1243748 - Sign FireFox.app with pcsc.entitlements file to let Firefox use smartcards on Mac OS X 10.10 and higher

Status: RESOLVED WONTFIX

(Release Engineering :: General, defect, P3)

Description

[michael]

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.82 Safari/537.36

Steps to reproduce:

Attach a PKCS#11 library based (communicating to the smartcard through) on Apple's Crypto Token Kit API. Attempt to communication with the smartcard.

Workaround for developers: When resigning the Firefox binary to give it the com.apple.security.smartcard entitlement, everything works as expected.

As Firefox is not entitled to the Crypto Token Kit library, neither is the PKCS#11 library below. As with the introduction of the Crypto Token Kit library, PC/SC support is very poor. Future PKCS#11 are more likely to be based on Crypto Token Kit.

Example entitlement file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>com.apple.security.smartcard</key>
        <true/>
 </dict>
</plist>


Actual results:

PKCS#11 middleware is unable to load Crypto Token Kit library, no communication with the smartcard is possible.


Expected results:

PKCS#11 middleware loads Crypto Token Kit library as expected and communicates with the smartcard.

Comment 1

[michael]

The information below is from the MacOSX console during the start of Firefox with the CryptoTokenKit enabled moduled attached. As you can see the CrytoTokenKit fails to initialise.


2/2/16 3:37:07.975 PM firefox[13860]: WARNING: The Gestalt selector gestaltSystemVersion is returning 10.9.4 instead of 10.11.4. This is not a bug in Gestalt -- it is a documented limitation. Use NSProcessInfo's operatingSystemVersion property to get correct system version number.
Call location:

2/2/16 3:37:07.975 PM firefox[13860]: 0   CarbonCore                          0x00007fff94ee46df ___Gestalt_SystemVersion_block_invoke + 113
2/2/16 3:37:07.975 PM firefox[13860]: 1   libdispatch.dylib                   0x00007fff92c6833f _dispatch_client_callout + 8
2/2/16 3:37:07.975 PM firefox[13860]: 2   libdispatch.dylib                   0x00007fff92c68237 dispatch_once_f + 67
2/2/16 3:37:07.975 PM firefox[13860]: 3   CarbonCore                          0x00007fff94e70fdc _Gestalt_SystemVersion + 987
2/2/16 3:37:07.975 PM firefox[13860]: 4   CarbonCore                          0x00007fff94e707f0 Gestalt + 139
2/2/16 3:37:07.975 PM firefox[13860]: 5   XUL                                 0x000000010413cf50 vpx_reset_mmx_state + 623883
2/2/16 3:37:08.127 PM firefox[13860]: ctk: connecting to slot registration server failed
2/2/16 3:37:08.127 PM firefox[13860]: ctk: connection to slot registration server failed
2/2/16 3:37:08.128 PM firefox[13860]: ctk: connecting to slot registration server failed
2/2/16 3:37:08.128 PM firefox[13860]: ctk: connection to slot registration server failed

Comment 2

[Makoto Kato [:m_kato]]

not widget.  Although NSS provides Smart Card interface (see our unit test security/manager/sll/tests/units/pkcs11testmodule), we don't have Apple's Crypto Token Kit API based PKCS#11 module.

If 3rd party developer develops it, Firefox will be able to support it.

Comment 3

[michael]

You don't need a Apple's Crypto Token Kit API based PKCS#11 module to get it working, all you have to do is to sign FireFox.app with pcsc.entitlements file



Example entitlement file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>com.apple.security.smartcard</key>
        <true/>
 </dict>
</plist>


and then signg with the following line:

sudo codesign --force --sign --deep --entitlements pcsc.entitlements -s "your Apple developer certificate's name from keychain" /Applications/Firefox.app


After this, all third party Apple's Crypto Token Kit API based PKCS#11 module is able to communicate with Firefox

Comment 4

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

This sounds more like a releng issue, I think.

Comment 5

[michael]

With MacOS 10.12+ the codesigning got even stricter. When this is not done correctly, macOS will reject to install Firefox and the only option you get is to move Firefox to the trash bin. 

Points to consider:
- Create a provisioning profile and cal it "embedded.provisionprofile" and put it inside the Firefox.app/Contents/
- Request a new certificate for "Developer ID Application", any other won't work.
- Install the certificate into your keychain
- Create the firefox.app.xcent with the following content:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.application-identifier</key>
	<string>xxxxxxx.org.mozilla.firefox</string>
	<key>com.apple.developer.team-identifier</key>
	<string>xxxxxxx</string>
	<key>com.apple.security.smartcard</key>
	<true/>
</dict>
</plist>


With xxxxxxx is your team identifier
The previously mentioned pcsc.entitlements is replaced with this new firefox.app.xcent.

- Sign with
    
    codesign --force --entitlements firefox.app.xcent -s 'Developer ID Application: yyyy'  Firefox.app/

  with yyyy is the name of your Certificate derived from the keychain

- Check if signing is successfull with:

   spctl -a -vv Firefox.app/     

   It should report as "accepted"

Comment 6

[Mihai Tabara [:mtabara]⌚️GMT]

The mechanics of signing these on Mac has changed in the last few years, I think this bug outlived its usefuless. Please re-open if I'm wrong.