> Is this a known bug?i implemented a pkcs#11 device using an external pinpad for pin input. Therefore the CKF_PROTECTED_AUTHENTICATION_PATH flag has been set in the CK_TOKEN_INFO struct returned by C_GetTokenInfo().
Altough this flag has been set the Mozilla/Firebird prompts the user with a Pin Dialog for pin input!?! Normally he should recognize the flag and pass NULL_PTR to C_Login() like the pkcs#11 standard says!
It is now that you've reported it. See http://bugzilla.mozilla.org/show_bug.cgi?id=229023
How can i prevent NSS from prompting the user with a pin input dialog?
NSS doesn't prompt the user directly. It calls a callback function provided by the applicatin program (e.g. the browser). That function, the "password callback function", which is part of the browser, not NSS, does whatever it wants to with respect to prompting the user.
NSS provides a function by which a password callback function can ask NSS (does the token in this slot have a protected authentication path?" That function is PK11_ProtectedAuthenticationPath(). The application's password callback function is supposed to call it, but mozilla/*bird do not have code that does so.
The reason why NSS calls the callback, even when the CKF_PROTECTED_AUTHENTICATION_PATH is present, is that the application
MAY need to prompt the user to enter the PIN on the external pinpad.
The application would use the return value from
PK11_ProtectedAuthenticationPath, and the "retry" flag (an argument to
the password callback function itself) to decide whether to display
any prompt, and whether that prompt should say "Enter your password
here in this dialog" or "Enter your password on the PinPad now".
> Why does all Mozilla/Firebirds ignore the flag?
I think the answer is that their password callback functions were
modelled after the NSS QA test programs, none of which call PK11_ProtectedAuthenticationPath(). In that respect, the NSS QA
test programs are not particularly exemplary.
Is there a solution for the problem?
The solution is to get mozilla's password callback function,
PK11PasswordPrompt, (see http://lxr.mozilla.org/mozilla/source/security/manager/ssl/src/nsNSSCallbacks.cpp#120
to call PK11_ProtectedAuthenticationPath() and use its answer.
Since there is no full-time staff working on PSM now
(PSM is the part of the mozilla browser that interfaces to NSS),
this change is not likely to happen until some volunteer constributes
a patch that does it (hint, hint).
Also, an NSS engineer should add some code to the NSS QA test password callback function to demonstrate the use of PK11_ProtectedAuthenticationPath().
There is also a workaround. When mozilla asks for a password, just type in some random string and click OK (or press enter). When the password callback returns to NSS, NSS will notice the CKF_PROTECTED_AUTHENTICATION_PATH flag, and will "pass NULL_PTR to C_Login() like the pkcs#11 standard says!" regardless of what password you entered (provided you entered a non-empty password).
So, all you need to do is get past the password callback function and the right thing should happen. But don't try to get past it without entering some non-empty password.
-- Nelson B
_______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
