CKR_GENERAL_ERROR when attempting smartcard authentication
Categories: Core :: Security: PSM, defect
People: Reporter: jhaiduce, Assigned: keeler
References: Blocks 1 open bug
Details: Whiteboard: [psm-assigned]
Attachments: 6 files
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
Steps to reproduce:
- Visit a site that uses smart card authentication
- Authenticate with smart card
- Choose smart card certificate
Actual results:
For some sites, Firefox displays the following error page:
Secure Connection Failed
An error occurred during a connection to check.dmdc.mil. A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred.
Error code: SEC_ERROR_PKCS11_GENERAL_ERROR
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
Other sites do not display the above error, but instead give a site-specific message that the authentication failed, after a delay of a few seconds up to a minute or two.
Expected results:
Firefox should load the page (assuming the smart card password was entered correctly and the user has access to the site).
Comment 1•3 years ago
The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Comment 2 (Reporter)•3 years ago
Additional information: Smart card authentication works as expected immediately after starting or restarting Firefox, but the authentication failures begin to occur again after Firefox has been running for a while. I have not determined what amount of time or other conditions are required to cause the bug to occur.
Comment 3 (Assignee)•3 years ago
Is this with osclientcerts (security.osclientcerts.autoload in about:config) or with a third-party PKCS#11 module? (if the latter, try removing the third-party module and enabling osclientcerts)
Comment 5 (Assignee)•3 years ago
Can you run Firefox with the environment variable RUST_LOG set to osclientcerts_static=debug, try to connect, and attach the resulting log here? (e.g. running RUST_LOG=osclientcerts_static=debug /Applications/Firefox.app/Contents/MacOS/firefox in a terminal)
Comment 6 (Reporter)•3 years ago
The attached log contains output from
RUST_LOG=osclientcerts_static=debug /Applications/Firefox.app/Contents/MacOS/firefox
During the session, two or three CAC-enabled sites were visited. Most authentication attempts were successful until the smart card was removed from the reader and then re-inserted (one site was visited for which the user did not have an account).
After the smart card was removed and re-inserted most authentication attempts were unsuccessful. One site appeared to still accept the user's login credentials, probably due to some sort of cached data. That site also failed when attempting to log in from a private browser window.
Comment 7 (Reporter)•3 years ago
The attached log file contains the output from
RUST_LOG=osclientcerts_static=debug /Applications/Firefox.app/Contents/MacOS/firefox
It differs from the earlier attachment in that Firefox was started with the smart card disconnected, and the smart card was inserted after starting Firefox (in the previous log the smart card was already inserted before starting Firefox). After inserting the smart card I was able to successfully authenticate. I then removed and re-inserted the smart card, and was no longer able to authenticate. The following lines were printed to the log around the time of the authentication failure:
[ERROR osclientcerts_static::backend_macos] SecKeyCreateSignature failed: The operation couldn’t be completed. (OSStatus error -67588 - CSSM Exception: -2147415835 CSSMERR_CSP_DEVICE_FAILED)
[ERROR osclientcerts_static] ThreadId(5) C_Sign: sign failed
[DEBUG osclientcerts_static] ThreadId(5) C_CloseSession: CKR_OK
[Parent 1638, IPC I/O Parent] WARNING: pipe error: Socket is not connected: file /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_channel_posix.cc:723
Comment 9 (Reporter)•3 years ago
Chrome does not give errors like Firefox does after the smartcard is removed/reinserted. It prompts for the smart card password when attempting to authenticate to a smartcard-enabled site after the smart card was removed and reinserted, but otherwise the behavior is the same after removing and reinserting the smart card (I do get authentication failures if I attempt to use the smart card for authentication within a second or so of inserting it, though).
Comment 10 (Assignee)•3 years ago
How does this build behave? https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/JzDW3t_8RyS1RDANNWF_jw/runs/0/artifacts/public/build/target.dmg
Comment 11 (Reporter)•3 years ago
The problem appears to be fixed in this build. Smartcard authentication continues to work after removing and reinserting the smart card. I've attached the output from RUST_LOG=osclientcerts_static=debug ./firefox for this latest build in case it is useful, but I didn't notice any error messages in it.
Comment 12 (Assignee)•3 years ago
That's interesting - there should be a message like "sign failed: refreshing key handle" in that log. How does the current version of Nightly (not the special build I pointed you at) behave?
Comment 13 (Reporter)•3 years ago
Output from RUST_LOG=osclientcerts_static=debug ./firefox for the nightly build on June 21, 2021.
Tried signing into three different smartcard-enabled sites. Started the browser with the smartcard inserted. Successfully authenticated to all three sites.
After logging out of sites and removing the smart card, I was still able to sign back into one of the sites.
I attempted to sign into one of the sites for the first time in the browser session with the smart card removed. That attempt produced a CKR_GENERAL_ERROR message. A subsequent attempt to access the same site with the smart card inserted (still in the same browser session) was successful.
One instance of the words "sign failed" occurs in the log, but "refreshing key handle" does not appear anywhere in the log.
Comment 14 (Assignee)•3 years ago
Thanks - can you do those same tests again with the special build I gave you, but with RUST_LOG set to osclientcerts_static::backend_macos=debug?
Comment 15 (Reporter)•3 years ago
Output from RUST_LOG=osclientcerts_static=debug ./firefox for the special build mentioned in the last comment.
Conducted approximately the same test as before, visiting three smartcard-enabled sites. UI behavior was mostly the same as the June 6, 2021 nightly build.
Detailed notes:
Site #1: Connected initially with smartcard connected, then signed out and attempted to sign in with smartcard disconnected. Authentication was successful both times.
Site #2: Connected initially with smartcard disconnected. Received a site-specific authentication failure message. Re-inserted smartcard and attempted to log in again. Received multiple prompts for the smartcard password, none of which resulted in a successful login or prompt to select a certificate from the smartcard. Removed and re-inserted smartcard again, received a single password prompt and logged into site successfully.
Site #3: Connected initially with smartcard disconnected. Received a CKR_GENERAL_ERROR page from Firefox when attempting to log in. Re-inserted the smartcard and refreshed page, logged in successfully.
Comment 16 (Reporter)•3 years ago
Sorry, I apparently keep forgetting to change the MIME type.
Comment 17 (Assignee)•3 years ago
(In reply to John Haiducek from comment #16)
> Sorry, I apparently keep forgetting to change the MIME type.
No worries!
In any case, that sounds like the expected behavior. Thanks!
Comment 18 (Assignee)•3 years ago
Comment 19 (Reporter)•3 years ago
(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #17)
> In any case, that sounds like the expected behavior. Thanks!
Thank you! You're doing great work on this!
Comment 20•3 years ago
Pushed by dkeeler@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7204c7336e91 osclientcerts: try refreshing the cached key handle if signing fails r=rmf
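To show what "try refreshing the cached key handle if signing fails" amounts to, here is an added Rust illustration; it is not osclientcerts code and not one of this bug's attachments. FakeToken, KeyHandle, CachedKey and the generation counter are assumptions standing in for the macOS key store and the per-key reference the backend caches, and the toy xor "signature" is constructed so the example runs offline. sign_no_refresh() models the pre-fix behaviour (the stale handle is what surfaces as the SecKeyCreateSignature failure and "C_Sign: sign failed" lines in comment 7); sign() models the fix: one fresh lookup and one retry, with the failure handed back to the caller if the card is still absent.

```rust
use std::collections::HashMap;

/// Assumed stand-in for the per-key reference the OS backend caches. It is
/// bound to a token "generation"; re-inserting the card bumps the generation.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct KeyHandle {
    key_id: u32,
    generation: u32,
}

#[derive(Debug, PartialEq)]
pub enum SignError {
    DeviceFailed, // stale handle (stands in for CSSMERR_CSP_DEVICE_FAILED)
    NoSuchKey,    // card absent, or key not on it
}

/// Constructed stand-in for the OS key store plus smart card.
pub struct FakeToken {
    generation: u32,
    present: bool,
    keys: HashMap<u32, Vec<u8>>,
}

impl FakeToken {
    pub fn new() -> Self {
        let mut keys = HashMap::new();
        keys.insert(1, b"constructed-key-material".to_vec()); // not a real key
        FakeToken { generation: 1, present: true, keys }
    }

    pub fn remove_card(&mut self) { self.present = false; }

    /// Re-insertion starts a new generation, so handles from before are stale.
    pub fn insert_card(&mut self) {
        self.present = true;
        self.generation += 1;
    }

    /// Fresh lookup of a key; this is what a "refresh" performs.
    pub fn lookup_key(&self, key_id: u32) -> Result<KeyHandle, SignError> {
        if !self.present || !self.keys.contains_key(&key_id) { return Err(SignError::NoSuchKey); }
        Ok(KeyHandle { key_id, generation: self.generation })
    }

    /// Toy "signature" (xor with key bytes): the error behaviour is the point.
    pub fn sign(&self, handle: KeyHandle, data: &[u8]) -> Result<Vec<u8>, SignError> {
        if !self.present { return Err(SignError::NoSuchKey); }
        if handle.generation != self.generation { return Err(SignError::DeviceFailed); }
        let key = self.keys.get(&handle.key_id).ok_or(SignError::NoSuchKey)?;
        Ok(data.iter().zip(key.iter().cycle()).map(|(d, k)| d ^ k).collect())
    }
}

/// A client key as the PKCS#11 layer holds it, with the handle cached at load.
pub struct CachedKey {
    key_id: u32,
    handle: Option<KeyHandle>,
    pub refreshes: u32, // how often sign() had to refresh (for logging/tests)
}

impl CachedKey {
    pub fn new(token: &FakeToken, key_id: u32) -> Result<Self, SignError> {
        Ok(CachedKey { key_id, handle: Some(token.lookup_key(key_id)?), refreshes: 0 })
    }

    /// Pre-fix behaviour: trust the cached handle. After a remove/re-insert this
    /// is the "C_Sign: sign failed" that the browser shows as CKR_GENERAL_ERROR.
    pub fn sign_no_refresh(&self, token: &FakeToken, data: &[u8]) -> Result<Vec<u8>, SignError> {
        token.sign(self.handle.ok_or(SignError::NoSuchKey)?, data)
    }

    /// Fixed behaviour: on failure, look the key up again and retry exactly once;
    /// a second failure (for example, card still removed) goes back to the caller.
    pub fn sign(&mut self, token: &FakeToken, data: &[u8]) -> Result<Vec<u8>, SignError> {
        if let Some(handle) = self.handle {
            if let Ok(sig) = token.sign(handle, data) {
                return Ok(sig);
            }
        }
        self.refreshes += 1; // "sign failed: refreshing key handle"
        let fresh = token.lookup_key(self.key_id)?;
        self.handle = Some(fresh);
        token.sign(fresh, data)
    }
}

fn main() {
    let mut token = FakeToken::new();
    let mut key = CachedKey::new(&token, 1).expect("key present at startup");
    let data = b"constructed-certificate-verify-input";
    println!("before re-insert: {}", key.sign(&token, data).is_ok());
    token.remove_card();
    token.insert_card();
    println!("after re-insert, no refresh: {:?}", key.sign_no_refresh(&token, data));
    println!("after re-insert, with refresh: {}", key.sign(&token, data).is_ok());
}
```

The retry is deliberately limited to one fresh lookup: a handle that is stale because the card was re-inserted is recoverable, while a card that is simply not present is not, and retrying in a loop would only turn the immediate error into the multi-second delay the reporter describes for some sites.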
Comment 21 (bugherder)•3 years ago
Comment 22 (Assignee)•3 years ago
Comment on attachment 9228431 [details]
Bug 1715325 - osclientcerts: try refreshing the cached key handle if signing fails r?rmf
Beta/Release Uplift Approval Request
- User impact if declined: Authenticating with client certificates may stop working until users restart the browser.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The patch is small and straightforward.
- String changes made/needed:
Comment 23•3 years ago
Comment on attachment 9228431 [details]
Bug 1715325 - osclientcerts: try refreshing the cached key handle if signing fails r?rmf
We've already built a release candidate for 90; not sure this is worth uplifting to rc2 or a dot release vs waiting for 91.
Comment 24•3 years ago
The patch landed in nightly and beta is affected.
:keeler, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
Comment 25•3 years ago
(In reply to Cristian Brindusan [:cbrindusan] from comment #21)
Can this be ported to Firefox 89 or 90? We have this issue as well.
Comment 26•3 years ago
Comment on attachment 9228431 [details]
Bug 1715325 - osclientcerts: try refreshing the cached key handle if signing fails r?rmf
approved for 90.0.1
Comment 27 (bugherder uplift)•3 years ago
Comment 28•3 years ago
Added to 90.0.1 release notes: "Fixed transient errors authenticating with some smart cards"
Comment 29 (Reporter)•3 years ago
This appeared to be fixed in the nightly builds I tested earlier, but I'm still seeing this behavior again in 90.0.2. Perhaps my testing wasn't thorough enough to cover all the conditions that led to this error. Should we reopen this or is it better to create a new bug report?
Comment 30 (Assignee)•3 years ago
The builds I linked weren't official Nightly builds - no changes from this bug have landed in Firefox yet.
edit: shoot - I thought we were talking about a different bug. Yes, please open a new bug.
Comment 31•2 years ago
Hi,
We have an application which is using SmartCards and experiencing the same SEC_ERROR_PKCS11_GENERAL_ERROR on Firefox 104.
Following the comment from the testing, I understood that the issue is not fully fixed.
Is there a follow-up bug opened for this topic?