First, some background:

The NSS pkcs 11 implementation strives to ensure that the password for a token is only asked when a private key operation is needed. Thus, if the module/token are properly configured, opening the cert manager shouldn't require the user to be logged in the token.

Earlier today, Nelson Bolyard complained that opening the cert manager while not logged in did cause the browser to prompt him for the ActivCard password. After conversations with Bob Relyea it became clear that the module had not been installed using the third parameter of pkcs11.addmodule() (see: http://developer.netscape.com/docs/manuals/security/jmpkcs/jimpkcs.htm#addmodule) which allows one to set the PKCS11_PUB_READABLE_CERT_FLAG while installing the module.

I updated Bill Burn's ActivCard add module script to set that flag, and reloaded the module. For reference the new code to load the modules reads:

// set the flags for
//Stored certs can be read off the token w/o logging in
PKCS11_PUB_READABLE_CERT_FLAG = 0x1<<28;
var flags = 0;
flags |= PKCS11_PUB_READABLE_CERT_FLAG;
result = pkcs11.addmodule("ActivCard Gold", "ns-acpkcs.dll", flags, 0);

Having done that, opening the cert manager without being logged in does not prompt one for the ActivCard Gold password.

-- End of Background.

-- Start of bug report.

The bug is that if you have certs on the card that were generated, you will see your certs. If the certs on the card were imported from a p12, you will not see the certs in the cert manager until you're logged in to the token.

Bob Relyea's theory is that the public key is not stored on the token during a p12 import. Indeed, when trying to open the cert manager and fill the user certs tab, the code will call PK11_IsUserCert(), which given a cert tries to determine whether it's a user cert by one of the following methods:

-- if the cert token is logged in, try to find the private key.
-- if the token is not logged in, and not required to be (PKCS11_PUB_READABLE_CERT_FLAG set), then try to find the public key. If the public key is found assume that the private key is also there.

In the case of p12 imported certs, the search for the public key fails. In the case of certs generated on the token, the search succeeds.

To reproduce:

On a new profile, install the module with the flag set. With an empty card, obtain dual key certs from https://testca.netscape.com

Once you have the certs, quit the browser. Start the browser.

1) Check in prefs->Priv&sec->certificates->device manager, that ActivCard token is not logged in by selecting it (the "log in" button should be active).
2) Close the device manager.
3) Open the cert manager. You can view your certs.

Go to https://testca.netscape.com:500 which requires client-authentication. The private key is needed, you're prompted to enter your ActivCard password.

Quit the browser. Using the ActivCard utility, delete the two certs (see bug 111078).

Obtain a p12 containing dual key certs from testca.netscape.com. You can use a different profile, generate them on the software security device, back them up, restart, import them on the card.

Restart the browser, and follow steps 1-3 above. On step 3 the certs do not show. Close the cert manager, open the device manager, log in to the token, open the cert manager, the certs show up.
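The two-branch check described in the report above can be modelled in a few lines of C. This is an added example, not NSS source and not part of the original report: the struct layout, `find_key`, `model_is_user_cert`, `shown` and the card contents are hypothetical, and only the flag value is taken from the report.

```c
/* Simplified model of the heuristic the report attributes to PK11_IsUserCert(). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define PKCS11_PUB_READABLE_CERT_FLAG (0x1UL << 28) /* value from the report */

enum obj_class { OBJ_CERT, OBJ_PUBLIC_KEY, OBJ_PRIVATE_KEY };
struct token_obj { enum obj_class cls; int key_id; };
struct token {
    unsigned long flags; bool logged_in;
    const struct token_obj *objs; size_t n_objs;
};

/* Private objects are only visible to a logged-in session. */
static bool find_key(const struct token *t, enum obj_class cls, int key_id)
{
    if (cls == OBJ_PRIVATE_KEY && !t->logged_in)
        return false;
    for (size_t i = 0; i < t->n_objs; i++)
        if (t->objs[i].cls == cls && t->objs[i].key_id == key_id)
            return true;
    return false;
}

/* Hypothetical stand-in for the decision, keyed by the cert's key id. */
bool model_is_user_cert(const struct token *t, int key_id)
{
    if (t->logged_in)                              /* branch 1: look for the private key */
        return find_key(t, OBJ_PRIVATE_KEY, key_id);
    if (t->flags & PKCS11_PUB_READABLE_CERT_FLAG)  /* branch 2: public key stands in for it */
        return find_key(t, OBJ_PUBLIC_KEY, key_id);
    return false; /* model only: without the flag the token must be logged in first */
}

/* Constructed card contents: key 1 generated on the card, key 2 imported from a p12. */
static const struct token_obj CARD[] = {
    {OBJ_CERT, 1}, {OBJ_PUBLIC_KEY, 1}, {OBJ_PRIVATE_KEY, 1},
    {OBJ_CERT, 2}, {OBJ_PRIVATE_KEY, 2}, /* no public key object, per the theory above */
};

/* Would the cert appear in the user certs tab for this login state? */
bool shown(bool logged_in, int key_id)
{
    struct token t = { PKCS11_PUB_READABLE_CERT_FLAG, logged_in,
                       CARD, sizeof CARD / sizeof CARD[0] };
    return model_is_user_cert(&t, key_id);
}

int main(void)
{
    printf("logged out: generated=%d p12=%d | logged in: generated=%d p12=%d\n",
           shown(false, 1), shown(false, 2), shown(true, 1), shown(true, 2));
    return 0;
}
```

In this model the p12-imported cert is hidden only in the logged-out case, matching the behaviour in the reproduction steps.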
cc ActivCard contact. This needs to be tested again both with the new NSS and with any updated pkcs11 driver from ActivCard.
Mass reassign ssaux bugs to nobody
changing obsolete psm* target to --- (unspecified)