Closed
Bug 367667
Opened 18 years ago
Closed 9 years ago
problem with security device password
Categories
(Core :: Security: PSM, defect)
RESOLVED
INVALID
People
(Reporter: sander, Unassigned)
Details
(Whiteboard: [psm-smartcard])
User-Agent: Mozilla/5.0 (X11; U; Linux i686; et-EE; rv:1.8.1.1) Gecko/20061208 Firefox/2.0.0.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; et-EE; rv:1.8.1.1) Gecko/20061208 Firefox/2.0.0.1
In Estonia the ID card (http://www.id.ee/pages.php/0303) is becoming more and more popular (also on Linux), but when I try to access a page through the ID card I get error code -8037 (that is, if I have one chosen under "select one automatically" under certificates; if it is set to "ask every time", I get the option to choose one of the certificates on the card and after that the same error code appears).
At the same time, on the command line it outputs this:
[sander@localhost ~]$ /home/soft/firefox/firefox
iso7816.c:99:iso7816_check_sw: Record not found
iso7816.c:155:iso7816_read_record: returning with: Record not found
card.c:610:sc_read_record: returning with: Record not found
iso7816.c:99:iso7816_check_sw: Record not found
iso7816.c:155:iso7816_read_record: returning with: Record not found
card.c:610:sc_read_record: returning with: Record not found
iso7816.c:99:iso7816_check_sw: Security status not satisfied
card-mcrd.c:1266:mcrd_compute_signature: Card returned error: Security status not satisfied
sec.c:53:sc_compute_signature: returning with: Security status not satisfied
pkcs15-sec.c:331:sc_pkcs15_compute_signature: sc_compute_signature() failed: Security status not satisfied
The problem can be bypassed if I log in under the security device dialog; then everything works flawlessly (still, it's annoying to open that dialog every time to enter the passwords).
Reproducible: Always
Steps to Reproduce:
1. Go to the web page.
2. Try to access it through the ID card.
Actual Results:
Outputs error code -8037.
Expected Results:
Should ask for the certificate's password.
To use the ID card, opensc + pcscd must be installed and the opensc-pkcs11.so module must be loaded into Firefox.
If I remember right, this is not a problem on Windows.
Updated•18 years ago
Assignee: nobody → kengert
Component: Disability Access → Security: PSM
Product: Firefox → Core
QA Contact: disability.access
Version: unspecified → Trunk
Comment 1•18 years ago
-8037 means: SEC_ERROR_TOKEN_NOT_LOGGED_IN
This explains why it works when you log in manually before trying the other operation.
Sander, can you give us a link: What is the page that you access, that requires the card?
Bob, for some reason our just-in-time-login to smartcard seems to be broken?
Comment 2•18 years ago
https://www.sk.ee/cgi-bin/tervitus - this page is the official test page to see if everything works. Under Windows it asks for the password; on Linux it shows the error.
Comment 3•18 years ago
I believe you should confirm this bug; it is known to be a problem for FF 2.0 on all distros. I personally have had this problem on Mandriva 2007, Kubuntu Edgy, Kubuntu Feisty and OpenSuse 10.2 on different computers, so it is really confirmed.
Updated•18 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 4•18 years ago
This sounds like a bug in the PKCS #11 driver for your token. NSS does not prompt for a password for a token which indicates that it is already logged in. Most likely you have a buggy C_GetSessionInfo.
I regularly test this functionality with coolkey on both windows and Linux.
bob
Comment 5•18 years ago
(In reply to comment #4)
> This sounds like a bug in the PKCS #11 driver for your token. NSS does not
> prompt for a password for a token which indicates that it is already logged in.
Bob, what happens when a token indicates "already logged in" and you open the device manager? Will the dialog still offer "log in" (as Sander experiences)?
Comment 6•18 years ago
No, the device manager will list the token status as "logged in".
If the token says it doesn't need to log in, the device manager says "ready".
In either case the 'Log In' button will be grayed out.
The other common problem is that somehow the token is marked as a friendly token, but does not have the public key for the cert on the token. This doesn't seem to be the case, because we appear to be getting into the token's signature function (if the token was marked friendly we wouldn't even get there).
So I would like to know the following:
1) While logged out, if you open Preferences->Advanced->Security Devices and select your token, what does the Status: line say?
2) While logged out, if you open Preferences->Advanced->Certificates, do you get prompted for the token PIN? If you aren't prompted for the token PIN, do the certs show up in the cert dialogs?
3) Was this token working correctly in a previous version of Firefox or Mozilla, and if so, which version?
4) Fetch a copy of modutil (most modern Linux distributions include it in the nss-tools or mozilla-nss-tools package). Run modutil --list --dbdir ~/.mozilla/firefox/{funny salt} and attach the output. [{funny salt} is a random value ending in .default; it will be a directory.]
bob
Updated•18 years ago
QA Contact: psm
Comment 7•18 years ago
1) Status: Not Logged In
2) It shows up and I can see the correct info.
3) It works with Mozilla 1.7 (http://releases.mozilla.org/pub/mozilla.org/mozilla/releases/mozilla1.7/mozilla-i686-pc-linux-gnu-1.7.tar.gz), which also acts the same way as Firefox in 1) and 2).
4) modutil for Firefox:
[sander@localhost ~]$ modutil -list -dbdir /home/sander/.mozilla/firefox/za20o766.default/
Using database directory /home/sander/.mozilla/firefox/za20o766.default...
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
2. opensc-pkcs11
library name: /usr/lib/opensc-pkcs11.so
slots: 8 slots attached
status: loaded
slot: SCR24x Smart Card Reader 00 00
token: ID-kaart (PIN1, Isikutuvastus)
slot: SCR24x Smart Card Reader 00 00
token: ID-kaart (PIN2, Allkirjastamine)
slot: SCR24x Smart Card Reader 00 00
token: ID-kaart (PUK)
slot: SCR24x Smart Card Reader 00 00
token:
slot: OpenCT reader (detached)
token:
slot: OpenCT reader (detached)
token:
slot: OpenCT reader (detached)
token:
slot: OpenCT reader (detached)
token:
3. Builtin Roots Module
library name: /home/soft/firefox/libnssckbi.so
slots: 1 slot attached
status: loaded
slot:
token: Builtin Object Token
-----------------------------------------------------------
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
And the same for Mozilla:
[sander@localhost ~]$ modutil -list -dbdir /home/sander/.mozilla/Default\ User/6ci66zlc.slt/
Using database directory /home/sander/.mozilla/Default User/6ci66zlc.slt...
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
2. Builtin Roots Module
library name: /home/soft/seamonkey/seamonkey/libnssckbi.so
slots: 1 slot attached
status: loaded
slot:
token: Builtin Object Token
3. opensc-pkcs11
library name: /usr/lib/opensc-pkcs11.so
slots: 8 slots attached
status: loaded
slot: SCR24x Smart Card Reader 00 00
token: ID-kaart (PIN1, Isikutuvastus)
slot: SCR24x Smart Card Reader 00 00
token: ID-kaart (PIN2, Allkirjastamine)
slot: SCR24x Smart Card Reader 00 00
token: ID-kaart (PUK)
slot: SCR24x Smart Card Reader 00 00
token:
slot: OpenCT reader (detached)
token:
slot: OpenCT reader (detached)
token:
slot: OpenCT reader (detached)
token:
slot: OpenCT reader (detached)
token:
-----------------------------------------------------------
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
library name: /home/soft/seamonkey/seamonkey/libnssckbi.so --- this is because I tried it with SeaMonkey, but as it uses the Firefox engine now, it also didn't work out. But it's working in Mozilla.
Comment 8•18 years ago
This is NOT nice, but I will push it up a bit, as it's a showstopper for Estonian Linux users who dare to use the ID card :)
Comment 9•18 years ago
Any news?
This could be a very good marketing tip in Estonia to use Firefox. Right now many enterprises can't use Firefox because of that...
Comment 10•18 years ago
Same thing here
Comment 11•18 years ago
Comment 12•18 years ago
So answer 1 indicates the token is apparently setting the Session Info correctly.
Answer 2 seems to indicate that the token is either set to 'Publicly readable certs' or there is some funkiness in the token driver itself.
modutil -list opensc-pkcs11 -dbdir .
should tell us whether 'publicly readable certs' is set.
The large amount of diagnostic output from the token is a bit disturbing (the 'Error: can't open /var/run/openct/status: No such file or directory' message is generated by the PKCS #11 module, and may indicate some misconfiguration going on with openct).
The evidence seems to indicate a misbehaving PKCS #11 module, but it's not certain (it may be that the PKCS #11 module is behaving oddly, but not 'illegally', and NSS is not handling that behavior correctly).
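The modutil listing quoted in comment 7 is long and noisy, as comment 12 notes. Below is an added parser (not part of this bug, NSS or OpenSC) that pulls modules, library paths and slot/token pairs out of `modutil -list` text, flags slots that expose no token (the empty and detached OpenCT readers above), and counts the stray OpenCT error lines; the sample input is constructed from the output quoted in the bug.

```python
import re
from collections import Counter
# Constructed sample, modelled on the modutil -list output quoted in this bug
SAMPLE = """\
Error: can't open /var/run/openct/status: No such file or directory
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
2. opensc-pkcs11
library name: /usr/lib/opensc-pkcs11.so
slots: 8 slots attached
slot: SCR24x Smart Card Reader 00 00
token: ID-kaart (PIN1, Isikutuvastus)
slot: OpenCT reader (detached)
token:
-----------------------------------------------------------
Error: can't open /var/run/openct/status: No such file or directory
"""
MODULE_RE = re.compile(r"^(\d+)\.\s+(.*)$")  # e.g. "2. opensc-pkcs11"

def parse_modutil(text):
    """Return (modules, noise): modules is a list of dicts with name, library and
    (slot, token) pairs; noise counts 'Error:' lines printed outside the listing."""
    modules, noise, current, pending_slot = [], Counter(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Error:"):          # diagnostic chatter from the module
            noise[line] += 1
            continue
        m = MODULE_RE.match(line)
        if m:                                  # start of a new module entry
            current = {"name": m.group(2), "library": None, "slots": []}
            modules.append(current)
        elif current is None:                  # header lines before the first module
            continue
        elif line.startswith("library name:"):
            current["library"] = line.split(":", 1)[1].strip()
        elif line.startswith("slot:"):         # "slots:" (plural) deliberately skipped
            pending_slot = line.split(":", 1)[1].strip()
        elif line.startswith("token:"):        # pair the token with the preceding slot
            current["slots"].append((pending_slot, line.split(":", 1)[1].strip()))
            pending_slot = None
    return modules, noise

def empty_slots(modules):
    """Slots exposing no token: no card inserted, or a detached OpenCT reader."""
    return [(m["name"], s) for m in modules for s, t in m["slots"] if not t]
```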
Comment 13•17 years ago
Gents,
the same kind of problem appears with Latvian e-me cards as well, with a slight difference, but (I guess) those are related things: our users are prompted for PIN entry by the PKCS#11 module (we use the one supplied by Gemalto), but after entering the PIN they always get "Error establishing an encrypted connection to <host name>. Error Code: -12205".
Needless to say, the number of e-me card (local e-ID and digital signature card) based authentication services is growing in Latvia, and if those are accessible to IE users only, FF is not getting the best publicity, and we, as holders of www.e-me.lv, get questions asked that we can't answer. :-(
Comment 14•16 years ago
This problem is related to #328346, the specific OpenSC module that was used (opensc-pkcs11.so vs onepin-opensc-pkcs11.so, which was created especially to please FF) and a usability bug in that version of OpenSC.
The problem comes from a module that exposes three PINs (PIN1, PIN2, PUK) and certificates, one of which is a non-repudiation digital signature certificate which Firefox thinks can be used for web authentication. As the object is a user consent object (which requires a login before each and every operation with the private key), you get the mentioned error.
I don't know if the "friendly certs" issue plays a role in this as well or not, but I don't see this as a bug that can be acted upon. I'll try to break down the problem into actionable tickets.
Updated•15 years ago
Assignee: kaie → nobody
Whiteboard: [psm-smartcard]
Comment 15•9 years ago
This seems to be due to a buggy driver/device.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID