kenh / keychain-pkcs11

A shared library that implements a PKCS#11 interface to the Apple Security framework

Does not call any C_Sign function ... when signing #11

Closed Aekoldh closed 2 years ago

Aekoldh commented 2 years ago

Testing the library, I have seen that it does not enter any PKCS11 signing function. My questions are: what are you signing? Can you make it sign with the PKCS11 function?

Thanks, greetings

kenh commented 2 years ago

Testing the library, I have seen that it does not enter any PKCS11 signing function. My questions are: what are you signing? Can you make it sign with the PKCS11 function?

Thanks, greetings

I .... do not understand your question! Could you elaborate?

It is possible you are misunderstanding the purpose of this library. It does not call any PKCS#11 functions, it PROVIDES them. As in, it implements C_Sign(), it doesn't CALL C_Sign(). It calls Apple Security Framework functions to do the actual signing (in this specific case, it calls SecKeyCreateSignature()).

Aekoldh commented 2 years ago

It's true, I'm sorry, I think I didn't explain myself well. If I load the library in Firefox, during authentication Firefox should call C_SignInit -> C_Sign -> etc.; however, it is not going through these methods. I have verified it in debug.

I know you are using SecKeyCreateSignature to do the signing, but you never go into these C_SignInit -> C_Sign -> C_SignFinal methods. Could it be because of the localauth?

Another question: if I load a .p12 with the private key and all the certificates in the keychain, it works fine. But if I try to load just a public key, Firefox doesn't recognize it. Do you know if it is possible to work on a Mac without having the private key, to be able to do the signing in an external HSM?

Thank you very much, greetings

kenh commented 2 years ago

It's true, I'm sorry, I think I didn't explain myself well. If I load the library in Firefox, during authentication Firefox should call C_SignInit -> C_Sign -> etc.; however, it is not going through these methods. I have verified it in debug.

So I can speak with some authority on how this works with Firefox since I use Firefox every day with keychain-pkcs11 and I used Firefox to test it a lot.

The key thing to understand is that keychain-pkcs11 is designed to work with Smartcards that are supported by the native MacOS X drivers (which right now I believe is only cards which implement the PIV standard). It specifically only selects identities which appear under the TkTokenWatcher API, which are typically backed by actual hardware. It's not a generic PKCS#11 interface for all identities in the Keychain.

Specifically for Firefox, Firefox WILL call the keychain-pkcs11 functions for identities that keychain-pkcs11 knows about. If you want to know what identities keychain-pkcs11 knows about, the easiest way to determine that is to go under Settings -> Privacy & Security -> View Certificates, select "Your Certificates", and see if any certificates appear under the security device that keychain-pkcs11 is named as (which is typically named based on the Common Name of the primary certificate it knows about, but you can figure that out by selecting "Security Devices" and seeing what the label is for that slot).

You can also use the debug logging (see the keychain-pkcs11 man page for how to do that) to see what identities keychain-pkcs11 detects at library initialization.

The simplest test is to run the command security list-smartcards at a Terminal prompt. If you don't get anything, keychain-pkcs11 won't work with it.

I know you are using SecKeyCreateSignature to do the signing, but you never go into these C_SignInit -> C_Sign -> C_SignFinal methods. Could it be because of the localauth?

I ... do not think so? If you don't feed it a PIN via PKCS#11 it should pop up a PIN prompt automatically; the Security framework takes care of all of that. Most of localauth.m isn't used in that case.

Another question: if I load a .p12 with the private key and all the certificates in the keychain, it works fine. But if I try to load just a public key, Firefox doesn't recognize it. Do you know if it is possible to work on a Mac without having the private key, to be able to do the signing in an external HSM?

I think that the answer to that specific question depends on the details of the HSM, the drivers the HSM provides, and the application you're using. For applications that use PKCS#11 (like Firefox), my understanding is the general assumption is that the public key, certificate, and the corresponding private key are all available on the same PKCS#11 slot and you can match them up by the CKA_ID attribute. I've never seen an application (except maybe outside of using openssl on the command line) where you could say, "Okay, private key is HERE, and the certificate and public key is over THERE".

kenh commented 2 years ago

I know you are using SecKeyCreateSignature to do the signing, but you never go into these C_SignInit -> C_Sign -> C_SignFinal methods. Could it be because of the localauth?

Re-reading this, I realized that maybe this isn't clear.

It's not MY responsibility (by 'my', I mean, "keychain-pkcs11") to call C_SignInit. That's the responsibility of the application that is using keychain-pkcs11. If Firefox (for example) never calls keychain-pkcs11's C_SignInit then there's not much I can do about it.

It may be true that keychain-pkcs11 isn't returning the correct information from other PKCS#11 function calls so it doesn't have the right information about available Smartcards, so Firefox doesn't think it should call C_SignInit. Certainly I ran into that plenty of times in the past during keychain-pkcs11's development. But saying "you never go into those functions" is fundamentally misunderstanding how PKCS#11 is supposed to be used.

I think my previous response had enough information in it to help you debug this further; I'd work on the output of security list-smartcards and examine the debug log output (you can look at the man page for keychain-pkcs11 on how to see the debug log). Also, more information on debugging is available here
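Two points in the replies above can be checked without Firefox in the loop: only tokens that the module reports as slots will ever be signed with, and the C_SignInit -> C_Sign sequence is the calling application's job, not the module's. The following is an added example written for this page, not code from keychain-pkcs11 or from either participant: a bare PKCS#11 client in Python using ctypes that lists the tokens a module reports, finds a private key on one of them (optionally by CKA_ID, the attribute mentioned above for pairing a key with its certificate), and then performs C_SignInit and C_Sign itself. It assumes the module exports its C_* functions as symbols (it binds them directly rather than going through C_GetFunctionList), takes the module path and an optional hex CKA_ID from the command line, and uses CKM_RSA_PKCS with a SHA-256 DigestInfo as the mechanism; the constants and struct layouts follow the PKCS#11 v2.40 headers on a 64-bit build. Whether a given token accepts that mechanism or that CKA_ID is an assumption the reader has to check against their own card.

```python
"""Minimal PKCS#11 *client* (the role Firefox plays): list tokens, then C_SignInit -> C_Sign.
Added example for this page; not part of keychain-pkcs11."""
import ctypes
import hashlib
import sys

CK_ULONG = ctypes.c_ulong
SIZEOF_ULONG = ctypes.sizeof(CK_ULONG)
CKR_OK, CKF_SERIAL_SESSION, CKU_USER = 0, 0x4, 1
CKO_PRIVATE_KEY, CKA_CLASS, CKA_ID = 3, 0x0, 0x102
CKM_RSA_PKCS = 0x1  # raw PKCS#1 v1.5: the caller supplies the DigestInfo, the token only pads and signs
# DER prefix of a SHA-256 DigestInfo (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

class CK_ATTRIBUTE(ctypes.Structure):
    _fields_ = [("type", CK_ULONG), ("pValue", ctypes.c_void_p), ("ulValueLen", CK_ULONG)]

class CK_MECHANISM(ctypes.Structure):
    _fields_ = [("mechanism", CK_ULONG), ("pParameter", ctypes.c_void_p), ("ulParameterLen", CK_ULONG)]

class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]

class CK_TOKEN_INFO(ctypes.Structure):  # layout from pkcs11t.h; ten CK_ULONG counters sit between flags and versions
    _fields_ = ([("label", ctypes.c_ubyte * 32), ("manufacturerID", ctypes.c_ubyte * 32),
                 ("model", ctypes.c_ubyte * 16), ("serialNumber", ctypes.c_ubyte * 16), ("flags", CK_ULONG)]
                + [("counter%d" % i, CK_ULONG) for i in range(10)]
                + [("hardwareVersion", CK_VERSION), ("firmwareVersion", CK_VERSION), ("utcTime", ctypes.c_ubyte * 16)])

def decode_padded(raw):
    """PKCS#11 fixed-width text fields are space-padded and not NUL-terminated."""
    return bytes(raw).rstrip(b" \x00").decode("utf-8", "replace")

def ulong_bytes(value):
    """A CK_ULONG attribute value in the native byte order the token expects."""
    return bytes(CK_ULONG(value))

def sha256_digest_info(message):
    """What CKM_RSA_PKCS expects as pData: a DER DigestInfo wrapping the SHA-256 hash."""
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()

def build_template(pairs):
    """[(CKA_x, value_bytes)] -> CK_ATTRIBUTE array; the returned buffers must outlive the C call."""
    bufs = [ctypes.create_string_buffer(v, len(v)) for _, v in pairs]
    arr = (CK_ATTRIBUTE * len(pairs))()
    for i, ((attr_type, value), buf) in enumerate(zip(pairs, bufs)):
        arr[i].type, arr[i].pValue, arr[i].ulValueLen = attr_type, ctypes.addressof(buf), len(value)
    return arr, bufs

def template_value(attr):
    return ctypes.string_at(attr.pValue, attr.ulValueLen)

def check(rv, what):
    if rv != CKR_OK:
        raise RuntimeError("%s failed: CKR 0x%x" % (what, rv))

def load_module(path):
    """Bind the entry points we use. Assumes the module exports the C_* functions as symbols."""
    lib = ctypes.CDLL(path)
    P, U, VP = ctypes.POINTER, CK_ULONG, ctypes.c_void_p
    protos = {"C_Initialize": [VP], "C_Finalize": [VP], "C_CloseSession": [U], "C_FindObjectsFinal": [U],
              "C_GetSlotList": [ctypes.c_ubyte, P(U), P(U)], "C_GetTokenInfo": [U, P(CK_TOKEN_INFO)],
              "C_OpenSession": [U, U, VP, VP, P(U)], "C_Login": [U, U, ctypes.c_char_p, U],
              "C_FindObjectsInit": [U, P(CK_ATTRIBUTE), U], "C_FindObjects": [U, P(U), U, P(U)],
              "C_SignInit": [U, P(CK_MECHANISM), U], "C_Sign": [U, ctypes.c_char_p, U, ctypes.c_char_p, P(U)]}
    for name, args in protos.items():
        fn = getattr(lib, name)
        fn.restype, fn.argtypes = U, args
    return lib

def list_tokens(lib):
    """Slots with a token present: the only 'security devices' an application will ever sign with."""
    count = CK_ULONG(0)
    check(lib.C_GetSlotList(1, None, ctypes.byref(count)), "C_GetSlotList")
    if count.value == 0:
        return []
    slots = (CK_ULONG * count.value)()
    check(lib.C_GetSlotList(1, slots, ctypes.byref(count)), "C_GetSlotList")
    tokens = []
    for slot in slots[:count.value]:
        info = CK_TOKEN_INFO()
        check(lib.C_GetTokenInfo(slot, ctypes.byref(info)), "C_GetTokenInfo")
        tokens.append((slot, decode_padded(info.label)))
    return tokens

def sign(lib, slot, data, key_id=None, pin=None, mechanism=CKM_RSA_PKCS):
    """The application's job: find the private key (by CKA_ID if given), then C_SignInit -> C_Sign."""
    session = CK_ULONG(0)
    check(lib.C_OpenSession(slot, CKF_SERIAL_SESSION, None, None, ctypes.byref(session)), "C_OpenSession")
    try:
        if pin is not None:  # without C_Login the token side is free to prompt for the PIN itself
            check(lib.C_Login(session, CKU_USER, pin, len(pin)), "C_Login")
        pairs = [(CKA_CLASS, ulong_bytes(CKO_PRIVATE_KEY))] + ([(CKA_ID, key_id)] if key_id else [])
        tmpl, keep_alive = build_template(pairs)
        check(lib.C_FindObjectsInit(session, tmpl, len(tmpl)), "C_FindObjectsInit")
        handle, found = CK_ULONG(0), CK_ULONG(0)
        check(lib.C_FindObjects(session, ctypes.byref(handle), 1, ctypes.byref(found)), "C_FindObjects")
        check(lib.C_FindObjectsFinal(session), "C_FindObjectsFinal")
        if found.value == 0:
            raise LookupError("no matching private key on slot %d" % slot)
        mech = CK_MECHANISM(mechanism, None, 0)
        check(lib.C_SignInit(session, ctypes.byref(mech), handle), "C_SignInit")
        siglen = CK_ULONG(0)  # a NULL signature buffer only asks for the required size
        check(lib.C_Sign(session, data, len(data), None, ctypes.byref(siglen)), "C_Sign (size query)")
        sig = ctypes.create_string_buffer(siglen.value)
        check(lib.C_Sign(session, data, len(data), sig, ctypes.byref(siglen)), "C_Sign")
        return sig.raw[:siglen.value]
    finally:
        lib.C_CloseSession(session)

if __name__ == "__main__":  # usage: python pkcs11_sign.py /path/to/keychain-pkcs11.dylib [hex CKA_ID]
    lib = load_module(sys.argv[1])
    check(lib.C_Initialize(None), "C_Initialize")
    try:
        tokens = list_tokens(lib)
        print("tokens:", tokens or "none (compare with `security list-smartcards`)")
        if tokens:
            key_id = bytes.fromhex(sys.argv[2]) if len(sys.argv) > 2 else None
            sig = sign(lib, tokens[0][0], sha256_digest_info(b"hello"), key_id=key_id)
            print("%d-byte signature returned by C_Sign" % len(sig))
    finally:
        lib.C_Finalize(None)
```

If list_tokens() comes back empty, the investigation stops there: the module reported no token, which is the same situation as an empty security list-smartcards, and no application will ever reach C_SignInit against it. If a token is listed but C_FindObjects returns nothing for the CKA_ID you pass, the mismatch is in object attributes rather than in signing, which is the kind of "not returning the correct information from other PKCS#11 function calls" case described above.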

kenh commented 2 years ago

I'm assuming at this point this is a non-issue. Please open another issue if you have more questions