Issue metadata
Sign in to add a comment
|
Authentication using smartcard on macOS 10.12 does not work
Reported by
tony.r...@gmail.com,
Nov 18 2016
|
||||||||||||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36 Example URL: Steps to reproduce the problem: 1. Enter URL for smartcard enabled website 2. Attempt to authenticate with smartcard 3. After a long duration certificates are presented 4. Select proper certificate 5. Chrome never instigates prompt for PIN 6. authentication fails What is the expected behavior? 1. Enter URL for smartcard enabled website 2. Attempt to authenticate with smartcard 3. After a **short** duration certificates are presented 4. Select proper certificate 5. Chrome instigates prompt for PIN 6. authentication succeeds What went wrong? Dialog asking for certificate took 10-15 seconds, No prompt for PIN, authentication fails with ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY Did this work before? Yes macOS 10.11.6 (same Chrome version) Chrome version: 54.0.2840.98 Channel: stable OS Version: OS X 10.12.1 Flash Version: Shockwave Flash 23.0 r0 Will likely affect all of Federal Government and many large corporations.
,
Nov 22 2016
,
Nov 22 2016
Removing version targets, as this is part of the OS integration (which Apple significantly rewrote in 10.12) and third-party code interactions (smartcard driver)
,
Nov 30 2016
OP: Per comment #1, please post a URL that consistently reproduces this problem. Thank you.
,
Dec 8 2016
,
Dec 8 2016
,
Dec 8 2016
Per comment #1, please attach a net-internals log, not just the URL. In addition, I since think a lot of our smartcard logic logs errors elsewhere, please also attach a log file per these instructions. https://www.chromium.org/for-testers/enable-logging Finally, what kind of smartcard are you using? Thanks! (Apologies for the runaround. Comment #4 requested too little.)
,
Dec 9 2016
NASA PIV Card - FIPS 201-2 (http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-2.pdf)
,
Dec 9 2016
Hah. Of course you hit the one function call we forgot to add logging for! :-) I'm guessing SecKeyGetCSSMKey is failing. https://chromium.googlesource.com/chromium/src/+/62d2f9506be2329c87d4c74a8369de4b8846c969/net/ssl/ssl_platform_key_mac.cc#235 I'll go add the missing logging for next time this breaks. In the meantime, +rsleevi, does CSSM no longer working some of the time in 10.12 sound familiar? Do we need to add a new codepath here?
,
Dec 9 2016
Yeah, Starting with 10.12, which reintroduced smart card support (which I'd missed), they stopped providing the CSSM equivalence shim and rewrote a whole new interaction layer. I was (regrettably) reading up on the docs over holiday. The new path (AFAICT) only works through SecTransforms, so we'll likely have to rewrite all of the OS X smartcard support -_-
,
Dec 9 2016
This is only for smartcard-backed keys and not normal ones? If we'd broken those too, I would think we'd have gotten more complaints. (Which are the docs?)
,
Dec 9 2016
,
Dec 9 2016
Only smartcards, AFAICT. The 10.12-only function is SecKeyCreateSignature / SecKeyCreateEncryptedData / SecKeyCopyKeyExchangeResult
,
Dec 9 2016
Oh, and the docs for these are nonexistent on the public site (AFAICT). Only in the SecKey.h header file.
,
Dec 9 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/eb8e118a97f9690d1e8f3cce0d64e8b932970f0e commit eb8e118a97f9690d1e8f3cce0d64e8b932970f0e Author: davidben <davidben@chromium.org> Date: Fri Dec 09 22:55:56 2016 Add missing logging codepaths for client certificate lookup. BUG= 666796 Review-Url: https://codereview.chromium.org/2565843002 Cr-Commit-Position: refs/heads/master@{#437675} [modify] https://crrev.com/eb8e118a97f9690d1e8f3cce0d64e8b932970f0e/net/ssl/ssl_platform_key_mac.cc [modify] https://crrev.com/eb8e118a97f9690d1e8f3cce0d64e8b932970f0e/net/ssl/ssl_platform_key_util.cc
,
Dec 10 2016
Ah, okay. Looks like we only need SecKeyCreateSignature and some of the constants for this, then gate on a version check. Should be pretty straight-forward. I can try to hack it up next week if no one beats me to it. It'd also be nice if we could get some unit tests one of these days... but maybe fix this first and then we'll try to plug the unit test hole afterwards. We can probably adapt ssl_platform_key_android_unittest.cc with some work, supposing we can figure out how to make a working SecKeyRef without writing to anything persistent. I remember looking into this a couple years ago and concluding Apple fixed the bug that prevented us from doing it at some point. Chatted with +erikchen about how to call the symbols. He says we're not building against the 10.12 SDK yet, so we'll need to copy the prototypes and add weak_import for this stuff: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPFrameworks/Concepts/WeakLinking.html Then we'll need to guard those by [something] for when we do use the 10.12 SDK (at which point, hopefully the __OSX_AVAILABLE macros Apple puts in its headers will weak_import for us) Basically, whoever ends up doing this should have Erik look over the CL to make sure we're doing the version stuff right. :-)
,
Dec 10 2016
> Then we'll need to guard those by [something] for when we do use the 10.12 SDK
This is apparently:
#if !defined(MAC_OS_X_VERSION_10_12) || \
MAC_OS_X_VERSION_MAX_ALLOWED < MAC_OS_X_VERSION_10_12
,
Dec 13 2016
,
Dec 13 2016
Was there any additional information/testing/logging required from my end? Looks like you guys noticed the 10.12 change from CDSA/Tokend to CrypTokenKit. Tokend does still function...if a tokend is installed; however, native functionality is CrypTokenKit and CDSA is (per Apple) to be fully deprecated in 10.13/14.
,
Dec 13 2016
Should be all set for now as far as information on your end, thanks! When the change has gone in, hopefully later this week, we'll probably ask you to confirm on Chrome Canary that it worked, but right now it's just sitting on my laptop. (I need to finish testing it.)
,
Dec 13 2016
Would be my pleasure, thanks for the update.
,
Dec 13 2016
Cl is uploaded, pending review: https://codereview.chromium.org/2566273008/
,
Dec 14 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ebe0803de7a569dee0c7b0ab6b4685dc749b8f29 commit ebe0803de7a569dee0c7b0ab6b4685dc749b8f29 Author: davidben <davidben@chromium.org> Date: Wed Dec 14 02:22:07 2016 Use SecKeyCreateSignature on macOS 10.12 and later. macOS 10.12 breaks the CSSM code for smartcards. Switch to the new APIs. In the process, refactor the Android unit tests to be common on all platforms and unit test this stuff. SecKeychainCreate finally works, so we can unit test the entire path from certificate to key and compare signatures against OpenSSL. That second part probably bears repeating. Eight years into the project's lifetime, we FINALLY have unit tests for this code! BUG= 666796 , 673058 Review-Url: https://codereview.chromium.org/2566273008 Cr-Commit-Position: refs/heads/master@{#438392} [modify] https://crrev.com/ebe0803de7a569dee0c7b0ab6b4685dc749b8f29/net/net.gypi [modify] https://crrev.com/ebe0803de7a569dee0c7b0ab6b4685dc749b8f29/net/ssl/ssl_platform_key.h [modify] https://crrev.com/ebe0803de7a569dee0c7b0ab6b4685dc749b8f29/net/ssl/ssl_platform_key_android.cc [modify] https://crrev.com/ebe0803de7a569dee0c7b0ab6b4685dc749b8f29/net/ssl/ssl_platform_key_android_unittest.cc [modify] https://crrev.com/ebe0803de7a569dee0c7b0ab6b4685dc749b8f29/net/ssl/ssl_platform_key_chromecast.cc [modify] https://crrev.com/ebe0803de7a569dee0c7b0ab6b4685dc749b8f29/net/ssl/ssl_platform_key_mac.cc [add] https://crrev.com/ebe0803de7a569dee0c7b0ab6b4685dc749b8f29/net/ssl/ssl_platform_key_mac.h [add] https://crrev.com/ebe0803de7a569dee0c7b0ab6b4685dc749b8f29/net/ssl/ssl_platform_key_mac_unittest.cc [modify] https://crrev.com/ebe0803de7a569dee0c7b0ab6b4685dc749b8f29/net/ssl/ssl_platform_key_nss.cc [modify] https://crrev.com/ebe0803de7a569dee0c7b0ab6b4685dc749b8f29/net/ssl/ssl_platform_key_win.cc [add] https://crrev.com/ebe0803de7a569dee0c7b0ab6b4685dc749b8f29/net/ssl/ssl_private_key_test_util.cc [add] https://crrev.com/ebe0803de7a569dee0c7b0ab6b4685dc749b8f29/net/ssl/ssl_private_key_test_util.h
,
Dec 14 2016
(Looks like I just barely missed the most recent canary, but it'll probaby be in the next one.)
,
Dec 14 2016
Thanks, will test as soon as it drops. Results and/or logs to be posted imminently following release.
,
Dec 15 2016
The fix should now be in the latest canary (make sure you have 57.0.2952.0 or later). If you could confirm whether the issue is resolved for you, that'd be great! Thanks!
,
Dec 15 2016
Verified 57.0.2952.0 canary (64-bit) works as expected on three smartcard enabled websites. Will continue to test to ensure no further interoperability concerns exist with this change, but will only report back if anything is found.
,
Dec 15 2016
Excellent. Thanks for your help here! The fix should follow Chrome 57 as it makes it through the release process (hitting stable channel around March).
,
Feb 8 2018
As of Chrome 64.0.3282.140, this issue has been reintroduced on macOS 10.13.3/4. Please ensure CrypTokenKit it being used in all future releases of Chrome.
,
Feb 8 2018
That code is still calling SecKeyCreateSignature. This bug was fixed more than a year ago. Please file a *NEW* bug and attach a NetLog per these instructions: https://dev.chromium.org/for-testers/providing-network-details
,
Feb 8 2018
(My guess is RSA-PSS support, added in M64 and macOS 10.13, is tickling a different bug in your smartcard.)
,
Feb 8 2018
Thanks for responding davidben, new ticket created: https://bugs.chromium.org/p/chromium/issues/detail?id=810451 |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by csharrison@chromium.org
, Nov 18 2016Labels: Needs-Feedback