
IDPrime 840 card from latest OpenSC nightly won't request PIN for TLS authentication in Safari

Open kirichkov opened this issue 4 years ago • 6 comments

IDPrime 840 for v3 was just added in the latest OpenSC Nightly. I've verified that the OpenSC library works by using it to sign files with the certificate that's on the card. The OpenSC pkcs11 module works fine with Firefox.

When I try to use it for TLS authentication in Safari, the certificate on the card is presented for selection. I select it three times, but a PIN prompt never appears. It doesn't appear that this locks the card, as the PIN-try limit is set to 3 and I can log in using pkcs11-tool --login --test without unblocking it beforehand.

I've tested on an x86 Mac running macOS 10.15.7 and on an M1 running macOS 11.1; same result on both.

kirichkov avatar Jan 27 '21 15:01 kirichkov

Can you create an OpenSC log? See https://github.com/frankmorgner/OpenSCToken#configuring-opensctoken

frankmorgner avatar Jan 28 '21 09:01 frankmorgner

The x86 one is from 10.15.7, the M1 from 11.1:

https://gist.github.com/kirichkov/e4cb557ea52b8b410dabbf98183f5f65

kirichkov avatar Jan 28 '21 12:01 kirichkov

Some update on this: I'm running the latest currently available Nightly. The issue with TLS authentication remains; the token does appear in Mail.app, and signing/decrypting e-mails works.

I tested with Chrome on Intel; an error is also produced there: "ERR_SSL_DECRYPT_ERROR_ALERT".

kirichkov avatar Apr 14 '21 14:04 kirichkov

Thanks for the update. Since decryption in Mail.app is working and in Chrome it is not, I assume both programs are using different decryption mechanisms. Maybe we need to adjust the conversion between Apple's identifiers and OpenSC's internal values: https://github.com/frankmorgner/OpenSCToken/blob/9e7cd767b7fd446573f921762f1d7467908ba27a/OpenSCToken/TokenSession.m#L44-L75

Maybe @Jakuje could have a view into the log of his driver.

frankmorgner avatar Apr 14 '21 14:04 frankmorgner

I assume this will most probably be an issue with the mechanisms propagated through OpenSCToken. Browsers these days usually use TLS 1.3, which requires RSA-PSS, and as IDPrime does not support raw RSA, you will need to propagate the PSS mechanisms. I do not see them mentioned anywhere in the above snippet.

Jakuje avatar Apr 14 '21 16:04 Jakuje
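An added illustration of Jakuje's point, not code from OpenSCToken or OpenSC: a Go simulation of the TLS 1.3 CertificateVerify check, with the card replaced by a stand-in signer that applies either PKCS#1 v1.5 or PSS padding to a constructed transcript digest. The server side requires rsa_pss_rsae_sha256, so the v1.5 signature is rejected, which is the decrypt_error alert Chrome surfaces as ERR_SSL_DECRYPT_ERROR_ALERT. The transcript bytes, key and mode names are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type SignMode int

const (
	SignPKCS1v15 SignMode = iota // what a v1.5-only mechanism mapping produces
	SignPSS                      // what TLS 1.3 CertificateVerify requires (RFC 8446 §4.2.3)
)

// tokenSign stands in for the card: it receives the already computed SHA-256
// digest of the transcript and applies the requested padding on-card.
func tokenSign(priv *rsa.PrivateKey, digest []byte, mode SignMode) ([]byte, error) {
	if mode == SignPSS {
		// rsa_pss_rsae_sha256 fixes the salt length to the digest length.
		opts := &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}
		return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest, opts)
	}
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest)
}

// serverVerify is the TLS 1.3 peer's check on CertificateVerify; a failure
// here is answered with a decrypt_error alert and the handshake is aborted.
func serverVerify(pub *rsa.PublicKey, digest, sig []byte) bool {
	opts := &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}
	return rsa.VerifyPSS(pub, crypto.SHA256, digest, sig, opts) == nil
}

// Handshake signs a constructed transcript digest with the given mode and
// reports whether a TLS 1.3 verifier accepts the result.
func Handshake(priv *rsa.PrivateKey, mode SignMode) (bool, error) {
	digest := sha256.Sum256([]byte("constructed TLS 1.3 handshake transcript"))
	sig, err := tokenSign(priv, digest[:], mode)
	if err != nil {
		return false, err
	}
	return serverVerify(&priv.PublicKey, digest[:], sig), nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	for _, m := range []SignMode{SignPKCS1v15, SignPSS} {
		ok, err := Handshake(priv, m)
		fmt.Printf("mode=%d accepted=%v err=%v\n", m, ok, err)
	}
}
```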

Thanks for the hint. I've created https://github.com/frankmorgner/OpenSCToken/pull/40, which should add PSS support.

However, I've noticed a misconception about the signature input, which makes me wonder why signatures worked in the first place. I've passed down a hash function like SC_ALGORITHM_RSA_HASH_SHA1, where SC_ALGORITHM_RSA_HASH_NONE should have been... Maybe this worked because the lower layers were just ignoring the requested hash function.

frankmorgner avatar Apr 15 '21 03:04 frankmorgner

Fixed with #40.

frankmorgner avatar Jun 16 '23 06:06 frankmorgner