1636100 - nsIPKCS11ModuleDB.addModule failure in 76+ (Estonian ID card system broken)

Status: RESOLVED DUPLICATE of bug 1639537

(Core :: Security: PSM, defect, P1)

Description

[murphy deffa]

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0

Steps to reproduce:

I did not do nothing, firefox decided that "fuck this estonia", we disable all ID card plugins.

Actual results:

Cant use bank for paying bills or any kind of goverment service. Should i ditch use of firefox and use some other browser? Same thing happened after last major firefox update.
There should be atelast rever button for older version. But if i installed older it automaticaly upgraded and beside that removed all bookmarks and stuff.

Expected results:

Developers should test theirs stuff. Contry with 1,5mil people is not insignificant so you can just dropp life essential modules.

Comment 1

[:Gijs (he/him)]

I understand this is really frustrating, but unfortunately cursing and telling us we're bad at our jobs don't help fix the issue. I can't quite tell what is going on from your report.

What version of Firefox did you upgrade to that broke things? 75 or 76 or some other version?

Which specific plugin(s) are "disabled"? What kind of behaviour are you seeing? Crashes? Error pages? Websites just not recognizing that you have the ID card system installed? Something else?

Could you try the steps in this comment and see if you can use the ID card system then?

Comment 2

[netcat]

This is about version 76. While I cannot confirm this myself because I need this working and can't update to 76, up until now 2 extensions have been needed to use the Estonian national ID card in Firefox:

https://github.com/open-eid/firefox-pkcs11-loader
https://github.com/open-eid/chrome-token-signing

From the report it seems that after updating to 76 these extensions have been disabled or are prevented from working in some way that cannot be fixed.

This is a general problem that affects all users not just this reporter. Our ID card support team has released official news that Firefox support of our ID card on Windows is broken as of 76 and they are working on it but no details as to what exactly is broken or whether there is a workaround. Right now the recommendation to Estonians relying on ID card use is just not to use Firefox (again!)

See https://www.id.ee/?id=30519&read=39793

If there were a simple workaround I would assume they would let the public know, although maybe expecting a bit much there.

Comment 3

[:Gijs (he/him)]

(In reply to netcat from comment #2)

From the report it seems that after updating to 76 these extensions have been disabled or are prevented from working in some way that cannot be fixed.

Thanks for the added context. Any more details about what this brokenness is / how it manifests / what caused it (like a more detailed regression window) would be really helpful in terms of getting this bug report to an actionable state.

Comment 4

[netcat]

FWIW I am using 75.0 (on Windows 7 64bit) with both abovementioned extensions enabled and security.osclientcerts.autoload on false (by default) and it is working fine. Also FF 76 and the extensions work fine on Linux.

Comment 5

[Tomislav Jovanovic :zombie]

I don't have a hardware reader, but I tried installing the software from www.id.ee, and after (successful?) installation, Firefox Beta 77 reports this error when loading the pkcs11 module:

[Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIPKCS11ModuleDB.addModule]" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: chrome://browser/content/parent/ext-pkcs11.js :: installModule :: line 90" data: no] ext-pkcs11.js:90:20

I'm just guessing here, but I would expect the module to still be loaded even without the hardware present.

Comment 6

[netcat]

On the other hand I just had someone with no reader but pre-installed ID software update from 75 to 76.0.1 and they report the extensions at least appear to have remained enabled.

Comment 7

[netcat]

Apparently this is how it looks when it fails. Just upgraded to 76.0.1 myself, the extensions are displayed as enabled, both when pre-existing and when removed after upgrade and re-installed. But the card is not getting read. No crash and no browser error but access does not work, as if there is no card in the reader. At the same time Chrome etc can read it fine.

Then I changed the security.osclientcerts.autoload to true in about: config as suggested above.

AND IT WORKS

I have not tried all possible sites but it works at my bank, and at the e-government portal, so it should be generally ok

Perhaps someone should document this in a more public manner.

Comment 8

[J.C. Jones [:jcj] (he/him)]

Firefox 76 took only a point release of NSS with very minor changes from Firefox 75 (75 shipped with NSS 3.51, 76 with NSS 3.51.1), so I don't think this was likely an NSS change. Firefox 77 has PKCS11 v3 support (NSS 3.52), which I could much more imagine causing subtle issues with existing drivers, but that cannot be what this is.

NSS team can reproduce on Windows (only, so far) and are investigating nonetheless.

I'm certainly glad that osclientcerts fixes the issue, but there's still the issue.

Moving to PSM first, though it certainly could be an NSS issue.

Comment 9

[J.C. Jones [:jcj] (he/him)]

Thanks to kjacobs, mozregression points to https://hg.mozilla.org/mozilla-central/rev/1e174ff5c656 (Bug 1621804), which blocks OpenSC 0.20.0.0 from being loaded in Windows due to crashes seen when 76 was in Nightly.

The upstream issue at OpenSC is https://github.com/OpenSC/OpenSC/issues/1999.

We know that for some users, opening about:config and setting the preference security.osclientcerts.autoload to true bypasses the need for OpenSC and re-enables access to eID services. I'd encourage anyone encountering this bug to give that a try.

In the meantime, as this is affecting release, we might consider backing out that blocklist patch from Bug 1621804 maybe if the crashes aren't silent anymore? If not, then we need to see how soon OpenSC might have a new release ready. Simultaneous, we should find out how to validate whether the osclientcerts module solves this problem for everyone and, if so, get some signal-boost about that being the solution.

In the longer-term, perhaps we should add UX when a client cert is requested but we have none to provide, suggesting turning on osclientcerts or some-such. Or just turn it on, maybe.

Comment 10

[Gabriele Svelto [:gsvelto]]

There seems to be a fix in upstream OpenSC which should fix the crash, see this comment in their corresponding issue. I filed bug 1633052 to intercept and report this type of crash but the fix for that is tricky and I'm not even sure it will work.

Comment 11

[murphy deffa]

Well its geting better and better. Try manual install then i get "PKCS11 loader ((02274..... blah blah)) is blocked by your system administrator".
WTF??? Who is the administrator??? ME, I OWN PC. I install wadever i wan't. Apparently FF devs have different opinion on that.
This happened AFTER i did try to downgrade and unsinstalled firefox and installed old version.
And now its in any version i try. I was able to save 1 PC in household and disable automatic updates and can use id card. Alltho its constantly showing popups "install your updates and enjoy more broken browser"
will try to pull from backups offline adn disable updates so it cant download crap.

Comment 12

[netcat]

(In reply to murphy deffa from comment #11)

This happened AFTER i did try to downgrade and unsinstalled firefox and installed old version.

It's not clear in what order you went about things but maybe it would help if you uninstalled the ID card software as well and re-installed it after the old browser version is installed?

Also, did the above suggested about : config change not work for you? It works well for me with no need to downgrade and seems to be the easiest approach.

Comment 13

[Rachel Tublitz [:rachel]]

Linking to support article here covering the workaround: https://support.mozilla.org/en-US/kb/workaround-make-estonian-smartcards-work-firefox-7

Comment 14

[Gabriele Svelto [:gsvelto]]

I've filed bug 1639537 to evaluate removing the block and I'm in contact with the developers at the Estonian ID authority. To reduce the fallout on users we're taking a two-pronged approach of removing the block on our side (which hopefully should only lead to a limited number users being affected by crashes) while they will try to release an updated version of the upstream software w/ a fix for the crash.

Comment 15

[Ryan VanderMeulen [:RyanVM]]

Fx77 goes to RC next week, so we're past the point when we'd be spinning a point release for 76 for this issue. Looks like the follow-up work is happening in bug 1639537 at the moment.

Comment 16

[Gabriele Svelto [:gsvelto]]

Yeah, I'll land the fix on nightly and ask for uplift since it's a one-liner.

Comment 17

[Gabriele Svelto [:gsvelto]]

We've reverted the DLL block in nightly, I'm now waiting for approval to uplift it in beta. If all goes well it should be in the next stable release a week from now.

Comment 18

[Pascal Chevrel:pascalc (PTO until April 26)]

Marking as fixed for 77 since we removed the DLL block via a beta uplift in bug 1639537. The release candidate build shipping tomorrow will have the patch.

Comment 19

[Julien Cristau [:jcristau] (back April 22)]

Is there more work to do here or are we ready to call this fixed by bug 1639537?

Comment 20

[Gabriele Svelto [:gsvelto]]

Yeah, it's fixed.

Comment 23

[murphy deffa]

(In reply to p033928 from comment #22)

for me the about config workround DID really NOT FIX anything..
still having this frustrating BUG
see on mozilla forum:
https://forum.mozillaitalia.org/index.php?topic=74089.0#lastPost
ff 77.0.1 win 10 home 64 vers 2004
asepkcs.dll (version<=6.5.0.5)

for me it fixed. You may have to unistall and reinstall firefox. Also try Firefox Nightly, as it owas the one that started working first.

Comment 26

[:Gijs (he/him)]

(In reply to p033928 from comment #22)

for me the about config workround DID really NOT FIX anything..
still having this frustrating BUG
see on mozilla forum:
https://forum.mozillaitalia.org/index.php?topic=74089.0#lastPost
ff 77.0.1 win 10 home 64 vers 2004
asepkcs.dll (version<=6.5.0.5)

This looks like a different DLL, with a different associated bug - bug 1560052, where you have already commented, or bug 1629002. Please see the suggestions in that bug (notably, you could try obtaining a more recent copy of the DLL from the smartcard/certificate provider). Please stop commenting in this unrelated bugreport.