Chromium

[Empty comment from Monorail migration]

We removed support for --use-system-ssl some time ago, as it presented risks to security, stability, and speed, and have no plans to re-introduce it.

It would be good if you can indicate exactly what Smartcard and Smart Card middleware you're using. If this is a national ID card, a reference to the national ID website that we can look into things further would be great.

[Empty comment from Monorail migration]

[Comment Deleted]

[Comment Deleted]

[Comment Deleted]

We are using the clauer project software http://clauer.nisu.org/ with self signed certificates.

I'm using the national ID card of Belgium. The site is http://eid.belgium.be. Since "--use-system-ssl" support has been removed, it doesn't work any more.

@koen: Are you also on Windows?

@rsleevi: Yes (Win7 32bit), Chrome: 26.0.1410.43 m

[Empty comment from Monorail migration]

The Belgium EID middleware source is available at https://code.google.com/p/eid-mw/source/browse

The relevant CSP hasn't been updated since 2010. A quick inspection of the CSP shows it supports the necessary CP* functions that Chrome expects on http://src.chromium.org/viewvc/chrome/trunk/src/net/third_party/nss/ssl/sslplatf.c?view=log#revHEAD

Namely, it supports CPGetUserKey (CryptGetUserKey), CPGetKeyParam (CryptGetKeyParam) with KP_ALGID, CPCreateHash, CPGetHashParam (with HP_HASHSIZE), CPSetHashParam (with HP_HASHVAL), and CPSignHash. So it's not immediately clear to me why it's failing.

Likely need to add more diagnostic capabilities, such as recording the OS error and/or additional logging. Alternatively, writing a sample tool for conformance tests.

I don't see myself being able to get this in the next two weeks, so marking it Available in case someone wants to take a stab at it.

[Empty comment from Monorail migration]

Hi Georgi, Rossen, et al.

I'm looking into this issue and it appears that at least in Clauer device case the problem is that it does not report correct algorithm in response to CPGetKeyParam with KP_ALGID.

Could you try attached test app (run from command line without parameters) and update the issue with the results?

thanks,
-m

No Test Parameters, entering interactive mode
The store has been opened.
Got Cert:
Private Alg:1.2.840.113549.1.1.5
Public Alg:1.2.840.113549.1.1.1
Acquiring Private Key Context.
Acquired Context, Test Signing.
*** keyAlg is 0, default to CALG_RSA_SIGN
***Unknown Alg: 0
PORT_SetError:-8152, GetLastError()=0x00000000
PORT_SetError:-1, GetLastError()=0x00000000
Signature Test Failed!

[Empty comment from Monorail migration]

Actually punting this one back to mef@. The Windows failures are unrelated to the client cert failures on other platforms.

The issue with the Belgian eID (national ID card) has been resolved with the last middleware update.

https://code.google.com/p/eid-mw/downloads/list (7363b)

[Empty comment from Monorail migration]

@webdbase, thanks! This confirms my experiment and should be sufficient to produce the fix.

------------------------------------------------------------------------
r195619 | mef@chromium.org | 2013-04-22T22:02:44.328205Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/nss/nss/exports_win.def?r1=195619&r2=195618&pathrev=195619

- Added export of CERT_GetCertKeyType for ssl platform support

BUG=226455

Review URL: https://chromiumcodereview.appspot.com/14416002
------------------------------------------------------------------------

------------------------------------------------------------------------
r196010 | mef@chromium.org | 2013-04-24T02:38:51.778241Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/DEPS?r1=196010&r2=196009&pathrev=196010

Update nss_revision to r195619 to pick up the export of CERT_GetCertKeyType from crnss

BUG=226455

The underlying CL is https://codereview.chromium.org/14416002/

R=wtc@chromium.org
TEST=no build errors on iOS, Mac OS X, and Windows.

Review URL: https://chromiumcodereview.appspot.com/14200046
------------------------------------------------------------------------

[Empty comment from Monorail migration]

------------------------------------------------------------------------
r196824 | mef@chromium.org | 2013-04-26T20:53:31.162431Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/third_party/nss/ssl/ssl3con.c?r1=196824&r2=196823&pathrev=196824
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/third_party/nss/ssl/sslimpl.h?r1=196824&r2=196823&pathrev=196824
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/third_party/nss/ssl/sslplatf.c?r1=196824&r2=196823&pathrev=196824

Use CERT_GetCertKeyType to get KeyType for ssl3_PlatformSignHashes.

This is based on https://crbug.com/chromium/14187006, which was closed due to invalid Base URL.

BUG=226455

Review URL: https://chromiumcodereview.appspot.com/13843023
------------------------------------------------------------------------

I've tried the fix on Windows XP with Clauer device.

Hello,
I presume that this issue is fixed.
Where can I download the patch from?
This is urgent.

Yes, it is fixed in M28, currently available in Dev channel: http://www.chromium.org/getting-involved/dev-channel

That's great! I tried version 28.0.1500.11 dev-m with the Clauer device and it works!

Excellent, thank you for testing!

This issue was migrated from crbug.com/chromium/226455?no_tracker_redirect=1

[Monorail mergedwith: crbug.com/chromium/230760]
[Monorail components added to Component Tags custom field.]