FIPS 201 smartcards / PIV no longer work in Chrome 61+ using CrypTokenKit.
Reported by tony.r...@gmail.com, Feb 8 2018
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36

Example URL: Any smartcard enforced site, but https://piv.max.gov/ and https://auth.launchpad.nasa.gov/ can be used as examples.

Steps to reproduce the problem:
1. Don't install tokend (use native CrypTokenKit)
2. Enter URL for smartcard enabled website
3. Select option to authenticate with smartcard
4. After no duration no certificates are presented
5. Chrome never instigates prompt for Certificate Selection or PIN
6. Authentication fails

What is the expected behavior?
1. Enter URL for smartcard enabled website
2. Attempt to authenticate with smartcard
3. After a **short** duration certificates are presented
4. Select proper certificate
5. Chrome instigates prompt for PIN
6. Authentication succeeds

What went wrong?
It appears that Chrome, starting with approximately Chrome 61 may have reverted to requiring PIV.Tokend / CDSA in lieu of CrypTokenKit. Installation of PIV.Tokend does allow intermittently proper behavior; however, Apple has deprecated CDSA / Tokend.

Did this work before? Yes Pre-61, macOS 10.12

Chrome version: 64.0.3282.140 Channel: stable
OS Version: OS X 10.13.3
Flash Version:

Related ticket where CrypTokenKit was first fixed: https://bugs.chromium.org/p/chromium/issues/detail?id=666796
,
Feb 8 2018
Can you please attempt with Chrome 65 and see if Issue 769699 resolves your issue?
,
Feb 8 2018
Specifically, the NetLog shows this is a completely different issue from #666796. Rather than failing to sign anything with the key, we don't seem to be attempting to provide a client certificate in the first place. So something around certificate lookup seems to be going wrong. macOS 10.13 changed some stuff around there, which broke Chrome. The fix for that will be in Chrome 65.
,
Feb 8 2018
,
Feb 8 2018
Dev - 65.0.3325.51
- Resolves the issue (certificate dialog is presented, PIN using piv.token dialog is presented, authentication is accepted)
Canary - 66.0.3343.0
- Same as above
Thanks for the quick response guys, sorry I didn't test Dev/Canary prior to bug submittal.
,
Feb 8 2018
Thank you for providing more feedback. Adding requester "davidben@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Feb 8 2018
Thanks for confirming! This is related to the 10.13 upgrade, rather than 61<->64. I'm glad 65 resolves this issue for you.
,
Feb 8 2018
Comment 1 by davidben@chromium.org, Feb 8 2018