Closed Bug 1577803 Opened 1 year ago Closed 4 months ago

Mark PKCS#11 token friendly if it implements CKP_PUBLIC_CERTIFICATES_TOKEN

Categories

(NSS :: Libraries, enhancement, P1)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ueno, Assigned: ueno)

Attachments

(2 files, 1 obsolete file)

Attached patch nss-p11-kit-proxy-friendly.patch (obsolete) — Splinter Review

In Fedora 29 and RHEL 8, we started registering p11-kit-proxy.so by default, which loads all the PKCS#11 modules configured system wide:
https://fedoraproject.org/wiki/Changes/NSSLoadP11KitModules

However, this is causing an annoying behavior with Firefox, that is, the PIN prompt appearing at random times:
https://bugzilla.redhat.com/show_bug.cgi?id=1650578
https://bugzilla.redhat.com/show_bug.cgi?id=1745920

This is because pk11_AuthenticateUnfriendly() is indirectly called from CanEnableSpeculativeConnect():
https://searchfox.org/mozilla-central/source/netwerk/protocol/http/nsHttpHandler.cpp#2323

The possible solutions are either delaying slot traversal in CanEnableSpeculativeConnect() until client authentication, or marking all the tokens loaded from p11-kit-proxy as friendly.

I am going to attach a patch taking the latter approach. I've tested it with SoftHSM against Apache httpd and confirmed that it suppresses the random PIN prompt while it still prompts for the PIN on client authentication.

Attachment #9089386 - Flags: review?(rrelyea)

Creating allowlists in software like this seems very hard to maintain, and also makes it difficult for those other slots to update (e.g. to change their name).

What would it take to delay slot traversal?

Assignee: nobody → dueno
Status: NEW → ASSIGNED
Priority: -- → P1

Comment on attachment 9089386
nss-p11-kit-proxy-friendly.patch

I agree with Ryan. We don't want to have token-specific semantics here. There are two ways to get the same result that are more general:

1) When installing the p11-kit-proxy, set the PUBLICLY_READABLE certs flag in the database. Since it's installed with its own installer, that shouldn't be an issue.

2) Implement the PKCS #11 profile object and get the publicly readable flag from that. This is more fine-grained than either 1) or the proposed patch, as the flag can be set per token rather than per module.

bob
Attachment #9089386 - Flags: review?(rrelyea) → review-
See Also: → 1579023

Yes, while I proposed a fix on the Firefox side (bug 1579023) for this particular case, I think token friendliness should be configurable per token at the PKCS #11 level. I will try approach (2) as well.

Summary: Mark PKCS#11 slots loaded from p11-kit-proxy as friendly → Mark PKCS#11 token friendly if it implements CKP_PUBLIC_CERTIFICATES_TOKEN
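
An added example, not code from NSS or from the patches attached to this bug: the per-token decision that approach (2) describes, checking a token's profile objects for CKP_PUBLIC_CERTIFICATES_TOKEN without logging in. The in-memory object list and the names `struct tok_obj`, `find_public` and `token_is_friendly` are assumptions standing in for a real `C_FindObjects` search; the numeric constants are the PKCS #11 v3.0 header values.

```c
#include <stddef.h>

/* Constants as defined in the PKCS #11 v3.0 header pkcs11t.h. */
typedef unsigned long CK_ULONG;
#define CKO_CERTIFICATE               0x00000001UL
#define CKO_PROFILE                   0x00000009UL
#define CKP_BASELINE_PROVIDER         0x00000001UL
#define CKP_PUBLIC_CERTIFICATES_TOKEN 0x00000004UL

/* Hypothetical in-memory stand-in for one object on a token. */
struct tok_obj {
    CK_ULONG cls;        /* CKA_CLASS */
    CK_ULONG profile_id; /* CKA_PROFILE_ID, meaningful for CKO_PROFILE only */
    int is_private;      /* CKA_PRIVATE */
};

/* Mimics a C_FindObjects search in a session that has not logged in:
 * private objects are invisible, so the search never needs a PIN. */
static size_t find_public(const struct tok_obj *objs, size_t n, CK_ULONG cls,
                          const struct tok_obj **out, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i < n && found < max; i++)
        if (!objs[i].is_private && objs[i].cls == cls)
            out[found++] = &objs[i];
    return found;
}

/* 1 if the token advertises CKP_PUBLIC_CERTIFICATES_TOKEN, else 0. */
int token_is_friendly(const struct tok_obj *objs, size_t n)
{
    const struct tok_obj *hits[8];
    size_t count = find_public(objs, n, CKO_PROFILE, hits, 8);
    for (size_t i = 0; i < count; i++)
        if (hits[i]->profile_id == CKP_PUBLIC_CERTIFICATES_TOKEN)
            return 1;
    return 0;
}

/* Constructed sample tokens. */
const struct tok_obj friendly_token[] = {
    { CKO_PROFILE, CKP_BASELINE_PROVIDER, 0 },
    { CKO_PROFILE, CKP_PUBLIC_CERTIFICATES_TOKEN, 0 },
    { CKO_CERTIFICATE, 0, 0 },
};
const struct tok_obj unfriendly_token[] = {
    { CKO_PROFILE, CKP_BASELINE_PROVIDER, 0 },
    { CKO_CERTIFICATE, 0, 1 }, /* certificate hidden until login */
};
```

The profile is the token's own declaration, so a client that honours it is trusting the module to expose only certificates on the unauthenticated path.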

This adds a mock PKCS #11 module from Firefox and adds basic tests around it.
This is needed for proper testing of PKCS #11 v3.0 profile objects (D45669).

Attachment #9089386 - Attachment is obsolete: true
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → 3.48

Appears likely that this caused a performance test regression in Firefox (Bug 1596430) from something having to do with the call to pk11_ReadProfileList hitting the DB during init. I'll try to find the time to debug this today and confirm, in which case it's blocking the uplift of NSS (Bug 1592007).

Assuming it's this method, then I think the answer is to modify the performance test [0], because we want this feature.

[0] https://searchfox.org/mozilla-central/source/browser/base/content/test/performance/browser_startup_mainthreadio.js#424

Regressions: 1596430