Closed Bug 1759278 Opened 2 years ago Closed 2 years ago

Smartcard security devices broken in 91

Categories

(Core :: Security: PSM, defect)

Firefox 91
defect


RESOLVED INVALID

People

(Reporter: vesely, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

Steps to reproduce:

Using Italian smartcard certificates, which used to work with previous versions of Firefox. There are two of them:

  1. CIE
     https://www.cartaidentita.interno.gov.it/en/citizens/cie-software/
     NFC, used with Identiv uTrust 4701 F Dual Interface Reader

  2. TS-CNS
     https://sistemats4.sanita.finanze.it/CardDriverDownloaderWeb/pages/home.xhtml
     contact, used with Gemalto USB SmartCard Reader

Actual results:

Using CIE (1) there are two device entries under each module. Both say "Not Present" even if the card is inserted and the green LED shows the connection is OK.

Using TS-CNS (2) I can attempt login, but it fails. I tried several times, unblocking the PIN every now and then. Curiously, when I click on "View Certificates..." it asks for the password (Please enter the password for the PKCS#11 token Carta Nazionale dei Servizi) and accepts it.

Also, the devices shown don't change when (un)plugging USB devices. It is necessary to restart Firefox.

Expected results:

All that worked well with previous versions.

The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Security: PSM
Product: Firefox → Core

Now I also tried with Firefox 97.0, only TS-CNS. It fails in a similar way.

I tested pkcs11-tool, and it also fails:

ale@alenovo:~/Downloads$ pkcs11-tool --module /usr/lib/bit4id/libbit4xpki.so --login --test
Using slot 0 with a present token (0x0)
Logging in to "Carta Nazionale dei Servizi".
Please enter User PIN: 
error: PKCS11 function C_Login failed: rv = CKR_PIN_INCORRECT (0xa0)
Aborting.

I never used that tool before. Perhaps that indicates something else changed in the system during the upgrade?!?

For sure, I've been using TS-CNS for years. Sometimes it hiccuped, possibly requiring a few attempts, but always allowed me to authenticate.

If pkcs11-tool also doesn't work, this is probably not a bug in Firefox.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #3)

> If pkcs11-tool also doesn't work, this is probably not a bug in Firefox.

I agree. However, not recognizing when cards are inserted/removed seems to be a Mozilla defect.

For one of the cards, CIE, the software is open source. So if there's anything specific that can be fixed, I could try and fix it, at least for myself. The last release, 1.4.2, has a double free bug which is easily corrected. I also noted minor disparities with respect to pkcs11, such as some null-terminated parameters, which don't seem to be very relevant. Does Mozilla publish any kind of guide or hint on developing security device interfaces?

I knew the link, but wasn't sure it was what Mozilla refers to.

Browsing the code, I see that C_GetFunctionList sets the library version to 2.20. That's a 2004 version, when pkcs11 was still at RSA labs. However, something must have been upgraded, as CK_DEFINE_FUNCTION appears in some comments only. Anyway, the 46 new functions defined in 3.0, including C_LoginUser, are not implemented; C_GetFunctionList returns the 68-function CK_FUNCTION_LIST of versions 2.x.

Version 3.0 was specified in July 2020. Do you know what version of Firefox, if any, began to use its new functions? Is there a compatibility layer?

NSS supports versions earlier than 3.0 - the new functions aren't necessarily required.

One point, w.r.t. my 1st comment, was hardware. pcsc_scan couldn't see the card (strange fact for a two-year-old, mostly disconnected reader). Got a new reader now.

If I configure the device while it has no card in it, I'm never able to log in. From the log, after C_Initialize, I see calls to C_GetInfo and then to C_GetSlotList. The last call is repeated every time I open the Security Devices... dialog. However, Log In is grayed out and the device line is not displayed. If I restart Firefox while the card is inserted in a connected device, Log In is enabled. I'll investigate whether the bug is in the shared object not refreshing the data.

Finally, if I enter the whole PIN in the Log In dialog, it is rejected. I have to enter the second half of the PIN only. Is this a widespread convention?
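Two points in comments 7 and 8 above are easier to see with a small model than in prose: a 2.20 module exposes only the 68-function list, so a client must not assume 3.0 entry points such as C_LoginUser exist, and C_GetSlotList(tokenPresent, ...) is expected to reflect the reader state at the time of each call, so a module that snapshots reader state once at C_Initialize keeps reporting "no token" until the application restarts. The program below is an added illustration written for this thread; it is not code from the bug, from the CIE library or from NSS. It uses a constructed in-memory stand-in (`mock_module`) instead of a real PKCS#11 shared object; the CK_* type names and constant values match the PKCS#11 headers, everything else is invented for the example.

```c
/* Added illustration, not code from the bug or from the CIE/NSS projects.
 * A constructed in-memory "module" models (1) gating 3.0-only entry points
 * on the Cryptoki version a module reports and (2) the stale-slot-list
 * failure mode: a module that caches reader state at C_Initialize never
 * notices a card inserted afterwards. */
#include <stdio.h>
#include <string.h>

/* Type names and constant values as in the PKCS#11 headers. */
typedef unsigned char CK_BYTE;
typedef unsigned char CK_BBOOL;
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_SLOT_ID;
typedef CK_ULONG CK_FLAGS;
typedef CK_ULONG CK_RV;
typedef struct { CK_BYTE major; CK_BYTE minor; } CK_VERSION;

#define CK_TRUE              1
#define CK_FALSE             0
#define CKF_TOKEN_PRESENT    0x00000001UL
#define CKR_OK               0x00UL
#define CKR_BUFFER_TOO_SMALL 0x150UL

/* Constructed stand-in for a module: only what the example needs. */
#define MAX_SLOTS 4
typedef struct {
    CK_VERSION cryptoki_version;     /* version field of the function list header */
    int        has_login_user;       /* exports C_LoginUser (3.0 only) */
    CK_FLAGS   live_slot_flags[MAX_SLOTS];   /* what the reader reports now */
    CK_FLAGS   cached_slot_flags[MAX_SLOTS]; /* snapshot taken at C_Initialize */
    CK_ULONG   slot_count;
    int        refresh_on_query;     /* 1 = re-read reader on every C_GetSlotList */
} mock_module;

/* (1) C_LoginUser may be used only if the module reports 3.0 or later AND
 * actually exports it; a 2.20 module must be driven through C_Login. */
int may_use_login_user(const mock_module *m)
{
    return m->cryptoki_version.major >= 3 && m->has_login_user;
}

int login_user_allowed_for(CK_BYTE major, CK_BYTE minor, int has_login_user)
{
    mock_module m;
    memset(&m, 0, sizeof m);
    m.cryptoki_version.major = major;
    m.cryptoki_version.minor = minor;
    m.has_login_user = has_login_user;
    return may_use_login_user(&m);
}

/* (2) C_GetSlotList with the standard two-call convention: a NULL list
 * returns only the required count in *pulCount. */
CK_RV mock_get_slot_list(mock_module *m, CK_BBOOL tokenPresent,
                         CK_SLOT_ID *pSlotList, CK_ULONG *pulCount)
{
    const CK_FLAGS *flags = m->refresh_on_query ? m->live_slot_flags
                                                : m->cached_slot_flags;
    CK_ULONG n = 0;
    for (CK_ULONG i = 0; i < m->slot_count; i++)
        if (tokenPresent == CK_FALSE || (flags[i] & CKF_TOKEN_PRESENT))
            n++;
    if (pSlotList == NULL) { *pulCount = n; return CKR_OK; }
    if (*pulCount < n)    { *pulCount = n; return CKR_BUFFER_TOO_SMALL; }
    n = 0;
    for (CK_ULONG i = 0; i < m->slot_count; i++)
        if (tokenPresent == CK_FALSE || (flags[i] & CKF_TOKEN_PRESENT))
            pSlotList[n++] = (CK_SLOT_ID)i;
    *pulCount = n;
    return CKR_OK;
}

/* Reproduces the thread's scenario: module initialised with an empty reader,
 * card inserted later, then the application asks for slots with a token.
 * Returns how many such slots the module reports. */
CK_ULONG token_visible_after_insert(int refresh_on_query)
{
    mock_module m;
    memset(&m, 0, sizeof m);
    m.cryptoki_version.major = 2;
    m.cryptoki_version.minor = 20;
    m.slot_count = 1;
    m.refresh_on_query = refresh_on_query;
    /* C_Initialize ran with no card: both views say "no token". */
    m.cached_slot_flags[0] = 0;
    m.live_slot_flags[0] = 0;
    /* The card is inserted afterwards; only the live view changes. */
    m.live_slot_flags[0] |= CKF_TOKEN_PRESENT;

    CK_SLOT_ID slots[MAX_SLOTS];
    CK_ULONG count = MAX_SLOTS;
    if (mock_get_slot_list(&m, CK_TRUE, slots, &count) != CKR_OK)
        return (CK_ULONG)-1;
    return count;
}

int main(void)
{
    printf("2.20 module, C_LoginUser usable: %d\n", login_user_allowed_for(2, 20, 0));
    printf("3.0 module,  C_LoginUser usable: %d\n", login_user_allowed_for(3, 0, 1));
    printf("slots with token, module refreshes: %lu\n", token_visible_after_insert(1));
    printf("slots with token, module caches:    %lu\n", token_visible_after_insert(0));
    return 0;
}
```

The caching variant is exactly the symptom described above: the dialog keeps calling C_GetSlotList, but the answer never changes until a restart re-runs C_Initialize with the card already present. Whether the real library behaves this way is the open question in the comment; the model only shows what the log pattern would look like in either case.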

(In reply to Alessandro Vesely from comment #8)

> Finally, if I enter the whole PIN in the Log In dialog, it is rejected. I have to enter the second half of the PIN only. Is this a widespread convention?

No - that sounds like a bug in either your hardware or the PKCS#11 library that talks to it.
