Menu
▾
▴
Re: [Opensc-devel] opensc-pkcs11 in FireFox conflicting with closed-source PKCS11 provider
|
From: Alex S. <ml...@os...> - 2013-07-17 16:43:14
|
On 07/17/2013 06:28 PM, Douglas E. Engert wrote: > > I am using OpenSC and pkcs11 with firefox to access some websites using > my personal certificate and it works pretty well. But also i do have a > cart with proprietary pkcs11 driver. It works fine if FireFox is closed, > but if it is running it waits forever, probably trying to get exclusive > access. This card is not supported by OpenSC project, so for me it is a > little unclear why this happens. It seems that this provider is trying > to get some kind of exclusive access to pcscd and failing if it is not > possible. > Do you have both OpenSC PKCS#11 and the vendor's PKCS#11 libs/dlls > loaded as "Security Devices" in FireFox? > > What order? > > If both are defined, and the card is inserted, what does the > FireFox-> options-> Advanced-> Security Devices show for each of > the loaded PKCS#11 modules? No, in NSS only OpenSC PKCS11 is connected. Second library is using by proprietary software, without web browser. I have found that Firefox and OpenSC PKCS11 using polling loop to get updates from readers and this probably preventing second lib from working correclty. Not 100% sure yet, but its very likely. >> Is it possible somehow to tell OpenSC to completely ignore this card >> based on it ATR? Or any other recommendations to prevent this issue, >> e.g. prevent firefox from auto scan? I am ready to send all the patches >> if needed. > An OpenSC trace, by changing the debug= in the opensc.conf would also help. > It sounds like OpenSC is trying to determine if it can support the card. > It would help show where OpenSC is failing to get access to the card. > > Your suggestion of a list of ATRs to ignore is an excellent idea. > It could solve your problem, as well as allow NSS to use of a vendor's PKCS#11 > even if the card is supported by OpenSC. Thanks, i hope it will be implemented. I am ready to do any testing if needed. Also it would be great if anyone will fix this polling loop from FF NSS, it seems to be very non optimal. I also have another, unrelated issue - in 0.13 NSS is not working with FF, it asks for password but not showing any certificates in the list. Now i`m using 0.12.2 and it works very well. |
