Closed Bug 1695974 Opened 3 years ago Closed 3 years ago

Smartcard authentication not working with TokenDriver when osclientcerts enabled

Categories

(Core :: Security: PSM, defect, P1)

Firefox 86
defect

Tracking


RESOLVED FIXED
89 Branch
Tracking Status
firefox89 --- fixed

People

(Reporter: pros, Assigned: keeler)

References

(Blocks 1 open bug)

Details

(Whiteboard: [psm-assigned])

Attachments

(3 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0

Steps to reproduce:

See Bug 1690278. On Catalina (so tokenDriver) our PKCS11 module alone works as expected. However with our PKCS11 module unloaded and osclientcerts enabled I cannot authenticate to a test site that we use. Chrome does function correctly however. Authentication does work correctly on macOS Mojave (so TokenD).

I have just tested FF Nightly 2021-02-28 and the problem exists in this version as well.

Actual results:

I can see that the card's certificates are loaded into Firefox's 'My Certificates' store but when loading the test page FF asks me to select a certificate and then errors with SEC_ERROR_PKCS11_GENERAL_ERROR, no PIN is requested.

Expected results:

Following certificate selection a PIN code should be requested and authentication succeed. The explanatory video in Bug 1690278 shows one of the test sequences used.

The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Security: PSM
Product: Firefox → Core

Can you run RUST_LOG=osclientcerts_static /Applications/Firefox\ Nightly.app/Contents/MacOS/firefox from a terminal, try to use your client certificate, and attach the output to this bug? Thanks!

Flags: needinfo?(pros)
Flags: needinfo?(pros)

Hi Dana.

I have attached the log you asked for. The file 'CPSDiag' is the exact same test site and procedure that was used in the video in bug 1690278. The file 'TestSSL' is one of the other sites that we use for testing authentication.

I won't be able to provide any more information before the 11th March, but it's possible one of my colleagues might be able to reply to any questions before then.

Regards.

Flags: needinfo?(dkeeler)
Attachment #9206626 - Attachment mime type: application/octet-stream → text/plain
Flags: needinfo?(dkeeler)
Attachment #9206625 - Attachment mime type: application/octet-stream → text/plain

Hi. Is there any progress on this issue?

Hi,

I have just tested the latest available FF Nightly (2021-03-31 89.0a1) and seen that this problem still exists.

Just to recap:

When attempting to perform client authentication via a smartcard to various SSL test sites, the authentication fails when 'osclientcerts' is set to 'true' on macOS Catalina (therefore using TokenDriver). On loading the test page(s), FF displays the 'Select certificate' dialog but then does not display a PIN entry dialog and instead fails with 'SEC_ERROR_PKCS11_GENERAL_ERROR'. The card's certificates have been loaded into FF's 'My Certificates' store.

This is a similar problem to bug 1690278, which has been resolved (on Windows).

Could you please provide me with an update.

Regards,

Paul.

Flags: needinfo?(dkeeler)

Hi Paul, I haven't had time to look at this yet, hence the lack of activity in this bug. When I have something, I'll let you know.

Flags: needinfo?(dkeeler)

OK Dana, that's fine. Thank you.

Paul.

Paul, how does this build work? https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/AVPL5JoPSoynwYIy6SIE9A/runs/0/artifacts/public/build/target.dmg Also, what version of TLS is your server using? Thanks!

Flags: needinfo?(pros)

Hi Dana,

Thanks for the build. I've just finished testing it and can confirm that authenticating to the 3 test sites that we use now works correctly in this version of Firefox.

I have tested on Mojave (TokenD) and Catalina (TokenDriver) using both osclientcerts and our PKCS11 module and in all cases the authentication is OK.

All three of these sites use TLS 1.2

Thanks for your help.

Flags: needinfo?(pros) → needinfo?(dkeeler)

Dana,

Could you please confirm that the osclientcerts parameter will NOT be activated when FF88 is finally released. If this should happen, it will cause a very large problem for our many users.

Thanks.

Paul.

It's been disabled for now.

Flags: needinfo?(dkeeler)

Previously, the macOS backend of osclientcerts used
kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw for RSA PKCS#1v1.5 signing, which
relies on the underlying implementation backing the signing key knowing how to
handle the given data to sign. On Catalina (which uses CryptoTokenKit as
opposed to TokenD), this doesn't appear to work (or, at least, there have been
reports of incompatibilities).
This patch parses out the data to be signed to determine the hash algorithm to
use and the hash data to sign, which is similar to how the Windows backend
works.
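
The approach the patch description outlines, shown as an added Rust example that is not the osclientcerts code itself: instead of handing the whole buffer to a "raw" PKCS#1 v1.5 signing operation, match the data NSS asks the module to sign against the known DigestInfo prefixes to recover the hash algorithm and the hash, and reject anything that is not exactly a recognized DigestInfo. The prefix table is taken from RFC 8017 section 9.2; the enum and function names are my own.

```rust
// Added example (not the osclientcerts source): recover the hash algorithm
// and hash from the PKCS#1 v1.5 DigestInfo that NSS hands a PKCS#11 module
// to sign, so the platform key can be asked for a digest-specific signature.

#[derive(Debug, PartialEq, Clone, Copy)]
pub enum HashAlgorithm {
    Sha1,
    Sha256,
    Sha384,
    Sha512,
}

/// DER-encoded DigestInfo prefixes from RFC 8017 section 9.2, note 1,
/// paired with the length of the hash that follows each prefix.
const DIGEST_INFO_PREFIXES: &[(HashAlgorithm, &[u8], usize)] = &[
    (HashAlgorithm::Sha1, &[0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14], 20),
    (HashAlgorithm::Sha256, &[0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20], 32),
    (HashAlgorithm::Sha384, &[0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30], 48),
    (HashAlgorithm::Sha512, &[0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40], 64),
];

/// Splits a DigestInfo into its hash algorithm and the raw hash.
/// Returns None unless the input is exactly prefix + hash of the matching
/// length, so the caller never signs arbitrary bytes as if they were a digest
/// (which is what a raw PKCS#1 v1.5 operation would do blindly).
pub fn parse_digest_info(data: &[u8]) -> Option<(HashAlgorithm, &[u8])> {
    for (alg, prefix, hash_len) in DIGEST_INFO_PREFIXES {
        if data.len() == prefix.len() + hash_len && data.starts_with(prefix) {
            return Some((*alg, &data[prefix.len()..]));
        }
    }
    None
}

fn main() {
    // Constructed sample: DigestInfo wrapping a 32-byte placeholder SHA-256 hash.
    let mut sample = DIGEST_INFO_PREFIXES[1].1.to_vec();
    sample.extend(std::iter::repeat(0xab).take(32));
    match parse_digest_info(&sample) {
        Some((alg, hash)) => println!("{:?} with {}-byte hash", alg, hash.len()),
        None => println!("not a recognized DigestInfo"),
    }
}
```

With the algorithm and hash separated this way, the backend can request a digest-specific signature from the key instead of relying on the token implementation to interpret the raw buffer.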

Assignee: nobody → dkeeler
Severity: -- → S3
Priority: -- → P1
Whiteboard: [psm-assigned]
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/caadf550854d
rework osclientcert signing on macOS for compatibility r=rmf
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 89 Branch
