Commit e2023b98 authored by Robert Relyea's avatar Robert Relyea

Bug 1694392 NSS does not work with PKCS #11 modules not supporting profiles


User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0

Steps to reproduce:

Using NSS with PKCS #11 library that returns CKR_ATTRIBUTE_VALUE_INVALID when searching for CKA_CLASS = CKO_PROFILE.

Actual results:

PK11_InitToken calls pk11_ReadProfileList and passes on failures. Thus, if the profiles cannot be read the token cannot be initialized.
pk11_ReadProfileList in turn uses pk11_FindObjectsByTemplate to search for CKO_PROFILE objects. This function fails if C_FindObjectsInit fails.
However, it should be perfectly ok that C_FindObjectsInit fails if CKO_PROFILE is not known. In fact, CKR_ATTRIBUTE_VALUE_INVALID is a valid return code here since the library does not know (yet) the value CKO_PROFILE for CKA_CLASS and since the CKA_CLASS is a fixed list it the standard allows to return this error code.

Expected results:

PK11_InitToken should complete successfully.

Differential Revision:
parent d3c1578c
......@@ -1369,10 +1369,9 @@ PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts)
if (status != PR_SUCCESS)
return SECFailure;
rv = pk11_ReadProfileList(slot);
if (rv != SECSuccess) {
return SECFailure;
/* Not all tokens have profile objects or even recognize what profile
* objects are it's OK for pk11_ReadProfileList to fail */
(void) pk11_ReadProfileList(slot);
if (!(slot->isInternal) && (slot->hasRandom)) {
/* if this slot has a random number generater, use it to add entropy
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment