Closed
Bug 326231
Opened 19 years ago
Closed 3 years ago
Entrust Enterprise digital certificates on a smart card and Firefox error
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
People
(Reporter: test_korisnik, Unassigned)
Details
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.1.4322)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1

It is not possible to use the Entrust Enterprise digital certificates on a smart card (USB token) within Firefox 1.5.0.1.

Firefox locates the Entrust Enterprise certificate on the tab Other People's, instead of the tab Your Certificates:
http://www.geocities.com/test_korisnik/ff/EntrustEnterprise-card.jpg

Encryption Certificate and keys info on the Datakey smart card:
http://www.geocities.com/test_korisnik/ff/EncryptionCertificate.zip

Verification Certificate and keys info on the Datakey smart card:
http://www.geocities.com/test_korisnik/ff/VerificationCertificate.zip

Smart card structure:
http://www.geocities.com/test_korisnik/ff/SmartCard-structure.jpg

I have tested the SafeNet (Datakey) 330 smart card, the SafeNet (Rainbow Technologies) iKey 2032 token and the Aladdin eToken Pro token.

-----

With the Entrust Web certificate on a smart card (USB token), everything is OK:
http://www.geocities.com/test_korisnik/ff/EntrustWeb-card.jpg

-----

Reproducible: Always

Steps to Reproduce:
1. Put a smart card with Entrust Enterprise digital certificates in a smart card reader.

Actual Results:
Firefox locates the Entrust Enterprise certificates on the tab Other People's, instead of the tab Your Certificates.

Expected Results:
Firefox should locate the Entrust Enterprise certificates on the tab Your Certificates.
This is not a security exploit; it's probably not even a bug. Opening it so that people can help resolve it.
Assignee: nobody → wtchang
Group: security
Component: Form Manager → Libraries
Product: Firefox → NSS
QA Contact: form.manager → jason.m.reid
Whiteboard: [sg:nse]
Reporter
Comment 2•19 years ago
Probably, it is a bug, because I can't use Entrust Enterprise digital certificates on a smart card (USB token) within Firefox/Thunderbird/Netscape. With software Entrust Enterprise digital certificates and hardware and software Entrust Web certificates, everything is OK. Also, I can use Entrust Enterprise digital certificates on a smart card (USB token) within Microsoft applications, Adobe (uses PKCS#11 like FF),…
Updated•18 years ago
Assignee: wtchang → nobody
QA Contact: jason.m.reid → libraries
Reporter
Comment 3•18 years ago
Hi, I have tried the Giesecke & Devrient StarKey100 STARCOS SPK 2.3 token with SafeSign 2.1.6 and 2.2.0 middleware, but the problem is the same.

Dragan
Comment 4•18 years ago
I can confirm this behaviour with Thunderbird but, apparently, the problem is not with Mozilla but with Entrust. I'm told they are working on the issue. It should be possible to encrypt mail using an Entrust certificate/smart card but decrypting will not work. I'm told the problem is that despite using the same interface to the smart cards, Mozilla and Entrust handle one of the on-card object attributes slightly differently. The way Entrust handles the key/certificate pairings means that Mozilla can't find the pairs for decryption. The result of this is that the certificates appear in the wrong place. If this is indeed the case, I suggest -->INVALID and we take our complaint to Entrust ;-)
Reporter
Comment 5•18 years ago
Hi,

I have tested Entrust Enterprise certificates and Entrust Web certificates on the Datakey smart card and iKey 2032 USB token within Mozilla Thunderbird 1.5.0.2 today.

Results:

1. It is possible to use an Entrust Web certificate on a smart card (token) within Mozilla Thunderbird 1.5.0.2 for encrypting / decrypting and signing / verifying of signed e-mails.
2. It is NOT possible to use an Entrust Enterprise certificate on a smart card (token) within Mozilla Thunderbird 1.5.0.2 for encrypting and signing e-mails. The user cannot select certificates on the Account Settings form because of a location error:

Certificate Manager can't locate a valid certificate that can be used to digitally sign your messages.
Certificate Manager can't locate a valid certificate that other people can use to send you encrypted email messages.

-----

[Andrew Done] It should be possible to encrypt mail using an Entrust certificate/smart card but decrypting will not work.

Question: Which Entrust certificate category do you think, Enterprise or Web?

Dragan
Comment 6•18 years ago
Dragan, I'm talking about personal certificates on a corporate Smart Card so I believe that would make them Enterprise certificates.
Comment 7•18 years ago
Our corporate Smart Card/PKI Program Manager asked me to pass the following on. I quote:
> We have experienced the same and I have reported the issue to Entrust
> 1 month ago. This is being worked by them and a patch should be
> released to resolve this. Apparently this has to do with the
> labelling of the CKA_ID objects on the Token, which makes it
> complicated for Mozilla to locate the certificates in the right
> container. You can test that Netscape 4.78 (and previous) will work
> fine, but after this version the convention for this attribute has
> changed and Entrust never adapted theirs.
Hope that's of some help. I'll report back when we get hold of this patch.
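
The pairing problem described in comments 4 and 7, as an added example that is not part of the bug thread and is not NSS or Entrust code: a simplified Python model in which a certificate counts as a user certificate only when a private key on the token carries the same CKA_ID. The dict layout, the `modulus` stand-in for the public key, the `obj` helper and all sample values are assumptions constructed for illustration.

```python
# Simplified model of certificate/private-key pairing on a PKCS#11 token.
# Not NSS or Entrust code. Objects are plain dicts; "modulus" is an assumed
# stand-in for the RSA public key a real tool would read from the objects.

def classify_certificates(objects):
    """Map each certificate label to (tab, reason)."""
    keys = [o for o in objects if o["CKA_CLASS"] == "CKO_PRIVATE_KEY"]
    ids_with_key = {k["CKA_ID"] for k in keys}
    key_by_modulus = {k["modulus"]: k for k in keys}
    result = {}
    for cert in objects:
        if cert["CKA_CLASS"] != "CKO_CERTIFICATE":
            continue
        if cert["CKA_ID"] in ids_with_key:
            verdict = ("Your Certificates", "CKA_ID matches a private key")
        else:
            twin = key_by_modulus.get(cert["modulus"])
            if twin is not None:
                # Key exists, but the ID-based lookup cannot find it.
                reason = "key present but CKA_ID differs: cert=%s key=%s" % (
                    cert["CKA_ID"].hex(), twin["CKA_ID"].hex())
            else:
                reason = "no private key for this certificate on the token"
            verdict = ("Other People's", reason)
        result[cert["CKA_LABEL"]] = verdict
    return result

def obj(cls, label, cka_id, modulus):
    """Build one constructed token object (hypothetical helper)."""
    return {"CKA_CLASS": cls, "CKA_LABEL": label,
            "CKA_ID": bytes.fromhex(cka_id), "modulus": modulus}

# Constructed sample token contents (all IDs and moduli are invented).
SAMPLE_TOKEN = [
    obj("CKO_CERTIFICATE", "web cert", "a1b2", 0xC0FFEE),
    obj("CKO_PRIVATE_KEY", "web key", "a1b2", 0xC0FFEE),
    obj("CKO_CERTIFICATE", "enterprise cert", "e101", 0xBEEF01),
    obj("CKO_PRIVATE_KEY", "enterprise key", "e102", 0xBEEF01),
    obj("CKO_CERTIFICATE", "colleague cert", "0f0f", 0xABCDEF),
]

if __name__ == "__main__":
    for label, (tab, reason) in classify_certificates(SAMPLE_TOKEN).items():
        print("%-16s -> %-18s (%s)" % (label, tab, reason))
```

The middle case is the one the comments describe: the key is on the token, yet the certificate is listed as someone else's because the two objects do not share an ID.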
Comment 8•18 years ago
Firefox 2.0 has the same problem as previous versions.
Updated•17 years ago
Whiteboard: [sg:nse]
Comment 9•16 years ago
Firefox 3.0 Beta 5 also has the same problem as previous versions.
Comment 10•16 years ago
I was using a SafeNet smart card with the middleware SafeNet Borderless Security 7.0 SP2.
Comment 11•3 years ago
We have lots of smartcard stuff working now.
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE