CKR_GENERAL_ERROR when attempting smartcard authentication
Component: Core :: Security: PSM (defect)
Reporter: pros (Unassigned)
Attachments: 1 file (1.31 MB, text/plain)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Steps to reproduce:
This is on Windows.
We have a CSP that we use for smartcard authentication to various sites. We also have a MiniDriver that can be used for accessing these same smartcards and therefore authenticating to the same sites. The problem described below occurs when we use our CSP and also occurs if we use our MiniDriver.
When using Firefox (various versions but for this bug report 101.0.1) to authenticate we get a 'SEC_ERROR_PKCS11_GENERAL_ERROR' error.
- Ensure osclientcerts is set to 'true'.
- CSP is installed on the system.
- Ensure no 3rd party PKCS11 modules are loaded.
- Authenticate to a site that uses smartcard authentication.
Actual results:
Firefox displays an error page with 'SEC_ERROR_PKCS11_GENERAL_ERROR'
Expected results:
Firefox should authenticate successfully.
Additional Information:
When we set 'osclientcerts=false' and our PKCS11 module is enabled, authentication to the sites always succeeds.
Our smartcard PKCS11 module supports the following mechanisms:
CKM_SHA_1
CKM_SHA256
CKM_RSA_X_509
CKM_RSA_PKCS
CKM_SHA1_RSA_PKCS
CKM_SHA256_RSA_PKCS
With osclientcerts activated (CSP/MiniDriver) and logging enabled in Firefox (attached), we can see that the signature is attempted using the CKM_RSA_PKCS_PSS (13) mechanism.
These are the cipher suites that the server uses, TLS1.2 only:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Authentication to the same sites using the same smartcard functions correctly when we use Chrome or Edge.
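The mismatch the report describes, as an added example (not code from the bug report, Firefox or NSS): a TLS 1.2 client signing CertificateVerify has to pick a PKCS#11 mechanism that the token actually lists, and a client that commits to CKM_RSA_PKCS_PSS against a token offering only the mechanisms above has nothing to sign with. The token mechanism list is taken from the report; the server's signature_algorithms list is constructed for the demo. The scheme-to-mechanism mapping is the standard one, and the `allow_raw_padding` option (the client builds the padded block itself and uses CKM_RSA_X_509) is a general fallback modelled here, not something the report says Firefox does.

```python
"""Check whether a smartcard token's PKCS#11 mechanism list can sign the
TLS 1.2 client CertificateVerify for a given signature scheme.

Constructed example: TOKEN_MECHS is the list from the bug report,
SERVER_SIGALGS is made up for the demo.
"""

# PKCS#11 mechanism identifiers (CK_MECHANISM_TYPE values from the PKCS #11 spec).
CKM_RSA_PKCS = 0x00000001            # PKCS#1 v1.5 over a caller-built DigestInfo
CKM_RSA_X_509 = 0x00000003           # raw RSA, caller supplies the whole padded block
CKM_SHA1_RSA_PKCS = 0x00000006
CKM_RSA_PKCS_PSS = 0x0000000D        # decimal 13: the mechanism seen in the report's log
CKM_SHA256_RSA_PKCS = 0x00000040
CKM_SHA384_RSA_PKCS = 0x00000041
CKM_SHA256_RSA_PKCS_PSS = 0x00000043
CKM_SHA384_RSA_PKCS_PSS = 0x00000045
CKM_SHA_1 = 0x00000220
CKM_SHA256 = 0x00000250
CKM_ECDSA = 0x00001041
CKM_ECDSA_SHA256 = 0x00001044

# TLS SignatureScheme code points (RFC 8446 section 4.2.3); TLS 1.2 carries the
# same two-byte values in its signature_algorithms extension.
RSA_PKCS1_SHA256 = 0x0401
RSA_PKCS1_SHA384 = 0x0501
ECDSA_SECP256R1_SHA256 = 0x0403
RSA_PSS_RSAE_SHA256 = 0x0804
RSA_PSS_RSAE_SHA384 = 0x0805

# For each scheme: its name, the mechanisms that produce it directly (most
# specific first), and whether the client may instead pad in software and
# use raw RSA (CKM_RSA_X_509). ECDSA has no raw-RSA fallback.
SCHEMES = {
    RSA_PKCS1_SHA256: ("rsa_pkcs1_sha256", (CKM_SHA256_RSA_PKCS, CKM_RSA_PKCS), True),
    RSA_PKCS1_SHA384: ("rsa_pkcs1_sha384", (CKM_SHA384_RSA_PKCS, CKM_RSA_PKCS), True),
    RSA_PSS_RSAE_SHA256: ("rsa_pss_rsae_sha256", (CKM_SHA256_RSA_PKCS_PSS, CKM_RSA_PKCS_PSS), True),
    RSA_PSS_RSAE_SHA384: ("rsa_pss_rsae_sha384", (CKM_SHA384_RSA_PKCS_PSS, CKM_RSA_PKCS_PSS), True),
    ECDSA_SECP256R1_SHA256: ("ecdsa_secp256r1_sha256", (CKM_ECDSA_SHA256, CKM_ECDSA), False),
}

# Token capabilities exactly as listed in the report (what C_GetMechanismList returns).
TOKEN_MECHS = frozenset({CKM_SHA_1, CKM_SHA256, CKM_RSA_X_509, CKM_RSA_PKCS,
                         CKM_SHA1_RSA_PKCS, CKM_SHA256_RSA_PKCS})

# Constructed CertificateRequest.supported_signature_algorithms, PSS first,
# as a TLS 1.2 server that also implements the RFC 8446 code points would send.
SERVER_SIGALGS = [RSA_PSS_RSAE_SHA256, RSA_PSS_RSAE_SHA384,
                  RSA_PKCS1_SHA256, RSA_PKCS1_SHA384]


def mechanism_for(scheme, token_mechs, allow_raw_padding=False):
    """Return the PKCS#11 mechanism to use for `scheme`, or None when the
    token cannot produce that kind of signature at all."""
    if scheme not in SCHEMES:
        return None
    _, native, raw_ok = SCHEMES[scheme]
    for mech in native:
        if mech in token_mechs:
            return mech
    if allow_raw_padding and raw_ok and CKM_RSA_X_509 in token_mechs:
        return CKM_RSA_X_509
    return None


def select_scheme(offered, token_mechs, allow_raw_padding=False):
    """Walk the server's list in order and return (scheme, mechanism) for the
    first scheme the token can sign. None means the handshake cannot complete,
    which surfaces as a PKCS#11 general error like the one in the report."""
    for scheme in offered:
        mech = mechanism_for(scheme, token_mechs, allow_raw_padding)
        if mech is not None:
            return scheme, mech
    return None


def scheme_name(scheme):
    return SCHEMES[scheme][0] if scheme in SCHEMES else hex(scheme)


if __name__ == "__main__":
    # What the report's log shows: the client commits to PSS and the token has no PSS mechanism.
    print("PSS only :", mechanism_for(RSA_PSS_RSAE_SHA256, TOKEN_MECHS))
    # Falling through the server's list reaches a scheme the token does support.
    choice = select_scheme(SERVER_SIGALGS, TOKEN_MECHS)
    print("fallback :", scheme_name(choice[0]), hex(choice[1]))
    # With client-side padding over raw RSA even the PSS scheme becomes signable.
    choice = select_scheme(SERVER_SIGALGS, TOKEN_MECHS, allow_raw_padding=True)
    print("raw RSA  :", scheme_name(choice[0]), hex(choice[1]))
```

Run stand-alone it prints the three outcomes: no mechanism for PSS alone, rsa_pkcs1_sha256 via CKM_SHA256_RSA_PKCS when the client falls back through the server's list, and rsa_pss_rsae_sha256 via CKM_RSA_X_509 when software padding is allowed. Comparing the mechanism your PKCS#11 log shows against the token's C_GetMechanismList output in this way is the quickest way to confirm a "general error" is really a mechanism mismatch rather than a card or driver fault.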
Comment 2•2 years ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.