Closed Bug 229023 Opened 20 years ago Closed 20 years ago
NSS cmds' pwd callbacks should call PK11
_Protected Authentication Path()
In news://news.mozilla.org:119/brvig3$81g4l$1@ID-171477.news.uni-berlin.de Chris wrote: > i implemented a pkcs#11 device using an external pinpad > for pin input. Therefore the CKF_PROTECTED_AUTHENTICATION_PATH flag > has been set in the CK_TOKEN_INFO struct returned by C_GetTokenInfo(). > Altough this flag has been set the Mozilla/Firebird prompts the > user with a Pin Dialog for pin input!?! Normally he should recognize > the flag and pass NULL_PTR to C_Login() like the pkcs#11 standard says! > How can i prevent NSS from prompting the user with a pin input dialog? > Is this a known bug? Why does all Mozilla/Firebirds ignore the flag? > Is there a solution for the problem?
I'm changing this bug to an RFE for the password callback function used in NSS's QA test programs. That function, SECU_GetModulePassword(), should exemplefy the use of PK11_ProtectedAuthenticationPath() to deal with devices that have their own pinpads or other I&A methods. > How can i prevent NSS from prompting the user with a pin input dialog? NSS doesn't prompt the user directly. It calls a callback function provided by the applicatin program (e.g. the browser). That function, the "password callback function", which is part of the browser, not NSS, does whatever it wants to with respect to prompting the user. NSS provides a function by which a password callback function can ask NSS (does the token in this slot have a protected authentication path?" That function is PK11_ProtectedAuthenticationPath(). The application's password callback function is supposed to call it, but mozilla/*bird do not have code that does so. The reason why NSS calls the callback, even when the CKF_PROTECTED_AUTHENTICATION_PATH is present, is that the application MAY need to prompt the user to enter the PIN on the external pinpad. The application would use the return value from PK11_ProtectedAuthenticationPath, and the "retry" flag (an argument to the password callback function itself) to decide whether to display any prompt, and whether that prompt should say "Enter your password here in this dialog" or "Enter your password on the PinPad now". > Why does all Mozilla/Firebirds ignore the flag? I think the answer is that their password callback functions were modelled after the NSS QA test programs, none of which call PK11_ProtectedAuthenticationPath(). In that respect, the NSS QA test programs are not particularly exemplary. > Is there a solution for the problem? The solution is to get mozilla's password callback function, PK11PasswordPrompt, (see http://lxr.mozilla.org/mozilla/source/security/manager/ssl/src/nsNSSCallbacks.cpp#120 to call PK11_ProtectedAuthenticationPath() and use its answer. Since there is no full-time staff working on PSM now (PSM is the part of the mozilla browser that interfaces to NSS), this change is not likely to happen until some volunteer constributes a patch that does it (hint, hint). Also, an NSS engineer should add some code to the NSS QA test password callback function to demonstrate the use of PK11_ProtectedAuthenticationPath(). There is also a workaround. When mozilla asks for a password, just type in some random string and click OK (or press enter). When the password callback returns to NSS, NSS will notice the CKF_PROTECTED_AUTHENTICATION_PATH flag, and will "pass NULL_PTR to C_Login() like the pkcs#11 standard says!" regardless of what password you entered (provided you entered a non-empty password). So, all you need to do is get past the password callback function and the right thing should happen. But don't try to get past it without entering some non-empty password.
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Component: Libraries → Tools
Ever confirmed: true
Priority: -- → P3
Summary: NSS ignores CKF_PROTECTED_AUTHENTICATION_PATH → NSS cmds' pwd callbacks should call PK11_ProtectedAuthenticationPath()
This untested patch demonstrates the basic points. if PK11_ProtectedAuthenticationPath(slot) returns true, then tell the user to enter his PIN on the external device, and return a non-null string. In this case, it returns "external", but any string will do. string must be strdup'ed, IIRC. Something similar to this needs to be done in mozilla's password callback functions, too.
Assigned the bug to Bob.
Assignee: wchang0222 → rrelyea0264
Comment on attachment 137738 [details] [diff] [review] untested patch v1 I'd like to check this patch in, even if it's not the final solution to this RFE.
Attachment #137738 - Flags: review?(rrelyea0264)
Comment on attachment 137738 [details] [diff] [review] untested patch v1 It would be nice to test this. patch. BTW, PSM *DID* have support for protected pin path. A vendor did the work and it was checked into PSM a couple of years ago. My guess is the Firebird code has regressed. There was a similiar bug I saw on this as well. bob
Attachment #137738 - Flags: review?(rrelyea0264) → review+
Bob, I don't see any evidence of any protected pin path code in the CVS log for the source file that contains mozilla's password callback function. Are you sure that work got checked in? on the PSM trunk? Do you know any protected pin path module with which the above patch can be testted?
The submittor of this bug tested this patch for me and verified that it works with his PKCS11 module. /cvsroot/mozilla/security/nss/cmd/lib/secutil.c,v <-- secutil.c new revision: 1.60; previous revision: 1.59 /cvsroot/mozilla/security/nss/cmd/lib/secutil.h,v <-- secutil.h new revision: 1.14; previous revision: 1.13
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.9.1
Hey there, this is an important fix - and i do not understand why it did not make its way to a mozilla build yet, as of today - the current mozilla build 1.7.2 still has this bug.
Rene: In comment 1, Nelson changed to scope of this bug to cover only the password callback function used in NSS's QA test programs. We did not fix the password callback function in Mozilla. This is why Mozilla 1.7.2 still has this bug. You should open a bug against the product "PSM". At the end of comment 1, Nelson's answer to the question "Is there a solution for the problem?" describes how one might fix this bug in Mozilla. I encourage you to submit a patch.
The reason that mozilla's PSM is unfixed is that no-one works on PSM. PSM is effectively an orphan. I filed this bug against NSS, not PSM, because it was apparent that the most that we (NSS team) could do about it was to be exemplary in the proper handling of it in NSS sample programs.
ok, i thought anyone opened already a BUG report for the PSM module - i know its an orphan and i feel that it is really a shame - no smime V3 or anything in near time...there will be a time when Windows Users will have to use outlook to use newer technology, ugh. Anybody here know by chance were within the mozilla code this kind of patch could be applied ? I would need a good mozilla build for presentation purpose and this password popup is really silly...
You need to log in before you can comment on or make changes to this bug.