touch-packages team mailing list archive

[Bug 1377284] [NEW] Cannot delete a private key using certutil -F

 

Public bug reported:

root@root:~/sandbox# certutil -K -d .pki/nssdb/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa      04ff65bfa43d71346c786d78e48ff0f2c9fccc71   (orphan)
< 1> rsa      c89d0f0a39893f5636281e708434cb2521c9c7e0   1.2.3.4
< 2> rsa      323236d51ca7a59a6cffe8622acb6836db78e565   (orphan)
< 3> rsa      4dd54c6572610a2b41ef06aa93f1845e6def2d8c   2.3.4.37
< 4> rsa      a7180b2d9f5dbbbfeb018ed12de8bdbc474967ef   (orphan)
< 5> rsa      8323fde266d0db66c19fda80edc8aae50f365e06   (orphan)

root@root:~/sandbox# certutil -L -d .pki/nssdb/

Certificate Nickname                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

1.2.3.4                                                    CTu,u,u
2.3.4.5                                                      u,u,u
2.3.4.7                                                      u,u,u
2.3.4.37                                                    u,u,u


root@root:~/sandbox# certutil -D -n 2.3.4.37 -d .pki/nssdb/

Here the cert got deleted

root@root:~/sandbox# certutil -L -d .pki/nssdb/

Certificate Nickname                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

1.2.3.4                                                    CTu,u,u
2.3.4.5                                                      u,u,u
2.3.4.7                                                      u,u,u


But the private key did not get deleted, which is expected I believe as I just deleted only the cert

root@root:~/sandbox# certutil -K -d .pki/nssdb/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa      04ff65bfa43d71346c786d78e48ff0f2c9fccc71   (orphan)
< 1> rsa      c89d0f0a39893f5636281e708434cb2521c9c7e0   1.2.3.4
< 2> rsa      323236d51ca7a59a6cffe8622acb6836db78e565   (orphan)
< 3> rsa      4dd54c6572610a2b41ef06aa93f1845e6def2d8c   2.3.4.37
< 4> rsa      a7180b2d9f5dbbbfeb018ed12de8bdbc474967ef   (orphan)
< 5> rsa      8323fde266d0db66c19fda80edc8aae50f365e06   (orphan)


So I attempted to delete the corresponding key

root@root:~/sandbox# certutil -F -n 2.3.4.37 -d .pki/nssdb/
Enter Password or Pin for "NSS Certificate DB":

But it did not delete as can be seen below.

root@root:~/sandbox# certutil -K -d .pki/nssdb/ -f .pki/conf/pwdfile.txt 
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      04ff65bfa43d71346c786d78e48ff0f2c9fccc71   (orphan)
< 1> rsa      c89d0f0a39893f5636281e708434cb2521c9c7e0   1.2.3.4
< 2> rsa      323236d51ca7a59a6cffe8622acb6836db78e565   (orphan)
< 3> rsa      4dd54c6572610a2b41ef06aa93f1845e6def2d8c   2.3.4.37
< 4> rsa      a7180b2d9f5dbbbfeb018ed12de8bdbc474967ef   (orphan)
< 5> rsa      8323fde266d0db66c19fda80edc8aae50f365e06   (orphan)

The only way I can get the key deleted is by executing a "-F key deletion"
on a key whose cert has not already been deleted. This however removes
the corresponding cert also. I know there is a bug on 'being unable to
delete an orphan key'. But I thought this is a distinct interesting
behavior.
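The sequence above relies on reading `certutil -K` listings by eye to see whether a key survived `-D` and `-F`. The following shell helpers are an added example (not part of the bug report and not NSS project code): they parse a `-K` listing into key ID and nickname, report orphan keys, and check whether a given key ID is still present, so a script can verify what each certutil step actually left behind. The parsing assumes the line layout shown in the report (`< n> type  keyid  nickname`); the sample listing is constructed from the report's own output. The optional `repro_orphan_after_delete` function replays the report's steps against a throwaway database; its empty-password file, noise file and the nickname `repro-cert` are assumptions for illustration, and it is skipped when certutil is not installed.

```shell
#!/bin/sh
# Added example, not from the bug report: helpers that parse `certutil -K`
# output so a script can verify what -D and -F actually removed.

# Constructed sample input: the key listing as printed in the report
# (key IDs and nicknames copied from the page).
SAMPLE_KEY_LISTING='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      04ff65bfa43d71346c786d78e48ff0f2c9fccc71   (orphan)
< 1> rsa      c89d0f0a39893f5636281e708434cb2521c9c7e0   1.2.3.4
< 2> rsa      323236d51ca7a59a6cffe8622acb6836db78e565   (orphan)
< 3> rsa      4dd54c6572610a2b41ef06aa93f1845e6def2d8c   2.3.4.37
< 4> rsa      a7180b2d9f5dbbbfeb018ed12de8bdbc474967ef   (orphan)
< 5> rsa      8323fde266d0db66c19fda80edc8aae50f365e06   (orphan)'

# key_table: read a -K listing on stdin, print "KEYID NICKNAME" per key.
# The key ID is the first field made of exactly 40 hex digits; everything
# after it is the nickname, which may contain spaces, or is "(orphan)".
key_table() {
  awk '/^<[ 0-9]*>/ {
    for (i = 1; i <= NF; i++)
      if ($i ~ /^[0-9a-f]+$/ && length($i) == 40) break
    if (i > NF) next                      # no key ID on this line: skip it
    nick = ""
    for (j = i + 1; j <= NF; j++) nick = nick (j > i + 1 ? " " : "") $j
    print $i " " nick
  }'
}

# orphan_key_ids: key IDs with no certificate attached, one per line.
orphan_key_ids() {
  key_table | awk '{ nick = substr($0, length($1) + 2) }
                   nick == "(orphan)" { print $1 }'
}

# key_id_for_nickname NICK: key ID backing the certificate NICK, if any.
key_id_for_nickname() {
  key_table | awk -v n="$1" '{ nick = substr($0, length($1) + 2)
                              if (nick == n) print $1 }'
}

# key_present KEYID: exit 0 if KEYID is still in the listing read on stdin.
key_present() {
  key_table | awk -v id="$1" '$1 == id { found = 1 } END { exit !found }'
}

# repro_orphan_after_delete DBDIR: replay the report's steps on a throwaway
# NSS database and check the key after each one. Needs certutil; returns 2
# when it is absent. Assumed for illustration: an empty password file, a
# 1 KiB noise file for key generation and the hypothetical nickname repro-cert.
repro_orphan_after_delete() {
  DBDIR=$1; NICK=repro-cert; PW="$DBDIR/pw.txt"
  command -v certutil >/dev/null 2>&1 || { echo "certutil not installed" >&2; return 2; }
  : > "$PW"
  head -c 1024 /dev/urandom > "$DBDIR/noise"
  certutil -N -d "$DBDIR" -f "$PW" || return 1
  certutil -S -d "$DBDIR" -f "$PW" -z "$DBDIR/noise" \
           -n "$NICK" -s "CN=$NICK" -x -t "u,u,u" || return 1
  KID=$(certutil -K -d "$DBDIR" -f "$PW" | key_id_for_nickname "$NICK")
  echo "key $KID backs $NICK"
  certutil -D -d "$DBDIR" -f "$PW" -n "$NICK"        # delete the cert only
  certutil -K -d "$DBDIR" -f "$PW" | key_present "$KID" \
    && echo "after -D: key kept as an orphan, as the report expects"
  certutil -F -d "$DBDIR" -f "$PW" -n "$NICK"        # the step the report says is a no-op
  if certutil -K -d "$DBDIR" -f "$PW" | key_present "$KID"; then
    echo "after -F: key $KID still present (the behaviour in the report)"; return 3
  fi
  echo "after -F: key $KID removed"
}

# Offline usage on the constructed sample:
printf '%s\n' "$SAMPLE_KEY_LISTING" | orphan_key_ids
printf '%s\n' "$SAMPLE_KEY_LISTING" | key_id_for_nickname 2.3.4.37
```

Piping a fresh `certutil -K -d DIR -f PWFILE` listing into `key_present` after each deletion turns the report's manual comparison into a pass/fail check, which is also the natural hook for a cleanup script that refuses to proceed while orphan keys remain.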


=========

lsb_release -rd
Description:	Ubuntu 12.04.5 LTS
Release:	12.04

=========

dpkg -l | grep nss
ii  insserv                          1.14.0-2.1ubuntu2                 Tool to organize boot sequence using LSB init.d script dependencies
ii  libnss3                          3.17-0ubuntu0.12.04.1             Network Security Service libraries
ii  libnss3-1d                       3.17-0ubuntu0.12.04.1             Network Security Service libraries
ii  libnss3-tools                    3.17.1-0ubuntu0.12.04.1           Network Security Service tools
ii  openssh-client                   1:5.9p1-5ubuntu1.4                secure shell (SSH) client, for secure access to remote machines
ii  openssh-server                   1:5.9p1-5ubuntu1.4                secure shell (SSH) server, for secure access from remote machines
ii  openssl                          1.0.1-4ubuntu5.17                 Secure Socket Layer (SSL) binary and related cryptographic tools

** Affects: nss (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: certutil nss pki

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to nss in Ubuntu.
https://bugs.launchpad.net/bugs/1377284

Title:
  Cannot delete a private key using certutil -F

Status in “nss” package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1377284/+subscriptions

