open-eid / chrome-token-signing

DEPRECATED Chrome and Firefox extension for signing with your eID on the web
https://github.com/open-eid/chrome-token-signing/wiki
GNU Lesser General Public License v2.1
206 stars, 75 forks

Mac OSX issues #183

Closed kurtuluso closed 3 years ago

kurtuluso commented 3 years ago

I have important problems with Mac OSX installations.

**OSX 10.13.6 (High Sierra), Token: eToken**

- Release 1.1.0 works:

in ~/tmp/chrome-signing.log:

    2020-11-01 09:54:57 [91237] main() [chrome-host.mm:54] Starting native host 1.1.0.511
    2020-11-01 09:54:57 [91237] main_block_invoke() [chrome-host.mm:80] Message size: 110
    2020-11-01 09:54:57 [91237] main_block_invoke() [chrome-host.mm:95] Message (110): {"type":"VERSION","nonce":"003fb5zpcpfgexxj","src":"page.js","origin":"https://hwcrypto.github.io","tab":1065}
    2020-11-01 09:54:57 [91237] write() [chrome-host.mm:38] Response(72) {"result":"ok","nonce":"003fb5zpcpfgexxj","ver":1,"version":"1.1.0.511"}
    2020-11-01 09:54:57 [91237] main_block_invoke() [chrome-host.mm:80] Message size: 119
    2020-11-01 09:54:57 [91237] main_block_invoke() [chrome-host.mm:95] Message (119): {"type":"CERT","lang":"en","nonce":"9lxaw8l8crmeywjg","src":"page.js","origin":"https://hwcrypto.github.io","tab":1065}
    2020-11-01 09:54:57 [91237] atrList() [PKCS11Path.cpp:69] found reader: SafeNet eToken 5100
    2020-11-01 09:54:57 [91237] atrList() [PKCS11Path.cpp:82] Set ATR = 3BD518008131FE7D8073C82110F4 for reader SafeNet eToken 5100
    2020-11-01 09:54:57 [91237] C_GetFunctionList() [PKCS11CardManager.h:127] return value 0
    2020-11-01 09:54:57 [91237] PKCS11CardManager() [PKCS11CardManager.h:128] initializing module /Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib
    2020-11-01 09:54:57 [91237] C_Initialize() [PKCS11CardManager.h:129] return value 0
    2020-11-01 09:54:57 [91237] C_GetSlotList() [PKCS11CardManager.h:156] return value 0
    2020-11-01 09:54:57 [91237] tokens() [PKCS11CardManager.h:157] slotCount = 1
    2020-11-01 09:54:57 [91237] C_GetSlotList() [PKCS11CardManager.h:159] return value 0
    2020-11-01 09:54:57 [91237] C_GetTokenInfo() [PKCS11CardManager.h:166] return value 0
    2020-11-01 09:54:57 [91237] C_OpenSession() [PKCS11CardManager.h:172] return value 0
    2020-11-01 09:54:57 [91237] C_FindObjectsInit() [PKCS11CardManager.h:90] return value 0
    2020-11-01 09:54:57 [91237] C_FindObjects() [PKCS11CardManager.h:93] return value 0
    2020-11-01 09:54:57 [91237] C_FindObjectsFinal() [PKCS11CardManager.h:94] return value 0
    2020-11-01 09:54:57 [91237] C_GetAttributeValue() [PKCS11CardManager.h:73] return value 0
    2020-11-01 09:54:57 [91237] C_GetAttributeValue() [PKCS11CardManager.h:76] return value 0
    2020-11-01 09:54:57 [91237] C_GetAttributeValue() [PKCS11CardManager.h:73] return value 0
    2020-11-01 09:54:57 [91237] C_GetAttributeValue() [PKCS11CardManager.h:76] return value 0
    2020-11-01 09:54:57 [91237] C_CloseSession() [PKCS11CardManager.h:190] return value 0
    2020-11-01 09:54:57 [91237] C_Finalize() [PKCS11CardManager.h:135] return value 0
    2020-11-01 09:54:57 [91237] -[CertificateSelection init:]() [CertificateSelection.mm:90] token has valid signing certificate, adding it to selection

**OSX 10.15.7 (Catalina - a new MacBook pro), Token: eToken** 
- For all revisions, I can build, create the package, and install the package, but I CAN NOT RUN it on my own computer.

Direct build with the current code:

in ~/Library/Containers/ee.ria.chrome-token-signing/Data/tmp/chrome-signing.log:

    2020-11-01 09:39:47 [27411] main_block_invoke() [chrome-host.mm:80] Message size: 132
    2020-11-01 09:39:47 [27411] main_block_invoke() [chrome-host.mm:95] Message (132): {"type":"CERT","lang":"tr","filter":"SIGN","nonce":"cbldcituukxff3nk","src":"page.js","origin":"https://app.imzayeri.com","tab":819}
    2020-11-01 09:39:47 [27411] atrList() [PKCS11Path.cpp:69] found reader: SafeNet eToken 5100
    2020-11-01 09:39:47 [27411] atrList() [PKCS11Path.cpp:82] Set ATR = 3BD518008131FE7D8073C82110F4 for reader SafeNet eToken 5100
    2020-11-01 09:39:47 [27411] PKCS11CardManager() [PKCS11CardManager.h:124] Function List not loaded /Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib: dlopen(/Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib, 6): no suitable image found.  Did find: /Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib: code signature in (/Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib) not valid for use in process using Library Validation: mapping process and mapped file (non-platform) have different Team IDs /Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib: stat() failed with errno=1


If I open Xcode, enable Hardened Runtime and add a library loading exception, it stops at the loading phase (I think):

in ~/Library/Containers/ee.ria.chrome-token-signing/Data/tmp/chrome-signing.log:

    2020-11-01 09:03:51 [22357] main_block_invoke() [chrome-host.mm:80] Message size: 109
    2020-11-01 09:03:51 [22357] main_block_invoke() [chrome-host.mm:95] Message (109): {"type":"VERSION","nonce":"zxzpikvmuu110cwi","src":"page.js","origin":"https://hwcrypto.github.io","tab":923}
    2020-11-01 09:03:51 [22357] write() [chrome-host.mm:38] Response(70) {"result":"ok","nonce":"zxzpikvmuu110cwi","ver":1,"version":"1.1.0.0"}
    2020-11-01 09:03:51 [22357] main_block_invoke() [chrome-host.mm:80] Message size: 118
    2020-11-01 09:03:51 [22357] main_block_invoke() [chrome-host.mm:95] Message (118): {"type":"CERT","lang":"en","nonce":"klz1g31h9eon5lyi","src":"page.js","origin":"https://hwcrypto.github.io","tab":923}
    2020-11-01 09:03:51 [22357] atrList() [PKCS11Path.cpp:69] found reader: SafeNet eToken 5100
    2020-11-01 09:03:51 [22357] atrList() [PKCS11Path.cpp:82] Set ATR = 3BD5180081313A7D8073C8211030 for reader SafeNet eToken 5100


- Official Release 1.1.2 is not working again:

    2020-11-01 16:52:27 [15297] main() [chrome-host.mm:54] Starting native host 1.1.2.520
    2020-11-01 16:52:27 [15297] main_block_invoke() [chrome-host.mm:80] Message size: 109
    2020-11-01 16:52:27 [15297] main_block_invoke() [chrome-host.mm:95] Message (109): {"type":"VERSION","nonce":"rbls8tuua1xxhkht","src":"page.js","origin":"https://hwcrypto.github.io","tab":856}
    2020-11-01 16:52:27 [15297] write() [chrome-host.mm:38] Response(72) {"result":"ok","nonce":"rbls8tuua1xxhkht","ver":1,"version":"1.1.2.520"}
    2020-11-01 16:52:27 [15297] main_block_invoke() [chrome-host.mm:80] Message size: 118
    2020-11-01 16:52:27 [15297] main_block_invoke() [chrome-host.mm:95] Message (118): {"type":"CERT","lang":"en","nonce":"f8ofiavllh215f1q","src":"page.js","origin":"https://hwcrypto.github.io","tab":856}
    2020-11-01 16:52:27 [15297] atrList() [PKCS11Path.cpp:69] found reader: SafeNet eToken 5100
    2020-11-01 16:52:27 [15297] atrList() [PKCS11Path.cpp:82] Set ATR = 3BD518008131FE7D8073C82110F4 for reader SafeNet eToken 5100


- Release 1.10: It works!!!!
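
The three chrome-signing.log excerpts in this report differ mainly in where they stop: the working one reaches `initializing module` and `C_Initialize() ... return value 0`, the Catalina build fails inside dlopen with a Library Validation Team ID mismatch plus `stat() failed with errno=1` (EPERM, typically the sandbox), and the hardened-runtime build simply ends after the ATR line. As an added example, not part of the original issue and not chrome-token-signing's own code, the Python below parses lines in this log format and classifies the module-load outcome; the cause labels and the shortened dlopen text in the samples are this example's own.

```python
"""Classify the PKCS#11 module-load outcome recorded in chrome-signing.log.
Added example, not chrome-token-signing's code; the cause names are this example's own."""
import re

# One log line: "<date> <time> [<pid>] <func>() [<file>:<line>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[(?P<pid>\d+)\] "
    r"(?P<func>\S+) \[(?P<loc>[^\]]+)\] (?P<msg>.*)$"
)
RV_RE = re.compile(r"return value (?P<rv>\d+)$")
LOAD_OK_RE = re.compile(r"^initializing module (?P<path>\S+)")
LOAD_FAIL_RE = re.compile(r"^Function List not loaded (?P<path>[^:]+):")

# dlopen() error fragments seen on macOS and the label this example assigns to each
CAUSE_PATTERNS = (
    ("different Team IDs", "library_validation_team_id_mismatch"),  # hardened runtime, no exception
    ("errno=1", "permission_denied_errno_1"),                        # EPERM: sandbox or file mode
    ("image not found", "missing_dependency"),
    ("Library not loaded", "missing_dependency"),
)

# Constructed samples, taken from the log excerpts in this issue (long dlopen text shortened)
SAMPLE_OK = """\
2020-11-01 09:54:57 [91237] C_GetFunctionList() [PKCS11CardManager.h:127] return value 0
2020-11-01 09:54:57 [91237] PKCS11CardManager() [PKCS11CardManager.h:128] initializing module /Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib
2020-11-01 09:54:57 [91237] C_Initialize() [PKCS11CardManager.h:129] return value 0
2020-11-01 09:54:57 [91237] tokens() [PKCS11CardManager.h:157] slotCount = 1
2020-11-01 09:54:57 [91237] -[CertificateSelection init:]() [CertificateSelection.mm:90] token has valid signing certificate, adding it to selection
"""
SAMPLE_FAIL = (
    "2020-11-01 09:39:47 [27411] atrList() [PKCS11Path.cpp:82] Set ATR = 3BD518008131FE7D8073C82110F4 for reader SafeNet eToken 5100\n"
    "2020-11-01 09:39:47 [27411] PKCS11CardManager() [PKCS11CardManager.h:124] Function List not loaded "
    "/Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib: dlopen(...): no suitable image found. "
    "Did find: ... not valid for use in process using Library Validation: mapping process and mapped file "
    "(non-platform) have different Team IDs ... stat() failed with errno=1\n"
)
SAMPLE_TRUNCATED = (
    "2020-11-01 09:03:51 [22357] atrList() [PKCS11Path.cpp:69] found reader: SafeNet eToken 5100\n"
    "2020-11-01 09:03:51 [22357] atrList() [PKCS11Path.cpp:82] Set ATR = 3BD5180081313A7D8073C8211030 for reader SafeNet eToken 5100\n"
)


def diagnose(log_text):
    """Summarise module load state, dlopen causes, non-zero PKCS#11 return codes and slot count."""
    result = {"module": None, "loaded": None, "causes": [], "pkcs11_errors": [], "slot_count": None}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # e.g. Objective-C selector names contain spaces; not needed for the verdict
        func, msg = m["func"], m["msg"]
        ok = LOAD_OK_RE.match(msg)
        if ok:
            result["module"], result["loaded"] = ok["path"], True
            continue
        fail = LOAD_FAIL_RE.match(msg)
        if fail:
            result["module"], result["loaded"] = fail["path"].strip(), False
            for needle, cause in CAUSE_PATTERNS:
                if needle in msg and cause not in result["causes"]:
                    result["causes"].append(cause)
            continue
        rv = RV_RE.search(msg)
        if rv and func.startswith("C_") and int(rv["rv"]) != 0:
            result["pkcs11_errors"].append((func, int(rv["rv"])))  # non-zero CKR_* means failure
        if func == "tokens()" and msg.startswith("slotCount = "):
            result["slot_count"] = int(msg.split("=", 1)[1])
    if result["loaded"] is None:
        # Reader and ATR were found but the log ends before the module was touched: the host
        # died or hung between atrList() and PKCS11CardManager(), so look for a crash report.
        result["causes"].append("log_ends_before_module_load")
    return result
```

Running `diagnose` over a fresh log is a quicker first triage step than reading the dlopen text by hand: a Team ID mismatch points at code signing and Library Validation, errno=1 at the sandbox profile or file permissions, and a log that ends before the module line at a crash that never reached dlopen.
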

metsma commented 3 years ago

Seems we need to add eToken exceptions to the sandbox: https://github.com/open-eid/DigiDoc4-Client/blob/master/qdigidoc4.eToken.entitlements#L26-L35

kurtuluso commented 3 years ago

It has different problems in different OSX versions, and it works (on both OSX 10.13 and 10.15) with the 1.1.0 release. However, if I build the 1.1.0 release on my OSX 10.15, it is not working :( And those may be common problems for different drivers.

metsma commented 3 years ago

Can you test if you add the eToken exception to plist?

    <key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
    <array>
        <string>/private/etc/eToken.conf</string>
        <string>/private/etc/eToken.common.conf</string>
    </array>
    <key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
    <array>
        <string>/private/tmp/eToken.lock/</string>
        <string>/private/var/tmp/eToken.cache/</string>
    </array>
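
The two keys above are App Sandbox temporary exceptions: each string either names one file or, with a trailing slash, a directory subtree, and the paths are written under /private because /etc, /tmp and /var are symlinks there. As an added example, not the project's code and not from this thread's participants, the Python below loads an entitlements plist with the standard-library `plistlib` and answers whether a given driver path would be readable or writable under it. The surrounding plist skeleton and the `com.apple.security.app-sandbox` key are assumed; the exception paths are the ones suggested above, and the `libakisp11.dylib` path is the AKIS driver path requested later in this issue.

```python
"""Check which driver paths an app-sandbox entitlements plist lets the native host read or
write. Added example, not chrome-token-signing's code; only the two temporary-exception keys
from this issue are handled, and the plist wrapper around the snippet is assumed."""
import plistlib

RO_KEY = "com.apple.security.temporary-exception.files.absolute-path.read-only"
RW_KEY = "com.apple.security.temporary-exception.files.absolute-path.read-write"

# Constructed: the snippet suggested in this issue, wrapped in a complete entitlements file
ENTITLEMENTS_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
    <array>
        <string>/private/etc/eToken.conf</string>
        <string>/private/etc/eToken.common.conf</string>
    </array>
    <key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
    <array>
        <string>/private/tmp/eToken.lock/</string>
        <string>/private/var/tmp/eToken.cache/</string>
    </array>
</dict>
</plist>
"""

# /etc, /tmp and /var are symlinks into /private on macOS; the sandbox evaluates the resolved
# path, which is why the entries above carry the /private prefix.
SYMLINKED_ROOTS = ("/etc", "/tmp", "/var")


def canonical(path):
    """Rewrite a path through the /private symlinks the way the sandbox will see it."""
    for root in SYMLINKED_ROOTS:
        if path == root or path.startswith(root + "/"):
            return "/private" + path
    return path


def load_exceptions(plist_bytes):
    data = plistlib.loads(plist_bytes)
    return {"read_only": list(data.get(RO_KEY, [])), "read_write": list(data.get(RW_KEY, []))}


def covers(entry, path):
    """An entry ending in '/' grants the directory and everything beneath it; otherwise one file."""
    if entry.endswith("/"):
        return path == entry.rstrip("/") or path.startswith(entry)
    return path == entry


def access_allowed(exceptions, path, write=False):
    path = canonical(path)
    # read-write entries also imply read; read-only entries never grant write
    entries = exceptions["read_write"] if write else exceptions["read_write"] + exceptions["read_only"]
    return any(covers(e, path) for e in entries)


def missing_exceptions(plist_bytes, required):
    """required: iterable of (path, needs_write); returns the pairs no exception covers."""
    exc = load_exceptions(plist_bytes)
    return [(p, w) for p, w in required if not access_allowed(exc, p, w)]
```

`missing_exceptions` is the useful call when a new driver is added: feed it the files the driver's own documentation or an fs_usage trace shows it opening, and it lists what still has to go into the plist. Note that it only models the sandbox; the Team ID rejection by Library Validation seen in the Catalina log is a separate, code-signing-level check that no file exception can satisfy.
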

metsma commented 3 years ago

What is the eToken software version?

kurtuluso commented 3 years ago

I put the snippet into both Info.plist and chrome-token-signing.entitlements, but unfortunately the same result. eToken version: 10.2 (latest). I see a crash in the console: [image]

metsma commented 3 years ago

Can you get crash report? Is there any sandbox violation logs?

metsma commented 3 years ago

Seems like the eToken.dylib wants to use the openssl libcrypto.dylib. This workaround works for me:

    mkdir -p /usr/local/lib
    ln -s /usr/lib/libcrypto.0.9.8.dylib /usr/local/lib/libcrypto.dylib

kurtuluso commented 3 years ago

Unfortunately :( There is no crash report and creating the link did not work. There should be something to get a clue.

kurtuluso commented 3 years ago

I captured the command called by Chrome and ran it myself:

    /Library/Google/Chrome/NativeMessagingHosts/chrome-token-signing.app/Contents/MacOS/chrome-token-signing chrome-extension://ckjefchnfjhjfedoccjbhjpbncimppeg/

    2020-11-07 09:46:20.154 chrome-token-signing[50843:1641328] *** Terminating app due to uncaught exception 'NSRangeException', reason: '*** -[NSConcreteData getBytes:range:]: range {0, 4} exceeds data length 1'
    *** First throw call stack:
    (
            0   CoreFoundation                      0x00007fff33040b57 __exceptionPreprocess + 250
            1   libobjc.A.dylib                     0x00007fff6be8c5bf objc_exception_throw + 48
            2   Foundation                          0x00007fff356a8339 -[NSConcreteData getBytes:range:] + 535
            3   chrome-token-signing                0x00000001081bac2b chrome-token-signing + 68651
            4   Foundation                          0x00007fff35633784 -[__NSObserver _doit:] + 296
            5   CoreFoundation                      0x00007fff32fba80f __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ + 12
            6   CoreFoundation                      0x00007fff32fba7a3 ___CFXRegistrationPost1_block_invoke + 63
            7   CoreFoundation                      0x00007fff32fba718 _CFXRegistrationPost1 + 372
            8   CoreFoundation                      0x00007fff32fba384 ___CFXNotificationPost_block_invoke + 80
            9   CoreFoundation                      0x00007fff32f8a4fd -[_CFXNotificationRegistrar find:object:observer:enumerator:] + 1554
            10  CoreFoundation                      0x00007fff32f899a9 _CFXNotificationPost + 1351
            11  Foundation                          0x00007fff35607786 -[NSNotificationCenter postNotificationName:object:userInfo:] + 59
            12  Foundation                          0x00007fff3573e38e _performFileHandleSource + 1113
            13  CoreFoundation                      0x00007fff32fc4d52 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
            14  CoreFoundation                      0x00007fff32fc4cf1 __CFRunLoopDoSource0 + 103
            15  CoreFoundation                      0x00007fff32fc4b0b __CFRunLoopDoSources0 + 209
            16  CoreFoundation                      0x00007fff32fc383a __CFRunLoopRun + 927
            17  CoreFoundation                      0x00007fff32fc2e3e CFRunLoopRunSpecific + 462
            18  Foundation                          0x00007fff3565e1c8 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 212
            19  Foundation                          0x00007fff35710c6f -[NSRunLoop(NSRunLoop) run] + 76
            20  chrome-token-signing                0x00000001081ba7f4 chrome-token-signing + 67572
            21  libdyld.dylib                       0x00007fff6d034cc9 start + 1
            22  ???                                 0x0000000000000002 0x0 + 2
    )
    libc++abi.dylib: terminating with uncaught exception of type NSException
    zsh: abort       chrome-extension://ckjefchnfjhjfedoccjbhjpbncimppeg/

This may not be the intended usage and this result may be normal. I could not reproduce the error above again.
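
The `NSRangeException` above (`range {0, 4} exceeds data length 1`) is what a native messaging host produces when it reads the 4-byte length prefix Chrome normally sends but stdin is a terminal that delivered a single byte, so this crash is a framing-robustness issue rather than a token problem. As an added example, not chrome-token-signing's code and not from the issue's participants, the Python below implements Chrome's native messaging framing (native-endian 4-byte length, then a UTF-8 JSON object) and turns short or malformed input into a clean error instead of an uncaught exception. The request and response bodies are the VERSION exchange from the log in this issue (110 and 72 bytes); `FramingError`, `MAX_HOST_MESSAGE` and the function names are this example's own.

```python
"""Chrome native messaging framing: 4-byte native-endian length prefix, then a UTF-8 JSON
object. Added example, not chrome-token-signing's code; FramingError and MAX_HOST_MESSAGE
are this example's own names."""
import io
import json
import struct

HEADER = struct.Struct("=I")       # message length, native byte order, as Chrome writes it
MAX_HOST_MESSAGE = 1024 * 1024     # Chrome rejects host -> browser messages larger than 1 MiB

# Constructed from the VERSION exchange logged in this issue (Message size 110, Response 72)
VERSION_REQUEST = {"type": "VERSION", "nonce": "003fb5zpcpfgexxj", "src": "page.js",
                   "origin": "https://hwcrypto.github.io", "tab": 1065}


class FramingError(ValueError):
    """Raised instead of letting a short read blow up deep inside the read path."""


def read_message(stream):
    """Return the next message as a dict, or None on a clean end of stream."""
    header = stream.read(HEADER.size)
    if not header:
        return None
    if len(header) < HEADER.size:
        # The case behind the NSRangeException: one byte available, four requested.
        raise FramingError(f"short header: got {len(header)} byte(s), need {HEADER.size}")
    (length,) = HEADER.unpack(header)
    body = stream.read(length)
    if len(body) < length:
        raise FramingError(f"truncated body: got {len(body)} of {length} bytes")
    try:
        msg = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise FramingError(f"body is not valid JSON: {exc}") from exc
    if not isinstance(msg, dict):
        raise FramingError("top-level JSON value must be an object")
    return msg


def write_message(stream, obj):
    """Frame obj the way the host's write() does; returns the body length (the 'Response(N)')."""
    body = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    if len(body) > MAX_HOST_MESSAGE:
        raise FramingError(f"response of {len(body)} bytes exceeds Chrome's 1 MiB limit")
    stream.write(HEADER.pack(len(body)))
    stream.write(body)
    return len(body)


def frame(obj):
    """Convenience: the complete framed bytes for one message."""
    buf = io.BytesIO()
    write_message(buf, obj)
    return buf.getvalue()


def parse_bytes(data):
    """(message, error) for one framed message held in memory; at most one of the two is set."""
    try:
        return read_message(io.BytesIO(data)), None
    except FramingError as exc:
        return None, str(exc)


def version_response(request, host_version):
    """Build the reply shown in the log for a VERSION request, echoing the caller's nonce."""
    return {"result": "ok", "nonce": request["nonce"], "ver": 1, "version": host_version}
```

Serialising with `separators=(",", ":")` and the log's key order reproduces the exact byte counts the host logged, which is a convenient way to confirm a reimplementation frames messages identically. Echoing the `nonce` unchanged is what lets the page-side script pair a response with its request.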

metsma commented 3 years ago

Can you test the pull request and make the openssl symlink?

kurtuluso commented 3 years ago

Unfortunately, same. It crashed at PKCS11CardManager.h: library = dlopen(module.c_str(), RTLD_LOCAL | RTLD_NOW);

metsma commented 3 years ago

Can you trace the opened files?

    sudo fs_usage chrome-token-signing-pid_nr |grep crypto

kurtuluso commented 3 years ago

    sudo fs_usage chrome-token-signing-pid_nr |grep crypto
    11:27:05  stat64            /usr/lib/system/libcorecrypto.dylib                                              0.000005   chrome-token
    11:27:06  stat64            /Library/Frameworks/eToken.framework/Versions/A/libcrypto.dylib                  0.000004   chrome-token
    11:27:06  stat64            /Library/Frameworks/eToken.framework/Versions/A/libcrypto.dylib                  0.000003   chrome-token
    11:27:06  stat64            libcrypto.dylib                                                                  0.000002   chrome-token
    11:27:06  stat64            libcrypto.dylib                                                                  0.000001   chrome-token
    11:27:06  stat64            /usr/lib/libcrypto.dylib                                                         0.000834   chrome-token
    11:27:06  stat64            libcrypto.dylib                                                                  0.000003   chrome-token
    11:27:06  stat64            /usr/lib/libcrypto.35.dylib                                                      0.000013   chrome-token

kurtuluso commented 3 years ago

    kurtulus@kurmac vagrant % stat /usr/lib/system/libcorecrypto.dylib
    16777224 1152921500312586706 -rwxr-xr-x 1 root wheel 0 1292144 "Sep 22 02:28:40 2020" "Sep 22 02:28:40 2020" "Oct 28 12:02:13 2020" "Sep 22 02:28:40 2020" 4096 1232 0x80020 /usr/lib/system/libcorecrypto.dylib

    kurtulus@kurmac vagrant % stat /Library/Frameworks/eToken.framework/Versions/A/libcrypto.dylib
    stat: /Library/Frameworks/eToken.framework/Versions/A/libcrypto.dylib: stat: No such file or directory

    kurtulus@kurmac vagrant % stat /usr/lib/libcrypto.dylib
    16777224 1152921500312586762 -rwxr-xr-x 1 root wheel 0 32944 "Sep 22 02:29:52 2020" "Sep 22 02:29:52 2020" "Oct 28 12:02:13 2020" "Sep 22 02:29:52 2020" 4096 16 0x80020 /usr/lib/libcrypto.dylib

    kurtulus@kurmac vagrant % stat /usr/lib/libcrypto.35.dylib
    16777224 1152921500312586660 -rwxr-xr-x 1 root wheel 0 1483824 "Sep 22 02:29:09 2020" "Sep 22 02:29:09 2020" "Oct 28 12:02:13 2020" "Sep 22 02:29:09 2020" 4096 1408 0x80020 /usr/lib/libcrypto.35.dylib

kurtuluso commented 3 years ago

I created a /Library/Frameworks/eToken.framework/Versions/A/libcrypto.dylib -> /usr/lib/libcrypto.dylib link. Now I do not see /Library/Frameworks/eToken.framework/Versions/A/libcrypto.dylib in fs_usage, but nothing improved on library loading.

metsma commented 3 years ago

Try to create a link libcrypto.0.9.8.dylib -> libcrypto.dylib

This should be the openssl library. The other is boringssl.

kurtuluso commented 3 years ago

👍👍👍 ln -s /usr/lib/libcrypto.0.9.8.dylib /Library/Frameworks/eToken.framework/Versions/A/libcrypto.dylib did the magic!

We should do something in the post-install process to create the link.

kurtuluso commented 3 years ago

Now, I cannot enter the password for signing. It is waiting for a PIN longer than 8 characters. I changed the setting from SafeNet Tool (this works in Windows), but nothing happens. Somehow it always takes minPinLen=8 from the PKCS11 lib.

metsma commented 3 years ago

Does it work under linux? Seems like the macOS eToken driver is old and unmaintained.

kurtuluso commented 3 years ago

I do not have a Linux signing client now. I have to check it.

kurtuluso commented 3 years ago

@metsma Can you please add AKIS permission to mac osx?

    <key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
    <array>
        <string>/private/etc/eToken.conf</string>
        <string>/private/etc/eToken.common.conf</string>
        <string>/usr/local/lib/libakisp11.dylib</string>
    </array>

metsma commented 3 years ago

> @metsma Can you please add AKIS permission to mac osx?
>
>     <key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
>     <array>
>         <string>/private/etc/eToken.conf</string>
>         <string>/private/etc/eToken.common.conf</string>
>         <string>/usr/local/lib/libakisp11.dylib</string>
>     </array>

@kurtuluso Sorry, I only found your comment now. My PR got merged. Can you create a new pull request for the AKIS driver?

kurtuluso commented 3 years ago

sure