LacunaSoftware / docs

Lacuna Software Docs

Failure to list certificate on smartcard G&D Sm@rtCafe Expert 3.2 #6

Closed frgomes closed 3 years ago

frgomes commented 3 years ago

Scenario

The failure occurs when visiting the page https://assinatura.e-notariado.org.br, making it impossible to proceed with navigation. The failure only happens on Debian11; everything works as expected on Windows10.

Environment on Windows10

Smartcard reader: Feitian R502 Dual - https://www.ftsafe.com/Products/Card_Reader/Dual_Interface/Specification
Smartcard reader firmware version: FT_SCR502B_Update_20190929_V3.51.bin
Smartcard: G&D Sm@rtCafe Expert 3.2 StdR (80kb)
Middleware: SafeSign Standard Windows **3.5.0.0-AET.000**
Lacuna Web PKI version: 2.15.1 (native **2.10.3**)
Lacuna Web PKI Trusted Sites: e-notariado.grantid.e-notariado.org.br
Lacuna Web PKI Crypto Devices: all devices disabled
Firefox 91.0.2

Environment on Debian11

Smartcard reader: Feitian R502 Dual - https://www.ftsafe.com/Products/Card_Reader/Dual_Interface/Specification
Smartcard reader firmware version: FT_SCR502B_Update_20190929_V3.51.bin
Smartcard: G&D Sm@rtCafe Expert 3.2 StdR (80kb)
Middleware: SafeSign Standard Windows **3.6.0.0-AET.000**
Lacuna Web API version: 2.15.1 (native **2.11.5**)
Lacuna Web PKI Trusted Sites: e-notariado.grantid.e-notariado.org.br
Lacuna Web PKI Crypto Devices: all devices disabled
Firefox 91.0.2

Solution (or: how to circumvent)

Lacuna Web PKI Crypto Devices must necessarily be enabled when running on Debian11, namely:

brunocapu commented 3 years ago

Dear @frgomes Thank you for your analysis.

But this is actually the intended behavior. Web PKI has a default integration with certificates and devices from the OS default crypto repositories (e.g. Windows CertMgr, macOS Keychain Access). PKCS#11 is an optional feature for devices which do not implement the OS default integration, or for operating systems which do not have such a thing.

When the PKCS#11 feature is enabled, Web PKI will call external, unknown third-party libraries, with no guarantee that they are up to date or compatible with the current system, which may result in unexpected behavior or crashes.

So, enabling PKCS#11 integration is an explicit user intention and is only recommended if you have the device manufacturer's support.

It is also highly recommended to enable only the PKCS#11 library for your current device. For instance, if you are using a G&D Sm@rtCafe smartcard, enable only the SafeSign AET devices feature, which is the corresponding manufacturer, or type in any other custom library (.so, .dll or .dylib) provided by the manufacturer.

Therefore, the PKCS#11 feature not being enabled by default is not considered a failure.

We appreciate the report, but this repository might not be the proper place for Web PKI questions. We would kindly request that you use our user support channel (support@lacunasoftware.com) for other Web PKI operating questions or reports. Thank you.
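The comment above makes the security point that enabling PKCS#11 loads a third-party native library into the signing process, so the path you type into the custom-library field should be vetted first. The following script is an added example written for this thread; it is not code from Lacuna Web PKI, SafeSign/AET or the issue author. It assumes a Debian host, OpenSC's `pkcs11-tool` and binutils' `nm` for the optional steps, and a default SafeSign library path of `/usr/lib/libaetpkss.so` (an assumption; override it with `PKCS11_MODULE` or the first argument). It refuses libraries that non-owners can overwrite, checks for the mandatory `C_GetFunctionList` export, reports which package installed the file, and then lists the certificates the module actually sees on the card, which is the same step Web PKI performs once the device is enabled.

```shell
#!/bin/sh
# Pre-flight checks for a PKCS#11 module before pointing Lacuna Web PKI at it.
# Added example for this issue thread; not part of Web PKI or SafeSign.
# Assumed default location of the SafeSign library on Debian (adjust to taste).
DEFAULT_MODULE="${PKCS11_MODULE:-/usr/lib/libaetpkss.so}"

# Exit 0 if the file is writable by group or others. A loadable library that
# any local user can overwrite is a code-injection path into the signing
# process, so such a module must never be enabled. Exit 2 if the file is absent.
module_is_group_or_world_writable() {
    [ -f "$1" ] || return 2
    [ -n "$(find "$1" -maxdepth 0 -perm /022 2>/dev/null)" ]
}

# Exit 0 if the library exports C_GetFunctionList, the one entry point every
# PKCS#11 module must provide. Exit 2 when nm (binutils) is not installed.
module_exports_pkcs11_entry() {
    command -v nm >/dev/null 2>&1 || return 2
    nm -D "$1" 2>/dev/null | grep -q 'T C_GetFunctionList'
}

# Print the Debian package that owns the file (empty if no package does:
# a loose file that no package manager vouches for deserves a second look).
module_owner_package() {
    command -v dpkg >/dev/null 2>&1 || return 2
    dpkg -S "$1" 2>/dev/null | cut -d: -f1
}

# List the certificate objects the module exposes on the inserted card,
# using OpenSC's pkcs11-tool (package "opensc" on Debian).
list_card_certificates() {
    if ! command -v pkcs11-tool >/dev/null 2>&1; then
        echo "pkcs11-tool not found; install the opensc package" >&2
        return 2
    fi
    pkcs11-tool --module "$1" --list-objects --type cert
}

# Run all checks in order; stop at the first one that makes the module unsafe.
preflight() {
    mod="${1:-$DEFAULT_MODULE}"
    if [ ! -f "$mod" ]; then
        echo "no such module: $mod" >&2
        return 1
    fi
    if module_is_group_or_world_writable "$mod"; then
        echo "REFUSING: $mod is writable by non-owners" >&2
        return 1
    fi
    module_exports_pkcs11_entry "$mod"
    case $? in
        0) echo "ok: $mod exports C_GetFunctionList" ;;
        1) echo "REFUSING: $mod does not export C_GetFunctionList" >&2; return 1 ;;
        *) echo "warning: nm unavailable, export check skipped" >&2 ;;
    esac
    pkg=$(module_owner_package "$mod")
    echo "owning package: ${pkg:-<none>}"
    list_card_certificates "$mod"
}

# Only run when invoked with a module path (keeps the file sourceable).
[ $# -eq 0 ] || preflight "$@"
```

Usage: `sh check_pkcs11_module.sh /usr/lib/libaetpkss.so` with the card inserted. If `pkcs11-tool` lists the certificate but Web PKI does not, the problem is in the Web PKI configuration (the device toggle or the library path) rather than in the middleware; if `pkcs11-tool` lists nothing, enabling the device in Web PKI will not help either.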

frgomes commented 3 years ago

> We appreciate the report, but ...

The intent of this ticket is to make the information and resolution available online, so that users can find help quickly by themselves over the weekend or at 2am in the morning. Next time someone googles for Debian Lacuna WEB PKI Sm@artCafe ... well... they will find this ticket here. Thanks