Open Bug 506939 Opened 11 years ago Updated 3 years ago
Firefox does not understand and inform the user when PKCS#11 token PIN is invalid or blocked
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7; et-ee) AppleWebKit/530.19.2 (KHTML, like Gecko) Version/4.0.2 Safari/530.19 Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; et; rv:188.8.131.52) Gecko/20090715 Firefox/3.5.1 Firefox (or Thunderbird) does not understand when PKCS#11 module returns CKR_PIN_INCORRECT. No meaningful error is shown to the user, the PIN dialog just re-appears. Nor does it understand CKR_PIN_LOCKED. If a card PIN is in locked state when Firefox starts using it, it still tries to display the PIN dialog 3 times before giving up. In other words, Firefox does not understand token flags CKF_USER_PIN_LOCKED and CKF_USER_PIN_COUNT_LOW nor return codes CKR_PIN_LOCKED and CKR_PIN_INCORRECT Reproducible: Always Steps to Reproduce: 1. Enter a card with a configured pkcs#11 provider (OpenSC for example) that has 3 retires before it becomes locked 2. Go to a website requiring a certificate on that token 3. Enter a PIN 3 times wrongly (or as many times required to block the PIN) - Note: You actually get to enter the PIN 6 times. Actual Results: Firefox display an identical window asking for the password of the token 6 times in a row and finally displays a cryptic error page with "ssl_error_handshake_failure_alert". Pressing cancel in any of those windows has no effect as the next input window is displayed until 3 times pass and again the cryptic SSL error message is displayed Expected Results: 1. After the first wrong PIN is entered, a new window pops up with "you entered a wrong PIN, please try again" 2. In any of those windows, pressing Cancel actually stops the process and displays a "can not connect to the remote site because you refused to send a certificate" status page, or if the client certificate was optional on that SSL site, continues without a certificate. 3. When PIN is blocked, a notification window is displayed stating "Your PIN is blocked" If I have 3 retires and I enter a wrong PIN all times, I get to enter it 6 times before the SSL handshake error is displayed. Apparently Firefox has a hardcoded "lets try three times" counter that gets triggered when it sees CKR_PIN_LOCKED status from the card. If I enter a card with a locked PIN, I get to enter a PIN (or press cancel) 3 times, even though every time C_Login returns CKR_PIN_LOCKED. This affects the usability of all smart cards (like national eID cards in Europe or PIV/CAC cards in US) that are used daily by many people (and a reason why some people continue to use IE. Because Firefox fails). All tests have been made with OpenSC PKCS#11 and Estonian eID.
NSS maps CKR_PIN_INCORRECT to SEC_ERROR_BAD_PASSWORD, but maps CKR_PIN_LOCKED to the default SEC_ERROR_IO error: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/pk11wrap/pk11err.c&rev=1.10&mark=104-106,148,157#104 The SEC_ERROR_xxx error codes are what Firefox sees. So Firefox sees SEC_ERROR_IO when the token returns CKR_PIN_LOCKED to NSS. Firefox's handling of CKR_PIN_INCORRECT is correct. You're just asking for a different message in the second and subsequent password dialog.
Martin, you're requesting two changes: a) Change the password dialog UI to show different things for some cases. b) change NSS to report a different (new) nss error code for CKR_PIN_LOCKED. Please file a separate NSS request for enhancement about that latter point, and mark it as blocking this bug.
Assignee: nobody → kaie
Severity: major → enhancement
Component: General → Security: PSM
Product: Firefox → Core
QA Contact: general → psm
Version: unspecified → 1.9.1 Branch
Priority: -- → P5
Whiteboard: [psm-smartcard] → [psm-smartcard][psm-blocked]
You need to log in before you can comment on or make changes to this bug.