Hello,
Adding few more details to this issue we are facing in regards to NSS.
Please note: this was not an issue with NSS3.42.1. We are looking to upgrade to
NSS3.47.1 and have noticed it from then on. We approached IAIK aswell in
regards to this after debugging their pkcs#11wrapper module. Please see their
response at the below of the post.
We created sample Java client that uses IAIK PKCS#11 Wrapper 1.4 to connect to
NSS
Module pkcs11Module = Module.getInstance( library ); // library
-> softokn3.dll
.....
pkcs11Module.initialize(arguments); // arguments -> maps to
initializeArguments
....
session = token.openSession(Token.SessionType.SERIAL_SESSION,
Token.SessionReadWriteBehavior.RW_SESSION, null, null);
...
session.login(Session.UserType.USER, pin.toCharArray()); //
login is fine
...
// set the general attributes for the public key
rsaPublicKeyTemplate.getToken().setBooleanValue(Boolean.TRUE); ///
this is source of problem . If set to False ( meaning session object), client
works fine.
...
// set the general attributes for the private key
rsaPrivateKeyTemplate.getToken().setBooleanValue(Boolean.TRUE); ///
this is source of problem . If set to False ( meaning session object), client
works fine.
....
KeyPair generatedKeyPair = null;
try
{
generatedKeyPair =
session.generateKeyPair(keyPairGenerationMechanism,rsaPublicKeyTemplate,
rsaPrivateKeyTemplate);
}
catch (TokenException e)
{
String msg = "Failed to generate RSA key pair on token: " +
e.getMessage();
throw new Exception( msg, e );
}
...
Input file for the sample client :
library=softokn3.dll
initializeArguments=configDir='sql:D:/workdir/devunit/KMDemo/NSS/db'
certPrefix='' keyPrefix='' secmod='' flags='readWrite' updatedir=''
updateCertPrefix='' updateKeyPrefix='' updateTokenDescription=''
pin=XXXXX
slot=1
libPath=D:/workdir/devunit/KMDemo/NSS-3.49/lib
libList=libnspr4.dll,libplc4.dll,libplds4.dll,sqlite3.dll,nssutil3.dll,softokn3.dll
Steps I've been following ::
1) I cleanup NSS db directory.
2) Prior to executing the client code, I recreate the NSS db.
a) Create NSS db ---> modutil -create -dbdir
sql:D:\workdir\devunit\KMDemo\NSS\db
b) Provide password ---> modutil -dbdir
sql:D:\workdir\devunit\KMDemo\NSS\db -changepw "NSS Certificate DB"
c) Check content of the db --> certutil -K -d
sql:D:\workdir\devunit\KMDemo\NSS\db ( displays no keys )
3) Run the Sample client code. Saw exception
################################################################################
PKCS#11 session login successful
################################################################################
Generating new 2048 bit RSA key-pair...
java.lang.Exception: Failed to generate RSA key pair on
token: CKR_GENERAL_ERROR
at
demo.pkcs.pkcs11.GenerateKeyPair.main(GenerateKeyPair.java:110)
Caused by: iaik.pkcs.pkcs11.wrapper.PKCS11Exception:
CKR_GENERAL_ERROR
at
iaik.pkcs.pkcs11.wrapper.PKCS11Implementation.C_GetAttributeValue(Native Method)
at
iaik.pkcs.pkcs11.objects.Object.getAttributeValue(Object.java:716)
at
iaik.pkcs.pkcs11.objects.Key.readAttributes(Key.java:622)
at
iaik.pkcs.pkcs11.objects.PublicKey.readAttributes(PublicKey.java:398)
at
iaik.pkcs.pkcs11.objects.RSAPublicKey.readAttributes(RSAPublicKey.java:242)
at
iaik.pkcs.pkcs11.objects.Object.<init>(Object.java:223)
at
iaik.pkcs.pkcs11.objects.Storage.<init>(Storage.java:105)
at
iaik.pkcs.pkcs11.objects.Key.<init>(Key.java:321)
at
iaik.pkcs.pkcs11.objects.PublicKey.<init>(PublicKey.java:119)
at
iaik.pkcs.pkcs11.objects.RSAPublicKey.<init>(RSAPublicKey.java:96)
at
iaik.pkcs.pkcs11.objects.RSAPublicKey.getInstance(RSAPublicKey.java:118)
at
iaik.pkcs.pkcs11.objects.PublicKey.getInstance(PublicKey.java:156)
at
iaik.pkcs.pkcs11.objects.Object.getInstance(Object.java:262)
at
iaik.pkcs.pkcs11.Session.generateKeyPair(Session.java:1260)
at
demo.pkcs.pkcs11.GenerateKeyPair.main(GenerateKeyPair.java:105)
################################################################################
Close Session...
PKCS#11 session logout successful
4) Check the NSS key db store for the contents:
D:\workdir\devunit\KMDemo>certutil -K -d
sql:D:\workdir\devunit\KMDemo\NSS\db
certutil: Checking token "NSS Certificate DB" in slot
"NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa
"60b0df57-df82-4a73-b1c9-7fc17204e1d0;157" KMRootCA
NOTE: I see the exception in the console as well as notice that
NSS store having the key.
Debugged IAIK:
• Enabled debugging of IAIK PKCS#11 Wrapper module.
01/23/20 19:38:18 ERROR: got 5 instead of CKR_OK, going to raise an exception
(in Java_iaik_pkcs_pkcs11_wrapper_PKCS11Implementation_C_1GetAttributeValue)
• I decided to build/debug the native pkcs11Wrapper code with the Java
sample client.
JNIEXPORT void JNICALL
Java_iaik_pkcs_pkcs11_wrapper_PKCS11Implementation_C_1GetAttributeValue
(JNIEnv *env, jobject obj, jlong jSessionHandle, jlong jObjectHandle,
jobjectArray jTemplate, jboolean jUseUtf8)
{
.....
rv = (*ckpFunctions->C_GetAttributeValue)(ckSessionHandle, ckObjectHandle,
ckpAttributes, ckAttributesLength);
...
}
Values in the variable when this failure occurred ..
rv = 5
+ ckpAttributes 0x0000000017e7cb00 {type=1073742353 pValue=0x0000000017e76980
ulValueLen=240 } CK_ATTRIBUTE *
ckObjectHandle 2357156729 unsigned long
+ ckpFunctions softokn3.dll!0x00007ffee9b0c620 (load symbols for additional
information) {version={major=1 '\x1' minor=...} ...} CK_FUNCTION_LIST *
ckSessionHandle 16777217 unsigned long
ckAttributesLength 23 unsigned long
• The above highlighted code does make a call to NSS ( softtokn3 ) and
receives 5 ( which stands for CKR_GENERAL_ERROR ) for the ckpAttributes
type=1073742353.
I approached IAIK, here’s the response they provided …
On Fri, Jan 24, 2020 at 3:12 AM SIC/IAIK <XXXX> wrote:
The ckpAttributes that you have viewed in the debugger is actually an array
with multiple ckAttributes. Specifically 1073742353 is the CKA_WRAP_TEMPLATE
attribute.
I traced the error down to this NSS git commit [1]. There is seemingly a
problem when querying ArrayAttributes. It produces an sqlite_error in the NSS
code.
However, I'm pretty sure that this error is an actual NSS error and cannot be
fixed from our side. I would suggest to file a bug report.
[1]:
https://github.com/nss-dev/nss/commit/f572a15e45c5c4a26a0ada7ee008843ad19ec202
Please let us know ..
Thanks..
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
