Open Bug 506939 Opened 10 years ago Updated 2 years ago

Firefox does not understand and inform the user when PKCS#11 token PIN is invalid or blocked.

Categories

(Core :: Security: PSM, enhancement, P5)

1.9.1 Branch
enhancement

Tracking

()

UNCONFIRMED

People

(Reporter: martin, Unassigned)

References

(Depends on 1 open bug)

Details

(Whiteboard: [psm-smartcard][psm-blocked])

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7; et-ee) AppleWebKit/530.19.2 (KHTML, like Gecko) Version/4.0.2 Safari/530.19
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; et; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1

Firefox (or Thunderbird) does not understand when PKCS#11 module returns CKR_PIN_INCORRECT. No meaningful error is shown to the user, the PIN dialog just re-appears. Nor does it understand CKR_PIN_LOCKED. If a card PIN is in locked state when Firefox starts using it, it still tries to display the PIN dialog 3 times before giving up.

In other words, Firefox does not understand token flags CKF_USER_PIN_LOCKED and  CKF_USER_PIN_COUNT_LOW nor return codes CKR_PIN_LOCKED and CKR_PIN_INCORRECT

Reproducible: Always

Steps to Reproduce:
1. Enter a card with a configured pkcs#11 provider (OpenSC for example) that has 3 retires before it becomes locked
2. Go to a website requiring a certificate on that token
3. Enter a PIN 3 times wrongly (or as many times required to block the PIN) - Note: You actually get to enter the PIN 6 times.
Actual Results:  
Firefox display an identical window asking for the password of the token 6 times in a row and finally displays a cryptic error page with "ssl_error_handshake_failure_alert". Pressing cancel in any of those windows has no effect as the next input window is displayed until 3 times pass and again the cryptic SSL error message is displayed

Expected Results:  
1. After the first wrong PIN is entered, a new window pops up with "you entered a wrong PIN, please try again"
2. In any of those windows, pressing Cancel actually stops the process and displays a "can not connect to the remote site because you refused to send a certificate" status page, or if the client certificate was optional on that SSL site, continues without a certificate.
3. When PIN is blocked, a notification window is displayed stating "Your PIN is blocked"

If I have 3 retires and I enter a wrong PIN all times, I get to enter it 6 times before the SSL  handshake error is displayed. Apparently Firefox has a hardcoded "lets try three times" counter that gets triggered when it sees CKR_PIN_LOCKED status from  the card. If I enter a card with a locked PIN, I get to enter a PIN (or press cancel) 3 times, even though every time C_Login returns CKR_PIN_LOCKED.

This affects the usability of all smart cards (like national eID cards in Europe or PIV/CAC cards in US) that are used daily by many people (and a reason why some people continue to use IE. Because Firefox fails).

All tests have been made with OpenSC PKCS#11 and Estonian eID.
NSS maps CKR_PIN_INCORRECT to SEC_ERROR_BAD_PASSWORD, but
maps CKR_PIN_LOCKED to the default SEC_ERROR_IO error:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/pk11wrap/pk11err.c&rev=1.10&mark=104-106,148,157#104

The SEC_ERROR_xxx error codes are what Firefox sees.  So
Firefox sees SEC_ERROR_IO when the token returns CKR_PIN_LOCKED
to NSS.

Firefox's handling of CKR_PIN_INCORRECT is correct.  You're
just asking for a different message in the second and
subsequent password dialog.
Martin, you're requesting two changes:
a) Change the password dialog UI to show different things for some cases.
b) change NSS to report a different (new) nss error code for CKR_PIN_LOCKED.

Please file a separate NSS request for enhancement about that latter point, 
and mark it as blocking this bug.
Assignee: nobody → kaie
Severity: major → enhancement
Component: General → Security: PSM
Product: Firefox → Core
QA Contact: general → psm
Version: unspecified → 1.9.1 Branch
Depends on: 506966
Depends on: 506965
Assignee: kaie → nobody
Whiteboard: [psm-smartcard]
Priority: -- → P5
Whiteboard: [psm-smartcard] → [psm-smartcard][psm-blocked]
You need to log in before you can comment on or make changes to this bug.