Cannot delete a private key using certutil -F

Bug #1377284 reported by Rajaram Soundararajan on 2014-10-03
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
nss (Ubuntu)
Undecided
Unassigned

Bug Description

root@root:~/sandbox# certutil -K -d .pki/nssdb/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa 04ff65bfa43d71346c786d78e48ff0f2c9fccc71 (orphan)
< 1> rsa c89d0f0a39893f5636281e708434cb2521c9c7e0 1.2.3.4
< 2> rsa 323236d51ca7a59a6cffe8622acb6836db78e565 (orphan)
< 3> rsa 4dd54c6572610a2b41ef06aa93f1845e6def2d8c 2.3.4.37
< 4> rsa a7180b2d9f5dbbbfeb018ed12de8bdbc474967ef (orphan)
< 5> rsa 8323fde266d0db66c19fda80edc8aae50f365e06 (orphan)

root@root:~/sandbox# certutil -L -d .pki/nssdb/

Certificate Nickname Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

1.2.3.4 CTu,u,u
2.3.4.5 u,u,u
2.3.4.7 u,u,u
2.3.4.37 u,u,u

root@root:~/sandbox# certutil -D -n 2.3.4.37 -d .pki/nssdb/

Here the cert got deleted

root@root:~/sandbox# certutil -L -d .pki/nssdb/

Certificate Nickname Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

1.2.3.4 CTu,u,u
2.3.4.5 u,u,u
2.3.4.7 u,u,u

But the private key did not get which is expected I believe as I just deleted only the cert

root@root:~/sandbox# certutil -K -d .pki/nssdb/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa 04ff65bfa43d71346c786d78e48ff0f2c9fccc71 (orphan)
< 1> rsa c89d0f0a39893f5636281e708434cb2521c9c7e0 1.2.3.4
< 2> rsa 323236d51ca7a59a6cffe8622acb6836db78e565 (orphan)
< 3> rsa 4dd54c6572610a2b41ef06aa93f1845e6def2d8c 2.3.4.37
< 4> rsa a7180b2d9f5dbbbfeb018ed12de8bdbc474967ef (orphan)
< 5> rsa 8323fde266d0db66c19fda80edc8aae50f365e06 (orphan)

So I attempted to delete the corresponding key

root@root:~/sandbox# certutil -F -n 2.3.4.37 -d .pki/nssdb/
Enter Password or Pin for "NSS Certificate DB":

But it did not delete as can be seen below.

root@root:~/sandbox# certutil -K -d .pki/nssdb/ -f .pki/conf/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa 04ff65bfa43d71346c786d78e48ff0f2c9fccc71 (orphan)
< 1> rsa c89d0f0a39893f5636281e708434cb2521c9c7e0 1.2.3.4
< 2> rsa 323236d51ca7a59a6cffe8622acb6836db78e565 (orphan)
< 3> rsa 4dd54c6572610a2b41ef06aa93f1845e6def2d8c 2.3.4.37
< 4> rsa a7180b2d9f5dbbbfeb018ed12de8bdbc474967ef (orphan)
< 5> rsa 8323fde266d0db66c19fda80edc8aae50f365e06 (orphan)

Only way I can get the key deleted is by executing a "-F key deletion" on a key whose cert has not already been deleted. This however removes the corresponding cert also. I know there is a bug on 'being unable to delete a orphan key'. But I thought this is a distinct interesting behavior.

=========

lsb_release -rd
Description: Ubuntu 12.04.5 LTS
Release: 12.04

=========

dpkg -l | grep nss
ii insserv 1.14.0-2.1ubuntu2 Tool to organize boot sequence using LSB init.d script dependencies
ii libnss3 3.17-0ubuntu0.12.04.1 Network Security Service libraries
ii libnss3-1d 3.17-0ubuntu0.12.04.1 Network Security Service libraries
ii libnss3-tools 3.17.1-0ubuntu0.12.04.1 Network Security Service tools
ii openssh-client 1:5.9p1-5ubuntu1.4 secure shell (SSH) client, for secure access to remote machines
ii openssh-server 1:5.9p1-5ubuntu1.4 secure shell (SSH) server, for secure access from remote machines
ii openssl 1.0.1-4ubuntu5.17 Secure Socket Layer (SSL) binary and related cryptographic tools

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers