Hi Nelson, thanks for the quick response, I think it is looking for a certificate object. I don't have a full stack, but here's a partial list of the calls that lead up to the C_FindObjects() invocation (firefox 3.0.9):
find_objects (NSSToken *,nssSession *,CK_ATTRIBUTE_PTR,CK_ULONG,PRUint32,PRStatus *) <-- calls C_FindObjects() ... PK11_FindCertFromNickname CERT_FindCertByNickname SEC_CertNicknameConflict nsNSSCertificate::defaultServerNickname nsCertOverrideService::RememberValidityOverride > A dump of the values of the attribute array passed to > C_FindObjects, and any referenced data buffers, would also tell us a bunch. I assume you mean the phObject arg? If so, it's the value of staticObjects, which just looks like an empty array on the first invocation. The returned count is 0 for the first C_FindObjects() invocation, so it doesn't get used again. I have some printf's() added and I notice in the firefox case that there seems to be more activity happening in this area before ever navigating to the page with the invalid cert. Is there any initialization/setup required up front (eg.- for the default crypto context)? Unfortunately I've left revisiting this a bit too close to the start of my vacation, so if you need more info I won't be able to respond for a couple of weeks (I'll definitely come back to this immediately after). Sorry if any of my answers aren't quite as revealing as hoped, but debugging on the C side is a bit trickier when calling in from a Java app, and I end up relying on printf's a lot. Thanks again for your time. Grant "Nelson B Bolyard" <nel...@bolyard.me> wrote in message news:mailman.872.1248960408.24810.dev-tech-cry...@lists.mozilla.org... > On 2009-07-28 10:41 PDT, Grant Gayed wrote: > > (originally posted on the mozilla.dev.security group, was suggested to post > > here as well) > > Yeah, this is the right place. > > > I work on the SWT Browser, which embeds XULRunner. I've been stuck on a > > problem for a while now, and would really appreciate help with an issue > > which could be a simple one. > > > > As of XULRunner 1.9, when navigating to a site whose cert is considered > > invalid (eg.- https://verisign.com), embedders get an error alert ("...site > > has invalid cert...") with no opportunity to proceed. So I've implemented a > > dialog that allows the user to see what the cert problem is, say "go ahead > > anyways", and then add the cert to the nsICertOverrideService (this happens > > in an nsIBadCertListener2.NotifyCertProblem() implementation). With > > XULRunner 1.9.1 this all works perfectly fine. > > > > However it's critical for us that this work with XULRunner 1.9.x as well, > > and with this version the nsICertOverrideService.RememberValidityOverride() > > invocation always returns NS_ERROR_FAILURE. I've dug to see where this > > diverges for us vs. firefox 3.0.9, and it happens in devtoken.c's > > find_objects()'s invocation of C_FindObjects(). The args passed to this > > call are the same for us and firefox (session->handle is the default > > 16777217, numhandles=0, arraysize=1), but firefox gets a returned object > > count of 1 while we get 0. > > So, it's searching for an object that is there in one case but not the > other. Odds are good that, whatever code is supposed to have put the > object there, did so in one case and not in the other. > > > I'm guessing that our embedding case is missing something that would result > > in the default session having the object it's looking for, but I have no > > idea what it is. Can anyone suggest what it would be? And if additional > > info would be helpful then please let me know. > > Without looking, I think the probability is extremely high that it is > looking for the certificate object, or perhaps the certificate trust object. > > With a stack back-trace of the stack at the point in C_FindObjects where > this difference occurs, it should be pretty easy to tell exactly what it > was looking for. A dump of the values of the attribute array passed to > C_FindObjects, and any referenced data buffers, would also tell us a bunch. > > > Thanks in advance for your help! > > Grant -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
