Libnss3 doesn't log SEC_ERROR_UNKNOWN_PKCS11_ERROR properly ( NSS error code: -8018 )

Hello,

Thanks for filing this bug and helping us get better. I tried to take a look into this but I can't seem to be able to reproduce this. Do you have a set of steps so that I can reproduce this, maybe?

Without being able to reproduce the above issue, I am not sure how much I/we might be able to help but we try our best. :)

Let us know the same and please change the status of the bug to "New" again once you do that and we'll be happy to take a look again! \o/

[Expired for nss (Ubuntu) because there has been no activity for 60 days.]

Hello, after months of debugging and having also not working HTTPS issues with Electron(https://github.com/electron) packaged proprietary apps(Slack and Discord) while not having issues with other Signal(also based on Electron) , Chromium and Firefox were working I've started to digging around dynamic libraries of all those.
All those use NSS and PKCS#11 to lookup certificates and keys
I've found that the root cause was the ~/pki/nssdb/pkcs11.txt file. After moving it away file regenerated as described in newly reported bug #1993963. Besides this there were entries created for PKCS#11 token on Polish national ID ( PIV card with NFC layer): https://www.gov.pl/pliki/edowod/e-dowod-4.2.3.run. leading to final form:
$ modutil -list -dbdir ~/.pki/nssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
    uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.68
  slots: 2 slots attached
 status: loaded

  slot: NSS Internal Cryptographic Services
 token: NSS Generic Crypto Services
   uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  slot: NSS User Private Key and Certificate Services
 token: NSS Certificate DB
   uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. Mozilla Root Certs
 library name: /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
    uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Builtin%20Object%20Cryptoki%20Modu;library-version=2.50
  slots: 1 slot attached
 status: loaded

  slot: NSS Builtin Objects
 token: Builtin Object Token
   uri: pkcs11:token=Builtin%20Object%20Token;manufacturer=Mozilla%20Foundation;serial=1;model=1

  3. e-dowód (64 bits)
 library name: /opt/e-dowod/e-dowod-pkcs11-64.so
    uri: pkcs11:library-manufacturer=PWPW%20S.A.;library-description=PL-ID%20PKCS%2311%20API%20v.4.2.2.1;library-version=4.2
  slots: There are no slots attached to this module
 status: loaded

  4. OpenSC smartcard framework (0.22)
 library name: /usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so
    uri: pkcs11:library-manufacturer=OpenSC%20Project;library-description=OpenSC%20smartcard%20framework;library-version=0.22
  slots: There are no slots attached to this module
 status: loaded

After trying to add and remove subsequent PKCS#11 modules I wasn't able to reproduce the bug anymore, I guess it could be due lack of seperating endlines in pkcs11.txt when the software modified it directly in txt file instead of using modutil command.

Regarding this particular bug I would leave it open -as the logging issue persist in case anyone would have similar bug - the error code NSS error code: -8018 is to enigmatic, even googling doesn't return much info. I needed to download source code to determine that -8018 means SEC_ERROR_UNKNOWN_PKCS11_ERROR . Even if one would get such error he should be provided with more information in terms of problem context, and if it's caused by external library which doesn't return those - name of ...

Good to hear that the issue is kind of resolved for you. The logging improvements you mentioned should be addressed by upstream, if you manage to find patches to achieve this we could take a look if it would worth a Stable Release Update (SRU).

Thanks, what would be upstream bugzilla for libnss?

Hi Bartłomiej, NSS is in the regular mozilla bugzilla at https://bugzilla.mozilla.org/home. You can file or search for bugs related to NSS by specifying "NSS" as the Product, e.g.:

https://bugzilla.mozilla.org/buglist.cgi?resolution=---&query_format=advanced&product=NSS&order=Importance&classification=Client%20Software&classification=Developer%20Infrastructure&classification=Components&classification=Server%20Software&classification=Other

Upstream bug report attached

Based on the latest upstream comment, I am marking this one as invalid as well. If you disagree with the assessment, please, set this back to new and state why you believe this is indeed a bug in the Ubuntu package.

Hi,
I had the same error message when launching google-chrome.
I got rid of it by removing my ~/.pki/ directory.

I'm aware workarounds are possibile but this bug is about 'libnss provides
very nigmatic error code -8018:'
also deleting configs without understanding the background I won't even
consider as a workaround - it will definiately will make you trouble in
other places like enforcing to reinstall propriertary PKI token driver

wt., 14 maj 2024, 13:20 użytkownik Laurent Bonnaud <
<email address hidden>> napisał:

> Hi,
> I had the same error message when launching google-chrome.
> I got rid of it by removing my ~/.pki/ directory.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1960736
>
> Title:
> Libnss3 doesn't log SEC_ERROR_UNKNOWN_PKCS11_ERROR properly ( NSS
> error code: -8018 )
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/nss/+bug/1960736/+subscriptions
>
>