trying to use a client certificate from a PKCS#11 token that doesn't implement RSA-PSS with TLS 1.3 results in an assertion failure
Categories
(NSS :: Libraries, defect, P3)
Tracking
(Not tracked)
People
(Reporter: keeler, Assigned: kjacobs)
Attachments
(1 file)
STR: get a PKCS#11 module/token that doesn't support RSA-PSS but does have an RSA client certificate and try to use it with a server that negotiates TLS 1.3 (e.g. osclientcerts: https://github.com/mozkeeler/osclientcerts). This results in an assertion failure as a result of ssl_PickClientSignatureScheme not being able to find an acceptable signature scheme in ssl3_CompleteHandleCertificateRequest.
Comment 1•5 years ago
I agree, it seems like it shouldn't be a fatal error on the connection for the PKCS11 module to not support the scheme - the logic might want to just avoid client auth. CC-ing :mt.
Comment 2•5 years ago
For client certificates in particular, there is new work that proposes allowing this sort of signature for client certificates: https://datatracker.ietf.org/doc/draft-davidben-tls13-pkcs1/
However, this shouldn't assert. I think that this code is built with the (bad) assumption that a certificate is validated prior to reaching that point. We should fix the assertion.
Comment 3•5 years ago
I will plan to tackle this next week.
Comment 4•5 years ago
(In reply to J.C. Jones [:jcj] (he/him) from comment #3)
> I will plan to tackle this next week.
Were you able to make any progress? I hit this with my smartcard at work.
Comment 6•5 years ago
I'm running into this bug. Is there an estimation for when a fix will be available?
Are there any known workarounds?
I am also willing to try to help create a patch. I would need help understanding the issue better at a lower level.
Comment 7•5 years ago
Moving this back to untriaged so we re-tackle it next week.
Comment 8•4 years ago
Any updates on this bug?
Comment 9•4 years ago
It appears that this could be fixed either by:
- Adding a sort of fall-back mechanism in NSS to retry, or
- Being more careful in the PKCS11 drivers.
We're pursuing fixes along the second line for osclientcerts in https://bugzilla.mozilla.org/show_bug.cgi?id=1654999#c5
Comment 10•4 years ago
ssl3_CompleteHandleCertificateRequest does essentially two things: 1) Calls the getClientAuthData hook for certificate selection, and 2) calls ssl_PickClientSignatureScheme to select an appropriate signature scheme when a cert is selected.
If the first function returns SECFailure, we default to sending an empty certificate message. If the latter fails, however, this bubbles up as a [[ https://searchfox.org/mozilla-central/rev/56bb74ea8e04bdac57c33cbe9b54d889b9262ade/security/nss/lib/ssl/tls13con.c#2670 | fatal error ]] (and an assertion failure) on the connection. Importantly, the signature scheme selection can fail for reasons that should not be considered fatal - notably when an RSA-PSS cert is selected, but the token on which the key resides does not actually support PSS.
This patch treats the failure to find a usable signature scheme as a "no certificate" response, rather than killing the connection entirely.
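The control flow described in comment 10, as an added C sketch (not NSS code and not part of the patch). All type and function names are hypothetical, the scheme list is a constructed sample, and a non-RSA key is assumed to be P-256 ECDSA; it shows the outcome for an RSA key on a token without RSA-PSS, before and after the fallback.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* TLS SignatureScheme code points from RFC 8446. */
enum { RSA_PKCS1_SHA256 = 0x0401, ECDSA_SECP256R1_SHA256 = 0x0403,
       RSA_PSS_RSAE_SHA256 = 0x0804 };

/* Hypothetical view of the selected client key and the token holding it. */
typedef struct {
    bool is_rsa;        /* key type of the selected certificate */
    bool token_has_pss; /* token implements RSA-PSS signing */
} client_key;

typedef enum { SEND_CERTIFICATE, SEND_EMPTY_CERTIFICATE, FATAL_ERROR } outcome;

/* Constructed sample: schemes a server lists in its CertificateRequest. */
static const uint16_t sample_peer_schemes[] = {
    RSA_PSS_RSAE_SHA256, ECDSA_SECP256R1_SHA256, RSA_PKCS1_SHA256 };

/* Can this key produce a TLS 1.3 CertificateVerify under `scheme`? */
static bool key_can_sign(const client_key *k, uint16_t scheme) {
    switch (scheme) {
    case RSA_PSS_RSAE_SHA256:    return k->is_rsa && k->token_has_pss;
    case ECDSA_SECP256R1_SHA256: return !k->is_rsa; /* assumption: P-256 key */
    default:                     return false; /* PKCS#1 v1.5 not usable here */
    }
}

/* Step 2 of the comment: first peer scheme the key can use, or 0 if none. */
static uint16_t pick_scheme(const client_key *k, const uint16_t *peer, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (key_can_sign(k, peer[i])) return peer[i];
    return 0;
}

/* key == NULL models the selection hook (step 1) returning no certificate. */
outcome handle_certificate_request(const client_key *key, const uint16_t *peer,
                                   size_t n, bool patched, uint16_t *scheme) {
    if (key == NULL) return SEND_EMPTY_CERTIFICATE;
    *scheme = pick_scheme(key, peer, n);
    if (*scheme != 0) return SEND_CERTIFICATE;
    /* Before the patch this path was fatal; after it, "no certificate". */
    return patched ? SEND_EMPTY_CERTIFICATE : FATAL_ERROR;
}
```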