Closed Bug 1631124 Opened 5 years ago Closed 5 years ago

osclientcerts: look for intermediate client certificates to help PSM with path building (windows)

Categories

(Core :: Security: PSM, defect, P1)

75 Branch
defect

Tracking


RESOLVED FIXED
mozilla78
Tracking Status
firefox-esr68 --- unaffected
firefox75 --- disabled
firefox76 --- disabled
firefox77 --- disabled
firefox78 --- disabled

People

(Reporter: samlh+bz2, Assigned: keeler)

References

(Blocks 1 open bug)

Details

(Whiteboard: [psm-assigned])

Attachments

(7 files, 4 obsolete files)

Attached file example chain.crt

+++ This bug was initially created as a clone of Bug #1630473 +++

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0

Even with the fix from bug 1639473, some client certificates are shown in the list unless the intermediate is added into Firefox

See attachment for the client certificate and chain

Flags: needinfo?(dkeeler)

Thanks - let's first land bug 1630473.

Depends on: 1630473
Flags: needinfo?(dkeeler)
Priority: P1 → P2
Whiteboard: [psm-blocked]

If you set security.osclientcerts.autoload and security.enterprise_roots.enabled to true with the latest version of Nightly, are you still seeing this behavior?

Flags: needinfo?(samlh+bz2)
Attached file about:support

Hi Dana!

Yes, I am still seeing this behavior on Nightly 20200424114754.

If I do not import any intermediates, I have 1 client certificate show up in the list.

If I import the corresponding intermediates for the other 2 client certificates (one attached), the client certificates also show up in the list.

Possible correlation:

  • The certificate that shows up in the list as-is has an exportable private key
  • The certificates that do not show up in the list do not have exportable private keys (due to being on a smart card or similar)

If there is logging I can enable or instructions for what to check in a debugger, I'm happy to give it a try.

Thanks,
Sam

Flags: needinfo?(samlh+bz2)

If you set the environment variable RUST_LOG to osclientcerts_static it should output some debugging information to the console (here's how to run Firefox with a console: https://developer.mozilla.org/en-US/docs/Mozilla/Command_Line_Options#Miscellaneous)

Flags: needinfo?(samlh+bz2)
Flags: needinfo?(samlh+bz2)

Thanks! It looks like the module is finding 4 client certificates. Can you do that again with MOZ_LOG set to pipnss:4? (no need for the testcases where you don't visit the server)
Also, to be clear, when you said "If I do not import any intermediates" did you mean importing via the certificate manager or by setting security.enterprise_roots.enabled?

Flags: needinfo?(samlh+bz2)

Thanks! It looks like the module is finding 4 client certificates. Can you do that again with MOZ_LOG set to pipnss:4? (no need for the testcases where you don't visit the server)

Logs attached.

Also, to be clear, when you said "If I do not import any intermediates" did you mean importing via the certificate manager or by setting security.enterprise_roots.enabled?

Importing via about:preferences#privacy -> Certificate Manager.
All logs are with security.enterprise_roots.enabled=true and security.osclientcerts.autoload=true

Thanks for taking a look!

Attachment #9145664 - Attachment is obsolete: true
Attachment #9145666 - Attachment is obsolete: true
Flags: needinfo?(samlh+bz2)

It looks like the module is finding 4 client certificates.

Yes. See the attached list of certs.

The one I want to use is #2 in the attached list.
(SerialNumber: 5D00347B941897D81CCCF1B545000000347B94)

The only one that shows up is #4.
(SerialNumber: 7F53F612C9576F51C9FCF462AF06E243)

The only one that shows up is #4.
(SerialNumber: 7F53F612C9576F51C9FCF462AF06E243)

Argh, sorry, that should be #3 (48:00:70:5C:69:3C:2E:86:02:55:52:71:10:00:01:00:70:5C:69)

Assignee: nobody → dkeeler
Priority: P2 → P1
Summary: Intermediate required to be added to Firefox for some client certificates (potentially related to smartcard usage) → osclientcerts: look for intermediate client certificates to help PSM with path building (windows)
Whiteboard: [psm-blocked] → [psm-assigned]

To implement filtering client certificates by the acceptable CAs list sent by
servers when they request client certificates, we need the CAs that issued the
client certificates. To that end, this change modifies the Windows backend of
the osclientcerts module to also gather issuing CAs while looking for client
certificates. These certificates will not affect trust decisions in gecko.
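The commit message above describes why the module now gathers issuing CAs: to filter client certificates by a server's acceptable-CA list, the leaf's chain has to be followed back through the intermediates that issued it. The following is an added illustration, not osclientcerts or PSM code, of that name-matching walk and filter. It models certificates as subject/issuer name pairs only (real code compares DER-encoded Names and verifies signatures), uses constructed sample names (`CN=Sam Smartcard`, `CN=Example Issuing CA 2`, `CN=Example Root CA`), and shows why a leaf issued by an intermediate is excluded when that intermediate is absent from the pool, which is the behaviour reported in this bug.

```rust
// Added example (not from osclientcerts): chain building by subject/issuer name
// matching, then filtering against the acceptable-CA names a server sends in
// its CertificateRequest. All names below are constructed sample data.
use std::collections::HashMap;

/// Minimal stand-in for a certificate: only the two names path building needs.
#[derive(Clone, Debug, PartialEq)]
pub struct Cert {
    pub subject: &'static str,
    pub issuer: &'static str,
}

impl Cert {
    pub fn is_self_signed(&self) -> bool {
        self.subject == self.issuer
    }
}

/// Walk issuer links from `leaf` through `pool` (the issuing CAs the module
/// gathered). Returns the chain leaf-first and stops at a self-signed cert or
/// when the next issuer is not in the pool.
pub fn build_chain(leaf: &Cert, pool: &[Cert]) -> Vec<Cert> {
    let by_subject: HashMap<&str, &Cert> = pool.iter().map(|c| (c.subject, c)).collect();
    let mut chain = vec![leaf.clone()];
    let mut current = leaf;
    // Bound the walk so a malformed pool (A issued by B, B issued by A) cannot spin forever.
    for _ in 0..16 {
        if current.is_self_signed() {
            break;
        }
        match by_subject.get(current.issuer) {
            Some(&issuer) => {
                chain.push(issuer.clone());
                current = issuer;
            }
            None => break,
        }
    }
    chain
}

/// A client cert is offered for a request if some certificate on the chain we
/// could build is, or names as its issuer, one of the server's acceptable CAs.
pub fn usable_for_request(leaf: &Cert, pool: &[Cert], acceptable_cas: &[&str]) -> bool {
    build_chain(leaf, pool).iter().any(|c| {
        acceptable_cas.iter().any(|ca| *ca == c.subject || *ca == c.issuer)
    })
}

/// Constructed sample leaves: one issued by an intermediate, one by the root.
pub fn sample_client_certs() -> Vec<Cert> {
    vec![
        Cert { subject: "CN=Sam Smartcard", issuer: "CN=Example Issuing CA 2" },
        Cert { subject: "CN=Sam Software Key", issuer: "CN=Example Root CA" },
    ]
}

/// Constructed sample issuing CAs, as the module would gather them alongside the leaves.
pub fn sample_intermediates() -> Vec<Cert> {
    vec![
        Cert { subject: "CN=Example Issuing CA 2", issuer: "CN=Example Root CA" },
        Cert { subject: "CN=Example Root CA", issuer: "CN=Example Root CA" },
    ]
}

fn main() {
    // Server accepts only the root; the smart-card cert is usable only once
    // its intermediate is available to link it to that root.
    let acceptable = ["CN=Example Root CA"];
    let pool = sample_intermediates();
    for leaf in sample_client_certs() {
        let without = usable_for_request(&leaf, &[], &acceptable);
        let with = usable_for_request(&leaf, &pool, &acceptable);
        println!("{}: without intermediates={} with intermediates={}", leaf.subject, without, with);
    }
}
```

Run as-is, the smart-card leaf reports `without intermediates=false with intermediates=true`, while the root-issued leaf is usable either way; that asymmetry is the filtering the commit message refers to, and the bounded loop is the check a practitioner wants so a bad pool cannot hang the chain walk.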

Pushed by dkeeler@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/38e08f6e791c osclientcerts: attempt to find issuing certificates when looking for client certificates (Windows) r=kjacobs,mhowell
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla78

Does the latest build of Nightly work for you?

Flags: needinfo?(samlh+bz2)

Yes, everything works perfectly on latest nightly.

Thank you - I really appreciate it!

Flags: needinfo?(samlh+bz2)

Thanks!

