PeculiarVentures / fortify

Fortify enables web applications to use smart cards, local certificate stores and do certificate enrollment. This is the desktop application repository.
https://fortifyapp.com

Fortify 2.0.0 not able to detect client certificate if Yubikey is unplugged and plugged again #582

Open pmhatre-swi opened 2 weeks ago

pmhatre-swi commented 2 weeks ago

Fortify 2.0.0 is not able to detect the client certificate if the Yubikey is unplugged and plugged in again. Fortify 2.0.0 was installed from the link below: https://github.com/PeculiarVentures/fortify-releases/releases/tag/v2.0.0

This issue is observed during the Operation Approval process.

Setup configuration:

  Environment: https://eu.airvantage.net/authorize

HC operation signer laptop configuration:

  OS version: Windows 11
  Browser: Mozilla Firefox
  Fortify version: 2.0.0
  Yubikey version: Yubikey 5 NFC (FW version: 5.7.1)

Steps to reproduce the issue:

  1. Trigger multiple operations on the device.
  2. The operation goes for approval.
  3. Connect the Yubikey to the Operation signer laptop.
  4. Approve single operation.
  5. Verify operation is successful.
  6. Unplug the Yubikey from laptop.
  7. Connect the Yubikey again to the laptop.
  8. Approve any operation.
  9. Fortify prompt on approval page does not detect any certificate loaded on Yubikey.

Observations:

  1. This issue is not seen with Fortify version 1.8.4.
  2. This issue is seen with Yubikey 5.4.3 as well as Yubikey 5.7.1.

Workaround: The user needs to close and re-open the Fortify app running on the laptop.

Fortify logs are attached: Fortify Logs.txt

microshine commented 2 weeks ago

Thank you very much for the information provided. I have reviewed the logs provided and noted the following data:

{"message":"New token was added to the reader","source":"pcsc","reader":"Yubico YubiKey OTP+FIDO+CCID 0","atr":"3bfd1300008131fe158073c021c057597562694b657940"}
{"message":"Token was added to the reader","source":"provider","reader":"Yubico YubiKey OTP+FIDO+CCID 0","name":"Yubico Yubikey 4 OTP+U2F+CCID","atr":"3bfd1300008131fe158073c021c057597562694b657940"}
{"message":"Loading PKCS#11 library","source":"provider","library":"C:\\Program Files\\Yubico\\Yubico PIV Tool\\bin\\libykcs11.dll"}
{"message":"Looking for slot","source":"provider","slots":1}
{"message":"Use ConfigTemplateBuilder","source":"provider"}
{"message":"PKCS#11 library information","source":"provider","library":"C:\\Program Files\\Yubico\\Yubico PIV Tool\\bin\\libykcs11.dll","manufacturerId":"Yubico (www.yubico.com)","cryptokiVersion":{"major":2,"minor":40},"libraryVersion":{"major":2,"minor":52},"firmwareVersion":{"major":1,"minor":0}}
{"message":"Crypto provider was added to the list","source":"provider","library":"C:\\Program Files\\Yubico\\Yubico PIV Tool\\bin\\libykcs11.dll","name":"Yubico Yubikey 4 OTP+U2F+CCID","reader":"Yubico YubiKey OTP+FIDO+CCID 0"}
{"message":"Amount of tokens was changed","source":"provider-service","added":1,"removed":0}
{"message":"Token was removed from the reader","source":"pcsc","reader":"Yubico YubiKey OTP+FIDO+CCID 0","atr":"3bfd1300008131fe158073c021c057597562694b657940"}
{"message":"Token was removed from the reader","source":"provider","reader":"Yubico YubiKey OTP+FIDO+CCID 0","name":"Yubico Yubikey 4 OTP+U2F+CCID","atr":"3bfd1300008131fe158073c021c057597562694b657940"}
{"message":"Token was removed from the reader","source":"pcsc","reader":"Yubico YubiKey OTP+FIDO+CCID 0","atr":"3bfd1300008131fe158073c021c057597562694b657940"}
{"message":"Server event error","source":"server","error":"SCardListReaders error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)","stack":"Error: SCardListReaders error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)"}
{"message":"Server event error","source":"server","error":"SCardListReaders error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)","stack":"Error: SCardListReaders error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)"}
{"message":"Server event error","source":"server","error":"SCardListReaders error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)","stack":"Error: SCardListReaders error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)"}
{"message":"Server event error","source":"server","error":"Cannot find removed slot in PKCS#11 library C:\\WINDOWS\\System32\\libykcs11-1.dll. Win32 error 126","stack":"WebCryptoLocalError: Cannot find removed slot in PKCS#11 library C:\\WINDOWS\\System32\\libykcs11-1.dll. Win32 error 126\n    at new WebCryptoLocalError (C:\\snapshot\\fortify-app\\node_modules\\@webcrypto-local\\server\\build\\index.js:402:23)\n    at LocalProvider.onTokenRemove (C:\\snapshot\\fortify-app\\node_modules\\@webcrypto-local\\server\\build\\index.js:3083:40)"}
{"message":"uncaughtException","source":"server"}
{"message":"uncaughtException","source":"server"}
{"message":"Crypto provider was removed from the list","source":"provider"}
{"message":"Finalize crypto provider","source":"provider"}
{"message":"Amount of tokens was changed","source":"provider-service","added":0,"removed":1}

I was surprised to see that the application uses libykcs11.dll from Program Files when connecting, but uses a library from System32 when disconnecting. This could be a problem with incorrect application behavior.

Also, I noticed that it would be beneficial to expand the logs and add information about provider identifiers, so we can monitor which provider was added or removed from the application.

I will try to reproduce the problem locally and will let you know when I have more information.

microshine commented 2 weeks ago

I have reproduced the problem locally. I am identifying the cause and making corrections.

pmhatre-swi commented 1 week ago

I tried the Fortify 2.0.2 test version provided by Ryan Hurst to verify the issue fix. [Test version Fortify app: https://drive.google.com/file/d/1IjTllOs769yhqcrxSS_RUCfM8iSgLRhE/view?usp=sharing]

I observed that the Fortify Client is not detected while approving the operation.

Attached Fortify Logs: Fortify Logs.txt

microshine commented 1 week ago

Thank you for testing the update and providing the report. I have tried installing the version provided via the link and replicated the Yubico token connection. It worked without any issues on my end. However, there are a few things in the logs you've provided that caught my attention:

  1. No Record of the Site Connecting to the Fortify Server
    There should be log entries indicating the connection between the site and the Fortify server. If you search for the word "origin," you should see entries like:

    {"message":"Create a new connection","source":"server","origin":"https://tools.fortifyapp.com"}
    {"message":"Push session to stack","source":"server","origin":"https://tools.fortifyapp.com"}

    This might indicate an issue with the server not starting correctly or a problem with the SSL certificate installation.

    To manually verify that the server is running and the certificate is installed correctly, you can visit the local link: https://127.0.0.1:31337/.well-known/webcrypto-socket

  2. Fortify Application Detects Yubico Token Connection and Disconnection
    According to the logs, the Fortify application is detecting the connection and disconnection of the Yubico token. The logs contain entries like:

    {"message":"PKCS#11 library information","source":"provider","library":"C:\\Program Files\\Yubico\\Yubico PIV Tool\\bin\\libykcs11.dll","manufacturerId":"Yubico (www.yubico.com)","cryptokiVersion":{"major":2,"minor":40},"libraryVersion":{"major":2,"minor":52},"firmwareVersion":{"major":1,"minor":0}}
    {"message":"Crypto provider was added to the list","source":"provider","library":"C:\\Program Files\\Yubico\\Yubico PIV Tool\\bin\\libykcs11.dll","name":"Yubico Yubikey 4 OTP+U2F+CCID","reader":"Yubico YubiKey OTP+FIDO+CCID 0"}
    {"message":"Amount of tokens was changed","source":"provider-service","added":1,"removed":0}
    
    {"message":"Token was removed from the reader","source":"pcsc","reader":"Yubico YubiKey OTP+FIDO+CCID 0","atr":"3bfd1300008131fe158073c021c057597562694b657940"}
    {"message":"Token was removed from the reader","source":"provider","reader":"Yubico Yubikey 4 OTP+U2F+CCID 0","name":"Yubico Yubikey 4 OTP+U2F+CCID","atr":"3bfd1300008131fe158073c021c057597562694b657940"}
    {"message":"Crypto provider was removed from the list","source":"provider"}
    {"message":"Finalize crypto provider","source":"provider"}
    {"message":"Amount of tokens was changed","source":"provider-service","added":0,"removed":1}

Please check that the Fortify application is running properly and that the Fortify server is operational. I verified the connection/disconnection through https://tools.fortifyapp.com/. This site dynamically displays the list of connected devices.
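As an added example (not code from the Fortify project), the two log checks made in this thread, the removal error naming a PKCS#11 library other than the one loaded on insertion, and the absence of any "origin" entry showing a site connecting to the Fortify server, can be automated over a Fortify JSON-lines log. The sample log is constructed from the lines quoted above; the function names are this example's own.

```javascript
// Constructed sample, trimmed from the log lines quoted in the issue (not a real capture).
const SAMPLE_LOG = String.raw`
{"message":"New token was added to the reader","source":"pcsc","reader":"Yubico YubiKey OTP+FIDO+CCID 0","atr":"3bfd1300008131fe158073c021c057597562694b657940"}
{"message":"Loading PKCS#11 library","source":"provider","library":"C:\\Program Files\\Yubico\\Yubico PIV Tool\\bin\\libykcs11.dll"}
{"message":"Token was removed from the reader","source":"pcsc","reader":"Yubico YubiKey OTP+FIDO+CCID 0","atr":"3bfd1300008131fe158073c021c057597562694b657940"}
{"message":"Server event error","source":"server","error":"SCardListReaders error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)"}
{"message":"Server event error","source":"server","error":"Cannot find removed slot in PKCS#11 library C:\\WINDOWS\\System32\\libykcs11-1.dll. Win32 error 126"}
{"message":"uncaughtException","source":"server"}
`;

// Parse one JSON object per non-empty line; malformed lines are skipped, not fatal.
function parseLog(text) {
  const entries = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    try { entries.push(JSON.parse(line)); } catch { /* truncated line, ignore */ }
  }
  return entries;
}

// Matches the removal error quoted above and captures the library path it names.
const REMOVED_SLOT_RE = /in PKCS#11 library (.+?)\. Win32 error (\d+)/;

// Report removal errors naming a library path the provider never logged as loaded.
function findLibraryMismatches(entries) {
  const loaded = new Set();
  const findings = [];
  for (const e of entries) {
    if (e.message === "Loading PKCS#11 library" && e.library) loaded.add(e.library);
    if (e.source !== "server" || typeof e.error !== "string") continue;
    const m = REMOVED_SLOT_RE.exec(e.error);
    if (m && !loaded.has(m[1])) {
      findings.push({ library: m[1], win32Error: Number(m[2]), loaded: [...loaded] });
    }
  }
  return findings;
}

// True when a server entry records a site origin connecting (e.g. "Create a new connection").
function hasSiteConnection(entries) {
  return entries.some((e) => e.source === "server" && typeof e.origin === "string");
}

// Count the secondary symptoms visible in the issue's log.
function countSymptoms(entries) {
  const uncaught = entries.filter((e) => e.message === "uncaughtException").length;
  const scardDown = entries.filter((e) => /Resource Manager is not running/.test(e.error || "")).length;
  return { uncaught, scardDown };
}
```

Run it against a full log export: an empty mismatch list plus `hasSiteConnection` true means the library paths are consistent and the site did reach the server.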


pmhatre-swi commented 1 week ago

Hi,

Thank you for providing the insights. I checked the link https://127.0.0.1:31337/.well-known/webcrypto-socket and the server is running fine. I am able to approve the operations after unplugging and plugging the Yubikey into the host laptop.

The issue is not seen with Fortify test version 2.0.2 (https://drive.google.com/file/d/1IjTllOs769yhqcrxSS_RUCfM8iSgLRhE/view?usp=sharing).

Please merge these changes into the official Fortify release so that we can test with the official Fortify release.