Open Bug 1569327 Opened 6 years ago Updated 3 years ago

New checkbox "Certificates are publicly readable" as option for PKCS#11 driver loading

Categories

(NSS :: Libraries, defect, P3)

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: krzysiek, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/75.0.3770.90 Chrome/75.0.3770.90 Safari/537.36

Steps to reproduce:

Hi Mozilla team, I'm a Polish ID card developer. Our PKCS#11 module has four tokens, and before Firefox shows the certificate list it asks for the password of each token (4 passwords).

Actual results:

We created a Firefox extension and load our PKCS#11 module with the flag:
PKCS11_PUB_READABLE_CERT_FLAG = 0x1<<28.

Expected results:

Could you add a checkbox "Certificates are publicly readable" to the
"Load PKCS#11 driver" message box?

Now it is:
Module Name [ ................ ]
Module FileName [ ................ ]

After the change:
Module Name [ ................ ]
Module FileName [ ................ ]
Certificates publicly readable [x]

Component: Untriaged → Security: PSM
Product: Firefox → Core

Is setting the flag via the extension not working? You can also use the modutil utility and specify the mechanism "FRIENDLY" when adding a new module.

Flags: needinfo?(krzysiek)

Hi Dana.

I tried setting this flag with the extension and with modutil; it works, but only when the slot numbers are the same as when the module was loaded.

Use case 1:

  • user inserts card into card reader,
  • user loads extension,

we have slots:
0) Virtual

  1. SDI011 Smart Card Reader
  2. SDI011 Contactless Reader
  3. SDI011 Contactless Reader Container 1
  4. SDI011 Contactless Reader Container 1

in pkcs11.txt we have entries

Use case 2:

  • eID card is not in smart card reader,
  • user loads extension,
  • user inserts card into card reader.

in pkcs11.txt we have entries:

Flags: needinfo?(krzysiek)

Hi Dana.

I tried setting this flag with the extension and with modutil; it works, but only when the slot numbers are the same as when the module was loaded.

Use case 1:

  • user inserts card into card reader and next loads extension,

we have slots:

  1. SDI011 Smart Card Reader
  2. SDI011 Contactless Reader
  3. SDI011 Contactless Reader eid1
  4. SDI011 Contactless Reader eid2

in pkcs11.txt we have entries
NSS=slotParams=(1={slotFlags=[PublicCerts]} 2={slotFlags=[PublicCerts]} 5={slotFlags=[PublicCerts]} 6={slotFlags=[PublicCerts]})

Works perfectly, no password asked for containers eid1, eid2

Use case 2:

  • eID card is not in smart card reader,
  • next user loads extension,

We have slots:

  1. SDI011 Smart Card Reader
  2. SDI011 Contactless Reader

in pkcs11.txt we have entries
NSS=slotParams=(1={slotFlags=[PublicCerts]} 2={slotFlags=[PublicCerts]})

  • next user inserts card into smart card reader

we have slots:

  1. SDI011 Smart Card Reader
  2. SDI011 Contactless Reader
  3. SDI011 Contactless Reader eid1
  4. SDI011 Contactless Reader eid2

but the entries in pkcs11.txt are the same as from the moment the extension was loaded.
No entries "slotFlags=[PublicCerts]" for slots 5 and 6; the user is asked for passwords for these containers.

Use case 3:
User changes smart card reader from dual interface to contactless only.

in pkcs11.txt we have good entries for the dual interface reader.
NSS=slotParams=(1={slotFlags=[PublicCerts]} 2={slotFlags=[PublicCerts]} 5={slotFlags=[PublicCerts]} 6={slotFlags=[PublicCerts]})

but new reader have slots:

  1. Omnikey Contactless Reader
  2. Omnikey Contactless Reader eid1
  3. Omnikey Contactless Reader eid2

the same as in use case 2, the user must enter passwords for containers eid1 and eid2, because now they are slots 2,3 not 5,6

I tried adding this flag (0x1<<28) to the token flags and slot flags in our PKCS#11 driver
(C_GetSlotInfo and C_GetSlotList and C_GetTokenInfo) but Firefox doesn't accept it.

Maybe it is a good thing: add a new flag to the PKCS#11 interface, a new slot flag or a new token flag.
What do you think?

Thank you for reading.

One mistake:

In use case 1 it is
3. SDI011 Contactless Reader eid1
4. SDI011 Contactless Reader eid2

It should be
5. SDI011 Contactless Reader eid1
6. SDI011 Contactless Reader eid2
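
The three use cases above all come down to one mechanic: the slotParams entries in pkcs11.txt are keyed by PKCS#11 slot ID, and the slot IDs move when a card is inserted later or a different reader is used. The following is an added example written for this report, not NSS, Firefox or the reporter's driver code: it parses the slotParams lines quoted above, reports which currently present slots have no PublicCerts entry, and regenerates a line that covers the current slot list. The slot lists and config strings are constructed from the use cases (using the corrected numbering 5 and 6 for the eID containers); the assumption that a slot without a PublicCerts entry prompts for a password, and all function names, are this example's own.

```python
"""Model of how NSS's per-slot "slotFlags=[PublicCerts]" entries in pkcs11.txt
line up (or fail to line up) with PKCS#11 slot IDs that change between sessions.

Added example for this bug report; not NSS, Firefox or the reporter's driver
code.  The slotParams lines and slot lists are constructed from the use cases
in the thread.  The assumption that a slot without a PublicCerts entry prompts
for a password, and every function name here, are this example's own.
"""
import re

# Bit the reporter's extension passes when installing the module (from the report).
PKCS11_PUB_READABLE_CERT_FLAG = 0x1 << 28  # 0x10000000

# One "<slotID>={slotFlags=[A,B,...]}" entry inside slotParams=( ... ).
_ENTRY = re.compile(r"(\d+)=\{slotFlags=\[([^\]]*)\]\}")
# Count of "<slotID>={" openers, used to detect entries that failed to parse.
_OPENER = re.compile(r"\b(\d+)=\{")


def parse_slot_params(line):
    """Return {slot_id: set_of_flags} from an "NSS=slotParams=(...)" line.

    Raises ValueError if an entry is malformed (e.g. a missing "}"), because a
    silently dropped entry would look exactly like the bug described above.
    """
    m = re.search(r"slotParams=\((.*)\)", line)
    if m is None:
        raise ValueError("no slotParams=(...) in line")
    body = m.group(1)
    entries = {int(sid): {f for f in flags.split(",") if f}
               for sid, flags in _ENTRY.findall(body)}
    if len(entries) != len(_OPENER.findall(body)):
        raise ValueError("malformed slotParams entry: %r" % body)
    return entries


def is_well_formed(line):
    """True if the line parses with every entry intact."""
    try:
        parse_slot_params(line)
    except ValueError:
        return False
    return True


def slots_that_prompt(current_slots, slot_params):
    """Current slot IDs (as C_GetSlotList reports them now) with no PublicCerts entry.

    Entries are matched purely by slot ID, which is all the slotParams syntax
    carries; nothing ties an entry to a reader or container name.
    """
    flags = parse_slot_params(slot_params)
    return [sid for sid in sorted(current_slots)
            if "PublicCerts" not in flags.get(sid, set())]


def with_public_certs(current_slots, slot_params):
    """Regenerate the line so every currently present slot carries PublicCerts.

    Existing entries (and any other flags they carry) are preserved.
    """
    flags = parse_slot_params(slot_params)
    for sid in current_slots:
        flags.setdefault(sid, set()).add("PublicCerts")
    inner = " ".join("%d={slotFlags=[%s]}" % (sid, ",".join(sorted(flags[sid])))
                     for sid in sorted(flags))
    return "NSS=slotParams=(%s)" % inner


# Constructed from the use cases in the thread.
# Case 1: card present when the module was added; eID containers are slots 5 and 6.
CASE1_CONFIG = ("NSS=slotParams=(1={slotFlags=[PublicCerts]} 2={slotFlags=[PublicCerts]} "
                "5={slotFlags=[PublicCerts]} 6={slotFlags=[PublicCerts]})")
DUAL_READER_SLOTS = {1: "SDI011 Smart Card Reader", 2: "SDI011 Contactless Reader",
                     5: "SDI011 Contactless Reader eid1", 6: "SDI011 Contactless Reader eid2"}
# Case 2: module added with no card inserted, so only the reader slots were recorded.
CASE2_CONFIG = "NSS=slotParams=(1={slotFlags=[PublicCerts]} 2={slotFlags=[PublicCerts]})"
# Case 3: same pkcs11.txt as case 1, but a contactless-only reader renumbers the slots.
CONTACTLESS_READER_SLOTS = {1: "Omnikey Contactless Reader",
                            2: "Omnikey Contactless Reader eid1",
                            3: "Omnikey Contactless Reader eid2"}

if __name__ == "__main__":
    for label, slots, config in (("case 1", DUAL_READER_SLOTS, CASE1_CONFIG),
                                 ("case 2", DUAL_READER_SLOTS, CASE2_CONFIG),
                                 ("case 3", CONTACTLESS_READER_SLOTS, CASE1_CONFIG)):
        missing = slots_that_prompt(slots, config)
        print(label, "prompts for:", [slots[s] for s in missing] or "nothing")
        if missing:
            print("  regenerated line:", with_public_certs(slots, config))
```

In case 3 the model keeps slot 2's old entry (it was the contactless reader's slot in the earlier configuration) and only reports slot 3 as missing; that is what matching by bare slot ID gives, and it is why a per-slot entry written once at module-load time cannot follow a container from reader to reader.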

Seems like maybe a bug in NSS?

Assignee: nobody → nobody
Type: enhancement → defect
Component: Security: PSM → Libraries
Product: Core → NSS
QA Contact: jjones
Version: 59 Branch → other

Hi Daiki,

Is this PKCS11 bug something that your team can work on? We're unfamiliar with this code.

Flags: needinfo?(dueno)
Priority: -- → P3

Sure, let me take a look.

Flags: needinfo?(dueno)

(In reply to krzysiek from comment #3)

> Maybe it is a good thing: add a new flag to the PKCS#11 interface, a new slot flag or a new token flag,

I guess the profile object in PKCS#11 v3.0 is what we are looking for. With this, a token implementation could indicate that it allows access to certificates without authentication by returning a token object with CKP_PUBLIC_CERTIFICATES_TOKEN profile ID.

I submitted a tentative patch at bug 1577803.

That is very good news today. Thank you. I will try to compile NSS and apply this patch.

Severity: normal → S3