Closed Bug 1636100 Opened 1 year ago Closed 11 months ago

nsIPKCS11ModuleDB.addModule failure in 76+ (Estonian ID card system broken)

Categories
(Core :: Security: PSM, defect)
76 Branch, All, Windows

Tracking
RESOLVED DUPLICATE of bug 1639537

Tracking Status
firefox-esr68 --- unaffected
firefox75 --- unaffected
firefox76 + wontfix
firefox77 + fixed
firefox78 + fixed

People
(Reporter: murphy, Unassigned)

References
(Regression)

Details
(Keywords: helpwanted, regression, steps-wanted)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0

Steps to reproduce:

I did not do anything; Firefox decided that "fuck this Estonia", we disable all ID card plugins.

Actual results:

Can't use the bank for paying bills or any kind of government service. Should I ditch Firefox and use some other browser? The same thing happened after the last major Firefox update.
There should at least be a revert button for an older version. But when I installed an older one it automatically upgraded and besides that removed all bookmarks and stuff.

Expected results:

Developers should test their stuff. A country with 1,5mil people is not so insignificant that you can just drop life-essential modules.

Group: firefox-core-security

I understand this is really frustrating, but unfortunately cursing and telling us we're bad at our jobs don't help fix the issue. I can't quite tell what is going on from your report.

What version of Firefox did you upgrade to that broke things? 75 or 76 or some other version?

Which specific plugin(s) are "disabled"? What kind of behaviour are you seeing? Crashes? Error pages? Websites just not recognizing that you have the ID card system installed? Something else?

Could you try the steps in this comment and see if you can use the ID card system then?

Flags: needinfo?(murphy)

This is about version 76. While I cannot confirm this myself because I need this working and can't update to 76, up until now 2 extensions have been needed to use the Estonian national ID card in Firefox:

https://github.com/open-eid/firefox-pkcs11-loader
https://github.com/open-eid/chrome-token-signing

From the report it seems that after updating to 76 these extensions have been disabled or are prevented from working in some way that cannot be fixed.

This is a general problem that affects all users not just this reporter. Our ID card support team has released official news that Firefox support of our ID card on Windows is broken as of 76 and they are working on it but no details as to what exactly is broken or whether there is a workaround. Right now the recommendation to Estonians relying on ID card use is just not to use Firefox (again!)

See https://www.id.ee/?id=30519&read=39793

If there were a simple workaround I would assume they would let the public know, although maybe expecting a bit much there.

(In reply to netcat from comment #2)

> From the report it seems that after updating to 76 these extensions have been disabled or are prevented from working in some way that cannot be fixed.

Thanks for the added context. Any more details about what this brokenness is / how it manifests / what caused it (like a more detailed regression window) would be really helpful in terms of getting this bug report to an actionable state.

Severity: normal → S1
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Estonian ID cared system broken → Estonian ID card system broken

FWIW I am using 75.0 (on Windows 7 64-bit) with both above-mentioned extensions enabled and security.osclientcerts.autoload set to false (the default) and it is working fine. Also FF 76 and the extensions work fine on Linux.

I don't have a hardware reader, but I tried installing the software from www.id.ee, and after (successful?) installation, Firefox Beta 77 reports this error when loading the pkcs11 module:

[Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIPKCS11ModuleDB.addModule]" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: chrome://browser/content/parent/ext-pkcs11.js :: installModule :: line 90" data: no] ext-pkcs11.js:90:20

I'm just guessing here, but I would expect the module to still be loaded even without the hardware present.

On the other hand I just had someone with no reader but pre-installed ID software update from 75 to 76.0.1 and they report the extensions at least appear to have remained enabled.

Apparently this is how it looks when it fails. Just upgraded to 76.0.1 myself, the extensions are displayed as enabled, both when pre-existing and when removed after upgrade and re-installed. But the card is not getting read. No crash and no browser error but access does not work, as if there is no card in the reader. At the same time Chrome etc. can read it fine.

Then I changed security.osclientcerts.autoload to true in about:config as suggested above.

AND IT WORKS

I have not tried all possible sites but it works at my bank, and at the e-government portal, so it should be generally ok.

Perhaps someone should document this in a more public manner.

Firefox 76 took only a point release of NSS with very minor changes from Firefox 75 (75 shipped with NSS 3.51, 76 with NSS 3.51.1), so I don't think this was likely an NSS change. Firefox 77 has PKCS11 v3 support (NSS 3.52), which I could much more imagine causing subtle issues with existing drivers, but that cannot be what this is.

NSS team can reproduce on Windows (only, so far) and are investigating nonetheless.

I'm certainly glad that osclientcerts fixes the issue, but there's still the issue.

Moving to PSM first, though it certainly could be an NSS issue.

Component: Untriaged → Security: PSM
OS: Unspecified → Windows
Product: Firefox → Core
Hardware: Unspecified → All
Summary: Estonian ID card system broken → nsIPKCS11ModuleDB.addModule failure in 76+ (Estonian ID card system broken)

Thanks to kjacobs, mozregression points to https://hg.mozilla.org/mozilla-central/rev/1e174ff5c656 (Bug 1621804), which blocks OpenSC 0.20.0.0 from being loaded in Windows due to crashes seen when 76 was in Nightly.

The upstream issue at OpenSC is https://github.com/OpenSC/OpenSC/issues/1999.

We know that for some users, opening about:config and setting the preference security.osclientcerts.autoload to true bypasses the need for OpenSC and re-enables access to eID services. I'd encourage anyone encountering this bug to give that a try.

In the meantime, as this is affecting release, we might consider backing out that blocklist patch from Bug 1621804 maybe if the crashes aren't silent anymore? If not, then we need to see how soon OpenSC might have a new release ready. Simultaneously, we should find out how to validate whether the osclientcerts module solves this problem for everyone and, if so, get some signal-boost about that being the solution.

In the longer-term, perhaps we should add UX when a client cert is requested but we have none to provide, suggesting turning on osclientcerts or some-such. Or just turn it on, maybe.

Component: Security: PSM → General
Product: Core → Firefox
Regressed by: 1621804

There seems to be a fix in upstream OpenSC which should fix the crash, see this comment in their corresponding issue. I filed bug 1633052 to intercept and report this type of crash but the fix for that is tricky and I'm not even sure it will work.

See Also: → 1560486
Component: General → Security: PSM
Product: Firefox → Core

(In reply to murphy deffa from comment #11)

> This happened AFTER I did try to downgrade and uninstalled Firefox and installed the old version.

It's not clear in what order you went about things but maybe it would help if you uninstalled the ID card software as well and re-installed it after the old browser version is installed?

Also, did the above suggested about:config change not work for you? It works well for me with no need to downgrade and seems to be the easiest approach.

I've filed bug 1639537 to evaluate removing the block and I'm in contact with the developers at the Estonian ID authority. To reduce the fallout on users we're taking a two-pronged approach of removing the block on our side (which hopefully should only lead to a limited number of users being affected by crashes) while they will try to release an updated version of the upstream software w/ a fix for the crash.

Fx77 goes to RC next week, so we're past the point when we'd be spinning a point release for 76 for this issue. Looks like the follow-up work is happening in bug 1639537 at the moment.

Yeah, I'll land the fix on nightly and ask for uplift since it's a one-liner.

We've reverted the DLL block in nightly, I'm now waiting for approval to uplift it in beta. If all goes well it should be in the next stable release a week from now.

Depends on: 1639537

Marking as fixed for 77 since we removed the DLL block via a beta uplift in bug 1639537. The release candidate build shipping tomorrow will have the patch.

Is there more work to do here or are we ready to call this fixed by bug 1639537?

Flags: needinfo?(gsvelto)

Yeah, it's fixed.

Flags: needinfo?(gsvelto)
Status: NEW → RESOLVED
Closed: 11 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1639537