Hello, after months of debugging and having HTTPS not working in
Electron (https://github.com/electron) packaged proprietary apps (Slack
and Discord), while Signal (also based on Electron), Chromium and
Firefox were working, I started digging around the dynamic libraries of
all of those.
All of those use NSS and PKCS#11 to look up certificates and keys.
I've found that the root cause was the ~/.pki/nssdb/pkcs11.txt file.
After moving it away, the file regenerated as described in newly
reported bug #1993963. Besides this, there were entries created for the
PKCS#11 token on the Polish national ID (PIV card with NFC layer):
https://www.gov.pl/pliki/edowod/e-dowod-4.2.3.run, leading to the final
form:
$ modutil -list -dbdir ~/.pki/nssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
           uri: 
pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.68
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
          uri: 
pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
          uri: 
pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. Mozilla Root Certs
        library name: /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
           uri: 
pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Builtin%20Object%20Cryptoki%20Modu;library-version=2.50
         slots: 1 slot attached
        status: loaded

         slot: NSS Builtin Objects
        token: Builtin Object Token
          uri: 
pkcs11:token=Builtin%20Object%20Token;manufacturer=Mozilla%20Foundation;serial=1;model=1

  3. e-dowód (64 bits)
        library name: /opt/e-dowod/e-dowod-pkcs11-64.so
           uri: 
pkcs11:library-manufacturer=PWPW%20S.A.;library-description=PL-ID%20PKCS%2311%20API%20v.4.2.2.1;library-version=4.2
         slots: There are no slots attached to this module
        status: loaded

  4. OpenSC smartcard framework (0.22)
        library name: /usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so
           uri: 
pkcs11:library-manufacturer=OpenSC%20Project;library-description=OpenSC%20smartcard%20framework;library-version=0.22
         slots: There are no slots attached to this module
        status: loaded

After trying to add and remove subsequent PKCS#11 modules I wasn't able
to reproduce the bug anymore; I guess it could be due to a lack of
separating newlines in pkcs11.txt when the software modified the txt
file directly instead of using the modutil command.

Regarding this particular bug I would leave it open - as the logging
issue persists, in case anyone has a similar bug - the error code "NSS
error code: -8018" is too enigmatic; even googling doesn't return much
info. I needed to download the source code to determine that -8018 means
SEC_ERROR_UNKNOWN_PKCS11_ERROR. Even if one gets such an error, they
should be provided with more information in terms of problem context,
and if it's caused by an external library which doesn't return those, the
name of that particular library and a call stack.

** Changed in: nss (Ubuntu)
       Status: Expired => New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to nss in Ubuntu.
https://bugs.launchpad.net/bugs/1960736

Title:
  Libnss3 doesn't log SEC_ERROR_UNKNOWN_PKCS11_ERROR properly  ( NSS
  error code: -8018 )

Status in nss package in Ubuntu:
  New

Bug description:
  I've got an issue with Google Chrome not recognizing any SSL/TLS
  certificates as trusted. When I look into the certificate checksums it
  renders all bytes as NULL bytes. I'm aware Google Chrome is proprietary
  but it depends on the Ubuntu-provided libnss3 package. And libnss
  provides a very enigmatic error code -8018:

  /opt/google/chrome$ google-chrome
  [23391:23426:0213/133531.202486:ERROR:nss_util.cc(286)] After loading Root Certs, loaded==false: NSS error code: -8018
  [23434:23434:0213/133531.266711:ERROR:sandbox_linux.cc(377)] InitializeSandbox() called with multiple threads in process gpu-process.
  [23391:23427:0213/133531.313065:ERROR:cert_verify_proc_builtin.cc(681)] CertVerifyProcBuiltin for accounts.google.com failed:
  ----- Certificate i=3 (CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE) -----
  ERROR: No matching issuer found

  When trying to enter this particular error code into a search engine
  nothing is found. So my suggestion with this bug is to make it more
  transparent by providing information about what happened - it seems
  other error codes have better error messages. To get the
  SEC_ERROR_UNKNOWN_PKCS11_ERROR string I was forced to download the
  source code and manually calculate offsets. Another issue is whether
  failing to initialize a PKCS11 token should make the whole SSL/TLS
  crypto invalid? I'm not sure if this is a libnss or Google Chrome issue,
  but it behaves differently in the Chromium browser with the same libnss,
  so I assume either of the two is doing better - it's worth reviewing
  this from a security perspective.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: libnss3 2:3.35-2ubuntu2.13
  Uname: Linux 5.10.0-051000rc6-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.27
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Sun Feb 13 13:33:51 2022
  Dependencies:
   gcc-8-base 8.4.0-1ubuntu1~18.04
   libc6 2.27-3ubuntu1.5 [origin: LP-PPA-ubuntu-security-proposed]
   libgcc1 1:8.4.0-1ubuntu1~18.04
   libnspr4 2:4.18-1ubuntu1
   libsqlite3-0 3.22.0-1ubuntu0.4
  InstallationDate: Installed on 2015-05-08 (2473 days ago)
  InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=pl_PL.UTF-8
   SHELL=/bin/bash
  SourcePackage: nss
  UpgradeStatus: Upgraded to bionic on 2018-08-26 (1266 days ago)
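
The lookup that both the comment and the original report above had to do
by hand (download the NSS source, work out that -8018 is SEC_ERROR_BASE +
174, find SEC_ERROR_UNKNOWN_PKCS11_ERROR) can be scripted. The Python
below is an added example written for this page, not code from NSS,
Chromium or the bug reporter. It assumes the table bases from the NSS and
NSPR headers (SEC_ERROR_BASE = -0x2000, SSL_ERROR_BASE = -0x3000, NSPR core
errors starting at -6000) and embeds a hand-copied subset of the enum
names; the -8018 entry is confirmed by this report, the rest should be
checked against the secerr.h/sslerr.h of the NSS version in use. When
libnss3 and libnspr4 are installed it also asks them directly through
PR_ErrorToName and PR_ErrorToString, which is the authoritative answer for
that build and is the kind of string a log line could print next to the
bare number.

```python
"""Decode numeric NSS/NSPR error codes (e.g. -8018) to symbolic names.

Added example for this bug report; not code from NSS, Chromium or the
reporter.  decode() works offline from the header table bases plus a
hand-copied name subset; resolve_with_nss() asks the installed libraries.
"""
import ctypes
import ctypes.util
import sys
from typing import NamedTuple, Optional, Tuple

# Table bases from secerr.h, sslerr.h and prerr.h.  A code is base + offset,
# and the offset is what you grep for in the header ("SEC_ERROR_BASE + 174").
SEC_ERROR_BASE = -0x2000   # -8192
SSL_ERROR_BASE = -0x3000   # -12288
PR_ERROR_BASE = -6000      # PR_OUT_OF_MEMORY_ERROR; NSPR's own core table

# Hand-copied subset of the enums keyed by offset.  Assumption: verify these
# against the headers of your NSS version; unlisted offsets still decode to
# "<table> base + n" so you know where to look.
SEC_ERROR_NAMES = {
    0: "SEC_ERROR_IO", 1: "SEC_ERROR_LIBRARY_FAILURE", 2: "SEC_ERROR_BAD_DATA",
    5: "SEC_ERROR_INVALID_ARGS", 9: "SEC_ERROR_BAD_DER",
    10: "SEC_ERROR_BAD_SIGNATURE", 11: "SEC_ERROR_EXPIRED_CERTIFICATE",
    13: "SEC_ERROR_UNKNOWN_ISSUER", 15: "SEC_ERROR_BAD_PASSWORD",
    18: "SEC_ERROR_BAD_DATABASE", 19: "SEC_ERROR_NO_MEMORY",
    20: "SEC_ERROR_UNTRUSTED_ISSUER", 21: "SEC_ERROR_UNTRUSTED_CERT",
    151: "SEC_ERROR_INCOMPATIBLE_PKCS11", 154: "SEC_ERROR_NOT_INITIALIZED",
    155: "SEC_ERROR_TOKEN_NOT_LOGGED_IN", 167: "SEC_ERROR_PKCS11_GENERAL_ERROR",
    168: "SEC_ERROR_PKCS11_FUNCTION_FAILED", 169: "SEC_ERROR_PKCS11_DEVICE_ERROR",
    174: "SEC_ERROR_UNKNOWN_PKCS11_ERROR",   # -8018, the code in this report
    177: "SEC_ERROR_LEGACY_DATABASE",
}
SSL_ERROR_NAMES = {
    2: "SSL_ERROR_NO_CYPHER_OVERLAP", 4: "SSL_ERROR_BAD_CERTIFICATE",
    9: "SSL_ERROR_UNSUPPORTED_VERSION", 12: "SSL_ERROR_BAD_CERT_DOMAIN",
    15: "SSL_ERROR_BAD_MAC_READ", 25: "SSL_ERROR_RX_RECORD_TOO_LONG",
    61: "SSL_ERROR_HANDSHAKE_FAILURE_ALERT",
}
PR_ERROR_NAMES = {
    0: "PR_OUT_OF_MEMORY_ERROR", 10: "PR_IO_TIMEOUT_ERROR",
    13: "PR_INVALID_ARGUMENT_ERROR", 19: "PR_CONNECT_REFUSED_ERROR",
    39: "PR_CONNECT_RESET_ERROR", 62: "PR_END_OF_FILE_ERROR",
}

# (table, low, high, names).  NSPR's window lies numerically inside the SEC
# window, so it is tested first.  Window widths are an assumption; the real
# enums stop well short of them.
TABLES = (
    ("PR", PR_ERROR_BASE, PR_ERROR_BASE + 100, PR_ERROR_NAMES),
    ("SEC", SEC_ERROR_BASE, SEC_ERROR_BASE + 0x1000, SEC_ERROR_NAMES),
    ("SSL", SSL_ERROR_BASE, SSL_ERROR_BASE + 0x1000, SSL_ERROR_NAMES),
)


class Decoded(NamedTuple):
    code: int
    table: str            # "PR", "SEC", "SSL" or "unknown"
    base: int
    offset: int           # distance above the table base
    name: Optional[str]   # symbolic name when the subset knows it


def decode(code: int) -> Decoded:
    """Split a code into its table and offset; attach a name if known."""
    for table, lo, hi, names in TABLES:
        if lo <= code < hi:
            return Decoded(code, table, lo, code - lo, names.get(code - lo))
    return Decoded(code, "unknown", 0, 0, None)


def describe(code: int) -> str:
    """One-line human rendering, e.g. for pasting into a bug report."""
    d = decode(code)
    if d.table == "unknown":
        return f"{code}: outside the NSPR, SEC and SSL error ranges"
    name = d.name or f"unlisted offset, grep '+ {d.offset})' in the header"
    return f"{code}: {name} ({d.table} base {d.base} + {d.offset})"


def resolve_with_nss(code: int) -> Optional[Tuple[Optional[str], Optional[str]]]:
    """(name, message) from the installed libnss3/libnspr4, or None if absent.

    NSPR only knows NSS's table after NSS registers it, so NSS_NoDB_Init()
    runs first; no certificate database is needed for a name lookup.
    """
    nss_path, nspr_path = ctypes.util.find_library("nss3"), ctypes.util.find_library("nspr4")
    if not (nss_path and nspr_path):
        return None
    try:
        nss, nspr = ctypes.CDLL(nss_path), ctypes.CDLL(nspr_path)
        nss.NSS_NoDB_Init.argtypes = [ctypes.c_char_p]
        nss.NSS_NoDB_Init.restype = ctypes.c_int                   # SECStatus, 0 == SECSuccess
        nspr.PR_ErrorToName.argtypes = [ctypes.c_int32]            # PRErrorCode
        nspr.PR_ErrorToName.restype = ctypes.c_char_p
        nspr.PR_ErrorToString.argtypes = [ctypes.c_int32, ctypes.c_uint32]
        nspr.PR_ErrorToString.restype = ctypes.c_char_p
    except (OSError, AttributeError):
        return None
    if nss.NSS_NoDB_Init(None) != 0:
        return None
    name = nspr.PR_ErrorToName(code)
    text = nspr.PR_ErrorToString(code, 0)                          # 0 == PR_LANGUAGE_I_DEFAULT
    return (name.decode() if name else None, text.decode() if text else None)


if __name__ == "__main__":
    for arg in sys.argv[1:] or ["-8018"]:
        print(describe(int(arg)))
        live = resolve_with_nss(int(arg))
        if live:
            print(f"  installed NSS says: {live[0]} - {live[1]}")
```

Run it as `python3 nsserr.py -8018` on the affected host; the offline
line is enough to get from the Chrome log to the secerr.h symbol, and the
second line appears only when libnss3 and libnspr4 are loadable.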



-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
