Bug 239961 - Add nonRepudiation fix for smartcard authentication
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: nss
Version: 6
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Kai Engert (:kaie)
https://bugzilla.mozilla.org/show_bug...
bzcl34nup
Reported: 2007-05-13 09:01 EDT by Juha Tuomala
Modified: 2008-04-08 12:08 EDT
Fixed In Version: Fedora 7
Doc Type: Bug Fix
Last Closed: 2008-04-08 12:05:17 EDT
External Trackers: Mozilla Foundation 328346 (Priority: None, Status: None, Summary: None, Last Updated: Never)

Description Juha Tuomala 2007-05-13 09:01:57 EDT
Description of problem:

When using Firefox with the opensc pkcs#11 plugin to authenticate to an SSL-protected
website, the nonRepudiation bit is not honored and Firefox also opens the PIN dialog
for the RSA key meant for digital signatures, which should never be used for
authentication.


Version-Release number of selected component (if applicable):

firefox-1.5.0.10-5.fc6

How reproducible:

Always.

Steps to Reproduce:

1. Add the smartcard and its reader using the pcsc-lite or openct drivers.

2. Configure the opensc pkcs11 plugin (if not loaded already) for Firefox.

3. Try to log in to a website using smartcard authentication.

Actual results:

The browser asks for the PIN code for the nonRepudiation key.

Expected results:

Only the PIN code for the keypair without the nonRepudiation key should be asked for.


Additional info:

Below, 'Allkirjastamine' stands for 'signing'.

$ pkcs15-tool -k
Private RSA Key [Isikutuvastus]
        Usage       : [0x3F], encrypt, decrypt, sign, signRecover, wrap, unwrap
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local

Private RSA Key [Allkirjastamine]
        Usage       : [0x200], nonRepudiation
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local


Mozilla project bug with attached patch for firefox 2.0:

  https://bugzilla.mozilla.org/show_bug.cgi?id=328346
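
Added example (not part of the original report and not Firefox, NSS or OpenSC code): a small audit script that parses `pkcs15-tool -k` output like the listing above and reports which private keys should be offered for TLS client authentication. The sample is the report's listing with the wrapped line joined; requiring the `sign` bit as well as the absence of `nonRepudiation` is an assumption of this example, and the function names are hypothetical.

```python
import re

# PKCS#15 private-key usage bits, matching the names pkcs15-tool prints above.
USAGE_BITS = {
    0x001: "encrypt", 0x002: "decrypt", 0x004: "sign", 0x008: "signRecover",
    0x010: "wrap", 0x020: "unwrap", 0x040: "verify", 0x080: "verifyRecover",
    0x100: "derive", 0x200: "nonRepudiation",
}
SIGN, NON_REPUDIATION = 0x004, 0x200

# Sample input: the listing from the report (wrapped "unwrap" line joined).
SAMPLE = """\
Private RSA Key [Isikutuvastus]
        Usage       : [0x3F], encrypt, decrypt, sign, signRecover, wrap, unwrap
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local

Private RSA Key [Allkirjastamine]
        Usage       : [0x200], nonRepudiation
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
"""

KEY_RE = re.compile(r"^Private \w+ Key \[(?P<label>[^\]]*)\]\s*$")
USAGE_RE = re.compile(r"^\s*Usage\s*:\s*\[(?P<mask>0x[0-9A-Fa-f]+)\]")

def parse_keys(text):
    """Return {key label: usage bitmask} from pkcs15-tool -k style output."""
    keys, label = {}, None
    for line in text.splitlines():
        header = KEY_RE.match(line)
        if header:
            label = header.group("label")
            continue
        usage = USAGE_RE.match(line)
        if usage and label is not None:
            keys[label] = int(usage.group("mask"), 16)
    return keys

def decode_usage(mask):
    """Translate a usage bitmask into flag names, lowest bit first."""
    return [name for bit, name in sorted(USAGE_BITS.items()) if mask & bit]

def usable_for_client_auth(mask):
    # Assumed policy: the key must be able to sign and must not be a
    # nonRepudiation (legally binding signature) key.
    return bool(mask & SIGN) and not (mask & NON_REPUDIATION)

def classify(text):
    return {label: usable_for_client_auth(m) for label, m in parse_keys(text).items()}

if __name__ == "__main__":
    for label, ok in classify(SAMPLE).items():
        print(f"{label}: {'offer for client auth' if ok else 'skip, no PIN prompt'}")
```
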
Comment 2 Matěj Cepl 2007-05-30 12:33:58 EDT
I guess this belongs to the nss component; reassigning.
Comment 3 Kai Engert (:kaie) 2007-06-10 20:38:16 EDT
Are you requesting that we backport the patch from upstream mozilla 239961 and
its regression fix 328346 into Fedora's FF/TB 1.5.x?

Chris, the fix is not at the NSS level, but at the application level. Patches
would have to get applied to Firefox and Thunderbird applications.

While I would be ok to drive this in, the right bugzilla component is
Firefox/Thunderbird.
Comment 4 Juha Tuomala 2007-06-14 13:47:50 EDT
Well, I don't know how big an effort that would be. SCM head also has a so-called
onepin plugin that sees only the first certificate and is some kind of
workaround for broken browsers.

I guess everything depends on how many existing users there are and the lifespan
left for fc6; for fc7 there is a newer browser.
Comment 5 Bug Zapper 2008-04-04 03:14:41 EDT
Fedora apologizes that these issues have not been resolved yet. We're
sorry it's taken so long for your bug to be properly triaged and acted
on. We appreciate the time you took to report this issue and want to
make sure no important bugs slip through the cracks.

If you're currently running a version of Fedora Core between 1 and 6,
please note that Fedora no longer maintains these releases. We strongly
encourage you to upgrade to a current Fedora release. In order to
refocus our efforts as a project we are flagging all of the open bugs
for releases which are no longer maintained and closing them.
http://fedoraproject.org/wiki/LifeCycle/EOL

If this bug is still open against Fedora Core 1 through 6, thirty days
from now, it will be closed 'WONTFIX'. If you can reproduce this bug in
the latest Fedora version, please change to the respective version. If
you are unable to do this, please add a comment to this bug requesting
the change.

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we are following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

And if you'd like to join the bug triage team to help make things
better, check out http://fedoraproject.org/wiki/BugZappers
Comment 6 Juha Tuomala 2008-04-08 12:08:41 EDT
I guess f7 doesn't have 1.5 ff, so we don't need this anymore. Thank you for
your utter interest in this matter and for making Fedora better!
