Description of problem:
Firefox pulls in the p11-kit-trust package, which creates security modules for PKCS#11 always at startup. These do not work with the OpenSC onepin module that was created to respect the certificate non-repudiation attribute, which is needed with cards that hold more than one certificate. Currently p11-kit pushes itself as a second pkcs11 authentication on every fscking browser startup and causes multiple PIN-code dialogs for id-card authentication and most likely will lock the card to require a PUK-code release - or render the government-issued id-card useless. Apparently whoever packaged this does not use id-cards for authentication with browsers, nor was it properly tested.

Version-Release number of selected component (if applicable):
p11-kit-0.23.16.1-1.fc30.x86_64

How reproducible:
Always, always requires manual removal and will re-appear at every startup.

Steps to Reproduce:
1. Start firefox.
Thank you for the bug report. The onepin module does not care about the non-repudiation attribute, nor does it do anything with the number of certificates. The onepin module only exposes one slot with the first PIN, which is usually what is needed to avoid the issues you describe.

I think we can modify the opensc modules exposed to p11-kit to load the onepin module for firefox (and maybe thunderbird), while still using the normal module in other cases? Can you try whether modifying the module files like this works for you?

# cat /usr/share/p11-kit/modules/opensc.module
module: opensc-pkcs11.so
disable-in: firefox thunderbird-bin

# cat /usr/share/p11-kit/modules/opensc-onepin.module
module: opensc-pkcs11.so
enable-in: firefox thunderbird-bin

Unfortunately, our government does not provide ID cards that would be readable and usable by any opensource tools, so I could not verify that for you.
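As an added check (not part of this bug report, OpenSC or p11-kit), the following script parses .module files the way pkcs11.conf(5) describes (enable-in as an allow-list, disable-in as a deny-list, program names being the executable basename) and reports which PKCS#11 library a given program would register more than once. The file contents are constructed inline from the two files in comment #1 plus a p11-kit-trust module, before and after the proposed enable-in/disable-in change.

```python
import re
# Constructed copies of the two module files from comment #1 plus a trust module,
# as shipped (loaded into every program) and as proposed (split by program name).
FILES_BEFORE = {
    "opensc.module": "module: opensc-pkcs11.so\n",
    "opensc-onepin.module": "module: opensc-pkcs11.so\n",
    "p11-kit-trust.module": "module: p11-kit-trust.so\ntrust-policy: yes\n",
}
FILES_AFTER = {
    "opensc.module": "module: opensc-pkcs11.so\ndisable-in: firefox thunderbird-bin\n",
    "opensc-onepin.module": "module: opensc-pkcs11.so\nenable-in: firefox thunderbird-bin\n",
    "p11-kit-trust.module": "module: p11-kit-trust.so\ntrust-policy: yes\n",
}

def parse_module(text):
    """Parse one .module file: 'key: value' lines, '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip()] = value.strip()
    return conf

def _programs(value):
    # Comma and/or space separated program names (basename of the executable).
    return {p for p in re.split(r"[,\s]+", value) if p}

def active_in(program, conf):
    """enable-in is an allow-list (and wins if both are set), disable-in a deny-list."""
    if "enable-in" in conf:
        return program in _programs(conf["enable-in"])
    if "disable-in" in conf:
        return program not in _programs(conf["disable-in"])
    return True  # neither key: p11-kit loads the module in every program

def modules_loaded_in(program, files):
    """Map library -> [module files] for what p11-kit would register in `program`."""
    loaded = {}
    for name, text in files.items():
        conf = parse_module(text)
        if "module" in conf and active_in(program, conf):
            loaded.setdefault(conf["module"], []).append(name)
    return loaded

def duplicate_libraries(program, files):
    """Libraries registered twice in one process: each copy exposes its own slots,
    so the card PIN is prompted for once per copy (the symptom in this report)."""
    return {lib: n for lib, n in modules_loaded_in(program, files).items() if len(n) > 1}
```

Run it against the real directories by reading /etc/pkcs11/modules/ and /usr/share/p11-kit/modules/ into the same dict shape (a file in the former overrides one of the same name in the latter).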
(In reply to Jakub Jelen from comment #1)
> Thank you for the bug report. The onepin module does not care

which is why it was created in the first place.

> Unfortunately, our government does not provide ID cards that would be
> readable and usable by any opensource tools so I could not verify that for
> you.

So why are you pushing this into hundreds of thousands of desktops without being able even to test it? I alone have lost many work hours for this which I don't need. Do you want to pay those hours?
This was properly communicated through the release notes of Fedora 29: https://docs.fedoraproject.org/en-US/fedora/f29/release-notes/sysadmin/Security/
(In reply to Jakub Jelen from comment #3)
> This was properly communicated through the release notes of Fedora 29:
>
> https://docs.fedoraproject.org/en-US/fedora/f29/release-notes/sysadmin/Security/

It doesn't properly communicate my question in comment #3:

> So why are you pushing this into hundreds of thousands desktops without being able even to test it?
(In reply to Jakub Jelen from comment #3)
> This was properly communicated through the release notes of Fedora 29:
>
> https://docs.fedoraproject.org/en-US/fedora/f29/release-notes/sysadmin/Security/

I would say this is communicated:

https://fedoraproject.org/wiki/Changes/NSSLoadP11KitModules

and as we now see, it's full of errors. Like the chapters 'compatibility impact' or 'User experience'. The Change template and the Fedora process ask the correct questions, and this bug report is proof that the template is there for a reason. Is Ueno or Jkurik able to test this?

https://fedoraproject.org/w/index.php?title=Changes/NSSLoadP11KitModules&action=history
(In reply to Juha Tuomala from comment #2)
> So why are you pushing this into hundreds of thousands desktops without
> being able even to test it?

Because most of these desktops will not have any issues with this change, either because they are not using any smart card at all or they are using smart cards with a single PIN. In that case, it will simplify their lives. As for the corner cases, this is what we are trying to handle here in this bug report (see comment #1 for the proposed solution).
(In reply to Jakub Jelen from comment #6)
> (In reply to Juha Tuomala from comment #2)
> > So why are you pushing this into hundreds of thousands desktops without
> > being able even to test it?
>
> Because for most of these desktops will not have any issues with this
> change. Either because they are not using any smart card at all or they are
> using smart cards with single pin.

Most? You think there are more people purchasing certificate cards than the whole European population, who get certificates automatically if they choose to get a government-issued id-card?

https://webgate.ec.europa.eu/tl-browser/#/

> In that case, it will simplify their lifes.

That was not the case.
I'd be happy to do any testing to help this issue along as it's a rather big problem for me :)

I just upgraded to Fedora 31 (from Fedora 30, which worked fine). Now, in Firefox, when I access a protected site, Firefox will prompt me for my smart card's PIN but then not show my smart card's certificates in the resulting dialog (only the file-based client certificates are listed). I have all of the requisite packages to get this working installed, as it did work on Fedora 30. I'm using opensc. I also tried making the configuration changes suggested in comment 1, but they made no difference.

My smart card is a US DoD issued CAC (Common Access Card). I can see that the card is detected and working (the most obvious indicator is that Firefox prompts for the PIN).

Again, I'm happy to provide any information or perform testing. Thank you!
(In reply to Craig from comment #8)
> I'd be happy to do any testing to help this issue along as it's rather big
> problem for me :)
>
> I just upgraded to Fedora 31 (from Fedora 30, which worked fine). Now, in
> Firefox, when I access a protected site, Firefox will prompt me for my smart
> card's PIN but then not show my smart card's certificates in the resulting
> dialog (only the file based client certificates are listed).

Well, is it really the same problem as this? This bug was reported against F30 and the reporter says it doesn't work, though I can't tell what is actually happening as the description is too vague.

I would suggest opening a new bug, with detailed information (e.g., firefox and opensc version).

Note that in the firefox 69.0-3 update, we've done some mitigation to the annoying PIN popup (bug 1650578).
(In reply to Daiki Ueno from comment #9)
> Well, is it really the same problem as this? This bug was reported against
> F30 and the reporter says it doesn't work, though I can't tell what is
> actually happening as the description is too vague.

Why don't you just quote those 'too vague' lines?
(In reply to Craig from comment #8)
> I'd be happy to do any testing to help this issue along as it's rather big
> problem for me :)

It just prevents you using strong authentication, which is typically used for real-life scenarios like online banking, official matters like government, local authority etc. that require actual real authentication. So it is 'a rather big problem' for everyone using it.

> Now, in
> Firefox, when I access a protected site, Firefox will prompt me for my smart
> card's PIN

Multiple times, as multiple plugins are doing the same thing, plus p11-kit is also reading all certificates as it removes the solution that the onepin plugin solved.

> but then not show my smart card's certificates in the resulting
> dialog (only the file based client certificates are listed).

Which is the symptom of not getting through those PIN dialogs. With my two-certificate card, I get more than three dialogs and start worrying about bricking my official id-card into PUK-state. It has three failed attempts per certificate.

> I also tried making the configuration changes suggested in comment 1, but
> they made no difference.
>
> My smart card is a US DoD issued CAC (Common Access Card). I can see that
> the card is detected and working (the most obvious indicator is that Firefox
> prompts for the PIN).

How many certificates does it have? The pkcs15-tool -c command lists them.

> Again, I'm happy to provide any information or perform testing.

Being able to actually test it would qualify you to package it too! It's such a great ability while packaging software for others.
Juha, please don't start with that again. Fedora is a community project and it is not possible for everyone to know every corner case of each and every user. This is why we have bugzilla and this bug, and we are trying to solve the issues for everyone who is interested in the solution. Since you are the only one having this problem, I proposed a possible solution in comment #1 one month ago and I am willing to provide this fix in the next update of OpenSC, if you would be willing to cooperate and check that the proposed fix works for you.
(In reply to Daiki Ueno from comment #9)
> (In reply to Craig from comment #8)
> > I'd be happy to do any testing to help this issue along as it's rather big
> > problem for me :)
> >
> > I just upgraded to Fedora 31 (from Fedora 30, which worked fine). Now, in
> > Firefox, when I access a protected site, Firefox will prompt me for my smart
> > card's PIN but then not show my smart card's certificates in the resulting
> > dialog (only the file based client certificates are listed).
>
> Well, is it really the same problem as this? This bug was reported against
> F30 and the reporter says it doesn't work, though I can't tell what is
> actually happening as the description is too vague.
>
> I would suggest opening a new bug, with detailed information (e.g., firefox
> and opensc version).
> Note that in firefox 69.0-3 update, we've done some mitigation to the
> annoying PIN popup (bug 1650578).

You were right... I was mistaken and I am not experiencing the issue reported here. My problem is reported at bug 1756326.

Again, sorry for the trouble, and thank you for all the great work you've done for Fedora!
After the last update I have *four* hardware tokens when only *one* is needed, and I get the PIN-code dialog *four* times when logging in with the national id-card. This package is not only improperly tested, but also wrongly packaged.
Patches and contributions are always welcomed.
(In reply to Jakub Jelen from comment #15)
> Patches and contributions are always welcomed.

As are basic packaging skills and testing the end result before pushing it into production. You actually *work* at the company that does it as its core business, and fail on it. What would Greta say about that?
This message is a reminder that Fedora 30 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 30 on 2020-05-26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '30'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 30 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 30 changed to end-of-life (EOL) status on 2020-05-26. Fedora 30 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
Still exists in 33.
This message is a reminder that Fedora 33 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '33'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 33 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 33 changed to end-of-life (EOL) status on 2021-11-30. Fedora 33 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.