Personal certificates on smart card not recognized as personal but shown in "other" tab

Status: RESOLVED INVALID
Product: NSS
Component: Libraries
Reporter: Nikolay Shopik
Assignee: Unassigned
Firefox Tracking Flags: (Not tracked)
Attachments: 3

Description (Reporter, 8 years ago)

Firefox doesn't seem to recognize my personal certificates, which are used for site authentication. The certificate has the Extended Key Usage attribute TLS Web Client Authentication (1.3.6.1.5.5.7.3.2). This certificate property is detected in IE8 and the certificate can be used there. The certificate is stored in an Aladdin eToken.
Comment 1 (Reporter, 8 years ago)

This applies to both Firefox and Thunderbird, so I'm moving it to NSS.

Assignee: nobody → nobody
Component: Security → Libraries
Product: Firefox → NSS
QA Contact: firefox → libraries
Summary: Personal certificates doesn't recognized as personal shown in "other" tab → Personal certificates doesn't recognized as personal but shown in "other" tab
Version: 3.6 Branch → unspecified
Comment 2

The only certificates shown in the "personal" tab are those for which FF and/or TB have access to the corresponding private key. I'll bet you've never put the private key into FF's key DB. Right?

Summary: Personal certificates doesn't recognized as personal but shown in "other" tab → Personal certificates not recognized as personal but shown in "other" tab
Comment 3 (Reporter, 8 years ago)

> I'll bet you've never put the private key into FF's key DB.  Right?

How am I going to do that? And doesn't that defeat the purpose of having the private key stored on a hardware token?

Comment 4

I overlooked your mention of the Aladdin eToken. Sorry. Is FF configured to know about the PKCS#11 software module for your Aladdin eToken? See

https://developer.mozilla.org/en/PKCS11_Module_Installation#Using_the_Firefox_Preferences_Dialog_to_Install_PKCS11_Modules
Comment 5 (Reporter, 8 years ago)

Created attachment 433588 [details]
device manager screenshot

Yeah, I've installed the needed drivers. Have a look at the screenshot. I have a Thawte personal certificate which is working just fine, for example, and shows up in the "Personal" tab. But the ones from the other site don't show up in Personal, as I said earlier, only in the Other tab. Any thoughts on that?
Comment 6

FF will only show a cert in the tab of "your personal" certificates if/when it can find the corresponding private key in some PKCS#11 module. Possible reasons FF may not be able to find that key, even if it is in an available token, can include:

- you may not be logged in to the token, and the key in question may be configured to be invisible unless you are logged in - that is, it may be configured such that the token will not reveal its presence when you are not logged in to the token

- The key and the certificate each have an identifying number, the CKA_ID, by which the application (FF) can reference them. The key and the cert should have the SAME CKA_ID number, to make it obvious that they correspond. FF creates its keys and certs that way, as do most apps. But it's possible that whatever app created these objects on the token did not give them the same CKA_IDs, in which case FF may not be able to determine that the key corresponds to the cert. If the objects on the token have been installed in a way that doesn't enable FF to tell that they correspond, there isn't much FF can do.

I suggest you try forcefully logging into your token, using that same device manager panel, and then bring up the cert manager panel (don't have the panel already up somewhere, open it after logging in) and see if the cert is shown in the personal certs tab.

If that doesn't work, then the next step would be to run a program that enumerates all the certs and keys and shows their CKA_IDs, to see if the token shows that it has a key corresponding to the cert.
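The matching rule described in comment 6, as an added example that is not part of the thread and not NSS code: a small Python model of a PKCS#11 token whose objects carry a CKA_ID and a CKA_PRIVATE flag, with the enumeration step the comment suggests. The object class constants are the PKCS#11 values; the `TokenObject` type, the helper functions and the token contents are assumptions constructed for this example.

```python
# Added example (not from the bug thread, not NSS code): a model of how a
# PKCS#11 client decides whether a certificate on a token is "personal",
# i.e. whether a private key with the same CKA_ID is visible to it.
from dataclasses import dataclass

CKO_CERTIFICATE, CKO_PRIVATE_KEY = 0x1, 0x3   # PKCS#11 object class values

@dataclass(frozen=True)
class TokenObject:          # assumed type for this example
    cls: int                # CKO_* object class
    cka_id: bytes           # CKA_ID, the handle that pairs a cert with its key
    label: str
    private: bool = False   # CKA_PRIVATE: object only visible after login

# Constructed token contents covering the cases comment 6 describes.
TOKEN = [
    TokenObject(CKO_CERTIFICATE, b"\x01", "Thawte personal"),
    TokenObject(CKO_PRIVATE_KEY, b"\x01", "Thawte key", private=True),
    TokenObject(CKO_CERTIFICATE, b"\x02", "Site auth cert (old tool)"),
    TokenObject(CKO_PRIVATE_KEY, b"\x99", "Site auth key (old tool)", private=True),
    TokenObject(CKO_CERTIFICATE, b"\x03", "Public-only cert"),
]

def visible_objects(token, logged_in):
    """Objects the token reveals; CKA_PRIVATE objects need a login."""
    return [o for o in token if logged_in or not o.private]

def classify_certs(token, logged_in):
    """Return {cert label: tab}; a cert is 'Personal' only when a visible
    private key shares its CKA_ID, otherwise it lands in 'Other'."""
    objs = visible_objects(token, logged_in)
    key_ids = {o.cka_id for o in objs if o.cls == CKO_PRIVATE_KEY}
    return {o.label: ("Personal" if o.cka_id in key_ids else "Other")
            for o in objs if o.cls == CKO_CERTIFICATE}

def dump_cka_ids(token, logged_in):
    """The enumeration comment 6 asks for: every visible object with its CKA_ID."""
    return [(o.label, o.cls, o.cka_id.hex())
            for o in visible_objects(token, logged_in)]

if __name__ == "__main__":
    for logged_in in (False, True):
        print(f"logged_in={logged_in}")
        for label, cls, cka_id in dump_cka_ids(TOKEN, logged_in):
            print(f"  class={cls} CKA_ID={cka_id} {label}")
        print("  tabs:", classify_certs(TOKEN, logged_in))
```

Before login every cert is in Other because no private key is visible; after login only the cert whose key has the same CKA_ID moves to Personal, while the mismatched pair written by the old tool stays in Other.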
Comment 7 (Reporter, 8 years ago)

(In reply to comment #6)
> I suggest you try forcefully logging into your token, using that same device
> manager panel, and then bring up the cert manager panel (don't have the 
> panel already up somewhere, open it after logging in) and see if the cert is
> shown in the personal certs tab.  
> 
> If that doesn't work, then the next step would be to run a program that
> enumerates all the certs and keys and shows their CKA_IDs, to see if the 
> token shows that it has a key corresponding to the cert.

You mean Tools->Options->Advanced->Encryption->View Certificates? After pressing this button it asks for my password, but I can cancel and it still shows, for example, my Thawte certificate in the "Personal" tab. But I will try that for the certificate that isn't working (it's on a different token right now).

How can I enumerate certs and keys to show their CKA_IDs?
Comment 8

> You mean Tools->Options->Advanced->Encryption->View Certificates?

I think you're asking if that's what I meant by "forcefully logging into your token, using that same device manager panel". No, I'm referring to the same panel you showed in the screen shot you attached. In that screen shot, you will notice buttons labeled "log in" and "log out". If you select the slot with your eToken on the left, then those buttons will be enabled (they will not be gray). You can click "log in" to log in.

Remember, each cert may have a separate configuration in the token. One cert may be configured to show up at all times, even when the token is not logged in. Another cert (or key) may be configured to only appear when logged in.
Comment 9 (Reporter, 8 years ago)

Nelson, usually I'm already logged in, because Firefox keeps spamming me about my token password on practically every page I open. But I'll double check, though I really doubt this is the case.

Comment 10

Your token may be one of those that logs out immediately after each time you use it, to force you to log in again before the next time you use it, or it may have a login timeout that is extremely short.
Comment 11 (Reporter, 8 years ago)

Sorry, I haven't been clear enough. What I mean is that FF keeps asking me for the password on every page, but I keep pressing cancel; after I enter the password it stops popping up the password dialog prompt for all pages and stays logged in.
Comment 12 (Reporter, 8 years ago)

Created attachment 433890 [details]
Screenshot-Certificate Manager

As you can see, even though I'm logged in, it still shows in the Other tab.
Comment 13 (Reporter, 8 years ago)

Created attachment 433981 [details]
certificate viewer

Maybe my problem is because of the Cyrillic name of the certificate? Notice the title border has wrong encoding.

Comment 14

No, the problem with the name in the title bar is a known issue with the UI code, but not relevant to NSS's ability to match cert and key in the module.
Comment 15 (Reporter, 8 years ago)

So, what will my next step be, enumerating certs and keys to show their CKA_IDs?

Comment 16

Yes, I'm looking for the right tool to do that now.
Comment 17 (Reporter, 8 years ago)

Nelson, I tried to generate a private/public key pair in a file and import it into FF; it loads perfectly fine. Looks like the issue only occurs when the private key is stored on a hardware token. I still don't understand why IE8 works :(
Comment 18 (Reporter, 8 years ago)

Looks like I've found the root of my problem. The program which writes the generated private key to the token is outdated and written for an old version of the driver, so to make it work I had to use a new version of the program (with the new driver), and the certificate appears in the "Personal" tab. I'll double check and, if this is true, close this bug as invalid.
Comment 19 (Reporter, 8 years ago)

Aladdin eToken 3.65 drivers work with the old version of the program, and newer drivers require the new version of the program to correctly create the private key so that FF recognizes it.

Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → INVALID

Comment 20

Nikolay, thank you for telling us the solution you found to your problem. Perhaps it will help other users also.

Summary: Personal certificates not recognized as personal but shown in "other" tab → Personal certificates on smart card not recognized as personal but shown in "other" tab