If you want to use Hardware tokens, PKCS #11, and Firefox you
either must be nuts, a masochist, very smart, or highly committed.

For ordinary users it makes little sense.

Hardware tokens: there are any number of different types
PKCS #11: the most difficult to program and administer middleware known to 
mankind
Firefox: doesn't support CA issuers or Windows CSPs

Linux: doesn't even provide a crypto service API, or does it?

Anders

Nelson B Bolyard wrote:
On 2009-07-02 02:58 PDT, Udo Puetz wrote:

I want to authenticate against a juniper SA 2500 firewall with a user and
password AND a certificate.
I have a safenet iKey 1032 token where I imported the p12 certificate. In firefox (tried 2.0.x, 3.0.x and 3.5.x) I imported the safenet
K1PK112.DLL PKCS#11 module. In the firefox cryptography module manager I
now see the token and can (after entering the pin) see the certificate.
So firefox _can_ read the certificate off of the token.

While in this state, go into Firefox's certificate manager, and look through
the tabs to find the cert.  Tell us in which tab(s) the cert
appears.  In particular, does it appear in the "Your Certificates" tab?
Also, in that tab, note the value in the "Security Device" column in the
row for your certificate.
Then, Select your certificate and click the "View" button.  A Certificate
Viewer Dialog will appear.  In that Dialog, select the "Details" tab.
In that tab are 3 boxes or "panes", the top one of which is labeled
"Certificate Hierarchy".  That box will contain some number of lines.
Please copy the contents of that box (you may have to retype it by hand).
I will explain below what to do with this information.

But when I go to the juniper firewall website I get the error message that the certificate can't be found.

Where do you see this message?  Is it in a Juniper log file? Or Firefox?
If it is a Juniper log file, can you tell from the message whether it is saying:
a) That it received no certificate from the browser, or
b) That it cannot validate the certificate chain received, or
c) That it does not recognize the validated cert as being authorized?

When I (for testing) take out the token and import the p12 certificate directly into the firefox certificate store I can authenticate against the juniper firewall website with user and pass and the certificate.
So the problem seems to be that in the crypto module manager firefox can
read a certificate off of a token and can't read it off when queried by a
website.

While in this state, please repeat the steps I gave above, noting the tab of
the certificate manager in which your certificate appears, the security
device associated with your certificate, and the contents of the Certificate
Hierarchy pane in the Certificate Viewer.

Then compare these two sets of results.  I suspect they will differ.
It may be that, in one case the certificate appears in "Your Certificates"
tab, and in the other case, it does not appear in that tab, but appears
in some other tab.  Or, it may be that in one case the Certificate Hierarchy
contains multiple lines (corresponding to multiple certificates) and in the
other case, it contains fewer lines (perhaps only one).
Or perhaps you will find both of these differences.  Or perhaps neither.

Any of these differences could explain your problem, I believe.
If you do not find any of these differences, then I can suggest some
additional (more complicated) diagnostic steps.

Where would you think is the problem?
Is it within firefox or a problem with the third-party pkcs#11 module?
(I'm also in contact with the safenet folks)

At this point, with the information I have, I can only speculate.
There are many possibilities.  Here are some:

1) In addition to needing the certificate, Firefox also needs to be able
to access the private key on the token.  It may be that it cannot access
the private key on the token, but can access it when you import the PKCS#12
file into Firefox's own software token (a.k.a. "Software Security Device").
If Firefox can access the private key, then the certificate should appear
in "Your Certificates", otherwise it will appear in one of the other tabs.
If you find that the certificate does not appear in "Your Certificates",
then that is the problem.  This would very likely be a problem in the
PKCS#11 module and/or token, not in Firefox.

2) It may be that your certificate has a hierarchy with more than two
certificates in it, and all of those certificates are stored in Firefox's
software token when you import the PKCS#12 file there, but not all those
certificates are being stored on the token when you import the PKCS#12 file
there.  In order to be able to successfully do client cert authentication,
Firefox needs access to the entire correct certificate hierarchy.  It cannot
succeed if certs are missing from the hierarchy.  If you find that
the two hierarchies seen in the steps above are different, that is the
likely cause.  In that case, you really should try to import the missing
certs into the token.  If you cannot do that, that is a bug in the token
or PKCS#11 module, however, there is a workaround.  You can import the
missing CA certs into Firefox's software token instead.

Hope this helps.

Thanks a lot,
regards
Udo Puetz
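Nelson's two hypotheses above (the private key is not reachable, or CA certs are missing from the hierarchy) can be checked on the PKCS#12 file itself before it is imported onto a token or into Firefox's software token. This is an added example using the openssl command-line tool, not code from the thread; the throwaway CA, user certificate, password and file names are constructed for the demonstration, and the "leafonly" bundle reproduces the missing-CA case.

```shell
#!/bin/sh
# Added example (not from the thread): check a PKCS#12 file for the two things
# Firefox needs for client-cert auth: a private key that matches the end-entity
# cert, and the CA certs needed to build that cert's chain.
set -eu
WORK=$(mktemp -d)

# Build a constructed sample: a throwaway CA, a user cert it signs, and a .p12
# of the user key+cert. $1 = "full" includes the CA cert, "leafonly" omits it.
make_sample_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example User" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/user.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/user.crt" >/dev/null 2>&1
  if [ "$1" = full ]; then extra="-certfile $WORK/ca.crt"; else extra=""; fi
  openssl pkcs12 -export -inkey "$WORK/user.key" -in "$WORK/user.crt" $extra \
    -passout pass:test -out "$WORK/$1.p12"
  echo "$WORK/$1.p12"
}

# Print "key:ok|mismatch chain:ok|incomplete ncerts:N" for a .p12 ($1) and its
# password ($2); return 0 only when both the key and the chain check pass.
inspect_p12() {
  d=$(mktemp -d)
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$d/certs.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$d/leaf.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts -out "$d/ca.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$d/key.pem" 2>/dev/null
  n=$(grep -c 'BEGIN CERTIFICATE' "$d/certs.pem" || true)
  # Key check: the cert's public key must equal the public half of the key
  if [ "$(openssl x509 -in "$d/leaf.pem" -noout -pubkey)" = \
       "$(openssl pkey -in "$d/key.pem" -pubout)" ]; then key=ok; else key=mismatch; fi
  # Chain check: the leaf must verify using only the CA certs carried in the file
  if openssl verify -CAfile "$d/ca.pem" "$d/leaf.pem" >/dev/null 2>&1
  then chain=ok; else chain=incomplete; fi
  echo "key:$key chain:$chain ncerts:$n"
  if [ "$key" = ok ] && [ "$chain" = ok ]; then return 0; else return 1; fi
}
```

If the file passes both checks but the token still shows fewer hierarchy lines than the software token, the loss happened during import onto the token, which points at the PKCS#11 module as Nelson describes.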

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto