User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)

Steps to reproduce:
1. Configure Firefox to use a PKCS#11 module that returns CKF_PROTECTED_AUTHENTICATION_PATH in the token flags (this PKCS#11 module displays its own PIN GUI)
2. Perform an SSL authentication using a certificate whose private key has attribute CKA_ALWAYS_AUTHENTICATE set to CK_TRUE (this private key requires login before any protected operation)
3. PKCS#11 module prompts for the PIN
4. Enter PIN

Actual results:
SSL authentication fails. Firefox PKCS#11 call sequence is:
- C_SignInit
- C_Logout
- C_Login(CKU_USER, no PIN): corresponds to step 4. Enter PIN
- C_Sign: fails

Expected results:
According to the PKCS#11 2.20 specification: "The CKA_ALWAYS_AUTHENTICATE attribute can be used to force reauthentication (...) Re-authentication occurs by calling C_Login with userType set to CKU_CONTEXT_SPECIFIC immediately after a cryptographic operation using the key has been initiated (e.g. after C_SignInit)."

In the above call sequence, C_Logout should not occur and C_Login should be called with the CKU_CONTEXT_SPECIFIC parameter.

Note: the same scenario works properly when CKF_PROTECTED_AUTHENTICATION_PATH is not set.
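
The two call sequences from this report, replayed against a small mock token, as an added example that is not part of the original report and is not Firefox, NSS or PKCS#11 module code. The `mock_token` struct and the `m_*` functions are hypothetical stand-ins for the Cryptoki calls; the PIN is not modelled (under CKF_PROTECTED_AUTHENTICATION_PATH the token collects it itself), and the mock assumes C_Logout leaves the pending sign operation in place.

```c
#include <stdio.h>

/* Constant values as defined in PKCS#11 v2.20; everything else is a toy model. */
#define CKR_OK                        0x000UL
#define CKR_OPERATION_NOT_INITIALIZED 0x091UL
#define CKR_USER_NOT_LOGGED_IN        0x101UL
#define CKU_USER                      1UL
#define CKU_CONTEXT_SPECIFIC          2UL

/* Hypothetical mock token holding one key with CKA_ALWAYS_AUTHENTICATE = CK_TRUE. */
typedef struct { int logged_in, op_active, key_authed; } mock_token;

static unsigned long m_login(mock_token *t, unsigned long user_type) {
    if (user_type == CKU_CONTEXT_SPECIFIC) {
        if (!t->op_active) return CKR_OPERATION_NOT_INITIALIZED;
        t->key_authed = 1;            /* lasts until the operation completes */
    } else {
        t->logged_in = 1;             /* session login only, key stays locked */
    }
    return CKR_OK;
}
/* Assumption of this model: logout does not cancel the pending operation. */
static void m_logout(mock_token *t) { t->logged_in = 0; t->key_authed = 0; }
static unsigned long m_sign_init(mock_token *t) {
    if (!t->logged_in) return CKR_USER_NOT_LOGGED_IN;
    t->op_active = 1; t->key_authed = 0;  /* every new operation needs re-auth */
    return CKR_OK;
}
static unsigned long m_sign(mock_token *t) {
    if (!t->op_active) return CKR_OPERATION_NOT_INITIALIZED;
    unsigned long rv = (t->logged_in && t->key_authed) ? CKR_OK : CKR_USER_NOT_LOGGED_IN;
    t->op_active = 0; t->key_authed = 0;  /* operation ends either way */
    return rv;
}
/* Sequence from the report: C_SignInit, C_Logout, C_Login(CKU_USER), C_Sign. */
unsigned long reported_sequence(void) {
    mock_token t = {1, 0, 0};
    m_sign_init(&t); m_logout(&t); m_login(&t, CKU_USER);
    return m_sign(&t);
}
/* Sequence the spec describes: C_SignInit, C_Login(CKU_CONTEXT_SPECIFIC), C_Sign. */
unsigned long expected_sequence(void) {
    mock_token t = {1, 0, 0};
    m_sign_init(&t); m_login(&t, CKU_CONTEXT_SPECIFIC);
    return m_sign(&t);
}
int main(void) {
    printf("reported: 0x%lx, expected: 0x%lx\n", reported_sequence(), expected_sequence());
    return 0;
}
```

In the mock, a CKU_USER login restores the session login but never puts the key into the authenticated state, so the final sign call is refused; only the context-specific login issued after the sign operation is initiated unlocks it.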