Open Bug 511652 Opened 16 years ago Updated 1 year ago

Add a GUI option to toggle the "Friendly certs" option of NSS

Categories

(Core :: Security: PSM, enhancement, P5)

x86
macOS
enhancement

People

(Reporter: martin, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [psm-smartcard])

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; et-ee) AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; et; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

As discussed in bug 322145, Firefox & Thunderbird currently do not provide a GUI to toggle the "friendly" bit in NSS for PKCS#11 modules, which causes usability issues. Firefox and Thunderbird should consider changing the default and/or provide a GUI option to set/unset this flag. When adding a new module into Firefox, the module loading dialog could include a checkbox "Publicly readable certificates" (to mimic the pkcs11.load() JS call, where a flag can be set) and/or add a button similar to the "Enable FIPS mode" button, to enable/disable the "friendly certs" feature for a PKCS#11 module.

Reproducible: Always
Blocks: 322145
Mass change owner of unconfirmed "Core:Security UI/PSM/SMime" bugs to nobody. Search for kaie-20100607-unconfirmed-nobody
Assignee: kaie → nobody
Firefox 8.0b1 has finally fixed the issue with nonrepudiation only certificates. Meaning that when presented two certificates (one with KU=NR and one with KU=sign,encr and EKU=TLSclient) FF will not consider using the certificate without EKU=TLSClient at all. Which is nice. Now the only thing remaining to be fixed to be able to work with several EU eID cards (like the Estonian eID) is to provide a fix for the "asking every PIN before showing certificate selection" problem, AKA marking all slots in all modules with the "friendly" flag by default or by providing a GUI flag to do the same. I still believe that the default behaviour should be with the flag *enabled* (AKA only do a login if a slot does *not* present certificates without login)
Whiteboard: [psm-auth][psm-smartcard]
Is this still necessary? What does the "friendly" bit do?
Flags: needinfo?(martin)
I think so. But given that the whole automagic PKCS#11 module loading via JS extensions is under possible removal, there can be bigger problems elsewhere. Making "friendly certs" the default option would be the logical solution, but as there was conceptual misunderstanding about what the feature does and why, possibility to adjust the most-probably-wrong-default-for-many option via exposed configurability.
Flags: needinfo?(martin)
Martin, I still don't understand what the "friendly bit" is for or why it would be helpful to have this feature. Perhaps it would be best to assume I only have a rudimentary understanding of how smartcards and pkcs#11 modules work. (Also, I receive an email that is more distinct from other bugmail when you cancel a needinfo request, so it's more likely I'll see you've responded if you do that rather than leave the request open - thanks.)
Flags: needinfo?(martin)
Without the "friendly bit" set on a slot (or was it token?) NSS by default assumes that *before* trying to read public objects (such as certificates or public keys) from the token, a login must be made. For actual smart cards with pin codes, this results in a PIN prompt *before* a certificate selection is being made. Things get worse if you have a device with multiple slots and multiple PIN codes. Even though the selection of the right certificate could be made before, the user is asked for the PIN codes of all slots before any automatic decision is made. That's bad UX. OpenSC has long fought with this issue by providing an extra PKCS#11 module that exposes just a single PIN with the certificate that is most likely used for client certificate authentication.
This bug would be irrelevant if the default behaviour would be sane. But at the time of reporting it was not possible to agree upon "sane defaults", thus this bug.
Ok, now I think I get it. Thanks for explaining that. This may be a shortcoming of how Gecko uses NSS, in which case it hopefully wouldn't be too hard to fix the underlying issue.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(martin)
Priority: -- → P5
Severity: normal → S3

I am suffering from this issue as well. I can say the same for a handful of colleagues who also have a PKCS#11 hard cert/smart card.

This issue notes that there is no GUI based way to set the "friendly" flag to enable read of public certs on tokens, but is there a more advanced way/workaround such as a flag in about:config?

The interval at which my PKCS#11 Module under Settings > Privacy & Security > Security > Security Devices > <MY_SMARTCARD> automatically logs itself out is super painful. It automatically logs out at ~ a 2 minute interval any time I am actively using it to connect to the server that requires it.

Is there a way to enable the friendly flag at all at present? If not, is there a way to extend the duration that the smart card is considered "logged in"? As it is, I've been suffering typing in my pin every two minutes for going on a year, but this is the only viable path at my company for myself and my colleagues.

Please provide details concerning any known workarounds if possible. Thank you!

I am imagining the solution to this issue looks like two new about:config values

security.pki.enable_friendly_certs (bool)
security.pki.logged_in_time_out (int)

I do not care what the defaults are for this, but I'd expect if the first proposed configuration value is set to true, then pub certs are readable without a pin. For the second config, the value could represent a number of minutes before a smart badge logs out and requires a pin for all certs if the latter config is false, or for only private certs if the latter config is true.

This is my single biggest problem with Firefox. I created a Bugzilla account specifically to share how important I consider this.

Flags: needinfo?(dkeeler)

What OS are you using?
One thing you could do is write a web extension that installs your PKCS#11 module with the correct flags: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/pkcs11/installModule

Flags: needinfo?(dkeeler) → needinfo?(davidhinton23)
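
Added example, not part of the original comments and not code from Firefox or open-eid: a sketch of the background-script logic such a web extension could use to register a module with the "friendly" (publicly readable certificates) flag through the documented browser.pkcs11 API. It assumes the extension declares the "pkcs11" permission and that a native manifest exists for the module; MODULE_NAME and installFriendly are hypothetical names, and 0x1 << 28 is the NSS public mechanism flag for friendly tokens.

```javascript
// NSS public mechanism flag: certificates on the token are readable without login.
const PUBLIC_MECH_FRIENDLY_FLAG = 0x1 << 28;
// Hypothetical placeholder; must match the "name" in the module's native manifest.
const MODULE_NAME = "example_pkcs11_module";

// pkcs11 is browser.pkcs11 inside Firefox. It is passed in as a parameter so the
// same logic can be exercised against a stand-in object outside the browser.
async function installFriendly(pkcs11, name, { reinstall = false } = {}) {
  const already = await pkcs11.isModuleInstalled(name);
  if (already && !reinstall) {
    // The flag is passed at install time, so an existing registration is left
    // with whatever flags it was added with.
    return { name, action: "kept", slots: await pkcs11.getModuleSlots(name) };
  }
  if (already) {
    // Remove the old registration so the module can be added again with the flag.
    await pkcs11.uninstallModule(name);
  }
  await pkcs11.installModule(name, PUBLIC_MECH_FRIENDLY_FLAG);
  return {
    name,
    action: already ? "reinstalled" : "installed",
    slots: await pkcs11.getModuleSlots(name),
  };
}

// Only runs inside an extension context where the pkcs11 API is available.
if (typeof browser !== "undefined" && browser.pkcs11) {
  installFriendly(browser.pkcs11, MODULE_NAME, { reinstall: true })
    .then((r) => console.log(`${r.name}: ${r.action}, ${r.slots.length} slot(s)`))
    .catch((e) => console.error("PKCS#11 module setup failed:", e));
}
```
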

OS is Windows 10

Most of our machines are locked down pretty hard with corporate policy. Likely a custom solution like what you’ve suggested would (unfortunately) not pass security requirements for wider distribution, but I can look into it in any case. Does an extension to install such a module already exist perhaps in an extensions marketplace that is known to be reputable? Regardless, a native solution would be strongly preferable over something custom/third party in the long term.

Any way to change the settings on a security device that’s already installed perhaps?

Flags: needinfo?(davidhinton23) → needinfo?(dkeeler)

You could have a look at https://github.com/open-eid/firefox-pkcs11-loader, which I believe corresponds to https://addons.mozilla.org/en-US/firefox/addon/pkcs11-module-loader/

Why do you need to load a PKCS#11 module at all? Does osclientcerts not work? (about:config -> security.osclientcerts.autoload should be true by default).

Flags: needinfo?(dkeeler) → needinfo?(davidhinton23)

First time I hear about it. Firefox now has smart card support via platform keychain/cng key/cert support? This is built into FF: https://github.com/mozkeeler/osclientcerts ? Super cool in that case.

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #13)

You could have a look at https://github.com/open-eid/firefox-pkcs11-loader, which I believe corresponds to https://addons.mozilla.org/en-US/firefox/addon/pkcs11-module-loader/

Why do you need to load a PKCS#11 module at all? Does osclientcerts not work? (about:config -> security.osclientcerts.autoload should be true by default).

The flag is disabled as the default smart cards provided to employees are basic assurance, but we have specific medium assurance certs that don't play nicely with company defaults, so the security.osclientcerts.autoload is disabled for our use case and we load our MA certs manually to deconflict.

Flags: needinfo?(davidhinton23)

I will look at the plugin you referenced! Thanks Dana.

(In reply to Martin Paljak from comment #14)

First time I hear about it. Firefox now has smart card support via platform keychain/cng key/cert support? This is built into FF: https://github.com/mozkeeler/osclientcerts ? Super cool in that case.

Can you provide context for how this relates to this discussion? If this is built into FF, then starting with what version?

Flags: needinfo?(martin)

(In reply to davidhinton23 from comment #16)

I will look at the plugin you referenced! Thanks Dana.

Unfortunately the referenced extension is not created by FF or another well known publisher. It's also not Open Source (that I know of). Given all that, security won't go for it. So this specific avenue is not viable for my use case. Could be exactly what someone else needs though, so thank you in any case!

(In reply to davidhinton23 from comment #17)

(In reply to Martin Paljak from comment #14)

First time I hear about it. Firefox now has smart card support via platform keychain/cng key/cert support? This is built into FF: https://github.com/mozkeeler/osclientcerts ? Super cool in that case.

Can you provide context for how this relates to this discussion? If this is built into FF, then starting with what version?

Apologies. I think I understand now, but please correct me if I'm wrong. The functionality provided by security.osclientcerts.autoload started with the referenced Github repository? The only hangup I have is that the README for mozkeeler/osclientcerts repo indicates:

For the time being, this module must be manually compiled and added to Firefox.

That said, are you mozkeeler @Dana Keeler? If so, I'm sure you know the full story.

Flags: needinfo?(dkeeler)

Yes, that's my github account. That repo is out of date and unnecessary now - the functionality it provided is built-in to Firefox. It mainly exists for historical purposes at this point.

(In reply to davidhinton23 from comment #15)

Why do you need to load a PKCS#11 module at all? Does osclientcerts not work? (about:config -> security.osclientcerts.autoload should be true by default).

The flag is disabled as the default smart cards provided to employees are basic assurance, but we have specific medium assurance certs that don't play nicely with company defaults, so the security.osclientcerts.autoload is disabled for our use case and we load our MA certs manually to deconflict.

Can you share more information here? What is the difference between "basic assurance" and "medium assurance" certificates? Why don't the medium assurance certificates work with your company's defaults?

Flags: needinfo?(dkeeler) → needinfo?(davidhinton23)

(In reply to davidhinton23 from comment #18)

(In reply to davidhinton23 from comment #16)

I will look at the plugin you referenced! Thanks Dana.

Unfortunately the referenced extension is not created by FF or another well known publisher. It's also not Open Source (that I know of). Given all that, security won't go for it. So this specific avenue is not viable for my use case. Could be exactly what someone else needs though, so thank you in any case!

It is open source (as the link referenced to is github), published by Estonian e-gov (where all client software is open source)

Flags: needinfo?(martin)

Clear a needinfo that is pending on an inactive user.

Inactive users most likely will not respond; if the missing information is essential and cannot be collected another way, the bug maybe should be closed as INCOMPLETE.

For more information, please visit BugBot documentation.

Flags: needinfo?(davidhinton23)
Severity: S3 → N/A
Type: defect → enhancement
Whiteboard: [psm-auth][psm-smartcard] → [psm-smartcard]