Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[probably a bug] ECDSA (NIST P-384)/SHA384-signed certificates are not recognized on Windows 10 #42

Open
vessokolev opened this issue Feb 25, 2024 · 2 comments
Open

[probably a bug] ECDSA (NIST P-384)/SHA384-signed certificates are not recognized on Windows 10 #42

vessokolev opened this issue Feb 25, 2024 · 2 comments

Comments

@vessokolev
Copy link

vessokolev commented Feb 25, 2024
edited

Description of the problem: If the HSM token hosts both RSA and ECDSA certificates (the latter based on NIST P-384 curve and signed by SHA-384), only the RSA-based ones are detected by Windows.

Note: It is not clear what causes the problem. Consider this issue primarily as a request for comment.

Expected result: ECDSA certificates to be accessible as Windows Digital IDs

Is reproducible: Yes, always (three fresh Windows 10 Pro and one Windows 10 Enterprise installations are currently being examined)

Environment: Freshly installed Windows 10 Pro/Enterprise with all security updates applied; OpenSC 0.24, shm-middleware-x64-2.12, SHA-384 and SHA-512 support is added to the Registry.

Other symptoms: Mozilla Firefox and Thunderbird are capable of displaying all certificates installed in the token (both RSA and ECDSA-based) and operating with them, provided the correct PKCS#11 module is configured with the NSS (either sc-hsm-pkcs11.dll or opensc-pkcs11.dll). Google Chrome, Brave, and Microsoft Edge can operate only with the RSA-based certificates hosted by the token. Adobe Acrobat can operate with the RSA-based certificates natively (no custom PKCS#11 provider is configured). If PKCS#11 provider is loaded in Adobe Acrobat (either sc-hsm-pkcs11.dll or opensc-pkcs11.dll), the ECDSA-based certificates become visible in the list with DigitalIDs, but due to the limitation of Adobe Acrobat and its well-know lack of cryptography support, those ECDSA certificates cannot be used for signing through any PKCS#11 provider (correct me if I am wrong). FoxitReader cannot utilize ECDSA certificates at all (regardless of the provider).

Logs and tests: (see the attached file - output generated by The Microsoft Smart Card Resource Manager) It misses to show two ECDSA-based certificates installed inside the token and shows information only about the RSA-based certificates stored there.
log_windows_ecdsa_sha384_issues.log
@vessokolev
Copy link
Author

Just a short update. It appears that the SHM tokens produced by Yubico, like YubiKey 5 Nano, express the same issue on Windows 10 Pro/Enterprise, so it is likely a general bug of misconfiguration. I would greatly appreciate any comments or suggestions that could help me identify the source of the issue.

@vessokolev
Copy link
Author

After some discussion with Yubico support, we managed to solve the problem with their tokens - once their mini driver is installed, the ECDSA token on the token is recognized as Windows Digital ID. Does that mean that the problem reported above is due to a problem with sc-hsm-middleware?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@vessokolev