Issue metadata
Sign in to add a comment
|
Error when using multiple smartcard for authentication
Reported by
jonny.ba...@gmail.com,
Feb 16 2018
|
||||||||||||||||||||||
Issue descriptionChrome Version: 64.0.3282.119 (Official Build) Built on Ubuntu , running on Ubuntu 16.04 (32-bit) Is this the most recent version: no OS + version: Ubuntu 16.04.2 LTS CPU architecture (32-bit / 64-bit): intel i5 7260U 64bit Window manager: ubuntu default (compiz) URLs (if relevant): n/a Behavior in Linux Firefox: correct: the unlock smartcard dialog is shown everytime I change the smartcard Requirements: - website with smartcard authentication - usb smart card reader - two smartcards with pin unlock What steps will reproduce the problem? (1) open a website requiring login with smartcard authentication (2) unlock the smartcard using its pin (3) the website accepts the authentication (4) log out (5) clear cache&history (6) change the smartcard (7) repeat from (1) using the second smartcard What is the expected result? chrome should show the unlock smartcard dialog for the second smartcard What happens instead? no dialog is shown and the authentication fails Please provide any additional information below. Attach a screenshot and backtrace if possible. If I launch chromium-browser on command line, I have this error when using the second smartcard: [14024:14229:0213/162646.106948:ERROR:ssl_platform_key_nss.cc(44)] PK11_SignWithMechanism failed: -8127 (SEC_ERROR_NO_TOKEN) [14024:14055:0213/162646.107122:ERROR:ssl_client_socket_impl.cc(1040)] handshake failed; returned -1, SSL error code 1, net_error -141
,
Feb 19 2018
jonny.balotas@ - Thanks for filing the issue...!! Could you please provide a sample test file/url to test the issue from Te-end. This will help us in triaging the issue further. Thanks...!!
,
Feb 20 2018
,
Feb 20 2018
Please disregard Comment #2, as it will require the specific physical devices to test. Can you please include a NetLog, as described at https://dev.chromium.org/for-testers/providing-network-details
,
Feb 22 2018
Hi, this is the standard NetLog as described at https://dev.chromium.org/for-testers/providing-network-details; I made a standard NetLog (with "Strip private information" options); let me know if it's ok or if you need a detailed netlog. Since this log contains the visited urls, can you restrict the visibility of this bug report? Thanks
,
Feb 22 2018
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Feb 22 2018
Given the error says SEC_ERROR_NO_TOKEN and there's a smartcard change involved, I imagine this is the age-old problem where we have no way of knowing the private key handle has been invalidated. If you try again at that point, I think it should work. Here's a crazy thought... what if, when we get an SSLPrivateKey from SSLClientAuthCache and the handshake fails with ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED, we just retried and did the client certificate selection again?
,
Feb 22 2018
Just to make sure I indeed have the scenario right, when this happens for you, if you refresh the page or otherwise try again, does it work again? I.e. is the problem that Chrome needs some help retrying after it finds the first smartcard is gone, or has it managed to get completely stuck?
,
Feb 23 2018
Yes, you're correct: if I refresh/retry, the smartcard authentication works as expected (pin & choose certificate dialog).
,
Feb 23 2018
,
Feb 23 2018
Thanks! I'll take a look at trying to do that try more automatically.
,
Feb 23 2018
,
Feb 24 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/76a40adc6e37be621cdc45c72eaf8b2b24254e75 commit 76a40adc6e37be621cdc45c72eaf8b2b24254e75 Author: David Benjamin <davidben@chromium.org> Date: Sat Feb 24 22:22:08 2018 Request a new client certificate if a cached one is stale. If an SSLPrivateKey is backed by a smartcard or other interesting module, the handle may eventually stop working. In particular, the smartcard may be removed at some point. Ideally, the OS would provide reliable fine-grained signals to clear relevant the cache entries, but the OS tends not to provide these APIs. We do drop the cache entry on failure, but the user is required to retry the operation. Instead, if an SSLPrivateKey was grabbed from the SSLClientAuthCache, assume it is potentially stale. Should the signing operation fail, we can not only drop the cache entry, but retry the request. This CL does not implement this logic for proxy client certificates, only server client certificates. Proxy client certificates a missing the cache clearing logic (https://crbug.com/814911), so we can fill this in once the plumbing is in place. Along the way, fill in some URLRequest-level client certificate unit tests. Bug: 813022 Change-Id: I9f0450e9f4df1383dd8b73d0297ebea5e3368fec Reviewed-on: https://chromium-review.googlesource.com/935723 Reviewed-by: Ryan Sleevi <rsleevi@chromium.org> Commit-Queue: David Benjamin <davidben@chromium.org> Cr-Commit-Position: refs/heads/master@{#539022} [modify] https://crrev.com/76a40adc6e37be621cdc45c72eaf8b2b24254e75/net/http/http_network_transaction.cc [modify] https://crrev.com/76a40adc6e37be621cdc45c72eaf8b2b24254e75/net/http/http_network_transaction.h [modify] https://crrev.com/76a40adc6e37be621cdc45c72eaf8b2b24254e75/net/url_request/url_request_unittest.cc
,
Feb 25 2018
That should smooth things over. Setting a reminder to ask in a week to confirm whether it worked on the next Dev channel (google-chrome-unstable) release.
,
Mar 2 2018
The NextAction date has arrived: 2018-03-02
,
Mar 2 2018
Looks like the next Linux Dev channel cut hasn't happened yet. Snoozing for a bit longer.
,
Mar 7 2018
The NextAction date has arrived: 2018-03-07
,
Mar 7 2018
Sigh. Why is Dev channel being so slow right now. Resnoozing...
,
Mar 14 2018
The NextAction date has arrived: 2018-03-14
,
Mar 14 2018
Okay, after much delay, the fix should be in the Dev channel. If you install google-chrome-unstable, does this case work better? (It uses a separate profile directory and installs in parallel, so it won't clobber your existing state.)
,
Jun 14 2018
A bit later :) but I tested the issue on chromium release 66.0.3359.181 and it works as expected. Thanks
,
Jun 14 2018
Thanks for confirming! Glad to hear that worked. (Client certificate issues often need to be fixed blind, so we're often unsure whether we actually solved the problem or not. :-D) |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by krajshree@chromium.org
, Feb 18 2018