Closed Bug 1773716 Opened 2 years ago Closed 2 years ago

CKR_GENERAL_ERROR when attempting smartcard authentication

Categories

(Core :: Security: PSM, defect)

Firefox 101

RESOLVED DUPLICATE of bug 1771274

People

(Reporter: pros, Unassigned)

Attachments

(1 file)

1.31 MB, text/plain
Attached file log.txt

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0

Steps to reproduce:

This is on Windows.

We have a CSP that we use for smartcard authentication to various sites. We also have a MiniDriver that can be used for accessing these same smartcards and therefore authenticating to the same sites. The problem described below occurs when we use our CSP and also occurs if we use our MiniDriver.

When using Firefox (various versions but for this bug report 101.0.1) to authenticate we get a 'SEC_ERROR_PKCS11_GENERAL_ERROR' error.

  1. Ensure osclientcerts is set to 'true'.
  2. CSP is installed on the system.
  3. Ensure no 3rd party PKCS11 modules are loaded.
  4. Authenticate to a site that uses smartcard authentication.

Actual results:

Firefox displays an error page with 'SEC_ERROR_PKCS11_GENERAL_ERROR'

Expected results:

Firefox should authenticate successfully.

Additional Information:

When we set 'osclientcerts=false' and our PKCS11 module is enabled, authentication to the sites always succeeds.

Our smartcard PKCS11 module supports the following mechanisms:
CKM_SHA_1
CKM_SHA256
CKM_RSA_X_509
CKM_RSA_PKCS
CKM_SHA1_RSA_PKCS
CKM_SHA256_RSA_PKCS

With osclientcerts activated (CSP/MiniDriver), and logging enabled in Firefox (attached), we can see that the signature is attempted using the CKM_RSA_PKCS_PSS (13) mechanism.

These are the cipher suites that the server uses, TLS1.2 only:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

Authentication to the same sites using the same smartcard functions correctly when we use Chrome or Edge.

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Security
Product: Firefox → Core
Component: DOM: Security → Security: PSM
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE