On Fri, 2008-11-14 at 22:56 -0800, Nelson B Bolyard wrote:
> Hans Petter Jansson wrote, On 2008-11-14 21:54:

> > This works for some databases, but not others. It doesn't seem to matter
> > which application created the database (I've tried with databases from
> > Firefox and Evolution) - e.g. one user's database may fail while another
> > user's database may migrate properly. 

> Do these separate users have separate systems, with separate installations
> of the software?  Or do they share a single multi-user system?
> 
> I'm wondering if perhaps differences in their installations can explain it.

It's on separate workstations, but in some cases one database migrates
successfully while another fails on the same system. In one case, I have
a Firefox database that migrates successfully (resulting in a 150KB
migrated database, slightly smaller than the source) and a small
Evolution database that does not migrate, for the same user on the same
workstation with the same software versions.

> which as a signed number is -8192, which is SEC_ERROR_IO.

Ah yes, sorry. I was using %d initially, then changed it to %u while
looking for the problem and subsequently forgot about it :)

> Let's start with basics.
> Might some of them have corrupt cert8 DBs?

I doubt it - this affects many users on different systems, and the old
databases are working in their original contexts. Could there be an
entry in the database that cannot be migrated, or that confuses the
migration code for some reason?

> Can you get a listing of their cert DBs with certutil?

Here's one:

[EMAIL PROTECTED]:~/.mozilla/firefox/lim69e3n.default> certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

VeriSign Class 3 Secure Server CA                            ,,
Go Daddy Secure Certification Authority                      ,,
Cybertrust Educational CA                                    ,,
Deutsche Telekom CA 5                                        ,,
campusonline.uni-freiburg.de                                 ,,
NewMedia-NET GmbH                                            ,,
DPWN Root CA R2 PS                                           ,,
GlobalSign                                                   ,,
XRamp Security Services GS CA                                ,,
GlobalSign RootSign Partners CA                              ,,
VeriSign, Inc.                                               ,,
VeriSign Class 3 Extended Validation SSL SGC CA              ,,
VeriSign Class 3 Public Primary Certification Authority - G5 ,,
imtek.uni-freiburg.de                                        ,,
I.T. Telecom Global CA                                       ,,
DPWN SSL CA I2 PS                                            ,,
GlobalSign Extended Validation CA                            ,,

And another:

[EMAIL PROTECTED]:~/.mozilla/firefox/lim69e3n.default> certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Microsoft Secure Server Authority                            ,,
VeriSign Class 3 Extended Validation SSL CA                  ,,
GlobalSign                                                   ,,
Deutsche Telekom CA 5                                        ,,
www.asensys.de                                               ,,
EssentialSSL CA                                              ,,
Microsoft Internet Authority                                 ,,
VeriSign Class 3 Extended Validation SSL SGC CA              ,,
VeriSign, Inc.                                               ,,
WebSpace-Forum Server CA                                     ,,
UTN-USERFirst-Hardware                                       ,,
Akamai Subordinate CA 3                                      ,,
Starfield Secure Certification Authority                     ,,
GlobalSign Extended Validation CA                            ,,
GlobalSign RootSign Partners CA                              ,,
Thawte SGC CA                                                ,,
VeriSign Class 3 Secure Server CA                            ,,
Go Daddy Secure Certification Authority                      ,,
cfc-comm.cfc-int                                             ,,
DigiCert Global CA                                           ,,

> Does modutil show any unloaded PKCS#11 modules in their secmod DB?

No. They tend to look like this:

[EMAIL PROTECTED]:~/.mozilla/firefox/lim69e3n.default> modutil -dbdir . -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
-----------------------------------------------------------

Although for one database that consistently fails to migrate, it looks
like this:

[EMAIL PROTECTED]:~/.evolution> modutil -dbdir . -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. Mozilla Root Certs
        library name: /usr/lib/libnssckbi.so
         slots: 1 slot attached
        status: loaded

         slot: NSS Builtin Objects
        token: Builtin Object Token
-----------------------------------------------------------

This database only fails to migrate if the target database was not
already created by another, successful merge, though.

> What version of NSS are you using?

3.12.0.

> This sounds somewhat like
> https://bugzilla.mozilla.org/show_bug.cgi?id=397122
> but that was fixed a year ago.

Yeah... I think I can provide you with a problem DB in private that you
can look at if you've got the time.

-- 
Hans Petter Jansson <[EMAIL PROTECTED]>

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
