Closed Bug 1629002 Opened 4 years ago Closed 4 years ago

osclientcerts: c_sign fails with some private keys

Categories

(Core :: Security: PSM, defect, P1)

Tracking

Status: VERIFIED FIXED
Target milestone: mozilla80

Tracking flags (release: tracking, status)
firefox-esr78: 81+, fixed
firefox80: ---, verified

People

(Reporter: cobzarupetrumihai96, Assigned: keeler)

References

(Blocks 1 open bug)

Details

(Whiteboard: [psm-assigned])

Attachments

(18 files)


User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0

Steps to reproduce:

I went to Options > Privacy & Security > Certificates > Security Devices... > Load.
I typed in a specific Module Name.
I browsed Module Name in the System32 folder for a specific .dll (asepkcs.dll).
I pressed OK.

Sidenote: The same security device worked without issues on the previous FF version.

Actual results:

Alert window popped up with the message "Unable to add module".

Expected results:

Firefox should have added a new entry in Security Modules and Devices with the specific.

hello, in bug 1560052 older versions of the asepkcs.dll module (6.5.0.5) were blocked for causing frequent browser crashes. please see if a newer version of the smartcard software is available.

See Also: → 1560052

(In reply to [:philipp] from comment #1)

> hello, in bug 1560052 older versions of the asepkcs.dll module (6.5.0.5) were blocked for causing frequent browser crashes. please see if a newer version of the smartcard software is available.

Thanks for the related reply,
The Smartcard Software for the Athena is bundled in this package, along with other tokens, and the asepkcs.dll version that is reported after a fresh install is 6.5.0.1.

I've followed the mentioned similar token driver from https://bugzilla.mozilla.org/show_bug.cgi?id=1560052#c12, which .dll version is 6.5.0.5.
I can't find a newer version that will suffice the (<=6.5.0.5) module exclusion condition that was listed in this build.

Hello.
I think that I found a more recent asepkcs.dll from the Colegio de Abogados La Plata website: http://www.calp.org.ar/download/controladores-token (Controlador para Athena ID-Protect para Windows de 64 bits.)
asepkcs.dll version is 7.0.2.0
But the alert window pops up as well with the message "Unable to add module".

As a side note, if I load the dll using policies.json, the security device is in place.
{
  "policies": {
    "SecurityDevices": {
      "CNS": "C:\\windows\\system32\\asepkcs.dll"
    }
  }
}

Resetting severity to default of --.

Because this bug's Severity has not been changed from the default since it was filed, and its Priority is -- (Backlog), indicating it has not been previously triaged, the bug's Severity is being updated to -- (default, untriaged).

Severity: normal → --

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Security: PSM
Product: Firefox → Core

If you set security.osclientcerts.autoload to true in about:config instead of loading that module, are you able to do what you would otherwise need that module to do?

Assignee: nobody → nobody
Component: Security: PSM → Libraries
Flags: needinfo?(cobzarupetrumihai96)
Product: Core → NSS
QA Contact: jjones
Version: 75 Branch → other

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #7)

> If you set security.osclientcerts.autoload to true in about:config instead of loading that module, are you able to do what you would otherwise need that module to do?

I don't know, because with the latest version of Fedora (76.0.1) I'm able to load the module.

BTW I don't really understand why blacklisting the previous dll version. Official version of the dll distributed by the government bodies is still 6.5.0.5
It was working without any issue in all the Firefox installations.
Now we are switching to other browsers due to the inability to use the dll shipped with the smart card software provided by the government.
This is sad.

(In reply to alcr from comment #8)

> I don't know, because with the latest version of Fedora (76.0.1) I'm able to load the module.

Typo: with the latest version of Firefox (76.0.1)

(In reply to alcr from comment #9)

> (In reply to alcr from comment #8)
>
> > I don't know, because with the latest version of Fedora (76.0.1) I'm able to load the module.
>
> Typo: with the latest version of Firefox (76.0.1)

"able" or "unable"?

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #10)

> (In reply to alcr from comment #9)
>
> > (In reply to alcr from comment #8)
> >
> > > I don't know, because with the latest version of Fedora (76.0.1) I'm able to load the module.
> >
> > Typo: with the latest version of Firefox (76.0.1)
>
> "able" or "unable"?

Yes, sorry, able to load asepkcs.dll version 7.0.2.0, even without setting security.osclientcerts.autoload to true.

Great! So, what if instead of loading the asepkcs.dll module, you set that preference - does that configuration enable you to do what you would use asepkcs.dll for? (if the module has already been loaded, you can unload it using about:preferences -> Security Devices)

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #12)

> Great! So, what if instead of loading the asepkcs.dll module, you set that preference - does that configuration enable you to do what you would use asepkcs.dll for? (if the module has already been loaded, you can unload it using about:preferences -> Security Devices)

User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0

I tried what you suggested in the last post but with no results.
Trying to connect with my smart card to an Italian administration site, Firefox displayed a pop-up window with a User Identification Request reporting the correct data of my certificate but after clicking the OK button appeared the SECURE CONNECTION FAILED page, reporting

SEC_ERROR_PKCS11_GENERAL_ERROR

Unfortunately the administration body is already alerting that Firefox 75 and beyond cannot handle the kind of smart card that I own (all those with asepkcs.dll), suggesting to use Firefox ESR instead or another browser: I tested the new MS Edge Chromium-based and I entered the sites with no problem.
In Italy there are a lot of people with the same issue, as you can see from

https://forum.mozillaitalia.org/index.php?topic=74089.0

Can you run Firefox with the environment variable RUST_LOG set to osclientcerts_static=debug, try to connect to the site, and attach the resulting log here? Thanks! (this might be helpful for getting output: https://developer.mozilla.org/en-US/docs/Mozilla/Command_Line_Options#Miscellaneous)

Flags: needinfo?(polim27)

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #14)

> Can you run Firefox with the environment variable RUST_LOG set to osclientcerts_static=debug, try to connect to the site, and attach the resulting log here? Thanks! (this might be helpful for getting output: https://developer.mozilla.org/en-US/docs/Mozilla/Command_Line_Options#Miscellaneous)

Unfortunately I'm not a developer, only a user able to run and test Firefox following accurate instructions like yours from the last post, but if you tell me how to set the environment variable and then run Firefox via command line (I think) I'll certainly do

Flags: needinfo?(polim27)

If you open up powershell (I do this by typing "powershell" in the search bar at the bottom of the screen and pressing enter), you can set the environment variable by typing (or just copy/paste)

$env:RUST_LOG = 'osclientcerts_static'

and hitting enter. Then, to start Firefox and have it save the logging information, type

Start-Process -FilePath 'C:\Program Files\Mozilla Firefox\firefox.exe' -RedirectStandardError $HOME\Desktop\log.txt

and hit enter. This should start Firefox and redirect the logging output to a file called log.txt on your desktop.

Flags: needinfo?(polim27)
Attached file Test log.txt

As you requested, Dana. Hope this log helps to finally solve the issue.

Flags: needinfo?(polim27)

Thanks. That looks a lot like bug 1617000 (everything appears to work up until the sign operation, which fails). I'm going to land some changes in bug 1619817 that will hopefully give us more information as to why it failed.

Actually, can you install this build and follow the above instructions again? https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/cPcUcrkTQZ60YoN0HW-5yQ/runs/0/artifacts/public/build/install/sea/target.installer.exe (you might need to change the FilePath argument to where that build puts firefox.exe) Thanks!

Flags: needinfo?(polim27)
Attached file Test_2 log.txt

Done it.

Flags: needinfo?(polim27)
Attached file Test_3 log.txt

As you requested, Dana. For your information, in order to do the test I preferred to uninstall the previous release of Nightly and then install the new one instead of installing the new over the old one.

Flags: needinfo?(polim27)

Thanks! Unfortunately both of my ideas didn't seem to be correct. Does your token work with Chrome? Also, if you look in about:preferences -> View Certificates -> Your Certificates, how many certificates do you see from your token? Alternatively, this build might give me more insight: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/fwdGWeXDQ9ehQPAw6wu-fw/runs/0/artifacts/public/build/install/sea/target.installer.exe

Flags: needinfo?(polim27)

Dear Dana, here are the answers to your questions:

  1. On my pc I don't have Chrome (I hate the evil Google :-) ) but I have the new Chromium-based MS Edge; my token works smoothly with it with no issue;

  2. As you can see from the attached Test_4_log_Nightly3, I think that the latest build you sent me contains a regression since I could not even see the pop-up window with my certificate data. In about:preferences -> ... -> Your certificates, no certificate was shown, as you can see from the attached picture Pers_cert_Nighly3

  3. After reinstalling Nightly build 2, I managed to see my certificates both in the pop-up window and in about:preferences -> ... -> Your certificates (Pers_cert_Nighly2). Also today happened the same strange thing that I ignored yesterday (my fault if I didn't inform you): I tested the login with my token 2 times and obtained 2 different logs. Yesterday I thought that the first was my mistake so I didn't send you the first log which didn't have any ERROR line in it, but today the same thing happened so you'll find two Nightly2_logs attached (same browser behaviour, different logs)

Flags: needinfo?(polim27)
Attached image Pers_cert_Nighly3.png
Attached image Pers_cert_Nightly2.png

Dana: for triage purposes, should this still be in NSS?

Flags: needinfo?(dkeeler)

Judging by comment 11, the original issue for this bug has been fixed, so I'm going to morph it into trying to figure out why osclientcerts doesn't work with this token.

Polim - what version of asepkcs.dll do you have installed?

Assignee: nobody → nobody
Severity: -- → S4
Component: Libraries → Security: PSM
Flags: needinfo?(dkeeler) → needinfo?(polim27)
Product: NSS → Core
QA Contact: jjones
Summary: Firefox 75 cannot load asepkcs.dll module when loading Security Device. → osclientcerts: c_sign fails with some private keys
Version: other → unspecified

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #31)

> Judging by comment 11, the original issue for this bug has been fixed, so I'm going to morph it into trying to figure out why osclientcerts doesn't work with this token.
>
> Polim - what version of asepkcs.dll do you have installed?

6.5.0.5

Flags: needinfo?(polim27)

Ah - I wonder if the dll block is interfering. Is there an updated version of asepkcs.dll you can use? (the Firefox build from comment 21 would probably be best to try with)

Flags: needinfo?(polim27)

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #33)

> Ah - I wonder if the dll block is interfering. Is there an updated version of asepkcs.dll you can use? (the Firefox build from comment 21 would probably be best to try with)

I'm going to search for an updated version on the internet but I think this is a false problem. One question (please remember, I'm not a developer): why MS Edge works smoothly with asepkcs.dll 6.5.0.5? If osclientcerts should work with every certificate accepted by the OS, then it should work also with asepkcs.dll 6.5.0.5. If not, then I could download an updated release of asepkcs.dll that isn't blocked, install it in Firefox via about:preferences -> Security devices and then enter secured sites without any issues, so that setting security.osclientcerts.autoload to true would be redundant.

One word about asepkcs.dll crashes and subsequent block: last autumn I experienced the same crashes on Firefox too, immediately after updating Windows 10 to version 1909. When I realized that the root cause was asepkcs.dll I disabled it from security devices so I was able to use Firefox again. BUT, after uninstalling and then reinstalling on my pc the whole software pack related to my smartcard, I re-enabled the same asepkcs.dll file (6.5.0.5) and Firefox worked fine again.
After that experience this time I disabled asepkcs on Firefox before updating Windows 10 to release 2004 but when I tried to re-enable it I found it blocked by Firefox itself.
I don't know if the previous crashes were related to a changed physical location of asepkcs.dll on the pc hard drive due to the transition from the old to the new release of Windows 10 (maybe Firefox was looking for that module in the wrong place?) but, if you at Mozilla would accept one hint from me, please reconsider all the stages of the process that lead you to block that file. Otherwise Firefox risks to lose another great number of users in those countries where other browsers have no issue in managing government private keys and their software, even when it isn't updated regularly.

Flags: needinfo?(polim27)

Hi Polim27 and Hi Dana
I'm also experiencing this so very frustrating BUG..
same exact behaviour as very well described by Polim27..
so I re-underline very strongly what he states and suggests to you:
"please reconsider all the stages of the process that lead you to block that file. Otherwise Firefox risks to lose another great number of users in those countries where other browsers have no issue in managing government private keys and their software, even when it isn't updated regularly."

sincerely

regards

Were you able to find an updated version of asepkcs.dll?

Flags: needinfo?(polim27)

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #36)

> Were you able to find an updated version of asepkcs.dll?

Unfortunately not; I tried also the link posted in comment #3 but Firefox blocked the connection due to security reasons and I'm sorry but I don't want to put at risk my only computer for testing a nightly build.
Instead, why don't you send me a new nightly build based on that from comment #21 BUT WITHOUT the asepkcs block? If my suspects are true, I bet that it works without crashes with my old release of asepkcs.dll, with or without osclientcerts set to true.
Many thanks in advance

Flags: needinfo?(polim27)

hi, with the nightly 80.0a1 that you gave I was able to upload the asepkcs.dll 6.5.0.5
..but for what it is WORTH....
I already stated that also with the ESR vers I was really able to...
the BUG is with yr OFFICIAL stable version
and is STILL since the very late 75...
now we are at the newest 78...
and the BUG is really there
have you understood..
if you have understood why force us to do this UNWORTHLY try.....
I really do not want to use a nightly..
I want FF- STABLE- to finally solve this astonishing issue/BUG
yrs very truly

Dear Dana

Below you'll find 4 logs related to 4 different tests I did on your latest Nightly with these specifications:
#1) osclientcerts TRUE asepkcs.dll DISABLED
#2) osclientcerts FALSE asepkcs.dll ENABLED
#3) osclientcerts TRUE asepkcs.dll ENABLED
#4) osclientcerts TRUE asepkcs.dll ENABLED (only common browsing, no access to protected sites via smartcard)

Here they are with some comments

Flags: needinfo?(polim27)
Attached file log_osclient.txt

As you can see, with only osclientcerts set to TRUE I could NOT enter any protected site, just like with the previous Nightly_3 release. No certificate was shown in the certificate pop up windows (same picture of comment #26)

Attached file log_asepkcs.txt

As I thought, with osclientcerts set to FALSE and asepkcs.dll enabled, I had no problem entering the protected sites absolutely smoothly. My personal certificate was shown in the popup window (see picture below)

Attached image Pers_cert_asepkcs.png
Attached file log_oscl_asep.txt

With osclientcerts set to TRUE AND asepkcs.dll ENABLED, again no problem in entering protected sites at first try.

Attached file log_browsing.txt

This time I didn't enter any protected site via personal smartcard, instead I did a limited "endurance test" with osclientcerts and asepkcs.dll enabled in order to verify any possible sudden crash during common browsing. No issue until now, since I'm currently writing these notes via Nightly set in the same configuration.

Maybe I'm wrong (I'm not a developer) but these results, and in my humble opinion also what is happening in Estonia just a few days after the release of the new Windows 10 2004, confirm my conviction that the root cause of Firefox sudden crashes due to security modules is related somehow to the process of updating Windows OS to a new feature version.
I don't know what but something goes corrupted or lost (in Firefox? In the software pack linked to the security external device?) in migrating from the old to the new OS directories. And what really remains in the Windows.old directory, surviving for some days in order to downgrade the OS in case of issues? Is there something causing conflicts that could crash Firefox?
As you can see, asepkcs.dll works smoothly as it should; if it was the root cause of all the issues on Firefox and Thunderbird, then Nightly should have crashed in a few minutes or seconds time after opening as it happened to me several months ago with Firefox, again just after updating my OS, before I uninstalled and then reinstalled the smartcard software pack.
In my opinion you @Firefox should first log data and then design some experiments in order to investigate what really happens to Firefox and its external modules during OS updates: I think you'd discover a lot of information useful to solve these issues and to improve Firefox.

Happy 4th of July! :-)

Thank you for trying that build out. It looks like if the dll is unblocked, osclientcerts can get a handle on the key corresponding to your certificate if it uses the legacy api (this is what was failing before). However, the current implementation doesn't use the legacy api.
This build does use the legacy api - can you give it a try? https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/dvZ2L3dNQN6ULNxonr0y8A/runs/0/artifacts/public/build/install/sea/target.installer.exe (just with osclientcerts - I don't need to know how it behaves with asepkcs.dll).
Thanks!

As an aside to p033928, I realize that this is a frustrating issue for you, but your repeated comments are not contributing to resolving this bug. Please have patience and understand that we are working to address this.

Flags: needinfo?(polim27)

Dear Dana

IT WORKS!
After setting only security.osclientcerts.autoload to true without loading asepkcs.dll via about:preferences --> ... --> Personal devices, I entered several government sites at first try, with no issue at all.
During my browsing, my certificates were regularly reported in about:preferences --> ... --> View certificates, as you can see from the picture below.
Now it's up to you to investigate what can be saved from the old API to the new one in order to use asepkcs.dll in the same way of this build.
Thanks and good luck with your work :-)

Flags: needinfo?(polim27)

When the osclientcerts module attempts to use client certificates and keys from
certain tokens, the Windows APIs will attempt to load asepkcs.dll. If Firefox
blocks this library, the keys won't be available. Thus, it needs to be
unblocked.

Due to the architecture of osclientcerts (namely, its dedicated single thread),
using asepkcs.dll via the Windows APIs shouldn't cause the crashes that led to
this module being blocked.

Assignee: nobody → dkeeler

Evidently, keys stored on some tokens can only be accessed via the deprecated
CryptoAPI interface. This patch adds support for such keys.

Depends on D82788

Priority: -- → P1
Whiteboard: [psm-assigned]
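
Added example, not part of this bug or of Firefox's osclientcerts code: a PowerShell diagnostic for the distinction drawn in the patch description above, listing whether each certificate in the current user's Personal store is registered with a legacy CryptoAPI provider or a CNG key storage provider. The names Get-KeyProvInfo and OsClientCertsDiag are made up for this example, and it assumes the token middleware has published the token's certificates into that store.

```powershell
# Added diagnostic, not code from the bug or from Firefox. It reads certificate
# metadata only and never opens the private key itself.
Add-Type -Namespace OsClientCertsDiag -Name Native -MemberDefinition @'
[DllImport("crypt32.dll", SetLastError = true)]
public static extern bool CertGetCertificateContextProperty(
    IntPtr pCertContext, uint dwPropId, IntPtr pvData, ref uint pcbData);
'@

$CERT_KEY_PROV_INFO_PROP_ID = 2   # from wincrypt.h

function Get-KeyProvInfo {
    # Hypothetical helper name. Returns $null when the certificate carries no
    # CRYPT_KEY_PROV_INFO property (no stored pointer to a private key).
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $native  = [OsClientCertsDiag.Native]
    $marshal = [System.Runtime.InteropServices.Marshal]

    [uint32]$size = 0
    # First call: ask how large the property is.
    if (-not $native::CertGetCertificateContextProperty(
            $Cert.Handle, $CERT_KEY_PROV_INFO_PROP_ID, [IntPtr]::Zero, [ref]$size)) {
        return $null
    }

    $buf = $marshal::AllocHGlobal([int]$size)
    try {
        # Second call: copy the property into our buffer.
        if (-not $native::CertGetCertificateContextProperty(
                $Cert.Handle, $CERT_KEY_PROV_INFO_PROP_ID, $buf, [ref]$size)) {
            return $null
        }

        # CRYPT_KEY_PROV_INFO layout: LPWSTR container, LPWSTR provider,
        # DWORD provType, DWORD flags, DWORD cProvParam,
        # pointer rgProvParam (pointer-aligned), DWORD keySpec.
        $p         = [IntPtr]::Size
        $paramsOff = [int]([math]::Ceiling((2 * $p + 12) / $p) * $p)
        $provType  = $marshal::ReadInt32($buf, 2 * $p)
        $keySpec   = $marshal::ReadInt32($buf, $paramsOff + $p)

        # dwProvType == 0 means the provider name is a CNG key storage
        # provider; any other value is a CryptoAPI provider type.
        $api = if ($provType -eq 0) { 'CNG (key storage provider)' }
               else                 { 'CryptoAPI (legacy CSP)' }

        $specName = switch ($keySpec) {
            1       { 'AT_KEYEXCHANGE' }
            2       { 'AT_SIGNATURE' }
            default { "$keySpec" }
        }

        [pscustomobject]@{
            Api       = $api
            Provider  = $marshal::PtrToStringUni($marshal::ReadIntPtr($buf, $p))
            Container = $marshal::PtrToStringUni($marshal::ReadIntPtr($buf, 0))
            ProvType  = $provType
            KeySpec   = $specName
            Subject   = $Cert.Subject
        }
    }
    finally {
        $marshal::FreeHGlobal($buf)
    }
}

# Report every certificate in the Personal store that claims a private key.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Get-KeyProvInfo -Cert $_ } |
    Sort-Object Api, Subject |
    Format-Table Api, Provider, ProvType, KeySpec, Subject -AutoSize
```

A "CryptoAPI (legacy CSP)" row only shows how the certificate is registered; whether the key is reachable solely through CryptoAPI still depends on the vendor middleware.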

(In reply to p033928 from comment #57)

> ..in more simple words...??...
> what you mean...?
> what we have to do to have latest stable vers Firefox 78.0.1 finally FIXED with this frustrating BUG..?
> it should be so very duly indeed that you'll finally issue a new FF -stable vers-: we hope 78.0.2..
> with this BUG
> finally FIXED
> regards

Dear p033928
The answer to your question about what we have to do is simple: wait until the problem is solved (and, as Dana wrote, the patch is on the way).

In facing the issues of life (also Firefox issues) we can sit and watch other people trying to solve them for us while we are crying like a baby for his broken toy and blaming those who are working for us because they are terribly late; or we can wait confidently and if possible give them our helping hand in order to solve that problem as soon as possible. It's a matter of choice: and where there is a choice there is always personal responsibility.

Bugzilla is not a support forum: it's a place where people wanting to give a helping hand meet in order to signal and then solve Firefox issues.
When Dana asked to verify osclientcerts for the first time (see comment #12), NONE here in Italy answered; after more than 2 weeks from her request, although I'm not a developer, since I wanted to see my issue with smart-card solved I decided to try what she suggested and finally gave her the needed feedback. Then came the tests which I was able to do only thanks to her foolproof instructions and after all this time now we can see a little ray of light at the end of this tunnel.
In the meantime you started to post your comments and what have you done in order to help solve the problem? You could read the previous posts, do the same tests I did and give Dana other data for improving Firefox in less time: did you do it? Not at all, instead you are always complaining.

Why am I saying these things that might seem so hard to you? Not because I'm a Mozilla employee or developer: only because just in these days 20 (yes, twenty) years ago I bought my first pc with internet access. Then I was like a newborn on the net but clever enough to change almost immediately my default browser from the preinstalled MS Explorer to the mythic Netscape Navigator; after Navigator came Mozilla Seamonkey and finally Firefox which now is my default browser on my pc and on my android tablet and smartphone, too.
After all Mozilla Foundation gave me FREE in all these 20 years in terms of security, privacy and performance (sometimes also disappointing performances and bugs, as every human creation), about one month ago I thought this bug was the opportunity to give something back to it and, even though I'm not a professional web developer, I'm still here to give my time and my machine to solve this annoying (as you said) issue affecting me and so many people here in Italy, like you I suppose.

Now it's up to you to choose which kind of Bugzilla member you want to be: as I said before, it's a matter of choice and personal responsibility.

Best regards

Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a37281c02d0f
unblock asepkcs.dll r=tkikuchi
https://hg.mozilla.org/integration/autoland/rev/ea8c5d66605d
osclientcerts: add support for CryptoAPI-only keys r=mhowell,kjacobs
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
Flags: qe-verify+

Due to lack of environment would you mind verifying that this is fixed for you in Firefox 80.0 RC build?
https://archive.mozilla.org/pub/firefox/candidates/80.0-candidates/build2/win64/en-US/

Flags: needinfo?(polim27)
Attached file log_Firefox_80_RC.txt

As you can see from the attached log, after setting security.osclientcerts.autoload to true in about:config, everything worked well with my smartcard; I entered the same sites of previous tests with no issues, as it happened with the last Nightly, so for me the bug is fixed.
Best regards

Flags: needinfo?(polim27)

Thanks for checking this. Closing as verified fixed.

Status: RESOLVED → VERIFIED
Flags: qe-verify+

hi!
first thxs for creating this very useful topic
i've just upgraded to the vers 80 but in my case the bug is still there..
i mean that i'm not able to load the asepkcs.dll
where am i wrong..?
which could be my fault?
i pray you to guide me step by step like i were a little child cause i'm really not an expertise at all...
thxs in advance for yr kind cooperation
and patience too...
cheers

(In reply to Giusy from comment #66)

> hi!
> first thxs for creating this very useful topic
> i've just upgraded to the vers 80 but in my case the bug is still there..
> i mean that i'm not able to load the asepkcs.dll
> where am i wrong..?
> which could be my fault?
> i pray you to guide me step by step like i were a little child cause i'm really not an expertise at all...
> thxs in advance for yr kind cooperation
> and patience too...
> cheers

Hi Giusy
In order to make things work probably you have to change something in your Firefox configuration: I'm not an expert just like you but I can tell how to set the same configuration I have on my computer that works fine with my smartcard reader.

First of all, I don't load asepkcs.dll any more via Firefox so I deleted it from the security devices. In order to do so you should:

  1. Go to Options > Privacy & Security > Certificates > Security Devices;
  2. Check if asepkcs.dll is listed;
  3. If so, select and unload asepkcs.dll. If not, go directly to step 4.
  4. Press Ok.

Then you should enable the osclientcerts module in about:config. Osclientcerts is the module that makes asepkcs.dll work from within the Operating System (Windows for me and also for you, I suppose) and not from within Firefox, for crashes and security reasons.
To do so, you should:

  1. Type about:config in the Firefox address bar
  2. Say Yes to the alert page
  3. In the preference search bar within the page type security.osclientcerts.autoload
  4. Set security.osclientcerts.autoload to TRUE clicking on the DOUBLE arrow on the right
  5. Then close Firefox and restart
  6. Now try to enter a protected site via your smartcard

This is the configuration tested during the last months (you can see the test logs above). With this configuration I can enter protected sites smoothly with no issue here in Italy. I think it should work for you, too.
Best regards

Hi Polim27,
first let me thank you so much for yr kind attention and helping,
i'll surely try your so very well detailed workaround instructions
i'd like only to know if i was wrong understanding from my reading from posts 60 to 65 that the problem was fixed with the new vers 80
that, this is what i've may be wrongly understood, should have allowed again, as in the past, to load the asepkcs.dll
i've misunderstood this?
for me should be important to realize if i did not be able to interpret those posts 60->65 in the right way
may be i'm so confused but to sum up i'd like to know that the workaround you kindly gift to me in yr post 67
is the same that was found by the authors of posts 60 to 65
or if they instead stated that the asepkcs.dll loading should be again working well with the ff vers 80

thxs you so very much indeed for yr kind and precious helping
and big patience too..
cheers

maybe my post is very confused so i try to clear it ,apologize my poor english and my poor skills..,
the thing i'd like to know if with the new vers 80 is again possible to load the famous asepkcs.dll module in Firefox as we done in the past
or instead the only way to have the smartcard working is the very clever precious and detailed workaround gifted here in post 67 by the so very kind Polim27
thxs again so much indeed for yr attention
and patience too..
cheers

(In reply to Giusy from comment #69)

> maybe my post is very confused so i try to clear it ,apologize my poor english and my poor skills..,
> the thing i'd like to know if with the new vers 80 is again possible to load the famous asepkcs.dll module in Firefox as we done in the past
> or instead the only way to have the smartcard working is the very clever precious and detailed workaround gifted here in post 67 by the so very kind Polim27
> thxs again so much indeed for yr attention
> and patience too..
> cheers

Dear Giusy

Premised that I'm not a Mozilla developer but only a Firefox user, let me give you a little summary of previous posts (or at least what I've understood from them):

  1. asepkcs.dll was blocked due to a lot of Firefox sudden repeated crashes; at that time asepkcs.dll was loaded via Options > Privacy & Security > Certificates > Security Devices... > Load ("the past way" you cited in your post);
  2. in the meantime Dana Keeler and her colleagues developed a new way to load security modules via osclientcerts module, more reliable and secure (for more information see https://blog.mozilla.org/security/2020/04/14/expanding-client-certificates-in-firefox-75/)
  3. as you can see from comment #7, in order to bypass the asepkcs.dll block and allow the smartcard use Dana suggested to enable osclientcerts module instead of "the past way";
  4. I tried that new method but it didn't work (see comment #13)
  5. after many tests with several Firefox Nightly builds, Dana found that in order to use osclientcerts module the removal of asepkcs.dll block was needed (see comment #51, #55 and #60)
  6. After removing the asepkcs.dll block, enabling osclientcerts.autoload in about:config allows to use the smartcard with no issue, without loading asepkcs.dll by "the past way"

At the end of all this process, I think that now asepkcs.dll might be loaded via 2 ways (remember, I'm not a Firefox developer, it's only my opinion):
a) "the past way" (via Options > Privacy & Security > Certificates > Security Devices... > Load) is more insecure and unreliable since Firefox could crash again suddenly: maybe this way is still possible but I'm sure it's absolutely deprecated by Mozilla developers (otherwise they wouldn't have blocked asepkcs.dll before). At this moment I haven't tested it and I'm not going to try it.
b) the new way (via setting security.osclientcerts.autoload to true in about:config) is certainly more secure and reliable (no more crashes) and, once you set it, it is valid forever, not only for asepkcs.dll but also for every new security device you may install on your pc (so you don't have to use "the past way" every time you install a new smartcard or similar devices). This is the way I use with no issue until now.
Hope this helps.

Dear Polim27,
first I'd like to thank you so much from the very depths of my heart
because you are so patient and so kind and generous.
I apologize again for my very poor skills.
I ask you:

as per your clear 5): did that trick also work for FF versions earlier than the latest 80?
I mean, with the previous 79, if I set all the things you clearly wrote in your post 67, should I also be able to enter the protected site via my Athena smart card? Or did this possibility start working only with this new version 80? I can state that way a) of loading the asepkcs.dll is still not working with the new version 80 either, so, I apologize again for my very confused post, I'll try to sum up:

  1. with version 80 there is still no way to load the asepkcs.dll in the old way, the way you clearly named as a)
  2. version 80 has introduced the possibility to use FF and the Athena smart card, but we have to do the 2 steps of your very clever workaround in your so gentle and helpful post 67: 1) unload the module if present, 2) set true in about:config

Am I right? Have I understood well? I apologize again for all your precious time I'm stealing, and I thank you so much for the very big patience you have with me.
Thanks so much again
cheers

@Alcr. in your post 3 you state that you have the:

I think that I found a more recent asepkcs.dll from the Colegio de Abogados La Plata website:

http://www.calp.org.ar/download/controladores-token

(Controlador para Athena ID-Protect para Windows de 64 bits.)
asepkcs.dll version is 7.0.2.0

...how did you do it..??...if you download the file, it is a zip that requires a password...:

Controlador para Athena ID-Protect en Windows

https://www.macroseguridad.net/soporte/download/detectar.php

(In reply to Giusy from comment #72)

as per your clear 5): did that trick also work for FF versions earlier than the latest 80?
I mean, with the previous 79, if I set all the things you clearly wrote in your post 67, should I also be able to enter the protected site via my Athena smart card? Or did this possibility start working only with this new version 80? I can state that way a) of loading the asepkcs.dll is still not working with the new version 80 either, so, I apologize again for my very confused post, I'll try to sum up:

  1. with version 80 there is still no way to load the asepkcs.dll in the old way, the way you clearly named as a)
  2. version 80 has introduced the possibility to use FF and the Athena smart card, but we have to do the 2 steps of your very clever workaround in your so gentle and helpful post 67: 1) unload the module if present, 2) set true in about:config

Am I right? Have I understood well? I apologize again for all your precious time I'm stealing, and I thank you so much for the very big patience you have with me.
Thanks so much again
cheers

Dear Giusy

  1. the "new way" of loading asepkcs.dll via osclientcerts has been enabled with the new Firefox 80; previous releases are not able to load some modules needed to make things work
  2. if in Firefox 80, as you said, the old way of loading asepkcs.dll is still blocked, then I think that the only way to use the Athena smartcard (the same I use) with its original and secure software package in Firefox is by enabling osclientcerts via about:config (see comment #67 for more detailed instructions).
    Regards

Dear Polim27,
you really are my guardian angel.
This is my situation:
if I only do the -true- trick in about:config but I do not load the asepkcs.dll, the Athena smart card does not work
if I try to load the asepkcs.dll without doing the about:config trick, the module fails to load
but if I do the about:config -true- trick and I try to upload the asepkcs.dll module, I again get the error BUT then I see the
module loaded in:
Options > Privacy & Security > Certificates > Security Devices;
so it is -listed-
then I try to connect, it asks for the PIN, I enter it and finally it works!

What do you think about this experience of mine?

I will never stop thanking you from the very depths of my heart for having
supported me with your detailed and so precious instructions
and for all your kind and generous patience.

Thank you so much indeed

cheers

..is there anyone who could reply to the questions in my last post, no. 75..?
I would be very, very grateful..
I apologize for my very poor skills...
Thanks to you all for the precious time you have given us
cheers
:)

Can you file a new bug here: https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=Security%3A%20PSM and include the behavior you're seeing (and maybe some screenshots?) as well as what version you're using? Thanks!

Flags: needinfo?(p060477)

"the behavior you're seeing"..:
this is to sum up
(and my FF version is the latest 80.0.1, so the bug is maybe still not completely fixed)

if I only do the -true- trick in about:config but I do not load the asepkcs.dll, the Athena smart card does not work
if I try to load the asepkcs.dll without doing the about:config trick, the module fails to load
but if I do the about:config -true- trick and I try to upload the asepkcs.dll module, I again get the error BUT then I see the
module loaded in:
Options > Privacy & Security > Certificates > Security Devices;
so it is -listed-
then I try to connect, it asks for the PIN, I enter it and finally it works!

with Nightly or ESR the behaviour is without this bug,
so I can easily upload the module -asepkcs.dll-

What do you think about this experience of mine?

Flags: needinfo?(p060477)

Comment on attachment 9162288 [details]
Bug 1629002 - osclientcerts: add support for CryptoAPI-only keys r?mhowell!,kjacobs!

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Specifically to enterprise client certs
  • User impact if declined: Some Athena cards don't work
  • Fix Landed on Version: 80
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Only affects client certs
  • String or UUID changes made by this patch:
Attachment #9162288 - Flags: approval-mozilla-esr78?
Attachment #9162287 - Flags: approval-mozilla-esr78?

Hi Mike,
I apologize for my really very poor skills, but
the only thing I've understood is this:
"Fix Landed on Version: 80"...:
but as I've posted here, this is not -completely- true....
:(
Thanks for your attention
cheers

Comment on attachment 9162287 [details]
Bug 1629002 - unblock asepkcs.dll r?jmathies

Sounds like these patches are an improvement over the status quo even if there are some unresolved questions since they landed. As Dana said, let's move that discussion to a new bug rather than continuing to pile onto this one where it's getting harder and harder to follow the discussion. Approved for 78.3esr.

Attachment #9162287 - Flags: approval-mozilla-esr78? → approval-mozilla-esr78+
Attachment #9162288 - Flags: approval-mozilla-esr78? → approval-mozilla-esr78+

Hi Ryan,
first, thanks so much for your kind attention.
I did already create a new bug.
I only posted here because it was written that this was fixed with the new FF 80,
but as I said, that is not completely true...
About the ESR, it is already written here that, like the nightlies, it is already not affected.
cheers

Reporter seems to be gone, so clearing needinfo

Flags: needinfo?(cobzarupetrumihai96)

I apologize for my poor English and skills, Wayne, but I do not understand your latest post..
:(

Hello there, and sorry for the late reply.

The problem for which I originally opened this bug (could not load the asepkcs.dll to use the specific security tokens from this package, version 6.5.0.1 or any other) was solved with the release of Firefox 80, and everything seems to be fine, without tampering with any about:config flags.

Tested both on x86 and x64 releases, on many computers that needed to use a security token for gov related documents.

Hi cobzarupetrumihai96,
you are very lucky... because with FF 80 (I use Win 10 Home 64), I have to tamper with about:config and set it to true..
and then I have to load the asepkcs.dll

to sum up
(and my FF version is the latest 80.0.1, so the bug is maybe still not completely fixed)

if I only do the -true- trick in about:config but I do not load the asepkcs.dll, the Athena smart card does not work
if I try to load the asepkcs.dll without doing the about:config trick, the module fails to load
but if I do the about:config -true- trick and I try to upload the asepkcs.dll module, I again get the error BUT then I see the
module loaded in:
Options > Privacy & Security > Certificates > Security Devices;
so it is -listed-
then I try to connect, it asks for the PIN, I enter it and finally it works!

with Nightly or ESR the behaviour is without this bug,
so I can easily upload the module -asepkcs.dll-

Just to let you know that with the latest FF 81 the bug is still there too...

Please stop commenting in this bug. We are working with you in the other bug you filed (bug 1663752) to address your issue.

I beg your pardon, I'm sorry and I apologize.
I'll continue there:
(bug 1663752)
