opensc-pkcs11 in FireFox conflicting with closed-source PKCS11 provider


Alex Samorukov
Hi,

I am using OpenSC and pkcs11 with firefox to access some websites using
my personal certificate and it works pretty well. But also I do have a
card with proprietary pkcs11 driver. It works fine if FireFox is closed,
but if it is running it waits forever, probably trying to get exclusive
access. This card is not supported by OpenSC project, so for me it is a
little unclear why this happens. It seems that this provider is trying
to get some kind of exclusive access to pcscd and failing if it is not
possible.

Is it possible somehow to tell OpenSC to completely ignore this card
based on its ATR? Or any other recommendations to prevent this issue,
e.g. prevent firefox from auto scan? I am ready to send all the patches
if needed.


_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: opensc-pkcs11 in FireFox conflicting with closed-source PKCS11 provider

Mat Arge
Are you sure you are using opensc with firefox? I am asking, because Firefox
usually uses NSS to access smartcards.

cheers
Mat

On Wednesday 17. July 2013 10:27:06 Alex Samorukov wrote:

> Hi,
>
> I am using OpenSC and pkcs11 with firefox to access some websites using
> my personal certificate and it works pretty well. But also I do have a
> card with proprietary pkcs11 driver. It works fine if FireFox is closed,
> but if it is running it waits forever, probably trying to get exclusive
> access. This card is not supported by OpenSC project, so for me it is a
> little unclear why this happens. It seems that this provider is trying
> to get some kind of exclusive access to pcscd and failing if it is not
> possible.
>
> Is it possible somehow to tell OpenSC to completely ignore this card
> based on its ATR? Or any other recommendations to prevent this issue,
> e.g. prevent firefox from auto scan? I am ready to send all the patches
> if needed.

Re: opensc-pkcs11 in FireFox conflicting with closed-source PKCS11 provider

Alex Samorukov
On 07/17/2013 10:33 AM, Mat Arge wrote:
> Are you sure you are using opensc with firefox? I am asking, because Firefox
> usually uses NSS to access smartcards.
>
> cheers
> Mat

I am using /usr/lib/opensc-pkcs11.so which I added to NSS using FF
configuration, so yes, of course I am sure. Problem is that when firefox
is running it is preventing the other, proprietary PKCS11 driver from accessing
the card, and this specific card is not supported by OpenSC anyway, so I
have no idea why it is blocked.


Re: opensc-pkcs11 in FireFox conflicting with closed-source PKCS11 provider

Mat Arge
On Wednesday 17. July 2013 11:16:39 Alex Samorukov wrote:

> On 07/17/2013 10:33 AM, Mat Arge wrote:
> > Are you sure you are using opensc with firefox? I am asking, because
> > Firefox usually uses NSS to access smartcards.
> >
> > cheers
> > Mat
>
> I am using /usr/lib/opensc-pkcs11.so which I added to NSS using FF
> configuration, so yes, of course I am sure. Problem is that when firefox
> is running it is preventing the other, proprietary PKCS11 driver from accessing
> the card, and this specific card is not supported by OpenSC anyway, so I
> have no idea why it is blocked.

But you said before, that your card is not supported by opensc. Or are you
talking about two different smartcards?


Re: opensc-pkcs11 in FireFox conflicting with closed-source PKCS11 provider

Alex Samorukov
On 07/17/2013 11:31 AM, Mat Arge wrote:
>> I am using /usr/lib/opensc-pkcs11.so which I added to NSS using FF
>> configuration, so yes, of course I am sure. Problem is that when firefox
>> is running it is preventing the other, proprietary PKCS11 driver from accessing
>> the card, and this specific card is not supported by OpenSC anyway, so I
>> have no idea why it is blocked.
> But you said before, that your card is not supported by opensc. Or are you
> talking about two different smartcards?

Yes, I have a lot of cards. Most of them are supported by OpenSC and
that's why I need this OpenSC-PKCS11 driver in the browser. But also I do
have a card which is not supported by opensc and uses its own PKCS11
library. Problem is that if FF is running I am unable to use this
driver. I posted a dump of the failed session (using OpenSC PKCS#11 spy)
to http://pastebin.com/8s9ErZJ1 . It starts to work very slowly on
C_Initialize and finally dies on C_OpenSession. If FF is closed
everything works well. So I assume that for some reason opensc-pkcs11.so
with FF is locking this card and I want to fix that.



Re: opensc-pkcs11 in FireFox conflicting with closed-source PKCS11 provider

Douglas E. Engert
In reply to this post by Mat Arge


On 7/17/2013 3:33 AM, Mat Arge wrote:
> Are you sure you are using opensc with firefox? I am asking, because Firefox
> usually uses NSS to access smartcards.

Yes, Firefox uses NSS. The NSS "Security Devices" are PKCS#11 shared libs or dlls.
Thus NSS can load multiple PKCS#11 libs, for different cards.


>
> cheers
> Mat
>
> On Wednesday 17. July 2013 10:27:06 Alex Samorukov wrote:
>> Hi,
>>
>> I am using OpenSC and pkcs11 with firefox to access some websites using
>> my personal certificate and it works pretty well. But also I do have a
>> card with proprietary pkcs11 driver. It works fine if FireFox is closed,
>> but if it is running it waits forever, probably trying to get exclusive
>> access. This card is not supported by OpenSC project, so for me it is a
>> little unclear why this happens. It seems that this provider is trying
>> to get some kind of exclusive access to pcscd and failing if it is not
>> possible.
>>
>> Is it possible somehow to tell OpenSC to completely ignore this card
>> based on its ATR? Or any other recommendations to prevent this issue,
>> e.g. prevent firefox from auto scan? I am ready to send all the patches
>> if needed.

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


Re: opensc-pkcs11 in FireFox conflicting with closed-source PKCS11 provider

Douglas E. Engert
In reply to this post by Alex Samorukov


On 7/17/2013 3:27 AM, Alex Samorukov wrote:

> Hi,
>
> I am using OpenSC and pkcs11 with firefox to access some websites using
> my personal certificate and it works pretty well. But also I do have a
> card with proprietary pkcs11 driver. It works fine if FireFox is closed,
> but if it is running it waits forever, probably trying to get exclusive
> access. This card is not supported by OpenSC project, so for me it is a
> little unclear why this happens. It seems that this provider is trying
> to get some kind of exclusive access to pcscd and failing if it is not
> possible.

Do you have both OpenSC PKCS#11 and the vendor's PKCS#11 libs/dlls
loaded as "Security Devices" in FireFox?

What order?

If both are defined, and the card is inserted, what does the
FireFox-> options-> Advanced-> Security Devices show for each of
the loaded PKCS#11 modules?

>
> Is it possible somehow to tell OpenSC to completely ignore this card
> based on its ATR? Or any other recommendations to prevent this issue,
> e.g. prevent firefox from auto scan? I am ready to send all the patches
> if needed.

An OpenSC trace, by changing the debug= in the opensc.conf would also help.
It sounds like OpenSC is trying to determine if it can support the card.
It would help show where OpenSC is failing to get access to the card.

Your suggestion of a list of ATRs to ignore is an excellent idea.
It could solve your problem, as well as allow NSS to use a vendor's PKCS#11
even if the card is supported by OpenSC.


Re: opensc-pkcs11 in FireFox conflicting with closed-source PKCS11 provider

Alex Samorukov
On 07/17/2013 06:28 PM, Douglas E. Engert wrote:

>> I am using OpenSC and pkcs11 with firefox to access some websites using
>> my personal certificate and it works pretty well. But also I do have a
>> card with proprietary pkcs11 driver. It works fine if FireFox is closed,
>> but if it is running it waits forever, probably trying to get exclusive
>> access. This card is not supported by OpenSC project, so for me it is a
>> little unclear why this happens. It seems that this provider is trying
>> to get some kind of exclusive access to pcscd and failing if it is not
>> possible.
> Do you have both OpenSC PKCS#11 and the vendor's PKCS#11 libs/dlls
> loaded as "Security Devices" in FireFox?
>
> What order?
>
> If both are defined, and the card is inserted, what does the
> FireFox-> options-> Advanced-> Security Devices show for each of
> the loaded PKCS#11 modules?

No, in NSS only OpenSC PKCS11 is connected. Second library is used by
proprietary software, without web browser. I have found that Firefox and
OpenSC PKCS11 are using a polling loop to get updates from readers and this
is probably preventing the second lib from working correctly. Not 100% sure
yet, but it's very likely.

>> Is it possible somehow to tell OpenSC to completely ignore this card
>> based on its ATR? Or any other recommendations to prevent this issue,
>> e.g. prevent firefox from auto scan? I am ready to send all the patches
>> if needed.
> An OpenSC trace, by changing the debug= in the opensc.conf would also help.
> It sounds like OpenSC is trying to determine if it can support the card.
> It would help show where OpenSC is failing to get access to the card.
>
> Your suggestion of a list of ATRs to ignore is an excellent idea.
> It could solve your problem, as well as allow NSS to use a vendor's PKCS#11
> even if the card is supported by OpenSC.

Thanks, I hope it will be implemented. I am ready to do any testing if
needed. Also it would be great if anyone would fix this polling loop from
FF NSS, it seems to be very non optimal.

I also have another, unrelated issue - in 0.13 NSS is not working with
FF, it asks for password but is not showing any certificates in the list.
Now I'm using 0.12.2 and it works very well.


Re: opensc-pkcs11 in FireFox conflicting with closed-source PKCS11 provider

Alex Samorukov
In reply to this post by Douglas E. Engert
On 07/17/2013 06:28 PM, Douglas E. Engert wrote:
> ccess to the card.
>
> Your suggestion of a list of ATRs to ignore is an excellent idea.
> It could solve your problem, as well as allow NSS to use a vendor's PKCS#11
> even if the card is supported by OpenSC.

This bug was affecting and annoying me, so I decided to write a patch
[1]. Could you please take a look and commit if possible?
This works for me, at least.

[1] https://github.com/OpenSC/OpenSC/pull/175


Re: opensc-pkcs11 in FireFox conflicting with closed-source PKCS11 provider

Ludovic Rousseau
In reply to this post by Alex Samorukov
Hello,

2013/7/17 Alex Samorukov <[hidden email]>:

> On 07/17/2013 11:31 AM, Mat Arge wrote:
>> I am using /usr/lib/opensc-pkcs11.so which I added to NSS using FF
>> configuration, so yes, of course I am sure. Problem is that when firefox
>> is running it is preventing the other, proprietary PKCS11 driver from accessing
>> the card, and this specific card is not supported by OpenSC anyway, so I
>> have no idea why it is blocked.
>> But you said before, that your card is not supported by opensc. Or are you
>> talking about two different smartcards?
>
> Yes, I have a lot of cards. Most of them are supported by OpenSC and
> that's why I need this OpenSC-PKCS11 driver in the browser. But also I do
> have a card which is not supported by opensc and uses its own PKCS11
> library. Problem is that if FF is running I am unable to use this
> driver. I posted a dump of the failed session (using OpenSC PKCS#11 spy)
> to http://pastebin.com/8s9ErZJ1 . It starts to work very slowly on
> C_Initialize and finally dies on C_OpenSession. If FF is closed
> everything works well. So I assume that for some reason opensc-pkcs11.so
> with FF is locking this card and I want to fix that.

It may be a bug in OpenSC that does not free some PC/SC resources.

Can you use PC/SC spy and generate a logfile as documented in [1]
and send it?
To configure the spy with OpenSC you may have to edit /etc/opensc.conf and set:
provider_library = /usr/lib/libpcscspy.so

Bye

--
 Dr. Ludovic Rousseau


Re: opensc-pkcs11 in FireFox conflicting with closed-source PKCS11 provider

Alex Samorukov
On 08/03/2013 11:14 AM, Ludovic Rousseau wrote:
> It may be a bug in OpenSC that does not free some PC/SC resources.
>
> Can you use PC/SC spy and generate a logfile as documented in [1]
> and send it?
> To configure the spy with OpenSC you may have to edit /etc/opensc.conf and set:
> provider_library = /usr/lib/libpcscspy.so

This is now fixed in trunk, by a recent commit. The problem was that the default
driver was trying to detect the card and it was busy. The PKCS11 plugin for the
non-OpenSC-compatible card was not trying to open the card if it had the
"IN USE" flag.

The solution was to ignore unknown cards in OpenSC, with some exceptions.
Commit 1a9729 works for me.
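
The contention described in this thread, modelled in a few functions. This is an added example, not part of the thread and not OpenSC's code or the commit mentioned above: one library probes cards to see whether it can drive them, and a second library declines any card whose PC/SC reader state is already flagged in use. The ATR pattern struct, the sample ATR bytes and every function name are assumptions constructed for illustration; only the `SCARD_STATE_*` values come from the PC/SC API.

```c
#include <stdio.h>
#include <stddef.h>

/* PC/SC reader-state bits, values as defined by the PC/SC API (pcsc-lite). */
#define SCARD_STATE_PRESENT   0x0020UL
#define SCARD_STATE_EXCLUSIVE 0x0080UL
#define SCARD_STATE_INUSE     0x0100UL

/* Hypothetical ATR pattern: a card matches when (atr & mask) == (value & mask). */
struct atr_pattern { size_t len; unsigned char value[33], mask[33]; };

/* Constructed sample data, not ATRs of real cards. */
static const struct atr_pattern KNOWN[] = {
    { 4, {0x3B, 0x02, 0x14, 0x50}, {0xFF, 0xFF, 0xFF, 0x00} }, /* last byte is a wildcard */
};
static const unsigned char SUPPORTED_ATR[] = {0x3B, 0x02, 0x14, 0x77};
static const unsigned char VENDOR_ATR[]    = {0x3B, 0x02, 0x99, 0x99};

static int atr_matches(const struct atr_pattern *p, const unsigned char *atr, size_t len)
{
    if (len != p->len)
        return 0;
    for (size_t i = 0; i < len; i++)
        if ((atr[i] & p->mask[i]) != (p->value[i] & p->mask[i]))
            return 0;
    return 1;
}

/* Scanning library: with probe_unknown set it connects to every card to find
 * out whether it can drive it; otherwise it leaves unrecognised ATRs alone. */
int scanner_connects(int probe_unknown, const unsigned char *atr, size_t len)
{
    for (size_t i = 0; i < sizeof KNOWN / sizeof KNOWN[0]; i++)
        if (atr_matches(&KNOWN[i], atr, len))
            return 1;
    return probe_unknown;
}

/* Reader state a second client sees: a shared connection held by the
 * scanner is reported to everyone else as SCARD_STATE_INUSE. */
unsigned long state_seen_by_others(int scanner_connected)
{
    return SCARD_STATE_PRESENT | (scanner_connected ? SCARD_STATE_INUSE : 0UL);
}

/* Second library, modelled on the thread's description: it does not try to
 * open a card that is already flagged in use. */
int vendor_will_open(unsigned long state)
{
    if (!(state & SCARD_STATE_PRESENT))
        return 0;
    return !(state & (SCARD_STATE_INUSE | SCARD_STATE_EXCLUSIVE));
}

/* End to end: can the second library reach this card while the scanner runs? */
int vendor_can_use(int probe_unknown, const unsigned char *atr, size_t len)
{
    return vendor_will_open(state_seen_by_others(scanner_connects(probe_unknown, atr, len)));
}

int main(void)
{
    printf("probe unknown cards : vendor card usable = %d\n", vendor_can_use(1, VENDOR_ATR, sizeof VENDOR_ATR));
    printf("ignore unknown cards: vendor card usable = %d\n", vendor_can_use(0, VENDOR_ATR, sizeof VENDOR_ATR));
    printf("supported card still claimed by scanner = %d\n", scanner_connects(0, SUPPORTED_ATR, sizeof SUPPORTED_ATR));
    return 0;
}
```

On a live system the same state bits can be read per reader with `SCardGetStatusChange` from pcsc-lite to confirm which process is holding a card.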
