David Stutzman wrote:
> I created a new security database with modutil, added a root module to
> it and then attempted to generate a key using certutil and received an
> I/O error:
>
> # certutil -G -k rsa -g 1024 -d .
> certutil: unable to generate key(s)
> : An I/O error occurred during security authorization.
That error is SEC_ERROR_IO. It originally meant that NSS received an error on the file it tried to read to get your password (e.g. /dev/tty). That's what the error message quoted above is trying to say. It meant "I can't read your password", not "your password was bad".

Then it grew to mean that NSS had a problem reading any file while trying to do its job. It meant that the problem was with file I/O, not with security computations per se.

Then in NSS 4.5, it grew into "NSS had an error for which no NSS error code seems appropriate" (that is, it became a catch-all error code).

Today, IMO, way too many errors report SEC_ERROR_IO when they should report another error code. It's not difficult to invent new error codes. On the other hand, it is difficult to get mozilla clients to put new error strings for new error codes into their products, which is why so many error codes are reported in dialogs with decimal error code numbers rather than with meaningful error strings.

> I took a guess at the problem and set a password for the db using:
> # modutil -changepw "NSS Certificate DB" -dbdir .
>
> and then it worked fine.

Right. It is intentional (IINM) that you cannot generate keys in the DB slot until it is initialized, including a password.

> Is this something that's fine the way it is or would you prefer (is it
> possible) to have it actually say the password is the problem?

Being unable to generate keys when the slot is uninitialized is intentional. Putting out a bad error message in that case is not.

--
Nelson B
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
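The sequence the thread arrives at, as an added shell example that is not part of the original exchange: initialize the "NSS Certificate DB" slot with a password (via a password file, so nothing is read from /dev/tty) before calling certutil -G, then confirm the key landed. It assumes certutil is on PATH; the directory, password file, key size and noise file are constructed for this example and are not from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread. Initializes the NSS DB slot,
# password included, before key generation, which is the step whose omission
# surfaced as SEC_ERROR_IO in the message above.
# Assumes certutil (NSS tools) is installed; all file names are constructed.
set -eu

# Returns 0 when an RSA key pair was generated in the DB under $1,
# 1 when a certutil step failed, and 2 when certutil is not installed.
nss_init_and_genkey() {
    dbdir=$1
    command -v certutil >/dev/null 2>&1 \
        || { echo "certutil not installed; skipping" >&2; return 2; }

    mkdir -p "$dbdir" || return 1

    # Password file (constructed value). Supplying it with -f keeps certutil
    # from prompting on /dev/tty, the file SEC_ERROR_IO originally meant.
    pwfile=$dbdir/pwfile.txt
    (umask 077; printf '%s\n' 'example-db-password' > "$pwfile") || return 1

    # Step 1: create the database WITH a password. This initializes the
    # "NSS Certificate DB" slot; the original sequence went straight to -G.
    certutil -N -d "$dbdir" -f "$pwfile" || return 1

    # Step 2: generate the key, authenticating to the slot with the same
    # password file. A small noise file keeps -G non-interactive on old NSS.
    head -c 64 /dev/urandom > "$dbdir/noise.bin" || return 1
    certutil -G -k rsa -g 2048 -d "$dbdir" -f "$pwfile" -z "$dbdir/noise.bin" \
        || return 1

    # Step 3: verify a private key is now present in the initialized slot.
    certutil -K -d "$dbdir" -f "$pwfile" | grep -q 'rsa'
}
```

On a host without the NSS tools the function returns 2 instead of pretending to succeed; any other non-zero status points at the certutil step that failed.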