From: Alex S. <ml...@os...> - 2013-07-17 08:27:18

Hi,

I am using OpenSC and pkcs11 with Firefox to access some websites using my personal certificate and it works pretty well. But also I do have a card with proprietary pkcs11 driver. It works fine if Firefox is closed, but if it is running it waits forever, probably trying to get exclusive access. This card is not supported by OpenSC project, so for me it is a little unclear why this happens. It seems that this provider is trying to get some kind of exclusive access to pcscd and failing if it is not possible.

Is it possible somehow to tell OpenSC to completely ignore this card based on its ATR? Or any other recommendations to prevent this issue, e.g. prevent Firefox from auto scan? I am ready to send all the patches if needed.

From: Mat A. <arg...@gm...> - 2013-07-17 08:34:11

Are you sure you are using OpenSC with Firefox? I am asking, because Firefox usually uses NSS to access smartcards.

cheers
Mat

On Wednesday 17. July 2013 10:27:06 Alex Samorukov wrote:
> Hi,
>
> I am using OpenSC and pkcs11 with Firefox to access some websites using
> my personal certificate and it works pretty well. But also I do have a
> card with proprietary pkcs11 driver. It works fine if Firefox is closed,
> but if it is running it waits forever, probably trying to get exclusive
> access. This card is not supported by OpenSC project, so for me it is a
> little unclear why this happens. It seems that this provider is trying
> to get some kind of exclusive access to pcscd and failing if it is not
> possible.
>
> Is it possible somehow to tell OpenSC to completely ignore this card
> based on its ATR? Or any other recommendations to prevent this issue,
> e.g. prevent Firefox from auto scan? I am ready to send all the patches
> if needed.

From: Alex S. <ml...@os...> - 2013-07-17 09:16:51

On 07/17/2013 10:33 AM, Mat Arge wrote:
> Are you sure you are using OpenSC with Firefox? I am asking, because Firefox
> usually uses NSS to access smartcards.
>
> cheers
> Mat

I am using /usr/lib/opensc-pkcs11.so which I added to NSS using FF configuration, so yes, of course I am sure. Problem is that when Firefox is running it is preventing other, proprietary PKCS11 driver to access card, and this specific card is not supported by OpenSC anyway, so I have no idea why it is blocked.

From: Mat A. <arg...@gm...> - 2013-07-17 09:32:07

On Wednesday 17. July 2013 11:16:39 Alex Samorukov wrote:
> On 07/17/2013 10:33 AM, Mat Arge wrote:
> > Are you sure you are using OpenSC with Firefox? I am asking, because
> > Firefox usually uses NSS to access smartcards.
> >
> > cheers
> > Mat
>
> I am using /usr/lib/opensc-pkcs11.so which I added to NSS using FF
> configuration, so yes, of course I am sure. Problem is that when Firefox
> is running it is preventing other, proprietary PKCS11 driver to access
> card, and this specific card is not supported by OpenSC anyway, so I
> have no idea why it is blocked.

But you said before, that your card is not supported by OpenSC. Or are you talking about two different smartcards?

From: Alex S. <ml...@os...> - 2013-07-17 10:11:28

On 07/17/2013 11:31 AM, Mat Arge wrote:
> I am using /usr/lib/opensc-pkcs11.so which I added to NSS using FF
> configuration, so yes, of course I am sure. Problem is that when Firefox
> is running it is preventing other, proprietary PKCS11 driver to access
> card, and this specific card is not supported by OpenSC anyway, so I
> have no idea why it is blocked.
> But you said before, that your card is not supported by OpenSC. Or are you
> talking about two different smartcards?

Yes, I have a lot of cards. Most of them are supported by OpenSC and that's why I need this OpenSC-PKCS11 driver in the browser. But also I do have a card which is not supported by OpenSC and is using its own PKCS11 library. Problem is that if FF is running I am unable to use this driver. I posted a dump of the failed session (using OpenSC PKCS#11 spy) to http://pastebin.com/8s9ErZJ1 . It starts to work very slowly on C_Initialize and finally dies on C_OpenSession. If FF is closed everything works well. So I assume that for some reason opensc-pkcs11.so with FF is locking this card and I want to fix that.

From: Douglas E. E. <dee...@an...> - 2013-07-17 16:17:56

On 7/17/2013 3:33 AM, Mat Arge wrote:
> Are you sure you are using OpenSC with Firefox? I am asking, because Firefox
> usually uses NSS to access smartcards.

Yes, Firefox uses NSS. The NSS "Security Devices" are PKCS#11 shared libs or DLLs. Thus NSS can load multiple PKCS#11 libs, for different cards.

>
> cheers
> Mat
>
> On Wednesday 17. July 2013 10:27:06 Alex Samorukov wrote:
>> Hi,
>>
>> I am using OpenSC and pkcs11 with Firefox to access some websites using
>> my personal certificate and it works pretty well. But also I do have a
>> card with proprietary pkcs11 driver. It works fine if Firefox is closed,
>> but if it is running it waits forever, probably trying to get exclusive
>> access. This card is not supported by OpenSC project, so for me it is a
>> little unclear why this happens. It seems that this provider is trying
>> to get some kind of exclusive access to pcscd and failing if it is not
>> possible.
>>
>> Is it possible somehow to tell OpenSC to completely ignore this card
>> based on its ATR? Or any other recommendations to prevent this issue,
>> e.g. prevent Firefox from auto scan? I am ready to send all the patches
>> if needed.

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From: Ludovic R. <lud...@gm...> - 2013-08-03 09:15:01

Hello,

2013/7/17 Alex Samorukov <ml...@os...>:
> On 07/17/2013 11:31 AM, Mat Arge wrote:
>> I am using /usr/lib/opensc-pkcs11.so which I added to NSS using FF
>> configuration, so yes, of course I am sure. Problem is that when Firefox
>> is running it is preventing other, proprietary PKCS11 driver to access
>> card, and this specific card is not supported by OpenSC anyway, so I
>> have no idea why it is blocked.
>> But you said before, that your card is not supported by OpenSC. Or are you
>> talking about two different smartcards?
>
> Yes, I have a lot of cards. Most of them are supported by OpenSC and
> that's why I need this OpenSC-PKCS11 driver in the browser. But also I do
> have a card which is not supported by OpenSC and is using its own PKCS11
> library. Problem is that if FF is running I am unable to use this
> driver. I posted a dump of the failed session (using OpenSC PKCS#11 spy)
> to http://pastebin.com/8s9ErZJ1 . It starts to work very slowly on
> C_Initialize and finally dies on C_OpenSession. If FF is closed
> everything works well. So I assume that for some reason opensc-pkcs11.so
> with FF is locking this card and I want to fix that.

It may be a bug in OpenSC that does not free some PC/SC resources.

Can you use PC/SC spy and generate a logfile as documented in [1] and send it?
To configure the spy with OpenSC you may have to edit /etc/opensc.conf and set:
provider_library = /usr/lib/libpcscspy.so

Bye

--
Dr. Ludovic Rousseau

From: Alex S. <ml...@os...> - 2013-08-03 18:09:17

On 08/03/2013 11:14 AM, Ludovic Rousseau wrote:
> It may be a bug in OpenSC that does not free some PC/SC resources.
>
> Can you use PC/SC spy and generate a logfile as documented in [1]
> and send it?
> To configure the spy with OpenSC you may have to edit /etc/opensc.conf and set:
> provider_library = /usr/lib/libpcscspy.so

This is now fixed in trunk, by a recent commit. The problem was that the default driver was trying to detect the card and it was busy. The PKCS11 plugin from the non-OpenSC compatible card was not trying to open the card if it had the "IN USE" flag. The solution was to ignore unknown cards in OpenSC, with some exceptions. Commit 1a9729 works for me.

From: Douglas E. E. <dee...@an...> - 2013-07-17 16:28:28

On 7/17/2013 3:27 AM, Alex Samorukov wrote:
> Hi,
>
> I am using OpenSC and pkcs11 with Firefox to access some websites using
> my personal certificate and it works pretty well. But also I do have a
> card with proprietary pkcs11 driver. It works fine if Firefox is closed,
> but if it is running it waits forever, probably trying to get exclusive
> access. This card is not supported by OpenSC project, so for me it is a
> little unclear why this happens. It seems that this provider is trying
> to get some kind of exclusive access to pcscd and failing if it is not
> possible.

Do you have both OpenSC PKCS#11 and the vendor's PKCS#11 libs/DLLs loaded as "Security Devices" in Firefox?

What order?

If both are defined, and the card is inserted, what does Firefox -> Options -> Advanced -> Security Devices show for each of the loaded PKCS#11 modules?

>
> Is it possible somehow to tell OpenSC to completely ignore this card
> based on its ATR? Or any other recommendations to prevent this issue,
> e.g. prevent Firefox from auto scan? I am ready to send all the patches
> if needed.

An OpenSC trace, by changing the debug= in the opensc.conf, would also help.
It sounds like OpenSC is trying to determine if it can support the card.
It would help show where OpenSC is failing to get access to the card.

Your suggestion of a list of ATRs to ignore is an excellent idea.
It could solve your problem, as well as allow NSS to use a vendor's PKCS#11
even if the card is supported by OpenSC.

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From: Alex S. <ml...@os...> - 2013-07-17 16:43:14

On 07/17/2013 06:28 PM, Douglas E. Engert wrote:
>
> I am using OpenSC and pkcs11 with Firefox to access some websites using
> my personal certificate and it works pretty well. But also I do have a
> card with proprietary pkcs11 driver. It works fine if Firefox is closed,
> but if it is running it waits forever, probably trying to get exclusive
> access. This card is not supported by OpenSC project, so for me it is a
> little unclear why this happens. It seems that this provider is trying
> to get some kind of exclusive access to pcscd and failing if it is not
> possible.
> Do you have both OpenSC PKCS#11 and the vendor's PKCS#11 libs/DLLs
> loaded as "Security Devices" in Firefox?
>
> What order?
>
> If both are defined, and the card is inserted, what does
> Firefox -> Options -> Advanced -> Security Devices show for each of
> the loaded PKCS#11 modules?

No, in NSS only OpenSC PKCS11 is connected. The second library is used by proprietary software, without a web browser. I have found that Firefox and OpenSC PKCS11 are using a polling loop to get updates from readers and this is probably preventing the second lib from working correctly. Not 100% sure yet, but it's very likely.

>> Is it possible somehow to tell OpenSC to completely ignore this card
>> based on its ATR? Or any other recommendations to prevent this issue,
>> e.g. prevent Firefox from auto scan? I am ready to send all the patches
>> if needed.
> An OpenSC trace, by changing the debug= in the opensc.conf, would also help.
> It sounds like OpenSC is trying to determine if it can support the card.
> It would help show where OpenSC is failing to get access to the card.
>
> Your suggestion of a list of ATRs to ignore is an excellent idea.
> It could solve your problem, as well as allow NSS to use a vendor's PKCS#11
> even if the card is supported by OpenSC.

Thanks, I hope it will be implemented. I am ready to do any testing if needed. Also it would be great if anyone would fix this polling loop in FF NSS; it seems to be very non-optimal. I also have another, unrelated issue: in 0.13 NSS is not working with FF, it asks for the password but does not show any certificates in the list. Now I'm using 0.12.2 and it works very well.

From: Alex S. <ml...@os...> - 2013-07-23 20:33:06

On 07/17/2013 06:28 PM, Douglas E. Engert wrote:
> ccess to the card.
>
> Your suggestion of a list of ATRs to ignore is an excellent idea.
> It could solve your problem, as well as allow NSS to use a vendor's PKCS#11
> even if the card is supported by OpenSC.

This bug was affecting and annoying me, so I decided to write a patch [1]. Could you please take a look and commit if possible? This works for me, at least.

[1] https://github.com/OpenSC/OpenSC/pull/175
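
The "list of ATRs to ignore" idea discussed in this thread, sketched as an added example in C; it is not code from the thread, from the pull request linked above, or from OpenSC. The `atr_rule` layout, the function names, the requirement that every rule carries a mask, and the sample ATR bytes are all hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>

#define ATR_MAX 33 /* ISO 7816-3 caps an ATR at 33 bytes */
struct atr_rule { const char *atr, *mask; }; /* hypothetical list entry */

/* Parse "3b:16:..." into bytes; returns the length or -1 if malformed. */
static int parse_hex(const char *s, unsigned char *out, size_t max)
{
    size_t n = 0;
    for (; *s; s += (s[2] == ':' && s[3]) ? 3 : 2) {
        unsigned int b;
        if (n == max || !isxdigit((unsigned char)s[0]) ||
            !isxdigit((unsigned char)s[1]) || sscanf(s, "%2x", &b) != 1)
            return -1;
        out[n++] = (unsigned char)b;
    }
    return (int)n;
}

/* 1 = ATR is on the ignore list, 0 = not listed, -1 = malformed rule. */
int atr_ignored(const unsigned char *atr, size_t len,
                const struct atr_rule *rules, size_t nrules)
{
    for (size_t i = 0; i < nrules; i++) {
        unsigned char want[ATR_MAX], mask[ATR_MAX];
        int wl = parse_hex(rules[i].atr, want, sizeof want);
        int ml = parse_hex(rules[i].mask, mask, sizeof mask);
        if (wl <= 0 || ml != wl)
            return -1; /* report bad config instead of guessing */
        unsigned char diff = ((size_t)wl != len); /* lengths must agree */
        for (size_t j = 0; !diff && j < len; j++)
            diff = (atr[j] ^ want[j]) & mask[j]; /* compare masked bits only */
        if (!diff)
            return 1;
    }
    return 0;
}

/* Constructed sample data: the mask ignores the final byte of the ATR. */
static const struct atr_rule RULES[] = {{"3b:16:de:ad:be:01", "ff:ff:ff:ff:ff:00"}};
static const unsigned char CARD_A[] = {0x3b, 0x16, 0xde, 0xad, 0xbe, 0x42};
static const unsigned char CARD_B[] = {0x3b, 0x16, 0xde, 0xad, 0xbf, 0x01};

int main(void)
{
    printf("A=%d B=%d\n", atr_ignored(CARD_A, sizeof CARD_A, RULES, 1),
           atr_ignored(CARD_B, sizeof CARD_B, RULES, 1));
    return 0;
}
```

A caller that gets 1 would skip card detection for that reader entirely, so the token is never connected to or marked in use on behalf of this module.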