Starred by 129 users

Status: Started
OS: Linux
Pri: 2
Type: Bug

Chrome interaction with smart cards in Linux
Reported by xleon.m...@gmail.com, Apr 20 2010
Chrome Version (from the about:version page): 5.0.382.0 (Developer Build 44999) Ubuntu
Is this the most recent version: Yes
OS + version: Ubuntu Karmic Koala (9.10)
CPU architecture (32-bit / 64-bit): 32-bit
Window manager: Gnome
URLs (if relevant):
Behavior in Linux Firefox: OK
Behavior in Windows Chrome (if you have access to it): OK

What steps will reproduce the problem?
1. Enter a website which requests a user certificate (which I have stored 
in a PKCS#11 compliant smart card)

What is the expected result?
The browser asks you for the pin of the smart card and the authentication 
is successful.

What happens instead?
The browser does not ask for the pin and the authentication fails.

Some background and debugging...

1. I have configured NSS adding the corresponding PKCS#11 modules. Attached 
the output (modutil-output.txt) of the command "modutil -list -dbdir 
.pki/nssdb" which lists the crypto modules installed. You can see the "3. 
DNI-e PKCS#11 Module" which is the one used by firefox to make my card 
work. So NSS is configured correctly in principle.

2. When I try to list the certificates through NSS I use the following 
command: 
Command: certutil -L -d .pki/nssdb/ 
Output:  certutil-BAD-output.txt 

This command shows the certificates stored in the database... As you can 
see, the output is empty (no certificates returned).

3. I try to list the certificates through NSS specifying a specific crypto 
token (instead of the default which is "internal") with the option -h:

Command: certutil -L -d .pki/nssdb/ -h "all"
Output:  certutil-OK-output.txt

This command shows the certificates stored in the database specifying the 
token to look at. As you can see, NOW the certutil command asks for the pin 
of my smartcard and shows the certificates stored in there.

I guess chrome asks for the default token to NSS and, as it does not return 
any certificate, the authentication fails.

If you need any more information which could point you to the right 
direction, I would be happy to provide it.
 
Attachments: certutil-BAD-output.txt (258 bytes), modutil-output.txt (1.1 KB), certutil-OK-output.txt (567 bytes)
Comment 1 by evan@chromium.org, Apr 22 2010
Assigning to the NSS expert.
Hi, this bug has no priority yet. Is it usually that way? I still need Firefox to pay 
my taxes without spending hours in the tax office :p I guess there is still few people 
using smart cards in linux? --sorry for the useless comment, it was just sort of a 
bump.
Bug confirmed in Ubuntu 10.04

~/.pki/nssdb$ modutil -list -dbdir .

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB

  2. Root Certs
	library name: ./libnssckbi.so
	 slots: 1 slot attached
	status: loaded

	 slot: NSS Builtin Objects
	token: Builtin Object Token

  3. izenpe
	library name: /usr/lib/opensc-pkcs11.so
	 slots: 16 slots attached
	status: loaded

	 slot: Gemplus GemPC Twin 00 00
	token: IZENPE-TSE

	 slot: Gemplus GemPC Twin 00 00
	token: 

	 slot: Gemplus GemPC Twin 00 00
	token: 

	 slot: Gemplus GemPC Twin 00 00
	token: 

The browser is NOT asking for the PIN and the authentication fails.
Comment 4 by wtc@chromium.org, May 24 2010
Labels: -Area-Undefined Area-Internals Internals-Network Mstone-6 Pri-2
Status: Assigned
Thanks for the bug report.  I think this is because Chrome doesn't
provide a password callback function for NSS.  See
http://mxr.mozilla.org/mozilla-central/ident?i=PK11_SetPasswordFunc
http://mxr.mozilla.org/mozilla-central/ident?i=PK11PasswordPrompt
Google Chrome version was:

Google Chrome	6.0.408.1 (Build oficial 47574) dev
Comment 6 by tuuleh...@gmail.com, May 26 2010
"I guess there is still few people using smart cards in linux?"

Most of Estonian people are using it, since it's our national ID card to identify 
yourself in various portals.

https://id.eesti.ee/idtrac/wiki/ArendajaSissejuhatus
https://id.eesti.ee/idtrac/wiki/SysteemiKirjeldus
Comment 7 by tuuleh...@gmail.com, May 26 2010
...and linux is becoming more and more popular here, because it's free.
Comment 8 Deleted
Most agreed with above comments.

Furthermore, similar eID smart cards are in use in Finland, Belgium, Portugal and Lithuania. 
There are already eGov establishments that work across these EU countries and there's 
no reason it shouldn't make it into the official European eID standard.

Even though this deals with Linux support only, Mac OS X support tackles similar issues, 
see http://code.google.com/p/chromium/issues/detail?id=44075 I reported some time ago.
Also Spanish and Basque governments are using it, and the services that support smart
card are becoming more and more popular.
Comment 11 by evan@chromium.org, Jun 7 2010
Labels: HelpWanted
Comment 12 by wtc@chromium.org, Jun 22 2010
Labels: -Mstone-6 Mstone-7
Which kind of help are you looking for in order to get it done for mstone6?
Comment 14 by wtc@chromium.org, Jun 22 2010
xleon.mail: we're looking for a programmer affected by this bug to write a patch for
Chromium.  I gave some hints in comment 4 on what needs to be done.

Note: davidben will work on this bug this summer.
Labels: -Mstone-7 Mstone-8
Status: Started
Started hooking up callback in http://codereview.chromium.org/3186021/show

Moving this to Mstone-8. I'll either make CLs with the other unfinished branches (started over several times), or (hopefully) just finish a first revision and put it up for review at some point.

If I'm not the one to finish this, I'll document some stuff: The primary difficulty here is that NSS expects a blocking callback for the password function, and it is not always easy to predict where NSS will attempt to authenticate. Because we do not place every SSL connection on a worker thread, we cannot block the IO thread on the UI thread for each of these. As such, each potential call will need to be specially handled, usually via one of two approaches:

1. Move the piece that calls the function onto a worker thread and use a callback which blocks on the UI thread.

2. If we can predict which slot will be authenticated, we can query ourselves whether authentication will be required, asynchronously request a password ourselves, and pass to PK11_CheckUserPassword ourselves. This will require us to reimplement the (trivial) retry loop that NSS does. (I believe in PK11_DoPassword?)

Authenticating to list certificates for "unfriendly" stores in NSS will be particularly difficult; that code currently runs within the GetClientDataHook callback in NSS's SSL implementation. Long-term, we probably want to move the certificate filtering completely out of the socket implementation, but, short-term, it would be good to avoid making the SSLClientSocketNSS state machine different on Linux from the other two platforms, so I think it's best to simply not support it for now.

For friendly certificates, we should only require authenticating after certificate selection to obtain the private key. That can be done browser-side before continuing the request instead of within the GetClientDataHook callback.

A final subtlety lies in stores with a protected authentication path. To authenticate to those, call C_Login with NULL parameters. The call blocks until the user has made an authentication attempt. Since PK11_CheckUserPassword will automatically NULL arguments to C_Login for protected authentication, we must correctly detect them to avoid blocking. The first implementation can probably fail in that case and not support them. Adding support later should be fairly simple; instead of displaying a dialog, spawn a worker thread to do PK11_CheckUserPassword while displaying a dialog instructing the user to authenticate to the smart card. In the blocking callback codepath, one also calls PK11_CheckUserPassword and returns one of two magic strings as the password to control the retry loop.

(There's also the nuisance that one of the instances where we will authenticate (keygen) does not currently have enough information to display a tab-constrained dialog; WebKit never passes us the relevant tab responsible. That interface should be fixed anyway, as it currently blocks the renderer. The first implementation will probably just open a normal dialog for simplicity.)
Labels: -Mstone-8 Mstone-X
Moving this to Mstone-X as I don't really have time to finish it for Mstone-8. :-(

So, another trouble that I've run into was that, as noted above, WebKit does not give enough information for the keygen request to be a routed IPC, so you don't know which RenderViewHost is requesting the key, just the RenderProcessHost. But StopHangMonitorTimeout and friends are methods of the RVH, so I can't really stop the hang monitor. Chromium will incorrectly report a tab as hung if it's waiting for a password. We actually have this problem on OS X as well. If you lock your Keychain before generating a key, you get a password dialog that too may trigger a hung tab dialog.

Wan-teh, who should I talk to to get involved with WebKit from the Chromium end? We probably should just fix the WebKit end of keygen instead of coming up with worse and worse compromises for keygen. Although, I guess a first implementation could just not support drawing the dialog on keygen.
Comment 17 by wtc@chromium.org, Oct 9 2010
davidben: I suggest that you talk to abarth about the WebKit changes.

But, this bug is not about <keygen>.  This is about adding the NSS
password dialog on Linux.
Right. One of the places where we'll need the NSS password dialog is <keygen>, but that's difficult because of the way WebKit implements keygen; it doesn't give Chromium enough information to hook the password dialog properly.
Comment 19 by wtc@chromium.org, Nov 17 2010
Labels: -Mstone-X -Pri-2 -HelpWanted Mstone-10 Pri-1
Status: Assigned
Comment 20 by wtc@chromium.org, Nov 17 2010
mattm: two NSS functions to look at are:

1. http://mxr.mozilla.org/mozilla-central/ident?i=PK11_SetPasswordFunc

This gives some examples of NSS password callbacks.  In particular,
Mozilla's password callback is
http://mxr.mozilla.org/mozilla-central/ident?i=PK11PasswordPrompt

2. http://mxr.mozilla.org/mozilla-central/ident?i=PK11_DoPassword

This shows how NSS uses the password callback.

A "protected auth path" token is a token that has its own key pad
for entering the password.  NSS handles such tokens specially.

davidben described possible ways to avoid blocking the IO thread
by password input in comment 15.

Let me know if you have any questions.
Comment 21 by mattm@chromium.org, Nov 18 2010
Status: Started
Project Member Comment 22 by bugdroid1@chromium.org, Jan 13 2011
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=71281

------------------------------------------------------------------------
r71281 | mattm@chromium.org | Wed Jan 12 17:48:43 PST 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/cert_database_nss.cc?r1=71281&r2=71280&pathrev=71281
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/dom_ui/options/certificate_manager_handler.h?r1=71281&r2=71280&pathrev=71281
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/certificate_manager_model.h?r1=71281&r2=71280&pathrev=71281
 A http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/pk11_password_dialog_nss.cc?r1=71281&r2=71280&pathrev=71281
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/third_party/mozilla_security_manager/nsKeygenHandler.h?r1=71281&r2=71280&pathrev=71281
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/net.gyp?r1=71281&r2=71280&pathrev=71281
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/certificate_manager_model.cc?r1=71281&r2=71280&pathrev=71281
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/dom_ui/options/certificate_manager_handler.cc?r1=71281&r2=71280&pathrev=71281
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/renderer_host/render_message_filter.cc?r1=71281&r2=71280&pathrev=71281
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/cert_database_nss_unittest.cc?r1=71281&r2=71280&pathrev=71281
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/keygen_handler_nss.cc?r1=71281&r2=71280&pathrev=71281
 A http://src.chromium.org/viewvc/chrome/trunk/src/net/base/crypto_module_nss.cc?r1=71281&r2=71280&pathrev=71281
 A http://src.chromium.org/viewvc/chrome/trunk/src/net/base/crypto_module.h?r1=71281&r2=71280&pathrev=71281
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp?r1=71281&r2=71280&pathrev=71281
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/keygen_handler.h?r1=71281&r2=71280&pathrev=71281
 A http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/gtk/pk11_password_dialog.cc?r1=71281&r2=71280&pathrev=71281
 M http://src.chromium.org/viewvc/chrome/trunk/src/base/nss_util.cc?r1=71281&r2=71280&pathrev=71281
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/app/generated_resources.grd?r1=71281&r2=71280&pathrev=71281
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/third_party/mozilla_security_manager/nsPKCS12Blob.h?r1=71281&r2=71280&pathrev=71281
 A http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/pk11_password_dialog.h?r1=71281&r2=71280&pathrev=71281
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/chrome_browser.gypi?r1=71281&r2=71280&pathrev=71281
 A http://src.chromium.org/viewvc/chrome/trunk/src/base/crypto/pk11_blocking_password_delegate.h?r1=71281&r2=71280&pathrev=71281
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/cert_database.h?r1=71281&r2=71280&pathrev=71281
 A http://src.chromium.org/viewvc/chrome/trunk/src/net/base/keygen_handler.cc?r1=71281&r2=71280&pathrev=71281
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/gtk/ssl_client_certificate_selector.cc?r1=71281&r2=71280&pathrev=71281
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/third_party/mozilla_security_manager/nsKeygenHandler.cpp?r1=71281&r2=71280&pathrev=71281
 M http://src.chromium.org/viewvc/chrome/trunk/src/base/base.gypi?r1=71281&r2=71280&pathrev=71281

NSS: PKCS 11 password prompt.

This was based off of davidben's WIP cl http://codereview.chromium.org/3186021/show.

BUG=42073
TEST=add password to NSS DB with "certutil -d sql:.pki/nssdb -W", try client auth, <keygen>, cert manager

Review URL: http://codereview.chromium.org/5686002
------------------------------------------------------------------------
Project Member Comment 23 by bugdroid1@chromium.org, Jan 19 2011
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=71749

------------------------------------------------------------------------
r71749 | mattm@chromium.org | Tue Jan 18 19:01:23 PST 2011

Changed paths:
 D http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/gtk/pk11_password_dialog.cc?r1=71749&r2=71748&pathrev=71749
 D http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/pk11_password_dialog_nss.cc?r1=71749&r2=71748&pathrev=71749
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/dom_ui/options/certificate_manager_handler.cc?r1=71749&r2=71748&pathrev=71749
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/renderer_host/render_message_filter.cc?r1=71749&r2=71748&pathrev=71749
 A http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/crypto_module_password_dialog_openssl.cc?r1=71749&r2=71748&pathrev=71749 (from /trunk/src/chrome/browser/ui/pk11_password_dialog_openssl.cc revision 71748)
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/gtk/ssl_client_certificate_selector.cc?r1=71749&r2=71748&pathrev=71749
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/keygen_handler_nss.cc?r1=71749&r2=71748&pathrev=71749
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/keygen_handler.h?r1=71749&r2=71748&pathrev=71749
 D http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/pk11_password_dialog_openssl.cc?r1=71749&r2=71748&pathrev=71749
 M http://src.chromium.org/viewvc/chrome/trunk/src/base/nss_util.cc?r1=71749&r2=71748&pathrev=71749
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/app/generated_resources.grd?r1=71749&r2=71748&pathrev=71749
 A http://src.chromium.org/viewvc/chrome/trunk/src/base/crypto/crypto_module_blocking_password_delegate.h?r1=71749&r2=71748&pathrev=71749 (from /trunk/src/base/crypto/pk11_blocking_password_delegate.h revision 71748)
 D http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/pk11_password_dialog.h?r1=71749&r2=71748&pathrev=71749
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/chrome_browser.gypi?r1=71749&r2=71748&pathrev=71749
 D http://src.chromium.org/viewvc/chrome/trunk/src/base/crypto/pk11_blocking_password_delegate.h?r1=71749&r2=71748&pathrev=71749
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/keygen_handler.cc?r1=71749&r2=71748&pathrev=71749
 A http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/crypto_module_password_dialog_nss.cc?r1=71749&r2=71748&pathrev=71749 (from /trunk/src/chrome/browser/ui/pk11_password_dialog_nss.cc revision 71748)
 A http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/gtk/crypto_module_password_dialog.cc?r1=71749&r2=71748&pathrev=71749 (from /trunk/src/chrome/browser/ui/gtk/pk11_password_dialog.cc revision 71748)
 A http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/crypto_module_password_dialog.h?r1=71749&r2=71748&pathrev=71749 (from /trunk/src/chrome/browser/ui/pk11_password_dialog.h revision 71748)
 M http://src.chromium.org/viewvc/chrome/trunk/src/base/base.gypi?r1=71749&r2=71748&pathrev=71749

Cleanup for r71281: replace usage of "pk11" with "pkcs11" or "crypto module", as appropriate.

BUG=42073
TEST=manual,trybotss

Review URL: http://codereview.chromium.org/6303004
------------------------------------------------------------------------
Hey Matt,

Looks like there were some changes here, is this fixed?
Comment 25 by mattm@chromium.org, Jan 24 2011
There are still a few parts left:

1) Handle devices which use protected auth path (keypad on the device itself).
2) UI for choosing which device to use for creating/importing a cert/key.
3) Prefs UI for configuring devices.

They don't all necessarily need to get done in the same milestone.
Comment 26 by mattm@chromium.org, Jan 24 2011
The current change should be sufficient to address the original reported issue, so I'll create separate bugs for the other parts.

I don't have a smartcard to test with, so I would appreciate if the original reporter or someone else who has starred the bug could test with the latest Linux dev channel release and verify that the issue is fixed for you.
Comment 28 by sco.x...@gmail.com, Jan 24 2011
I think that something is still missing. I tried to add the opensc library in pkcs11.txt in ~/.pki/nssdb (using modutil had no success and I don't know if it's possible to add a device with certutil). Now when I run chromium I see in the certificate manager the personal certificates which are stored in the smartcard device. But when I open a page with cert authorization I'm not asked for the PIN and authorization fails. If I lock nssdb with a password everything is OK (one issue is that if I import a new certificate on the hard drive, I have to restart chromium - without a restart authorization fails too...).
Comment 29 by wtc@chromium.org, Jan 25 2011
Labels: -Mstone-10 Mstone-11
sco.x...: thank you for the report.  modutil is the command to
use to add a PKCS #11 library to ~/.pki/nssdb/pkcs11.txt.  To
eliminate the possibility that you added the opensc library to
~/.pki/nssdb/pkcs11.txt incorrectly, could you please try the
following command?

    modutil -dbdir sql:$HOME/.pki/nssdb -add "My smart card" -libfile /path/to/opensc/library

For more info on modutil, please see
http://www.mozilla.org/projects/security/pki/nss/tools/modutil.html#1042489
Last chrome dev: 10.0.642.2 dev

I'm the original reporter of the bug. I tested it but unfortunately it doesn't work for me. I have added the corresponding pkcs#11 lib with the following command:

modutil -dbdir sql:$HOME/.pki/nssdb -add "My Card" -libfile /usr/lib/opensc-pkcs11.so

I also added the corresponding certificate authorities... 

In the certificate manager, under personal certificate, it only shows an intermediate certificate authority (not my personal certificates). If I try to export this certificate, it asks me for the PIN but it fails to export. After that, my personal certificates are shown correctly (sign and auth) but I cannot export them. Besides, every time I try to login to a webpage which asks for a certificate, the page does not load and hangs... nothing else.

I already tried to delete the nssdb and recreate it in case I messed the db last time.

The smart card is from the Spanish government in case somebody else is in the same situation.

Any hint on what info do you need to debug this?
Comment 31 by wtc@chromium.org, Jan 25 2011
xleon.m...: thanks for your report.  These two reports confirmed that
although the code can handle the NSS software crypto device (when
protected with a password), it still cannot handle a real smart card.

The best way for us to debug this is to get a real smart card.  mattm
and I will look into that.
Comment 32 by sco.x...@gmail.com, Jan 26 2011
Hi,
doesn't work for me too. I tried to add pkcs11 module with the modutil command and the result is the same as if I edit pkcs11.txt manually - I can see personal certificates but I'm not asked for the pin and then authentication failed.
Comment 33 by screa...@gmail.com, Jan 28 2011
I'd love to help you testing.

I am running 10.0.650.0 (72596) on Ubuntu 10.10. My Estonian ID card is being recognized by my system without any problems. It works in Firefox (though I installed some Firefox plugin http://habreffect.ru/files/1c4/ea14a235e/screenshot1.png) but doesn't work in Chromium.

Let me know if i can provide you any information.
I tried with Chromium 11.0.658.0 (73582) Ubuntu 10.04, Gemplus reader, CoolKey middleware, and a US Dept of Defense Common Access Card... with similar results to other testers.  

The certificate manager dialog will show my certs, and prompts for pin on export, but then reports "Unknown error." 

Connecting to a web site that requires a cert does not prompt for pin and fails to authenticate.


Comment 35 by feni...@gmail.com, Mar 1 2011
Ubuntu 10.10  Chrome 11.0.686.0 dev
Tested with Aladdin eToken PRO Java 72K OS755
Connecting to a web site that requires a cert does not prompt for pin and fails to authenticate.

Project Member Comment 36 by bugdroid1@chromium.org, Mar 5 2011
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=77024

------------------------------------------------------------------------
r77024 | mattm@chromium.org | Fri Mar 04 18:20:44 PST 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/cert_database_nss.cc?r1=77024&r2=77023&pathrev=77024
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/certificate_manager_model.cc?r1=77024&r2=77023&pathrev=77024
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/app/generated_resources.grd?r1=77024&r2=77023&pathrev=77024
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/certificate_manager_model.h?r1=77024&r2=77023&pathrev=77024
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/crypto_module_password_dialog_openssl.cc?r1=77024&r2=77023&pathrev=77024
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/cert_database.h?r1=77024&r2=77023&pathrev=77024
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/webui/options/certificate_manager_handler.cc?r1=77024&r2=77023&pathrev=77024
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/cert_database_openssl.cc?r1=77024&r2=77023&pathrev=77024
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/crypto_module_password_dialog_nss.cc?r1=77024&r2=77023&pathrev=77024
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/gtk/crypto_module_password_dialog.cc?r1=77024&r2=77023&pathrev=77024
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/crypto_module_password_dialog.h?r1=77024&r2=77023&pathrev=77024

NSS: Unlock crypto devices when populating cert manager.

BUG=42073
TEST=try to use cert manager with "unfriendly" device.

Review URL: http://codereview.chromium.org/6580058
------------------------------------------------------------------------
Comment 37 by wtc@chromium.org, Mar 7 2011
Labels: -Mstone-11 Mstone-12
Fedora 14 x86_64 / Chrome 11.0.696.12 dev
WORKS ! 
Reader: HID Omnikey 6121; smart card: Siemens

1. Go to Menu -> Preferences -> Under the bonnet -> Manage Certificates; Chrome asks for the PIN! (don't skip it!)
2. Close 'Manage Certificates'
3. Connect to a web site; Chrome will ask for a certificate!
(tested with the opensc module; ~/.pki/nssdb/pkcs11.txt contains:
library=/usr/lib64/opensc-pkcs11.so
name=OpenSC
)

11.0.696.12 (78147) Ubuntu 10.10 amd64
ACR38-U reader, Siemens smartcard
Also works.
First the user has to authorize to the smart card with the PIN via the prefs (as in comment 38), which is not straightforward. When a site requests client auth, the browser should present the user with the PIN dialogue.
However, it's a huge progress, congratulations!
Comment 40 by Deleted ...@, Mar 18 2011
12.0.707.0 (78659) Ubuntu 10.10 i386
Aladdin eToken Pro
Working too.
Comment 41 by feni...@gmail.com, Mar 18 2011
Every time when you re-open browser, you need to go into the preferences to enter a PIN. It's sad.
Comment 42 by mattm@chromium.org, Mar 18 2011
Hi everyone,
Thanks for your testing reports!  

I'm aware of the need for a PIN prompt before client auth, and have been working on a patch for that.  It's a bit deeper of a change so it's not quite ready yet.  Have patience. :)
Comment 43 by screa...@gmail.com, Mar 18 2011
I can't figure out where you should enter pin.
I am using an Estonian ID card and unfortunately, it doesn't prompt for my PIN.

Ubuntu 10.10
Comment 44 by mattm@chromium.org, Mar 18 2011
It doesn't prompt when you enter the certificate manager?  If you run "modutil -dbdir sql:$HOME/.pki/nssdb -list" does the card show up?  Keep in mind configuration firefox uses is not shared, if you need to add your device see the example in comment 29 & 30.
Comment 45 by mattm@chromium.org, Apr 15 2011
Labels: -Mstone-12 Mstone-13
Comment 46 by hotbe...@gmail.com, May 10 2011
I have the Belgian eID software and an ex-pats eID card running on Ubuntu 11.04

     modutil -dbdir sql:$HOME/.pki/nssdb -list
gives:

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB

  2. Root Certs
	library name: sql:/home/simon/.pki/nssdb/libnssckbi.so
	 slots: 1 slot attached
	status: loaded

	 slot: NSS Builtin Objects
	token: Builtin Object Token
==================================================================

None of this echoes much of the language of the certificate info that I can access with the reader app.
Comment 47 by mattm@chromium.org, May 10 2011
hotbe...: You'll need to add an appropriate PKCS #11 module using a modutil command like in Comment 29. 
Comment 48 by hotbe...@gmail.com, May 11 2011
Thanks, but I'm not sure what to substitute as "my smart card" - needless to say the card has numerous unique identifiers.

Meanwhile I discovered that opensc had not been installed yet by my Ubuntu distro (unless the Belgian eID middleware had installed it and now I have two copies) and only libopenct1 was installed (so I added openct as that came up in one of the intermediary error messages)
Comment 49 Deleted
Comment 50 by hotbe...@gmail.com, May 13 2011
However, once I installed opensc and openct, I discovered that the card reader did not work the next time I booted the computer (and this issue is confirmed in the readme that came with the middleware from the government)!

However, on closer inspection of the file that came with the middleware I found
 

         else if (navigator.platform.indexOf("Linux") >= 0)
            p11Lib = "/usr/local/lib/libbeidpkcs11.so";

        res = pkcs11.addmodule(p11Name, p11Lib, 0, 0);

I therefore tried this:

sudo modutil -dbdir sql:$HOME/.pki/nssdb -add "Belgium Identity Card PKCS#11" -libfile /usr/local/lib/libbeidpkcs11.so

and got

ERROR: Failed to add module "Belgium Identity Card PKCS#11". Probable cause : "security library: received bad data.".
Labels: -Pri-1 Pri-2
Labels: -Mstone-13 Mstone-14 MovedFrom13
Moving !type=meta|regression and !releaseblocker to next mstone
I just want to thank all of the devs and testers out there who are working on this issue.  This is a very important feature if Chromium/Chrome wants penetration onto  government desktops and devices.  Keep up the good work.
Comment 54 by Deleted ...@, Jul 8 2011
Hi!

I'm running 14.0.803.0-r90 and when I have logged in to my pkcs11 tokens with the certificate manager, and then point the browser to a site requesting a client certificate, I get the "choose certificate" dialog but after that the browser just errors out with "Error 2 (net::ERR_FAILED): Unknown error."

This had worked before but stopped working a couple of weeks ago.

I'm running the google-chrome-unstable builds on Ubuntu 10.04 and 11.10 Alpha2 with the same behavior.
Let me just also add that this smart card issue is not an issue with Chrome under MS Windows 7. Smart cards, the readers, and the certificates are handled by the OS, which is a new feature in W7.  When I use Chrome (W7 versions) to access a smart card authenticated web site, as long as the smart card is plugged in, the OS will ask for a PIN, using (what appears to be) the same dialogue box as what is presented if I were using IE. As long as the PIN is entered correctly and the website doesn't reject Chrome as a browser, there are not any access restrictions.

It seems like under Linux, we have something similar with the OpenSC, PCSC lite, and coolkey.  It appears from above Chrome is using NSS (from Mozilla).  Maybe we should look into using OpenSC, PCSC, and Coolkey.  Maybe we already are I just don't know what I am talking about.  Wish I knew more (like how to code)... (BTW currently working on that)

 


Comment 56 by sco.x...@gmail.com, Jul 15 2011
I think that Chrome under Windows is using the MS Crypto API (which has been there longer - not only in W7). It's quite similar to PKCS#11 and many smartcards come with a PKCS#11 library and a plugin for the MS Crypto API (without it, it's not working under IE for example). But OpenSC has only a PKCS#11 library (eh, there is an existing crypto API plugin for OpenSC but it's not working very well...) so I think it would be useful if Chrome supported PKCS#11 under Windows too.
Comment 57 by mattm@chromium.org, Jul 22 2011
Labels: Mstone-15
Labels: Mstone-16
Comment 59 by laforge@google.com, Oct 24 2011
Labels: -Mstone-16 MovedFrom-16 Mstone-17
Comment 60 by k...@google.com, Dec 19 2011
Labels: -Mstone-17 Mstone-18 MovedFrom-17
Moving bugs marked as Started but not blockers from M17 to M18.  Please move back if you think this is a blocker, and add the ReleaseBlock-Stable label.  If you're able.
Comment 61 by kareng@google.com, Feb 7 2012
Labels: MovedFrom18 Mstone-19
Since version 17, these lines in ~/.pki/nssdb/pkcs11.txt:

library=/usr/lib/libeToken.so.8
name=Etoken

have stopped working.

Comment 63 by mattm@chromium.org, Mar 13 2012
pdobryakov: Probably issue 114134. See if it works on the dev channel.
Yes, in version 19 all is OK.
Comment 65 by mattm@chromium.org, Mar 26 2012
Labels: -Mstone-19 Mstone-20
Labels: -Mstone-20 bulkmove MovedFrom-20 Mstone-21
M20 is about to sail in a couple of days. If this should be part of M20, add it back.
Hello,

I am desperate to get this working so I can finally ditch Firefox, as I have to use coolkey/cackey in Firefox to access sites with my CAC card.

cat pkcs11.txt 
library=/usr/lib64/libcackey_g.so
name=CAC Reader (DoD Configuration Extension)


I still am not prompted on these sites for my CAC card PIN, as I would be in Firefox. What do I need to do?
Comment 68 by mattm@chromium.org, Jun 20 2012
Labels: -Mstone-21 Mstone-22
Comment 69 Deleted
Comment 70 by Deleted ...@, Aug 14 2012
@H0wdyD3...@gmail.com

cat .pki/nssdb/pkcs11.txt

library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/home/xyz/.pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags=optimizeSpace updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})

library=/usr/lib/pkcs11/libcoolkeypk11.so
name=CAC Reader

###########################
Then go to Settings, Manage certificates, and voilà, coolkey should ask you for your PIN!
For me it started working today, when I upgraded chrome to Version 21.0.1180.77.
I also confirm that it's now working on Chrome 21.0.1180.77.

I'm using Ubuntu Precise Pangolin, an official card reader and the Portuguese national eID card!

cat .pki/nssdb/pkcs11.txt

library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/home/xyz/.pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags=optimizeSpace updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})

library=/usr/local/lib/libpteidpkcs11.so
name=CartaoDeCidadao

### Finally, I can start implementing an "all-smartcard-based" security environment at my company! Hurray!!!!!
Half works for me. Can't get to web-based email (military), but I can get to other sites. Seems to be related to which cert I use: the first one is for authentication and works fine, the second is for encryption (for webmail, etc.), but I can't log on with that one as I can in FF.
@comment 67: If you go to Settings (under the Wrench menu pre-Chrome 20, under the three-bars post-Chrome 20), click Show Advanced Settings, and then click Manage Certificates, you should be prompted for your cackey PIN. Then it should be usable for sites.

@comment 72: Can you file a new bug ( http://new.crbug.com ) and include the chrome://net-internals log, as described at https://sites.google.com/a/chromium.org/dev/for-testers/providing-network-details ?
@comment 73: yes, see issue 142845; log files are attached there.
This is not working for me in Chromium in Ubuntu 12.04 (18.0.1025.168 Developer Build 134367).

My card works properly in FF.

I ran this to add my card reader to the Chromium NSS DB:
modutil -dbdir sql:.pki/nssdb/ -add "Card Reader PKCS#11 Module" -libfile /usr/lib/opensc-pkcs11.so

$ modutil -dbdir sql:.pki/nssdb/ -list
  2. Card Reader PKCS#11 Module
        library name: /usr/lib/opensc-pkcs11.so
         slots: 2 slots attached
        status: loaded

         slot: Virtual hotplug slot
        token: 

         slot: SCM SCR 3340 ExpressCard54 [CCID Interface] (21221142204126) 00
        token: PIV_II (PIV Card Holder pin)
$  certutil -d sql:.pki/nssdb/ -L -h all

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "PIV_II (PIV Card Holder pin)":
<redacted intermediate cert name>                            c,,  
<redacted intermediate cert name>                            c,,  
PIV_II (PIV Card Holder pin):Certificate for PIV Authentication u,u,u
PIV_II (PIV Card Holder pin):Certificate for Digital Signature u,u,u
$

So, it looks to me like NSS is configured properly.

In Chromium, Settings -> Under the Hood -> Manage Certificates...
I am not prompted for a PIN, and there are no certificates listed under "Your Certificates".
I do see my intermediate certs listed under "Authorities", so I know it is reading the correct NSS DB.
If I go to a website that requires a cert, it just fails.
If I use the following to add my card reader:
modutil -dbdir sql:.pki/nssdb/ -add "Card Reader PKCS#11 Module" -libfile /usr/lib/opensc-pkcs11.so -mechanisms FRIENDLY -force

Then go to a website requiring a cert with Chromium, it pops up a cert selection dialog that lists my certificate.  However, clicking OK does nothing (the dialog doesn't go away).  I have to click Cancel to get it to close the dialog.

I also installed Chrome 21.0.1180.79, which seems to work perfectly fine.

Without '-mechanisms FRIENDLY', I have to go to Manage Certificates to get the PIN prompt.  With '-mechanisms FRIENDLY', it prompts me for my PIN after I click OK on the cert selection dialog.
(Sorry for all the messages)

I guess Chromium that comes with Ubuntu 12.04 is just too old.  I upgraded to Chromium 20.0.1132.47 from Ubuntu Quantal, and it behaves the same as Chrome.  (YAY!)
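The configuration steps spread across the thread (the per-user pkcs11.txt printed in comments 70 and 71, and the modutil registration with -mechanisms FRIENDLY -force from comment 76) can be wrapped in one script. The following is an added example, not code from this bug thread, from Chromium or from NSS: it audits ~/.pki/nssdb/pkcs11.txt for module entries whose library path no longer exists (the failure mode behind comments 62 and 91, where a vendor library path or token name changed), then registers a module the way comment 76 does, skipping the add if the library is already listed. The script name nss-token.sh, the NSSDB variable and the check/register subcommands are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the Chromium bug, Chromium or NSS): audit the module
# list in Chrome's per-user NSS database and register a PKCS#11 module with the
# FRIENDLY flag, as in comment 76. NSSDB defaults to Chrome's sql database.
NSSDB="${NSSDB:-$HOME/.pki/nssdb}"

# Print "name<TAB>library" for each module block of a pkcs11.txt file.
# Blocks are separated by blank lines; the NSS internal module has an empty
# library= line, which comes out as an empty second field.
pkcs11_modules() {
    awk '
        /^library=/ { lib = substr($0, 9) }
        /^name=/    { name = substr($0, 6) }
        /^$/        { if (name != "") printf "%s\t%s\n", name, lib; name = ""; lib = "" }
        END         { if (name != "") printf "%s\t%s\n", name, lib }
    ' "$1"
}

# Print the modules whose library= path does not exist on disk. NSS skips such
# a module silently, so the token never appears under Manage Certificates.
pkcs11_missing_libraries() {
    tab="$(printf '\t')"
    pkcs11_modules "$1" | while IFS="$tab" read -r name lib; do
        if [ -n "$lib" ] && [ ! -f "$lib" ]; then
            printf '%s\t%s\n' "$name" "$lib"
        fi
    done
}

# Register LIB under NAME in the sql NSS DB. FRIENDLY tells NSS the token's
# certificates are readable without a login, so Chrome can list them in the
# certificate chooser and only ask for the PIN when the private key is used.
# Needs modutil/certutil (libnss3-tools) and a running pcscd.
register_module() {
    lib="$1"; name="$2"
    if [ ! -f "$lib" ]; then
        echo "no such library: $lib" >&2; return 1
    fi
    if [ ! -f "$NSSDB/pkcs11.txt" ]; then
        echo "no sql NSS DB at $NSSDB; create it with: certutil -N -d sql:$NSSDB" >&2; return 1
    fi
    # modutil -list prints "library name: <path>" per module (see comment 76).
    if modutil -dbdir "sql:$NSSDB" -list | grep -Fq "library name: $lib"; then
        echo "already registered: $lib"
    else
        # -force skips modutil's interactive confirmation; close Chrome first,
        # since it holds the database open.
        modutil -dbdir "sql:$NSSDB" -add "$name" -libfile "$lib" -mechanisms FRIENDLY -force
    fi
    # -h all logs in to every token, so this also confirms the PIN prompt works.
    certutil -d "sql:$NSSDB" -L -h all
}

# Usage: sh nss-token.sh check
#        sh nss-token.sh register /usr/lib/opensc-pkcs11.so "Card Reader"
case "${1:-}" in
    check)    pkcs11_missing_libraries "$NSSDB/pkcs11.txt" ;;
    register) register_module "$2" "$3" ;;
esac
```

Run `check` first whenever a token that used to work disappears after an upgrade; if it prints anything, the library path in pkcs11.txt is the problem, not Chrome. Note that FRIENDLY only helps when the card really does expose its certificates before login; a card that keeps them behind the PIN (comment 89) still needs the Manage Certificates login described in comment 70.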
Comment 78 by k...@google.com, Oct 2 2012
Labels: -Mstone-22 Mstone-24 MovedFrom-22
Moving out to M24, Please pull back in to previous milestones if needed.
Comment 79 by mattm@chromium.org, Oct 31 2012
Labels: -Mstone-24 Mstone-25
Comment 80 by Deleted ...@, Nov 13 2012
When is it supposed to be fixed?

I think this solution is a "middle solution".

You always postpone this bug and it will never be fixed.
As a user of Chrome/Chromium and smartcards, I thought this issue was already fixed. It's working great for me. You may want to be specific as to why you believe it's a "middle solution" so that it can be addressed instead of the developers just guessing what you mean.
Comment 82 by Deleted ...@, Nov 13 2012
Totally agree with Carlos. No final solution for over two years (except in Windows as mentioned in #81) and I am still forced to use Firefox for Estonian national ID card.
I'm currently using Chromium 22.0.1229.94 in Linux (I installed the chromium-browser package from Ubuntu Quantal 12.10 on Ubuntu Precise 12.04), and smartcards are working fine for me.

What problems are you still experiencing, and on what version?
Let me clarify #81, I am a user of Chrome/Chromium, smartcards, and Linux... This issue is fixed from my standpoint.  It is not a Windows only solution.
Comment 85 by feni...@gmail.com, Nov 14 2012
There is no solution to automatically prompt for the passphrase. After manually entering it in Settings, everything works fine. I'm using an Aladdin eToken.
Comment 86 by Deleted ...@, Nov 15 2012
I mean that "manually entering it in Settings to be prompted" is a "middle solution".

How can you say that this "solution" is fixed?

I am a Linux user (Ubuntu & Fedora). I know that it works fine in Windows, but not in Linux.

Is it too difficult to prompt for the user PIN in Linux?
Fair enough for unfriendly cards; using the FRIENDLY NSS configuration as noted in #76, the issue is solved.
Comment 88 by kareng@google.com, Nov 20 2012
Labels: -Mstone-25 MstoneRemoved
Bugs that have been moved 5 or more times. Removing Mstone label.
Comment 89 by Deleted ...@, Nov 21 2012
Using the FRIENDLY NSS configuration as noted in #76 does 'nothing'.

Chromium 22. Ubuntu 12.10. Spanish national card. OpenSC modified to run with the Spanish national card.
Comment 90 Deleted
Comment 91 by Deleted ...@, Feb 11 2013
Works for me only after logging into the token in the Settings menu.
Using the Aladdin eToken Pro 64k. Had to change the $HOME/.pki/nssdb/pkcs11.txt file from comment #38 because the token name was not completely delivered to modutil/certutil by NSS. Replaced the reference to opensc-pkcs11.so with libeToken.so:

library=/usr/lib/libeToken.so
name=OpenSC

---------
Ubuntu 12.04.2 LTS
3.2.0-37-generic #58-Ubuntu x86_64 x86_64 x86_64 GNU/Linux
pcscd, libpcsclite1: 1.8.6-3ubuntu1
openct: 0.6.20-1.2
opensc: 0.12.2-2ubuntu1
safenetauthenticationclient: 8.1.0-4
chromium-browser: 24.0.1312.56-0ubuntu0.12.04.1
Project Member Comment 92 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Area-Internals -Internals-Network Cr-Internals Cr-Internals-Network
On Linux Mint Debian Edition 64-bit, to use the Brazilian e-CPF I had to do:

modutil -dbdir sql:$HOME/.pki/nssdb -add "eToken" -libfile /usr/lib64/libeTPkcs11.so -mechanisms FRIENDLY -force

But I still have to open the "Manage certificates" to be able to use it.


Comment 94 Deleted
Labels: -MovedFrom13 -MovedFrom-16 -MovedFrom-17 -MovedFrom18 -bulkmove -MovedFrom-20 -MovedFrom-22 -MstoneRemoved
Chrome will never automatically send a certificate by default. This can be configured through Enterprise Policies; however, from your description that sounds unlikely.

See http://www.chromium.org/administrators/policy-list-3#AutoSelectCertificateForUrls
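For the enterprise case the comment above points at, the policy is a list of strings, each of which is itself a serialised JSON object with a URL pattern and a certificate filter. The following is an added example, not part of the bug thread or of Chromium's policy documentation: a script that emits such a policy for one site and one issuer CN and, when given two arguments, writes it into the managed-policy directory Chrome reads on Linux (/etc/opt/chrome/policies/managed; Chromium reads /etc/chromium/policies/managed instead). The site https://webmail.example.mil and the issuer "Example Issuing CA" are placeholders, as is the file name client-cert-autoselect.json.

```shell
#!/bin/sh
# Added example (not from the Chromium bug or Chromium's documentation): build a
# Chrome policy file that auto-selects a client certificate for one origin via
# AutoSelectCertificateForUrls. POLICY_DIR is Chrome's Linux managed-policy
# directory; override it for Chromium.
POLICY_DIR="${POLICY_DIR:-/etc/opt/chrome/policies/managed}"

# One policy entry: a JSON object serialised into a string, hence the escaped
# quotes. $1 is the URL pattern, $2 the issuer CN. Keep the ISSUER filter in
# place: the filter is what stops Chrome from silently offering any client
# certificate it finds to that origin.
autoselect_entry() {
    printf '{\\"pattern\\":\\"%s\\",\\"filter\\":{\\"ISSUER\\":{\\"CN\\":\\"%s\\"}}}' "$1" "$2"
}

# The complete policy document with a single entry.
autoselect_policy() {
    printf '{\n  "AutoSelectCertificateForUrls": [\n    "%s"\n  ]\n}\n' \
        "$(autoselect_entry "$1" "$2")"
}

# Usage (as root): sh autoselect-policy.sh https://webmail.example.mil "Example Issuing CA"
if [ $# -eq 2 ]; then
    out="$POLICY_DIR/client-cert-autoselect.json"
    autoselect_policy "$1" "$2" > "$out"
    chmod 0644 "$out"
    echo "wrote $out; restart Chrome and confirm the policy at chrome://policy"
fi
```

Neither pattern nor CN is JSON-escaped here, so pass values without embedded quotes or backslashes. The policy removes the certificate chooser, not the PIN prompt: the token still has to be logged in (through Manage Certificates, or automatically on a FRIENDLY token) before the selected certificate can be used.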
Labels: Restrict-AddIssueComment-EditIssue Cr-Internals-Network-SSL
I'm going to mark this bug Restrict-AddIssueComment-EditIssue, because I don't want this bug to become a meta-bug for a series of unrelated bugs and/or possible regressions.

Please see the additional bugs from comment 27 ( https://code.google.com/p/chromium/issues/detail?id=42073#c27 ) or file a new bug, and we'll be happy to assess further if it's the same bug.
Comment 98 by laforge@google.com, Apr 28 2015
Cc: -wtc@chromium.org
Comment 99 by b...@chromium.org, May 6 2015
Labels: -Cr-Internals
Project Member Comment 100 by sheriffbot@chromium.org, Jun 27 2016
Labels: Hotlist-OpenBugWithCL
A change has landed for this issue, but it's been open for over 6 months. Please review and close it if applicable. If this issue should remain open, remove the "Hotlist-OpenBugWithCL" label. If no action is taken, it will be archived in 30 days.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Components: -Internals>Network