Google/Chrome uses deprecated SecIdentitySearchCreate and SecIdentitySearchCopyNext
Reported by imelikl...@gmail.com, Sep 28 2017
Issue description

Chrome Version: Version 61.0.3163.100 (Official Build) (64-bit)

What steps will reproduce the problem?
--------------------------------------------------
1. Insert smartcard with PIV token
2. Login to site with Client Certificate authentication enabled
3. Certificate selection dialog is empty

What is the expected result?
------------------------------------
1. Certificate selection dialog shows PIV card certificate (Similar to Safari)

What happens instead?
-------------------------------
1. Empty certificate dialog is shown.

Additional info:
We discovered that Google uses the deprecated SecIdentitySearchCreate and SecIdentitySearchCopyNext API (deprecated since 10.7).
https://chromium.googlesource.com/chromium/src/+/master/net/ssl/client_cert_store_mac.cc#278
SecItemCopyMatching (available 10.6) shall be used instead of SecIdentitySearchCreate. For hardware tokens, the parameter (__bridge id)kSecAttrAccessGroup: (__bridge id)kSecAttrAccessGroupToken must be used.
Sep 28 2017
https://codereview.chromium.org/2910893002/ would use SecItemCopyMatching, although it doesn't have kSecAttrAccessGroup, and is blocked on a CLA. Alex, any updates on that?
Sep 28 2017
CLA is resolved, there's now merge conflicts which I haven't made time to review. Ryan Sleevi suggested to me that time/priority permitting he might take over the patch.
Oct 16 2017
Can we get some attention with this ticket? Estonia is starting to migrate to ECDSA keys and we need working tokend implementation. https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/
Nov 1 2017
+1. I am an Estonian ID card user who now has to use Firefox for tasks related to national ID, because no other browser currently supports our new certificates on Mac. Would very much like to stick with Chrome, but cannot at this time.
Dec 4 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/ba850bd35df98b5c02334f20b6e2e994e62f5606

commit ba850bd35df98b5c02334f20b6e2e994e62f5606
Author: Ryan Sleevi <rsleevi@chromium.org>
Date: Mon Dec 04 20:31:21 2017

Improved support for loading smart card client certs on macOS

Beginning with macOS 10.12, the APIs Chromium uses to enumerate client certificates in the Keychain may miss certificates from some smartcards; notably, ECDSA certificates on Tokend-backed cards. This is because Chromium uses the deprecated macOS APIs for detecting client certificates. However, those legacy APIs are the only way to access some identities on other cards.

To resolve this, use both the deprecated and the current API to enumerate client identities, deduplicating along the way.

This is largely based on a patch from agaynor@mozilla.com in https://codereview.chromium.org/2910893002/, updated for the current API.

Bug: 769699
Change-Id: I706ad121d0e6827ac4830f36aeacbc7d1c959560
Reviewed-on: https://chromium-review.googlesource.com/804118
Reviewed-by: Matt Mueller <mattm@chromium.org>
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#521431}

[modify] https://crrev.com/ba850bd35df98b5c02334f20b6e2e994e62f5606/net/ssl/client_cert_store_mac.cc
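
The lookup the report asks for, combined with the de-duplication the commit message describes, as an added example (not Chromium's code and not posted in this thread): it runs SecItemCopyMatching for kSecClassIdentity with and without kSecAttrAccessGroupToken and reports each certificate once. De-duplicating on the certificate's DER bytes and the helper name QueryIdentities are assumptions of this example; it uses only the current API, not the deprecated search calls.

```objective-c
// Added example, not Chromium code. Build on macOS 10.12 or later:
//   clang -fobjc-arc -framework Foundation -framework Security list_ids.m
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Runs one kSecClassIdentity query. tokensOnly restricts the query to the
// token access group named in the report (smart cards and other tokens).
static NSArray *QueryIdentities(BOOL tokensOnly) {
  NSMutableDictionary *query = [@{
    (__bridge id)kSecClass : (__bridge id)kSecClassIdentity,
    (__bridge id)kSecMatchLimit : (__bridge id)kSecMatchLimitAll,
    (__bridge id)kSecReturnRef : @YES
  } mutableCopy];
  if (tokensOnly) {
    query[(__bridge id)kSecAttrAccessGroup] =
        (__bridge id)kSecAttrAccessGroupToken;
  }
  CFTypeRef result = NULL;
  OSStatus status =
      SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
  if (status != errSecSuccess) {
    // errSecItemNotFound only means the query matched no identity.
    if (status != errSecItemNotFound)
      NSLog(@"SecItemCopyMatching failed: %d", (int)status);
    return @[];
  }
  return CFBridgingRelease(result);  // CFArray of SecIdentityRef
}

int main(void) {
  @autoreleasepool {
    // DER encodings already reported (de-duplication key, an assumption).
    NSMutableSet<NSData *> *seen = [NSMutableSet set];
    for (NSNumber *tokensOnly in @[ @NO, @YES ]) {
      for (id item in QueryIdentities(tokensOnly.boolValue)) {
        SecCertificateRef cert = NULL;
        if (SecIdentityCopyCertificate((__bridge SecIdentityRef)item,
                                       &cert) != errSecSuccess)
          continue;
        NSData *der = CFBridgingRelease(SecCertificateCopyData(cert));
        NSString *subject =
            CFBridgingRelease(SecCertificateCopySubjectSummary(cert));
        CFRelease(cert);
        if (!der || [seen containsObject:der]) continue;  // already listed
        [seen addObject:der];
        NSLog(@"%@ (token-only query: %@)", subject, tokensOnly);
      }
    }
  }
  return 0;
}
```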
Comment 1 by ligim...@chromium.org, Sep 28 2017