Closed Bug 282437 Opened 20 years ago Closed 19 years ago

User prompted for token password even when device has own authentication hardware (e.g. biometrics)

Categories

(Core Graveyard :: Security: UI, enhancement)

1.0 Branch
enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 119500

People

(Reporter: nelson, Assigned: KaiE)

Some PKCS11 devices have their own hardware for authenticating their
users.  These devices do not need (or want) the user to enter a 
password through mozilla UI.  NSS provides a function by which 
mozilla can ask it "Does this device need a password dialog?"
but mozilla apparently does not call it or use the result.  
Consequently, mozilla users get prompted for token passwords 
when they should not.  

The solution is to get mozilla's password callback function, 
PK11PasswordPrompt (see
http://lxr.mozilla.org/mozilla/source/security/manager/ssl/src/nsNSSCallbacks.cpp#134),
to call PK11_ProtectedAuthenticationPath() and use its answer.  

Bug 110062 shows the history of this issue in NSS.
RFE 229023 requested example code of how to use NSS's function
PK11_ProtectedAuthenticationPath in a password callback function.
In a nutshell, if PK11_ProtectedAuthenticationPath returns true,
the password callback function should return a strdup'ed empty string
without prompting the user for a password.  

Perhaps it would be OK for mozilla to display a dialog that says 
"authenticate to your token now, and then click OK".  This would 
alert the user to the action he must take, and would not misdirect
him to enter an unneeded password.
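
The callback behaviour described in the report above, as an added example that is not part of the original bug report or of Mozilla's or NSS's code. The typedefs, the two stub functions, `ui_prompt_for_password` and the sample token are constructed stand-ins so the file builds without NSS; cancelling on retry is an assumption of this example.

```c
/* Added example: NSS-style token password callback that skips the password
 * dialog when the token has a protected authentication path.
 * The typedefs and stub functions in this first part are constructed
 * stand-ins so the file builds without NSS; against real NSS, delete them
 * and include <pk11pub.h> and <secport.h> instead. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int PRBool;
#define PR_TRUE 1
#define PR_FALSE 0
typedef struct { const char *name; PRBool protected_path; } PK11SlotInfo;

/* Stand-in: returns the constructed flag stored on the mock slot. */
static PRBool PK11_ProtectedAuthenticationPath(PK11SlotInfo *slot) {
    return slot->protected_path;
}
/* Stand-in allocator with the same contract as NSS's PORT_Strdup. */
static char *PORT_Strdup(const char *s) {
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}

/* Hypothetical UI hook; counts dialogs so the behaviour can be checked. */
static int prompts_shown = 0;
static char *ui_prompt_for_password(PK11SlotInfo *slot) {
    (void)slot;
    prompts_shown++;
    return PORT_Strdup("constructed-sample-pin");
}

/* Same signature as a callback registered with PK11_SetPasswordFunc(). */
char *token_password_cb(PK11SlotInfo *slot, PRBool retry, void *arg) {
    (void)arg;
    if (PK11_ProtectedAuthenticationPath(slot)) {
        /* Assumption of this example: a retry means the device's own
         * authentication already failed, so cancel instead of looping. */
        if (retry) return NULL;
        return PORT_Strdup("");   /* strdup'ed empty string, no dialog */
    }
    return ui_prompt_for_password(slot);
}

int main(void) {
    PK11SlotInfo bio = { "constructed biometric token", PR_TRUE };
    char *pw = token_password_cb(&bio, PR_FALSE, NULL);
    printf("%s: password \"%s\", dialogs shown: %d\n",
           bio.name, pw ? pw : "(null)", prompts_shown);
    free(pw);
    return 0;
}
```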

Nelson, isn't this a duplicate of bug 119500?

Yes, it's a dup.  I searched for a PSM bug about this issue, prior to 
filing this bug, but didn't find it.  Thanks for finding the dup.  

*** This bug has been marked as a duplicate of 119500 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Product: PSM → Core
Blocks: 374591
Version: psm2.4 → 1.0 Branch
Product: Core → Core Graveyard