Discussion:
Support for PKCS11 / Smartcard?
mailto428496
2018-12-01 02:41:49 UTC
I originally submitted to webkit-help but then realized that this -gtk
specific list was probably more appropriate...


Hi,

It does not appear that webkit-gtk has support for PKCS 11 and hence
smartcard devices, unless I am missing something...? I was wondering if
there were any plans to implement this for webkit-gtk browsers?

To provide background, I am currently trying to use the Evolution mail
client on Linux with Microsoft O365 mail using OAuth2. During this
process webkit is called to bring up the 3rd party auth page. I work
for a government agency where smartcard auth is preferred, but the
webkit browser (probably spawning something similar to MiniBrowser) does
not understand how to talk to the smartcard interface.

Any help / direction would be appreciated.

Thanks,


Jim
Michael Catanzaro
2018-12-01 17:14:07 UTC
Post by mailto428496
It does not appear that webkit-gtk has support for PKCS 11 and hence
smartcard devices, unless I am missing something...? I was wondering if
there were any plans to implement this for webkit-gtk browsers?
Hm...

p11-kit is supported in Fedora, Arch, and any other distro that builds
GnuTLS using --with-default-trust-store-pkcs11="pkcs11:". It won't work
in Debian/Ubuntu/openSUSE or other distros that still use old-fashioned
ca-certificate file storage. But in distros with p11-kit enabled,
PKCS#11 assertions are supposed to be respected when performing server
certificate verification.

But I don't know about smartcards. So the answer to that is: maybe?
Maybe almost? WebKit doesn't currently support TLS client
authentication at all, so my guess is not at the WebKit level. That's
being actively worked on though, in
https://bugs.webkit.org/show_bug.cgi?id=164509. (I know there's not
much in the way of updates there, but it really is being worked on. :)

But that won't help if smartcards aren't working at the GLib level, and
I'm not sure about the status there. I am quite certain that nobody
working on this code has a smartcard or would know what to do with one,
though. :( We used to have separate support in glib-networking for
PKCS#11. I disabled it in 2.58 and recently deleted it entirely because
nobody could tell me if it does anything that GnuTLS can't do itself
nowadays. For details on that, see
https://gitlab.gnome.org/GNOME/glib-networking/issues/7. Now, if you
have an older version of glib-networking (2.56 or earlier) then you
could try it out with the environment variable
GIO_USE_TLS=gnutls-pkcs11, but remember that client authentication will
not work in WebKit regardless, and I'm not sure what other apps you
could use to test it. Anyway, my suspicion is that that code was not
important, and that if any extra work is needed to make smartcards
work, it should be done using the GnuTLS PKCS#11 APIs instead:

https://www.gnutls.org/manual/html_node/Smart-cards-and-HSMs.html

but really, I don't know. It would need to be investigated by a
developer with a smartcard and some interest in figuring out how it's
supposed to work. You might know more than me! Did any of that make
sense?

Michael
Michael Catanzaro
2018-12-01 17:20:56 UTC
On Sat, Dec 1, 2018 at 11:14 AM, Michael Catanzaro
It would need to be investigated by a developer with a smartcard and
some interest in figuring out how it's supposed to work. You might
know more than me! Did any of that make sense?
BTW to be clear:

* WebKit client auth is extremely likely to arrive sometime soonish.
Shame it's not working quite yet.
* But once client auth is ready, smartcards may or may not work. No
clue. There's a good chance they will, but it definitely won't be
tested in WebKit, so maybe 50/50 odds, I really don't know.

Michael
Igor Korot
2018-12-01 17:37:24 UTC
Post by Michael Catanzaro
On Sat, Dec 1, 2018 at 11:14 AM, Michael Catanzaro
It would need to be investigated by a developer with a smartcard and
some interest in figuring out how it's supposed to work. You might
know more than me! Did any of that make sense?
* WebKit client auth is extremely likely to arrive sometime soonish.
Shame it's not working quite yet.
* But once client auth is ready, smartcards may or may not work. No
clue. There's a good chance they will, but it definitely won't be
tested in WebKit, so maybe 50/50 odds, I really don't know.
Whether it is an external reader or the keyboard one, the driver has to
be installed.
I know RHEL provides such a driver in their kernel/repository.

Then all you do is to append the certificate to the browser and when you access
secure site it will ask you to provide a PIN.

But as I said - the first thing is to have an appropriate driver.
And when you do - attach the reader and insert the card.

The driver should kick in, the light on the reader should start blinking and
there should appear a dialog about the card successfully read.

If that part works - then we should start checking the browser.

Thank you.
Post by Michael Catanzaro
Michael
_______________________________________________
webkit-gtk mailing list
https://lists.webkit.org/mailman/listinfo/webkit-gtk
mailto428496
2018-12-02 00:09:26 UTC
Igor,

I think what you are asking is whether the system has been correctly
setup for smartcard? The answer is yes. The EL7 system has all the
pcscd, opensc, etc. packages and smartcard works correctly for machine
login and using the firefox browser (via libcoolkey) for smartcard
enabled sites. The issue is just that the webkit-gtk browser (used by
Evolution for OAuth2) doesn't know how to talk to the smartcard device
(no hooks to libcoolkey, etc.), all the other framework is in place.

Thanks,


Jim
Igor Korot
2018-12-02 02:45:19 UTC
Hi, Jim,
Post by mailto428496
Igor,
I think what you are asking is whether the system has been correctly
setup for smartcard? The answer is yes. The EL7 system has all the
pcscd, opensc, etc. packages and smartcard works correctly for machine
login and using the firefox browser (via libcoolkey) for smartcard
enabled sites. The issue is just that the webkit-gtk browser (used by
Evolution for OAuth2) doesn't know how to talk to the smartcard device
(no hooks to libcoolkey, etc.), all the other framework is in place.
Since you were asking about this I would have guessed that you have
everything set up.
My e-mail is more targeted at the people who are doing webkit-gtk, to let
them understand what is needed.

BTW, do you use external reader for testing or the one incorporated
into the keyboard?

Michael,
I believe you can buy an external card reader but it will probably be
a problem to do testing without the actual card.

Thank you.
mailto428496
2018-12-02 20:25:15 UTC
Igor,

I am using an external card reader, specifically the SCR331. You can
also buy smartcards for relatively cheap and create a self signed cert
for them for testing.

Thanks,


Jim
mailto428496
2018-12-02 00:01:05 UTC
Michael,

Thanks for the response!
Post by Michael Catanzaro
Post by mailto428496
It does not appear that webkit-gtk has support for PKCS 11 and hence
smartcard devices, unless I am missing something...? I was wondering if
there were any plans to implement this for webkit-gtk browsers?
Hm...
p11-kit is supported in Fedora, Arch, and any other distro that builds
GnuTLS using --with-default-trust-store-pkcs11="pkcs11:". It won't
work in Debian/Ubuntu/openSUSE or other distros that still use
old-fashioned ca-certificate file storage. But in distros with p11-kit
enabled, PKCS#11 assertions are supposed to be respected when
performing server certificate verification.
I am testing this on CentOS 7 and it appears that the server cert ca
verification is working (we have the CA stores installed locally), at
least it doesn't complain that the site cert is invalid, but I suppose
it could just not be checking at all (which wouldn't be so great either...).
Post by Michael Catanzaro
But I don't know about smartcards. So the answer to that is: maybe?
Maybe almost? WebKit doesn't currently support TLS client
authentication at all, so my guess is not at the WebKit level. That's
being actively worked on though, in
https://bugs.webkit.org/show_bug.cgi?id=164509. (I know there's not
much in the way of updates there, but it really is being worked on. :)
It's good to hear there is some work in that direction. It sounds like
some of the background work is being done but probably not the actual
hooks for pulling in the libraries for interfacing with smartcard (as I
mention below)?
Post by Michael Catanzaro
But that won't help if smartcards aren't working at the GLib level,
and I'm not sure about the status there. I am quite certain that
nobody working on this code has a smartcard or would know what to do
with one, though. :( We used to have separate support in
glib-networking for PKCS#11. I disabled it in 2.58 and recently
deleted it entirely because nobody could tell me if it does anything
that GnuTLS can't do itself nowadays. For details on that, see
https://gitlab.gnome.org/GNOME/glib-networking/issues/7. Now, if you
have an older version of glib-networking (2.56 or earlier) then you
could try it out with the environment variable
GIO_USE_TLS=gnutls-pkcs11, but remember that client authentication
will not work in WebKit regardless, and I'm not sure what other apps
you could use to test it. Anyway, my suspicion is that that code was
not important, and that if any extra work is needed to make smartcards
work, it should be done using the GnuTLS PKCS#11 APIs instead:
https://www.gnutls.org/manual/html_node/Smart-cards-and-HSMs.html
I think there would need to be an interface to the opensc or coolkey
libraries in order for it to access the smartcard. It sounds like it is
a bit more complicated where there are multiple layers and packages
involved that would all need to support each other in order for this to
work.
Post by Michael Catanzaro
but really, I don't know. It would need to be investigated by a
developer with a smartcard and some interest in figuring out how it's
supposed to work. You might know more than me! Did any of that make
sense?
There has been discussion of contracting a developer to help with this
(if we can get funding, etc.) and if that happened I would hope that any
result could be contributed back to the open source community (but given
that it's the government that is another whole process).

I wanted to be sure that I wasn't missing something and that support was
not already included - which it sounds pretty clear that it isn't yet,
but maybe some of the groundwork is getting there? And I wanted to get
an idea of what it might take to implement - which sounds non-trivial
but doable for someone willing to dig into the weeds and figure out how
all the pieces need to work together.

Thanks again!


Jim
Michael Catanzaro
2018-12-02 19:58:17 UTC
Post by mailto428496
I am testing this on CentOS 7 and it appears that the server cert ca
verification is working (we have the CA stores installed locally), at
least it doesn't complain that the site cert is invalid, but I suppose
it could just not be checking at all (which wouldn't be so great either...).
It definitely checks TLS certificates. That's only impressive if you
have the server cert stored on your smartcard, though, which I assume
is probably not what you're doing, right?

(Beware that the version of WebKit shipped by CentOS is always old and
doesn't receive security updates.)
Post by mailto428496
I think there would need to be an interface to the opensc or coolkey
libraries in order for it to access the smartcard. It sounds like it is
a bit more complicated where there are multiple layers and packages
involved that would all need to support each other in order for this to
work.
I've never heard of these libraries before today, but I don't think so.
From
https://fedoraproject.org/wiki/Changes/Replace_Coolkey_with_OpenSC I
gather that p11-kit wraps these libraries. And GnuTLS uses p11-kit as
its default trust store (looks like since CentOS 7.3). Did you try
GIO_USE_TLS=gnutls-pkcs11?
Post by mailto428496
There has been discussion of contracting a developer to help with this
(if we can get funding, etc.) and if that happened I would hope that any
result could be contributed back to the open source community (but given
that it's the government that is another whole process).
I wanted to be sure that I wasn't missing something and that support was
not already included - which it sounds pretty clear that it isn't yet,
but maybe some of the groundwork is getting there? And I wanted to get
an idea of what it might take to implement - which sounds non-trivial
but doable for someone willing to dig into the weeds and figure out how
all the pieces need to work together.
It's not clear to me at all. Until a couple months ago, we had tons of
code for PKCS#11 in glib-networking. It didn't write itself for no
reason. The problem is that I wound up inheriting all the code, without
knowing if it's still important, or if anyone at all is using it with
smartcards, and with nobody to test it or tell me if it's working, and
every indication that it's obsoleted by GnuTLS-level support for
PKCS#11, and with the code having never been enabled except behind a
secret environment variable, I decided to delete it (in glib-networking
2.58; you have 2.56 if you have CentOS 7.6). For the code to have
remained, I needed someone interested to come forward and tell me that
it was both working and also not redundant with the GnuTLS-level
PKCS#11 support, and that didn't happen.

So set aside the WebKit-level client authentication issue, which will
be solved soon regardless. Take WebKit out of the picture. We have
support for PKCS#11 in GnuTLS. Your main concern right now is to make
sure that the gnutls-pkcs11 backend I just removed from glib-networking
is not important for you, because if so we just took a lot of steps
backwards. That can be undone now far more easily than a e.g. year from
now. So you want to be sure that glib-networking's gnutls backend can
do everything the gnutls-pkcs11 backend could. In CentOS 7.6, you are
in a good spot to do this, because you have glib-networking 2.56, which
is the first version of glib-networking that uses GnuTLS's default
trust store and also the last version that has the gnutls-pkcs11
backend built by default. (In 2.58 it's disabled by default at build
time. And in 2.60 it will be gone.)

Once TLS client authentication is working, there should be zero code in
WebKit required to support smartcards. All of that code lives at the
glib-networking and GnuTLS levels (and maaaybe libsoup, but I don't
think so). So you can test whether this works today... just not using
WebKit. (Not sure how exactly you would test it without WebKit, though.
Without any support for client auth at the WebKit level, I'm really not
sure what the code was written for.)

Michael
Michael Catanzaro
2018-12-02 20:05:57 UTC
On Sun, Dec 2, 2018 at 1:58 PM, Michael Catanzaro
In CentOS 7.6, you are in a good spot to do this, because you have
glib-networking 2.56, which is the first version of glib-networking
that uses GnuTLS's default trust store
Oops, that's not true; looks like 2.58 was the first version for this.
So there is no PKCS#11 support at all (because in 2.56 and older,
glib-networking bypasses GnuTLS's trust store and loads CA's from a
certificate file) unless you use the gnutls-pkcs11 backend (again,
that's now removed, but still present in 2.56). So that means what
you're testing on CentOS 7.6 will be completely different than the
current code.

So if you check the state of PKCS#11 in glib-networking in CentOS 7.6,
you're going to want to turn around and check again in Fedora 29 as
well, due to these huge changes.

Michael
mailto428496
2018-12-03 06:37:29 UTC
Michael,

I ignored testing GIO_USE_TLS=gnutls-pkcs11 because I thought you were
saying that it would not be implemented in webkit but I just tested now
and it does appear to change the behavior! I ran MiniBrowser with
strace remotely on a machine with a card reader (no card in reader
though so I couldn't fully test, will tomorrow though) and it does
appear to cause it to access the opensc/coolkey libraries and the card
reader!

Running MiniBrowser with/without "export GIO_USE_TLS=gnutls-pkcs11"
egrep "cool|opensc" /tmp/out1
With:

[pid 171854] stat("/usr/share/p11-kit/modules/coolkey.module", <unfinished ...>
[pid 171854] open("/usr/share/p11-kit/modules/coolkey.module", O_RDONLY|O_CLOEXEC <unfinished ...>
[pid 171854] stat("/usr/share/p11-kit/modules/opensc.module", <unfinished ...>
[pid 171854] open("/usr/share/p11-kit/modules/opensc.module", O_RDONLY|O_CLOEXEC <unfinished ...>
[pid 171854] open("/usr/lib64/pkcs11/libcoolkeypk11.so", O_RDONLY|O_CLOEXEC) = 15
[pid 171854] open("/usr/lib64/pkcs11/opensc-pkcs11.so", O_RDONLY|O_CLOEXEC) = 15
[pid 171854] open("/usr/lib64/webkit2gtk-4.0/libopensc.so.4", O_RDONLY|O_CLOEXEC <unfinished ...>
[pid 171854] open("/lib64/libopensc.so.4", O_RDONLY|O_CLOEXEC) = 15
[pid 171854] mkdir("/var/cache/coolkey", 01777) = -1 EEXIST (File exists)
[pid 171854] open("/var/cache/coolkey/coolkeypk11tDell Dell Smart Card Reader Keyboard 00 00-4609", O_RDWR|O_CREAT|O_EXCL|O_APPEND, 0600) = -1 EEXIST (File exists)
[pid 171854] open("/var/cache/coolkey/coolkeypk11tDell Dell Smart Card Reader Keyboard 00 00-4609", O_RDWR|O_NOFOLLOW) = 16
[pid 171854] open("/etc/opensc-x86_64.conf", O_RDONLY) = 19

So, maybe it actually will work!

I will test tomorrow and let you know!

Thanks,


Jim
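Jim's strace-plus-egrep check above is the right quick test of whether a process ever reaches the smartcard stack at all, independent of whether client auth later succeeds. The following is an added example, not code from this thread, WebKit, glib-networking or p11-kit, that does that triage programmatically on an `strace -f` capture. It uses the lines Jim posted as its sample input (wrapped lines re-joined) and separates four things a reader of such a log wants kept apart: p11-kit `*.module` configs merely read, PKCS#11 modules actually opened, opens that strace left `<unfinished ...>` (no result on that line, so no conclusion), and OpenSC/CoolKey state touched. The capture command in the comment is an assumed invocation; Jim did not post his. Note that with `-f` the pid doing the loading can be a helper process rather than the MiniBrowser binary itself.

```python
"""Triage an ``strace -f`` capture for smartcard-stack activity.

Added example for this thread; not code from WebKit, glib-networking or
p11-kit.  Answers what Jim's egrep answered by hand: did the process read
p11-kit module configs, actually open PKCS#11 modules, and touch OpenSC or
CoolKey state?
"""
import re
from typing import Dict, List, Optional

# Sample input: the lines Jim posted in this thread, wrapped lines re-joined.
# Capture your own with something like (assumed invocation):
#   strace -f -e trace=open,openat,stat,mkdir -o /tmp/out1 MiniBrowser
SAMPLE_STRACE = """\
[pid 171854] stat("/usr/share/p11-kit/modules/coolkey.module", <unfinished ...>
[pid 171854] open("/usr/share/p11-kit/modules/coolkey.module", O_RDONLY|O_CLOEXEC <unfinished ...>
[pid 171854] stat("/usr/share/p11-kit/modules/opensc.module", <unfinished ...>
[pid 171854] open("/usr/share/p11-kit/modules/opensc.module", O_RDONLY|O_CLOEXEC <unfinished ...>
[pid 171854] open("/usr/lib64/pkcs11/libcoolkeypk11.so", O_RDONLY|O_CLOEXEC) = 15
[pid 171854] open("/usr/lib64/pkcs11/opensc-pkcs11.so", O_RDONLY|O_CLOEXEC) = 15
[pid 171854] open("/usr/lib64/webkit2gtk-4.0/libopensc.so.4", O_RDONLY|O_CLOEXEC <unfinished ...>
[pid 171854] open("/lib64/libopensc.so.4", O_RDONLY|O_CLOEXEC) = 15
[pid 171854] mkdir("/var/cache/coolkey", 01777) = -1 EEXIST (File exists)
[pid 171854] open("/var/cache/coolkey/coolkeypk11tDell Dell Smart Card Reader Keyboard 00 00-4609", O_RDWR|O_CREAT|O_EXCL|O_APPEND, 0600) = -1 EEXIST (File exists)
[pid 171854] open("/var/cache/coolkey/coolkeypk11tDell Dell Smart Card Reader Keyboard 00 00-4609", O_RDWR|O_NOFOLLOW) = 16
[pid 171854] open("/etc/opensc-x86_64.conf", O_RDONLY) = 19
"""

# A path-taking syscall line, with or without the "[pid N]" prefix that -f
# adds; openat() puts AT_FDCWD before the path, so allow that too.
LINE_RE = re.compile(
    r'^(?:\[pid\s+(?P<pid>\d+)\]\s+)?(?P<call>\w+)\((?:AT_FDCWD,\s*)?"(?P<path>[^"]*)"(?P<rest>.*)$'
)
RESULT_RE = re.compile(r"=\s*(?P<ret>-?\d+)(?:\s+(?P<errno>E[A-Z]+))?")
SHARED_OBJECT_RE = re.compile(r"\.so(\.\d+)*$")

# Where p11-kit reads module configuration from (pkcs11.conf(5)).
P11KIT_MODULE_DIRS = ("/usr/share/p11-kit/modules/", "/etc/pkcs11/modules/")
# State the two token drivers seen in the thread touch: CoolKey's cache and
# OpenSC's config (/etc/opensc.conf, or the arch-suffixed name EL7 uses).
TOKEN_DRIVER_PREFIXES = ("/var/cache/coolkey", "/etc/opensc")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return {pid, call, path, status, errno} for a path-taking syscall, else None.

    status: "ok" (result >= 0), "error" (-1 plus errno), "unfinished" (strace
    split the call across threads; nothing can be concluded), or "unknown".
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    status, errno = "unknown", None
    if "<unfinished" in rest:
        status = "unfinished"
    else:
        r = RESULT_RE.search(rest)
        if r:
            errno = r.group("errno")
            status = "ok" if int(r.group("ret")) >= 0 else "error"
    return {
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "call": m.group("call"),
        "path": m.group("path"),
        "status": status,
        "errno": errno,
    }


def triage(strace_text: str) -> Dict[str, object]:
    """Bucket the capture into what a smartcard-stack check cares about."""
    module_configs: List[str] = []  # p11-kit *.module files read (short name)
    pkcs11_modules: List[str] = []  # PKCS#11 modules opened successfully
    other_libs: List[str] = []      # other shared objects opened successfully
    token_activity: List[str] = []  # OpenSC/CoolKey files touched, any outcome
    unresolved: List[str] = []      # shared-object opens strace left unfinished

    def add(bucket: List[str], item: str) -> None:
        if item not in bucket:      # first-seen order, duplicates dropped
            bucket.append(item)

    for line in strace_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        path = str(ev["path"])
        if path.startswith(P11KIT_MODULE_DIRS) and path.endswith(".module"):
            add(module_configs, path.rsplit("/", 1)[1][: -len(".module")])
        elif SHARED_OBJECT_RE.search(path) and ev["call"] in ("open", "openat"):
            if ev["status"] == "ok":
                add(pkcs11_modules if "/pkcs11/" in path else other_libs, path)
            elif ev["status"] == "unfinished":
                add(unresolved, path)
        elif path.startswith(TOKEN_DRIVER_PREFIXES):
            add(token_activity, path)

    return {
        "module_configs": module_configs,
        "pkcs11_modules_loaded": pkcs11_modules,
        "shared_libs_loaded": other_libs,
        "token_activity": token_activity,
        "unresolved": unresolved,
        # Reading a .module file proves nothing by itself; an opened PKCS#11
        # module or driver state being touched does.
        "uses_smartcard_stack": bool(pkcs11_modules or token_activity),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_STRACE).items():
        print(f"{key}: {value}")
```

Run the same triage on a capture taken without `GIO_USE_TLS=gnutls-pkcs11`, and on a glib-networking 2.58 system, and compare the `pkcs11_modules_loaded` bucket: that is the comparison Michael asks for below, and it says nothing about whether client auth works, only whether the modules are ever reached.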
Michael Catanzaro
2018-12-03 18:37:21 UTC
I think it won't work to authenticate you to the website, because WebKit
doesn't (yet) support client authentication (that's on my TODO). So try
to find some way to test it without using WebKit. Admittedly, that's a
sticking point, because I'm really not sure how you would do that....

Michael
mailto428496
2018-12-04 02:16:19 UTC
Michael,

As you predicted it didn't work for smartcard authentication with WebKit
(MiniBrowser) (perhaps I was overly optimistic that somehow it would
magically work ;) and I am not sure how else to test it? But setting
the GIO_USE_TLS=gnutls-pkcs11 variable does cause it to start looking at
smartcard related libraries. So that sounds like there is hope that it
would work after you got the client authentication working, that I
assume would interface with whatever gnutls-pkcs11 provided? Any idea
when that might happen? Also, it seems like it would be useful to leave
the pkcs11 code around that you had recently removed ;)

Let me know if you have any ideas on how to test the glib-networking
without WebKit, I am just not sure what else smartcard auth related
would use it?

Also, this might be a long shot, but how hard would it be to get WebKit
to redirect to another browser like firefox that could do the auth, or
is the WebKit API just too specific for that to ever work? For fun I
actually linked WebKitWebProcess to firefox and it does pop up firefox,
but not surprisingly none of the information gets passed.


Thanks,


Jim
Michael Catanzaro
2018-12-04 15:28:49 UTC
Post by mailto428496
Michael,
As you predicted it didn't work for smartcard authentication with WebKit
(MiniBrowser) (perhaps I was overly optimistic that somehow it would
magically work ;) and I am not sure how else to test it? But setting
the GIO_USE_TLS=gnutls-pkcs11 variable does cause it to start looking at
smartcard related libraries. So that sounds like there is hope that it
would work after you got the client authentication working, that I
assume would interface with whatever gnutls-pkcs11 provided? Any idea
when that might happen? Also, it seems like it would be useful to leave
the pkcs11 code around that you had recently removed ;)
That's what we need to figure out. Maybe you could do the same thing
with glib-networking 2.58 (e.g. in Fedora 29) and see if the smartcard
libraries are still being used? I think it should still be used, just
via GnuTLS rather than via gnutls-pkcs11. Not sure.
Post by mailto428496
Let me know if you have any ideas on how to test the glib-networking
without WebKit, I am just not sure what else smartcard auth related
would use it?
I'll ask around and see if someone has ideas.
Post by mailto428496
Also, this might be a long shot, but how hard would it be to get WebKit
to redirect to another browser like firefox that could do the auth, or
is the WebKit API just too specific for that to ever work? For fun I
actually linked WebKitWebProcess to firefox and it does pop up
firefox,
but not surprisingly none of the information gets passed.
Hehe, there's no way to make that work, indeed.

We just need to fix https://bugs.webkit.org/show_bug.cgi?id=164509. It
shouldn't be too hard and it's on my TODO. I can't promise when I'll
get to it, though.

Michael
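Two questions are left open in the exchange above: which program name p11-kit actually sees when it decides whether to load a module for a process (its `*.module` files can gate modules per program with `enable-in` / `disable-in`, and with WebKit the TLS work happens in a helper process, not in the MiniBrowser binary), and how to exercise TLS client auth from the token with no browser at all. The following is an added example, not code from p11-kit, GnuTLS, WebKit or anyone in this thread. It mimics p11-kit's per-program module selection over constructed `*.module` files (contents invented, modelled on the coolkey/opensc files Jim's strace shows being read), builds RFC 7512 `pkcs11:` URIs, and emits the `p11tool` / `gnutls-cli` commands that perform client auth straight from the card. Assumptions are marked in the code: the precedence between `enable-in` and `disable-in` is simplified, and the hostname is a placeholder.

```python
"""Which PKCS#11 modules would p11-kit hand to a given program, and how do you
exercise TLS client auth from the token without a browser?

Added example for this thread; not code from p11-kit, GnuTLS or WebKit.
The *.module contents below are constructed; the hostname is a placeholder.
"""
import shlex
from typing import Dict, List
from urllib.parse import quote

# Constructed module files in the pkcs11.conf(5) "key: value" format, modelled
# on the coolkey.module / opensc.module files Jim's strace shows being read.
SAMPLE_MODULE_FILES: Dict[str, str] = {
    "opensc.module": "# OpenSC PKCS#11 module\nmodule: opensc-pkcs11.so\n",
    "coolkey.module": "module: libcoolkeypk11.so\ndisable-in: WebKitNetworkProcess\n",
    "p11-kit-trust.module": "module: p11-kit-trust.so\ntrust-policy: yes\npriority: 1\n",
    "gnome-keyring.module": "module: gnome-keyring-pkcs11.so\nenable-in: gnome-keyring-daemon\n",
}


def parse_module_file(text: str) -> Dict[str, str]:
    """Parse one p11-kit *.module file into a dict (comments and blanks skipped)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings


def _names(value: str) -> List[str]:
    return [n.strip() for n in value.split(",") if n.strip()]


def modules_for_program(module_files: Dict[str, str], program: str) -> List[str]:
    """Module filenames p11-kit would load into `program`, highest priority first.

    `program` is the base name of the process p11-kit runs in; for WebKit that
    is the network helper process, not the MiniBrowser binary.
    Assumption (simplified): a module is excluded if enable-in omits the
    program OR disable-in lists it; pkcs11.conf(5) has the exact precedence.
    """
    chosen = []
    for name, text in module_files.items():
        s = parse_module_file(text)
        if "module" not in s:
            continue
        if "enable-in" in s and program not in _names(s["enable-in"]):
            continue
        if program in _names(s.get("disable-in", "")):
            continue
        chosen.append((int(s.get("priority", "0")), name, s["module"]))
    chosen.sort(key=lambda t: (-t[0], t[1]))  # priority desc, then file name
    return [module for _, _, module in chosen]


def pkcs11_uri(**attrs: str) -> str:
    """RFC 7512 PKCS#11 URI; everything outside the unreserved set is
    percent-encoded so token labels with spaces or ';' stay unambiguous."""
    return "pkcs11:" + ";".join(f"{k}={quote(v, safe='')}" for k, v in attrs.items())


def client_auth_commands(token_label: str, cert_label: str,
                         host: str = "mtls.example.gov") -> Dict[str, str]:
    """GnuTLS commands that test the token end to end with no browser involved.

    gnutls-cli and p11tool accept pkcs11: URLs in place of file names (GnuTLS
    manual, "Smart cards and HSMs"); the PIN prompt comes from the token.
    `host` is a placeholder for the real mTLS endpoint.
    """
    cert = pkcs11_uri(token=token_label, object=cert_label, type="cert")
    key = pkcs11_uri(token=token_label, object=cert_label, type="private")
    return {
        "list_tokens": "p11tool --list-tokens",
        "list_certs": "p11tool --login --list-all-certs "
                      + shlex.quote(pkcs11_uri(token=token_label)),
        "tls_client_auth": "gnutls-cli --x509certfile " + shlex.quote(cert)
                           + " --x509keyfile " + shlex.quote(key) + " " + shlex.quote(host),
    }


if __name__ == "__main__":
    for prog in ("MiniBrowser", "WebKitNetworkProcess", "gnome-keyring-daemon"):
        print(prog, "->", modules_for_program(SAMPLE_MODULE_FILES, prog))
    for step, cmd in client_auth_commands("Dell Dell Smart Card Reader Keyboard 00 00",
                                          "Certificate for PIV Authentication").items():
        print(f"{step}: {cmd}")
```

If `gnutls-cli` completes the handshake with the card's certificate, the GnuTLS and p11-kit layers are fine and whatever fails in the browser is above them; if `p11tool --list-tokens` shows nothing, stop there, because no client-auth code in WebKit will change that.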
mailto428496
2018-12-06 06:19:49 UTC
Michael,
Post by Michael Catanzaro
Post by mailto428496
Michael,
As you predicted it didn't work for smartcard authentication with WebKit
(MiniBrowser) (perhaps I was overly optimistic that somehow it would
magically work ;) and I am not sure how else to test it? But setting
the GIO_USE_TLS=gnutls-pkcs11 variable does cause it to start looking at
smartcard related libraries. So that sounds like there is hope that it
would work after you got the client authentication working, that I
assume would interface with whatever gnutls-pkcs11 provided? Any idea
when that might happen? Also, it seems like it would be useful to leave
the pkcs11 code around that you had recently removed ;)
That's what we need to figure out. Maybe you could do the same thing
with glib-networking 2.58 (e.g. in Fedora 29) and see if the smartcard
libraries are still being used? I think it should still be used, just
via GnuTLS rather than via gnutls-pkcs11. Not sure.
I will have to see about setting up Fedora 29 in a VM to test.
Post by Michael Catanzaro
Post by mailto428496
Let me know if you have any ideas on how to test the glib-networking
without WebKit, I am just not sure what else smartcard auth related
would use it?
I'll ask around and see if someone has ideas.
Post by mailto428496
Also, this might be a long shot, but how hard would it be to get WebKit
to redirect to another browser like firefox that could do the auth, or
is the WebKit API just too specific for that to ever work? For fun I
actually linked WebKitWebProcess to firefox and it does pop up firefox,
but not surprisingly none of the information gets passed.
Hehe, there's no way to make that work, indeed.
We just need to fix https://bugs.webkit.org/show_bug.cgi?id=164509. It
shouldn't be too hard and it's on my TODO. I can't promise when I'll
get to it, though.
Ok, do you have a ballpark on when you might have time to work on this?
Are we talking a few months, or a year or more?

Thanks,


Jim

Michael Catanzaro
2018-12-04 15:40:32 UTC
Post by mailto428496
Let me know if you have any ideas on how to test the glib-networking
without WebKit, I am just not sure what else smartcard auth related
would use it?
I hear it might have worked with a previous version of Evolution's
Exchange support. My guess is this only ever worked in Evolution, but
nowadays doesn't.

Michael