Closed Bug 367667 Opened 15 years ago Closed 5 years ago

problem with security device password

Categories

(Core :: Security: PSM, defect)

x86
Linux
defect
Not set
major

RESOLVED INVALID

People

(Reporter: sander, Unassigned)

Details

(Whiteboard: [psm-smartcard])

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; et-EE; rv:1.8.1.1) Gecko/20061208 Firefox/2.0.0.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; et-EE; rv:1.8.1.1) Gecko/20061208 Firefox/2.0.0.1

In Estonia the ID card (http://www.id.ee/pages.php/0303) is becoming more and more popular (also on Linux), but when I try to access a page through the ID card I get error code -8037 (that is if I have chosen "select one automatically" under certificates; if it is set to "ask every time", I get the option to choose one of the certificates on the card, and after that the same error code appears).

At the same time, on the command line it outputs this:

[sander@localhost ~]$ /home/soft/firefox/firefox
iso7816.c:99:iso7816_check_sw: Record not found
iso7816.c:155:iso7816_read_record: returning with: Record not found
card.c:610:sc_read_record: returning with: Record not found
iso7816.c:99:iso7816_check_sw: Record not found
iso7816.c:155:iso7816_read_record: returning with: Record not found
card.c:610:sc_read_record: returning with: Record not found
iso7816.c:99:iso7816_check_sw: Security status not satisfied
card-mcrd.c:1266:mcrd_compute_signature: Card returned error: Security status not satisfied
sec.c:53:sc_compute_signature: returning with: Security status not satisfied
pkcs15-sec.c:331:sc_pkcs15_compute_signature: sc_compute_signature() failed: Security status not satisfied

The problem can be bypassed if I log in under the Security Devices dialog; then everything works flawlessly (still, it's annoying to open that dialog every time to enter passwords).

Reproducible: Always

Steps to Reproduce:
1. go to webpage
2. try to access through id card
Actual Results:  
It outputs error code -8037.

Expected Results:  
It should ask for the certificate's password.

To use the ID card, opensc + pcscd must be installed and the opensc-pkcs11.so module must be loaded into Firefox.

If I remember right, this is not a problem on Windows.
Assignee: nobody → kengert
Component: Disability Access → Security: PSM
Product: Firefox → Core
QA Contact: disability.access
Version: unspecified → Trunk
-8037 means: SEC_ERROR_TOKEN_NOT_LOGGED_IN

This explains why it works when you log in manually before trying the other operation.

Sander, can you give us a link: What is the page that you access, that requires the card?

Bob, for some reason our just-in-time-login to smartcard seems to be broken?
https://www.sk.ee/cgi-bin/tervitus  This page is the official test page to see if everything works. Under Windows it asks for the password; on Linux it shows the error.
I believe you should confirm this bug; it is known to be a problem for FF 2.0 on all distros. I personally have had this problem on Mandriva 2007, Kubuntu Edgy, Kubuntu Feisty and OpenSuse 10.2 on different computers, so it is really confirmed.
Status: UNCONFIRMED → NEW
Ever confirmed: true
This sounds like a bug in the PKCS #11 driver for your token. NSS does not prompt for a password for a token which indicates that it is already logged in. Most likely you have a buggy C_GetSessionInfo.

I regularly test this functionality with coolkey on both windows and Linux.

bob
(In reply to comment #4)
> This sounds like a bug in the PKCS #11 driver for your token. NSS does not
> prompt for a password for a token which indicates that it is already logged in.


Bob, what happens when a token indicates "already logged in" and you open the device manager? Will the dialog still offer "log in" (as Sander experiences)?
No, the device manager will list the token status as "logged in".
If the token says it doesn't need to log in, the device manager says "ready".

In either case the 'Log In' button will be grayed out.

The other common problem is that somehow the token is marked as a friendly token, but does not have the public key for the cert on the token. This doesn't seem to be the case because we appear to be getting into the token's signature function (if the token were marked friendly we wouldn't even get there).

So I would like to know the following:

1) While logged out, if you open preferences->Advanced->Security Devices and select your token, what does the Status: line say?
2) While logged out, if you open preferences->Advanced->Certificates, do you get prompted for the token PIN? If you aren't prompted for the token PIN, do the certs show up in the cert dialogs?
3) Was this token working correctly in a previous version of Firefox or Mozilla, and if so, which version?
4) Fetch a copy of modutil (most modern Linux distributions include it in the nss-tools or mozilla-nss-tools package). Run modutil --list --dbdir ~/.mozilla/firefox/{funny salt} and attach the output. [{funny salt} is a random value ending in .default; it will be a directory.]

bob
QA Contact: psm
1) Status: Not Logged In
2) It shows up and I can see the correct info.
3) It works with Mozilla 1.7 (http://releases.mozilla.org/pub/mozilla.org/mozilla/releases/mozilla1.7/mozilla-i686-pc-linux-gnu-1.7.tar.gz); it also acts the same way as Firefox in 1) and 2).
4) modutil for Firefox:
[sander@localhost ~]$ modutil -list -dbdir /home/sander/.mozilla/firefox/za20o766.default/
Using database directory /home/sander/.mozilla/firefox/za20o766.default...
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. opensc-pkcs11
        library name: /usr/lib/opensc-pkcs11.so
         slots: 8 slots attached
        status: loaded

         slot: SCR24x Smart Card Reader 00 00
        token: ID-kaart (PIN1, Isikutuvastus)

         slot: SCR24x Smart Card Reader 00 00
        token: ID-kaart (PIN2, Allkirjastamine)

         slot: SCR24x Smart Card Reader 00 00
        token: ID-kaart (PUK)

         slot: SCR24x Smart Card Reader 00 00
        token:

         slot: OpenCT reader (detached)
        token:

         slot: OpenCT reader (detached)
        token:

         slot: OpenCT reader (detached)
        token:

         slot: OpenCT reader (detached)
        token:

  3. Builtin Roots Module
        library name: /home/soft/firefox/libnssckbi.so
         slots: 1 slot attached
        status: loaded

         slot:
        token: Builtin Object Token
-----------------------------------------------------------
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory

And the same for Mozilla:
[sander@localhost ~]$ modutil -list -dbdir /home/sander/.mozilla/Default\ User/6ci66zlc.slt/
Using database directory /home/sander/.mozilla/Default User/6ci66zlc.slt...
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. Builtin Roots Module
        library name: /home/soft/seamonkey/seamonkey/libnssckbi.so
         slots: 1 slot attached
        status: loaded

         slot:
        token: Builtin Object Token

  3. opensc-pkcs11
        library name: /usr/lib/opensc-pkcs11.so
         slots: 8 slots attached
        status: loaded

         slot: SCR24x Smart Card Reader 00 00
        token: ID-kaart (PIN1, Isikutuvastus)

         slot: SCR24x Smart Card Reader 00 00
        token: ID-kaart (PIN2, Allkirjastamine)

         slot: SCR24x Smart Card Reader 00 00
        token: ID-kaart (PUK)

         slot: SCR24x Smart Card Reader 00 00
        token:

         slot: OpenCT reader (detached)
        token:

         slot: OpenCT reader (detached)
        token:

         slot: OpenCT reader (detached)
        token:

         slot: OpenCT reader (detached)
        token:
-----------------------------------------------------------
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory

library name: /home/soft/seamonkey/seamonkey/libnssckbi.so  --- this is because I tried it with SeaMonkey, but as it uses the Firefox engine now, it also didn't work out. But it's working in Mozilla.
This is NOT nice, but I will push it up a bit as it's a showstopper for Estonian Linux users who dare to use the ID card :)
Any news?
This can be a very good marketing tip in Estonia to use Firefox. Right now many enterprises can't use Firefox because of that...
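An added helper (not from the bug report, NSS or OpenSC) that parses the `modutil -list` layout pasted above, so the token inventory can be read apart from the OpenCT diagnostic lines the PKCS #11 module interleaves with it; the sample input is a constructed excerpt in the same layout as the reporter's output.

```python
import re
from collections import Counter

# Constructed excerpt in the layout of the reporter's `modutil -list` output.
SAMPLE = """\
Error: can't open /var/run/openct/status: No such file or directory
  1. NSS Internal PKCS #11 Module
         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
  2. opensc-pkcs11
        library name: /usr/lib/opensc-pkcs11.so
         slot: SCR24x Smart Card Reader 00 00
        token: ID-kaart (PIN1, Isikutuvastus)
         slot: SCR24x Smart Card Reader 00 00
        token: ID-kaart (PIN2, Allkirjastamine)
         slot: OpenCT reader (detached)
        token:
Error: can't open /var/run/openct/status: No such file or directory
"""

MODULE_RE = re.compile(r"^\s*\d+\.\s+(.+?)\s*$")          # "  2. opensc-pkcs11"
FIELD_RE = re.compile(r"^\s*(library name|slot|token):\s*(.*?)\s*$")

def parse_modutil_list(text):
    """Return (modules, stray): modules is a list of dicts with name, library and
    slots as (reader, token label or None); stray counts the diagnostic lines
    the PKCS #11 module itself printed around modutil's listing."""
    modules, stray, current, reader = [], Counter(), None, None
    for line in text.splitlines():
        if line.startswith("Error:"):
            stray[line] += 1              # emitted by the module, not by modutil
            continue
        m = MODULE_RE.match(line)
        if m:
            current = {"name": m.group(1), "library": None, "slots": []}
            modules.append(current)
            continue
        f = FIELD_RE.match(line)
        if not f or current is None:
            continue
        key, value = f.groups()
        if key == "library name":
            current["library"] = value
        elif key == "slot":
            reader = value
        elif key == "token":              # empty label: no card in that slot
            current["slots"].append((reader, value or None))
    return modules, stray

def tokens_present(modules):
    """(module name, token label) for each slot that actually holds a token."""
    return [(m["name"], t) for m in modules for _, t in m["slots"] if t]
```

Running it over the full output above shows one card presented as three separate tokens (PIN1, PIN2, PUK) plus empty OpenCT slots, which is the inventory NSS is choosing a client certificate from.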
Same thing here
Bob R: FYI, your questions from comment 6 have been answered in comment 7.
So answer 1 indicates the token is apparently setting the Session Info correctly.
Answer 2 seems to indicate that the token is either set to 'Publicly readable certs' or there is some funkiness in the token driver itself.

modutil -list opensc-pkcs11 -dbdir . 

should tell us whether 'publicly readable certs' is set.
The large amount of diagnostic output from the token is a bit disturbing (the 'Error: can't open /var/run/openct/status: No such file or directory' message is generated by the PKCS #11 module, and may indicate some misconfiguration going on with openct).

The evidence seems to indicate a misbehaving PKCS #11 module, but it's not certain (it may be that the PKCS #11 module is behaving oddly, but not 'illegally', and NSS is not handling that behavior correctly).
Gents, 

The same kind of problem appears with Latvian e-me cards as well, with a slight difference, but (I guess) those are related things: our users are prompted for PIN entry by the PKCS#11 module (we use the one supplied by Gemalto), but after entering the PIN they always get "Error establishing an encrypted connection to <host name>. Error Code: -12205".

Needless to say, the number of e-me card (local e-ID and digital signature card) based authentication services is growing in Latvia, and if those are accessible to IE users only, FF is not getting the best publicity, and we, as holders of www.e-me.lv, get questions asked that we can't answer. :-(
This problem is related to #328346, the specific OpenSC module that was used (opensc-pkcs11.so vs onepin-opensc-pkcs11.so, which is created especially to please FF) and a usability bug in that version of OpenSC.

The problem comes from a module that exposes three PINs (PIN1, PIN2, PUK) and certificates, out of which one is a non-repudiation digital signature certificate which Firefox thinks can be used for web authentication. As the object is a user consent object (which requires a login before each and every operation with the private key), you get the mentioned error.

I don't know if the "friendly certs" issue plays a role in this as well or not, but I don't see this as a bug that can be acted upon. I'll try to break down the problem into actionable tickets.
Assignee: kaie → nobody
Whiteboard: [psm-smartcard]
This seems to be due to a buggy driver/device.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID