Login in one application triggers logout in Firefox, breaks application #2897
Comments
https://source.redwax.eu/projects/RST/repos/redwax-signtext/browse/src/linux/crypto.c#641 may be the problem, as "logout" may cause the card/token to lose its login state. Firefox may not recognize this. What is the version of OpenSC? (0.24.0-rc1 has some logout changes.) When did you see the problem? (Did it ever work, never work, or when did it start failing?) From the web site, I see it is using p11-kit. Firefox uses NSS to call PKCS#11 or may use Windows or macOS services with or without OpenSC. Can you get an OpenSC debug log for both Firefox and your application? https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC
Caching PINs won't work for either firefox or the native application, as this needs to work on smartcard readers with a pinpad. What does "disconnect=leave" do?
OpenSC v0.21.0-1 on a raspberry pi. MyEID card. Firefox v102.15.1esr (64 bit).
Works fine when firefox does not use a smartcard, and the native application is using the smartcard. Tried using a site that requires a smartcard to log in, and this is where we saw the breakage.
This is Linux - definitely using OpenSC.
This generates 1.6MB of logs, which has low level details of the card in it. Is there a way to get it to you?
Further observation: the moment the native application finishes signing, Firefox starts behaving unpredictably. Sometimes Firefox will stop reading from the native application, which causes the native application to throb, indicating it is alive but no one is listening; at the same time the original webpage is still awake and functional and can still access things (possibly with cached connections?). Sometimes Firefox will pop up a "please enter your PIN" dialog. Sometimes Firefox shows a page showing various failures (that I now cannot reproduce).
@frankmorgner @Jakuje This problem may be related to #2807
Using Ubuntu 22.04 with an OMNIKEY AG CardMan 3821 00 00 and a MyEID card from 2017 (thanks @hhonkanen) and OpenSC version 0.24.0-rc1, it worked as expected. It did not print a prompt on the terminal but did on the pin-pad reader and created a signature. GDB below shows pkcs11-tool does call myeid_logout.
And it did indeed logout.
So the problem is not with a zero length pin and a pin pad reader.
Can you try with 0.24.0-rc1?
This would prevent resetting the smart card when OpenSC disconnects from the smart card. Not sure exactly when this happens, whether the logout does it or finalize. The 0.21.0 default is disconnect=reset (unless modified by the distribution), so you can try to modify the opensc.conf to use https://github.com/OpenSC/OpenSC/blob/0.21.0/etc/opensc.conf.example.in#L78 I do not see any explicit logout in the myeid driver in the 0.21.0 tag: https://github.com/OpenSC/OpenSC/blob/0.21.0/src/libopensc/card-myeid.c
I suspect this problem is caused by some code not being capable of handling concurrency correctly. PKCS#11 specifically mentions some use cases and I tend to assume that OpenSC's improvements up to the current version support conformance to the standard. However, many applications seem to have problems with some corner cases (NSS/Firefox 👀).
If you cannot solve your problem, please describe in more detail what you mean by Firefox breaks application. And please try to reproduce this problem without your native app, e.g. by using
When you say "should be changed", does this refer to the defaults as shipped with opensc, or something more specific?
This is exactly what I want in the application: for the PIN pad reader to force the user to enter the PIN every time it is used. I definitely don't want this for Firefox, that will drive users mad.
The intention is to package this software and make it available for mere mortals to use, when you say "you can customize opensc.conf for each application", do you mean that it is possible for an OS package to drop a file into a directory like /etc/opensc.d/myapp.conf, or does a human (or some script) have to fiddle with the opensc.conf file on install?
To be more specific, it appears this is "application breaks Firefox". Most specifically, an application (whose source code for logging into the card and cleaning up is shown above) successfully causes Firefox to log out of the smartcard, triggering a new request in Firefox to provide the PIN again, surprising the user and making their life difficult.
If you plan to package something for real users, you should switch to a version with fewer vulnerabilities! Most smart cards don't support concurrent access (which card do you use?), so all concurrency is implemented in software. This requires trusting the said software. If you do, then you can also trust the software to enforce a PIN verification when you want it to (even if the card is technically unlocked already). So, the simplest solution to your problem would be to track the login state of your token in your app without consulting the card and to not perform a logout (or reset) on cleanup.
If you plan to package only the native app and not the Firefox, you basically cannot influence Firefox's behavior to benefit from the
@dengert to some extent you're right as this is related to #2807. Not in the sense that implementing the logout functionality causes a problem, but in revealing that we are explicitly logging out of a token when we close a PKCS#11 session. This happens, for example, on
@minfrin can you build either the version of OpenSC you have or OpenSC 0.24.0-rc1 and try this patch:
and add "logout = 0;" to your opensc.conf so it looks something like this:
@frankmorgner two decades ago is a step in the right direction. But OpenSC is run by each application in its own process. There is no system-wide tracking of sessions and login state. And possibly by different users. The only OS that I know of that provided a system-wide PKCS11 was Sun's Solaris. It used it for all crypto operations. (I had a Sun workstation many years ago.) PC/SC is usually only run by the OS. But it does not keep track of login state. The PC/SC docs say it could keep track of users but AFAIK pcsc-lite does not. @LudovicRousseau ? The patch I suggested to @minfrin is a simple way around the logout problem. It (or some similar patch) could be added to 0.24.0 in case other users run into the same problem. In the @minfrin case, p11-kit is also being used, which may complicate the situation.
@dengert "The PC/SC docs say it could keep track of users but AFAIK PCSClite does not." Do you have a pointer to this PC/SC documentation?
https://pcscworkgroup.com/Download/Specifications/pcsc1_v2.01.01.pdf Talks about:
This might require the OS to limit access to the reader at the device level to a specific user, much like limiting access to the keyboard and mouse to the terminal user. And this may be sufficient. But if PC/SC is running as root accessing the device on behalf of a different user, this could lead to bypassing the OS access restrictions. I am not sure if this is a problem or not or what it would take to fix it. Although smart cards are normally used on single user workstations, these workstations may allow network access to other users (for example SSH), thus making these workstations: "multiuser, multiple terminal computers." So depending on what the OS can do, PC/SC may need to enforce: "the user is also the ICC cardholder." We also have HSM devices that may allow multiple users to access them. I believe SoftHSM controls access because user data is stored in files only accessible by the user.
I see. This is not the same as the pcsc-lite support for polkit (https://github.com/LudovicRousseau/PCSC/blob/master/doc/README.polkit). Some GNU/Linux distributions (RedHat & Fedora, maybe others) only allow the use of the PC/SC interface for the locally connected user. Maybe that can help.
Windows and Apple are tracking login states across process boundaries (via Minidriver and CTK). And this would also be possible to do via PKCS#11: run a daemon in the background that is the single process which accesses a token; then create a PKCS#11 library to connect to this daemon and forward every request, including information about the requesting process/user. https://github.com/p11-glue/p11-kit could be the right place to implement such an access control, but as far as I know, this is currently out of scope.
@LudovicRousseau polkit appears to address my concern. pcscd installs /usr/share/doc/pcscd/README.polkit but it appears it was not built with --enable-polkit and does not install ./doc/org.debian.pcsc-lite.policy. This is very helpful: https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html Thanks.
@frankmorgner good to hear: "Windows and Apple are tracking login states across process boundaries (via Minidriver and CTK)." and pcsc-lite can restrict access to readers if configured with --enable-polkit and polkit is also installed. But I am afraid 0.24.0 with always logout from PKCS11 is going to introduce problems for many users. We should still wait for @minfrin to try the patch.
Just one more clarification: We were talking about explicit logout of the token if a session is closed. However, when calling C_Logout explicitly, the login state of the token will be reset as well. Since according to PKCS#11, C_Logout is also limited to the calling application only, we may want to not logout explicitly here as well, as this may impact other applications running in parallel. Your patch, Doug, does the job, so it is good for testing purposes. However, I think there are some problems with it.
My preference would be to make this option part of the PKCS#11 configuration, which would respect 1. and avoid big refactoring (2.). |
@frankmorgner A parameter to pkcs11/misc.c and opensc.conf something like this:
In PKCS11, sc_logout is called from pkcs15_logout here: and pkcs15_logout is called indirectly from: https://github.com/OpenSC/OpenSC/blob/master/src/pkcs11/pkcs11-session.c#L442 C_Logout is used to clean up memory but does not need to call sc_logout.
I am not happy with introducing yet another configuration option that would be up to the user/system administrator/packager to tune, modify and make sure it is set up correctly for a given deployment/use-case. In any case, I think we should have some sane default that should work. And in Linux, multiple applications using the same pkcs11 module is still an unsolved issue.
I think if we want to address both of the issues, the card logout should not be called from I think developing and deploying a system-wide pkcs11 module in Linux would be a long shot (I think opencryptoki has something like that, the pkcsslotd daemon, but it requires a complete rethink of the access to the tokens). Something like that could already be put together using p11-kit remoting, but users are used to accessing pkcs11 modules directly over the last decades, so the change won't be fast. We might want to have a look into this more later, but we will need some short-term solution earlier for the 0.24.0 release, as this seems to be quite a pain with rc1.
@Jakuje I agree, although I find it sad to re-implement the PIN status tracking in software even though the card is doing the same. I also like the idea of a background service (have seen this in proprietary PKCS#11 modules as well), which may also give us the opportunity to throw away some of today's complexity of opensc-pkcs11.so. We could also think about implementing this e.g. in Rust... As a side note, if we rely on the PKCS#11 module's pin status tracking as an intermediate solution, we also need to restrict the use of
Most cards can respond to VERIFY with Lc=0 to query the number of retries, SW=(63 CX), or the login state if logged in, SW=(90 00). From a PIV perspective, NIST did not define a logout command until 800-73-4: d7fadae was added by @frankmorgner post 0.23.0, which will try to log out every PIV type card in 0.24.0-rc1.
You can find my proposal here: #2907 That being said, I'm not quite sure if it fixes the OP's issue, because above it was stated that login in process A triggers logout in process B and I cannot quite see how this can happen at all...
Where does "it" say that? Only if a different PIN is used? Or the error handling in process B cannot handle the card/token returning 69 82, which should return CKR_USER_NOT_LOGGED_IN to the calling application.
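Added example, not code from the issue thread, OpenSC or redwax-signtext: a decoder for the status words discussed above (VERIFY with an empty data field answering 90 00 when already verified, 63 CX with X retries left, and 69 82 security status not satisfied) and the PKCS#11 return code an application would surface for each. The PIN reference 0x80 and the sample status words are constructed for the example; the CKR_* values are those of the PKCS#11 v2.40 header.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example; not the issue's, OpenSC's or redwax-signtext's code.
 * Decodes the status word a card returns to VERIFY with an empty data field
 * (the "Lc=0" query mentioned in the thread) into a PIN state plus the
 * PKCS#11 return code an application would report to its caller. */

/* PKCS#11 v2.40 return codes (values from the standard's pkcs11t.h). */
#define CKR_OK                  0x00000000UL
#define CKR_GENERAL_ERROR       0x00000005UL
#define CKR_PIN_LOCKED          0x000000A4UL
#define CKR_USER_NOT_LOGGED_IN  0x00000101UL

enum pin_state { PIN_LOGGED_IN, PIN_NOT_VERIFIED, PIN_BLOCKED,
                 PIN_SECURITY_NOT_SATISFIED, PIN_UNKNOWN_SW };

struct pin_status {
    enum pin_state state;
    int retries;            /* -1 when the card reported no counter */
    unsigned long ckr;      /* PKCS#11 code to hand back to the caller */
};

/* VERIFY (INS 20) with no data field queries PIN state without consuming a
 * retry.  pin_ref is P2; 0x80 is used in the test as a constructed sample. */
size_t build_verify_query(uint8_t pin_ref, uint8_t *apdu, size_t cap) {
    if (cap < 4) return 0;
    apdu[0] = 0x00; apdu[1] = 0x20; apdu[2] = 0x00; apdu[3] = pin_ref;
    return 4;               /* case-1 APDU: CLA INS P1 P2, Lc = 0 (absent) */
}

struct pin_status decode_verify_sw(uint8_t sw1, uint8_t sw2) {
    struct pin_status st = { PIN_UNKNOWN_SW, -1, CKR_GENERAL_ERROR };
    if (sw1 == 0x90 && sw2 == 0x00) {                 /* already verified */
        st.state = PIN_LOGGED_IN; st.ckr = CKR_OK;
    } else if (sw1 == 0x63 && (sw2 & 0xF0) == 0xC0) { /* 63 CX: X tries left */
        st.retries = sw2 & 0x0F;
        st.state = st.retries ? PIN_NOT_VERIFIED : PIN_BLOCKED;
        st.ckr = st.retries ? CKR_USER_NOT_LOGGED_IN : CKR_PIN_LOCKED;
    } else if (sw1 == 0x63 && sw2 == 0x00) {          /* not verified, no counter */
        st.state = PIN_NOT_VERIFIED; st.ckr = CKR_USER_NOT_LOGGED_IN;
    } else if (sw1 == 0x69 && sw2 == 0x82) {          /* security status not satisfied */
        st.state = PIN_SECURITY_NOT_SATISFIED; st.ckr = CKR_USER_NOT_LOGGED_IN;
    } else if (sw1 == 0x69 && sw2 == 0x83) {          /* authentication method blocked */
        st.state = PIN_BLOCKED; st.ckr = CKR_PIN_LOCKED;
    }
    return st;
}
```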
The combination of login/logout is stated in the OP's title. Could you elaborate on the issue regarding SW 69 82?
If the merge #2907 didn't solve the problem, please elaborate.
Finally got a chance to properly test this; I needed to rebuild a system from scratch to do it. TL;DR: it works great. Firefox+OpenSC v0.25 on a Mac, along with VMWare Fusion containing Fedora Rawhide+OpenSC v0.25 and Windows 11 + Aventra drivers, all sharing the same smartcard at the same time, and no more login popups (caused by apps logging other apps out). Thank you for this.
Problem Description
I have a native messaging web application for Firefox that signs some text using the PKCS11 APIs.
This native messaging web application is a standalone app that is spawned by Firefox and communicates with Firefox via stdin/stdout.
The native messaging web application is successfully able to sign some text, asking for the user's PIN to do so.
When the response is given back to Firefox, the session that Firefox has with the smartcard breaks, and the response cannot be sent back upstream to the server.
It appears that the native messaging web application is doing something to the smartcard that breaks Firefox, a totally separate application.
Is the code involved doing something wrong, or is this a bug in opensc?
Code that does the login before the signing:
https://source.redwax.eu/projects/RST/repos/redwax-signtext/browse/src/linux/crypto.c#1082
Code that does the logout after the signing, ready to sign the next text:
https://source.redwax.eu/projects/RST/repos/redwax-signtext/browse/src/linux/crypto.c#641
Proposed Resolution
Application A doesn't break application B.