
Can't find a valid SSL client certificate in SSL sessions

RESOLVED INVALID

Status

Core Graveyard
Security: UI
14 years ago
a year ago

People

(Reporter: Midori Sama, Assigned: Stephane Saux)

Tracking

Other Branch
x86
Windows 2000

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

14 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5b) Gecko/20030829
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5b) Gecko/20030829

Our PKCS#11 interface implementation doesn't work anymore with Mozilla while
doing client authenticated SSL sessions (where an SSL client certificate is required).
The library was tested and is working with Netscape 4.79 and Mozilla 1.3.
With recent builds (1.4 and 1.5a) Mozilla started to pass invalid values while
searching objects and retrieving attributes.

So, just after the first session is opened Mozilla tries 2 searches (second one on
an invalid session) with the following template:
pTemplate[0]:
	Type: CKA_CLASS
	Len: 4
	Value:0xCE534354 (NOTE: this is the value, not pointer to the value)
Our PKCS#11 library reports 0 objects found or CKR_SESSION_HANDLE_INVALID.

Then Mozilla looks for a certificate using the following template:
pTemplate[0]:
	Type: CKA_TOKEN
	Len: 1
	Value: TRUE
pTemplate[1]:
	Type: CKA_CLASS
	Len: 4
	Value: CKO_CERTIFICATE

Then Mozilla calls C_GetAttributeValue() to get CKA_TOKEN and CKA_LABEL, and
again C_GetAttributeValue() to get almost all certificate attributes. But the last
attribute type is invalid and is always 0xCE534352:
pTemplate[9]:
	Type: 0xCE534352
	Len: 0
	Value: ?
Our library reports CKR_ATTRIBUTE_TYPE_INVALID as the return value and sets the
ulValueLen field of the invalid attribute type to -1.

Errors don't seem to stop Mozilla, which continues to search for a private key
(CKA_ID and CKA_CLASS=CKO_PRIVATE_KEY), finding it.
Then again an invalid value for CKA_CLASS in a search (0xCE534353).
And again a search for a private key, same template as before, found as before.
After that last search Mozilla displays the IIS Server page that specifies that a
client certificate is required (while it should ask which client certificate should
be used).

I'm going to attach a complete log for the session, where all function calls and
parameters are shown.


Reproducible: Always

Steps to Reproduce:





Mozilla doesn't stop processing after it received the
(Reporter)

Comment 1

14 years ago
Created attachment 131223 [details]
Full PKCS#11 Log showing all function calls and parameters

All function calls are shown. For each, almost all parameters are displayed.
The log shows how Mozilla is passing invalid parameters while calling
C_FindObjectsInit() and C_GetAttributeValue().
Mozilla displays the "Client certificate required" page sent by the HTTPS server
instead of asking for the client certificate to be used.
(Reporter)

Comment 2

14 years ago
Sorry, this was a problem inside our library.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → INVALID

Updated

13 years ago
Component: Security: UI → Security: UI
Product: PSM → Core
Product: Core → Core Graveyard
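
Added example, not part of the original report and not code from Mozilla or from the reporter's library: a C sketch of the per-attribute handling PKCS#11 specifies for C_GetAttributeValue when a template contains a type the module does not know, such as the 0xCE534352 entry in the trace above, which has the CKA_VENDOR_DEFINED bit (0x80000000) set. The types and constants are local stand-ins for pkcs11.h; `get_attribute_value`, `lookup`, `is_vendor_defined` and the sample object are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Local stand-ins for pkcs11.h; the constant values are those of the PKCS#11 spec. */
typedef unsigned long CK_ULONG, CK_RV, CK_ATTRIBUTE_TYPE;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKR_OK                     0x00UL
#define CKR_ATTRIBUTE_TYPE_INVALID 0x12UL
#define CKR_BUFFER_TOO_SMALL       0x150UL
#define CKA_CLASS                  0x00UL
#define CKA_LABEL                  0x03UL
#define CKA_VENDOR_DEFINED         0x80000000UL
#define CK_UNAVAILABLE_INFORMATION (~0UL)

static const CK_ULONG obj_class = 1;          /* constructed sample: CKO_CERTIFICATE */
static const char obj_label[] = "test cert";  /* constructed sample label */

static int lookup(CK_ATTRIBUTE_TYPE t, const void **v, CK_ULONG *n) {
    if (t == CKA_CLASS) { *v = &obj_class; *n = sizeof obj_class; return 1; }
    if (t == CKA_LABEL) { *v = obj_label; *n = sizeof obj_label - 1; return 1; }
    return 0; /* the sample object has no such attribute */
}

/* True when a type or class value has the vendor-defined bit set. */
int is_vendor_defined(CK_ULONG x) { return (x & CKA_VENDOR_DEFINED) != 0; }

/* Hypothetical helper: the per-attribute loop of C_GetAttributeValue. */
CK_RV get_attribute_value(CK_ATTRIBUTE *tmpl, CK_ULONG count) {
    CK_RV rv = CKR_OK;
    for (CK_ULONG i = 0; i < count; i++) {
        const void *v; CK_ULONG n;
        if (!lookup(tmpl[i].type, &v, &n)) {   /* unknown type: flag it, keep going */
            tmpl[i].ulValueLen = CK_UNAVAILABLE_INFORMATION;
            rv = CKR_ATTRIBUTE_TYPE_INVALID;
        } else if (tmpl[i].pValue == NULL) {   /* length query only */
            tmpl[i].ulValueLen = n;
        } else if (tmpl[i].ulValueLen < n) {   /* caller's buffer is too small */
            tmpl[i].ulValueLen = CK_UNAVAILABLE_INFORMATION;
            rv = CKR_BUFFER_TOO_SMALL;
        } else {
            memcpy(tmpl[i].pValue, v, n);
            tmpl[i].ulValueLen = n;
        }
    }
    return rv; /* an error code here does not mean the other entries were skipped */
}
int main(void) {
    char label[32];
    CK_ATTRIBUTE t[2] = { { CKA_LABEL, label, sizeof label }, { 0xCE534352UL, NULL, 0 } };
    printf("rv=0x%lx vendor_defined=%d\n", get_attribute_value(t, 2), is_vendor_defined(t[1].type));
    return 0;
}
```

A caller that receives CKR_ATTRIBUTE_TYPE_INVALID can still use every template entry whose ulValueLen is not CK_UNAVAILABLE_INFORMATION.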