Closed kurtuluso closed 3 years ago
Seems we need add eToken exceptions to sandbox https://github.com/open-eid/DigiDoc4-Client/blob/master/qdigidoc4.eToken.entitlements#L26-L35
It has different problems in different OSX versions, and it works (both OSX 10.13 and 10.15) with the 1.1.0 release. However, if I build the 1.1.0 release on my OSX 10.15 it is not working :( And those may be common problems for different drivers.
Can you test if you add the eToken exception to the plist?
<key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
<array>
<string>/private/etc/eToken.conf</string>
<string>/private/etc/eToken.common.conf</string>
</array>
<key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
<array>
<string>/private/tmp/eToken.lock/</string>
<string>/private/var/tmp/eToken.cache/</string>
</array>
What is the eToken software version?
I put the snippet into both Info.plist and chrome-token-signing.entitlements but unfortunately same result.
eToken version: 10.2 (Latest)
I see a crash in the console:
Can you get crash report? Is there any sandbox violation logs?
Seems like the eToken.dylib wants to use the openssl libcrypto.dylib. This workaround works for me.
mkdir -p /usr/local/lib
ln -s /usr/lib/libcrypto.0.9.8.dylib /usr/local/lib/libcrypto.dylib
Unfortunately :( There is no crash report and creating the link did not work. There should be something to get a clue.
I captured the command called by Chrome and ran it myself:
/Library/Google/Chrome/NativeMessagingHosts/chrome-token-signing.app/Contents/MacOS/chrome-token-signing chrome-extension://ckjefchnfjhjfedoccjbhjpbncimppeg/
2020-11-07 09:46:20.154 chrome-token-signing[50843:1641328] *** Terminating app due to uncaught exception 'NSRangeException', reason: '*** -[NSConcreteData getBytes:range:]: range {0, 4} exceeds data length 1'
*** First throw call stack:
(
0 CoreFoundation 0x00007fff33040b57 __exceptionPreprocess + 250
1 libobjc.A.dylib 0x00007fff6be8c5bf objc_exception_throw + 48
2 Foundation 0x00007fff356a8339 -[NSConcreteData getBytes:range:] + 535
3 chrome-token-signing 0x00000001081bac2b chrome-token-signing + 68651
4 Foundation 0x00007fff35633784 -[__NSObserver _doit:] + 296
5 CoreFoundation 0x00007fff32fba80f __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ + 12
6 CoreFoundation 0x00007fff32fba7a3 ___CFXRegistrationPost1_block_invoke + 63
7 CoreFoundation 0x00007fff32fba718 _CFXRegistrationPost1 + 372
8 CoreFoundation 0x00007fff32fba384 ___CFXNotificationPost_block_invoke + 80
9 CoreFoundation 0x00007fff32f8a4fd -[_CFXNotificationRegistrar find:object:observer:enumerator:] + 1554
10 CoreFoundation 0x00007fff32f899a9 _CFXNotificationPost + 1351
11 Foundation 0x00007fff35607786 -[NSNotificationCenter postNotificationName:object:userInfo:] + 59
12 Foundation 0x00007fff3573e38e _performFileHandleSource + 1113
13 CoreFoundation 0x00007fff32fc4d52 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
14 CoreFoundation 0x00007fff32fc4cf1 __CFRunLoopDoSource0 + 103
15 CoreFoundation 0x00007fff32fc4b0b __CFRunLoopDoSources0 + 209
16 CoreFoundation 0x00007fff32fc383a __CFRunLoopRun + 927
17 CoreFoundation 0x00007fff32fc2e3e CFRunLoopRunSpecific + 462
18 Foundation 0x00007fff3565e1c8 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 212
19 Foundation 0x00007fff35710c6f -[NSRunLoop(NSRunLoop) run] + 76
20 chrome-token-signing 0x00000001081ba7f4 chrome-token-signing + 67572
21 libdyld.dylib 0x00007fff6d034cc9 start + 1
22 ??? 0x0000000000000002 0x0 + 2
)
libc++abi.dylib: terminating with uncaught exception of type NSException
zsh: abort chrome-extension://ckjefchnfjhjfedoccjbhjpbncimppeg/
This may not be the intended usage and this result may be normal. I could not reproduce the error above again.
Can you test the pull request and make the openssl symlink?
Unfortunately, same.
It crashed at PKCS11CardManager.h:
library = dlopen(module.c_str(), RTLD_LOCAL | RTLD_NOW);
Can you trace the opened files?
sudo fs_usage chrome-token-signing-pid_nr |grep crypto
sudo fs_usage chrome-token-signing-pid_nr |grep crypto
11:27:05 stat64 /usr/lib/system/libcorecrypto.dylib 0.000005 chrome-token
11:27:06 stat64 /Library/Frameworks/eToken.framework/Versions/A/libcrypto.dylib 0.000004 chrome-token
11:27:06 stat64 /Library/Frameworks/eToken.framework/Versions/A/libcrypto.dylib 0.000003 chrome-token
11:27:06 stat64 libcrypto.dylib 0.000002 chrome-token
11:27:06 stat64 libcrypto.dylib 0.000001 chrome-token
11:27:06 stat64 /usr/lib/libcrypto.dylib 0.000834 chrome-token
11:27:06 stat64 libcrypto.dylib 0.000003 chrome-token
11:27:06 stat64 /usr/lib/libcrypto.35.dylib 0.000013 chrome-token
kurtulus@kurmac vagrant % stat /usr/lib/system/libcorecrypto.dylib
16777224 1152921500312586706 -rwxr-xr-x 1 root wheel 0 1292144 "Sep 22 02:28:40 2020" "Sep 22 02:28:40 2020" "Oct 28 12:02:13 2020" "Sep 22 02:28:40 2020" 4096 1232 0x80020 /usr/lib/system/libcorecrypto.dylib
kurtulus@kurmac vagrant % stat /Library/Frameworks/eToken.framework/Versions/A/libcrypto.dylib
stat: /Library/Frameworks/eToken.framework/Versions/A/libcrypto.dylib: stat: No such file or directory
kurtulus@kurmac vagrant % stat /usr/lib/libcrypto.dylib
16777224 1152921500312586762 -rwxr-xr-x 1 root wheel 0 32944 "Sep 22 02:29:52 2020" "Sep 22 02:29:52 2020" "Oct 28 12:02:13 2020" "Sep 22 02:29:52 2020" 4096 16 0x80020 /usr/lib/libcrypto.dylib
kurtulus@kurmac vagrant % stat /usr/lib/libcrypto.35.dylib
16777224 1152921500312586660 -rwxr-xr-x 1 root wheel 0 1483824 "Sep 22 02:29:09 2020" "Sep 22 02:29:09 2020" "Oct 28 12:02:13 2020" "Sep 22 02:29:09 2020" 4096 1408 0x80020 /usr/lib/libcrypto.35.dylib
I created the /Library/Frameworks/eToken.framework/Versions/A/libcrypto.dylib -> /usr/lib/libcrypto.dylib link. Now I do not see /Library/Frameworks/eToken.framework/Versions/A/libcrypto.dylib in fs_usage, but nothing improved on library loading.
Try to create the link libcrypto.0.9.8.dylib -> libcrypto.dylib.
This should be the openssl library. The other is boringssl.
👍👍👍
ln -s /usr/lib/libcrypto.0.9.8.dylib /Library/Frameworks/eToken.framework/Versions/A/libcrypto.dylib
did the magic!
We should do something in the post-install process to create the link.
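A post-install step along the lines suggested above, written here as an added example rather than anything from the chrome-token-signing installer. It assumes the same paths the thread uses (the eToken framework directory and Apple's libcrypto.0.9.8.dylib) and takes them as parameters so it can be tried on a scratch directory first; it refuses to overwrite a regular file and replaces a link that points somewhere else, such as the BoringSSL libcrypto.dylib.

```shell
#!/bin/sh
# Added example (not the project's installer): make the eToken framework's
# expected libcrypto.dylib resolve to Apple's OpenSSL build, as the workaround
# in this thread does. Paths below are assumptions taken from the thread.
ETOKEN_FW_DIR=/Library/Frameworks/eToken.framework/Versions/A
OPENSSL_LIB=/usr/lib/libcrypto.0.9.8.dylib

# ensure_libcrypto_link <target> <link path>
# prints one of: created | replaced | kept | missing-target | conflict
ensure_libcrypto_link() {
    target=$1
    link=$2
    if [ ! -e "$target" ]; then
        echo missing-target
        return 1
    fi
    if [ -L "$link" ]; then
        # existing symlink: keep it only if it already points at the target
        if [ "$(readlink "$link")" = "$target" ]; then
            echo kept
            return 0
        fi
        # dangling, or pointing elsewhere (e.g. at BoringSSL): replace it
        rm -f "$link" && ln -s "$target" "$link" && echo replaced
        return
    fi
    if [ -e "$link" ]; then
        # a regular file shipped by the vendor; never overwrite it silently
        echo conflict
        return 2
    fi
    mkdir -p "$(dirname "$link")" && ln -s "$target" "$link" && echo created
}

# Stand-alone use on a real machine (needs root): sh thisfile.sh --install
if [ "${1:-}" = "--install" ]; then
    ensure_libcrypto_link "$OPENSSL_LIB" "$ETOKEN_FW_DIR/libcrypto.dylib"
fi
```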
Now, I can not enter the password for signing. It is waiting for a PIN longer than 8 characters. I changed the setting from SafeNet Tool (this works in Windows) but nothing happens. Somehow it always takes minPinLen=8 from the PKCS11 lib.
Does it work under linux? Seems like the macOS eToken driver is old and unmaintained.
I do not have a Linux signing client now. I have to check it.
@metsma Can you please add AKIS permission to mac osx?
<key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
<array>
<string>/private/etc/eToken.conf</string>
<string>/private/etc/eToken.common.conf</string>
<string>/usr/local/lib/libakisp11.dylib</string>
</array>
@kurtuluso Sorry, I only found your comment now. My PR got merged. Can you create a new pull request for the AKIS driver?
sure
I have important problems with Mac OSX installations. OSX 10.13.6 (High Sierra), Token: eToken
-release 1.1.1 (https://github.com/open-eid/chrome-token-signing/releases/download/v1.1.1/token-signing-chrome_1.1.1.513.pkg) again gives a certificate error
in ~/tmp/chrome-signing.log:
2020-11-01 09:54:57 [91237] main() [chrome-host.mm:54] Starting native host 1.1.0.511
2020-11-01 09:54:57 [91237] main_block_invoke() [chrome-host.mm:80] Message size: 110
2020-11-01 09:54:57 [91237] main_block_invoke() [chrome-host.mm:95] Message (110): {"type":"VERSION","nonce":"003fb5zpcpfgexxj","src":"page.js","origin":"https://hwcrypto.github.io","tab":1065}
2020-11-01 09:54:57 [91237] write() [chrome-host.mm:38] Response(72) {"result":"ok","nonce":"003fb5zpcpfgexxj","ver":1,"version":"1.1.0.511"}
2020-11-01 09:54:57 [91237] main_block_invoke() [chrome-host.mm:80] Message size: 119
2020-11-01 09:54:57 [91237] main_block_invoke() [chrome-host.mm:95] Message (119): {"type":"CERT","lang":"en","nonce":"9lxaw8l8crmeywjg","src":"page.js","origin":"https://hwcrypto.github.io","tab":1065}
2020-11-01 09:54:57 [91237] atrList() [PKCS11Path.cpp:69] found reader: SafeNet eToken 5100
2020-11-01 09:54:57 [91237] atrList() [PKCS11Path.cpp:82] Set ATR = 3BD518008131FE7D8073C82110F4 for reader SafeNet eToken 5100
2020-11-01 09:54:57 [91237] C_GetFunctionList() [PKCS11CardManager.h:127] return value 0
2020-11-01 09:54:57 [91237] PKCS11CardManager() [PKCS11CardManager.h:128] initializing module /Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib
2020-11-01 09:54:57 [91237] C_Initialize() [PKCS11CardManager.h:129] return value 0
2020-11-01 09:54:57 [91237] C_GetSlotList() [PKCS11CardManager.h:156] return value 0
2020-11-01 09:54:57 [91237] tokens() [PKCS11CardManager.h:157] slotCount = 1
2020-11-01 09:54:57 [91237] C_GetSlotList() [PKCS11CardManager.h:159] return value 0
2020-11-01 09:54:57 [91237] C_GetTokenInfo() [PKCS11CardManager.h:166] return value 0
2020-11-01 09:54:57 [91237] C_OpenSession() [PKCS11CardManager.h:172] return value 0
2020-11-01 09:54:57 [91237] C_FindObjectsInit() [PKCS11CardManager.h:90] return value 0
2020-11-01 09:54:57 [91237] C_FindObjects() [PKCS11CardManager.h:93] return value 0
2020-11-01 09:54:57 [91237] C_FindObjectsFinal() [PKCS11CardManager.h:94] return value 0
2020-11-01 09:54:57 [91237] C_GetAttributeValue() [PKCS11CardManager.h:73] return value 0
2020-11-01 09:54:57 [91237] C_GetAttributeValue() [PKCS11CardManager.h:76] return value 0
2020-11-01 09:54:57 [91237] C_GetAttributeValue() [PKCS11CardManager.h:73] return value 0
2020-11-01 09:54:57 [91237] C_GetAttributeValue() [PKCS11CardManager.h:76] return value 0
2020-11-01 09:54:57 [91237] C_CloseSession() [PKCS11CardManager.h:190] return value 0
2020-11-01 09:54:57 [91237] C_Finalize() [PKCS11CardManager.h:135] return value 0
2020-11-01 09:54:57 [91237] -[CertificateSelection init:]() [CertificateSelection.mm:90] token has valid signing certificate, adding it to selection
in ~/Library/Containers/ee.ria.chrome-token-signing/Data/tmp/chrome-signing.log:
2020-11-01 09:39:47 [27411] main_block_invoke() [chrome-host.mm:80] Message size: 132
2020-11-01 09:39:47 [27411] main_block_invoke() [chrome-host.mm:95] Message (132): {"type":"CERT","lang":"tr","filter":"SIGN","nonce":"cbldcituukxff3nk","src":"page.js","origin":"https://app.imzayeri.com","tab":819}
2020-11-01 09:39:47 [27411] atrList() [PKCS11Path.cpp:69] found reader: SafeNet eToken 5100
2020-11-01 09:39:47 [27411] atrList() [PKCS11Path.cpp:82] Set ATR = 3BD518008131FE7D8073C82110F4 for reader SafeNet eToken 5100
2020-11-01 09:39:47 [27411] PKCS11CardManager() [PKCS11CardManager.h:124] Function List not loaded /Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib: dlopen(/Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib, 6): no suitable image found. Did find:
    /Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib: code signature in (/Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib) not valid for use in process using Library Validation: mapping process and mapped file (non-platform) have different Team IDs
    /Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib: stat() failed with errno=1
in ~/Library/Containers/ee.ria.chrome-token-signing/Data/tmp/chrome-signing.log:
2020-11-01 09:03:51 [22357] main_block_invoke() [chrome-host.mm:80] Message size: 109
2020-11-01 09:03:51 [22357] main_block_invoke() [chrome-host.mm:95] Message (109): {"type":"VERSION","nonce":"zxzpikvmuu110cwi","src":"page.js","origin":"https://hwcrypto.github.io","tab":923}
2020-11-01 09:03:51 [22357] write() [chrome-host.mm:38] Response(70) {"result":"ok","nonce":"zxzpikvmuu110cwi","ver":1,"version":"1.1.0.0"}
2020-11-01 09:03:51 [22357] main_block_invoke() [chrome-host.mm:80] Message size: 118
2020-11-01 09:03:51 [22357] main_block_invoke() [chrome-host.mm:95] Message (118): {"type":"CERT","lang":"en","nonce":"klz1g31h9eon5lyi","src":"page.js","origin":"https://hwcrypto.github.io","tab":923}
2020-11-01 09:03:51 [22357] atrList() [PKCS11Path.cpp:69] found reader: SafeNet eToken 5100
2020-11-01 09:03:51 [22357] atrList() [PKCS11Path.cpp:82] Set ATR = 3BD5180081313A7D8073C8211030 for reader SafeNet eToken 5100
2020-11-01 16:52:27 [15297] main() [chrome-host.mm:54] Starting native host 1.1.2.520
2020-11-01 16:52:27 [15297] main_block_invoke() [chrome-host.mm:80] Message size: 109
2020-11-01 16:52:27 [15297] main_block_invoke() [chrome-host.mm:95] Message (109): {"type":"VERSION","nonce":"rbls8tuua1xxhkht","src":"page.js","origin":"https://hwcrypto.github.io","tab":856}
2020-11-01 16:52:27 [15297] write() [chrome-host.mm:38] Response(72) {"result":"ok","nonce":"rbls8tuua1xxhkht","ver":1,"version":"1.1.2.520"}
2020-11-01 16:52:27 [15297] main_block_invoke() [chrome-host.mm:80] Message size: 118
2020-11-01 16:52:27 [15297] main_block_invoke() [chrome-host.mm:95] Message (118): {"type":"CERT","lang":"en","nonce":"f8ofiavllh215f1q","src":"page.js","origin":"https://hwcrypto.github.io","tab":856}
2020-11-01 16:52:27 [15297] atrList() [PKCS11Path.cpp:69] found reader: SafeNet eToken 5100
2020-11-01 16:52:27 [15297] atrList() [PKCS11Path.cpp:82] Set ATR = 3BD518008131FE7D8073C82110F4 for reader SafeNet eToken 5100
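A small triage helper for chrome-signing.log output like the excerpts above, telling the Library Validation failure (module signed by another Team ID) apart from an ordinary dlopen failure and from a successful certificate lookup. This is an added example, not part of chrome-token-signing; the sample log lines are constructed from the thread's own output, and the classification names are this example's own.

```shell
#!/bin/sh
# Added example (not part of chrome-token-signing): classify a chrome-signing.log
# by the failure signatures seen in this thread. Sample lines are constructed
# from the thread's excerpts, shortened to the parts the checks look at.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2020-11-01 09:39:47 [27411] atrList() [PKCS11Path.cpp:69] found reader: SafeNet eToken 5100
2020-11-01 09:39:47 [27411] PKCS11CardManager() [PKCS11CardManager.h:124] Function List not loaded /Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib: dlopen(/Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib, 6): no suitable image found. Did find: code signature in (libeToken.dylib) not valid for use in process using Library Validation: mapping process and mapped file (non-platform) have different Team IDs
EOF

# triage_signing_log <logfile>
# prints one of: ok | library-validation | module-load-failed | no-reader | no-cert-step
triage_signing_log() {
    log=$1
    if grep -q 'token has valid signing certificate' "$log"; then
        echo ok
    elif grep -q 'not valid for use in process using Library Validation' "$log"; then
        # dyld refused the PKCS#11 module because the sandboxed host and the
        # vendor dylib are signed by different Team IDs; no amount of sandbox
        # file exceptions or libcrypto symlinks will change this outcome
        echo library-validation
    elif grep -q 'Function List not loaded' "$log"; then
        # dlopen failed for another reason (missing libcrypto dependency,
        # missing sandbox file exception): trace it with fs_usage as above
        echo module-load-failed
    elif ! grep -q 'found reader:' "$log"; then
        echo no-reader
    else
        echo no-cert-step
    fi
}

# module_path <logfile>: the PKCS#11 library the host tried to load, whether
# the load succeeded ("initializing module") or failed ("Function List not loaded")
module_path() {
    sed -n \
        -e 's/.*initializing module \([^:]*\).*/\1/p' \
        -e 's/.*Function List not loaded \([^:]*\).*/\1/p' "$1" | head -n 1
}

# Stand-alone use: sh thisfile.sh ~/Library/Containers/ee.ria.chrome-token-signing/Data/tmp/chrome-signing.log
if [ -n "${1:-}" ]; then
    echo "$(triage_signing_log "$1") $(module_path "$1")"
fi
```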