Bug 1745920 - p11-kit-trust breaks pkcs11 client-certificate authentication with Firefox
Summary: p11-kit-trust breaks pkcs11 client-certificate authentication with Firefox
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: p11-kit
Version: 33
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Daiki Ueno
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-08-27 08:48 UTC by Juha Tuomala
Modified: 2021-11-30 17:59 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-30 17:59:46 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Juha Tuomala 2019-08-27 08:48:48 UTC
Description of problem:
Firefox pulls p11-kit-trust package that creates security modules for PKCS#11 always at startup. These do not work with OpenSC onepin module that was created to respect the certificate non-repudiation attribute, which is needed with cards that hold more than one ceriticate.

Currently p11-kit pushes itself as a second pkcs11-authentication on every fscking browser startup and causes multiple PIN-code dialogs for id-card authentication and most likely will lock the card to require PUK-code-release - or render goverment issued id-card useless.

Apparently whoever packaged this does not use id-cards for authentication with browsers, not it was not properly tested.

Version-Release number of selected component (if applicable):
p11-kit-0.23.16.1-1.fc30.x86_64

How reproducible:
Always, requires always manual removal and will re-appear at every startup.

Steps to Reproduce:
1. Start firefox.

Comment 1 Jakub Jelen 2019-08-27 10:04:33 UTC
Thank you for the bug report. The onepin module does not care about the non-repudation attribute nor it does anything with the amount of certificates. The onepin only exposes one slot with the first pin, which is usually what is needed to avoid the issues you describe.

I think we can modify the opensc modules exposed to p11-kit to load the onepin module for firefox (and maybe thunderbird), while still using the normal module in other cases?

Can you try if modification of the module files like this would work for you?

# cat /usr/share/p11-kit/modules/opensc.module
module: opensc-pkcs11.so
disable-in: firefox thunderbird-bin
# cat /usr/share/p11-kit/modules/opensc-onepin.module
module: opensc-pkcs11.so
enable-in: firefox thunderbird-bin

Unfortunately, our government does not provide ID cards that would be readable and usable by any opensource tools so I could not verify that for you.

Comment 2 Juha Tuomala 2019-08-27 10:18:08 UTC
(In reply to Jakub Jelen from comment #1)
> Thank you for the bug report. The onepin module does not care 

which is why it was created in the first place.

> Unfortunately, our government does not provide ID cards that would be
> readable and usable by any opensource tools so I could not verify that for
> you.

So why are you pushing this into hundreds of thousands desktops without being able even to test it?

I alone have lost many work hours for this which i don't need. Do you want to pay those hours?

Comment 3 Jakub Jelen 2019-08-27 11:28:08 UTC
This was properly communicated through the release notes of Fedora 29:

https://docs.fedoraproject.org/en-US/fedora/f29/release-notes/sysadmin/Security/

Comment 4 Juha Tuomala 2019-08-28 08:34:43 UTC
(In reply to Jakub Jelen from comment #3)
> This was properly communicated through the release notes of Fedora 29:
> 
> https://docs.fedoraproject.org/en-US/fedora/f29/release-notes/sysadmin/
> Security/

It doesn't properly communicate my question in #comment 3:

> So why are you pushing this into hundreds of thousands desktops without being able even to test it?

Comment 5 Juha Tuomala 2019-08-28 08:45:31 UTC
(In reply to Jakub Jelen from comment #3)
> This was properly communicated through the release notes of Fedora 29:
> 
> https://docs.fedoraproject.org/en-US/fedora/f29/release-notes/sysadmin/
> Security/

I would say this is communicated:

  https://fedoraproject.org/wiki/Changes/NSSLoadP11KitModules

and as we now see, it's full of errors. Like chapters 'compatibility impact' or 'User experience'.

Change template and Fedora process asks correct questions and this bug report is proof that template is there for reason. 

Is Ueno or Jkurik able to test this?

https://fedoraproject.org/w/index.php?title=Changes/NSSLoadP11KitModules&action=history

Comment 6 Jakub Jelen 2019-08-28 10:51:02 UTC
(In reply to Juha Tuomala from comment #2)
> So why are you pushing this into hundreds of thousands desktops without
> being able even to test it?

Because for most of these desktops will not have any issues with this change. Either because they are not using any smart card at all or they are using smart cards with single pin. In that case, it will simplify their lifes.

As for corner cases this is what we are trying to handle here in this bug report (see the comment #1 for the proposed solution).

Comment 7 Juha Tuomala 2019-08-28 11:24:13 UTC
(In reply to Jakub Jelen from comment #6)
> (In reply to Juha Tuomala from comment #2)
> > So why are you pushing this into hundreds of thousands desktops without
> > being able even to test it?
> 
> Because for most of these desktops will not have any issues with this
> change. Either because they are not using any smart card at all or they are
> using smart cards with single pin. 

Most? 

You think there are more purchasing certificate cards than whole European population who get certificates automatically if they choose to get goverment issued id-card ?

  https://webgate.ec.europa.eu/tl-browser/#/


> In that case, it will simplify their lifes.

That was not the case.

Comment 8 Craig 2019-09-26 16:53:21 UTC
I'd be happy to do any testing to help this issue along as it's rather big problem for me :)

I just upgraded to Fedora 31 (from Fedora 30, which worked fine). Now, in Firefox, when I access a protected site, Firefox will prompt me for my smart card's PIN but then not show my smart card's certificates in the resulting dialog (only the file based client certificates are listed).

I have all of the requisite packages to get this working installed as it did work on Fedora 30. I'm using opensc.

I also tried making the configuration changes suggested in comment 1, but they made no difference.

My smart card is a US DoD issued CAC (Common Access Card). I can see that the card is detected and working (the most obvious indicator is that Firefox prompts for the PIN).

Again, I'm happy to provide any information or perform testing.

Thank you!

Comment 9 Daiki Ueno 2019-09-27 08:22:11 UTC
(In reply to Craig from comment #8)
> I'd be happy to do any testing to help this issue along as it's rather big
> problem for me :)
> 
> I just upgraded to Fedora 31 (from Fedora 30, which worked fine). Now, in
> Firefox, when I access a protected site, Firefox will prompt me for my smart
> card's PIN but then not show my smart card's certificates in the resulting
> dialog (only the file based client certificates are listed).

Well, is it really the same problem as this? This bug was reported against F30 and the reporter says it doesn't work, though I can't tell what is actually happening as the description is too vague.

I would suggest opening a new bug, with detailed information (e.g., firefox and opensc version).
Note that in firefox 69.0-3 update, we've done some mitigation to the annoying PIN popup (bug 1650578).

Comment 10 Juha Tuomala 2019-09-27 08:54:08 UTC
(In reply to Daiki Ueno from comment #9)
> Well, is it really the same problem as this? This bug was reported against
> F30 and the reporter says it doesn't work, though I can't tell what is
> actually happening as the description is too vague.

Why don't you just quote those 'too vague' lines?

Comment 11 Juha Tuomala 2019-09-27 09:12:10 UTC

(In reply to Craig from comment #8)
> I'd be happy to do any testing to help this issue along as it's rather big
> problem for me :)

I just prevents you using strong authentication, which is typically used for real life scenarios like online banking, official matters like government, local authority etc that requires actual real authentication. So it is 'a rather big problem' for everyone using it.
 
> Now, in
> Firefox, when I access a protected site, Firefox will prompt me for my smart
> card's PIN 

Multiple times as multiple plugins are doing the same thing, plus p11-kit is also reading all sertificates as it removes the solution that onepin-plugin solved.

> but then not show my smart card's certificates in the resulting
> dialog (only the file based client certificates are listed).

Which is the symptom of not getting through those pin-dialogs. With my two certificate card, I get more than three dialogs and start worrying bricking my official id-card into PUK-state. It has three failed attempts per certificate.

> I also tried making the configuration changes suggested in comment 1, but
> they made no difference.
> 
> My smart card is a US DoD issued CAC (Common Access Card). I can see that
> the card is detected and working (the most obvious indicator is that Firefox
> prompts for the PIN).

How many certificates it has? pkcs15-tool -c    command lists them.


> Again, I'm happy to provide any information or perform testing.

Being able to actually test it, would qualify you to package it too! It's such a great ability while packaging software to others.

Comment 12 Jakub Jelen 2019-09-27 12:25:20 UTC
Juha, please don't start with that again. Fedora is a community project and it is not possible to everyone know every corner case of each and every user. This is why we have bugzilla, this bug and we are trying to solve the issues for everyone who is interested in the solution.

Since you are the only one having this problem, I proposed a possible solution comment #1 one month ago and I am willing to provide this fix in the next update of OpenSC, if you would be willing to cooperated and check the proposed fix will work for you.

Comment 13 Craig 2019-09-27 23:59:56 UTC
(In reply to Daiki Ueno from comment #9)
> (In reply to Craig from comment #8)
> > I'd be happy to do any testing to help this issue along as it's rather big
> > problem for me :)
> > 
> > I just upgraded to Fedora 31 (from Fedora 30, which worked fine). Now, in
> > Firefox, when I access a protected site, Firefox will prompt me for my smart
> > card's PIN but then not show my smart card's certificates in the resulting
> > dialog (only the file based client certificates are listed).
> 
> Well, is it really the same problem as this? This bug was reported against
> F30 and the reporter says it doesn't work, though I can't tell what is
> actually happening as the description is too vague.
> 
> I would suggest opening a new bug, with detailed information (e.g., firefox
> and opensc version).
> Note that in firefox 69.0-3 update, we've done some mitigation to the
> annoying PIN popup (bug 1650578).

You were right... I was mistaken and I am not experiencing the issue reported here. My problem is reported at bug 1756326

Again, sorry for the trouble, and thank you for all the great work you've done for Fedora!

Comment 14 Juha Tuomala 2020-01-16 13:29:14 UTC
After last update I have *four* hardware tokens when only *one* is needed and getting PIN-code dialog *four* times when logging in with national id-card. This package is not only improperly tested, but also wrongly packaged.

Comment 15 Jakub Jelen 2020-01-16 13:36:39 UTC
Patches and contributions are always welcomed.

Comment 16 Juha Tuomala 2020-01-16 13:40:59 UTC
(In reply to Jakub Jelen from comment #15)
> Patches and contributions are always welcomed.

As well basic packaging skills and testing the end result before pushing it into production.

You actually *work* at the company that does it as its core business, and fail on it.


What Greta would say about that?

Comment 17 Ben Cotton 2020-04-30 20:32:55 UTC
This message is a reminder that Fedora 30 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 30 on 2020-05-26.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '30'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 30 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 18 Ben Cotton 2020-05-26 18:09:58 UTC
Fedora 30 changed to end-of-life (EOL) status on 2020-05-26. Fedora 30 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 19 Juha Tuomala 2021-02-15 10:18:29 UTC
Still exists in 33.

Comment 20 Ben Cotton 2021-11-04 16:05:19 UTC
This message is a reminder that Fedora 33 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '33'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 33 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 21 Ben Cotton 2021-11-30 17:59:46 UTC
Fedora 33 changed to end-of-life (EOL) status on 2021-11-30. Fedora 33 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.


Note You need to log in before you can comment on or make changes to this bug.