Duplicate certificate selection and PIN requested twice when security.osclientcerts.autoload is 'true'
Categories
(Core :: Security: PSM, defect, P1)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox88 | --- | fixed |
People
(Reporter: bertrand.perret, Assigned: keeler, NeedInfo)
References
(Blocks 1 open bug)
Details
(Whiteboard: [psm-assigned])
Attachments
(6 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Steps to reproduce:
I update FF 85 beta to 86 beta on a machine where our setup is installed.
I close Firefox if it is open.
I insert a smart card in the reader.
I wait for certificates to be populated in the Windows 'MY' store.
I launch Firefox.
I verify that this setting moves to 'true'.
Then I connect to our test secured site.
Actual results:
The PIN code is requested twice:
1°) by Firefox because the setup installs our pkcs#11 as security module (via a dedicated webextension)
2°) by our CSP component which is also installed by the setup.
Here is a video of what happens: https://youtu.be/hXaaF8dWGjE
We notice the same certificate is presented in two entries in the certificate selection dialog.
Expected results:
Only one choice for the certificate to select,
Only one PIN code to be entered for authentication to succeed.
Comment 1•3 years ago
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
This is not the fact of using a WebExtension. You reproduce the problem you install the pkcs#11 library manually.
So I have changed the target component.
(In reply to BPER_ILEX from comment #2)
This is not the fact of using a WebExtension. You reproduce the problem if you install the pkcs#11 library manually.
So I have changed the target component.
Comment 4•3 years ago (Assignee)
Does it work as expected if you don't install the second pkcs#11 module?
There is no second pkcs#11 installed and configured by our setup.
In security modules dialog we have 'OS Client Cert Module' (i.e. osclientcert.dll) that makes our CSP prompt for the second dialog in the video supplied.
If and only if we reset the property 'security.osclientcerts.autoload' to 'false', 'OS Client Cert Module' is removed from configuration.
And then authentication is performed as expected with 'Module de sécurité CPS' only.
Comment 8•3 years ago (Assignee)
(In reply to BPER_ILEX from comment #5)
> And then authentication is performed as expected with 'Module de sécurité CPS' only.
That is a pkcs#11 module. What if you unload it from Firefox?
Dana,
the steps performed:
Launch Firefox.
go to about:preferences#privacy
go to security devices dialog
unload cps3_pkcs11_w64.dll
then go to our secured site shown in the video
the PIN code is asked only by the CSP this time.
OK but there is a difference with FF 85 beta/release behaviour though:
FF 85 beta/release (osclientcerts unloaded, cps3_pkcs11_w64 loaded)
When I click again on the green smartcard image, the PIN is NOT asked again
FF 86 beta and (osclientcerts unloaded, cps3_pkcs11_w64 loaded)
When I click again on the green smartcard image, the PIN is ALWAYS asked again by Firefox
FF 86 beta and (osclientcerts loaded, cps3_pkcs11 unloaded)
When I click again on the green smartcard image, the PIN is ALWAYS asked again by our CSP
Comment 10•3 years ago
I notice that FF 86 Beta 7 now sets 'security.osclientcerts.autoload' to ‘false’ by default.
In the Release Notes for version 86 (here: https://bugzilla.mozilla.org/buglist.cgi?j_top=OR&f1=target_milestone&o3=equals&v3=Firefox%2086&o1=equals&resolution=FIXED&o2=anyexact&query_format=advanced&f3=target_milestone&f2=cf_status_firefox86&bug_status=RESOLVED&bug_status=VERIFIED&bug_status=CLOSED&v1=mozilla86&v2=fixed%2Cverified&limit=0) I can see the original ticket (1682596) that sets this parameter to ‘true’.
However I can’t find any ticket that reverts the parameter back to ‘false’.
Can you please confirm whether or not this parameter will continue to be set to ‘false’ by default in future releases?
Comment 11•3 years ago (Assignee)
It's true by default in what we call "early Beta". Late betas we want to behave like release, and this isn't enabled by default in release yet, so it gets disabled. You should be able to set it to true yourself using an enterprise policy or user.js file.
(In reply to BPER_ILEX from comment #9)
> FF 86 beta and (osclientcerts loaded, cps3_pkcs11 unloaded)
> When I click again on the green smartcard image, the PIN is ALWAYS asked again by our CSP
This is a dialog provided by your software, right?
How does Chrome behave here?
Comment 12•3 years ago
(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #11)
> It's true by default in what we call "early Beta". Late betas we want to behave like release, and this isn't enabled by default in release yet, so it gets disabled. You should be able to set it to true yourself using an enterprise policy or user.js file.
>
> (In reply to BPER_ILEX from comment #9)
> > FF 86 beta and (osclientcerts loaded, cps3_pkcs11 unloaded)
> > When I click again on the green smartcard image, the PIN is ALWAYS asked again by our CSP
>
> This is a dialog provided by your software, right?
> How does Chrome behave here?
Hi Dana,
- "This is a dialog provided by your software, right?" -> Yes, the 3rd PIN entry dialog that you see in the video is provided by our CSP.
- "How does Chrome behave here?" -> Using Chrome, the PIN code is requested when we click on the card image on the CPS Diag test site the 1st time. When we click the image a 2nd time (and also all subsequent times) Chrome does not ask for a PIN code again. Firefox 86 beta asks for a PIN code every time we subsequently click on the image (osclientcerts loaded, cps3_pkcs11 unloaded).
Comment 13•3 years ago (Assignee)
Thanks! It would be helpful to know what code path is causing your CSP to show the dialog. Would you be able to attach windbg to Firefox when it shows the dialog for the first (expected) time and a subsequent (unexpected) time and capture the stacks of all Firefox threads at those times?
Comment 14•3 years ago
Dana,
I have attached Call Stack Logs. I'm not very familiar with windbg so if the call traces don't provide you with the info you need then you'll need to give me more detailed instructions. I have also generated mini-dumps at each display of the PIN request dialogs if you want them.
Comment 15•3 years ago (Assignee)
Thanks! Unfortunately that looks like a content process, not the main process. I've had more success in the past by launching Firefox first and then attaching to it when it's already running rather than starting it directly from windbg, which it looks like what you've done there? There will be multiple Firefox processes - the one you're looking for should have pk11_GetPassword on the stack when Firefox asks you to authenticate.
Comment 16•3 years ago (Assignee)
(In reply to BPER_ILEX from comment #9)
> FF 85 beta/release (osclientcerts unloaded, cps3_pkcs11_w64 loaded)
> When I click again on the green smartcard image, the PIN is NOT asked again
> FF 86 beta and (osclientcerts unloaded, cps3_pkcs11_w64 loaded)
> When I click again on the green smartcard image, the PIN is ALWAYS asked again by Firefox
I missed this the first time around - you're saying that if osclientcerts isn't involved at all, there's a difference between how 85 and 86 behave? Can you use https://mozilla.github.io/mozregression/ to narrow down when this changed?
Comment 17•3 years ago
Hi Dana,
I have attached a new execution trace using the method you suggested. I will do the mozregressions test you asked for...
By the way, when I post I always select 'Request information from triage owner...' Should I be doing this or not?
Thanks.
Comment 18•3 years ago
(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #16)
> (In reply to BPER_ILEX from comment #9)
> > FF 85 beta/release (osclientcerts unloaded, cps3_pkcs11_w64 loaded)
> > When I click again on the green smartcard image, the PIN is NOT asked again
> > FF 86 beta and (osclientcerts unloaded, cps3_pkcs11_w64 loaded)
> > When I click again on the green smartcard image, the PIN is ALWAYS asked again by Firefox
>
> I missed this the first time around - you're saying that if osclientcerts isn't involved at all, there's a difference between how 85 and 86 behave? Can you use https://mozilla.github.io/mozregression/ to narrow down when this changed?
Dana,
There is a mistake in comment #9 and therefore in comment #16. The 'FF 86 beta and (osclientcerts unloaded, cps3_pkcs11_w64 loaded)' DOES NOT ask for the PIN code every time the smartcard image is clicked. So FF85 beta (and release) DO behave the same way as FF86 beta. I have tested 85b5, 85.0.2, 86b6 and 86b9, they all behave the same on the test site used (with osclientcerts unloaded, cps3_pkcs11_w64 loaded), i.e. the PIN is only requested the 1st time the card image is clicked, not on subsequent times.
Chrome does not ask for a PIN code on subsequent clicks of the smartcard image whereas Firefox (when using OSCLIENTCERTS and NO PKCS11 LOADED) does.
Therefore I have not done the mozregression tests you ask for.
Regards.
Comment 19•3 years ago (Assignee)
Thanks for clarifying that.
(In reply to Paul from comment #17)
> By the way, when I post I always select 'Request information from triage owner...' Should I be doing this or not?
Since I am the triage owner for this component, that works, but in general if you want information from a specific person, you can ask by using "other" and putting in their email.
Can you try this build out?
https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/Wn8umy5gQzG8lTBbjT8eBw/runs/0/artifacts/public/build/install/sea/target.installer.exe
I changed the way osclientcerts uses the key handles it gets from the OS in a way that may avoid duplicate pin prompts from your component.
Comment 20•3 years ago
Dana,
Thanks for the build.
Using this build we no longer have duplicate/multiple PIN prompts. I have attached a video that shows the same test sequence as that used in the video URL in the problem 'Description' above so you can see the results.
It would be good to test the same fix on a build for macOS (INTEL). Would that be possible?
Thanks for all your help.
Comment 21•3 years ago (Assignee)
Good to hear. Does that build work as expected without your CPS?
Here's a build for macOS: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/Pc1Ik8jfRPOQ8G6CtRECoA/runs/0/artifacts/public/build/target.dmg
Comment 22•3 years ago
(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #21)
Hi again,
Thank you for the macOS build.
- "Good to hear. Does that build work as expected without your CPS?". I'm not sure what you mean. Do you mean with a different smartcard other than our CPS (Carte Professional de Santé) cards? If you meant to say "CSP" then yes it does behave as we expect (i.e., using only our PKCS11 module).
- Mixed results on macOS:
  a) On Mojave (so tokenD) everything works as we would expect in both configurations, just as it does on Windows.
  b) On Catalina (so tokenDriver) our PKCS11 module alone works as expected. However with our module unloaded and osclients enabled I cannot authenticate to the test site. I can see that the card's certificates are loaded into Firefox's 'My Certificates' store but when loading the test page FF asks me to select a certificate and then errors with SEC_ERROR_PKCS11_GENERAL_ERROR, no PIN is requested. Chrome does function correctly however.
Regards,
Comment 23•3 years ago (Assignee)
To give you context, the goal of the osclientcerts project is to make third-party PKCS#11 modules like your Module de sécurité unnecessary to load into Firefox. So in general, when I ask you to try if a particular build works, what I'm really interested in is if osclientcerts works all on its own, without other modules. So, does the Windows build work for you if you don't load your module into Firefox, and just enable osclientcerts?
From comment 22, it seems like there is an issue with the macOS-specific parts of osclientcerts. Can you please file a new bug and we'll work on that there? Thanks!
Comment 24•3 years ago (Assignee)
When osclientcerts obtains or uses an OS handle on a private key, the
underlying implementation may display some sort of authentication or pin
prompt. In some cases, caching this handle rather than obtaining it multiple
times can prevent multiple prompts. So, this is what this patch does.
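
A minimal model of the handle caching described in comment 24, added here as an illustration and not taken from the osclientcerts source or from the patch. MockOs, KeyHandle, UncachedKey and CachedKey are hypothetical names, and the mock is assumed to prompt on every handle acquisition, as the reporter's CSP appeared to.

```rust
// Constructed model, not osclientcerts source; all type names are hypothetical.
use std::cell::Cell;

/// Stand-in for the OS key store. Assumption: every handle acquisition prompts.
struct MockOs { prompts: Cell<u32> }

#[derive(Clone, Copy)] struct KeyHandle(u8);

impl MockOs {
    fn acquire_key_handle(&self) -> KeyHandle {
        self.prompts.set(self.prompts.get() + 1); // user sees a PIN dialog
        KeyHandle(7)
    }
    fn sign(&self, handle: KeyHandle, data: &[u8]) -> Vec<u8> {
        // Toy transform standing in for a signature; not cryptography.
        data.iter().map(|b| b ^ handle.0).collect()
    }
}

/// Before: a fresh handle per operation, so one prompt per operation.
struct UncachedKey;
impl UncachedKey {
    fn sign(&self, os: &MockOs, data: &[u8]) -> Vec<u8> {
        os.sign(os.acquire_key_handle(), data)
    }
}

/// After: the handle is obtained on first use and reused afterwards.
struct CachedKey { handle: Option<KeyHandle> }
impl CachedKey {
    fn sign(&mut self, os: &MockOs, data: &[u8]) -> Vec<u8> {
        let handle = *self.handle.get_or_insert_with(|| os.acquire_key_handle());
        os.sign(handle, data)
    }
}

/// Prompts shown across `n` signing operations, with or without caching.
fn prompts_for(n: usize, cached: bool) -> u32 {
    let os = MockOs { prompts: Cell::new(0) };
    let (plain, mut caching) = (UncachedKey, CachedKey { handle: None });
    for _ in 0..n {
        if cached { caching.sign(&os, b"handshake"); } else { plain.sign(&os, b"handshake"); }
    }
    os.prompts.get()
}

fn main() {
    println!("uncached: {}, cached: {}", prompts_for(3, false), prompts_for(3, true));
}
```
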
Comment 25•3 years ago
(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #23)
> To give you context, the goal of the osclientcerts project is to make third-party PKCS#11 modules like your Module de sécurité unnecessary to load into Firefox. So in general, when I ask you to try if a particular build works, what I'm really interested in is if osclientcerts works all on its own, without other modules. So, does the Windows build work for you if you don't load your module into Firefox, and just enable osclientcerts?
>
> From comment 22, it seems like there is an issue with the macOS-specific parts of osclientcerts. Can you please file a new bug and we'll work on that there? Thanks!
- "So, does the Windows build work for you if you don't load your module into Firefox, and just enable osclientcerts?" -> Yes it does work as we would expect. Thank you.
- "Can you please file a new bug and we'll work on that there? Thanks!" -> OK, will do.
Regards,
Comment 26•3 years ago
Pushed by dkeeler@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/442178d578d6 osclientcerts: cache key handles to potentially avoid multiple pin prompts r=mbirghan
Comment 27•3 years ago
bugherder