Open Bug 506965 Opened 15 years ago Updated 4 months ago

NSS does not support CKR_FUNCTION_CANCELED from C_Login


(NSS :: Libraries, enhancement, P5)



(Not tracked)



(Reporter: martin, Unassigned)


(Blocks 1 open bug)


User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7; et-ee) AppleWebKit/530.19.2 (KHTML, like Gecko) Version/4.0.2 Safari/530.19
Build Identifier: 

When using Firefox with a pinpad reader and user cancels the PIN entry with the red button, OpenSC PKCS#11 returns CKR_FUNCTION_CANCELED, as defined in PKCS#11 v2.11. NSS maps this to a generic failure and Firefox continues to ask for the PIN.

Reproducible: Always

Steps to Reproduce:
1. Use a pinpad reader with a PKCS#11 provider that supports it, like SCM SPR532 with OpenSC and Estonian eID
2. Go to a website requiring a client certificate from the token
3. When asked to enter the PIN on the pinpad, press cancel (TheRedButton)
Actual Results:  
A new popup window appears asking me to enter the PIN on the pinpad again, repeated 3 times and ends with an error screen with ssl_error_handshake_failure_alert

Expected Results:  
After pressing cancel, an information window with "operation cancelled by user" message should appear. If the client certificate was optional, firefox should continue. If it was required, an information screen with "Can not continue without a client certificate" should be displayed.
Blocks: 506939
Why do you think this is a bug?
I think you are asking for the product to work differently than it was 
designed to work.
Severity: normal → enhancement
PKCS#11 spec: CKR_FUNCTION_CANCELED: ..... It also happens 
to a function that performs PIN entry through a protected path. The method used to cancel 
a protected path PIN entry operation is device dependent. 

Firefox/NSS apparently supports pinpad authentication as simple verification in simple cases works and Firefox knows how to display an information window "Please enter PIN on pinpad". So I assume the product is designed to work with pinpads.

In fact, not only C_Login can return this return code but any operation with PKCS#11 that might require authenticatin (like C_Sign). The way NSS translates it to SEC_ERROR_LIBRARY_FAILURE sure seems a bug to me.
Blocks: 506974
Severity: normal → S3
Severity: S3 → N/A
Priority: -- → P5
You need to log in before you can comment on or make changes to this bug.