Closed Bug 229023 Opened 21 years ago Closed 21 years ago

NSS cmds' pwd callbacks should call PK11_ProtectedAuthenticationPath()


(NSS :: Tools, enhancement, P3)

Windows XP


(Not tracked)



(Reporter: nelson, Assigned: rrelyea)




(1 file)

In news://$81g4l$
Chris wrote:

> i implemented a pkcs#11 device using an external pinpad
> for pin input. Therefore the CKF_PROTECTED_AUTHENTICATION_PATH flag
> has been set in the CK_TOKEN_INFO struct returned by C_GetTokenInfo().

> Altough this flag has been set the Mozilla/Firebird prompts the
> user with a Pin Dialog for pin input!?! Normally he should recognize
> the flag and pass NULL_PTR to C_Login() like the pkcs#11 standard says!

> How can i prevent NSS from prompting the user with a pin input dialog?
> Is this a known bug? Why does all Mozilla/Firebirds ignore the flag?
> Is there a solution for the problem?
I'm changing this bug to an RFE for the password callback function used in 
NSS's QA test programs.  That function,  SECU_GetModulePassword(), should
exemplefy the use of PK11_ProtectedAuthenticationPath() to deal with 
devices that have their own pinpads or other I&A methods.

> How can i prevent NSS from prompting the user with a pin input dialog?

NSS doesn't prompt the user directly.  It calls a callback function 
provided by the applicatin program (e.g. the browser).  That function,
the "password callback function", which is part of the browser, not NSS, 
does whatever it wants to with respect to prompting the user.  

NSS provides a function by which a password callback function can ask 
NSS (does the token in this slot have a protected authentication path?"
That function is PK11_ProtectedAuthenticationPath().  
The application's password callback function is supposed to call it,
but mozilla/*bird do not have code that does so.  

The reason why NSS calls the callback, even when the
CKF_PROTECTED_AUTHENTICATION_PATH is present, is that the application
MAY need to prompt the user to enter the PIN on the external pinpad.
The application would use the return value from 
PK11_ProtectedAuthenticationPath, and the "retry" flag (an argument to
the password callback function itself) to decide whether to display
any prompt, and whether that prompt should say "Enter your password 
here in this dialog" or "Enter your password on the PinPad now".

> Why does all Mozilla/Firebirds ignore the flag?

I think the answer is that their password callback functions were
modelled after the NSS QA test programs, none of which call
PK11_ProtectedAuthenticationPath().  In that respect, the NSS QA 
test programs are not particularly exemplary.

> Is there a solution for the problem?

The solution is to get mozilla's password callback function, 
PK11PasswordPrompt, (see
to call PK11_ProtectedAuthenticationPath() and use its answer.  
Since there is no full-time staff working on PSM now
(PSM is the part of the mozilla browser that interfaces to NSS), 
this change is not likely to happen until some volunteer constributes
a patch that does it (hint, hint).   

Also, an NSS engineer should add some code to the NSS QA test password 
callback function to demonstrate the use of 

There is also a workaround.  When mozilla asks for a password, 
just type in some random string and click OK (or press enter).  
When the password callback returns to NSS, NSS will notice the 
"pass NULL_PTR to C_Login() like the pkcs#11 standard says!"
regardless of what password you entered (provided you entered a 
non-empty password).  

So, all you need to do is get past the password callback function and
the right thing should happen.  But don't try to get past it without
entering some non-empty password.  

Severity: normal → enhancement
Component: Libraries → Tools
Ever confirmed: true
Priority: -- → P3
Summary: NSS ignores CKF_PROTECTED_AUTHENTICATION_PATH → NSS cmds' pwd callbacks should call PK11_ProtectedAuthenticationPath()
This untested patch demonstrates the basic points.
if PK11_ProtectedAuthenticationPath(slot) returns true, 
then tell the user to enter his PIN on the external 
device, and return a non-null string.  In this case,
it returns "external", but any string will do.
string must be strdup'ed, IIRC. 

Something similar to this needs to be done in mozilla's 
password callback functions, too.
Assigned the bug to Bob.
Assignee: wchang0222 → rrelyea0264
Comment on attachment 137738 [details] [diff] [review]
untested patch v1

I'd like to check this patch in, even if it's not the final solution to this
Attachment #137738 - Flags: review?(rrelyea0264)
Comment on attachment 137738 [details] [diff] [review]
untested patch v1

It would be nice to test this. patch.

BTW, PSM *DID* have support for protected pin path. A vendor did the work and
it was checked into PSM a couple of years ago. My guess is the Firebird code
has regressed. There was a similiar bug I saw on this as well.

Attachment #137738 - Flags: review?(rrelyea0264) → review+
Bob, I don't see any evidence of any protected pin path code in the CVS log
for the source file that contains mozilla's password callback function.
Are you sure that work got checked in?  on the PSM trunk?

Do you know any protected pin path module with which the above patch can be 
The submittor of this bug tested this patch for me and verified that it works
with his PKCS11 module.

/cvsroot/mozilla/security/nss/cmd/lib/secutil.c,v  <--  secutil.c
new revision: 1.60; previous revision: 1.59

/cvsroot/mozilla/security/nss/cmd/lib/secutil.h,v  <--  secutil.h
new revision: 1.14; previous revision: 1.13
Closed: 21 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.9.1
Hey there,

this is an important fix - and i do not understand why it did not make its way 
to a mozilla build yet, as of today - the current mozilla build 1.7.2 still has 
this bug.

In comment 1, Nelson changed to scope of this bug
to cover only the password callback function used
in NSS's QA test programs.  We did not fix the
password callback function in Mozilla.  This is
why Mozilla 1.7.2 still has this bug.

You should open a bug against the product "PSM".
At the end of comment 1, Nelson's answer to the
question "Is there a solution for the problem?"
describes how one might fix this bug in Mozilla.
I encourage you to submit a patch.
The reason that mozilla's PSM is unfixed is that no-one works on PSM.
PSM is effectively an orphan.  I filed this bug against NSS, not PSM,
because it was apparent that the most that we (NSS team) could do about it 
was to be exemplary in the proper handling of it in NSS sample programs.
ok, i thought anyone opened already a BUG report for the PSM module - i know 
its an orphan and i feel that it is really a shame - no smime V3 or anything in 
near time...there will be a time when Windows Users will have to use outlook to 
use newer technology, ugh.

Anybody here know by chance were within the mozilla code this kind of patch 
could be applied ? I would need a good mozilla build for presentation purpose 
and this password popup is really silly...
Blocks: 282437
You need to log in before you can comment on or make changes to this bug.