Closed Bug 1423608 Opened 8 years ago Closed 8 years ago

Smartcard authentication does not work until View Certificates dialog is opened in FF 57

Categories

(Core :: Security: PSM, defect)

57 Branch
x86_64
Linux
defect
Not set
normal

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox57 --- affected

People

(Reporter: bugzilla, Unassigned)

Details

(Keywords: regression, regressionwindow-wanted)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20171129230227

Steps to reproduce:

When visiting a website that requires smartcard authentication after exiting and re-starting Firefox 57, the smartcard PIN prompt is displayed, but the certificate selection dialog is not displayed, and no certificate is sent to the server.

However, opening "Preferences", clicking on "Privacy & Security", clicking on "View Certificates...", then closing the dialog and preferences tab seems to fix the problem. Subsequent visits to websites that require smartcard authentication correctly result in the certificate selection dialog being displayed and a certificate being sent to the server.

The problem seems to be related to the association between the smartcard certificates and the CA certificates. Visiting a website that requires smartcard authentication but provides an empty certificate_authorities hint list in the TLS Certificate Request message (even after exiting and re-starting Firefox 57 without opening the "View Certificates..." dialog) seems to work as expected.

It appears that the issue is simply that Firefox does not properly associate the smartcard certificates with the associated CAs until after the "View Certificates..." dialog has been opened.

FF 56 and earlier did not have this problem.
Component: Untriaged → Security
OS: Unspecified → Linux
Hardware: Unspecified → x86_64
Paul, would you be able to use the regression finder to narrow down when this happened? https://mozilla.github.io/mozregression/
Component: Security → Security: PSM
Flags: needinfo?(bugzilla)
Product: Firefox → Core
Upon further investigation, it looks like the issue is that my cert8.db file is somehow corrupted, and the corruption occurred at the same time as my upgrade from FF56 to 57.

The corrupted cert8.db file causes this issue in both FF56 and FF57. Rolling back to a backup copy of the cert8.db file from before the upgrade works fine in both FF56 and FF57. Replacing cert8.db with a fresh copy of that file also works fine in both FF56 and FF57.

More specifically, there seems to be something wrong with the CA cert associated with my SmartCard in cert8.db. When using the corrupted cert8.db file, deleting that CA from the View Certificates dialog, then restarting Firefox, then re-importing that CA seems to fix the problem.

Attempting to delete the CA from the corrupted cert8.db file using certutil produces:

    $ certutil -d corrupted -L
    ...
    Certification Authority c,c,c
    ...
    $ certutil -d bad_test -D -n 'Certification Authority'
    certutil: could not find certificate named "Certification Authority": SEC_ERROR_BAD_DATABASE: security library: bad database.

However, certutil does allow me to delete other certificates from the corrupted file. It appears that there are a few bad certs in the file, although most are fine.

It is not clear to me why Firefox is only affected by this corruption before the View Certificates dialog is opened, or why it works properly after the View Certificates dialog has been opened.

I have not been able to re-corrupt cert8.db again by switching between FF56 and FF57, so I think it is safe to call this a fluke and close this bug ... Unless someone wants to inspect my corrupted cert8.db file further to determine how it became corrupted and/or why Firefox is behaving this way in the presence of such corruption.
Flags: needinfo?(bugzilla)
That is strange. The good news is Firefox 58 will be using a more modern database format, so hopefully this won't happen again. Feel free to reopen if this does happen again or if you figure out more information about this.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
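
The check the reporter ran by hand with certutil, generalized to every entry in the database, as an added example that is not part of the bug report or of Mozilla's code: it reports nicknames that `certutil -L` lists but that a lookup by nickname cannot load. `sample_certutil`, its certificate names, and the `CERTUTIL` override variable are constructed for this example so it runs without a real database.

```shell
#!/bin/sh
# Added example, not from the bug report: report nicknames that `certutil -L`
# lists but that cannot be loaded by name (the symptom shown in the report).
# Usage: sh check_certdb.sh <certdb-dir>
# Note: newer NSS releases default to the SQL database format, so a legacy
# cert8.db directory may need the "dbm:" prefix, e.g. dbm:/path/to/profile.
CERTUTIL="${CERTUTIL:-certutil}"   # hypothetical override, used for testing

# Print the nickname column of `certutil -L`, dropping headers and trust flags.
list_nicknames() {
  "$CERTUTIL" -d "$1" -L |
    sed -n -E 's/^(.*[^[:space:]])[[:space:]]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[[:space:]]*$/\1/p'
}

# Print every listed nickname whose lookup by name fails; return 1 if any did.
find_unreadable_certs() {
  db=$1
  bad=0
  while IFS= read -r nick; do
    [ -n "$nick" ] || continue
    if ! "$CERTUTIL" -d "$db" -L -n "$nick" >/dev/null 2>&1 </dev/null; then
      printf '%s\n' "$nick"
      bad=1
    fi
  done <<EOF
$(list_nicknames "$db")
EOF
  return "$bad"
}

# Constructed stand-in for certutil, modelled on the session in the report:
# every entry is listed, but looking up 'Certification Authority' fails.
sample_certutil() {
  case "$*" in
    *"-n Certification Authority"*) echo 'SEC_ERROR_BAD_DATABASE' >&2; return 255 ;;
    *"-n "*) return 0 ;;
  esac
  printf '\n%-61s%s\n%-61s%s\n\n' 'Certificate Nickname' 'Trust Attributes' '' 'SSL,S/MIME,JAR/XPI'
  printf '%-61s%s\n' 'Example Root CA' 'CT,C,C' \
    'Certification Authority' 'c,c,c' 'Example User Cert' 'u,u,u'
}

# With a directory argument, check that database; exit status 1 means bad entries.
[ "$#" -eq 0 ] || find_unreadable_certs "$1"
```

Run it against a copy of the profile directory with Firefox closed; to try it without a database, set `CERTUTIL=sample_certutil` after sourcing the file and call `find_unreadable_certs sampledb`.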