Bug 229023 (Closed)
Opened 21 years ago; closed 21 years ago
NSS cmds' pwd callbacks should call PK11_ProtectedAuthenticationPath()
Categories: NSS :: Tools, enhancement, P3
Tracking: Not tracked
Status: RESOLVED FIXED; target milestone 3.9.1
People: Reporter: nelson; Assigned: rrelyea
Attachments (1 file): patch, 1.67 KB; rrelyea: review+
In news://news.mozilla.org:119/brvig3$81g4l$1@ID-171477.news.uni-berlin.de
Chris wrote:
> I implemented a PKCS#11 device using an external pinpad
> for PIN input. Therefore the CKF_PROTECTED_AUTHENTICATION_PATH flag
> has been set in the CK_TOKEN_INFO struct returned by C_GetTokenInfo().
> Although this flag has been set, Mozilla/Firebird prompts the
> user with a PIN dialog for PIN input!?! Normally it should recognize
> the flag and pass NULL_PTR to C_Login() like the pkcs#11 standard says!
> How can I prevent NSS from prompting the user with a PIN input dialog?
> Is this a known bug? Why do all Mozilla/Firebirds ignore the flag?
> Is there a solution for the problem?
Comment 1 • 21 years ago, Reporter
I'm changing this bug to an RFE for the password callback function used in
NSS's QA test programs. That function, SECU_GetModulePassword(), should
exemplify the use of PK11_ProtectedAuthenticationPath() to deal with
devices that have their own pinpads or other I&A methods.
> How can i prevent NSS from prompting the user with a pin input dialog?
NSS doesn't prompt the user directly. It calls a callback function
provided by the application program (e.g. the browser). That function,
the "password callback function", which is part of the browser, not NSS,
does whatever it wants to with respect to prompting the user.
NSS provides a function by which a password callback function can ask
NSS "does the token in this slot have a protected authentication path?"
That function is PK11_ProtectedAuthenticationPath().
The application's password callback function is supposed to call it,
but mozilla/*bird do not have code that does so.
The reason why NSS calls the callback, even when the
CKF_PROTECTED_AUTHENTICATION_PATH is present, is that the application
MAY need to prompt the user to enter the PIN on the external pinpad.
The application would use the return value from
PK11_ProtectedAuthenticationPath, and the "retry" flag (an argument to
the password callback function itself) to decide whether to display
any prompt, and whether that prompt should say "Enter your password
here in this dialog" or "Enter your password on the PinPad now".
> Why do all Mozilla/Firebirds ignore the flag?
I think the answer is that their password callback functions were
modelled after the NSS QA test programs, none of which call
PK11_ProtectedAuthenticationPath(). In that respect, the NSS QA
test programs are not particularly exemplary.
> Is there a solution for the problem?
The solution is to get mozilla's password callback function,
PK11PasswordPrompt (see
http://lxr.mozilla.org/mozilla/source/security/manager/ssl/src/nsNSSCallbacks.cpp#120),
to call PK11_ProtectedAuthenticationPath() and use its answer.
Since there is no full-time staff working on PSM now
(PSM is the part of the mozilla browser that interfaces to NSS),
this change is not likely to happen until some volunteer contributes
a patch that does it (hint, hint).
Also, an NSS engineer should add some code to the NSS QA test password
callback function to demonstrate the use of
PK11_ProtectedAuthenticationPath().
There is also a workaround. When mozilla asks for a password,
just type in some random string and click OK (or press enter).
When the password callback returns to NSS, NSS will notice the
CKF_PROTECTED_AUTHENTICATION_PATH flag, and will
"pass NULL_PTR to C_Login() like the pkcs#11 standard says!"
regardless of what password you entered (provided you entered a
non-empty password).
So, all you need to do is get past the password callback function and
the right thing should happen. But don't try to get past it without
entering some non-empty password.
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Component: Libraries → Tools
Ever confirmed: true
Priority: -- → P3
Summary: NSS ignores CKF_PROTECTED_AUTHENTICATION_PATH → NSS cmds' pwd callbacks should call PK11_ProtectedAuthenticationPath()
Comment 2 • 21 years ago, Reporter
This untested patch demonstrates the basic points.
If PK11_ProtectedAuthenticationPath(slot) returns true,
then tell the user to enter his PIN on the external
device, and return a non-null string. In this case,
it returns "external", but any string will do.
The string must be strdup'ed, IIRC.
Something similar to this needs to be done in mozilla's
password callback functions, too.
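The callback behaviour Nelson describes in comment 1 (consult PK11_ProtectedAuthenticationPath(), use the retry flag to pick the prompt, hand back a non-empty heap string when the pinpad does the work) and the patch sketch in comment 2, written out as an added example. This is not the bug's attachment and not NSS's secutil.c code, and NSS is not linked: DemoSlot, demo_protected_auth_path(), choose_prompt(), password_reply() and demo_password_callback() are stand-ins I introduced that mirror the shape of NSS's opaque PK11SlotInfo, PK11_ProtectedAuthenticationPath() and the PK11PasswordFunc callback installed with PK11_SetPasswordFunc(); the token names and typed input are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Stand-in for NSS's opaque PK11SlotInfo (assumption: only whether the
 * token advertised CKF_PROTECTED_AUTHENTICATION_PATH matters here).
 */
typedef struct DemoSlot {
    const char *token_name;
    int protected_auth_path; /* 1 if CK_TOKEN_INFO carried the flag */
} DemoSlot;

/* Stand-in for PK11_ProtectedAuthenticationPath(slot), which returns PRBool. */
static int demo_protected_auth_path(const DemoSlot *slot)
{
    return slot->protected_auth_path;
}

/* Copy a string into memory the caller (NSS) frees later, like strdup. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/*
 * Prompt text for the dialog. retry is non-zero when NSS calls back after a
 * failed C_Login, so the wording must change; with a protected path the user
 * must be told to act on the pinpad, not in the dialog.
 */
const char *choose_prompt(const DemoSlot *slot, int retry)
{
    if (demo_protected_auth_path(slot))
        return retry ? "PIN rejected. Enter your PIN on the pinpad again now."
                     : "Enter your PIN on the pinpad now.";
    return retry ? "Password incorrect. Enter the token password here:"
                 : "Enter the token password here:";
}

/*
 * Decide what the callback hands back to NSS.
 *   typed   - what the user typed in the dialog (NULL if nothing)
 *   returns - heap string for NSS, or NULL to abort the login
 * With a protected path the PIN never passes through the application; a
 * placeholder is returned so NSS proceeds to C_Login() with NULL_PTR.
 */
char *password_reply(const DemoSlot *slot, const char *typed)
{
    if (demo_protected_auth_path(slot))
        return dup_string("external");
    if (typed == NULL || typed[0] == '\0')
        return NULL; /* treat an empty entry as cancel rather than send "" */
    return dup_string(typed);
}

/*
 * Callback in the shape NSS expects from PK11_SetPasswordFunc:
 *   char *cb(PK11SlotInfo *slot, PRBool retry, void *arg)
 * with DemoSlot and int standing in for those types. Reads from stdin.
 */
char *demo_password_callback(DemoSlot *slot, int retry, void *arg)
{
    char buf[256];
    (void)arg;
    fprintf(stderr, "[%s] %s\n", slot->token_name, choose_prompt(slot, retry));
    if (demo_protected_auth_path(slot))
        return password_reply(slot, NULL); /* nothing to read; the pinpad has it */
    if (!fgets(buf, sizeof buf, stdin))
        return NULL;
    buf[strcspn(buf, "\r\n")] = '\0';
    return password_reply(slot, buf);
}

int main(void)
{
    DemoSlot pinpad = { "pinpad-token", 1 }; /* constructed sample slot */
    DemoSlot soft = { "softoken", 0 };       /* constructed sample slot */
    char *r;

    r = demo_password_callback(&pinpad, 0, NULL);
    printf("pinpad token: callback returned \"%s\"\n", r ? r : "(null)");
    free(r);

    r = demo_password_callback(&soft, 0, NULL);
    printf("software token: callback returned %s\n", r ? "a password" : "NULL");
    free(r);
    return 0;
}
```

The split between choose_prompt() and password_reply() is deliberate: the decision about what NSS receives depends only on the slot's protected-path property and the typed text, so it can be exercised without a terminal, while the I/O stays in the thin callback wrapper.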
Comment 4 • 21 years ago, Reporter
Comment on attachment 137738: untested patch v1
I'd like to check this patch in, even if it's not the final solution to this
RFE.
Attachment #137738 flags: review?(rrelyea0264)
Comment 5 • 21 years ago, Assignee
Comment on attachment 137738: untested patch v1
It would be nice to test this patch.
BTW, PSM *DID* have support for protected pin path. A vendor did the work and
it was checked into PSM a couple of years ago. My guess is the Firebird code
has regressed. There was a similar bug I saw on this as well.
bob
Attachment #137738 flags: review?(rrelyea0264) → review+
Comment 6 • 21 years ago, Reporter
Bob, I don't see any evidence of any protected pin path code in the CVS log
for the source file that contains mozilla's password callback function.
Are you sure that work got checked in, on the PSM trunk?
Do you know any protected pin path module with which the above patch can be
tested?
Comment 7 • 21 years ago, Reporter
The submitter of this bug tested this patch for me and verified that it works
with his PKCS11 module.
/cvsroot/mozilla/security/nss/cmd/lib/secutil.c,v <-- secutil.c
new revision: 1.60; previous revision: 1.59
/cvsroot/mozilla/security/nss/cmd/lib/secutil.h,v <-- secutil.h
new revision: 1.14; previous revision: 1.13
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.9.1
Comment 8 • 20 years ago
Hey there,
this is an important fix, and I do not understand why it did not make its way
to a Mozilla build yet; as of today, the current Mozilla build 1.7.2 still has
this bug.
Comment 9 • 20 years ago
Rene:
In comment 1, Nelson changed the scope of this bug
to cover only the password callback function used
in NSS's QA test programs. We did not fix the
password callback function in Mozilla. This is
why Mozilla 1.7.2 still has this bug.
You should open a bug against the product "PSM".
At the end of comment 1, Nelson's answer to the
question "Is there a solution for the problem?"
describes how one might fix this bug in Mozilla.
I encourage you to submit a patch.
Comment 10 • 20 years ago, Reporter
The reason that mozilla's PSM is unfixed is that no-one works on PSM.
PSM is effectively an orphan. I filed this bug against NSS, not PSM,
because it was apparent that the most that we (NSS team) could do about it
was to be exemplary in the proper handling of it in NSS sample programs.
Comment 11 • 20 years ago
OK, I thought someone had already opened a bug report for the PSM module. I know
it's an orphan and I feel that it is really a shame: no S/MIME V3 or anything in the
near term... there will be a time when Windows users will have to use Outlook to
use newer technology, ugh.
Does anybody here know by chance where within the Mozilla code this kind of patch
could be applied? I would need a good Mozilla build for presentation purposes,
and this password popup is really silly...