aeolwyr / tergent

A cryptoki library that uses Android keystore as the backend
GNU General Public License v3.0

Auth fails with "error in libcrypto" #20

Open daguej opened 1 year ago

daguej commented 1 year ago

Setting up a new device (Yoga Tab 11) and am unable to successfully connect to my server.

Key generation seemed to work fine and ssh-keygen reports the key is available:

$ ssh-keygen -D $PREFIX/lib/libtergent.so
ssh-rsa AAAA... josh

...and I added the public key to my server. However, connecting fails with a cryptic error:

$ ssh -v josh@server
...
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: josh RSA SHA256:... token
debug1: Server accepts key: josh RSA SHA256:... token
debug1: pkcs11_check_obj_bool_attrib: provider "/data/data/com.termux/files/usr/lib/libtergent.so" slot 0 object 0: attrib 514 = 0
debug1: identity_sign: sshkey_sign: error in libcrypto
sign_and_send_pubkey: signing failed for RSA "josh": error in libcrypto
debug1: pkcs11_k11_free: parent 0xb400007b97d32690 ptr 0x0 idx 1
debug1: No more authentication methods to try.

Any idea what's happening or how I can get more information about the error in libcrypto?

daguej commented 1 year ago

Additionally:

$ termux-keystore list
[
  {
    "alias": "josh",
    "algorithm": "RSA",
    "size": 2048,
    "inside_secure_hardware": true,
    "user_authentication": {
      "required": false,
      "enforced_by_secure_hardware": false,
      "validity_duration_seconds": 0
    }
  }
]

daguej commented 1 year ago

It appears this only happens with RSA keys.

I deleted the RSA key and generated a new EC key, and that works. Not sure if there's something wrong in the code or if I just passed a bad arg to termux-api Keystore -e command generate. (Is the README incorrect? It's unclear what you're supposed to use for ALGORITHM.)

bretello commented 3 months ago

This started happening after upgrading to Android 14.

Might be related to https://github.com/termux/termux-api/issues/661 since the fingerprint confirmation does not show.

JacobTDC commented 2 months ago

> This started happening after upgrading to Android 14.
>
> Might be related to https://github.com/termux/termux-api/issues/661 since the fingerprint confirmation does not show.

I believe it is, because tergent was how I first noticed the issue, as well (author of referenced issue).

daguej commented 2 months ago

While both issues result in failed ssh connections, I don't think the error in this issue is related to https://github.com/termux/termux-api/issues/661, termux-fingerprint on Android 14.

I'm also now seeing the fingerprint problem on Android 14. However, super hacky workaround: I opened Google Wallet and clicked the "Verify it's you" button, triggering the system fingerprint prompt. I then immediately switched back to Termux and initiated a ssh connection, which worked. This did the trick since it doesn't really matter what app triggers fingerprint auth; the secure enclave only cares that auth has happened recently.