User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5b) Gecko/20030829
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5b) Gecko/20030829

Our PKCS#11 interface implementation doesn't work anymore with Mozilla while doing client-authenticated SSL sessions (where an SSL client certificate is required). The library was tested and is working with Netscape 4.79 and Mozilla 1.3. With recent builds (1.4 and 1.5a) Mozilla started to pass invalid values while searching objects and retrieving attributes.

So, just after the first session is opened, Mozilla tries 2 searches (the second one on an invalid session) with the following template:

pTemplate:
  Type: CKA_CLASS  Len: 4  Value: 0xCE534354 (NOTE: this is the value, not a pointer to the value)

Our PKCS#11 library reports 0 objects found or CKR_SESSION_HANDLE_INVALID.

Then Mozilla looks for a certificate using the following template:

pTemplate:
  Type: CKA_TOKEN  Len: 1  Value: TRUE
pTemplate:
  Type: CKA_CLASS  Len: 4  Value: CKO_CERTIFICATE

Then Mozilla calls C_GetAttributeValue() to get CKA_TOKEN and CKA_LABEL, and again C_GetAttributeValue() to get almost all certificate attributes. But the last attribute type is invalid and is always 0xCE534352:

pTemplate:
  Type: 0xCE534352  Len: 0  Value: ?

Our library reports CKR_ATTRIBUTE_TYPE_INVALID as the return value and sets the ulValueLen field of the invalid attribute type to -1.

The errors don't seem to stop Mozilla, which continues to search for a private key (CKA_ID and CKA_CLASS=CKO_PRIVATE_KEY), finding it. Then again an invalid value for CKA_CLASS in a search (0xCE534353). And again a search for a private key, same template as before, found as before.

After that last search Mozilla displays the IIS Server page that specifies that a client certificate is required (while it should ask which client certificate should be used).

I'm going to attach a complete log for the session, where all function calls and parameters are shown.

Reproducible: Always

Steps to Reproduce:
Mozilla doesn't stop processing after it received the
Created attachment 131223
Full PKCS#11 Log showing all function calls and parameters

All function calls are shown. For each, almost all parameters are displayed. The log shows how Mozilla is passing invalid parameters while calling C_FindObjectsInit() and C_GetAttributeValue(). Mozilla displays the "Client certificate required" page sent by the HTTPS server instead of asking for the client certificate to be used.
Sorry, this was a problem inside our library.
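
The C_GetAttributeValue() handling described in the report (CKR_ATTRIBUTE_TYPE_INVALID returned, ulValueLen of the unrecognised attribute set to -1, the remaining attributes still answered), as an added example that is not part of the original bug thread or of either project's code. The types are minimal stand-ins for pkcs11.h, and `demo_get_attribute_value`, `demo_report_call`, `demo_lens` and the sample object are hypothetical.

```c
#include <stdio.h>
#include <string.h>
typedef unsigned long CK_ULONG, CK_RV;   /* stand-ins for the pkcs11.h types */
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKR_ATTRIBUTE_TYPE_INVALID 0x012UL   /* values as in the PKCS#11 spec */
#define CKR_BUFFER_TOO_SMALL       0x150UL
#define CK_UNAVAILABLE_INFORMATION (~0UL)    /* the "-1" length from the report */
enum { CKA_TOKEN = 1, CKA_LABEL = 3 };

/* Constructed sample object: two attributes of a token certificate. */
static unsigned char obj_token = 1;
static char obj_label[] = "demo cert";
static const CK_ATTRIBUTE obj[] = {
    { CKA_TOKEN, &obj_token, sizeof obj_token },
    { CKA_LABEL, obj_label, sizeof obj_label - 1 },
};

/* Hypothetical helper with C_GetAttributeValue semantics for that one object. */
CK_RV demo_get_attribute_value(CK_ATTRIBUTE *t, CK_ULONG n) {
    CK_RV rv = 0;                                   /* CKR_OK */
    for (CK_ULONG i = 0; i < n; i++) {
        const CK_ATTRIBUTE *src = NULL;
        for (size_t j = 0; j < sizeof obj / sizeof obj[0]; j++)
            if (obj[j].type == t[i].type) src = &obj[j];
        if (!src) {                                 /* unknown type: flag it, keep going */
            t[i].ulValueLen = CK_UNAVAILABLE_INFORMATION;
            rv = CKR_ATTRIBUTE_TYPE_INVALID;
        } else if (t[i].pValue && t[i].ulValueLen < src->ulValueLen) {
            t[i].ulValueLen = CK_UNAVAILABLE_INFORMATION;
            rv = CKR_BUFFER_TOO_SMALL;
        } else {                                    /* length query or copy */
            if (t[i].pValue) memcpy(t[i].pValue, src->pValue, src->ulValueLen);
            t[i].ulValueLen = src->ulValueLen;
        }
    }
    return rv;
}

/* The report's call shape: valid types plus 0xCE534352 (vendor-defined bit set). */
CK_ULONG demo_lens[3];                  /* lengths left in the template by the call */
CK_RV demo_report_call(void) {
    char label[32];
    CK_ATTRIBUTE t[] = { { CKA_LABEL, label, sizeof label },
                         { 0xCE534352UL, NULL, 0 }, { CKA_TOKEN, NULL, 0 } };
    CK_RV rv = demo_get_attribute_value(t, 3);
    for (int i = 0; i < 3; i++) demo_lens[i] = t[i].ulValueLen;
    return rv;
}
int main(void) { printf("rv=0x%lx\n", demo_report_call()); return 0; }
```

A caller has to check each ulValueLen against CK_UNAVAILABLE_INFORMATION, because a non-OK return value alone does not say which entries of the template were filled in.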