open-eid / chrome-token-signing Goto Github PK


DEPRECATED Chrome and Firefox extension for signing with your eID on the web

Home Page: https://github.com/open-eid/chrome-token-signing/wiki

License: GNU Lesser General Public License v2.1

Makefile 4.23% JavaScript 9.08% C++ 38.29% QMake 0.49% Objective-C 2.38% Objective-C++ 16.09% C 18.63% Python 9.98% Shell 0.18% HTML 0.64%


chrome-token-signing's Issues

Problem with A3 certificate

Hello everyone,

I'm using an A3 certificate, but a technical_error happens after getCertificate with the message Incompatible key. I found this CngCapiSigner.cpp, but I don't know how to debug or test that problem; can anyone help me?

OS: Windows 10
Type of certificate: Token(pen drive) A3

What library is this CryptAcquireCertificatePrivateKey from?

chrome-token-signing vs nativem-token-signing

"This Chrome extension allows you to sign documents on the web with your eID smart card."

Do I understand correctly that this extension is not anymore limited to Chrome?
Should the documentation be updated to reflect that? Maybe the repository name should also be changed to something like "nativem-token-signing"?

Luxtrust signing stick not working?

I am using a Luxtrust signing stick.
I have installed the Chrome extension (v0.0.29) and the Chrome Token Signing software (v1.0.6).

When I try the hwcrypto demo (hwcrypto/demo/sign.html), I receive a "technical_error" message.
(When the signing stick is unplugged, I receive a "no_certificates" error.)
Here is the output of background.js on the console:

background.js:169 SEND 2: {"type":"VERSION","nonce":"68k713g3zptw3pff","src":"page.js","origin":"https:/host.com","tab":2}
background.js:174 OPEN 2: ee.ria.esteid
background.js:169 SEND 2: {"type":"CERT","lang":"en","nonce":"sfvc9kvmlqpoz93o","src":"page.js","origin":"https://hostcom","tab":2}
background.js:183 RECV 2: {"api":1,"nonce":"68k713g3zptw3pff","result":"ok","version":"1.0.6.485"}
background.js:183 RECV 2: {"api":1,"message":null,"nonce":"sfvc9kvmlqpoz93o","result":"technical_error"}

Problem when using Chrome on Linux and removing id-card from the reader

I have set up a Jetty web server which requires a client certificate, and I use it to authenticate my users with their ID card. Everything works fine on Windows and OSX machines with the Firefox and Chrome browsers. On Linux everything is fine with Firefox, but I noticed a weird issue with Chrome:

First time when I try to authenticate then everything is fine. But when I "logout" and remove my id-card from the reader, then next time I can authenticate without any id-card being in the reader. Problem occurs only when I do not close browser between first and second attempt. Looks like my server somehow still receives last user's id-card certificate.

Any ideas?

Fedora

How to build on Fedora Linux?

eesti.ee fails with no_implementation when trying to sign an application

Using OpenSuSE 15.0. I installed chrome-token-signing and pkcs11-firefox-loader. Got into eesti.ee in firefox by providing both pins, so the authentication part works.

Now I am trying to sign an application in https://www.eesti.ee/portaal/!rrteenus.avaldused?aliik=A01

When I click 'Edasi allkirjastamisele', nothing happens.

JS console shows 'TypeError: this.errorHandler is not a function'. (That's bug number 1, perhaps you know who to report eesti.ee bugs to?)

With some JavaScript tracing, the error turns out to be hwcrypto.NO_IMPLEMENTATION. What do I do to debug this further?

Note that both PIN1 and PIN2 show as having been loaded in Settings->Security Devices.

having trouble making it work on openSuSE 15.0

I added and enabled both the "PKCS11 loader" plugin and the "Token signing" plugin in Firefox on openSuSE. When trying to log into eesti.ee, the card is not being read; all I get is
"Kas Teie ID-kaart on kaardilugejasse sisestatud?"

How do I debug this? Is OpenSuSE supported at all?

I also tried installing packages from kentaur, but those seem to make incorrect assumptions about firefox extension paths, so I gave up.

UX: do not restrict PIN/passphrase input, add a "show" button

Masking passphrase entry has been considered a not-so-great addition to actual password/passphrase security. Also, some (USB) tokens support/require alphanumeric passphrases instead of a numeric PIN.

OSX PIN input requires numbers. Instead of this restriction it would be better to add a "show PIN" button to reveal the input field while pressed, so that possible errors could be noticed.

Two different behaviors with NativeSigner

We are facing a problem with some users generating an invalid signature, so I started to investigate what is happening and I think the NativeSigner class is the problem. I am not a Windows API expert, so let me know if I misunderstand something.

At line 81 the function CryptAcquireCertificatePrivateKey is used to determine whether the key is obtained with CryptoAPI or CNG (flag CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG), and the result is stored in the spec variable, which is later used within a switch at line 98.

Analyzing the CERT_NCRYPT_KEY_SPEC case (1), some checks of algorithm and size are done and finally the function NCryptSignHash is called to sign the supplied digest with the user's private key.

But inside the AT_SIGNATURE case (2) there is a call to the CryptCreateHash and CryptSetHashParam functions, which calculate a hash from the supplied digest and then pass it to the CryptSignHashW function.

So, at (1) it is generating an RSA signature from the hash and at (2) it is generating a SHA256 RSA signature from the hash. Considering that the sign function does not let you select the algorithm, I think the behavior of the two cases needs to be the same, because when the structure of the signature is built, for example a CMS signature, it is necessary to specify the encryption algorithm OID, which will be different: (1) 1.2.840.113549.1.1.1 rsaEncryption and (2) 1.2.840.113549.1.1.11 sha256WithRSAEncryption.

It doesn't work in Chrome

I'm trying to use it on macOS High Sierra (v 10.13.3) in Chrome, but it doesn't work.

I get an error as follows:

(screenshot: 2018-03-22 at 11:13:57)

I followed install instructions:

  1. Installed Belgian eID driver software
  2. Installed Chrome Token Signing extension
  3. Restarted Chrome
  4. Inserted smart card to the reader
  5. Tried to test it on https://hwcrypto.github.io/hwcrypto.js/sign.html

But I'm getting the error above.

Firefox 58 support seems broken in Linux

I have successfully compiled and installed the extension and the chrome-token-signing tool in my system (OpenSUSE 42.3). The Token signing extension is listed in Firefox and the chrome-token-signing application can be executed in the command line and doesn't error (digicert application is also installed).

However, hwcrypto.js still fails to make use of the installed extension (even though it sees it; I think the check/test fails).

In Google Chrome, though, things work well (after running ./esteid-update-nssdb from the installer at least) and I can sign documents online.

Is there anything I can do to have this working in Firefox too?

Add support for multiple native backends

Right now the extension is hardwired for RIA. All forks have mostly made changes on the native side. So to be able to re-use a single extension (and thus provide a consistent frontend for website developers) some adjustments need to be made.
Maybe a discovery method can be made, without hard-wiring a name into the extension codebase, or settle on a generic name to be installed outside of scope of the extension.

Support for arbitrary smartcards

Currently the plugin doesn't work with arbitrary smart cards. Which is normal, because of the lack of standardization and openness of smartcard vendors.

For the purposes of reuse, however, it would be good to have some how-to and a clear way to add support for other smartcards. For example via adding a single file per smartcard type, which lists everything needed for the plugin to interact with the card (I'm hypothesizing here).

macOS forced installation policy now visible in Chrome, scaring users

While setting a macOS system policy to forcefully install the token signing extension (as requested in #29) is a rather rude thing to do without the user's permission, the benefits of this might have outweighed the negative sides so far.

However, starting from a recent Chrome update (most likely Chrome 73), the fact that a system policy has been set shows up in Chrome's main menu as a rather visible statement "Managed by your organization" (some identical-looking screenshots here).

I've already witnessed a few people getting confused and scared by this message, only to find out this was due to having installed this browser extension. I hereby suggest repeating the cost-benefit analysis of setting unsolicited system policies.

chrome-token-signing.msi

I cannot generate the .msi file. What is the problem exactly? The wix file is needed for its generation, since in browser-token-signing there is a wix file.

Smartcard responds, but "getCertificate() failed: Error: no_certificates"

Using an ACR38T-D1, an Aventra MyEID, and OpenSC v0.19.0, I get the following from the test app:

sign() clicked on Sat, 29 Dec 2018 12:05:49 GMT
Signing SHA-256: 413140d54372f9baf481d4c54e2d5c7bcf28fd6087000280e07976121dd54af2
Debug: hwcrypto.js 0.0.11 with Chrome native messaging extension 0.0.29/1.0.8.500
getCertificate() failed: Error: no_certificates

During the signing process the smartcard flashes to indicate that a signing attempt is taking place.

The key on the smartcard looks like this:

Private RSA Key [XXX]
Object Flags : [0x3], private, modifiable
Usage : [0x22E], decrypt, sign, signRecover, unwrap, nonRepudiation
Access Flags : [0xD], sensitive, alwaysSensitive, neverExtract
ModLength : 2048
Key ref : 1 (0x1)
Native : yes
Auth ID : 01

The code contains debug logging such as the line below; however, there are no instructions that I can see to confirm where to find this log. Using the debug log in Chrome shows no obvious messages:

_log("certificate is non-repu: %u, requesting signing certificate %u, moving on to next token...", isNonRepudiation, forSigning);

Looking at the code, it looks like there are error paths where the error is dropped and replaced with the "no certificates" response, such as this line:

for (const PKCS11CardManager::Token &token : PKCS11CardManager(p11.path).tokens()) {

Driver error on Ubuntu 18.10

I installed the latest open-eid version using the script install-open-eid.sh from https://installer.id.ee/media/ubuntu/. When I tried to get the certificates I received a driver_error message. Enabling logging, I got this:

atrList() [PKCS11Path.cpp:69] found reader: AKS ifdh [Main Interface] 00 00
atrList() [PKCS11Path.cpp:82] Set ATR = 3BD518008131FE7D8073C82110F4 for reader AKS ifdh [Main Interface] 00 00
[2840] PKCS11CardManager() [PKCS11CardManager.h:124] Function List not loaded /usr/local/lib/libeTPkcs11.dylib: /usr/local/lib/libeTPkcs11.dylib: não é possível abrir arquivo compartilhado: Arquivo ou diretório inexistente
2019-04-11 17:25:44 [2840] write() [chrome-host.cpp:132] Response(66) {
"nonce": "dh0asknzlvfj9gvm",
"result": "driver_error"
}

As far as I know the dylib extension is only for Mac OS. Investigating further I found in PKCS11Path.cpp at line 127 the constant definition:

static const std::string eTokenPath("/usr/local/lib/libeTPkcs11.dylib");

I think the right path would be /usr/lib/libeTPkcs11.so. At least on my machine I created a symbolic link from /usr/local/lib/libeTPkcs11.dylib to /usr/lib/libeTPkcs11.so and solved the problem.

Signing fails with ridiculously long card reader name

Hi,

finally took time to report the issue.

Running Chromium 53 on Ubuntu 16.04 here.

Certain HP keyboards have ridiculously long card reader names of more than 100 characters. This causes the Chrome plugin to go nuts when attempting to sign anything:

getCertificate()
VM149:8 Page received: 
VM149:9 Object {nonce: "mzwmh78ghbapwz1z", result: "technical_error", src: "background.js", extension: "0.0.22"}

A workaround is to substitute card reader name in pcscd driver database:

sed -i -e 's/Hewlett-Packard Company HP /HP /g' /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist
service pcscd restart

A real fix probably should be implemented in the plugin itself by lifting card reader name size limitations or at least reserving 200 characters for the card reader name.

Supporting for A1 Certificate

Hello, it seems that the project doesn't support local file certificates (A1 type), right?

What is the alternative to look for all available certificates Token plus Browser Installed or Local Files?

Thanks in advance guys!

chrome-token-signing process should check whether stdin is not /dev/null

When accidentally starting the chrome-token-signing process via a window manager run dialog, the process's stdin points to /dev/null, and this causes the process to run at 100% CPU.

Easiest way to test: chrome-token-signing </dev/null

Probably easiest way to fix it (assuming stdin only accepts input via pipes):

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

if (!isatty(fileno(stdin))) {
    // expecting stdin to be a pipe
    exit(-1);
}
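isatty() only tells a terminal apart from everything else, so /dev/null and a browser-created pipe both fail it; what a native messaging host actually needs is to know that stdin is a pipe and to stop when that pipe reaches end-of-file. The following added example (not the project's code) shows both pieces in Python: a pipe check via fstat, and a reader for Chrome's length-prefixed native messaging frame that returns None at EOF so a /dev/null stdin ends the loop instead of spinning. The function names, the 1 MB local size cap and the sample frames are this example's own.

```python
import io
import json
import os
import stat
import struct
import sys

# Chrome native messaging frames each JSON message with a 4-byte length
# prefix in native byte order.
_HEADER = struct.Struct("=I")
MAX_INBOUND = 1024 * 1024  # local sanity cap chosen for this example


def fd_is_pipe(fd):
    """True if fd is a pipe/FIFO, which is what a browser-launched host sees
    on stdin; False for a terminal, /dev/null or a regular file."""
    return stat.S_ISFIFO(os.fstat(fd).st_mode)


def read_message(stream):
    """Read one framed message; return the decoded object, or None at EOF.
    Returning None (rather than an empty message) is what lets the caller
    stop instead of spinning when stdin is /dev/null."""
    header = stream.read(_HEADER.size)
    if len(header) < _HEADER.size:
        return None  # EOF or truncated header: time to exit
    (length,) = _HEADER.unpack(header)
    if length == 0 or length > MAX_INBOUND:
        raise ValueError("refusing frame of %d bytes" % length)
    body = stream.read(length)
    if len(body) < length:
        return None  # peer went away mid-message
    return json.loads(body.decode("utf-8"))


def write_message(stream, obj):
    body = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    stream.write(_HEADER.pack(len(body)) + body)
    stream.flush()


def drain(stream):
    """Read frames until EOF; returns the list of decoded messages."""
    out = []
    while True:
        msg = read_message(stream)
        if msg is None:
            return out
        out.append(msg)


def classify_devnull():
    fd = os.open(os.devnull, os.O_RDONLY)
    try:
        return fd_is_pipe(fd)
    finally:
        os.close(fd)


def classify_fresh_pipe():
    r, w = os.pipe()
    try:
        return fd_is_pipe(r)
    finally:
        os.close(r)
        os.close(w)


def demo_frames():
    """Constructed sample: two frames followed by EOF, drained in one go."""
    buf = io.BytesIO()
    write_message(buf, {"type": "VERSION", "nonce": "n1"})
    write_message(buf, {"type": "CERT", "nonce": "n2"})
    buf.seek(0)
    return drain(buf)


if __name__ == "__main__":
    if not fd_is_pipe(sys.stdin.fileno()):
        sys.stderr.write("stdin is not a pipe; expected to be launched by the browser\n")
        sys.exit(1)
    for msg in drain(sys.stdin.buffer):  # constructed echo handler
        write_message(sys.stdout.buffer, {"nonce": msg.get("nonce"), "result": "ok"})
```

Run from a terminal the script exits immediately with a message; started with `</dev/null` it exits the same way; launched by the browser it processes frames until the browser closes the pipe, at which point read_message returns None and the loop ends.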

Remove OpenSSL dependency in host-shared

OSX 10.11 and later remove OpenSSL headers from the system and encourage the usage of OSX specific interfaces.

Currently host-osx makes use of the shared component for PKCS#11, which in turn makes use of OpenSSL for certificate parsing, like here:

https://github.com/open-eid/chrome-token-signing/blob/master/host-shared/PKCS11CardManager.h#L127

Refactor this to either remove OpenSSL, isolate it with ifdefs or move the necessary filtering and parsing to the host-osx part.

Ubuntu 18.04

Trying to test on the upcoming Ubuntu 18.04 LTS. Token signing fails with the following kernel error:

kernel: traps: chrome-token-si[27145] general protection ip:7f704bf51ca5 sp:7fff3cfdeba8 error:0 in libcrypto.so.1.0.0[7f704be37000+219000]

Ubuntu, call to C_Sign is failing (return 7)

On Ubuntu, using the official binaries with my Luxtrust signing stick, I can choose the certificate and enter the PIN, then I get the following error:

2018-08-03 13:31:13 [23497] parse() [chrome-host.cpp:61] Message size: 3570
2018-08-03 13:31:13 [23497] parse() [chrome-host.cpp:71] Message (3570): {"type":"SIGN","cert":"","hashtype":"SHA-256","lang":"en","info":"","nonce":"250dmhhh2o3umzas","src":"page.js","origin":"https://personal.url.fr","tab":2918}
2018-08-03 13:31:13 [23497] atrList() [PKCS11Path.cpp:69] found reader: Gemalto USB Shell Token V2 (2F948309) 00 00
2018-08-03 13:31:13 [23497] atrList() [PKCS11Path.cpp:82] Set ATR = 3B7D96000080318065B0830201F383009000 for reader Gemalto USB Shell Token V2 (2F948309) 00 00
2018-08-03 13:31:13 [23497] getPkcs11ModulePath() [PKCS11Path.cpp:165] Unknown ATR '3B7D96000080318065B0830201F383009000' using default module 'opensc-pkcs11.so'
2018-08-03 13:31:13 [23497] C_GetFunctionList() [PKCS11CardManager.h:125] return value 0
2018-08-03 13:31:13 [23497] PKCS11CardManager() [PKCS11CardManager.h:126] initializing module opensc-pkcs11.so
2018-08-03 13:31:15 [23497] C_Initialize() [PKCS11CardManager.h:127] return value 0
2018-08-03 13:31:15 [23497] C_GetSlotList() [PKCS11CardManager.h:154] return value 0
2018-08-03 13:31:15 [23497] tokens() [PKCS11CardManager.h:155] slotCount = 1
2018-08-03 13:31:15 [23497] C_GetSlotList() [PKCS11CardManager.h:157] return value 0
2018-08-03 13:31:15 [23497] C_GetTokenInfo() [PKCS11CardManager.h:164] return value 0
2018-08-03 13:31:15 [23497] C_OpenSession() [PKCS11CardManager.h:170] return value 0
2018-08-03 13:31:15 [23497] C_FindObjectsInit() [PKCS11CardManager.h:88] return value 0
2018-08-03 13:31:15 [23497] C_FindObjects() [PKCS11CardManager.h:91] return value 0
2018-08-03 13:31:15 [23497] C_FindObjectsFinal() [PKCS11CardManager.h:92] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:71] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:74] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:71] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:74] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:71] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:74] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:71] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:74] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:71] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:74] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:71] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:74] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:71] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:74] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:71] return value 0
2018-08-03 13:31:15 [23497] C_GetAttributeValue() [PKCS11CardManager.h:74] return value 0
2018-08-03 13:31:15 [23497] C_CloseSession() [PKCS11CardManager.h:188] return value 0
2018-08-03 13:31:18 [23497] C_OpenSession() [PKCS11CardManager.h:197] return value 0
2018-08-03 13:31:18 [23497] C_Login() [PKCS11CardManager.h:198] return value 0
2018-08-03 13:31:18 [23497] C_FindObjectsInit() [PKCS11CardManager.h:88] return value 0
2018-08-03 13:31:18 [23497] C_FindObjects() [PKCS11CardManager.h:91] return value 0
2018-08-03 13:31:18 [23497] C_FindObjectsFinal() [PKCS11CardManager.h:92] return value 0
2018-08-03 13:31:18 [23497] sign() [PKCS11CardManager.h:206] found 1 private keys in slot, using key ID cefc19c0
2018-08-03 13:31:18 [23497] C_GetAttributeValue() [PKCS11CardManager.h:210] return value 0
2018-08-03 13:31:18 [23497] C_SignInit() [PKCS11CardManager.h:213] return value 0
2018-08-03 13:31:18 [23497] C_Sign() [PKCS11CardManager.h:239] return value 0
2018-08-03 13:31:18 [23497] C_Sign() [PKCS11CardManager.h:241] return value 7
2018-08-03 13:31:18 [23497] C_Finalize() [PKCS11CardManager.h:133] return value 0
2018-08-03 13:31:18 [23497] write() [chrome-host.cpp:132] Response(69) {
"nonce": "250dmhhh2o3umzas",
"result": "technical_error"
}

Return 7 from the second call to C_Sign is CKR_ARGUMENTS_BAD, so I don't understand what's wrong...
For information, signatureLength after the 1st call to C_Sign is equal to 256.

Here is the output of the demo:
This is sign.html running on
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.62 Safari/537.36
sign() clicked on Fri, 03 Aug 2018 11:40:32 GMT
Signing SHA-256: 413140d54372f9baf481d4c54e2d5c7bcf28fd6087000280e07976121dd54af2
Debug: hwcrypto.js 0.0.13 with Chrome native messaging extension 0.0.29/1.0.7.498
Using certificate:
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
sign() failed: Error: technical_error

Usage with two card readers, with one being constantly opened exclusively

I have a YubiKey 4 Nano always connected and used by the pgp-agent, in exclusive mode:

$ opensc-tool -lv
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Yubico Yubikey 4 U2F+CCID
     3b:f8:13:00:00:81:31:fe:15:59:75:62:69:6b:65:79:34:d4 [EXCLUSIVE]
1    Yes             Gemalto PC Twin Reader
     3b:fe:18:00:00:80:31:fe:45:45:73:74:45:49:44:20:76:65:72:20:31:2e:30:a8 EstEID 3.0 (dev1) cold 

This causes chrome-token-signing to fail in a spectacular way:

SEND 123: {"type":"CERT","lang":"en","nonce":"j9nfuxqwqbtq1xkh","src":"page.js","origin":"https://open-eid.github.io","tab":123}
background.js:174 RECV 123: {"result":"technical_error","nonce":"j9nfuxqwqbtq1xkh","ver":1}

While I understand that this might be a problem with the underlying PKCS#11 implementation, it is not nice nor acceptable to fail this way.


$ pkcs11-tool -L
Available slots:
Slot 0 (0x0): (GetSlotInfo failed, CKR_DEVICE_ERROR)
Slot 1 (0x4): Gemalto PC Twin Reader
  token label        : PIN1 (PALJAK,MARTIN,38207162722)
  token manufacturer : AS Sertifitseerimiskeskus
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : AA0448165
Slot 2 (0x5): Gemalto PC Twin Reader
  token label        : PIN2 (PALJAK,MARTIN,38207162722)
  token manufacturer : AS Sertifitseerimiskeskus
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : AA0448165
