506939 - Firefox does not understand and inform the user when PKCS#11 token PIN is invalid or blocked.

Status: UNCONFIRMED

(Core :: Security: PSM, enhancement, P5)

Description

[Martin Paljak]

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7; et-ee) AppleWebKit/530.19.2 (KHTML, like Gecko) Version/4.0.2 Safari/530.19
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; et; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1

Firefox (or Thunderbird) does not understand when PKCS#11 module returns CKR_PIN_INCORRECT. No meaningful error is shown to the user, the PIN dialog just re-appears. Nor does it understand CKR_PIN_LOCKED. If a card PIN is in locked state when Firefox starts using it, it still tries to display the PIN dialog 3 times before giving up.

In other words, Firefox does not understand token flags CKF_USER_PIN_LOCKED and  CKF_USER_PIN_COUNT_LOW nor return codes CKR_PIN_LOCKED and CKR_PIN_INCORRECT

Reproducible: Always

Steps to Reproduce:
1. Enter a card with a configured pkcs#11 provider (OpenSC for example) that has 3 retires before it becomes locked
2. Go to a website requiring a certificate on that token
3. Enter a PIN 3 times wrongly (or as many times required to block the PIN) - Note: You actually get to enter the PIN 6 times.
Actual Results:  
Firefox display an identical window asking for the password of the token 6 times in a row and finally displays a cryptic error page with "ssl_error_handshake_failure_alert". Pressing cancel in any of those windows has no effect as the next input window is displayed until 3 times pass and again the cryptic SSL error message is displayed

Expected Results:  
1. After the first wrong PIN is entered, a new window pops up with "you entered a wrong PIN, please try again"
2. In any of those windows, pressing Cancel actually stops the process and displays a "can not connect to the remote site because you refused to send a certificate" status page, or if the client certificate was optional on that SSL site, continues without a certificate.
3. When PIN is blocked, a notification window is displayed stating "Your PIN is blocked"

If I have 3 retires and I enter a wrong PIN all times, I get to enter it 6 times before the SSL  handshake error is displayed. Apparently Firefox has a hardcoded "lets try three times" counter that gets triggered when it sees CKR_PIN_LOCKED status from  the card. If I enter a card with a locked PIN, I get to enter a PIN (or press cancel) 3 times, even though every time C_Login returns CKR_PIN_LOCKED.

This affects the usability of all smart cards (like national eID cards in Europe or PIV/CAC cards in US) that are used daily by many people (and a reason why some people continue to use IE. Because Firefox fails).

All tests have been made with OpenSC PKCS#11 and Estonian eID.

Comment 1

[Wan-Teh Chang]

NSS maps CKR_PIN_INCORRECT to SEC_ERROR_BAD_PASSWORD, but
maps CKR_PIN_LOCKED to the default SEC_ERROR_IO error:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/pk11wrap/pk11err.c&rev=1.10&mark=104-106,148,157#104

The SEC_ERROR_xxx error codes are what Firefox sees.  So
Firefox sees SEC_ERROR_IO when the token returns CKR_PIN_LOCKED
to NSS.

Firefox's handling of CKR_PIN_INCORRECT is correct.  You're
just asking for a different message in the second and
subsequent password dialog.

Comment 2

[Nelson Bolyard (seldom reads bugmail)]

Martin, you're requesting two changes:
a) Change the password dialog UI to show different things for some cases.
b) change NSS to report a different (new) nss error code for CKR_PIN_LOCKED.

Please file a separate NSS request for enhancement about that latter point, 
and mark it as blocking this bug.