On 11/20/2010 07:56 AM, Matej Kurpel wrote:
> On 16. 11. 2010 14:53, Matej Kurpel wrote:
>> Hello,
>> I am implementing a PKCS#11 module and have just implemented
>> C_GenerateKeyPair. For this purpose, I have set up an HTML page with
>> the "keygen" tag which sends the form data to my PHP script to write
>> back to me what was sent.
>> Now, everything works perfectly. It generates the key pair, then sets
>> the CKA_ID attribute of both keys, asks for some more attributes,
>> then it signs some md5 hashed data with the newly generated private
>> key and closes the session.
>> Lastly, C_GetAttributeValue is called to see if the public key
>> (handle 0x03) is a token object. It indeed is so I provide the value.
>> The problem is, that is the last thing Firefox does. When closing it,
>> it forgets to call C_CloseAllSessions and then C_Finalize, as
>> Thunderbird does. So the next time I open Firefox, C_Initialize is
>> called again which creates a new state in the device, thus leaving
>> dangling resources by the old, unused "session". Is this a bug or am
>> I missing something? I am attaching a pkcs11-spy log (with
>> unnecessary info stripped out) if it is needed.
>> Thanks in advance,
>>
>> M. Kurpel
So while we should be calling C_Finalize when shutting down, you should
not depend on that. It's possible, even likely that an application
crashes and you never get the C_Finalize. You really should be robust
against that case. FF will not call C_Finalize until it shuts down.

Also, I would not depend on C_CloseAllSessions being called before
C_Finalize. There's nothing that says it has to.

The most likely reason for Finalize not being called is a reference leak
in PSM. Since it looks simply like a keygen case, it should be possible
to track it down. I suggest writing a bug against PSM with the
information in this email. I don't guarantee that it will get a very
high priority, but the Mozilla code is open source. If you can identify
where the leak is, there's a pretty good chance someone will review it
and pick up the fix.

bob
>>
>> ----------------------------- pkcs11-spy log begin
>> ----------------------------------
>>
>> 7: C_GetMechanismList
>> [in] slotID = 0x0
>> [out] pMechanismList[2]:
>> Count is 2
>> Returned:  0 CKR_OK
>>
>>
>> 8: C_GetMechanismList
>> [in] slotID = 0x0
>> [out] pMechanismList[2]:
>>  CKM_RSA_PKCS
>>  CKM_RSA_PKCS_KEY_PAIR_GEN
>> Returned:  0 CKR_OK
>>
>>
>> 9: C_OpenSession
>> [in] slotID = 0x0
>> [in] flags = 0x4
>> pApplication=06CA5400
>> Notify=5D5EA378
>> [out] *phSession = 0x1
>> Returned:  0 CKR_OK
>>
>>
>> 10: C_FindObjectsInit
>> [in] hSession = 0x1
>> [in] pTemplate[1]:
>>     CKA_CLASS             CKO_NETSCAPE_BUILTIN_ROOT_LIST
>> Returned:  19 CKR_ATTRIBUTE_VALUE_INVALID
>>
>>
>> 11: C_GetMechanismInfo
>> [in] slotID = 0x0
>>  CKM_RSA_PKCS
>> [out] pInfo:
>> CKM_RSA_PKCS                  : min:256 max:4096 flags:0xA01
>> Returned:  0 CKR_OK
>>
>>
>> 12: C_OpenSession
>> [in] slotID = 0x0
>> [in] flags = 0x6
>> pApplication=06CA5400
>> Notify=5D5EA378
>> [out] *phSession = 0x2
>> Returned:  0 CKR_OK
>>
>>
>> 13: C_GenerateKeyPair
>> [in] hSession = 0x2
>> pMechanism->type=CKM_RSA_PKCS_KEY_PAIR_GEN
>> [in] pPublicKeyTemplate[8]:
>>     CKA_MODULUS_BITS      [size : 0x4 (4)]
>>     00040000
>>     CKA_PUBLIC_EXPONENT   [size : 0x3 (3)]
>>     010001
>>     CKA_TOKEN             True
>>     CKA_DERIVE            False
>>     CKA_WRAP              False
>>     CKA_VERIFY            False
>>     CKA_VERIFY_RECOVER    False
>>     CKA_ENCRYPT           False
>> [in] pPrivateKeyTemplate[7]:
>>     CKA_TOKEN             True
>>     CKA_PRIVATE           True
>>     CKA_SENSITIVE         True
>>     CKA_DERIVE            False
>>     CKA_UNWRAP            False
>>     CKA_SIGN              True
>>     CKA_DECRYPT           True
>> [out] hPublicKey = 0x3
>> [out] hPrivateKey = 0x4
>> Returned:  0 CKR_OK
>>
>>
>> 14: C_GetAttributeValue
>> [in] hSession = 0x1
>> [in] hObject = 0x3
>> [in] pTemplate[1]:
>>     CKA_CLASS             requested with 4 buffer
>> [out] pTemplate[1]:
>>     CKA_CLASS             CKO_PUBLIC_KEY
>> Returned:  0 CKR_OK
>>
>>
>> 15: C_GetAttributeValue
>> [in] hSession = 0x1
>> [in] hObject = 0x3
>> [in] pTemplate[4]:
>>     CKA_CLASS             requested with 4 buffer
>>     CKA_KEY_TYPE          requested with 4 buffer
>>     CKA_MODULUS           requested with 0 buffer
>>     CKA_PUBLIC_EXPONENT   requested with 0 buffer
>> [out] pTemplate[4]:
>>     CKA_CLASS             CKO_PUBLIC_KEY
>>     CKA_KEY_TYPE          CKK_RSA
>>     CKA_MODULUS           has size 128
>>     CKA_PUBLIC_EXPONENT   has size 3
>> Returned:  0 CKR_OK
>>
>>
>> 16: C_GetAttributeValue
>> [in] hSession = 0x1
>> [in] hObject = 0x3
>> [in] pTemplate[4]:
>>     CKA_CLASS             requested with 4 buffer
>>     CKA_KEY_TYPE          requested with 4 buffer
>>     CKA_MODULUS           requested with 128 buffer
>>     CKA_PUBLIC_EXPONENT   requested with 3 buffer
>> [out] pTemplate[4]:
>>     CKA_CLASS             CKO_PUBLIC_KEY
>>     CKA_KEY_TYPE          CKK_RSA
>>     CKA_MODULUS           [size : 0x80 (128)]
>>     B3906CBA 83B28918 CDC1EFB3 E4A93367 CF6C0674 6A40ED7E 1758DFDE
>> C740AA97
>>     FD6AE7F7 033BA8FE 3329BDBE 2AA00242 7CA82A47 F6B5E15F AC16400F
>> 35D5033E
>>     28B4BA6B 67C35BB2 A49A9CD9 1CC701EF 0984CE38 34ABAA5E 01F92EA2
>> 0488C3AE
>>     E48A7C4B 01667D1C 4FFAE1D2 3A86CAEB 64489E1B 01456657 249E9593
>> 3C2B5D95
>>     CKA_PUBLIC_EXPONENT   [size : 0x3 (3)]
>>     010001
>> Returned:  0 CKR_OK
>>
>>
>> 17: C_GetAttributeValue
>> [in] hSession = 0x1
>> [in] hObject = 0x3
>> [in] pTemplate[1]:
>>     CKA_TOKEN             requested with 1 buffer
>> [out] pTemplate[1]:
>>     CKA_TOKEN             True
>> Returned:  0 CKR_OK
>>
>>
>> 18: C_SetAttributeValue
>> [in] hSession = 0x2
>> [in] hObject = 0x4
>> [in] pTemplate[1]:
>>     CKA_ID                [size : 0x14 (20)]
>>     FEA653BE 4BD2BD65 272F2102 49833397 3AB3F67B
>> Returned:  0 CKR_OK
>>
>>
>> 19: C_SetAttributeValue
>> [in] hSession = 0x2
>> [in] hObject = 0x3
>> [in] pTemplate[1]:
>>     CKA_ID                [size : 0x14 (20)]
>>     FEA653BE 4BD2BD65 272F2102 49833397 3AB3F67B
>> Returned:  0 CKR_OK
>>
>>
>> 20: C_CloseSession
>> [in] hSession = 0x2
>> Returned:  0 CKR_OK
>>
>>
>> 21: C_GetAttributeValue
>> [in] hSession = 0x1
>> [in] hObject = 0x4
>> [in] pTemplate[1]:
>>     CKA_PRIVATE           requested with 1 buffer
>> [out] pTemplate[1]:
>>     CKA_PRIVATE           True
>> Returned:  0 CKR_OK
>>
>>
>> 22: C_GetAttributeValue
>> [in] hSession = 0x1
>> [in] hObject = 0x4
>> [in] pTemplate[1]:
>>     CKA_MODULUS           requested with 0 buffer
>> [out] pTemplate[1]:
>>     CKA_MODULUS           has size 128
>> Returned:  0 CKR_OK
>>
>>
>> 23: C_GetAttributeValue
>> [in] hSession = 0x1
>> [in] hObject = 0x4
>> [in] pTemplate[1]:
>>     CKA_MODULUS           requested with 128 buffer
>> [out] pTemplate[1]:
>>     CKA_MODULUS           [size : 0x80 (128)]
>>     B3906CBA 83B28918 CDC1EFB3 E4A93367 CF6C0674 6A40ED7E 1758DFDE
>> C740AA97
>>     FD6AE7F7 033BA8FE 3329BDBE 2AA00242 7CA82A47 F6B5E15F AC16400F
>> 35D5033E
>>     28B4BA6B 67C35BB2 A49A9CD9 1CC701EF 0984CE38 34ABAA5E 01F92EA2
>> 0488C3AE
>>     E48A7C4B 01667D1C 4FFAE1D2 3A86CAEB 64489E1B 01456657 249E9593
>> 3C2B5D95
>> Returned:  0 CKR_OK
>>
>>
>> 24: C_GetAttributeValue
>> [in] hSession = 0x1
>> [in] hObject = 0x4
>> [in] pTemplate[1]:
>>     CKA_PRIVATE           requested with 1 buffer
>> [out] pTemplate[1]:
>>     CKA_PRIVATE           True
>> Returned:  0 CKR_OK
>>
>>
>> 25: C_OpenSession
>> [in] slotID = 0x0
>> [in] flags = 0x4
>> pApplication=06CA5400
>> Notify=5D5EA378
>> [out] *phSession = 0x2
>> Returned:  0 CKR_OK
>>
>>
>> 26: C_SignInit
>> [in] hSession = 0x2
>> pMechanism->type=CKM_RSA_PKCS
>> [in] hKey = 0x4
>> Returned:  0 CKR_OK
>>
>>
>> 27: C_Sign
>> [in] hSession = 0x2
>> [in] pData[ulDataLen] [size : 0x22 (34)]
>>     3020300C 06082A86 4886F70D 02050500 041078FC 99F7CC96 0B51B1EA
>> F7FF4D0D
>>     7D55
>> [out] pSignature[*pulSignatureLen] [size : 0x80 (128)]
>>     52237EAF 9CA447B8 22CAF509 FAC68481 1957ADA8 7585E92E 60342DCB
>> E5806F38
>>     C6A774B6 82FD032B 1CE25264 7B9227CB 028496D4 22CA6EC5 47314F3A
>> 89F05CB2
>>     ED2F8936 B13ED1E6 355E88FC 64854588 231FDA18 5B07466C 2F02CB54
>> 093DF569
>>     2D5BAF61 23563AB2 44570977 0DBCA843 4CC93A73 AC3E2D13 79D1AFCD
>> 783CA6E6
>> Returned:  0 CKR_OK
>>
>>
>> 28: C_CloseSession
>> [in] hSession = 0x2
>> Returned:  0 CKR_OK
>>
>>
>> 29: C_GetAttributeValue
>> [in] hSession = 0x1
>> [in] hObject = 0x3
>> [in] pTemplate[1]:
>>     CKA_TOKEN             requested with 1 buffer
>> [out] pTemplate[1]:
>>     CKA_TOKEN             True
>> Returned:  0 CKR_OK
>>
>> ----------------------------- pkcs11-spy log end
>> ----------------------------------
> Sorry to quote myself, but doesn't really anyone know? It's a bug in
> my head.
> (I have edited the original message to reflect the most current
> behavior).
>
> M. Kurpel


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
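
The robustness the reply asks for, sketched as an added example that is not code from this thread, from NSS, or from the poster's module: C_Initialize reclaims device state left behind by a process that exited without C_Finalize, and C_Finalize tears down open sessions without expecting C_CloseAllSessions first. The `device`, `dev_ctx` and `module` types, the `mod_*` function names and the liveness callback are hypothetical; only the CKR_* values come from the PKCS#11 headers.

```c
#include <stddef.h>

#define CKR_OK                           0x000UL
#define CKR_DEVICE_MEMORY                0x031UL
#define CKR_CRYPTOKI_NOT_INITIALIZED     0x190UL
#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x191UL
#define MAX_CTX 4

/* Hypothetical model: per-application contexts the device keeps across runs. */
typedef struct { long owner_pid; int sessions; } dev_ctx;   /* owner_pid 0 = free */
typedef struct { dev_ctx ctx[MAX_CTX]; } device;
typedef struct { dev_ctx *mine; } module;                   /* process-local state */
typedef int (*alive_fn)(long pid);  /* liveness probe, assumed to come from the platform layer */

static void release_ctx(dev_ctx *c) { c->sessions = 0; c->owner_pid = 0; }

/* C_Initialize path: reclaim contexts whose owner exited without C_Finalize. */
unsigned long mod_initialize(module *m, device *d, long self, alive_fn alive) {
    dev_ctx *slot = NULL;
    if (m->mine) return CKR_CRYPTOKI_ALREADY_INITIALIZED;
    for (int i = 0; i < MAX_CTX; i++) {
        dev_ctx *c = &d->ctx[i];
        /* Stale if the owner is dead, or its pid was recycled and is now ours. */
        if (c->owner_pid && (c->owner_pid == self || !alive(c->owner_pid)))
            release_ctx(c);
        if (!c->owner_pid && !slot) slot = c;
    }
    if (!slot) return CKR_DEVICE_MEMORY;
    slot->owner_pid = self;
    m->mine = slot;
    return CKR_OK;
}

unsigned long mod_open_session(module *m) {
    if (!m->mine) return CKR_CRYPTOKI_NOT_INITIALIZED;
    m->mine->sessions++;
    return CKR_OK;
}

/* C_Finalize path: close any open sessions here; C_CloseAllSessions may never come. */
unsigned long mod_finalize(module *m) {
    if (!m->mine) return CKR_CRYPTOKI_NOT_INITIALIZED;
    release_ctx(m->mine);
    m->mine = NULL;
    return CKR_OK;
}

/* Constructed probe for the example: pid 4242 stands for a run that has exited. */
int sample_alive(long pid) { return pid != 4242; }
```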
