Bug 1694392 NSS does not work with PKCS #11 modules not supporting profiles

r=ueno,bbeurdouche

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0

Steps to reproduce:

Using NSS with a PKCS #11 library that returns CKR_ATTRIBUTE_VALUE_INVALID when searching for CKA_CLASS = CKO_PROFILE.

Actual results:

PK11_InitToken calls pk11_ReadProfileList and passes on failures. Thus, if the profiles cannot be read the token cannot be initialized.
pk11_ReadProfileList in turn uses pk11_FindObjectsByTemplate to search for CKO_PROFILE objects. This function fails if C_FindObjectsInit fails.
However, it should be perfectly OK for C_FindObjectsInit to fail if CKO_PROFILE is not known. In fact, CKR_ATTRIBUTE_VALUE_INVALID is a valid return code here, since the library does not know (yet) the value CKO_PROFILE for CKA_CLASS, and since the CKA_CLASS is a fixed list, the standard allows returning this error code.

Expected results:

PK11_InitToken should complete successfully.

Differential Revision: https://phabricator.services.mozilla.com/D106167
rjrelyea committed Feb 24, 2021
1 parent d3c1578 commit e2023b9
Showing 1 changed file with 3 additions and 4 deletions.
7 changes: 3 additions & 4 deletions lib/pk11wrap/pk11slot.c
Expand Up @@ -1369,10 +1369,9 @@ PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts)
if (status != PR_SUCCESS)
return SECFailure;

rv = pk11_ReadProfileList(slot);
if (rv != SECSuccess) {
return SECFailure;
}
/* Not all tokens have profile objects or even recognize what profile
* objects are it's OK for pk11_ReadProfileList to fail */
(void) pk11_ReadProfileList(slot);

if (!(slot->isInternal) && (slot->hasRandom)) {
/* if this slot has a random number generater, use it to add entropy
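Review bot: The `(void) pk11_ReadProfileList(slot);` call now discards every failure, not only the "token does not recognize CKO_PROFILE" case that the commit message describes, so any other error from the profile read is silently ignored and PK11_InitToken carries on. Consider tolerating only the unsupported-class error and still returning SECFailure for anything else, or, if ignoring all failures is intended, confirm that the slot's profile state is left well defined (empty) after a failed read and say so in the comment. The new comment is also a run-on: "objects are it's OK" needs a break, for example "objects are; it's OK for pk11_ReadProfileList to fail."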