Mark PKCS#11 token friendly if it implements CKP_PUBLIC_CERTIFICATES_TOKEN
Categories
(NSS :: Libraries, enhancement, P1)
People
(Reporter: ueno, Assigned: ueno)
In Fedora 29 and RHEL 8, we started registering p11-kit-proxy.so by default, which loads all the PKCS#11 modules configured system-wide:
https://fedoraproject.org/wiki/Changes/NSSLoadP11KitModules
However, this is causing an annoying behavior with Firefox, namely the PIN prompt appearing at random times:
https://bugzilla.redhat.com/show_bug.cgi?id=1650578
https://bugzilla.redhat.com/show_bug.cgi?id=1745920
This is because pk11_AuthenticateUnfriendly() is indirectly called from CanEnableSpeculativeConnect():
https://searchfox.org/mozilla-central/source/netwerk/protocol/http/nsHttpHandler.cpp#2323
The possible solutions are either delaying slot traversal in CanEnableSpeculativeConnect() until client authentication, or marking all the tokens loaded from p11-kit-proxy as friendly.
I am going to attach a patch taking the latter approach. I've tested it with SoftHSM against Apache httpd and confirmed that it suppresses the random PIN prompt while it still prompts for the PIN on client authentication.
Comment 1 • 5 years ago
Creating allowlists in software like this seems very hard to maintain, and also makes it difficult for those other slots to update (e.g. to change their name).
What would it take to delay slot traversal?
Comment 2 • 5 years ago
Comment on attachment 9089386 nss-p11-kit-proxy-friendly.patch

I agree with Ryan. We don't want to have token-specific semantics here. There are two ways to get the same result that are more general:
1) When installing the p11-kit-proxy, set the PUBLICLY_READABLE certs flag in the database. Since it's installed with its own installer, that shouldn't be an issue.
2) Implement the PKCS #11 profile object and get the publicly readable flag from that. This is more fine-grained than either 1) or the proposed patch, as the flag can be set per token rather than per module.

bob
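As an added illustration that is not part of the bug thread or of NSS's code: a simplified C model of approach (2), where friendliness is read per token from a PKCS #11 v3.0 profile object. The `mock_object` and `mock_token` types, the function names and the sample tokens are hypothetical; only the `CKO_` and `CKP_` constants come from the PKCS #11 v3.0 headers.

```c
#include <stddef.h>
/* Values from the PKCS #11 v3.0 headers (pkcs11t.h). */
#define CKO_CERTIFICATE               0x00000001UL
#define CKO_PROFILE                   0x00000009UL
#define CKP_BASELINE_PROVIDER         0x00000001UL
#define CKP_PUBLIC_CERTIFICATES_TOKEN 0x00000004UL

/* Hypothetical, simplified stand-ins for a token and its objects. */
typedef struct {
    unsigned long cls;        /* CKA_CLASS */
    unsigned long profile_id; /* CKA_PROFILE_ID, used by CKO_PROFILE only */
    int is_private;           /* CKA_PRIVATE: hidden until login */
} mock_object;
typedef struct {
    const mock_object *objs;
    size_t n;
    int logged_in, pin_prompts;
} mock_token;

/* Friendly: a CKO_PROFILE object with this id is visible without login. */
int token_is_friendly(const mock_token *t) {
    for (size_t i = 0; i < t->n; i++)
        if (!t->objs[i].is_private && t->objs[i].cls == CKO_PROFILE &&
            t->objs[i].profile_id == CKP_PUBLIC_CERTIFICATES_TOKEN)
            return 1;
    return 0;
}

/* Slot traversal model: an unfriendly token is logged in before listing. */
size_t list_certs(mock_token *t) {
    size_t found = 0;
    if (!token_is_friendly(t) && !t->logged_in) {
        t->pin_prompts++;     /* stands in for the PIN dialog */
        t->logged_in = 1;
    }
    for (size_t i = 0; i < t->n; i++)
        if (t->objs[i].cls == CKO_CERTIFICATE &&
            (!t->objs[i].is_private || t->logged_in))
            found++;
    return found;
}

/* Constructed sample data: two tokens behind one module. */
static const mock_object objs_a[] = {
    {CKO_PROFILE, CKP_PUBLIC_CERTIFICATES_TOKEN, 0}, {CKO_CERTIFICATE, 0, 0}};
static const mock_object objs_b[] = {
    {CKO_PROFILE, CKP_BASELINE_PROVIDER, 0}, {CKO_CERTIFICATE, 0, 0}};
mock_token tok_a = {objs_a, 2, 0, 0}, tok_b = {objs_b, 2, 0, 0};
```

Both tokens sit behind the same module, yet only `tok_b` raises a prompt, which is the per-token granularity a per-module flag cannot express.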
Comment 3 • 5 years ago (Assignee)
Yes, while I proposed a fix on the Firefox side (bug 1579023) for this particular case, I think token friendliness should be configurable per token at the PKCS #11 level. I will try approach (2) as well.
Comment 4 • 5 years ago (Assignee)
Comment 5 • 5 years ago (Assignee)
This adds a mock PKCS #11 module from Firefox and adds basic tests around it.
This is needed for proper testing of PKCS #11 v3.0 profile objects (D45669).
Comment 6 • 5 years ago (Assignee)
Pushed as:
https://hg.mozilla.org/projects/nss/rev/0a86945adf74
https://hg.mozilla.org/projects/nss/rev/b39c8eeabe6a
Thanks for the review!
Comment 7 • 5 years ago
It appears likely that this caused a performance test regression in Firefox (Bug 1596430) from something having to do with the call to pk11_ReadProfileList hitting the DB during init. I'll try and find the time to debug this today and confirm, but in that case it's blocking the uplift of NSS (Bug 1592007).
Assuming it's this method, then I think the answer is to modify the performance test [0], because we want this feature.