Hey all! I'm posting this from one of my alternate accounts since the Mozilla server (notorious.mozilla.org) strangely doesn't seem to like my SPF record and for some reason thinks that my server at 130.205.32.3 does not match the ipv4:130.205.32.0/20 criterion in my SPF record. Last I looked, 130.205.32.3 was contained within 130.205.32.0/20. Go figure.
IAC, I just wanted to raise an issue on this list before opening a bugzilla ticket on it, but I seem to have run into a circumstance under which deleting a certificate from the NSS database ends up doing the wrong thing, with some real confusion resulting that looks like a corrupted or bad database (but seems to be just a poor error message).

The scenario is in Openswan with NSS for the peer certificates. The host certificates are imported through pk12util after being converted from their OpenSSL cert and key. The peer certificates have been imported directly using "certutil -A" since they don't have a private key. Everything was fine, and someone on the Openswan list happened to ask why I didn't use pk12 for the peer certificate by using the -nokey option when creating them from openssl. So I tried that and didn't get an error, but the import did something strange and didn't give me the correct name from the openssl command. Instead of having a cert in the database with the name I specified in creating the .p12 file, I ended up with a cert in the database with the name of the E-Mail address in the cert. Not sure where that problem is (openssl or the pk12util import).

But, I went to delete that certificate and that's when the fun began. "certutil -D -n postmas...@wittsend.com" ran without error but the cert was still there. Run it again and you get this error:

    [root@romulus ipsec.d]# certutil -D -n postmas...@wittsend.com -d .
    certutil: could not find certificate named "postmas...@wittsend.com": security library: bad database.

That's also when I noticed I was missing at least one other cert. It appears that the first delete deleted the wrong cert and then looked like it did something bad in the database and can't find the cert showing up in the list with that name. Turned out it had deleted the first .p12 cert that I had imported and could no longer find the other cert.
Looking a little closer, it looks like certutil -D will give that same "bad database" error any time it cannot find a named cert, so it may actually not be corrupting the database per se, but it is deleting the wrong certificate and then refuses to find the right certificate at all afterwards. You can't list it even though it's still there in the list. The sequence of things I did and the results are below my signature block, with a few comments in square brackets... I figure this one is heading for bugzilla one way or the other, but wanted to hear others' thoughts on it first.

Oh... This is on Fedora 13 with nss-util 3.12.8 as well as Fedora 14 with nss-util 3.12.9.

Regards, Mike
--
Michael H. Warfield (AI4NB)  | Desk: (404) 236-2807
Senior Researcher - X-Force  | Cell: (678) 463-0932
IBM Security Services        | m...@linux.vnet.ibm.com  m...@wittsend.com
6303 Barfield Road           | http://www.iss.net/
Atlanta, Georgia 30328       | http://www.wittsend.com/mhw/ | PGP Key: 0x674627FF
--

[root@romulus ipsec.d]# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

remus.wittsend.com                                           u,u,u
gorgon8.wittsend.com                                         ,,
romulus.wittsend.com                                         u,u,u
complex.wittsend.com                                         ,,
gorgon9.wittsend.com                                         ,,
wittsendCA                                                   C,C,C
WittsEndCA                                                   C,C,C

[root@romulus ipsec.d]# openssl pkcs12 -export -in certs/gorgon10.wittsend.com.crt -nokeys -name gorgon10.wittsend.com -out gorgon10.wittsend.com.p12
Enter Export Password:
Verifying - Enter Export Password:
[root@romulus ipsec.d]# pk12util -i gorgon10.wittsend.com.p12 -d .
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
[root@romulus ipsec.d]# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

remus.wittsend.com                                           u,u,u
gorgon8.wittsend.com                                         ,,
romulus.wittsend.com                                         u,u,u
complex.wittsend.com                                         ,,
gorgon9.wittsend.com                                         ,,
wittsendCA                                                   C,C,C
WittsEndCA                                                   C,C,C
postmas...@wittsend.com                                      ,,

***** [^^^ Note wrong name ^^^]

[root@romulus ipsec.d]# certutil -D -n postmas...@wittsend.com -d .
[root@romulus ipsec.d]# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

gorgon8.wittsend.com                                         ,,
romulus.wittsend.com                                         u,u,u
complex.wittsend.com                                         ,,
gorgon9.wittsend.com                                         ,,
wittsendCA                                                   C,C,C
WittsEndCA                                                   C,C,C
postmas...@wittsend.com                                      ,,

***** [Note "remus" cert is gone. The "postmas...@wittsend.com" cert is still there!]

[root@romulus ipsec.d]# certutil -L -n postmas...@wittsend.com -d .
certutil: Could not find cert: postmas...@wittsend.com
: File not found.

***** [Oh really... It's there in the listing.]

[root@romulus ipsec.d]# certutil -D -n postmas...@wittsend.com -d .
certutil: could not find certificate named "postmas...@wittsend.com": security library: bad database.

***** [That's kind of a scary message to get back that the database is bad.]
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
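Added example, not part of Mike's post and not NSS or certutil code: a POSIX shell helper that snapshots the output of "certutil -L" before and after a "certutil -D" and fails if anything other than the requested nickname disappeared. Run over the listings above it would have flagged the loss of remus.wittsend.com immediately, instead of that being noticed later from the "bad database" message. The listings are constructed here to mirror the post's output (the elided "postmas...@wittsend.com" nickname is used as it appears on the page); nss_nicknames, nickname_count and verify_delete are this example's own names. Against a live database you would capture the two listings with "certutil -L -d <dir>", the same command the post uses, before and after the delete.

```shell
#!/bin/sh
# Added example: diff two "certutil -L" listings to confirm that a
# "certutil -D -n NICKNAME" removed exactly that nickname and nothing else.
# The listings below are constructed to mirror the post; no NSS database is
# needed to run this file.

# nss_nicknames LISTING
# Print one nickname per line from a "certutil -L" listing. The first two
# lines are the column headers; each other non-blank line is
# "<nickname> <trust flags>", so the last whitespace-separated field is the
# trust column and everything before it is the nickname.
nss_nicknames() {
    printf '%s\n' "$1" | awk '
        NR <= 2 || NF == 0 { next }          # skip header lines and blank lines
        { $NF = ""; sub(/[ \t]+$/, ""); print }
    '
}

# nickname_count LISTING NICKNAME
# Number of entries carrying exactly NICKNAME: 0 = absent, >1 = ambiguous,
# which is worth knowing before handing the name to "certutil -D".
nickname_count() {
    nss_nicknames "$1" | grep -cxF -- "$2" || true
}

# verify_delete BEFORE_LISTING AFTER_LISTING NICKNAME
# Succeeds only if NICKNAME is the one and only entry that disappeared between
# the two listings; otherwise reports what actually vanished and fails.
verify_delete() {
    before=$(nss_nicknames "$1")
    after=$(nss_nicknames "$2")
    # Every "before" nickname that no longer appears in "after".
    removed=$(printf '%s\n' "$before" | while IFS= read -r nick; do
        printf '%s\n' "$after" | grep -qxF -- "$nick" || printf '%s\n' "$nick"
    done)
    if [ "$removed" = "$3" ]; then
        return 0
    fi
    printf 'certutil -D -n "%s" removed [%s] instead\n' "$3" "${removed:-nothing}" >&2
    return 1
}

# Constructed listings mirroring the post: BEFORE is the database before the
# delete, AFTER_WRONG is what the poster saw afterwards (remus gone, target
# still present), AFTER_RIGHT is what a correct delete would have produced.
LISTING_BEFORE=$(cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

remus.wittsend.com                                           u,u,u
gorgon8.wittsend.com                                         ,,
romulus.wittsend.com                                         u,u,u
wittsendCA                                                   C,C,C
postmas...@wittsend.com                                      ,,
EOF
)
LISTING_AFTER_WRONG=$(cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

gorgon8.wittsend.com                                         ,,
romulus.wittsend.com                                         u,u,u
wittsendCA                                                   C,C,C
postmas...@wittsend.com                                      ,,
EOF
)
LISTING_AFTER_RIGHT=$(cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

remus.wittsend.com                                           u,u,u
gorgon8.wittsend.com                                         ,,
romulus.wittsend.com                                         u,u,u
wittsendCA                                                   C,C,C
EOF
)

TARGET='postmas...@wittsend.com'

# Pre-flight: the name must resolve to exactly one entry before deleting.
if [ "$(nickname_count "$LISTING_BEFORE" "$TARGET")" -ne 1 ]; then
    echo "nickname \"$TARGET\" is missing or ambiguous; not deleting" >&2
fi

# Post-flight: the poster's outcome is rejected, the correct outcome accepted.
verify_delete "$LISTING_BEFORE" "$LISTING_AFTER_WRONG" "$TARGET" \
    || echo 'wrong certificate removed; stop and inspect the database' >&2
verify_delete "$LISTING_BEFORE" "$LISTING_AFTER_RIGHT" "$TARGET" \
    && echo "delete of \"$TARGET\" verified"
```

The diff is done on nicknames only, which is what certutil -D keys on; if a database holds two entries under one nickname, nickname_count reports more than one and the delete should not be attempted until the ambiguity is resolved, because there is no way to tell from the listing which one certutil would remove.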