keychain-pkcs11's Issues

Unable to use keychain-pkcs11 to list certificates stored in the Keychain

I'm looking for a way to use the certificates stored in the MacOS Keychain (with the private key export option disabled) via a PKCS#11 API.

I tried using keychain-pkcs11 with Java PKCS#11 provider but it doesn't work.

Java error log:

Information for provider SunPKCS11-Keychain-PKCS11
Library info:
  cryptokiVersion: 2.40
  manufacturerID: U.S. Naval Research Lab         
  flags: 0
  libraryDescription: Keychain PKCS#11 Bridge Library 
  libraryVersion: 1.00
All slots: 0
Slots with tokens: (none)
Exception in thread "main" java.security.ProviderException: Initialization failed
	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:387)
	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:118)
	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:115)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:115)
	at Pkcs11MutualAuthenticationTest.listCertificates(Pkcs11MutualAuthenticationTest.java:49)
	at Pkcs11MutualAuthenticationTest.main(Pkcs11MutualAuthenticationTest.java:30)
Caused by: java.security.ProviderException: slotListIndex is 0 but token only has 0 slots
	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:368)
	... 6 more

Here is the MacOS event log:

➜  ~ log stream --predicate 'subsystem = "mil.navy.nrl.cmf.pkcs11"' --level debug
Filtering the log data using "subsystem == "mil.navy.nrl.cmf.pkcs11""
Timestamp                       Thread     Type        Activity             PID    TTL  
2022-09-14 20:55:47.615569+0200 0x25321    Debug       0x0                  14552  0    java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] C_GetFunctionList called
2022-09-14 20:55:47.615842+0200 0x25321    Debug       0x0                  14552  0    java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] C_GetFunctionList returning CKR_OK
2022-09-14 20:55:47.615995+0200 0x25321    Debug       0x0                  14552  0    java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] C_Initialize called
2022-09-14 20:55:47.616034+0200 0x25321    Debug       0x0                  14552  0    java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] OS_LOCKING_OK set, using pthread locking
2022-09-14 20:55:47.617304+0200 0x25321    Debug       0x0                  14552  0    java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] Program "java" is NOT set to ask for PIN, will let Security ask for the PIN
2022-09-14 20:55:47.617434+0200 0x25321    Debug       0x0                  14552  0    java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] Program "java" has the Keychain Certificate slot DISABLED
2022-09-14 20:55:47.625206+0200 0x25321    Debug       0x0                  14552  0    java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] Looking for identities for token com.apple.setoken
2022-09-14 20:55:47.627565+0200 0x25321    Debug       0x0                  14552  0    java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] No identities found
2022-09-14 20:55:47.627644+0200 0x25321    Debug       0x0                  14552  0    java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] Looking for identities for token com.apple.setoken:aks
2022-09-14 20:55:47.628745+0200 0x25321    Debug       0x0                  14552  0    java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] No identities found
2022-09-14 20:55:47.628858+0200 0x25321    Debug       0x0                  14552  0    java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] C_Initalize returning CKR_OK
2022-09-14 20:55:47.629072+0200 0x25321    Debug       0x0                  14552  0    java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] C_GetInfo called
2022-09-14 20:55:47.629113+0200 0x25321    Debug       0x0                  14552  0    java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] C_GetInfo returning CKR_OK
2022-09-14 20:55:47.640315+0200 0x25321    Debug       0x0                  14552  0    java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] C_GetSlotList called
2022-09-14 20:55:47.640372+0200 0x25321    Debug       0x0                  14552  0    java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] tokens_present = false, slot_list = 0x60000255c680, slot_num = 125601792
2022-09-14 20:55:47.640407+0200 0x25321    Debug       0x0                  14552  0    java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] C_GetSlotList returning CKR_OK
2022-09-14 20:55:47.640425+0200 0x25321    Debug       0x0                  14552  0    java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] C_GetSlotList called
2022-09-14 20:55:47.640442+0200 0x25321    Debug       0x0                  14552  0    java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] tokens_present = false, slot_list = 0x60000255c680, slot_num = 1
2022-09-14 20:55:47.640462+0200 0x25321    Debug       0x0                  14552  0    java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] C_GetSlotList returning CKR_OK
2022-09-14 20:55:47.641374+0200 0x25321    Debug       0x0                  14552  0    java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] C_GetSlotList called
2022-09-14 20:55:47.641443+0200 0x25321    Debug       0x0                  14552  0    java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] tokens_present = true, slot_list = 0x60000255c680, slot_num = 125601792
2022-09-14 20:55:47.641525+0200 0x25321    Debug       0x0                  14552  0    java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] C_GetSlotList returning CKR_OK
2022-09-14 20:55:47.641550+0200 0x25321    Debug       0x0                  14552  0    java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] C_GetSlotList called
2022-09-14 20:55:47.641568+0200 0x25321    Debug       0x0                  14552  0    java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] tokens_present = true, slot_list = 0x60000255c680, slot_num = 0
2022-09-14 20:55:47.641587+0200 0x25321    Debug       0x0                  14552  0    java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] C_GetSlotList returning CKR_OK

Here are some commands that show my context:

➜  ~ security smartcards token -l
# (previous command return nothing)
➜  ~ sudo security smartcards token -e com.apple.CryptoTokenKit.pivtoken
Token is already enabled.
➜  ~ sw_vers
ProductName:	macOS
ProductVersion:	12.6
BuildVersion:	21G115

Do you know what's wrong?

Using an SSH key from a smartcard times out in a weird way

I'm using keychain-pkcs11 to authenticate to SSH using a smartcard-derived key by running ssh-add -s /usr/local/lib/keychain-pkcs11.dylib. This works fine initially, but if some time passes, the PIN seems to time out, because when I try to make an ssh connection using that key it pops up a GUI PIN entry window. The GUI appears to accept the PIN, but this always leads to a failed ssh login (next time it happens I'll save the error message and post it here). I then have to re-init the ssh agent by running ssh-add -e /usr/lib...pkcs11.dylib; ssh-add -s /usr/lib...pkcs11.dylib. During this reinit it again asks for my CAC PIN, but with a text prompt, not a GUI window popup, and then ssh works.

Current master fails to work as PKCS#11 library for OpenSSL

Self-explanatory:

$ p11tool --list-token-urls
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
pkcs11:model=Unknown%20Model;manufacturer=Unknown%20Manufacturer;serial=00000xxxxxxxxxxxxxxxxxxx
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d6c523c6b0054a64;token=xxxxxxxxxxxx
. . . . .
$ p11tool --list-all "pkcs11:model=Unknown%20Model;manufacturer=Unknown%20Manufacturer;serial=000001"
Object 0:
	URL: pkcs11:model=Unknown%20Model;manufacturer=Unknown%20Manufacturer;serial=000001;id=%00%00%00%00%00%00%00%00;object=Certificate%20For%20PIV%20Authentication%20%28xxxxxxxxxxxx%29;type=cert
	Type: X.509 Certificate
	Label: Certificate For PIV Authentication (xxxxxxxxxxxxxx)
	ID: 00:00:00:00:00:00:00:00

Object 1:
	URL: pkcs11:model=Unknown%20Model;manufacturer=Unknown%20Manufacturer;serial=000001;id=%00%00%00%00%00%00%00%00;type=private
	Type: Private key
	Label: 
	Flags: CKA_PRIVATE; 
	ID: 00:00:00:00:00:00:00:00

Object 2:
	URL: pkcs11:model=Unknown%20Model;manufacturer=Unknown%20Manufacturer;serial=000001;id=%01%00%00%00%00%00%00%00;object=Certificate%20For%20Card%20Authentication%20%28xxxxxxxxxxxxxx;type=cert
	Type: X.509 Certificate
	Label: Certificate For Card Authentication (xxxxxxxxxxxxx)
	ID: 01:00:00:00:00:00:00:00

Object 3:
	URL: pkcs11:model=Unknown%20Model;manufacturer=Unknown%20Manufacturer;serial=000001;id=%01%00%00%00%00%00%00%00;type=private
	Type: Private key
	Label: 
	Flags: CKA_PRIVATE; 
	ID: 01:00:00:00:00:00:00:00

Object 4:
	URL: pkcs11:model=Unknown%20Model;manufacturer=Unknown%20Manufacturer;serial=000001;id=%02%00%00%00%00%00%00%00;object=Certificate%20For%20Digital%20Signature%20%28xxxxxxxxxxxxxxxxxxxx;type=cert
	Type: X.509 Certificate
	Label: Certificate For Digital Signature (xxxxxxxxxxxx)
	ID: 02:00:00:00:00:00:00:00

Object 5:
	URL: pkcs11:model=Unknown%20Model;manufacturer=Unknown%20Manufacturer;serial=000001;id=%02%00%00%00%00%00%00%00;type=private
	Type: Private key
	Label: 
	Flags: CKA_PRIVATE; 
	ID: 02:00:00:00:00:00:00:00

Object 6:
	URL: pkcs11:model=Unknown%20Model;manufacturer=Unknown%20Manufacturer;serial=000001;id=%03%00%00%00%00%00%00%00;object=Certificxxxxxxxxxxxxxxxxxxxxxxxxxxxx;type=cert
	Type: X.509 Certificate
	Label: Certificate For Key Management (xxxxxxxxxxxx)
	ID: 03:00:00:00:00:00:00:00

Object 7:
	URL: pkcs11:model=Unknown%20Model;manufacturer=Unknown%20Manufacturer;serial=000001;id=%03%00%00%00%00%00%00%00;type=private
	Type: Private key
	Label: 
	Flags: CKA_PRIVATE; 
	ID: 03:00:00:00:00:00:00:00

$ openssl dgst -engine pkcs11 -keyform engine -sign "pkcs11:model=Unknown%20Model;manufacturer=Unknown%20Manufacturer;serial=000001;id=%02%00%00%00%00%00%00%00;type=private" -sha256 -out /tmp/d.sig /tmp/d.dat
engine "pkcs11" set.
PKCS11_get_private_key returned NULL
cannot load key file from engine
140735945642952:error:8206F012:PKCS#11 module:pkcs11_getattr_int:Attribute type invalid:p11_attr.c:48:
140735945642952:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:124:
unable to load key file
$

Here's the complete log that includes SPY debugging output:
ken1.txt

Also, using another tool designed to work with PKCS#11 modules:

$ pkcs11-tool --module /usr/local/lib/keychain-pkcs11.dylib -l --sign --mechanism SHA384-RSA-PKCS --id 02 -i /tmp/d.dat2 -o /tmp/d.sig2
Using slot 0 with a present token (0x1)
error: PKCS11 function C_OpenSession failed: rv = CKR_TOKEN_WRITE_PROTECTED (0xe2)
Aborting.
$ pkcs11-tool --module /usr/local/lib/keychain-pkcs11.dylib -l --sign --mechanism SHA384-RSA-PKCS --id 02:00:00:00:00:00:00:00 -i /tmp/d.dat2 -o /tmp/d.sig2
Using slot 0 with a present token (0x1)
error: PKCS11 function C_OpenSession failed: rv = CKR_TOKEN_WRITE_PROTECTED (0xe2)
Aborting.
$ pkcs11-tool --module /usr/local/lib/keychain-pkcs11.dylib -l --sign --mechanism SHA384-RSA-PKCS --id 0200000000000000 -i /tmp/d.dat2 -o /tmp/d.sig2
Using slot 0 with a present token (0x1)
error: PKCS11 function C_OpenSession failed: rv = CKR_TOKEN_WRITE_PROTECTED (0xe2)
Aborting.
$ pkcs11-tool --module /Library/OpenSC/lib/opensc-pkcs11.dylib -l  --sign --mechanism SHA384-RSA-PKCS --id 02 -i /tmp/d.dat2 -o /tmp/d.sig2
Using slot 0 with a present token (0x0)
Logging in to "xxxxxxxx".
Please enter User PIN: 
Using signature algorithm SHA384-RSA-PKCS
Logging in to "xxxxxxxx".
Please enter context specific PIN: 
$  pkcs11-tool -r --id 02 --type pubkey -o /tmp/sign.key.der
Using slot 0 with a present token (0x0)
$ openssl dgst -verify /tmp/sign.key.der -keyform DER -sha384 -signature /tmp/d.sig2 /tmp/d.dat2
Verified OK
$

How to use with Brew?

Thank you for creating this library.

I installed this package outside of brew, but brew now complains with:

Warning: Unbrewed dylibs were found in /usr/local/lib.
If you didn't put them there on purpose they could cause problems when
building Homebrew formulae, and may need to be deleted.

Unexpected dylibs:
  /usr/local/lib/keychain-pkcs11.dylib

I'm wondering if you know of a way to have this package live alongside brew and suppress this warning?

Thanks again 🙏🏻

Fails to compile under Xcode-10

MacOS 10.13.6. Xcode-10.0. Smartcard, etc. are working fine with OpenSC.

Here's configure (after ./autogen.sh):

$ ./configure --prefix=/opt/local --disable-silent-rules CC=clang
checking for a BSD-compatible install... /opt/local/bin/ginstall -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /opt/local/bin/gmkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether make supports the include directive... yes (GNU style)
checking for gcc... clang
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether clang accepts -g... yes
checking for clang option to accept ISO C89... none needed
checking whether clang understands -c and -o together... yes
checking dependency style of clang... gcc3
checking for ar... ar
checking the archiver (ar) interface... ar
checking for gcc... gcc
checking whether we are using the GNU Objective C compiler... yes
checking whether gcc accepts -g... yes
checking dependency style of gcc... gcc3
checking whether ln -s works... yes
checking build system type... x86_64-apple-darwin17.7.0
checking host system type... x86_64-apple-darwin17.7.0
checking how to print strings... printf
checking for a sed that does not truncate output... /opt/local/bin/gsed
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for fgrep... /usr/bin/grep -F
checking for ld used by clang... /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ld
checking if the linker (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ld) is GNU ld... no
checking for BSD- or MS-compatible name lister (nm)... /opt/local/bin/nm -B
checking the name lister (/opt/local/bin/nm -B) interface... BSD nm
checking the maximum length of command line arguments... 196608
checking how to convert x86_64-apple-darwin17.7.0 file names to x86_64-apple-darwin17.7.0 format... func_convert_file_noop
checking how to convert x86_64-apple-darwin17.7.0 file names to toolchain format... func_convert_file_noop
checking for /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for archiver @FILE support... no
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /opt/local/bin/nm -B output from clang object... ok
checking for sysroot... no
checking for a working dd... /bin/dd
checking how to truncate binary pipes... /bin/dd bs=4096 count=1
checking for mt... no
checking if : is a manifest tool... no
checking for dsymutil... dsymutil
checking for nmedit... nmedit
checking for lipo... lipo
checking for otool... otool
checking for otool64... no
checking for -single_module linker flag... yes
checking for -exported_symbols_list linker flag... yes
checking for -force_load linker flag... yes
checking how to run the C preprocessor... clang -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if clang supports -fno-rtti -fno-exceptions... yes
checking for clang option to produce PIC... -fno-common -DPIC
checking if clang PIC flag -fno-common -DPIC works... yes
checking if clang static flag -static works... no
checking if clang supports -c -o file.o... yes
checking if clang supports -c -o file.o... (cached) yes
checking whether the clang linker (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ld) supports shared libraries... yes
checking dynamic linker characteristics... darwin17.7.0 dyld
checking how to hardcode library paths into programs... immediate
checking for dlopen in -ldl... yes
checking whether a program can dlopen itself... yes
checking whether a statically linked program can dlopen itself... yes
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking for setprogname... yes
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing depfiles commands
config.status: executing libtool commands
$ 

The compilation fails:

/Applications/Xcode.app/Contents/Developer/usr/bin/make  all-am
depbase=`echo localauth.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;\
        /bin/sh ./libtool    --mode=compile gcc -DHAVE_CONFIG_H -I.     -g -O2 -MT localauth.lo -MD -MP -MF $depbase.Tpo -c -o localauth.lo localauth.m &&\
        mv -f $depbase.Tpo $depbase.Plo
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -g -O2 -MT localauth.lo -MD -MP -MF .deps/localauth.Tpo -c localauth.m  -fno-common -DPIC -o .libs/localauth.o
In file included from /usr/include/os/object.h:101,
                 from /usr/include/dispatch/dispatch.h:59,
                 from /System/Library/Frameworks/CoreFoundation.framework/Headers/CFStream.h:20,
                 from /System/Library/Frameworks/CoreFoundation.framework/Headers/CFPropertyList.h:17,
                 from /System/Library/Frameworks/CoreFoundation.framework/Headers/CoreFoundation.h:60,
                 from /System/Library/Frameworks/Foundation.framework/Headers/Foundation.h:6,
                 from /System/Library/Frameworks/LocalAuthentication.framework/Headers/LAContext.h:8,
                 from /System/Library/Frameworks/LocalAuthentication.framework/Headers/LocalAuthentication.h:8,
                 from localauth.m:63:
/usr/include/objc/NSObject.h:22:4: error: unknown type name 'instancetype'
 - (instancetype)self;
    ^~~~~~~~~~~~
/usr/include/objc/NSObject.h:36:4: error: unknown type name 'instancetype'
 - (instancetype)retain OBJC_ARC_UNAVAILABLE;

Why on earth would it try GCC?! And Xcode GCC at that? When a perfectly usable Clang is available?

Here's the complete log (a tad too long to post):
make-out.txt

Update
A workaround for this problem is adding CC=clang OBJC=clang to the ./configure ... command. I don't know enough about autotools to figure out how to fix it there.

Async scan seems to fail or result is not waited on

Hi Ken,

OSX version is Mojave 10.14.5, compiling master.

I am using your library to expose the keychain via PKCS#11 to the Viscosity VPN client ( https://www.sparklabs.com/viscosity/ ).

The behaviour that I am seeing is that the async call for the certificates either never completes, or the code (or the caller of the shlib?) is not waiting for the list to be populated; as such, no certificates are being offered up.

If I move the background_cert_scan call into the foreground then it works as expected.

I didn't really understand your comment preceding the async dispatch (not delved much further into your code yet); as mentioned, I am not using this for Firefox but Viscosity. Having said that, I see the same behaviour when using p11tool to interact with the dylib.

Is this a bug that only manifests on Mojave, perhaps?

SecCertificateCopyPublicKey deprecated

src/keychain_pkcs11.c:2568:9: warning: 'SecCertificateCopyPublicKey' is deprecated: first deprecated in macOS 10.14 [-Wdeprecated-declarations]
                ret = SecCertificateCopyPublicKey(id_list[i].cert,
                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~
                      SecCertificateCopyKey
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.14.sdk/System/Library/Frameworks/Security.framework/Headers/SecCertificate.h:180:10: note: 
      'SecCertificateCopyPublicKey' has been explicitly marked deprecated here
OSStatus SecCertificateCopyPublicKey(SecCertificateRef certificate, SecKeyRef * __nonnull CF_RETURNS_RETAINED key)

Fails to find slots

MacOS 10.14.6 current/latest security patch applied. Xcode-11.2.1 with Command Line Tools 11.2.

Current master.

$ ./pkcs11_test 
PKCS#11 Version: 2.40
Lib manufacturer: U.S. Naval Research Lab         
Lib description: Keychain PKCS#11 Bridge Library 
Lib version: 1.0
Lib flags: 0
Error getting Slot List
$ lldb pkcs11_test 
(lldb) target create "pkcs11_test"
Current executable set to 'pkcs11_test' (x86_64).
(lldb) run
Process 82225 launched: '/Users/ur20980/src/keychain-pkcs11/pkcs11_test' (x86_64)
2019-11-18 12:03:13.127297-0500 pkcs11_test[82225:6628650] [general] C_GetFunctionList called
2019-11-18 12:03:13.127469-0500 pkcs11_test[82225:6628650] [general] C_GetFunctionList returning CKR_OK
2019-11-18 12:03:13.127477-0500 pkcs11_test[82225:6628650] [general] C_Initialize called
2019-11-18 12:03:13.127481-0500 pkcs11_test[82225:6628650] [general] init was set to NULL
2019-11-18 12:03:13.129897-0500 pkcs11_test[82225:6628650] [general] Program "pkcs11_test" is NOT set to ask for PIN, will let Security ask for the PIN
2019-11-18 12:03:13.129926-0500 pkcs11_test[82225:6628650] [general] Program "pkcs11_test" has the Keychain Certificate slot DISABLED
2019-11-18 12:03:13.129933-0500 pkcs11_test[82225:6628650] [general] C_Initalize returning CKR_OK
2019-11-18 12:03:13.129950-0500 pkcs11_test[82225:6628650] [general] C_GetInfo called
2019-11-18 12:03:13.129957-0500 pkcs11_test[82225:6628650] [general] C_GetInfo returning CKR_OK
PKCS#11 Version: 2.40
Lib manufacturer: U.S. Naval Research Lab         
Lib description: Keychain PKCS#11 Bridge Library 
Lib version: 1.0
Lib flags: 0
2019-11-18 12:03:13.129990-0500 pkcs11_test[82225:6628650] [general] C_GetSlotList called
2019-11-18 12:03:13.129994-0500 pkcs11_test[82225:6628650] [general] tokens_present = true, slot_list = 0x0, slot_num = 0
2019-11-18 12:03:13.130004-0500 pkcs11_test[82225:6628650] [general] Performing identity scan
2019-11-18 12:03:13.143299-0500 pkcs11_test[82225:6628650] [general] We have 14 identities, previously we had 0
2019-11-18 12:03:13.143321-0500 pkcs11_test[82225:6628650] [general] Rebuilding identity list and object tree
2019-11-18 12:03:13.154614-0500 pkcs11_test[82225:6628650] [general] 14 identities found
2019-11-18 12:03:13.154639-0500 pkcs11_test[82225:6628650] [general] Copying identity 1
2019-11-18 12:03:13.160282-0500 pkcs11_test[82225:6628650] [general] Persistent ref SecItemCopyMatching failed: OSStatus -26276
2019-11-18 12:03:13.160405-0500 pkcs11_test[82225:6628650] [general] C_GetSlotList returning CKR_FUNCTION_FAILED
Error getting Slot List
Process 82225 exited with status = 6 (0x00000006) 
(lldb) ^D
$ pkcs11-tool -L
Available slots:
Slot 0 (0x0): Yubico Yubikey 4 OTP+U2F+CCID
  token label        : xxxxxxxxxxx
  token manufacturer : piv_II
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : fexxxxxxxxxxxxxx
  pin min/max        : 4/8
$ 
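Both the Java report above (C_GetSlotList with tokenPresent=TRUE yielding zero slots, so SunPKCS11's slotListIndex 0 cannot be satisfied) and this pkcs11_test trace (C_GetSlotList returning CKR_FUNCTION_FAILED after a SecItemCopyMatching failure) have to be diagnosed from the library's debug log. Added example, not code from keychain-pkcs11 or from either reporter: a Python triage script that parses those log lines in both formats (unified log and stderr) and lists the findings; the embedded sample lines are abbreviated copies of the two logs above, and reading the second call's slot_num as the count the first call returned is an inference from those logs rather than documented behaviour.

```python
import re
from dataclasses import dataclass, field

# Message text follows "[mil.navy.nrl.cmf.pkcs11:general]" in `log stream`
# output and "[general]" on stderr (the lldb run above); accept both.
MSG_RE = re.compile(r"\[(?:mil\.navy\.nrl\.cmf\.pkcs11:)?general\]\s+(?P<msg>.*)$")
SLOTS_RE = re.compile(r"tokens_present = (?P<present>true|false), "
                      r"slot_list = (?P<ptr>0x[0-9a-fA-F]+), slot_num = (?P<num>\d+)")
RV_RE = re.compile(r"C_GetSlotList returning (?P<rv>CKR_\w+)")
OSSTATUS_RE = re.compile(r"(?P<api>\w+) failed: OSStatus (?P<code>-?\d+)")

@dataclass
class SlotListCall:
    tokens_present: bool   # tokenPresent argument the client passed
    null_list: bool        # slot_list == 0x0: client only asked for the count
    count_in: int          # *pulCount as the library logged it on entry
    rv: str = ""           # filled from the following "returning" line

@dataclass
class Report:
    cert_slot_disabled: bool = False
    no_identity_tokens: int = 0   # CTK tokens that yielded no identity
    os_errors: list = field(default_factory=list)
    calls: list = field(default_factory=list)

    def present_count(self) -> "int | None":
        # In the logs above the second call of each pair is entered with the
        # count the first call returned, so the last successful non-NULL
        # tokenPresent=TRUE call carries the client's final slot count
        # (an inference from those logs, not documented behaviour).
        ok = [c for c in self.calls
              if c.tokens_present and not c.null_list and c.rv == "CKR_OK"]
        return ok[-1].count_in if ok else None

    def findings(self) -> list:
        out = []
        if self.cert_slot_disabled:
            out.append("Keychain certificate slot is disabled for this program")
        if self.no_identity_tokens:
            out.append(f"no identities on {self.no_identity_tokens} CTK token(s)")
        out.extend(self.os_errors)
        out.extend(f"C_GetSlotList failed with {c.rv}"
                   for c in self.calls if c.rv and c.rv != "CKR_OK")
        if self.present_count() == 0:
            out.append("zero slots with a present token: "
                       "SunPKCS11 slotListIndex=0 cannot be satisfied")
        return out

def parse_log(text: str) -> Report:
    """Walk the lines in order; a 'returning' line belongs to the last call."""
    rep = Report()
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if "Keychain Certificate slot DISABLED" in msg:
            rep.cert_slot_disabled = True
        elif msg == "No identities found":
            rep.no_identity_tokens += 1
        elif (s := SLOTS_RE.search(msg)):
            rep.calls.append(SlotListCall(s.group("present") == "true",
                                          int(s.group("ptr"), 16) == 0,
                                          int(s.group("num"))))
        elif (r := RV_RE.search(msg)) and rep.calls:
            rep.calls[-1].rv = r.group("rv")
        elif (o := OSSTATUS_RE.search(msg)):
            rep.os_errors.append(f"{o.group('api')} failed with OSStatus {o.group('code')}")
    return rep

# Abbreviated copies of the two logs quoted above ("called" lines and the
# timestamp/PID prefix dropped; the parser ignores both).
_J = "... java: (keychain-pkcs11.dylib) [mil.navy.nrl.cmf.pkcs11:general] "
JAVA_LOG = "\n".join(_J + s for s in [
    'Program "java" has the Keychain Certificate slot DISABLED',
    "No identities found", "No identities found",
    "tokens_present = false, slot_list = 0x60000255c680, slot_num = 1",
    "C_GetSlotList returning CKR_OK",
    "tokens_present = true, slot_list = 0x60000255c680, slot_num = 125601792",
    "C_GetSlotList returning CKR_OK",
    "tokens_present = true, slot_list = 0x60000255c680, slot_num = 0",
    "C_GetSlotList returning CKR_OK"])
_L = "... pkcs11_test[82225:6628650] [general] "
LLDB_LOG = "\n".join(_L + s for s in [
    'Program "pkcs11_test" has the Keychain Certificate slot DISABLED',
    "tokens_present = true, slot_list = 0x0, slot_num = 0",
    "Persistent ref SecItemCopyMatching failed: OSStatus -26276",
    "C_GetSlotList returning CKR_FUNCTION_FAILED"])
```

Feed it the output of the `log stream --predicate 'subsystem = "mil.navy.nrl.cmf.pkcs11"' --level debug` command shown above, or the stderr of a run under lldb, and call parse_log(text).findings().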

Won't load in Firefox 61.0.1 64b/Mac

Compiled fine, tho.

This is a persistent problem w/ FF over the years, so may not be your issue.

-- T

Log trace:

$ log stream --predicate 'subsystem = "mil.navy.nrl.cmf.pkcs11"' --level debug
Filtering the log data using "subsystem == "mil.navy.nrl.cmf.pkcs11""
Timestamp Thread Type Activity PID TTL
2018-08-06 08:56:34.438039-0500 0x11bab0 Debug 0x0 33163 firefox: (keychain-pkcs11.so) [mil.navy.nrl.cmf.pkcs11:general] C_GetFunctionList called
2018-08-06 08:56:34.438163-0500 0x11bab0 Debug 0x0 33163 firefox: (keychain-pkcs11.so) [mil.navy.nrl.cmf.pkcs11:general] C_GetFunctionList returning CKR_OK
2018-08-06 08:56:34.438244-0500 0x11bab0 Debug 0x0 33163 firefox: (keychain-pkcs11.so) [mil.navy.nrl.cmf.pkcs11:general] C_Initialize called
2018-08-06 08:56:34.438307-0500 0x11bab0 Debug 0x0 33163 firefox: (keychain-pkcs11.so) [mil.navy.nrl.cmf.pkcs11:general] OS_LOCKING_OK set, using pthread locking
2018-08-06 08:56:34.438386-0500 0x11bab0 Debug 0x0 33163 firefox: (keychain-pkcs11.so) [mil.navy.nrl.cmf.pkcs11:general] C_Initalize returning CKR_OK
2018-08-06 08:56:34.438433-0500 0x11bab0 Debug 0x0 33163 firefox: (keychain-pkcs11.so) [mil.navy.nrl.cmf.pkcs11:general] C_GetInfo called
2018-08-06 08:56:34.438474-0500 0x11bab0 Debug 0x0 33163 firefox: (keychain-pkcs11.so) [mil.navy.nrl.cmf.pkcs11:general] flags is nonzero!
2018-08-06 08:56:34.438520-0500 0x11bab0 Debug 0x0 33163 firefox: (keychain-pkcs11.so) [mil.navy.nrl.cmf.pkcs11:general] C_GetInfo returning CKR_ARGUMENTS_BAD
2018-08-06 08:56:34.438563-0500 0x11bab0 Debug 0x0 33163 firefox: (keychain-pkcs11.so) [mil.navy.nrl.cmf.pkcs11:general] C_Finalize called
2018-08-06 08:56:34.438661-0500 0x11bab0 Debug 0x0 33163 firefox: (keychain-pkcs11.so) [mil.navy.nrl.cmf.pkcs11:general] destroy_mutex returned 16
2018-08-06 08:56:34.438807-0500 0x11bab0 Debug 0x0 33163 firefox: (keychain-pkcs11.so) [mil.navy.nrl.cmf.pkcs11:general] C_Finalize returning CKR_OK

Decrypt fails with Twocanoes CTK plugin and keychain-pkcs11

This is possibly an issue with their plugin, but posting here in case there's a fix here, a workaround, or additional debugging I can send on to the vendor.

 > pluginkit -m -p com.apple.ctk-tokens
     [...]
     com.twocanoes.Smart-Card-Utility.pivtoken(4.5)

Attempting operations with the card (e.g., through gpgsm) gives me a generic error, but pkcs11-tool throws additional stuff:

> pkcs11-tool -O --module /usr/local/lib/keychain-pkcs11.dylib
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      Certificate For PIV Authentication (REDACTED)
  subject:    DN: C=US, O=U.S. Government, OU=DoD, OU=PKI, OU=CONTRACTOR, CN=REDACTED
  serial:     REDACTED
  ID:         00
Public Key Object; RSA 2048 bits
  label:      Certificate For PIV Authentication (REDACTED)
  ID:         00
warning: PKCS11 function C_GetAttributeValue(VERIFY_RECOVER) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

  Usage:      encrypt, verify
  Access:     local
  ...
