1024965 - Plugin whitelist request: Nexus Personal (not the same as BankID)

Status: VERIFIED FIXED

(Firefox Graveyard :: Plugin Click-To-Activate Whitelist, defect)

Description

[Samuel Erdtman]

<<Please supply the following information for new plugin whitelist requests>>

Plugin name: Nexus Personal
Vendor: Technology Nexus AB
Point of contact: samuel@nexusgroup.com, martin.furuhed@nexusgroup.com
Current version: 4.24.1
Download URL: The application is not publicly available, please send Samuel or Martin an email to receive a copy.
Sample URL of plugin in use: The application is not publicly available, please send Samuel or Martin an email for a demo page

Plugin details: Installed as part of neXus Personal Security Client a smart-card middleware. Used by banks, clearinghouses, national id programs etc. over the world. (Nexus Personal has a historic relationship with Nexus Personal BankID, but since a few years the products has went separate ways.)

neXus is currently working on the replacement and intend to release the first version of the replacement after summer. We will keep the plugins during a transitioning period, but are in communication with our customers to quicken the transition. During 2015 the need for the plugins should have been removed. The solution will not include any new extension, the connection between browser and neXus Personal Security Client will be handled by standard web technologies.

<<For each affected operating system, please copy the plugin information from about:plugins in Firefox>>
== Mac OS X ==
Nexus Personal

    File: PersonalPlugin.bundle
    Path: /Applications/Personal.app/Contents/SharedSupport/PersonalPlugin.bundle
    Version: 4.24.1.10913
    State: Enabled
    Nexus Personal 4.24.1.10913

MIME Type	Description	Suffixes
application/x-personal-signer	Signer	
application/x-personal-regutil	Enrollment	
application/x-personal-signer2	Signer XML	
application/x-personal-version	Version	
application/x-personal-webadmin	Administration	
application/x-personal-logout	Logout	
application/x-personal-authentication	Authentication

== Windows ==
Nexus Personal

    File: np_prsnl.dll
    Version: 4.24.1.10913
    State: Enabled
    Nexus Personal Plug-Ins

MIME Type	Description	Suffixes
application/x-personal-signer	Signer	
application/x-personal-regutil	Enrolment	
application/x-personal-logout	Logout	
application/x-personal-version	Version	
application/x-personal-webadmin	WebAdmin	
application/x-personal-authentication	Authentication	
application/x-personal-signer2	Signer2	
application/x-personal-clm	CLM

== Linux ==
Nexus Personal

    File: libplugins.so
    Path: /usr/local/lib/personal/libplugins.so
    Version: 
    State: Enabled
    Nexus Personal Plug-Ins

MIME Type       Description     Suffixes
application/x-personal-regutil  Regutil 
application/x-personal-signer   Signer  
application/x-personal-signer2  Signer2 
application/x-personal-version  Version 
application/x-personal-authentication   Authentication  
application/x-personal-webadmin Webadmin        
application/x-personal-logout   Logout  
application/x-personal-clm      CLM



Are there any variations in the plugin file name, MIME types, description, or version from one release to the next?
Version number is increased.

Are there any known security issues in current or older versions of the plugin?
No.

Comment 1

[Benjamin Smedberg]

The linux data is surprising: "libplugins.so" is not a normal NPAPI plugin name. It is symlinked from /usr/lib/mozilla/plugins under that name or a different name?

PersonalPlugin.bundle is also a bit surprising: is it linked from /Library/Internet Plug-Ins ?


When you say that it will be replaced by web technologies: we currently don't have a web API for smart cards. Are you saying that you are moving away from smart card technology? We are actively looking for partners who are interested in helping us spec and build a native interface layer for crypto hardware/smartcards.

Comment 2

[Samuel Erdtman]

Hi Benjamin,

The neXus Personal plugins are part of the neXus Personal application which is a complete application that could be used without the plugins, and the plugins are linked from there. 
Is there a problem with the plugin name not being as expected? If there is a problem could you point us to some resources with details on how to name plugins. These plugins have existed for quite some time by now so it might be that we are following some older paradigm. If could you give me some more details I would be happy to answer why files are placed in a certain place with certain names.
For linux libplugins is linked like this:
lrwxrwxrwx 1 root root     37 Jun 24 00:49 libplugins.so -> /usr/local/lib/personal/libplugins.so

We are aware that there is no web browser integration for smart cards, I cannot share the details for our solution publicly since it has not been released yet, I could in a private email conversation or a Skype call if it is necessary. 
I was initially hoping that WebCrypto could solve this gap but as that work progressed it did not move in that direction. Now it has been a while since I followed the details of WebCrypto so I do not know if there has been any change to that. If Mozilla has interest in working with smart cards in some way we would be very interested cooperating. I cannot share details on how we

Best Regards
Samuel Erdtman

(In reply to Benjamin Smedberg  [:bsmedberg] from comment #1)
> The linux data is surprising: "libplugins.so" is not a normal NPAPI plugin
> name. It is symlinked from /usr/lib/mozilla/plugins under that name or a
> different name?
> 
> PersonalPlugin.bundle is also a bit surprising: is it linked from
> /Library/Internet Plug-Ins ?
> 
> 
> When you say that it will be replaced by web technologies: we currently
> don't have a web API for smart cards. Are you saying that you are moving
> away from smart card technology? We are actively looking for partners who
> are interested in helping us spec and build a native interface layer for
> crypto hardware/smartcards.

Comment 3

[Marco Mucci [:MarcoM]]

Added to Iteration 34.1

Comment 4

[Blair McBride [:Unfocused] (UNAVAILABLE)]

Attachment: Patch v1

Comment 5

[Blair McBride [:Unfocused] (UNAVAILABLE)]

https://hg.mozilla.org/integration/fx-team/rev/3ab31cfb6837

Comment 6

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/3ab31cfb6837

Comment 7

[Blair McBride [:Unfocused] (UNAVAILABLE)]

Samuel: This has landed in Nightly. Could you please do a QA pass using a Nightly build from http://nightly.mozilla.org/. Using a new Firefox profile (https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles) to ensure that the plugin activates without a popup and appears as "Always Activate" in the Add-ons Manager. Report back in this bug when QA is complete. Please try to complete QA by the end of the week.

Comment 8

[Samuel Erdtman]

Hi Blair,

I cannot seem to get it to work, I downloaded firefox-34.0a1.en-US.mac.dmg from http://nightly.mozilla.org/ and created a new profile according to https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles (but with FirefoxNightly).

I still get the activate plugin prompt. Am I doing something wrong?

Image of my failure
https://dl.dropboxusercontent.com/u/10828630/Personal.png

Do you need additional information on what I did?

Best Regards
Samuel Erdtman
Product Manager

(In reply to Blair McBride [:Unfocused] from comment #7)
> Samuel: This has landed in Nightly. Could you please do a QA pass using a
> Nightly build from http://nightly.mozilla.org/. Using a new Firefox profile
> (https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-
> firefox-profiles) to ensure that the plugin activates without a popup and
> appears as "Always Activate" in the Add-ons Manager. Report back in this bug
> when QA is complete. Please try to complete QA by the end of the week.

Comment 9

[Georg Fritzsche [:gfritzsche]]

Comment on attachment 8460694 [details] [diff] [review]
Patch v1

Review of attachment 8460694 [details] [diff] [review]:
-----------------------------------------------------------------

::: browser/app/profile/firefox.js
@@ +826,5 @@
>  #endif
>  
> +// Nexus Personal, bug 1024965
> +#ifdef XP_WIN
> +pref("plugins.state.np_prsnl", 2);

Hm, typos here too on all three platforms :(
Should be "plugin.state.*", not "plugins.state.*".

Comment 10

[Blair McBride [:Unfocused] (UNAVAILABLE)]

Foiled by a typo :\

Backout: https://hg.mozilla.org/integration/fx-team/rev/54598200f301
Reland:  https://hg.mozilla.org/integration/fx-team/rev/f4ac52fb6c84

Comment 11

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/f4ac52fb6c84

Comment 12

[Bogdan Maris, Desktop QA]

Verified as fixed on Windows 7 64bit, Ubuntu 13.04 64bit and Mac OS X 10.9.4 using latest Nightly.
Used the demo account and other instructions received from Samuel via e-mail to verify that the plugin is whitelisted, Nexus Personal 4.24.2.10931 is set to 'Always Activate' by default in about:addons.

Comment 13

[Blair McBride [:Unfocused] (UNAVAILABLE)]

Samuel: Could you re-do QA on the latest Nightly build? Thanks!

Comment 14

[Samuel Erdtman]

We have now tested the nightly build and it works. Thanks!

Comment 15

[Blair McBride [:Unfocused] (UNAVAILABLE)]

Benjamin: Guessing you'll want this in your spreadsheet.

Comment 16

[Benjamin Smedberg]

Comment on attachment 8460694 [details] [diff] [review]
Patch v1

Approval Request Comment
[Feature/regressing bug #]: whitelist request
[User impact if declined]:
[Describe test coverage new/current, TBPL]:
[Risks and why]: very low
[String/UUID change made/needed]: none

Comment 17

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-aurora/rev/16bf6714c6a0
https://hg.mozilla.org/releases/mozilla-beta/rev/c2fc1e357ca0

Comment 18

[Bogdan Maris, Desktop QA]

Verified as fixed on Windows 7 64bit, Ubuntu 13.04 64bit and Mac OS X 10.9.4 using latest Aurora and Firefox 32 beta 5.
Used the demo account and other instructions received from Samuel via e-mail to verify that the plugin is whitelisted, Nexus Personal 4.24.2.10931 is set to 'Always Activate' by default in about:addons.