Fix firefox test

aidangarske · aidangarske · commit 25f9b2c2c16f · 2026-04-09T16:28:16.000-07:00
diff --git a/src/internal.c b/src/internal.c
@@ -8158,6 +8158,9 @@ static WP11_Object* wp11_Session_FindNext(WP11_Session* session, int onToken,
         }
    #endif
 
+        /* Note: this CKA_PRIVATE check is intentionally active in NSS mode.
+         * NSS accesses private objects by handle (via WP11_Object_Find) rather
+         * than discovering them through C_FindObjects enumeration. */
         if ((ret->opFlag & WP11_FLAG_PRIVATE) == WP11_FLAG_PRIVATE) {
             if (!onToken)
                 WP11_Lock_LockRO(&session->slot->token.lock);
@@ -9176,7 +9179,10 @@ int WP11_Object_Find(WP11_Session* session, CK_OBJECT_HANDLE objHandle,
     }
 
     if (ret == 0 && obj != NULL && (obj->handle == objHandle)) {
-        /* Enforce CKA_PRIVATE: reject private objects from public sessions */
+#ifndef WOLFPKCS11_NSS
+        /* Enforce CKA_PRIVATE: reject private objects from public sessions.
+         * Skipped in NSS mode because NSS operates as the internal crypto
+         * module without calling C_Login. */
         if ((obj->opFlag & WP11_FLAG_PRIVATE) == WP11_FLAG_PRIVATE) {
             int loginState;
             WP11_Lock_LockRO(&session->slot->lock);
@@ -9188,6 +9194,7 @@ int WP11_Object_Find(WP11_Session* session, CK_OBJECT_HANDLE objHandle,
             }
             WP11_Lock_UnlockRO(&session->slot->lock);
         }
+#endif
         if (ret == 0)
             *object = obj;
     }
diff --git a/tests/pkcs11test.c b/tests/pkcs11test.c
@@ -16675,6 +16675,7 @@ static CK_RV test_private_object_access(void* args)
     return ret;
 }
 
+#ifndef WOLFPKCS11_NSS
 static CK_RV test_private_object_handle_access(void* args)
 {
     CK_SESSION_HANDLE session = *(CK_SESSION_HANDLE*)args;
@@ -16735,6 +16736,7 @@ static CK_RV test_private_object_handle_access(void* args)
 
     return ret;
 }
+#endif /* !WOLFPKCS11_NSS */
 
 /* C_GetAttributeValue must process all attributes in the template even when one
  * returns an error, setting ulValueLen to (CK_ULONG)-1 for invalid types and
@@ -17269,7 +17271,9 @@ static TEST_FUNC testFunc[] = {
     PKCS11TEST_FUNC_SESS_DECL(test_get_attr_value_all_processed),
     PKCS11TEST_FUNC_SESS_DECL(test_find_objects),
     PKCS11TEST_FUNC_SESS_DECL(test_private_object_access),
+#ifndef WOLFPKCS11_NSS
     PKCS11TEST_FUNC_SESS_DECL(test_private_object_handle_access),
+#endif
     PKCS11TEST_FUNC_SESS_DECL(test_encrypt_decrypt),
 #ifndef NO_AES
     PKCS11TEST_FUNC_SESS_DECL(test_encrypt_decrypt_op_not_supported),

Original file line number	Diff line number	Diff line change
`@@ -8158,6 +8158,9 @@ static WP11_Object* wp11_Session_FindNext(WP11_Session* session, int onToken,`
`8158`	`8158`	`}`
`8159`	`8159`	`#endif`
`8160`	`8160`
	`8161`	`+ /* Note: this CKA_PRIVATE check is intentionally active in NSS mode.`
	`8162`	`+ * NSS accesses private objects by handle (via WP11_Object_Find) rather`
	`8163`	`+ * than discovering them through C_FindObjects enumeration. */`
`8161`	`8164`	`if ((ret->opFlag & WP11_FLAG_PRIVATE) == WP11_FLAG_PRIVATE) {`
`8162`	`8165`	`if (!onToken)`
`8163`	`8166`	`WP11_Lock_LockRO(&session->slot->token.lock);`
`@@ -9176,7 +9179,10 @@ int WP11_Object_Find(WP11_Session* session, CK_OBJECT_HANDLE objHandle,`
`9176`	`9179`	`}`
`9177`	`9180`
`9178`	`9181`	`if (ret == 0 && obj != NULL && (obj->handle == objHandle)) {`
`9179`		`- /* Enforce CKA_PRIVATE: reject private objects from public sessions */`
	`9182`	`+#ifndef WOLFPKCS11_NSS`
	`9183`	`+ /* Enforce CKA_PRIVATE: reject private objects from public sessions.`
	`9184`	`+ * Skipped in NSS mode because NSS operates as the internal crypto`
	`9185`	`+ * module without calling C_Login. */`
`9180`	`9186`	`if ((obj->opFlag & WP11_FLAG_PRIVATE) == WP11_FLAG_PRIVATE) {`
`9181`	`9187`	`int loginState;`
`9182`	`9188`	`WP11_Lock_LockRO(&session->slot->lock);`
`@@ -9188,6 +9194,7 @@ int WP11_Object_Find(WP11_Session* session, CK_OBJECT_HANDLE objHandle,`
`9188`	`9194`	`}`
`9189`	`9195`	`WP11_Lock_UnlockRO(&session->slot->lock);`
`9190`	`9196`	`}`
	`9197`	`+#endif`
`9191`	`9198`	`if (ret == 0)`
`9192`	`9199`	`*object = obj;`
`9193`	`9200`	`}`