1577803 - Mark PKCS#11 token friendly if it implements CKP_PUBLIC_CERTIFICATES_TOKEN

Status: RESOLVED FIXED

(NSS :: Libraries, enhancement, P1)

Description

[Daiki Ueno [:ueno]]

Attachment: nss-p11-kit-proxy-friendly.patch

In Fedora 29 and RHEL 8, we started registering p11-kit-proxy.so by default, which loads all the PKCS#11 modules configured system wide:
https://fedoraproject.org/wiki/Changes/NSSLoadP11KitModules

However, this is causing an annoying behavior with Firefox, that is the PIN prompt appearing at random timing:
https://bugzilla.redhat.com/show_bug.cgi?id=1650578
https://bugzilla.redhat.com/show_bug.cgi?id=1745920

This is because pk11_AuthenticateUnfriendly() is indirectly called from CanEnableSpeculativeConnect() https://searchfox.org/mozilla-central/source/netwerk/protocol/http/nsHttpHandler.cpp#2323

The possible solutions are either delaying slot traversal in CanEnableSpeculativeConnect() until client authentication, or marking all the tokens loaded from p11-kit-proxy as friendly.

I am going to attach a patch in the latter approach. I've tested it with SoftHSM against Apache httpd and confirmed that it suppresses the random PIN prompt while it still prompts PIN on client authentication.

Comment 1

[Ryan Sleevi]

Creating allowlists in software like this seems very hard to maintain, and also makes it difficult for those other slots to update (e.g. to change their name).

What would it take to delay slot traversal?

Comment 2

[Robert Relyea]

Comment on attachment 9089386 [details] [diff] [review]
nss-p11-kit-proxy-friendly.patch

I agree with Ryan. We don't want to have token specific semantics here. There are two ways to get the same result that's more general:

1) When installing the p11-kit-procy set the PUBLICLY_READABLE certs flag in the database. Since it's installed with it's own installer that shouldn't be an issue.

2) Implement the PKCS #11 profile object and get the publicly readable flag from that. This is more fine grain than either 1) or the proposed patch as the flag can be set per token rather than per module.

bob

Comment 3

[Daiki Ueno [:ueno]]

Yes, while I proposed a fix in Firefox side (bug 1579023) for this particular case, I think token friendliness should be configurable per token at PKCS #11 level. I will try the approach (2) as well.

Comment 4

[Daiki Ueno [:ueno]]

Attachment: Bug 1577803, pk11wrap: set friendly flag if token implements CKP_PUBLIC_CERTIFICATES_TOKEN

Comment 5

[Daiki Ueno [:ueno]]

Attachment: Bug 1577803, gtests: import pkcs11testmodule from Firefox

This adds a mock PKCS #11 module from Firefox and add basic tests around it.
This is needed for proper testing of PKCS #11 v3.0 profile objects (D45669).

Comment 6

[Daiki Ueno [:ueno]]

Pushed as:
https://hg.mozilla.org/projects/nss/rev/0a86945adf74
https://hg.mozilla.org/projects/nss/rev/b39c8eeabe6a

Thanks for the review!

Comment 7

[J.C. Jones [:jcj] (he/him)]

Appears likely that this caused a performance test regression in Firefox (Bug 1596430) from something having to do with the call to pk11_ReadProfileList hitting the DB during init. I'll try and find the time to debug this today and confirm, but in which case it's blocking the uplift of NSS (Bug 1592007).

Assuming it's this method, then I think the answer is to modify the performance test [0], because we want this feature.

[0] https://searchfox.org/mozilla-central/source/browser/base/content/test/performance/browser_startup_mainthreadio.js#424