PKCS#11: Firefox does not correctly support CKA_ALWAYS_AUTHENTICATE when CKF_PROTECTED_AUTHENTICATION_PATH is set




5 years ago
5 years ago


(Reporter: phtandeo, Unassigned)


25 Branch
Mac OS X

Firefox Tracking Flags

(Not tracked)




5 years ago
User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)

Steps to reproduce:

1. Configure Firefox to use a PKCS#11 module that returns CKF_PROTECTED_AUTHENTICATION_PATH in the token flags (this PKCS#11 module displays its own PIN GUI)
2. Perform an SSL authent using a certificate whose private key has attribute CKA_ALWAYS_AUTHENTICATE set to CK_TRUE (this private key requires login before any protected operation)
3. PKCS#11 module prompts for the PIN
4. Enter PIN

Actual results:

SSL authent fails. Firefox PKCS#11 call sequence is:
- C_SignInit
- C_Logout
- C_Login(CKU_USER, no PIN): corresponds to step 4. Enter PIN
- C_Sign: fails

Expected results:

According to PKCS#11 2.20 specifications: "The CKA_ALWAYS_AUTHENTICATE attribute can be used to force reauthentication (...) Re-authentication occurs by calling C_Login with userType set to CKU_CONTEXT_SPECIFIC immediately after a cryptographic operation using the key has been initiated (e.g. after C_SignInit)."
In above call sequence, C_Logout should not occur and C_Login should be called with CKU_CONTEXT_SPECIFIC parameter.

Note: same scenario works properly when CKF_PROTECTED_AUTHENTICATION_PATH is not set.


5 years ago
OS: Windows 7 → Mac OS X


5 years ago
Component: Untriaged → Security
Product: Firefox → Core
You need to log in before you can comment on or make changes to this bug.