Firefox' password manager with sqlite based NSS

Wolfgang Rosenauer-2
Hi,

I'm trying to use Firefox with an sqlite based NSS. So far all the
certificate stuff still works as expected as far as I can see but the
password manager component is broken now:

The exposed error is this:

Login Manager: Initialization of storage component failed: [Exception...
"Component returned failure code: 0x80004005 (NS_ERROR_FAILURE)
[nsIPK11Token.initPassword]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"
location: "JS frame ::
file:///usr/lib/xulrunner-1.9.0.4/components/storage-Legacy.js ::
anonymous :: line 180"  data: no]

I tried to trace down as far as I could through the following failing calls:
http://mxr.mozilla.org/mozilla/source/security/nss/lib/pk11wrap/pk11auth.c#449
http://mxr.mozilla.org/mozilla/source/security/nss/lib/softoken/pkcs11.c#3099
http://mxr.mozilla.org/mozilla/source/security/nss/lib/softoken/sftkpwd.c#1254
http://mxr.mozilla.org/mozilla/source/security/nss/lib/softoken/sdb.c#1514

sqlerr = sqlite3_exec(sqlDB, PW_CREATE_TABLE_CMD, NULL, 0, NULL);

fails with error code 6 which seems to be "SQLITE_LOCKED"

Any ideas?


Wolfgang
_______________________________________________
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Firefox' password manager with sqlite based NSS

Nelson B Bolyard-2
Wolfgang Rosenauer wrote, On 2008-11-18 05:38:

> Hi,
>
> I'm trying to use Firefox with an sqlite based NSS. So far all the
> certificate stuff still works as expected as far as I can see but the
> password manager component is broken now:
>
> The exposed error is this:
>
> Login Manager: Initialization of storage component failed: [Exception...
> "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE)
> [nsIPK11Token.initPassword]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"
> location: "JS frame ::
> file:///usr/lib/xulrunner-1.9.0.4/components/storage-Legacy.js ::
> anonymous :: line 180"  data: no]
>
> I tried to trace down as far as I could through the following failing calls:

Here's a little more of that call stack:

http://mxr.mozilla.org/mozilla/source/toolkit/components/passwordmgr/src/storage-Legacy.js#179
http://mxr.mozilla.org/mozilla/source/security/manager/ssl/src/nsPK11TokenDB.cpp#337

This is in a call to C_InitPIN, which sets a new password on a DB.
This is not a "login" type call.  Is that what you really intended to do?

Re: Firefox' password manager with sqlite based NSS

Wolfgang Rosenauer-2
In reply to this post by Wolfgang Rosenauer-2
Nelson B Bolyard wrote:

> Wolfgang Rosenauer wrote, On 2008-11-18 05:38:
>> Hi,
>>
>> I'm trying to use Firefox with an sqlite based NSS. So far all the
>> certificate stuff still works as expected as far as I can see but the
>> password manager component is broken now:
>>
>> The exposed error is this:
>>
>> Login Manager: Initialization of storage component failed: [Exception...
>> "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE)
>> [nsIPK11Token.initPassword]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"
>> location: "JS frame ::
>> file:///usr/lib/xulrunner-1.9.0.4/components/storage-Legacy.js ::
>> anonymous :: line 180"  data: no]
>>
>> I tried to trace down as far as I could through the following failing calls:
>
> Here's a little more of that call stack:
>
> http://mxr.mozilla.org/mozilla/source/toolkit/components/passwordmgr/src/storage-Legacy.js#179
> http://mxr.mozilla.org/mozilla/source/security/manager/ssl/src/nsPK11TokenDB.cpp#337
>
>> http://mxr.mozilla.org/mozilla/source/security/nss/lib/pk11wrap/pk11auth.c#449
>> http://mxr.mozilla.org/mozilla/source/security/nss/lib/softoken/pkcs11.c#3099
>> http://mxr.mozilla.org/mozilla/source/security/nss/lib/softoken/sftkpwd.c#1254
>> http://mxr.mozilla.org/mozilla/source/security/nss/lib/softoken/sdb.c#1514
>>
>> sqlerr = sqlite3_exec(sqlDB, PW_CREATE_TABLE_CMD, NULL, 0, NULL);
>>
>> fails with error code 6 which seems to be "SQLITE_LOCKED"
>>
>> Any ideas?
>
> This is in a call to C_InitPIN, which sets a new password on a DB.
> This is not a "login" type call.  Is that what you really intended to do?

Hmm, now that you say that...
It's not much about what I intend to do since I'm just trying to use
Firefox ;-)
But yeah, it might go wrong before that trace already?

http://mxr.mozilla.org/mozilla/source/toolkit/components/passwordmgr/src/storage-Legacy.js#176

176         var token = tokenDB.getInternalKeyToken();
177         if (token.needsUserInit) {
178             this.log("Initializing key3.db with default blank password.");
179             token.initPassword("");

Is it expected that token.needsUserInit is true if there already is a
NSS database without a master password? Probably not. I've just checked
what happens if I remove the token.needsUserInit case and it now doesn't
fail to load the login storage component anymore. But trying to save a
password still doesn't work as Firefox "fails to encrypt string".

Something must be broken in my NSS database :-(

Thanks,
Wolfgang

Re: Firefox' password manager with sqlite based NSS

Robert Relyea
Wolfgang Rosenauer wrote:

> Nelson B Bolyard wrote:
>  
>> Wolfgang Rosenauer wrote, On 2008-11-18 05:38:
>>    
>>> Hi,
>>>
>>> I'm trying to use Firefox with an sqlite based NSS. So far all the
>>> certificate stuff still works as expected as far as I can see but the
>>> password manager component is broken now:
>>>
>>> The exposed error is this:
>>>
>>> Login Manager: Initialization of storage component failed: [Exception...
>>> "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE)
>>> [nsIPK11Token.initPassword]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"
>>> location: "JS frame ::
>>> file:///usr/lib/xulrunner-1.9.0.4/components/storage-Legacy.js ::
>>> anonymous :: line 180"  data: no]
>>>
>>> I tried to trace down as far as I could through the following failing calls:
>>>      
>> Here's a little more of that call stack:
>>
>> http://mxr.mozilla.org/mozilla/source/toolkit/components/passwordmgr/src/storage-Legacy.js#179
>> http://mxr.mozilla.org/mozilla/source/security/manager/ssl/src/nsPK11TokenDB.cpp#337
>>
>>    
>>> http://mxr.mozilla.org/mozilla/source/security/nss/lib/pk11wrap/pk11auth.c#449
>>> http://mxr.mozilla.org/mozilla/source/security/nss/lib/softoken/pkcs11.c#3099
>>> http://mxr.mozilla.org/mozilla/source/security/nss/lib/softoken/sftkpwd.c#1254
>>> http://mxr.mozilla.org/mozilla/source/security/nss/lib/softoken/sdb.c#1514
>>>
>>> sqlerr = sqlite3_exec(sqlDB, PW_CREATE_TABLE_CMD, NULL, 0, NULL);
>>>
>>> fails with error code 6 which seems to be "SQLITE_LOCKED"
>>>
>>> Any ideas?
>>>      
>> This is in a call to C_InitPIN, which sets a new password on a DB.
>> This is not a "login" type call.  Is that what you really intended to do?
>>    
>
> Hmm, now that you say that...
> It's not much about what I intend to do since I'm just trying to use
> Firefox ;-)
> But yeah, it might go wrong before that trace already?
>
> http://mxr.mozilla.org/mozilla/source/toolkit/components/passwordmgr/src/storage-Legacy.js#176
>
> 176         var token = tokenDB.getInternalKeyToken();
> 177         if (token.needsUserInit) {
> 178             this.log("Initializing key3.db with default blank password.");
> 179             token.initPassword("");
>
> Is it expected that token.needsUserInit is true if there already is a
> NSS database without a master password? Probably not. I've just checked
> what happens if I remove the token.needsUserInit case and it now doesn't
> fail to load the login storage component anymore. But trying to save a
> password still doesn't work as Firefox "fails to encrypt string".
>
> Something must be broken in my NSS database :-(
>  
It's true if there's an NSS database, but it hasn't been "Initialized"
yet. Usually we don't store anything in the database until it's
initialized. This coincides with your back trace above.... an
initialized database already has all of its tables.

One way you can get in this state is if you lose your key database (you
also get in this state when you first create the database). Typically
needsUserInit means there isn't a password record in your key database.
Without this you can not store any keys. The difference between 'not
initialized', 'doesn't have a master password', and 'has a master
password' is as follows:

   1) 'not initialized' --- no password record.
   2) 'doesn't have a master password' --- has a password record, and
the password record is encrypted with a key derived from 'NULL' (\0).
   3) 'has a master password' - has a password record, and key isn't
derived from NULL.

The NSS tools usually create new databases and initialize them at the
same time. I think mozilla creates new databases, and initializes them
later.
Question: is this an updated profile, or is this a new profile?

bob
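
The "not initialized" state described above can be checked directly on a sqlite key database, read-only, without going through Firefox. This is an added example, not part of the original post and not NSS code; it assumes the softoken stores the password record as the row with id 'password' in a table named metaData, and the sample databases are constructed.

```python
import sqlite3
import tempfile
from pathlib import Path

# Assumption (not stated in the thread): the softoken keeps the password
# record as the row with id 'password' in a table named metaData.
METADATA_SCHEMA = ("CREATE TABLE metaData "
                   "(id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2)")


def key_db_state(path):
    """Classify a sqlite key DB without modifying it."""
    path = Path(path)
    if not path.exists():
        return "missing"
    # mode=ro: never create the file or write to a profile that is in use.
    con = sqlite3.connect(path.resolve().as_uri() + "?mode=ro", uri=True)
    try:
        has_table = con.execute(
            "SELECT 1 FROM sqlite_master "
            "WHERE type = 'table' AND name = 'metaData'").fetchone()
        if has_table is None:
            return "not initialized (no metaData table)"
        record = con.execute(
            "SELECT 1 FROM metaData WHERE id = 'password'").fetchone()
    finally:
        con.close()
    if record is None:
        return "not initialized (no password record)"
    # States 2 and 3 from the post both land here: telling a "" password
    # from a real one means verifying the record, which is left to NSS.
    return "initialized (password record present)"


def build_samples(directory):
    """Constructed sample DBs, one per condition; record bytes are dummies."""
    paths = {"absent": Path(directory) / "absent.db"}
    for name in ("no_table", "no_record", "with_record"):
        paths[name] = Path(directory) / (name + ".db")
        con = sqlite3.connect(str(paths[name]))
        con.execute("CREATE TABLE placeholder (x)")  # forces file creation
        if name != "no_table":
            con.execute(METADATA_SCHEMA)
        if name == "with_record":
            con.execute(
                "INSERT INTO metaData (id, item1, item2) VALUES (?, ?, ?)",
                ("password", b"constructed-salt", b"constructed-check"))
        con.commit()
        con.close()
    return paths


def demo():
    """Return {sample name: state} for the constructed databases."""
    with tempfile.TemporaryDirectory() as d:
        return {k: key_db_state(p) for k, p in build_samples(d).items()}


if __name__ == "__main__":
    for name, state in demo().items():
        print(name, "->", state)
```
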

Re: Firefox' password manager with sqlite based NSS

Wolfgang Rosenauer-2
In reply to this post by Wolfgang Rosenauer-2
Robert Relyea wrote:

>> Hmm, now that you say that...
>> It's not much about what I intend to do since I'm just trying to use
>> Firefox ;-)
>> But yeah, it might go wrong before that trace already?
>>
>> http://mxr.mozilla.org/mozilla/source/toolkit/components/passwordmgr/src/storage-Legacy.js#176
>>
>>
>> 176         var token = tokenDB.getInternalKeyToken();
>> 177         if (token.needsUserInit) {
>> 178             this.log("Initializing key3.db with default blank password.");
>> 179             token.initPassword("");
>>
>> Is it expected that token.needsUserInit is true if there already is a
>> NSS database without a master password? Probably not. I've just checked
>> what happens if I remove the token.needsUserInit case and it now doesn't
>> fail to load the login storage component anymore. But trying to save a
>> password still doesn't work as Firefox "fails to encrypt string".
>>
>> Something must be broken in my NSS database :-(
>>  
> It's true if there's an NSS database, but it hasn't been "Initialized"
> yet. Usually we don't store anything in the database until it's
> initialized. This coincides with your back trace above.... an
> initialized database already has all of its tables.
>
> One way you can get in this state is if you lose your key database (you
> also get in this state when you first create the database). Typically
> needsUserInit means there isn't a password record in your key database.
> Without this you can not store any keys. The difference between 'not
> initialized', 'doesn't have a master password', and 'has a master
> password' is as follows:
>
>   1) 'not initialized' --- no password record.
>   2) 'doesn't have a master password' --- has a password record, and the
> password record is encrypted with a key derived from 'NULL' (\0).
>   3) 'has a master password' - has a password record, and key isn't
> derived from NULL.
>
> The NSS tools usually create new databases and initialize them at the
> same time. I think mozilla creates new databases, and initializes them
> later.
> Question: is this an updated profile, or is this a new profile?

This was a new profile actually. And yes, the database which reveals
this issue isn't complete it seems. I removed it and created a new empty
one using "certutil -d sql:. -N" and now Firefox works correctly.

What I've used to create the shared database is actually the same as in
the thread "NSS DB migration problem" and something really seems to be
broken with it.

Thanks for the explanation,
 Wolfgang

Re: Firefox' password manager with sqlite based NSS

Robert Relyea
Wolfgang Rosenauer wrote:

> Robert Relyea wrote:
>  
> This was a new profile actually. And yes, the database which reveals
> this issue isn't complete it seems. I removed it and created a new empty
> one using "certutil -d sql:. -N" and now Firefox works correctly.
>
> What I've used to create the shared database is actually the same as in
> the thread "NSS DB migration problem" and something really seems to be
> broken with it.
>  
and thanks for the report. I need to solve why mozilla is having trouble
creating new databases.

bob

Re: Firefox' password manager with sqlite based NSS

Nelson B Bolyard-2
In reply to this post by Robert Relyea
Robert Relyea wrote:

> Typically
> needsUserInit means there isn't a password record in your key database.
> Without this you can not store any keys. The difference between 'not
> initialized', 'doesn't have a master password', and 'has a master
> password' is as follows:
>
>   1) 'not initialized' --- no password record.
>   2) 'doesn't have a master password' --- has a password record, and the
> password record is encrypted with a key derived from 'NULL' (\0).
>   3) 'has a master password' - has a password record, and key isn't
> derived from NULL.

Bob, correct me if I'm wrong, but that distinction is purely in PSM, not
in NSS, right?

IINM in NSS, there are only two states:
  - no password record
  - password record exists
and NSS does not give special treatment to the null password case,
but rather PSM handles that.

Do I remember that correctly?

Re: Firefox' password manager with sqlite based NSS

Nelson B Bolyard-2
In reply to this post by Wolfgang Rosenauer-2
Wolfgang Rosenauer wrote:

> This was a new profile actually. And yes, the database which reveals
> this issue isn't complete it seems. I removed it and created a new empty
> one using "certutil -d sql:. -N" and now Firefox works correctly.

It is possible that code that uses NSS in ways not tested by certutil
may encounter bugs not seen with certutil.  This MAY be just such a bug.
Please file a bugzilla bug report about this.

> What I've used to create the shared database is actually the same as in
> the thread "NSS DB migration problem" and something really seems to be
> broken with it.

That thread seemed to die unresolved, with some questions unanswered
(questions that I asked).  So, let me ask you directly,

Are you trying to use NSS_InitWithMerge to create a new cert9.DB
where none existed before?

I'm pretty sure that that function has not been tested for that purpose.
Perhaps it needs to detect the case where the "target" DB does not
already exist and handle it differently.

Re: Firefox' password manager with sqlite based NSS

Robert Relyea
In reply to this post by Nelson B Bolyard-2
Nelson Bolyard wrote:

> Robert Relyea wrote:
>  
>> Typically
>> needsUserInit means there isn't a password record in your key database.
>> Without this you can not store any keys. The difference between 'not
>> initialized', 'doesn't have a master password', and 'has a master
>> password' is as follows:
>>
>>   1) 'not initialized' --- no password record.
>>   2) 'doesn't have a master password' --- has a password record, and the
>> password record is encrypted with a key derived from 'NULL' (\0).
>>   3) 'has a master password' - has a password record, and key isn't
>> derived from NULL.
>>    
>
> Bob, correct me if I'm wrong, but that distinction is purely in PSM, not
> in NSS, right?
>
> IINM in NSS, there are only two states:
>   - no password record
>   - password record exists
> and NSS does not give special treatment to the null password case,
> but rather PSM handles that.
>
> Do I remember that correctly?
>  
No, it's a semantic of softoken.
In general the NSS tools try to convince you that you must set a
password, but that's a semantic of certutil, not the softoken itself
(well unless you are in FIPS mode).
No one outside of softoken knows that a password of "" means no
password. That's strictly a softoken semantic and has been since the
beginning of NSS (that is before there was a softoken;).

bob

Re: Firefox' password manager with sqlite based NSS

Wolfgang Rosenauer-2
In reply to this post by Wolfgang Rosenauer-2
Hi,

Nelson Bolyard wrote:

> Wolfgang Rosenauer wrote:
>
> It is possible that code that uses NSS in ways not tested by certutil
> may encounter bugs not seen with certutil.  This MAY be just such a bug.
> Please file a bugzilla bug report about this.
>
>> What I've used to create the shared database is actually the same as in
>> the thread "NSS DB migration problem" and something really seems to be
>> broken with it.
>
> That thread seemed to die unresolved, with some questions unanswered
> (questions that I asked).  So, let me ask you directly,

I'm not the author of that function but as it's OSS:

> Are you trying to use NSS_InitWithMerge to create a new cert9.DB
> where none existed before?

Yes. NSS_InitWithMerge is used regardless of an existing cert9.db (and
even cert8.db). The conversion function uses pretty much what is on
https://wiki.mozilla.org/NSS_Shared_DB#Type_A mentioned as "simple
update". Only if NSS_InitWithMerge fails it does NSS_Initialize instead
to create the new db but that didn't happen.

> I'm pretty sure that that function has not been tested for that purpose.
> Perhaps it needs to detect the case where the "target" DB does not
> already exist and handle it differently.

As far as I can see https://wiki.mozilla.org/NSS_Shared_DB is unclear
about the fact if it can be used to create a db from scratch.


Thanks,
 Wolfgang

Re: Firefox' password manager with sqlite based NSS

Wolfgang Rosenauer-2
Wolfgang Rosenauer wrote:

>> Are you trying to use NSS_InitWithMerge to create a new cert9.DB
>> where none existed before?
>
> Yes. NSS_InitWithMerge is used regardless of an existing cert9.db (and
> even cert8.db). The conversion function uses pretty much what is on
> https://wiki.mozilla.org/NSS_Shared_DB#Type_A mentioned as "simple
> update". Only if NSS_InitWithMerge fails it does NSS_Initialize instead
> to create the new db but that didn't happen.
>
>> I'm pretty sure that that function has not been tested for that purpose.
>> Perhaps it needs to detect the case where the "target" DB does not
>> already exist and handle it differently.
>
> As far as I can see https://wiki.mozilla.org/NSS_Shared_DB is unclear
> about the fact if it can be used to create a db from scratch.

I can confirm that NSS_InitWithMerge doesn't create a working database
here at least if none existed before. So it should either fail or handle
that case in future versions. I'll try some more things.

Wolfgang

Re: Firefox' password manager with sqlite based NSS

Nelson B Bolyard-2
Wolfgang Rosenauer wrote:

> Wolfgang Rosenauer wrote:
>
>>> Are you trying to use NSS_InitWithMerge to create a new cert9.DB
>>> where none existed before?
>> Yes. NSS_InitWithMerge is used regardless of an existing cert9.db (and
>> even cert8.db). The conversion function uses pretty much what is on
>> https://wiki.mozilla.org/NSS_Shared_DB#Type_A mentioned as "simple
>> update". Only if NSS_InitWithMerge fails it does NSS_Initialize instead
>> to create the new db but that didn't happen.
>>
>>> I'm pretty sure that that function has not been tested for that purpose.
>>> Perhaps it needs to detect the case where the "target" DB does not
>>> already exist and handle it differently.
>> As far as I can see https://wiki.mozilla.org/NSS_Shared_DB is unclear
>> about the fact if it can be used to create a db from scratch.
>
> I can confirm that NSS_InitWithMerge doesn't create a working database
> here at least if none existed before. So it should either fail or handle
> that case in future versions. I'll try some more things.

Wolfgang,
Thank you for your continued efforts in this area.
Please file a bug in bugzilla about this finding.
A small test program would be VERY helpful, but not absolutely essential.