935639 - PKCS#11: Firefox does not correctly support CKA_ALWAYS_AUTHENTICATE when CKF_PROTECTED_AUTHENTICATION_PATH is set

Status: UNCONFIRMED

(Core :: Security, defect)

Description

[phtandeo]

User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)

Steps to reproduce:

1. Configure Firefox to use a PKCS#11 module that returns CKF_PROTECTED_AUTHENTICATION_PATH in the token flags (this PKCS#11 module displays its own PIN GUI)
2. Perform an SSL authent using a certificate whose private key has attribute CKA_ALWAYS_AUTHENTICATE set to CK_TRUE (this private key requires login before any protected operation)
3. PKCS#11 module prompts for the PIN
4. Enter PIN


Actual results:

SSL authent fails. Firefox PKCS#11 call sequence is:
- C_SignInit
- C_Logout
- C_Login(CKU_USER, no PIN): corresponds to step 4. Enter PIN
- C_Sign: fails


Expected results:

According to PKCS#11 2.20 specifications: "The CKA_ALWAYS_AUTHENTICATE attribute can be used to force reauthentication (...) Re-authentication occurs by calling C_Login with userType set to CKU_CONTEXT_SPECIFIC immediately after a cryptographic operation using the key has been initiated (e.g. after C_SignInit)."
In above call sequence, C_Logout should not occur and C_Login should be called with CKU_CONTEXT_SPECIFIC parameter.

Note: same scenario works properly when CKF_PROTECTED_AUTHENTICATION_PATH is not set.