Description of problem:
When using Firefox with the opensc pkcs#11 plugin to authenticate to an SSL-protected website, the nonRepudiation bit is not honored and Firefox opens the PIN dialog also for the RSA key meant for digital signatures - which should never be used for authentication.

Version-Release number of selected component (if applicable):
firefox-1.5.0.10-5.fc6

How reproducible:
Always.

Steps to Reproduce:
1. Add smartcard and its reader using pcsc-lite or openct drivers.
2. Configure opensc pkcs11 plugin (if not loaded already) for firefox.
3. Try to login into www-site using the smartcard authentication.

Actual results:
Browser asks pin code for nonRepudiation key.

Expected results:
Only pin code for keypair without nonRepudiation key should be asked.

Additional info:
Below 'Allkirjastamine' stands for 'signing'.

$ pkcs15-tool -k
Private RSA Key [Isikutuvastus]
    Usage : [0x3F], encrypt, decrypt, sign, signRecover, wrap, unwrap
    Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
Private RSA Key [Allkirjastamine]
    Usage : [0x200], nonRepudiation
    Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local

Mozilla project bug with attached patch for firefox 2.0:
https://bugzilla.mozilla.org/show_bug.cgi?id=328346
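The expected behaviour in the report above, as an added example (not part of the original report and not Firefox, NSS or OpenSC code): parse `pkcs15-tool -k` style output, decode the PKCS#15 usage mask, and keep only the keys a client should offer for SSL authentication. The sample text is constructed from the two keys in the report, and the selection policy (able to sign, no nonRepudiation bit) is an assumption drawn from the report's "Expected results".

```python
import re

# PKCS#15 private-key usage bits; names as printed by pkcs15-tool.
USAGE_BITS = {
    0x001: "encrypt", 0x002: "decrypt", 0x004: "sign", 0x008: "signRecover",
    0x010: "wrap", 0x020: "unwrap", 0x040: "verify", 0x080: "verifyRecover",
    0x100: "derive", 0x200: "nonRepudiation",
}
SIGN_BITS = 0x004 | 0x008
NON_REPUDIATION = 0x200

# Constructed sample: the two keys listed in the bug report.
SAMPLE = """\
Private RSA Key [Isikutuvastus]
    Usage       : [0x3F], encrypt, decrypt, sign, signRecover, wrap, unwrap
    Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
Private RSA Key [Allkirjastamine]
    Usage       : [0x200], nonRepudiation
    Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
"""

KEY_RE = re.compile(r"^Private \w+ Key \[(?P<label>[^\]]*)\]")
USAGE_RE = re.compile(r"^\s*Usage\s*:\s*\[0x(?P<mask>[0-9A-Fa-f]+)\](?P<names>.*)$")

def parse_keys(text):
    """Return [(label, usage_mask)]; reject a mask that disagrees with its names."""
    keys, label = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            label = m.group("label")
            continue
        m = USAGE_RE.match(line)
        if m and label is not None:
            mask = int(m.group("mask"), 16)
            listed = {n.strip() for n in m.group("names").split(",") if n.strip()}
            decoded = {name for bit, name in USAGE_BITS.items() if mask & bit}
            if listed != decoded:
                raise ValueError(f"{label}: 0x{mask:X} does not match {sorted(listed)}")
            keys.append((label, mask))
            label = None
    return keys

def usable_for_client_auth(mask):
    """Assumed policy: the key can sign and is not marked nonRepudiation."""
    return bool(mask & SIGN_BITS) and not (mask & NON_REPUDIATION)

def auth_candidates(text):
    """Labels of the keys a client should prompt a PIN for during SSL login."""
    return [label for label, mask in parse_keys(text) if usable_for_client_auth(mask)]
```

For the two keys in the report, `auth_candidates(SAMPLE)` keeps only the Isikutuvastus key, so no PIN prompt would be raised for the signing key.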
I guess this belongs to the nss component, reassigning.
Are you requesting that we backport the patch from upstream mozilla 239961 and its regression fix 328346 into Fedora's FF/TB 1.5.x? Chris, the fix is not at the NSS level, but at the application level. Patches would have to get applied to Firefox and Thunderbird applications. While I would be ok to drive this in, the right bugzilla component is Firefox/Thunderbird.
Well, I don't know how big an effort that would be. SCM head also has the so-called onepin plugin that sees only the first certificate and is some kind of workaround for broken browsers. I guess everything depends on how many existing users there are and the lifespan left for fc6; for fc7 there is a newer browser.
Fedora apologizes that these issues have not been resolved yet. We're sorry it's taken so long for your bug to be properly triaged and acted on. We appreciate the time you took to report this issue and want to make sure no important bugs slip through the cracks. If you're currently running a version of Fedora Core between 1 and 6, please note that Fedora no longer maintains these releases. We strongly encourage you to upgrade to a current Fedora release. In order to refocus our efforts as a project we are flagging all of the open bugs for releases which are no longer maintained and closing them. http://fedoraproject.org/wiki/LifeCycle/EOL If this bug is still open against Fedora Core 1 through 6, thirty days from now, it will be closed 'WONTFIX'. If you can reproduce this bug in the latest Fedora version, please change to the respective version. If you are unable to do this, please add a comment to this bug requesting the change. Thanks for your help, and we apologize again that we haven't handled these issues to this point. The process we are following is outlined here: http://fedoraproject.org/wiki/BugZappers/F9CleanUp We will be following the process here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this doesn't happen again. And if you'd like to join the bug triage team to help make things better, check out http://fedoraproject.org/wiki/BugZappers
I guess f7 doesn't have 1.5 ff so we don't need this anymore. Thank you for your utter interest in this matter and for making fedora better!