From e2023b9800089e77edbbf9ca3c86f9f0e4a83f73 Mon Sep 17 00:00:00 2001 From: Robert Relyea Date: Wed, 24 Feb 2021 11:04:07 -0800 Subject: [PATCH] Bug 1694392 NSS does not work with PKCS #11 modules not supporting profiles r=ueno,bbeurdouche User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0 Steps to reproduce: Using NSS with PKCS #11 library that returns CKR_ATTRIBUTE_VALUE_INVALID when searching for CKA_CLASS = CKO_PROFILE. Actual results: PK11_InitToken calls pk11_ReadProfileList and passes on failures. Thus, if the profiles cannot be read the token cannot be initialized. pk11_ReadProfileList in turn uses pk11_FindObjectsByTemplate to search for CKO_PROFILE objects. This function fails if C_FindObjectsInit fails. However, it should be perfectly ok that C_FindObjectsInit fails if CKO_PROFILE is not known. In fact, CKR_ATTRIBUTE_VALUE_INVALID is a valid return code here since the library does not know (yet) the value CKO_PROFILE for CKA_CLASS and since the CKA_CLASS is a fixed list it the standard allows to return this error code. Expected results: PK11_InitToken should complete successfully. Differential Revision: https://phabricator.services.mozilla.com/D106167 --- lib/pk11wrap/pk11slot.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/lib/pk11wrap/pk11slot.c b/lib/pk11wrap/pk11slot.c index 2451c36396..d64e2a10dc 100644 --- a/lib/pk11wrap/pk11slot.c +++ b/lib/pk11wrap/pk11slot.c @@ -1369,10 +1369,9 @@ PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts) if (status != PR_SUCCESS) return SECFailure; - rv = pk11_ReadProfileList(slot); - if (rv != SECSuccess) { - return SECFailure; - } + /* Not all tokens have profile objects or even recognize what profile + * objects are it's OK for pk11_ReadProfileList to fail */ + (void) pk11_ReadProfileList(slot); if (!(slot->isInternal) && (slot->hasRandom)) { /* if this slot has a random number generater, use it to add entropy
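Review bot: In the PK11_InitToken hunk, `(void) pk11_ReadProfileList(slot);` discards every failure, not only the case the commit message describes (a module returning CKR_ATTRIBUTE_VALUE_INVALID for CKA_CLASS = CKO_PROFILE). A failure for any other reason is now silent too, and token initialization continues as if the token simply had no profiles. Consider keeping `rv` and ignoring only the "profile class not recognized" case, or at least confirm that a failed read leaves the slot's profile state empty and consistent, so later profile checks treat the token as having none. The new comment is also a run-on: "recognize what profile objects are it's OK" needs a break, for example "...what profile objects are, so it's OK for pk11_ReadProfileList to fail".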