Cannot delete a private key using certutil -F

Bug #1377284 reported by Rajaram Soundararajan
Affects: nss (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

root@root:~/sandbox# certutil -K -d .pki/nssdb/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa 04ff65bfa43d71346c786d78e48ff0f2c9fccc71 (orphan)
< 1> rsa c89d0f0a39893f5636281e708434cb2521c9c7e0 1.2.3.4
< 2> rsa 323236d51ca7a59a6cffe8622acb6836db78e565 (orphan)
< 3> rsa 4dd54c6572610a2b41ef06aa93f1845e6def2d8c 2.3.4.37
< 4> rsa a7180b2d9f5dbbbfeb018ed12de8bdbc474967ef (orphan)
< 5> rsa 8323fde266d0db66c19fda80edc8aae50f365e06 (orphan)

root@root:~/sandbox# certutil -L -d .pki/nssdb/

Certificate Nickname Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

1.2.3.4 CTu,u,u
2.3.4.5 u,u,u
2.3.4.7 u,u,u
2.3.4.37 u,u,u

root@root:~/sandbox# certutil -D -n 2.3.4.37 -d .pki/nssdb/

Here the cert got deleted.

root@root:~/sandbox# certutil -L -d .pki/nssdb/

Certificate Nickname Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

1.2.3.4 CTu,u,u
2.3.4.5 u,u,u
2.3.4.7 u,u,u

But the private key did not get deleted, which is expected, I believe, as I deleted only the cert.

root@root:~/sandbox# certutil -K -d .pki/nssdb/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa 04ff65bfa43d71346c786d78e48ff0f2c9fccc71 (orphan)
< 1> rsa c89d0f0a39893f5636281e708434cb2521c9c7e0 1.2.3.4
< 2> rsa 323236d51ca7a59a6cffe8622acb6836db78e565 (orphan)
< 3> rsa 4dd54c6572610a2b41ef06aa93f1845e6def2d8c 2.3.4.37
< 4> rsa a7180b2d9f5dbbbfeb018ed12de8bdbc474967ef (orphan)
< 5> rsa 8323fde266d0db66c19fda80edc8aae50f365e06 (orphan)

So I attempted to delete the corresponding key.

root@root:~/sandbox# certutil -F -n 2.3.4.37 -d .pki/nssdb/
Enter Password or Pin for "NSS Certificate DB":

But it did not delete as can be seen below.

root@root:~/sandbox# certutil -K -d .pki/nssdb/ -f .pki/conf/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa 04ff65bfa43d71346c786d78e48ff0f2c9fccc71 (orphan)
< 1> rsa c89d0f0a39893f5636281e708434cb2521c9c7e0 1.2.3.4
< 2> rsa 323236d51ca7a59a6cffe8622acb6836db78e565 (orphan)
< 3> rsa 4dd54c6572610a2b41ef06aa93f1845e6def2d8c 2.3.4.37
< 4> rsa a7180b2d9f5dbbbfeb018ed12de8bdbc474967ef (orphan)
< 5> rsa 8323fde266d0db66c19fda80edc8aae50f365e06 (orphan)

The only way I can get the key deleted is by executing a "-F key deletion" on a key whose cert has not already been deleted. This, however, removes the corresponding cert also. I know there is a bug on 'being unable to delete an orphan key', but I thought this is a distinct, interesting behavior.
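An added audit check, not part of this report or of NSS, that parses `certutil -K` and `certutil -L` text and flags keys left in the state shown above: still labelled with a nickname, but with no matching certificate in the DB, so `-F -n <nickname>` no longer reaches them. The two regexes and the embedded sample (copied from this report's output) are assumptions about certutil's line format.

```python
import re

# Constructed sample, copied from the report's `certutil -K` and `-L` output after
# `certutil -D -n 2.3.4.37`: key 3 keeps its label although its cert is gone.
KEY_OUTPUT = """\
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa 04ff65bfa43d71346c786d78e48ff0f2c9fccc71 (orphan)
< 1> rsa c89d0f0a39893f5636281e708434cb2521c9c7e0 1.2.3.4
< 2> rsa 323236d51ca7a59a6cffe8622acb6836db78e565 (orphan)
< 3> rsa 4dd54c6572610a2b41ef06aa93f1845e6def2d8c 2.3.4.37
"""
CERT_OUTPUT = """\
Certificate Nickname Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
1.2.3.4 CTu,u,u
2.3.4.5 u,u,u
2.3.4.7 u,u,u
"""

# "< 3> rsa <40 hex chars> <nickname or (orphan)>" (assumed certutil -K line shape)
KEY_LINE = re.compile(r"^<\s*(\d+)>\s+(\w+)\s+([0-9a-f]{40})\s+(.+)$")
# "<nickname> <SSL>,<S/MIME>,<JAR/XPI>" trust triple; the two header lines do not match
CERT_LINE = re.compile(r"^(.+?)\s+([CTcpPuw]*,[CTcpPuw]*,[CTcpPuw]*)$")

def parse_key_list(output):
    """certutil -K text -> [(index, type, keyid, nickname or None)]; banner and prompt lines skipped."""
    keys = []
    for line in output.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            idx, ktype, keyid, label = m.groups()
            label = label.strip()
            keys.append((int(idx), ktype, keyid, None if label == "(orphan)" else label))
    return keys

def parse_cert_list(output):
    """certutil -L text -> {nickname: trust attributes}."""
    certs = {}
    for line in output.splitlines():
        m = CERT_LINE.match(line.strip())
        if m:
            certs[m.group(1).strip()] = m.group(2)
    return certs

def stale_labelled_keys(key_output, cert_output):
    """Key IDs still labelled with a nickname whose certificate is no longer in the DB:
    the post-`-D` state from the report, where `-F -n <nickname>` no longer removes the key."""
    nicks = parse_cert_list(cert_output)
    return [k[2] for k in parse_key_list(key_output) if k[3] is not None and k[3] not in nicks]
```

Keys reported as `(orphan)` are the ones certutil itself already knows have no cert; the stale-labelled set is the one this report shows slipping past `-F`.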

=========

lsb_release -rd
Description: Ubuntu 12.04.5 LTS
Release: 12.04

=========

dpkg -l | grep nss
ii insserv 1.14.0-2.1ubuntu2 Tool to organize boot sequence using LSB init.d script dependencies
ii libnss3 3.17-0ubuntu0.12.04.1 Network Security Service libraries
ii libnss3-1d 3.17-0ubuntu0.12.04.1 Network Security Service libraries
ii libnss3-tools 3.17.1-0ubuntu0.12.04.1 Network Security Service tools
ii openssh-client 1:5.9p1-5ubuntu1.4 secure shell (SSH) client, for secure access to remote machines
ii openssh-server 1:5.9p1-5ubuntu1.4 secure shell (SSH) server, for secure access from remote machines
ii openssl 1.0.1-4ubuntu5.17 Secure Socket Layer (SSL) binary and related cryptographic tools

Tags: certutil nss pki