Closed Bug 613507 Opened 14 years ago Closed 12 years ago

PK11_FindObjectForCert forces a PKCS#11 module to search every object on the card

Categories

(NSS :: Libraries, defect, P2)

3.12
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: deengert, Assigned: deengert)

Details

Attachments

(1 file, 3 obsolete files)

User-Agent:       Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)
Build Identifier: nss-3.13.7

NSS-3.12.7 does a C_FindObjects for a certificate using only CKA_VALUE
in the template. This can cause a PKCS#11 to try and read every object
off a smart card. Not only is this a performance issue, it can
compound the problems because NSS does not support CKA_ALWAYS_AUTHENTICATE.

The reading of these additional objects off the card can come between
the pin operation from the C_Login and a C_Sign operation. On some cards
this resets the security status, and the C_Sign will fail. 

See bugs 357025 and 613496 for more information. 

The attached patch adds to the search template CKA_TYPE=CKO_CERTIFICATE
which then tells the PKCS#11 to only look at certificate objects. 


Reproducible: Always
Comment on attachment 491843
Add CKA_TYPE=CKO_CERTIFICATE to template

I'll clean this patch up a little and commit it
Attachment #491843 - Flags: review+
Assignee: nobody → deengert
Priority: -- → P2
Target Milestone: --- → 3.13
Comment on attachment 491843
Add CKA_TYPE=CKO_CERTIFICATE to template

This patch doesn't compile, as is.  (I fixed that.)
Are you sure you tested this?  
Maybe you can attach the patch that you actually tested?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Version: unspecified → 3.12
Attachment #510349 - Attachment is patch: true
Summary: A c_FindObject with only CKA_VALUE forces a PKCS#11 module to search every object on the card → PK11_FindObjectForCert forces a PKCS#11 module to search every object on the card
Doug, Do you have steps to reproduce? 
What can I do in FF or TB to force this function to be called?
In response to Comment 3:

Yes I did test it using the SUNPro compiler on Solaris 10. It was part of
a set of patches to allow opensc-pkcs11 to work with HSPD-12 PIV cards
including using ECDSA keys on the card. It was tested with Thunderbird. 

On the January 11 version of the patch, when compiling on Windows I see I
removed two "&"s before searchTemplate in two calls, which looks like the issue
you were seeing.  The Sun compiler may have let me get away with a warning in
November.
In response to Comment 5:

I was using a smartcard to sign e-mail. The newer PIV cards enforce the requirement that the pin be entered just before any crypto operation for the signing key. Using the opensc-pkcs11spy as a security device, I could 
trace the PKCS11 calls. When sending a signed email, after the pin is 
sent to the card, a call to C_FindObjectsInit is made with a template that 
did not include the CKO_CERTIFICATE attribute. This would then cause all the objects on the card to have to be read. (The OpenSC had cached the certificate so it was not read from the card.) The C_FindObjects* would then be followed by a C_SignInit.

I was also working with mods to enforce CKA_ALWAYS_AUTHENTICATE which
is also needed by these newer cards.

I don't have any good trace data without this change, but could set something up tomorrow.
This is an updated patch for nss-0.12.10 tested with TB 5.0 on Solaris 10 
and using OpenSC-pkcs11.so to access HSPD-12 PIV smartcard.
This is both a performance improvement, and helps avoid invalidating
a CKA_ALWAYS_AUTHENTICATE operation. Without the change, a card may
be asked to
Attachment #491843 - Attachment is obsolete: true
(Comment 8 is incomplete. It should continue:)

read *EVERY* object on a card, just to find a certificate that
has already been cached. This can be a performance problem if the
card has objects like fingerprints, photos, and other large data
objects that need not be read. Also, if this happens during a CKA_ALWAYS_AUTHENTICATE operation (which was how this problem was found),
the operation will fail, as some cards like the PIV require the 
presentation of the PIN to be immediately followed by the signing operation.
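
The effect described in this bug, as an added example that is not part of the bug thread or of NSS: a constructed in-memory token model (the object list, `find_object` and `login_find_sign` are hypothetical) compares a search template holding only CKA_VALUE with one that also names the certificate object class, which the PKCS#11 standard carries in the CKA_CLASS attribute. It assumes a module that tests template attributes in order and a card that drops its PIN state on any read.

```c
#include <stdio.h>
#include <string.h>
/* Attribute and object-class values as defined by the PKCS#11 standard. */
enum { CKA_CLASS = 0x00, CKA_VALUE = 0x11, CKO_DATA = 0, CKO_CERTIFICATE = 1 };
/* Constructed token model: the class is known from the card directory; the
 * value costs a card read unless the module already has it cached. */
struct obj  { unsigned long cls; const char *value; int cached; };
struct attr { unsigned long type; const void *val; size_t len; };
static const struct obj card[] = {
    { CKO_DATA, "fingerprints", 0 }, { CKO_DATA, "photo", 0 },
    { CKO_CERTIFICATE, "signing-cert", 1 }, { CKO_DATA, "chuid", 0 } };
static int card_reads, pin_fresh;
/* Scan all objects; test attributes in template order, stop at a mismatch. */
static int find_object(const struct attr *t, int n) {
    int found = -1;
    for (int i = 0; i < (int)(sizeof card / sizeof card[0]); i++) {
        int ok = 1;
        for (int a = 0; ok && a < n; a++) {
            if (t[a].type == CKA_CLASS) {
                ok = card[i].cls == *(const unsigned long *)t[a].val;
            } else {                      /* CKA_VALUE: needs the contents */
                if (!card[i].cached) { card_reads++; pin_fresh = 0; }
                ok = strlen(card[i].value) == t[a].len &&
                     memcmp(card[i].value, t[a].val, t[a].len) == 0;
            }
        }
        if (ok && found < 0) found = i;
    }
    return found;
}

/* Login, search, sign: returns 1 if the sign would still be authorized. */
static int login_find_sign(int with_class, int *reads) {
    static const unsigned long cls = CKO_CERTIFICATE;
    struct attr t[2]; int n = 0;
    if (with_class) t[n++] = (struct attr){ CKA_CLASS, &cls, sizeof cls };
    t[n++] = (struct attr){ CKA_VALUE, "signing-cert", strlen("signing-cert") };
    card_reads = 0; pin_fresh = 1;        /* C_Login just verified the PIN */
    int idx = find_object(t, n);
    *reads = card_reads;
    return idx == 2 && pin_fresh;         /* index 2 is the certificate */
}

int main(void) {
    int r1, r2, s1 = login_find_sign(0, &r1), s2 = login_find_sign(1, &r2);
    printf("CKA_VALUE only:        reads=%d sign_ok=%d\n", r1, s1);
    printf("CKA_CLASS + CKA_VALUE: reads=%d sign_ok=%d\n", r2, s2);
    return 0;
}
```

With the class attribute first in the template, the three data objects are rejected on class alone and the cached certificate is the only value compared, so no card read falls between the login and the sign.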
Comment on attachment 552173
Performance, and avoid invalidating a CKA_ALWAYS_AUTHENTICATE operation

As suggested by Robert Relyea, I am requesting Wan-Teh to review this modification.
Attachment #552173 - Flags: review?(wtc)
Doug: thank you for the patch.  You're not a
distant cousin of Kai Engert's, are you?  :-)

I fixed a similar bug in PK11_GetLowLevelKeyIDForCert.

Patch checked in on the NSS trunk (NSS 3.14).

Checking in pk11cert.c;
/cvsroot/mozilla/security/nss/lib/pk11wrap/pk11cert.c,v  <--  pk11cert.c
new revision: 1.182; previous revision: 1.181
done
Attachment #510349 - Attachment is obsolete: true
Attachment #552173 - Attachment is obsolete: true
Attachment #552173 - Flags: review?(wtc)
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: 3.13 → 3.14