Hello, after months of debugging HTTPS that did not work in the proprietary apps packaged with Electron (https://github.com/electron), Slack and Discord, while Signal (also based on Electron), Chromium and Firefox were working, I started digging around in the dynamic libraries of all of those.
All of those use NSS and PKCS#11 to look up certificates and keys.
I've found that the root cause was the ~/pki/nssdb/pkcs11.txt file. After moving it away, the file was regenerated as described in the newly reported bug #1993963. Besides this, there were entries created for the PKCS#11 token of the Polish national ID (PIV card with NFC layer): https://www.gov.pl/pliki/edowod/e-dowod-4.2.3.run, leading to the final form:
$ modutil -list -dbdir ~/.pki/nssdb/
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.68
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
2. Mozilla Root Certs
library name: /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Builtin%20Object%20Cryptoki%20Modu;library-version=2.50
slots: 1 slot attached
status: loaded
slot: NSS Builtin Objects
token: Builtin Object Token
uri: pkcs11:token=Builtin%20Object%20Token;manufacturer=Mozilla%20Foundation;serial=1;model=1
3. e-dowód (64 bits)
library name: /opt/e-dowod/e-dowod-pkcs11-64.so
uri: pkcs11:library-manufacturer=PWPW%20S.A.;library-description=PL-ID%20PKCS%2311%20API%20v.4.2.2.1;library-version=4.2
slots: There are no slots attached to this module
status: loaded
4. OpenSC smartcard framework (0.22)
library name: /usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so
uri: pkcs11:library-manufacturer=OpenSC%20Project;library-description=OpenSC%20smartcard%20framework;library-version=0.22
slots: There are no slots attached to this module
status: loaded
After trying to add and remove subsequent PKCS#11 modules I wasn't able to reproduce the bug anymore. I guess it could be due to a lack of separating newlines in pkcs11.txt when the software modified the txt file directly instead of using the modutil command.
Regarding this particular bug, I would leave it open, as the logging issue persists, in case anyone has a similar bug. The error code "NSS error code: -8018" is too enigmatic; even googling doesn't return much info. I needed to download the source code to determine that -8018 means SEC_ERROR_UNKNOWN_PKCS11_ERROR. Even if one gets such an error, he should be provided with more information about the problem context, and if it's caused by an external library which doesn't return it, the name of that particular library and the call stack.
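
A read-only check for the condition suspected above (module entries in pkcs11.txt running together without a separating blank line), added here as an example and not part of the original comment or of NSS. It also lists every `library=` path that does not exist, since each of those lines names a shared object that NSS-based applications will try to load. The sample text is constructed, and the check assumes the usual pkcs11.txt layout of key=value stanzas separated by blank lines.

```python
import os
import sys

# Constructed sample: the blank line between the last two modules is missing.
SAMPLE = """\
library=
name=NSS Internal PKCS #11 Module
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100

library=/opt/e-dowod/e-dowod-pkcs11-64.so
name=e-dowód (64 bits)
library=/usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so
name=OpenSC smartcard framework (0.22)
"""

def parse_stanzas(text):
    """Split pkcs11.txt content into stanzas of (line_no, key, value)."""
    stanzas, current = [], []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():          # a blank line closes the current stanza
            if current:
                stanzas.append(current)
                current = []
            continue
        key, sep, value = line.partition("=")
        current.append((no, key.strip() if sep else None, value.strip()))
    if current:
        stanzas.append(current)
    return stanzas

def check(text, exists=os.path.exists):
    """Return findings as (line_no, message) tuples; never modifies the file."""
    findings = []
    for stanza in parse_stanzas(text):
        seen = set()
        for no, key, value in stanza:
            if key is None:
                findings.append((no, "line is not key=value"))
                continue
            k = key.lower()
            if k in ("library", "name") and k in seen:
                findings.append((no, f"second '{key}=' in one stanza: missing blank line?"))
            seen.add(k)
            if k == "library" and value and not exists(value):
                findings.append((no, f"library not found: {value}"))
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for no, msg in check(text):
        print(f"line {no}: {msg}")
```

Run it with the path to a pkcs11.txt as the only argument; with no argument it checks the constructed sample.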