Closed Bug 1710731 Opened 3 years ago Closed 3 years ago

Firefox prompts repeatedly for smartcard password

Categories

(Core :: Security: PSM, defect, P1)

Product:
Core
Component:
Security: PSM
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
93 Branch
Tracking Flags:
Tracking Status
firefox-esr91 94+ verified
firefox93 --- fixed

People

(Reporter: jhaiduce, Assigned: keeler)

References

Details

(Whiteboard: [psm-assigned])

Attachments

(3 files, 1 obsolete file)

Password prompt inside browser window
69.54 KB, image/png
Details
Password prompt outside the browser window
172.79 KB, image/png
Details
Bug 1710731 - avoid unnecessary PKCS#11 module PIN prompts when looking for client certificates r?rmf
48 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-esr91+
Details | Review

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0

Steps to reproduce:

  1. Install Firefox
  2. Install OpenSC
  3. Visit a site that requires smartcard authentication
  4. Change network (e.g. disconnect and reconnect VPN)

Actual results:

Firefox repeatedly prompts for the smartcard password whenever the network changes. The user has to dismiss a dozen or so password prompts before the browser can be used again. Then at least one of the open browser windows becomes unresponsive to mouse clicks, requiring a restart of the browser.

Expected results:

Firefox should only prompt for the smartcard password once, until the smartcard is removed. After the smartcard password is entered or the password dialog dismissed, the browser should continue to operate normally.

The Bugbug bot thinks this bug should belong to the 'Toolkit::Password Manager' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Password Manager
Product: Firefox → Toolkit

Hi John, thanks for filing this. Are you able to provide screenshots of the prompt (or prompts) that appear? That will help us narrow down what is going on here. Additionally, are there any test sites that utilize OpenSC that we can check out in order to reproduce?

Flags: needinfo?(jhaiduce)

Password prompt that appears inside the browser window. Typically this prompt appears after a change of network environment (connect/disconnect). After pressing Enter or Cancel the prompt closes and reappears immediately. This cycle repeats several times before the password prompt stops appearing and the browser can be used again.

Flags: needinfo?(jhaiduce)

Password prompt outside the browser window. Typically, several of these windows appear upon change of network environment. Sometimes they are responsive to keyboard/mouse input, sometimes not. When the password dialog does not respond to user input, it is often because another password dialog (below the first) has focus. In that case the user has to drag the overlying password prompts aside to find the password dialog underneath that can be dismissed by pressing Cancel. After that the remaining password dialogs can be dismissed.

Hi Tim, thanks for your quick response.

(In reply to Tim Giles [:tgiles] from comment #3)

Are you able to provide screenshots of the prompt (or prompts) that appear?

I've uploaded a couple of screenshots. One shows a couple of password prompts that appear outside the browser window; the other shows a password prompt inside the browser window. Normal behavior for smartcard usage in Firefox is that the browser displays a password prompt in the browser like the one in comment #4, but only does so once (assuming the user enters the correct password).

So what happens in my setup is that whenever the network environment changes (e.g. VPN or wifi disconnects or reconnects) I get a bunch of password prompts outside the browser window like the ones shown in comment #5. The number varies, but it's typically somewhere between two and twelve. Once I've dismissed all of those, a prompt like the one in comment #4 appears in the browser. That one reappears when I click Cancel, and does so repeatedly several times before finally staying away.

are there any test sites that utilize OpenSC that we can check out in order to reproduce?

I'm not aware of any specifically for OpenSC. You could try https://check.dmdc.mil/, though I'm not certain whether that site will provide helpful information without a US Government issued smartcard.

Dana/pbz, I'm not sure if the problem here is all the the number of prompts that should have been queued or somehow coalesced, or the number of cert / auth invalidations that should have been throttled. It looks like MattN was the last person in this code and I don't have that context. Do either of you have any insights here?

Flags: needinfo?(pbz)
Flags: needinfo?(dkeeler)

The UX can certainly be improved here, but I have a couple of questions for John:

  • Is macOS the only platform you need? If you don't need linux, it would be good to try out osclientcerts by setting security.osclientcerts.autoload to true in about:config and unloading OpenSC (osclientcerts will soon to be enabled by default).
  • Otherwise, if you authenticate to your token when the dialog comes up, does it work as expected?
Flags: needinfo?(dkeeler) → needinfo?(jhaiduce)

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #8)

  • Is macOS the only platform you need?

I use Linux also, but I haven't encountered this problem there. There are several possible contributing factors for that:

  • My Linux machines are using CACKey rather than OpenSC to interface with the smartcard
  • I've been using smartcard authentication less frequently on Linux
  • The Linux machines where I use smartcard authentication are desktops with wired network connections so they don't change networks as often.

If you don't need linux, it would be good to try out osclientcerts by setting security.osclientcerts.autoload to true in about:config and unloading OpenSC (osclientcerts will soon to be enabled by default).

I tried that, and it seems to work so far (caveat is that I haven't made many network config changes yet). I remember trying that setting a while back (over a year ago when I first noticed it mentioned in the release notes), and it didn't work then which was why I switched to OpenSC in the first place. But osclientcerts seems to be working much better now than it did then.

  • Otherwise, if you authenticate to your token when the dialog comes up, does it work as expected?

Yes, when I visit a smartcard-enabled website and authenticate, it works as expected.

Flags: needinfo?(jhaiduce)

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #8)

If you don't need linux, it would be good to try out osclientcerts by setting security.osclientcerts.autoload to true in about:config and unloading OpenSC (osclientcerts will soon to be enabled by default).

Did a little more checking. I've visited four smartcard-enabled sites with OpenSC uninstalled and security.osclientcerts.autoload set to true. Two of them work fine, and two prompt for my smartcard password but then give errors.

https://usajobs.gov and https://check.dmdc.mil both give the following error:

An error occurred during a connection to 0f55.pivcac.prod.login.gov. A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred.

Error code: SEC_ERROR_PKCS11_GENERAL_ERROR

(In reply to John Haiducek from comment #10)

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #8)

If you don't need linux, it would be good to try out osclientcerts by setting security.osclientcerts.autoload to true in about:config and unloading OpenSC (osclientcerts will soon to be enabled by default).

Did a little more checking. I've visited four smartcard-enabled sites with OpenSC uninstalled and security.osclientcerts.autoload set to true. Two of them work fine, and two prompt for my smartcard password but then give errors.

After restarting Firefox the certificate errors went away. https://check.dmdc.mil loads fine, but https://usajobs.gov doesn't accept my smartcard for authentication. It's been a while since I authenticated to that site with a smartcard though, so I'm not certain the authentication failure is related to Firefox. In the meantime I've temporarily locked my account at usajobs.gov so I have to wait a few minutes before I can try again to confirm whether I can authenticate to usajobs.gov with a different configuration.

(In reply to John Haiducek from comment #11)

https://usajobs.gov doesn't accept my smartcard for authentication. It's been a while since I authenticated to that site with a smartcard though, so I'm not certain the authentication failure is related to Firefox. In the meantime I've temporarily locked my account at usajobs.gov so I have to wait a few minutes before I can try again to confirm whether I can authenticate to usajobs.gov with a different configuration.

The most recent failure on usajobs.gov was due to a problem with my account settings on that site, unrelated to Firefox.

Looks like these prompts are shown via nsIPrompt#promptPassword which is implemented in LoginManagerAuthPrompter.jsm:
https://searchfox.org/mozilla-central/rev/0e8b28fb355afd2fcc69d34e8ed66bbabf59a59a/toolkit/components/passwordmgr/LoginManagerAuthPrompter.jsm#512

It doesn't look like the prompt implementation merges these. That means the consumer (NSS) needs to ensure there are no duplicates.

Flags: needinfo?(pbz)

I agree with Paul, NSS looks like the right component to handle this issue.
I'll move the component, but also feel free to move it back if this can/should be fixed in the prompt implementation.

Assignee: nobody → nobody
Component: Password Manager → Libraries
Product: Toolkit → NSS
Version: Firefox 88 → other
Assignee: nobody → nobody
Component: Libraries → Security: PSM
Product: NSS → Core
Version: other → unspecified
Assignee: nobody → dkeeler
Severity: -- → S4
Priority: -- → P1
Whiteboard: [psm-assigned]
Status: UNCONFIRMED → NEW
Ever confirmed: true

John, can you do me a favor and see if this build behaves more like you'd expect? https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/aECUfCw2RpyzKP1pDqhQYg/runs/0/artifacts/public/build/target.dmg

Flags: needinfo?(jhaiduce)

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #17)

John, can you do me a favor and see if this build behaves more like you'd expect? https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/aECUfCw2RpyzKP1pDqhQYg/runs/0/artifacts/public/build/target.dmg

I think that build improves things. I did find that I got a lot of password prompts in my initial test (which had OpenSC loaded and security.osclientcerts.autoload set to True). But the problem doesn't appear in other configurations.

More details:

  • I initially tried loading OpenSC using the file 'opensc-pk11.so'. I'm pretty sure that's what I was using before, but when googling to check the path to it I found instructions that said to use 'onepin-opensc-pk11.so'. I tried both.
  • In my first attempt I used 'opensc-pk11.so' with security.osclientcerts.autoload set to True. That configuration did produce a lot of password prompts similar to I reported initially. Most were the style that Firefox produces when using OpenSC, but once per website I got a prompt of the style that I normally get from the OS. As before, a change of network configuration produced a bunch of password prompts.
  • If I 'onepin-opensc-pk11.so' instead of 'opensc-pk11.so', the excessive password prompts go away. Similarly, if I used 'opensc-pk11.so' with security.osclientcerts.autoload set to False, the excessive password prompts also go away.
Flags: needinfo?(jhaiduce)

In general, if you can just use osclientcerts instead of the opensc modules, I would recommend that, since that will never cause Firefox to open a password dialog like attachment 9221885 [details].

That aside, how many different slots do each of onepin-opensc-pk11.so and opensc-pk11.so have, when you load them? You might be getting one prompt per slot, and attachment 9231463 [details] wouldn't change that. Another question is maybe the browser is behaving a bit differently from how I'm assuming it is. Would you be able to get stack traces of the browser when it opens these prompts? You could use the "sample" functionality of the macOS system monitor. Another thing that might work would be to capture a profile with https://profiler.firefox.com/.

Flags: needinfo?(jhaiduce)

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #19)

In general, if you can just use osclientcerts instead of the opensc modules, I would recommend that, since that will never cause Firefox to open a password dialog like attachment 9221885 [details].

That's what I've been doing on my main session, since you recommended it earlier.

That aside, how many different slots do each of onepin-opensc-pk11.so and opensc-pk11.so have, when you load them?

I only have one slot at a time; I delete one before adding the other.

Another question is maybe the browser is behaving a bit differently from how I'm assuming it is. Would you be able to get stack traces of the browser when it opens these prompts? You could use the "sample" functionality of the macOS system monitor. Another thing that might work would be to capture a profile with https://profiler.firefox.com/.

I'll get back with you on that; I'm not familiar with those tools so it may take me a little while to get a trace with them.

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #21)

Actually, you might try this build instead: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/cHff-eBkRyqd-ERKU_yjXA/runs/0/artifacts/public/build/target.dmg

I'm able to reproduce the problem with this build as well, when I have both the OpenSC module loaded and security.osclientcerts.autoload set to True. It no longer seems to matter whether I use onepin-opensc-pk11.so or opensc-pk11.so. I also get prompted for my smartcard password upon opening Firefox in this configuration, even though no smartcard-enabled sites are open.

Flags: needinfo?(jhaiduce)

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #19)

Another question is maybe the browser is behaving a bit differently from how I'm assuming it is. Would you be able to get stack traces of the browser when it opens these prompts? You could use the "sample" functionality of the macOS system monitor. Another thing that might work would be to capture a profile with https://profiler.firefox.com/.

I was able to generate a profile with profiler.firefox.com, but unfortunately I'm not comfortable uploading it since it contains sensitive information and I'm not sure how to strip that out (hopefully my actual login credentials aren't in there, but the profile also contains information such as file URLs from non-public websites).

Apparently by default any personal information is removed when you upload a profile. If you prefer, you could export it and send it to me (my email address is my bugzilla account). Alternatively, sampling the process in the system monitor shouldn't include any personal information either.

Flags: needinfo?(jhaiduce)

I saved the profile with resource URLs and screenshots stripped out; I'll send it to you shortly.

Flags: needinfo?(jhaiduce)

There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:keeler, could you have a look please?
For more information, please visit auto_nag documentation.

Flags: needinfo?(dkeeler)
Flags: needinfo?(bugs)

Hi, John. Can you double-check that you sent that profile yet?

Flags: needinfo?(jhaiduce)
Flags: needinfo?(dkeeler)
Flags: needinfo?(bugs)

John sent it. The issue is not necessarily repeated prompts to authenticate to the same slot, so the approach in attachment 9231463 [details] won't work.

Flags: needinfo?(jhaiduce)
Attachment #9231463 - Attachment is obsolete: true
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2501aeee00c5
avoid unnecessary PKCS#11 module PIN prompts when looking for client certificates r=rmf

https://hg.mozilla.org/mozilla-central/rev/2501aeee00c5

Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox93: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 93 Branch

[Tracking Requested - why for this release]: ESR users are more likely to be negatively impacted by this bug

status-firefox-esr91: --- → affected
tracking-firefox-esr91: --- → ?

Comment on attachment 9235881 [details]
Bug 1710731 - avoid unnecessary PKCS#11 module PIN prompts when looking for client certificates r?rmf

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: ESR users are more likely to need third-party PKCS#11 modules with client certificates. This bug makes Firefox much less usable in setups like that.
  • User impact if declined: Potentially spamming users with PKCS#11 module PIN prompts.
  • Fix Landed on Version: 93
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This patch essentially reverts Firefox back to previous behavior in some situations, so it shouldn't be that risky. Also, the patch is relatively small.
  • String or UUID changes made by this patch: none
Attachment #9235881 - Flags: approval-mozilla-esr91?

Comment on attachment 9235881 [details]
Bug 1710731 - avoid unnecessary PKCS#11 module PIN prompts when looking for client certificates r?rmf

Approved for 91.3esr.

Attachment #9235881 - Flags: approval-mozilla-esr91? → approval-mozilla-esr91+
Flags: qe-verify+

John, could you please verify if this is fixed using Firefox 91.3 ESR build? Thank you!

Flags: needinfo?(jhaiduce)
QA Whiteboard: [qa-triaged]

(In reply to Petruta Horea [:phorea] from comment #37)

John, could you please verify if this is fixed using Firefox 91.3 ESR build? Thank you!

Maybe? When I test with that build the behavior is different from what I reported, but it isn't the expected behavior either. If I attempt to sign in to a smartcard-enabled site after removing and re-inserting the smartcard, I get prompted for my PIN 3-4 times and then get a login failure (either SEC_ERROR_TOKEN_NOT_LOGGED_IN or a site-specific error screen, depending on the site). A subsequent attempt to log in to the same site succeeds without presenting any additional prompts for the PIN.

Flags: needinfo?(jhaiduce)

(In reply to John Haiducek from comment #38)

Maybe? When I test with that build the behavior is different from what I reported, but it isn't the expected behavior either. If I attempt to sign in to a smartcard-enabled site after removing and re-inserting the smartcard, I get prompted for my PIN 3-4 times and then get a login failure (either SEC_ERROR_TOKEN_NOT_LOGGED_IN or a site-specific error screen, depending on the site). A subsequent attempt to log in to the same site succeeds without presenting any additional prompts for the PIN.

Thank you for testing, we don't own working smartcards.

Dana, considering John's answer above, is it possible for this uplift to require something extra for ESR?

Flags: needinfo?(dkeeler)

That sounds like a different bug. John, can you open a new bug with steps to reproduce the issue? Thanks.

Flags: needinfo?(dkeeler) → needinfo?(jhaiduce)

Can do!

Flags: needinfo?(jhaiduce)

Opened Bug #1740149 describing the new issue found in Firefox 91.3 ESR.

Thanks everyone for your help!

Considering the above comments and reporter's answer from duplicate bug 1734810 about the issue being fixed in Fx 91.3esr, I'm closing this as verified fixed.

Status: RESOLVED → VERIFIED
QA Whiteboard: [qa-triaged]
status-firefox-esr91: fixedverified
Flags: qe-verify+
See Also: → 1740149
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: