Closed Bug 326231 Opened 19 years ago Closed 3 years ago

Entrust Enterprise digital certificates on a smart card and Firefox error

Categories

(NSS :: Libraries, defect)

x86
Windows 2000
defect
Not set
major

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: test_korisnik, Unassigned)

User-Agent:       Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.1.4322)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1

It is not possible to use the Entrust Enterprise digital certificates on a smart card (USB token) within Firefox 1.5.0.1. Firefox locates the Entrust Enterprise certificate on the tab Other People's, instead of the tab Your Certificates:

http://www.geocities.com/test_korisnik/ff/EntrustEnterprise-card.jpg

Encryption Certificate and keys info on the Datakey smart card:
http://www.geocities.com/test_korisnik/ff/EncryptionCertificate.zip

Verification Certificate and keys info on the Datakey smart card:
http://www.geocities.com/test_korisnik/ff/VerificationCertificate.zip

Smart card structure:
http://www.geocities.com/test_korisnik/ff/SmartCard-structure.jpg

I have tested SafeNet (Datakey) 330 smart card, SafeNet (Rainbow Technologies) iKey 2032 token and Aladdin eToken Pro token.
-----------------------------------------------------------------
With the Entrust Web certificate on a smart card (USB token), everything is OK:

http://www.geocities.com/test_korisnik/ff/EntrustWeb-card.jpg
-----------------------------------------------------------------

Reproducible: Always

Steps to Reproduce:
1. Put smart card with Entrust Enterprise digital certificates in a smart card reader.

Actual Results:  
Firefox locates Entrust Enterprise certificates on the tab Other People's, instead of the tab Your Certificates.

Expected Results:  
Firefox should locate Entrust Enterprise certificates on the tab Your Certificates.

This is not a security exploit, it's probably not even a bug. Opening it so that people can help resolve it.
Assignee: nobody → wtchang
Group: security
Component: Form Manager → Libraries
Product: Firefox → NSS
QA Contact: form.manager → jason.m.reid
Whiteboard: [sg:nse]

Probably, it is a bug, because I can't use Entrust Enterprise digital certificates on a smart card (USB token) within Firefox/Thunderbird/Netscape. With software Entrust Enterprise digital certificates and hardware and software Entrust Web certificates, everything is OK.

Also, I can use Entrust Enterprise digital certificates on a smart card (USB token) within Microsoft applications, Adobe (uses PKCS#11 like FF),…


Assignee: wtchang → nobody
QA Contact: jason.m.reid → libraries
Hi

I have tried the Giesecke & Devrient StarKey100 STARCOS SPK 2.3 token with SafeSign 2.1.6 and 2.2.0 middleware, but the problem is the same.

Dragan
I can confirm this behaviour with Thunderbird but, apparently, the problem is not with Mozilla but with Entrust. I'm told they are working on the issue.

It should be possible to encrypt mail using an Entrust certificate/smart card but decrypting will not work.

I'm told the problem is that despite using the same interface to the smart cards, Mozilla and Entrust handle one of the on-card object attributes slightly differently. The way Entrust handles the key/certificate pairings means that Mozilla can't find the pairs for decryption.

The result of this is that the certificates appear in the wrong place.

If this is indeed the case, I suggest -->INVALID and we take our complaint to Entrust ;-)
Hi

I have tested Entrust Enterprise certificates and Entrust Web certificates on the Datakey smart card and iKey 2032 USB token within Mozilla Thunderbird 1.5.0.2 today. Results:

1. It is possible to use an Entrust Web certificate on a smart card (token) within Mozilla Thunderbird 1.5.0.2 for encrypting / decrypting and signing / verifying of signed e-mails.

2. It is NOT possible to use an Entrust Enterprise certificate on a smart card (token) within Mozilla Thunderbird 1.5.0.2 for encrypting and signing e-mails. The user cannot select certificates on the form Account Settings, because of a location error:

Certificate Manager can't locate a valid certificate that can be used to digitally sign your messages.

Certificate Manager can't locate a valid certificate that other people can use to send you encrypted email messages.
-------------------------------------------------------------------------------------------------
[Andrew Done] It should be possible to encrypt mail using an Entrust certificate/smart card but decrypting will not work.

Question: Which Entrust certificate category do you mean, Enterprise or Web?

Dragan
Dragan, I'm talking about personal certificates on a corporate Smart Card so I believe that would make them Enterprise certificates.
Our corporate Smart Card/PKI Program Manager asked me to pass the following on. I quote:

> We have experienced the same and I have reported the issue to Entrust
> 1 month ago. This is being worked by them and a patch should be
> released to resolve this. Apparently this has to do with the
> labelling of the CKA_ID objects on the Token, which makes it
> complicated for Mozilla to locate the certificates in the right
> container. You can test that Netscape 4.78 (and previous) will work
> fine, but after this version the convention for this attribute has
> changed and Entrust never adapted theirs.

Hope that's of some help. I'll report back when we get hold of this patch.
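
A simplified model of the pairing described in the comments above, added here as an example and not code from NSS or Entrust: certificates and private keys on a token are matched by CKA_ID, and a certificate with no matching private key is listed under Other People's. The sample tokens, labels and ID bytes are constructed for illustration; the page does not give the real values.

```python
# Simplified model of CKA_ID pairing on a token (illustrative, not NSS source).
# Object class values are taken from the PKCS#11 specification.
CKO_CERTIFICATE = 0x01
CKO_PRIVATE_KEY = 0x03


def audit_token(objects):
    """Pair certificates with private keys by CKA_ID.

    Returns (tabs, orphan_keys): tabs maps each certificate label to the
    Certificate Manager tab named in the thread; orphan_keys lists private
    keys whose CKA_ID matches no certificate on the token.
    """
    key_ids = {o["CKA_ID"] for o in objects if o["CKA_CLASS"] == CKO_PRIVATE_KEY}
    cert_ids = {o["CKA_ID"] for o in objects if o["CKA_CLASS"] == CKO_CERTIFICATE}
    tabs, orphan_keys = {}, []
    for o in objects:
        if o["CKA_CLASS"] == CKO_CERTIFICATE:
            # A certificate counts as the user's own only when a private key
            # carrying the same CKA_ID is present.
            paired = o["CKA_ID"] in key_ids
            tabs[o["CKA_LABEL"]] = "Your Certificates" if paired else "Other People's"
        elif o["CKA_CLASS"] == CKO_PRIVATE_KEY and o["CKA_ID"] not in cert_ids:
            orphan_keys.append(o["CKA_LABEL"])
    return tabs, orphan_keys


def obj(cls, label, cka_id):
    """Build one constructed token object."""
    return {"CKA_CLASS": cls, "CKA_LABEL": label, "CKA_ID": cka_id}


# Constructed sample: certificate and key share one CKA_ID.
CONSISTENT_TOKEN = [
    obj(CKO_CERTIFICATE, "web cert", bytes.fromhex("a1b2c3")),
    obj(CKO_PRIVATE_KEY, "web key", bytes.fromhex("a1b2c3")),
]
# Constructed sample: the encryption pair uses two different CKA_ID values.
MISMATCHED_TOKEN = [
    obj(CKO_CERTIFICATE, "encryption cert", bytes.fromhex("0a0b")),
    obj(CKO_PRIVATE_KEY, "encryption key", bytes.fromhex("0c0d")),
    obj(CKO_CERTIFICATE, "verification cert", bytes.fromhex("0102")),
    obj(CKO_PRIVATE_KEY, "verification key", bytes.fromhex("0102")),
]

if __name__ == "__main__":
    for name, token in (("consistent", CONSISTENT_TOKEN), ("mismatched", MISMATCHED_TOKEN)):
        print(name, audit_token(token))
```

An orphan private key next to an unpaired certificate is the signature of the mismatch the thread describes: both objects are on the token, but nothing links them.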
Firefox 2.0 has the same problem as previous versions.
Whiteboard: [sg:nse]
Firefox 3.0 Beta 5 also has the same problem as previous versions.
I was using a SafeNet smart card with the middleware SafeNet Borderless Security 7.0 SP2.

We have lots of smartcard stuff working now.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE