Created attachment 1506438
screenshot

Description of problem:
When accessing a webUI using firefox or chrome, the crypto policy requires PIV auth and creates a popup. In cases where it is accessing data (like doing a Red Hat Repository page build in Satellite), this pop-up occurs 10 times during load.

In order to work around the issue, the file:

    # rm /etc/crypto-policies/local.d/nss-p11-kit.config
    # update-crypto-policies

However, if this were a truly smart-card required environment, this would not be an acceptable fix.

Version-Release number of selected component (if applicable):
p11-kit-server-0.23.14-1.fc29.x86_64
p11-kit-trust-0.23.14-1.fc29.x86_64
p11-kit-0.23.14-1.fc29.x86_64

How reproducible:

Steps to Reproduce:
1. Take smart card enabled system and log into Satellite webUI
2. Click on Content -> Red Hat Repositories

This particular page in Satellite brings up the popup at least 10 times.

Actual results:
PIV popup during load

Expected results:
either 1 auth attempt or no popup at all

Additional info:
There should be a way to specify or disable the auth for a particular case or service.

Would you be able to collect a backtrace from the point the dialog actually appears? I think that should be possible with:

1. dnf debuginfo-install firefox nss
2. gdb /usr/lib64/firefox/firefox-bin

    (gdb) b PK11PasswordPrompt
    (gdb) r
    ...
    (gdb) bt

On F29, I can only reproduce it under the following condition:

- softhsm package is installed, and a token is created
- _no_ physical smartcard/hardware token is attached

This is a bit different from the original description, and I am not really sure we are seeing the same issue. So I would like to clarify the following:

- which PKCS#11 driver is in use (and yubikey version)
- the call trace I asked for in comment 1

FWIW, in my test, the call trace until PK11PasswordPrompt is:

    mozilla::net::CanEnableSpeculativeConnect
    -> nsNSSComponent::HasUserCertsInstalled
    -> CERT_FindUserCertsByUsage
    -> CERT_GetCertNicknames
    -> pk11_TraverseAllSlots
    -> PK11PasswordPrompt

In CanEnableSpeculativeConnect, there are 2 checks on tokens attached to the system:

1. whether there is any removable slot: if there is any, it gives up
2. whether there is any user certificate (i.e. a certificate with a private key) in any token: if there is any, it gives up

https://searchfox.org/mozilla-central/source/netwerk/protocol/http/nsHttpHandler.cpp#2475

The problem is in (2), which results in authenticating all tokens.

I do not currently have a smart card setup, but when I do it is a USB to PIV card reader. The Yubikey is a nano, configured only for 2FA token generation.
Here is the lsusb output:

    Bus 001 Device 002: ID 1050:0407 Yubico.com Yubikey 4 OTP+U2F+CCID

I believe the patch in the linked upstream bug (against firefox) should fix the issue. Moving to firefox.
I'll look at it, Thanks.
It's already included in firefox-69.0 package, closing.