1 Reply Latest reply: Feb 25, 2013 8:08 PM by 992649

    Erroneous duplicate entries appearing in SunPKCS11 NSS KeyStore

    992649
      Using the Java PKCS #11 NSS Based KeyStore API (SunPKCS11 provider) in OpenJDK 7, I am managing to get my NSS DB into a bad state:

      certutil from NSS is showing that an alias is getting duplicated again and again on every attempt to overwrite an existing entry with new data:

      Certificate Nickname        Trust Attributes
                                  SSL,S/MIME,JAR/XPI

      sub-ca-node-mgmt            u,u,u
      root-ca                     u,u,u
      sub-ca-endpoints            u,u,u
      sub-ca-node-mgmt            ,,

      I am only trying to delete the entry using deleteEntry (in this case sub-ca-node-mgmt), then store an updated version of it (you could imagine this as replacing an expired certificate with the updated version) using setKeyEntry. If I add additional code to reload the keyStore after deleting the entry, this does not make any difference in the result. If I rerun the code over again, I can get as many separate copies of sub-ca-node-mgmt as you could imagine. If I comment out the call to setKeyEntry, the problem stops happening.

      Thus I suspect that setKeyEntry is either not working as advertised, or I am misusing the API. Does anyone have a working example of how to delete and overwrite an existing entry in the PKCS11 KeyStore?

      Edited by: 989646 on Feb 21, 2013 6:44 PM
        • 1. Re: Erroneous duplicate entries appearing in SunPKCS11 NSS KeyStore
          992649
          Found the root cause for this one. The code which generated the RSA key for the cert was not quite right, and mismatched the certs and keys. When this happened it broke the NSS DB, because the association between the keys and certs got damaged, and Java could not access the DB reliably anymore. However, Java is still part of the problem, because it fails to check if the CKA_ID (NSS / PKCS11 Key ID), which is calculated from the RSA modulus inside the public key / cert and the private key, are properly matching or not.
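
Added example, not code from the thread or from the JDK: one way to refuse a key/certificate mismatch before replacing a KeyStore entry, since the reply above says the provider does not check it. The class and method names (KeyCertMatch, matches, replaceEntry) are hypothetical, the key pairs in main are generated inline as constructed sample data, and the password argument is passed through unchanged because its handling depends on the provider.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.Certificate;
import java.security.interfaces.RSAKey;

public class KeyCertMatch {
    // True only if priv and pub are the two halves of the same RSA key pair.
    static boolean matches(PrivateKey priv, PublicKey pub) throws GeneralSecurityException {
        // Fast path: both halves share one modulus, when the key objects expose it.
        if (priv instanceof RSAKey && pub instanceof RSAKey) {
            BigInteger a = ((RSAKey) priv).getModulus();
            BigInteger b = ((RSAKey) pub).getModulus();
            if (!a.equals(b)) return false;
        }
        // Proof of possession: sign a random challenge with the private key and
        // verify it with the public key. Needs no access to private key material.
        byte[] challenge = new byte[32];
        new SecureRandom().nextBytes(challenge);
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(priv);
        signer.update(challenge);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(pub);
        verifier.update(challenge);
        return verifier.verify(sig);
    }

    // Hypothetical helper: delete-then-set, but only after the leaf certificate
    // (chain[0]) has been shown to belong to the private key being stored.
    static void replaceEntry(KeyStore ks, String alias, PrivateKey key,
                             char[] password, Certificate[] chain)
            throws GeneralSecurityException {
        if (chain == null || chain.length == 0 || !matches(key, chain[0].getPublicKey()))
            throw new KeyStoreException("private key does not match certificate for " + alias);
        if (ks.containsAlias(alias)) ks.deleteEntry(alias);
        ks.setKeyEntry(alias, key, password, chain);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair a = gen.generateKeyPair(); // constructed sample keys
        KeyPair b = gen.generateKeyPair();
        System.out.println("same pair:  " + matches(a.getPrivate(), a.getPublic()));
        System.out.println("mixed pair: " + matches(b.getPrivate(), a.getPublic()));
    }
}
```

The check runs before deleteEntry, so a mismatched pair is rejected while the existing entry is still intact.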