Closed
Bug 613507
Opened 14 years ago
Closed 12 years ago
PK11_FindObjectForCert forces a PKCS#11 module to search every object on the card
Categories
(NSS :: Libraries, defect, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
3.14
People
(Reporter: deengert, Assigned: deengert)
Details
Attachments
(1 file, 3 obsolete files)
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)
Build Identifier: nss-3.13.7
NSS-3.12.7 does a C_FindObjects for a certificate using only CKA_VALUE in the template. This can cause a PKCS#11 to try and read every object off a smart card.
Not only is this a performance issue, it can compound the problems because NSS does not support CKA_ALWAYS_AUTHENTICATE. The reading of these additional objects off the card can come between the pin operation from the C_Login and a C_Sign operation. On some cards this resets the security status, and the C_Sign will fail. See bugs 357025 and 613496 for more information.
The attached patch adds to the search template CKA_TYPE=CKO_CERTIFICATE which then tells the PKCS#11 to only look at certificate objects.
Reproducible: Always
Comment 1•14 years ago (Assignee)
Comment 2•13 years ago
Comment on attachment 491843: Add CKA_TYPE=CKO_CERTIFICATE to template
I'll clean this patch up a little and commit it
Attachment #491843 -
Flags: review+
Updated•13 years ago
Assignee: nobody → deengert
Priority: -- → P2
Target Milestone: --- → 3.13
Comment 3•13 years ago
Comment on attachment 491843: Add CKA_TYPE=CKO_CERTIFICATE to template
This patch doesn't compile, as is. (I fixed that.) Are you sure you tested this? Maybe you can attach the patch that you actually tested?
Comment 4•13 years ago
Updated•13 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Version: unspecified → 3.12
Updated•13 years ago
Attachment #510349 -
Attachment is patch: true
Updated•13 years ago
Summary: A c_FindObject with only CKA_VALUE forces a PKCS#11 module to search every object on the card → PK11_FindObjectForCert forces a PKCS#11 module to search every object on the card
Comment 5•13 years ago
Doug, Do you have steps to reproduce? What can I do in FF or TB to force this function to be called?
Comment 6•13 years ago (Assignee)
In response to Comment 3: Yes I did test it using the SUNPro compiler on Solaris 10. It was part of a set of patches to allow opensc-pkcs11 to work with HSPD-12 PIV cards including using ECDSA keys on the card. It was tested with Thunderbird. On the January 11 version of the patch, when compiling on Windows I see I removed two "&"s before searchTemplate in two calls, which looks like the issue you were seeing. The Sun compiler may have let me get away with a warning in November.
Comment 7•13 years ago (Assignee)
In response to Comment 5: I was using a smartcard to sign e-mail. The newer PIV cards enforce the requirement that the pin be entered just before any crypto operation for the signing key. Using the opensc-pkcs11spy as a security device, I could trace the PKCS11 calls. When sending a signed email, after the pin is sent to the card, a call to C_FindObjectsInit is made with a template that did not include the CKO_CERTIFICATE attribute. This would then cause all the objects on the card to have to be read. (The OpenSC had cached the certificate so it was not read from the card.) The C_FindObjects* would then be followed by a C_SignInit. I was also working with mods to enforce CKA_ALWAYS_AUTHENTICATE which is also needed by these newer cards. I don't have any good trace data without this change, but could set something up tomorrow.
Comment 8•13 years ago (Assignee)
This is an updated patch for nss-0.12.10 tested with TB 5.0 on Solaris 10 and using OpenSC-pkcs11.so to access HSPD-12 PIV smartcard. This is both a performance improvement, and helps avoid invalidating a CKA_ALWAYS_AUTHENTICATE operation. Without the change, a card may be asked to
Attachment #491843 -
Attachment is obsolete: true
Comment 9•13 years ago (Assignee)
(Comment 8 is incomplete. It should continue:) read *EVERY* object on a card, just to find a certificate that has already been cached. This can be a performance problem if the card has objects like fingerprints, photos, and other large data objects that need not be read. Also, if this happens during a CKA_ALWAYS_AUTHENTICATE operation (which was how this problem was found), the operation will fail, as some cards like the PIV require the presentation of the PIN to be immediately followed by the signing operation.
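The failure described in the report and in comments 7 to 9, as an added example that is not part of the bug thread or the NSS patch: a toy C model of a token in which a value-only search reads every uncached object and clears the PIN state before signing, while a search that also constrains the object class reads nothing. All names are hypothetical (this is not the PKCS#11 or NSS API); it assumes the certificate is cached by the module and that any card read resets the security status.

```c
#include <stdio.h>
#include <string.h>

/* Toy token model. All names are hypothetical; not the PKCS#11 or NSS API. */
enum { ANY_CLASS = -1, OBJ_DATA, OBJ_CERT };
struct card_obj { int cls; const char *value; int cached; };
struct card { const struct card_obj *objs; size_t n; int reads; int pin_fresh; };

/* Constructed sample card: three large data objects and one cached certificate. */
static const struct card_obj SAMPLE[] = {
    { OBJ_DATA, "FINGERPRINTS", 0 },
    { OBJ_DATA, "PHOTO",        0 },
    { OBJ_DATA, "PRINTED-INFO", 0 },
    { OBJ_CERT, "CERT-DER",     1 },  /* already cached by the module */
};

/* Assumption: any read from the card clears the "PIN just presented" state. */
static const char *card_read(struct card *c, size_t i) {
    c->reads++; c->pin_fresh = 0;
    return c->objs[i].value;
}

/* Count objects matching (class, value). Class is known without a read; value needs one unless cached. */
static int find_objects(struct card *c, int cls, const char *value) {
    int matches = 0;
    for (size_t i = 0; i < c->n; i++) {
        const struct card_obj *o = &c->objs[i];
        if (cls != ANY_CLASS && o->cls != cls) continue;  /* filtered out, no read */
        const char *v = o->cached ? o->value : card_read(c, i);
        if (strcmp(v, value) == 0) matches++;
    }
    return matches;
}

/* PIN presented, certificate looked up, then sign: 0 = signed, -1 = PIN state lost, -2 = not found. */
static int sign_after_lookup(int cls, int *reads) {
    struct card c = { SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0], 0, 1 };  /* pin_fresh = 1: just logged in */
    int found = find_objects(&c, cls, "CERT-DER");
    *reads = c.reads;
    return found != 1 ? -2 : (c.pin_fresh ? 0 : -1);
}

int main(void) {
    int r, rc = sign_after_lookup(ANY_CLASS, &r);
    printf("value only:    sign rc=%d, card reads=%d\n", rc, r);
    rc = sign_after_lookup(OBJ_CERT, &r);
    printf("class + value: sign rc=%d, card reads=%d\n", rc, r);
    return 0;
}
```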
Comment 10•12 years ago (Assignee)
Comment on attachment 552173: Performance, and avoid invalidating a CKA_ALWAYS_AUTHENTICATE operation
As suggested by Robert Relyea, I am requesting Wan-Teh to review this modification.
Attachment #552173 -
Flags: review?(wtc)
Comment 11•12 years ago
Doug: thank you for the patch. You're not a distant cousin of Kai Engert's, are you? :-)
I fixed a similar bug in PK11_GetLowLevelKeyIDForCert.
Patch checked in on the NSS trunk (NSS 3.14).
Checking in pk11cert.c;
/cvsroot/mozilla/security/nss/lib/pk11wrap/pk11cert.c,v <-- pk11cert.c
new revision: 1.182; previous revision: 1.181
done
Attachment #510349 -
Attachment is obsolete: true
Attachment #552173 -
Attachment is obsolete: true
Attachment #552173 -
Flags: review?(wtc)
Updated•12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: 3.13 → 3.14