Commit 22f9ad7 breaks cert login on Firefox #849
Comments
|
NSS shouldn't be using a non-standard method to identify objects; it should conform to RFC7512. This is partly fixed by patches filed in Mozilla bug 1162897 so at least things like curl will work with I'd be interested to know how this is failing in Firefox... having enumerated the certificates to use and shown them in a GUI, is it somehow remembering that choice purely by nickname? If so, let's file a Firefox bug too and make sure it's changed to use the RFC7512 identifier instead. |
If I remember correctly the call chain looks like this: Earlier in CERT_FindUserCertsByUsage() CERT_GetCertNicknames() was called to collect possible
Looks like FF certificate viewer does not use this codepath so all certificates were correctly presented |
Commit 22f9ad7 breaks certificate login on at least Firefox.
You can see in NSS source ( https://hg.mozilla.org/projects/nss/file/tip/lib/pk11wrap/pk11cert.c ) that
PK11_FindCertFromNickname() function uses ':' as a separator between PKCS#11 token name and
certificate nickname.
Example name that this function parses: "OpenPGP card (User PIN):Cardholder certificate",
commit 22f9ad7 changed it into "User PIN: OpenPGP card:Cardholder certificate".
Such name results in PK11_FindCertFromNickname() trying to locate PKCS#11 token with name of
"User PIN" which of course fails and so certificates on OpenSC token aren't available for login.
They are shown all right in FF certificate viewer, however as it does not use that function.
While it is understood that using magic separators is bad on NSS side it has been like that at least since year 2000 and this commit was only introduced in April so I think this will need to be changed on OpenSC side.
Other NSS-based software is likely also affected.
The text was updated successfully, but these errors were encountered: