No prompt for PIN when digitally signing a message with digital certificate on a smart card
Categories
(Thunderbird :: Security, defect)
Tracking
(thunderbird_esr6067+, thunderbird68 fixed, thunderbird69 fixed)
People
(Reporter: r.ic, Assigned: KaiE)
Details
(Keywords: regression)
Attachments
(3 files, 4 obsolete files)
|
1.42 KB,
patch
|
keeler
:
review+
jorgk-bmo
:
approval-comm-beta+
|
Details | Diff | Splinter Review |
|
551 bytes,
patch
|
jorgk-bmo
:
review+
jorgk-bmo
:
approval-comm-beta+
|
Details | Diff | Splinter Review |
|
2.11 KB,
patch
|
jorgk-bmo
:
approval-comm-esr60+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Steps to reproduce:
Thunderbird 60.4.0 (32b) on Win 10 x64, a digital certificate on a smart card, the smart card present in a reader, Security Device (.dll) for the particilar smart card loaded in Security Settings, the digital certificate and its root autority certificates loaded (visible) in Thunderbird Security Settings.
Write -> Message -> filled in "To:", "Subject" and "Message"
Security -> Digitally Sign This Message
Send
Actual results:
The message was not sent, Thunderbird gives an error saying
"Sending of the message failed. Unable to sign message. Please check that the certificates specified in Mail & Newsgroups Accounts Settings for this email account are valid and trusted for mail."
Expected results:
To send the message signed with the digital certificate.
|
Reporter | |
Comment 1•6 years ago
|
||
When I enter Thunderbird's Security Settings and use Manage Certificates, a PIN dialog is elevated and available certificate(s) is/are shown. Now if I create a new message, fill in a recipient, subject and message, and choose Security -> Digitally Sign This Message and Send, the message is sent signed.
This shows that all the required components work fine - the smart card, the digital certificate and authority root certificates and security device.
The problem is that Digitally Sign This Message feature doesn't elevate a PIN dialog itself or it doesn't use the Security Device properly. The Security Device must be "woken up" first through Security Settings otherwise it won't work.
|
||
Comment 2•6 years ago
|
||
Similar to bug 1517408?
|
|
Reporter | |
Comment 3•6 years ago
|
||
I'm not sure since I am able to sign emails while guys reporting bug 1517408 are not.
|
||
Comment 4•6 years ago
|
||
In Thunderbird 52 the PIN prompt dialog is shown when FindEmailEncryptionCert is called:
if (!mSelfEncryptionCert) {
certdb->FindEmailEncryptionCert(mEncryptionCertName,
getter_AddRefs(mSelfEncryptionCert));
}
This call has been removed by changeset [1][2] in TB 60 and it seems that it has not been replaced by some other code.
We have also a report where customer is unable to use their smart card for signing the email:
https://bugzilla.redhat.com/show_bug.cgi?id=1661651
[1] https://hg.mozilla.org/comm-central/rev/e47002b53b5f9294a331d8b84e291ed6c362fb01#l2.34
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1519093
|
|
||
Comment 5•6 years ago
|
||
Could some nss guys help us here?
|
||
Updated•6 years ago
|
|
Assignee | |
Comment 7•6 years ago
|
||
This patch restores code that was removed in bug 857627, and restores the calls to those APIs that were removed in bug 1319185.
|
|
Assignee | |
Comment 8•6 years ago
|
||
This code MIGHT fix it, but I don't have any setup with smart cards, so I cannot test it.
Jan, are you able to test, or get feedback, if this patch fixes the issue?
|
|
||
Comment 9•6 years ago
|
||
Kai, thanks for the patch. After a lot of testing, it seems the problem most likely lies somewhere else. With the nickname removal [1] the code from your patch would work for those who migrated from TB 52 to TB 60 (and not for those who set certificates on TB 60+).
But the problem is in fact in VerifyCert [2] which fails for some certificates (for various reasons it seems - for me it is a unknown issuer) and the removed code saved users from failure (because it does not verify the certificate).
Also the code [3] which deletes the keydb entry without any notice while keeping the signing_cert_name is kind of confusing, because in account settings/Security everything looks reasonable (apart from keydb disappears).
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1319185
[2] https://dxr.mozilla.org/comm-central/source/comm/mailnews/extensions/smime/src/nsMsgComposeSecure.cpp#914
[3] https://dxr.mozilla.org/comm-central/source/comm/mailnews/extensions/smime/src/nsMsgComposeSecure.cpp#922
|
|
Assignee | |
Comment 10•6 years ago
|
||
(In reply to Jan Horak [:jhorak] from comment #9)
Kai, thanks for the patch. After a lot of testing, it seems the problem most likely lies somewhere else. With the nickname removal [1] the code from your patch would work for those who migrated from TB 52 to TB 60 (and not for those who set certificates on TB 60+).
But the problem is in fact in VerifyCert [2] which fails for some certificates (for various reasons it seems - for me it is a unknown issuer) and the removed code saved users from failure (because it does not verify the certificate).
Given that the patch can help some users, and that it helped you to uncover other problems, it might be reasonable to restore that old code.
Also the code [3] which deletes the keydb entry without any notice while keeping the signing_cert_name is kind of confusing, because in account settings/Security everything looks reasonable (apart from keydb disappears).
I don't know/remember the exact intention of that code, but here's a possible explanation:
A DB key identifies one specific certificate. It might have been valid and usable in the past, but might no longer be. So it's reasonable to stop using it, once that is identified.
The settings store both a db key and a nickname. The same nickname might potentially refer to a renewed certificate, which can be found by using the functions that search by nickname. So it seems reasonable to keep that as a fallback option.
|
|
Assignee | |
Comment 11•6 years ago
|
||
|
|
||
Comment 12•6 years ago
|
||
Kai, the problem is that nickname is no longer stored to the identity db [1], the displayName is used instead. And looking up cert by displayName does not work, see PK11_FindCertFromNickname and subsequent find_certs_from_nickname. So that would solve problems for users which set certificate in TB 52 and updated to 60, but not for those who set/changed the certificate in 60.
|
|
||
Comment 13•6 years ago
|
||
|
|
Assignee | |
Comment 14•6 years ago
|
||
(In reply to Jan Horak [:jhorak] from comment #12)
Kai, the problem is that nickname is no longer stored to the identity db [1], the displayName is used instead. And looking up cert by displayName does not work, see PK11_FindCertFromNickname and subsequent find_certs_from_nickname. So that would solve problems for users which set certificate in TB 52 and updated to 60, but not for those who set/changed the certificate in 60.
Thanks for pointing that out, I had missed that. That obsoletes my patch.
(Given that Thunderbird 52.x is no longer supported, and that lifetime period of Thunderbird 60.x is almost over, we must assume that the majority of users has already migrated to TB 60.x. Now we can no longer distinguish which users have stored nicknames and which have stored display names in that pref. That means that pref has become irrelevant. It's no longer used, we should probably remove it. In the past it was probably used for dual-key certificates, see bug 1549709.)
Back to this bug. So it's not about certain certificates not being found, but about the PIN prompt not showing up.
In order for the prompt to work, NSS needs to be given a context pointer to the windowing system.
The old, removed API (find-by-nickname) did do that. The remaining API (find-by-dbkey) doesn't.
We need to change the lookup code to use an API that passes the UI context.
|
|
Assignee | |
Updated•6 years ago
|
|
|
Assignee | |
Comment 15•6 years ago
|
||
It might be as simple as this.
(This change is in general Firefox code.)
|
|
Assignee | |
Updated•6 years ago
|
|
|
Assignee | |
Comment 16•6 years ago
|
||
|
||
Comment 17•6 years ago
|
||
|
|
Assignee | |
Comment 18•6 years ago
|
||
(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #17)
PK11_FindCertByIssuerAndSNdoes nothing with it. So how will adding this help?
It won't help. :(
I trusted the parameter would be used, I should have checked.
Comparing with code in PK11_FindCertFromNickname, we probably must enhance PK11_FindCertByIssuerAndSN to iterate all tokens, search by issuer/SN on each of them, and call pk11_AuthenticateUnfriendly as needed.
The developer working on this should have a smartcard setup to test it.
|
|
||
Comment 19•6 years ago
•
|
||
(In reply to Kai Engert (:kaie:) from comment #14)
Back to this bug. So it's not about certain certificates not being found, but about the PIN prompt not showing up.
In order for the prompt to work, NSS needs to be given a context pointer to the windowing system.
The old, removed API (find-by-nickname) did do that. The remaining API (find-by-dbkey) doesn't.
We need to change the lookup code to use an API that passes the UI context.
Ah, I see.
The developer working on this should have a smartcard setup to test it.
I use following setup to emulate virtual smart card by using softhsm:
sudo dnf install softhsm
sudo usermod -a -G ods $USER
newgrp ods
softhsm2-util --init-token --free --label "Mine soft token"
<set pins>
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
softhsm2-util --import key.pem --token "Mine soft token" --label aKey --id a1b1
p11tool --list-all
# get the <SOFT_HSM_URL> from the output of previous command
# look for something like: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=c8d74ac3c4cca8df;token=Mine%20soft%20token
p11tool --login --write "<SOFT_HSM_URL>" --load-certificate cert.pem
Now after TB restart and assuring the new ods group is active I'm able to select certificate in the account settings/Security. In TB 52 I also get a PIN prompt when sending signed message when not previously logged in.
|
|
||
Comment 20•6 years ago
|
||
Attaching simple patch, which shows pin prompt for not already authenticated tokens before sending the message. It would be better to use pk11_TraverseAllSlots instead but that seems to be a private nss symbol.
|
|
Assignee | |
Comment 21•6 years ago
|
||
I think we should reach out to either Daiki Ueno or Bob Relyea to confirm that this code achieves the intended effect.
Instead of adding this code locally to Thunderbird, we should consider to add this functionality with a new exported function to NSS?
E.g. it could be called PK11_EnsureAllTokensAreLoggedIn
Also, the third parameter to that function is for a window-context parameter, which is probably required by NSS to open prompts for a PIN, so probably it shouldn't be null?
If yes, that new function probably requires this parameter, too.
|
|
Assignee | |
Updated•6 years ago
|
|
|
Assignee | |
Updated•6 years ago
|
|
||
Comment 22•6 years ago
•
|
||
I don't have much knowledge of this part of the code, but my assumption is that NSS calls pk11_TraverseAllSlots() to ensure that all the tokens are authenticated. For example, it is called from CERT_GetCertNicknames() etc.
Doesn't it help if you call one of those public functions?
|
|
Assignee | |
Comment 23•6 years ago
|
||
Good idea, CERT_GetCertNicknames() takes a window parameter, that seems like an improvement over the attached patch.
Jan, I'm still unsure how the patch you had attached helps you. Did you get any prompts for the not-yet-logged-in smartcard with your patch?
Jan, would you be able to test Daiki's alternative? Instead of "PK11_TraverseSlotCerts":
// Calling CERT_GetCertNicknames has the desired side effect of
// traversing all tokens, and brining up prompts to unlock.
nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext();
CERTCertNicknames *result_unused =
CERT_GetCertNicknames(CERT_GetDefaultCertDB(),
SEC_CERT_NICKNAMES_USER, cxt);
CERT_FreeNicknames(result_unused);
|
|
||
Comment 24•6 years ago
|
||
Yes, I get the prompt shows up even with nullptr as the context. The code proposed by you/Daiki also works. Attaching the updated patch, please feel free to add reviewer for this one.
|
|
Assignee | |
Comment 25•6 years ago
|
||
Dana, would you mind to have a final look? Thanks in advance.
(fixed indent and my typo in comment, prepared for landing by Jörg)
|
|
||
Comment 26•5 years ago
|
||
|
|
||
Comment 27•5 years ago
|
||
This doesn't link on Windows: 0:23.11 lld-link: error: undefined symbol: CERT_GetCertNicknames
|
|
Assignee | |
Comment 28•5 years ago
|
||
Jörg, thanks for checking, this additional patch should fix it.
Dana, thanks for the r+.
I suggest to uplift this to beta, it seems like a helpful fix for smartcard users.
[Approval Request Comment]
Regression caused by (bug #): 1319185
User impact if declined: Smartcard users have trouble signing S/MIME emails
Testing completed (on c-c, etc.):
Risk to taking this patch (and alternatives if risky): very little
|
|
Assignee | |
Updated•5 years ago
|
|
|
||
Comment 29•5 years ago
|
||
|
||
Comment 30•5 years ago
|
||
Pushed by mozilla@jorgk.com:
https://hg.mozilla.org/comm-central/rev/f965e7f4a1aa
prompt for smartcard PIN when S/MIME signing. r=keeler
https://hg.mozilla.org/comm-central/rev/df4dd9bfa02d
export CERT_GetCertNicknames. r=jorgk
|
|
||
Updated•5 years ago
|
|
|
Reporter | |
Comment 31•5 years ago
|
||
Thank you all for dealing with this. Looking forward to TB69 to test it.
|
|
||
Updated•5 years ago
|
|
|
||
Comment 32•5 years ago
|
||
TB 68 beta:
https://hg.mozilla.org/releases/comm-beta/rev/afa49d83a174bd45330797f798a10afdc4dd0510
https://hg.mozilla.org/releases/comm-beta/rev/736c33cdca9ec536b9bc3125374016535520d1a1
|
|
Assignee | |
Comment 33•5 years ago
|
||
I wonder if we should uplift to 60.x. Untested patch.
|
|
||
Comment 34•5 years ago
|
||
If you don't request it, we won't ;-) - We can build a version on try if you or someone else has a way to test it.
|
|
Assignee | |
Comment 35•5 years ago
|
||
It sounds like you're potentially open to the idea :) The last comments in bug 531073 had inspired me to it, as a related problem that was mentioned in bug 531073 comment 36 sounds similar to this bug.
I've started a local build, to check if it actually builds successfully. I can do a try next.
|
|
||
Comment 36•5 years ago
|
||
|
|
Reporter | |
Comment 37•5 years ago
|
||
Are you suggesting that a patch for current 60.x build can be prepared? If so, I'm in to test it on my setup with TB 60.7.0!
|
|
Assignee | |
Comment 38•5 years ago
|
||
Richard, the potential patch for TB 60.x is attached above, comment 33. I was unable to test it. My attempt to build it on my dev system failed with Rust errors. Maybe the Rust toolchain on my system is too new and the Rust syntax has changed? If you could test it, please do.
|
|
||
Comment 39•5 years ago
|
||
Richard, I can do you a try build. Which platform do you need?
|
|
||
Comment 40•5 years ago
|
||
|
|
Reporter | |
Comment 41•5 years ago
|
||
(In reply to Jorg K (GMT+2) from comment #39)
Richard, I can do you a try build. Which platform do you need?
Hi Jorg, my specs are Windows 10 x64 1809, TB 60.7.0 (32-bit)
|
|
||
Comment 42•5 years ago
|
||
Building unofficial 60.7.1 32bit with the patch here now, will advise when ready:
https://treeherder.mozilla.org/#/jobs?repo=try-comm-central&revision=4c898b52bf87d93e12272550a70717d38088872f
|
|
||
Comment 43•5 years ago
|
||
I forgot about this, here's your installer:
https://queue.taskcluster.net/v1/task/ZJj_CyIUQwWRN-aPWgwC6w/runs/0/artifacts/public/build/install/sea/target.installer.exe
This in an unofficial TB 60.7.1 which is 60.7.0 plus the small fix from this bug. It looks like a Daily, but it is an ESR version.
|
|
Reporter | |
Comment 44•5 years ago
|
||
Thank you @Jorg K, I've just tried it and it works as it should! I'll test it more next week.
|
|
||
Comment 45•5 years ago
|
||
|
|
||
Comment 46•5 years ago
|
||
TB 60.7.1 ESR:
https://hg.mozilla.org/releases/comm-esr60/rev/a819a3a05f2109a7704d76267db248aaa972212f
Description
•