111080 - certs imported from p12 and certs generated on card behave differently on ActivCard.

Status: RESOLVED INVALID

(Core Graveyard :: Security: UI, defect, P2)

Description

[Stephane Saux]

First, some background:

The NSS pkcs 11 implementation strives to ensure that the password for a token
is only asked when a private key operation is needed.  Thus, if the module/toke
are properly configured, opening the cert manager shouldn't require the user to
be logged in the token.

Earlier today, Nelson Bolyard complained that opening the cert manager while not
logged in did cause the browser to prompt him for the ActivCard password.

After conversations with Bob Relyea it became clear that the module had not been
installed using the third parameter of pkcs11.addmodule() (see:
http://developer.netscape.com/docs/manuals/security/jmpkcs/jimpkcs.htm#addmodule)
which allows one to set the PKCS11_PUB_READABLE_CERT_FLAG while installing the
module.

I updated Bill Burn's ActivCard add module script to set that flag, and reloaded
the module.

For reference the new code to load the modules reads:
// set the flags for 
//Stored certs can be read off the token w/o logging in 
PKCS11_PUB_READABLE_CERT_FLAG  =  0x1<<28;
var flags = 0;
flags |= PKCS11_PUB_READABLE_CERT_FLAG;

result = pkcs11.addmodule("ActivCard Gold", "ns-acpkcs.dll", flags, 0);

Having done that, opening the cert manager withoug being logged in does not
prompt one for the ActivCard Gold password.
-- End of Background.

-- Start of bug report.
The bug is that if you have certs on the card that were generated, you will see
your certs. If the certs on the card were imported from a p12, you will not see
the certs in the cert manager until you're logged in to the token.

Bob Relyea's theory is that the public key is not stored on the token during a
p12 import.

Indeed, when trying to open the cert manager and fill the user certs tab, the
cod e will call PK11_IsUserCert(), which given a cert tries to determine whether
it's a user cert by one of the following methods:
  -- if the cert token is logged in, try to find the private key.
  -- if the token is not logged in, and not required to be
(PKCS11_PUB_READABLE_CERT_FLAG set), then try to find the public key. If the
public key is found assume that the private key is also there.

In the case of p12 imported certs, the search for the public key fails.
In the case of certs generated on the token, the search succeeds.

To reproduce:
On a new profile, install the module with the flag set.
With an empty card, obtain dual key certs from https://testca.netscape.com
Once you have the certs, quit the browser.
start the browser.
1) check in prefs->Priv&sec->certificates->device manager, that ActivCard token
is not logged in by selecting it (the "log in" button should be active).
2) close the device manager.
3) open the cert manager. You can view your certs.
go to https://testca.netscape.com:500 which requires client-authentication.  The
private key is needed, you're prompted to enter your ActivCard password.

Quit the browser.

Using the ActivCard utility, delete the two certs (see bug 111078)

Obtain a p12 containing dual key certs from testca.netscape.com. You can use a
different profile, generate them on the software security device, back them up,
restart, import them on the card.

restart the browser, and follow steps 1-3 above. On step 3 the certs do not show.
Close the cert manager, open the device manager, log in to the token, open the
cert manager, the certs show up.

Comment 1

[John Unruh]

nsbeta1

Comment 2

[Stephane Saux]

cc ActivCard contact.

This needs to be tested again both with the new NSS and with any updated pkcs11
driver from ActivCard.

Comment 3

[John G. Myers]

Mass reassign ssaux bugs to nobody

Comment 4

[Kai Engert (:KaiE:)]

changing obsolete psm* target to --- (unspecified)