On Sat, Dec 1, 2018 at 6:01 PM, mailto428496 <mailto628...@cox.net> wrote:
> I am testing this on CentOS 7 and it appears that the server cert ca
> verification is working (we have the CA stores installed locally), at
> least it doesn't complain that the site cert is invalid, but I suppose
> it could just not be checking at all (which wouldn't be so great either...).

It definitely checks TLS certificates. That's only impressive if you have the server cert stored on your smartcard, though, which I assume is probably not what you're doing, right?

(Beware that the version of WebKit shipped by CentOS is always old and doesn't receive security updates.)

> I think there would need to be an interface to the opensc or coolkey
> libraries in order for it to access the smartcard. It sounds like it is
> a bit more complicated where there are multiple layers and packages
> involved that would all need to support each other in order for this to
> work.

I've never heard of these libraries before today, but I don't think so. From https://fedoraproject.org/wiki/Changes/Replace_Coolkey_with_OpenSC I gather that p11-kit wraps these libraries. And GnuTLS uses p11-kit as its default trust store (looks like since CentOS 7.3). Did you try GIO_USE_TLS=gnutls-pkcs11?

> There has been discussion of contracting a developer to help with this
> (if we can get funding, etc.) and if that happened I would hope that any
> result could be contributed back to the open source community (but given
> that it's the government that is another whole process).

> I wanted to be sure that I wasn't missing something and that support was
> not already included - which it sounds pretty clear that it isn't yet,
> but maybe some of the groundwork is getting there? And I wanted to get
> an idea of what it might take to implement - which sounds non-trivial
> but doable for someone willing to dig into the weeds and figure out how
> all the pieces need to work together.

It's not clear to me at all. Until a couple months ago, we had tons of code for PKCS#11 in glib-networking. It didn't write itself for no reason. The problem is that I wound up inheriting all the code, without knowing if it's still important, or if anyone at all is using it with smartcards, and with nobody to test it or tell me if it's working, and every indication that it's obsoleted by GnuTLS-level support for PKCS#11, and with the code having never been enabled except behind a secret environment variable, I decided to delete it (in glib-networking 2.58; you have 2.56 if you have CentOS 7.6). For the code to have remained, I needed someone interested to come forward and tell me that it was both working and also not redundant with the GnuTLS-level PKCS#11 support, and that didn't happen.

So set aside the WebKit-level client authentication issue, which will be solved soon regardless. Take WebKit out of the picture. We have support for PKCS#11 in GnuTLS. Your main concern right now is to make sure that the gnutls-pkcs11 backend I just removed from glib-networking is not important for you, because if so we just took a lot of steps backwards. That can be undone now far more easily than, e.g., a year from now. So you want to be sure that glib-networking's gnutls backend can do everything the gnutls-pkcs11 backend could. In CentOS 7.6, you are in a good spot to do this, because you have glib-networking 2.56, which is the first version of glib-networking that uses GnuTLS's default trust store and also the last version that has the gnutls-pkcs11 backend built by default. (In 2.58 it's disabled by default at build time. And in 2.60 it will be gone.)

Once TLS client authentication is working, there should be zero code in WebKit required to support smartcards. All of that code lives at the glib-networking and GnuTLS levels (and maaaybe libsoup, but I don't think so). So you can test whether this works today... just not using WebKit. (Not sure how exactly you would test it without WebKit, though. Without any support for client auth at the WebKit level, I'm really not sure what the code was written for.)

Michael

_______________________________________________
webkit-gtk mailing list
webkit-gtk@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-gtk