Platform/OS: CentOS release 6.3 (Final)
Linux xxxxx 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

NSS Version:
nss.x86_64 3.13.3-6.el6
nss-softokn.x86_64 3.12.9-11.el6
nss-softokn-freebl.x86_64 3.12.9-11.el6

Problem:

We have a Java 7 application that uses NSS (with FIPS mode enabled) for RSA-based crypto operations via the SunPKCS11 Java abstraction. The RSA key pairs and corresponding X.509 certs are generated and stored within NSS from the Java application using SunPKCS11 APIs.

I observed that the key3.db file size grows, and I could only relate that to key lookup/encryption/decryption (running in FIPS mode) over a period of time, within the context of the number of crypto operations. Typically I have observed that the file size grows in chunks of 4K bytes.

I ran the following command:

    certutil -K -d <dbfolder>

It displayed entries which indicated that, along with valid entries that match the output of certutil -L -d <dbFolder>, there were orphan keys in the db, for example:

    <584> dh bde64ed8d8ed868390e3133cccde75ef22e4c19f (orphan)

Following the notes from https://bugzilla.mozilla.org/show_bug.cgi?id=291383, I then ran the following command to remove the orphan key:

    certutil -F -n bde64ed8d8ed868390e3133cccde75ef22e4c19f -d <dbFolder> -l -e

It asked for the password and didn't report any errors, but didn't seem to delete the orphan key either.

At this point, I have a few questions:

- Am I missing something in order to delete orphan keys? Is it possible to achieve that (any implication that NSS is configured to be in FIPS mode?)
- Worst case scenario, if the DB is corrupted, is there a way to recover valid keys/certs (FIPS mode)?
- Why does the key3.db file increase in size when nothing is being requested to be stored and the only operations being performed are lookup or encryption/decryption?

Any help would be greatly appreciated. Please let me know if any other piece of information would be helpful in figuring out what might be going on.

Regards,
Prax

--
View this message in context: http://mozilla.6506.n7.nabble.com/certutil-Unable-to-delete-orphan-key-tp280706.html
Sent from the Mozilla - Cryptography mailing list archive at Nabble.com.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
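The post above inspects `certutil -K` output by eye to spot orphan keys. The following script is an added example, not part of the original message or of NSS itself: it parses a constructed sample of `certutil -K -d <dbfolder>` output (the token banner line and the `<id> type keyid nickname|(orphan)` rows, modelled on the row quoted in the post), lists the key IDs flagged as orphans, and builds the `certutil -F` invocation from the post for each one without running it, so an operator can audit which private keys have no matching certificate before touching a FIPS-mode key3.db. The sample key IDs other than the one quoted in the post are made up, and the nickname and db path are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): audit orphan private keys in
# an NSS key database from saved `certutil -K -d <dbfolder>` output.

# Constructed sample of `certutil -K` output. Only the first orphan row is
# taken from the original post; the other rows are made-up illustrations.
SAMPLE_CERTUTIL_K='certutil: Checking token "NSS FIPS 140-2 Certificate DB" in slot "NSS FIPS 140-2 User Private Key Services"
<  0> rsa      3a7d9fb0c1d2e3f4a5b6c7d8e9f00112233445566 NSS FIPS 140-2 Certificate DB:app-signing-key
<584> dh       bde64ed8d8ed868390e3133cccde75ef22e4c19f   (orphan)
<585> rsa      0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c   (orphan)'

# Print the key ID (the field just before the trailing "(orphan)" marker)
# of every orphan row, one per line. Rows with a nickname are skipped.
list_orphan_keys() {
    printf '%s\n' "$1" | awk '$NF == "(orphan)" { print $(NF-1) }'
}

# Number of orphan rows in the captured output.
count_orphan_keys() {
    list_orphan_keys "$1" | grep -c .
}

# Build (but do not execute) the deletion command the original post used,
# one line per orphan key ID, so it can be reviewed before anything runs.
# $1: captured certutil -K output; $2: path to the NSS db folder.
orphan_delete_commands() {
    list_orphan_keys "$1" | while IFS= read -r keyid; do
        printf 'certutil -F -n %s -d %s -l -e\n' "$keyid" "$2"
    done
}

# Stand-alone usage: audit the constructed sample against a placeholder db path.
echo "orphan keys found: $(count_orphan_keys "$SAMPLE_CERTUTIL_K")"
orphan_delete_commands "$SAMPLE_CERTUTIL_K" /path/to/nssdb
```

To use it against a real database, capture the listing first (`certutil -K -d <dbfolder> > keys.txt`) and pass the file contents in place of the sample; comparing the orphan count before and after a cleanup run is a quick way to confirm whether `certutil -F` actually removed anything, which is the check the post was missing.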