mguessan / davmail

DavMail POP/IMAP/SMTP/Caldav/Carddav/LDAP Exchange and Office 365 Gateway - Synced with main subversion repository at http://davmail.sourceforge.net
GNU General Public License v2.0

PKCS11 not working on linux #319

Open thuck opened 7 months ago

thuck commented 7 months ago

Hi;

I'm trying to use the pkcs11 and I keep getting the error:

davmail.http.DavMailX509KeyManager  - No Private Keys found

I setup the configuration as:

davmail.ssl.pkcs11Library=/usr/lib/libIDPrimePKCS11.so
davmail.ssl.clientKeystoreType=PKCS11
davmail.ssl.clientKeystorePass=XXXX

I tested also with:

keytool -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg pkcs11.config -list

And I can see all the certificates, although in keytool the list is always in lower case and in davmail it is case sensitive.
For example, in the davmail log I can see something like 0=Xxxx, while in the keytool output I see o=xxx.

Am I missing something in the configuration or is it possible that we have a bug on the detection of the certificates on the pkcs11?

thuck commented 7 months ago

I did the same exercise on Windows; on Windows the list of certificates is shown as a pop-up to be selected from.
Maybe this is a problem because I'm using Wayland? But all other windows show up properly: the internal browser, the pop-up for O365Manual. On Windows I'm using the native PKCS11 implementation.

And just to clarify, since I didn't include this in the original post: I'm using the latest release on Linux and Windows.

mguessan commented 6 months ago

Look for the "Find client certificates issued by" message in DavMail logs; client certificates are filtered by the issuers requested by the server.

Relevant code is in DavMailX509KeyManager

thuck commented 6 months ago

Hi @mguessan, thanks for your reply.
I can see the "find client certificates" message; it lists my certs, but afterwards it prints "No Private Keys found".
On Windows, for the same operation, the list is shown as a pop-up; on Linux it doesn't show up.
The certificates should be fine, since I can connect on the proper services using Firefox without any problem.

Any suggestion? Maybe I can force the certificates somehow?

mguessan commented 6 months ago

"No private keys found" means no alias matched the criteria.

You may want to enable ssl logging with: -Djavax.net.debug=ssl

or -Djavax.net.debug=keymanager

thuck commented 6 months ago

Enabled:
javax.net.ssl|DEBUG|26|URL-Loader-15|2023-12-12 10:32:49.233 CST|X509KeyManagerImpl.java:451|KeyMgr: no matching alias found

But as I mentioned, this works when using Firefox: I can select the proper certificate. I did a lot of tests and some code modifications to understand the situation better, and it looks like the PKCS11 is not being used.
The PIN is never asked for, so the keys are never enabled.
I tried to force the code to use my pin, with something like:

+        String password = "XXXXXXXXX";
+        KeyStore.Builder scBuilder = KeyStore.Builder.newInstance("PKCS11", null, getProtectionParameter(password));
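Review bot: the first line hardcodes the PIN as a String literal, which puts a credential into the source tree and keeps it in process memory as an immutable String; the configuration quoted earlier already carries davmail.ssl.clientKeystorePass, so the PIN should be read from that setting into a char[] for the protection parameter instead of being embedded. The second line passes null as the provider to KeyStore.Builder.newInstance, which leaves the choice to whichever registered provider first advertises the PKCS11 type; passing the SunPKCS11 provider configured from davmail.ssl.pkcs11Library explicitly ties the builder to the token named in the properties file and makes a "wrong provider" cause easier to rule out.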

I know that the smartcard is being read when davmail starts, because if I change the library to something incorrect I get an exception, but I guess the Keystore and the TLS part have some interaction that is not working? I'm not sure what could be the problem here, or if I'm missing something.
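As an added diagnostic example (not DavMail's code and not anything posted by the participants above), the following Java program loads a PKCS#11 token through the SunPKCS11 provider the way the davmail.ssl.* properties describe, prints every alias with whether a private key is present, and then applies the same kind of issuer filtering a client-side X509KeyManager performs when the server sends its list of acceptable issuers. It isolates the two places the thread is probing: whether the keystore login (PIN) happens at all, and whether any key entry's chain matches the requested issuers. The class name, the "probe" provider name, the PKCS11_PIN environment variable, the command-line argument convention and the issuer DN are assumptions; the library path is the one from the issue. It requires Java 9 or later for Provider.configure(String).

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import javax.security.auth.x500.X500Principal;

/**
 * Added diagnostic (not DavMail code): load a PKCS#11 token via SunPKCS11,
 * list its aliases, and apply X509KeyManager-style issuer filtering.
 */
public class Pkcs11ClientCertProbe {

    /** Register a SunPKCS11 provider for the given native library (path is an assumption). */
    public static Provider configureProvider(String name, String libraryPath) {
        // A config argument starting with "--" is an inline configuration (Java 9+),
        // the equivalent of the pkcs11.config file passed to keytool via -providerArg.
        String config = "--name=" + name + "\nlibrary=" + libraryPath + "\n";
        Provider provider = Security.getProvider("SunPKCS11").configure(config);
        Security.addProvider(provider);
        return provider;
    }

    /** Log in to the token and return the keystore; a null pin defers the login to the provider. */
    public static KeyStore loadKeyStore(Provider provider, char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", provider);
        ks.load(null, pin); // for PKCS11 the stream is always null and the PIN is the password
        return ks;
    }

    /**
     * Mirrors what a client X509KeyManager does on a CertificateRequest: keep only
     * aliases that hold a private key and whose chain contains a certificate issued
     * by one of the accepted issuers. An empty issuer list accepts every key entry.
     */
    public static List<String> chooseClientAliases(KeyStore ks, Collection<X500Principal> acceptedIssuers)
            throws KeyStoreException {
        List<String> matches = new ArrayList<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate[] chain = ks.getCertificateChain(alias);
            boolean hasKey = ks.isKeyEntry(alias);
            System.out.printf("alias=%s keyEntry=%b chainLength=%d%n",
                    alias, hasKey, chain == null ? 0 : chain.length);
            if (!hasKey || chain == null) {
                continue; // a certificate-only entry can never authenticate the client
            }
            for (Certificate c : chain) {
                if (!(c instanceof X509Certificate)) {
                    continue;
                }
                X509Certificate x509 = (X509Certificate) c;
                X500Principal issuer = x509.getIssuerX500Principal();
                System.out.printf("   subject=%s%n   issuer=%s%n", x509.getSubjectX500Principal(), issuer);
                // X500Principal.equals compares canonical (RFC 2253) forms, so the
                // upper/lower-case difference between keytool output and the davmail
                // log does not by itself prevent an issuer match.
                if (acceptedIssuers.isEmpty() || acceptedIssuers.contains(issuer)) {
                    matches.add(alias);
                    break;
                }
            }
        }
        return matches;
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: library path as in the issue, PIN from the environment, and an
        // optional issuer DN on the command line standing in for the server's list.
        String library = args.length > 0 ? args[0] : "/usr/lib/libIDPrimePKCS11.so";
        String pinEnv = System.getenv("PKCS11_PIN");
        char[] pin = pinEnv == null ? null : pinEnv.toCharArray();

        Provider provider = configureProvider("probe", library);
        KeyStore ks = loadKeyStore(provider, pin);

        List<X500Principal> issuers = args.length > 1
                ? Collections.singletonList(new X500Principal(args[1]))
                : Collections.emptyList();
        List<String> usable = chooseClientAliases(ks, issuers);
        if (usable.isEmpty()) {
            System.out.println("No private keys found for the requested issuers");
        } else {
            System.out.println("Usable client aliases: " + usable);
        }
    }
}
```

Run it first with no issuer argument: if every alias reports keyEntry=false, the token was enumerated but never logged in (no PIN reached the provider), which matches the "PIN is never asked" symptom; if key entries exist, run it again with the issuer DN copied from the "Find client certificates issued by" log line to see whether the issuer filter is what empties the list. Reading the PIN from an environment variable is acceptable for a one-off diagnostic but not for a long-running service, where the configured davmail.ssl.clientKeystorePass or an interactive callback is the right source.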