Smart Card access


Postby saversa » Mon Jul 31, 2017 4:26 am

Hi,
I'm trying to figure out how to use CEF to access certificates on a smart card.

Using the Chromium browser, if I browse to a URL which requires access to the smart card, a dialog "Sign in to Security Device" is shown (see attached screenshot) to enter the PIN code to unlock the smart card inserted into the USB card reader,
and then access the certificates;
the same URL inside CEF, using the cefsimple sample application, doesn't show anything and is redirected to an error page.

I searched through the documentation and all I found is the CefRequestHandler::OnSelectClientCertificate method,
so I tried to attach a hook on OnSelectClientCertificate but it never gets called; it seems that if the "Sign in..." dialog is not shown, OnSelectClientCertificate isn't called.

Is there any chance to show the "Sign in..." dialog on CEF?

OS: Ubuntu 16.04 64bit
Chromium browser: 59.0.3071.109
CEF version: 3.3071

To use the smart card reader with Chromium, I need to execute this command:
modutil -dbdir sql:.pki/nssdb/ -add "OpenSC" -libfile /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

Maybe it's needed to pass the full path of the "OpenSC" library to cef...

Thanks in advance
Attachments
Cattura.PNG
Screenshot of "Sign in.." dialog
saversa
Techie
 
Posts: 11
Joined: Mon Jul 31, 2017 2:49 am

Re: Smart Card access

Postby magreenblatt » Mon Jul 31, 2017 9:07 am

This is not currently supported by CEF. The dialog is implemented in Chrome using CryptoModulePasswordDialogView via ChromeNSSCryptoModuleDelegate passed to the net::ClientCertStoreNSS constructor. We could expose a callback for this in CEF but you would need to implement the dialog yourself or provide a default dialog as part of the CEF implementation. Pull requests welcome.
magreenblatt
Site Admin
 
Posts: 12402
Joined: Fri May 29, 2009 6:57 pm

Re: Smart Card access

Postby saversa » Fri Feb 09, 2018 8:51 am

In the end I solved it using the same dialog as Chromium, but now I have another problem:
the first time the smart card is accessed, I get the PIN request and everything works;
but if I change the smart card in the reader and go to another site requiring authentication, I don't get a PIN request anymore.

It seems that CEF queries the smart card reader only the first time that a website requires authentication, and then CEF keeps the certificate in memory;
is that behaviour correct?

If yes, is there any method to refresh the loaded certificates?

Thanks in advance
saversa
Techie
 
Posts: 11
Joined: Mon Jul 31, 2017 2:49 am

Re: Smart Card access

Postby ndesktop » Fri Feb 09, 2018 3:23 pm

You can try to modify libcef/browser/net/network_delegate.cc and capture the X509Certificate arriving on the various callbacks right there, or make yourself a callback (mine is called OnSSLInfo) which invokes back into the (cef)client.
Either way this would require a custom build. I have no better idea than this.
ndesktop
Master
 
Posts: 754
Joined: Thu Dec 03, 2015 10:10 am

Re: Smart Card access

Postby saversa » Tue Feb 13, 2018 10:51 am

Thanks ndesktop,
I saw the network_delegate.cc stuff, but I think the problem is how Chromium manages the smart card:

I have the same problem on chromium-browser 64 on Ubuntu 16.04; the use case is:
- insert smart card into usb reader
- open a site which requires client auth
- chrome opens the "insert pin" dialog
- choose client certificate
- the site opens
- remove the smart card
- insert another smart card
- reopen the site requiring client auth
- chrome shows an error page: ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED

On the console I have these errors:
[14024:14229:0213/162646.106948:ERROR:ssl_platform_key_nss.cc(44)] PK11_SignWithMechanism failed: -8127 (SEC_ERROR_NO_TOKEN)
[14024:14055:0213/162646.107122:ERROR:ssl_client_socket_impl.cc(1040)] handshake failed; returned -1, SSL error code 1, net_error -141

Is it possible to force a reset of the current certificate db?
saversa
Techie
 
Posts: 11
Joined: Mon Jul 31, 2017 2:49 am

Re: Smart Card access

Postby magreenblatt » Tue Feb 13, 2018 10:55 am

saversa wrote: I have the same problem on chromium-browser 64 on ubuntu 16.04

You should file a bug with Chromium at https://crbug.com/new.
magreenblatt
Site Admin
 
Posts: 12402
Joined: Fri May 29, 2009 6:57 pm

Re: Smart Card access

Postby saversa » Fri Jun 15, 2018 5:39 am

Hi,
...resuming this thread...

I filed a bug on Chromium (https://bugs.chromium.org/p/chromium/is ... ?id=813022) and it is resolved in Chromium version 66;
I tested it and every time a smart card is inserted, the browser requests the PIN to unlock the certificate.

I downloaded and built CEF version 3396, and I have the same problem:
the first time a smart card is inserted, I get a PIN request dialog... with the next smart cards I get an error "Error: ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED (-141)"
and on the terminal I see this error:
0615/123634.334809:ERROR:ssl_platform_key_nss.cc(44)] PK11_SignWithMechanism failed: -8127 (SEC_ERROR_NO_TOKEN)
[0615/123634.334930:ERROR:ssl_client_socket_impl.cc(1026)] handshake failed; returned -1, SSL error code 1, net_error -141

Is there any difference from the Chromium source regarding the handling of SSL certificates?
It seems that the bugfix is ported to the CEF source... but, in practice, it doesn't have any effect.

Thanks
saversa
Techie
 
Posts: 11
Joined: Mon Jul 31, 2017 2:49 am
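Added example, not code from this thread or from CEF: a small Python triage helper that parses the Chromium/CEF terminal lines quoted in the posts above and separates the stale-token case (PK11_SignWithMechanism failing with SEC_ERROR_NO_TOKEN, followed by a handshake failing with net_error -141) from other client-auth signature failures. The sample lines are copied from this post; the field names and diagnosis labels are my own.

```python
import re
from typing import Dict, List, Optional

# Chromium/CEF stderr line: "[pid:tid:MMDD/HHMMSS.usec:LEVEL:file(line)] message".
# The leading "[" and the "pid:tid:" prefix are optional because one of the
# pasted lines in the thread lost them.
LOG_RE = re.compile(
    r"^\[?(?:\d+:\d+:)?(?P<ts>\d{4}/\d{6}\.\d+):(?P<level>[A-Z]+):"
    r"(?P<file>[\w.]+)\((?P<line>\d+)\)\]\s*(?P<msg>.*)$"
)
NSS_SIGN_RE = re.compile(r"PK11_SignWithMechanism failed: (-?\d+) \(([A-Z_]+)\)")
HANDSHAKE_RE = re.compile(r"handshake failed; .*net_error (-?\d+)")
ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED = -141  # net error code quoted in the thread

# Constructed sample: the two lines saversa pasted from the CEF terminal.
SAMPLE_LOG = [
    "0615/123634.334809:ERROR:ssl_platform_key_nss.cc(44)] PK11_SignWithMechanism failed: -8127 (SEC_ERROR_NO_TOKEN)",
    "[0615/123634.334930:ERROR:ssl_client_socket_impl.cc(1026)] handshake failed; returned -1, SSL error code 1, net_error -141",
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one Chromium log line into its fields, or None if it is not one."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def diagnose(lines: List[str]) -> Dict[str, object]:
    """Correlate an NSS signing failure with the TLS handshake failure after it."""
    nss_error = None  # (code, name) of the last PK11_SignWithMechanism failure seen
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sign = NSS_SIGN_RE.search(rec["msg"])
        if sign:
            nss_error = (int(sign.group(1)), sign.group(2))
            continue
        hs = HANDSHAKE_RE.search(rec["msg"])
        if hs and int(hs.group(1)) == ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED:
            source = f"{rec['file']}:{rec['line']}"
            if nss_error and nss_error[1] == "SEC_ERROR_NO_TOKEN":
                # The client cert store still holds a handle to a token that was
                # removed: the cached certificate must be re-enumerated, not reused.
                return {"diagnosis": "stale_token_handle", "nss_error": nss_error[0],
                        "nss_name": nss_error[1], "net_error": int(hs.group(1)),
                        "source": source}
            return {"diagnosis": "client_auth_signature_failed",
                    "nss_error": nss_error[0] if nss_error else None,
                    "net_error": int(hs.group(1)), "source": source}
    return {"diagnosis": "no_client_auth_failure"}
```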

Re: Smart Card access

Postby magreenblatt » Fri Jun 15, 2018 11:04 am

Thanks for updating with the Chromium issue. The comment above about needing to implement the dialog callback is still relevant.
magreenblatt
Site Admin
 
Posts: 12402
Joined: Fri May 29, 2009 6:57 pm

Re: Smart Card access

Postby saversa » Mon Jun 18, 2018 2:27 am

Ok,
I built a custom version of CEF 3396 with a call to the Chromium PIN dialog:
in file cef/libcef/browser/resource_context.cc:80

std::unique_ptr<net::ClientCertStore>
CefResourceContext::CreateClientCertStore() {
#if defined(USE_NSS_CERTS)
  // Hand NSS the Chromium password delegate so the "Sign in to Security
  // Device" PIN dialog is shown when the token needs to be unlocked.
  return std::unique_ptr<net::ClientCertStore>(new net::ClientCertStoreNSS(
      base::Bind(&CreateCryptoModuleBlockingPasswordDelegate,
                 kCryptoModulePasswordClientAuth)));
#endif  // USE_NSS_CERTS (other platform branches not shown in the post)
}


The first time the dialog is shown, and the smartcard is read; if I change the smart card, no dialog is shown and I have the error above.

Maybe there's something else to do to show the dialog? In CEF, is there any method to reset the net::ClientCertStore?
saversa
Techie
 
Posts: 11
Joined: Mon Jul 31, 2017 2:49 am

Re: Smart Card access

Postby saversa » Tue Jun 19, 2018 4:50 am

Problem solved:
I rebuilt CEF 3396 from scratch and now it works as expected :)

Thanks for the patience
saversa
Techie
 
Posts: 11
Joined: Mon Jul 31, 2017 2:49 am
