Unable to use custom driver #439

Closed
Ottunger opened this issue Oct 14, 2021 · 23 comments · Fixed by #454
@Ottunger
Contributor

Hi,

I have a smart card with a custom, incomplete PKCS11 driver for it.
I have added its configuration to the card.json file:

{
  "id": "3B9D188131FC358031C0694D54434F5373020505D3",
  "name": "MCARD",
  "file": {
    "windows": "C:/Program Files/ONECI/mcard/mcard-pkcs11.dll"
  }
}

If I use the same driver for pkcs11-tool, it works flawlessly:

"C:\Program Files\OpenSC Project\OpenSC\tools\pkcs11-tool.exe" -M --module="C:\Program Files\ONECI\mcard\mcard-pkcs11.dll"
Using slot 0 with a present token (0x0)
Supported mechanisms:
  ECDSA, keySize={256,384}, hw, sign
  ECDSA-SHA256, keySize={256,256}, hw, sign
  ECDSA-SHA384, keySize={384,384}, hw, sign

But when I access tools.fortifyapp.com, I can see the token, but no certificate on it. This is happening on Windows 10 x64.
On Windows 8.1 x64, tools.fortifyapp.com prompts for the PIN of the card and can then display certificates.

Is there anything I could investigate to understand why the card is not unlocked?
The fortify.log remains empty.

Side note: I created PeculiarVentures/x509#11 about the certificates which are on this card. I will finally be able to test the signature after I can access the private keys.

Thanks,

@microshine
Collaborator

It looks like Fortify uses the pvpkcs11.dll module instead of mcard-pkcs11.dll. But it must try the modules from cards.json first, before pvpkcs11, and I don't see any logs about it.

I think the simplest way to try your PKCS#11 module is to use the node-webcrypto-p11 module. If that module shows certificates, then Fortify must do the same.

@microshine
Collaborator

microshine commented Oct 14, 2021

Please add your PKCS#11 module to ~/.fortify/config.json

{
  "cards": [
    {
      "name": "OMNIKEY AG Smart Card",
      "atr": "3b9d188131fc358031c0694d54434f5373020505d3",
      "readOnly": false,
      "libraries": [
        "C:/Program Files/ONECI/mcard/mcard-pkcs11.dll"
      ]
    }
  ]
}

@Ottunger
Contributor Author

By "here we go" I meant it failed:

{"source":"server","error":"Provider:open Cannot load library by path C:\\Program Files\\Fortify\\pvpkcs11.dll. CKR_GENERAL_ERROR","stack":"so: Provider:open Cannot load library by path C:\\Program Files\\Fortify\\pvpkcs11.dll. CKR_GENERAL_ERROR\n at new so (C:\\Program Files\\Fortify\\resources\\app.asar\\out\\main.js:281:76612)\n at Zo.open (C:\\Program Files\\Fortify\\resources\\app.asar\\out\\main.js:281:110383)\n at cc.open (C:\\Program Files\\Fortify\\resources\\app.asar\\out\\main.js:281:133089)\n at po.<anonymous> (C:\\Program Files\\Fortify\\resources\\app.asar\\out\\main.js:281:134677)\n at po.emit (events.js:315:20)\n at po.emit (C:\\Program Files\\Fortify\\resources\\app.asar\\out\\main.js:256:223819)\n at po.emit (C:\\Program Files\\Fortify\\resources\\app.asar\\out\\main.js:281:78457)\n at C:\\Program Files\\Fortify\\resources\\app.asar\\out\\main.js:281:79436\n at Server.<anonymous> (C:\\Program Files\\Fortify\\resources\\app.asar\\out\\main.js:281:79470)\n at Object.onceWrapper (events.js:421:28)","level":"error","message":"Server event error","timestamp":"2021-10-14T15:34:07.084Z"}

Can I have more detail on the interface to support?

@Ottunger
Contributor Author

Hi again,

I made the change in config.json, and it works surprisingly better. My DLL is loaded on top of the generic PKCS11 one and I can access the PIN prompt.
Could it be that card.json is no longer used on Win10?

Will keep you posted,

@microshine
Collaborator

card.json must work. I'm wondering why it doesn't. Could you share the card.json changes you made?

I added the cards option to the config.json file to simplify the process of trying and adding new cards and providers to Fortify. The main problem with card.json usage is that when you get a new update for card.json, it rewrites the file and you lose your custom cards.

I think we need to improve our UI and allow users to add cards or HSMs to config.json (maybe something like Mozilla does in Firefox).

@Ottunger
Contributor Author

All in all, in card.json I had added

{
  "id": "3B9D188131FC358031C0694D54434F5373020505D3",
  "name": "MCARD",
  "file": {
    "windows": "C:/Program Files/ONECI/mcard/mcard-pkcs11.dll"
  }
}

With the ATR in uppercase as the ID, because that is how all the other custom configs are.

By the way, this configuration is for the official ID card of Côte d'Ivoire. What is the process to register for good configurations?

@microshine
Collaborator

Please try something like this

{
  "cards": [
    {
      "atr": "3B9D188131FC358031C0694D54434F5373020505D3",
      "name": "MCARD",
      "driver": "5b9ac33100924d9d86b6109147de08c3"
    }
  ],
  "drivers": {
    "id": "5b9ac33100924d9d86b6109147de08c3",
    "name": "MCARD",
    "file": {
      "windows": "C:/Program Files/ONECI/mcard/mcard-pkcs11.dll"
    }
  }
}

card.json requires a card and a driver (where driver.id is a randomly generated value).

@Ottunger
Contributor Author

I am also going back to PeculiarVentures/x509#11, as now I can sign, but I cannot verify the signature.
Read you soon!

@Ottunger
Contributor Author

Ottunger commented Nov 2, 2021

Hi @microshine @rmhrisk
Do you know if there is a standard way to add the configuration changes automatically after installation?
Or can I ask you to officially support this ATR?

Thanks

@microshine
Collaborator

microshine commented Nov 2, 2021

Does #439 (comment) work?

Does the lib exist for Linux and macOS?

I could add it to card.json file and include it in the next Fortify build.

> Do you know if there is a standard way to add the configuration changes automatically after installation?

It's a file generated by the Fortify application. You may create your own script for opening and editing the JSON file.

@Ottunger
Contributor Author

Ottunger commented Nov 2, 2021

Yes, editing the file works perfectly.

So, I should rewrap your MSI installer with a small script after installation? I guess the zip version cannot work that way, can it?

@microshine
Collaborator

> So, I should rewrap your MSI installer with a small script after installation? I guess the zip version cannot work that way, can it?

I think it's impossible.

@rmhrisk
Contributor

rmhrisk commented Nov 2, 2021

File a bug to support your card and provide all the associated details.

@microshine
Collaborator

@Ottunger We published the new version of Fortify today, v1.8.3. We also published the new version of card.json.

Please restart the Fortify app to update your card.json. It includes the MCARD config.

@Ottunger
Contributor Author

Ottunger commented Nov 5, 2021

Thank you so much, I will update and try.
By the way, the Inno Setup packaging was a temporary working solution.

@Ottunger
Contributor Author

Ottunger commented Nov 5, 2021

Hi guys,

I just tested it, and nice job: no more need to change the custom config for me!
Just so you know, we do not support Mac/Linux, but we do have both x32 and x64 drivers.

x64: "%PROGRAMFILES/ONECI/mcard/mcard-pkcs11.dll" (correct)
x32: "%PROGRAMFILES(x86)/ONECI/mcard/mcard-pkcs11.dll" (should be)

@rmhrisk
Contributor

rmhrisk commented Nov 5, 2021

@microshine please confirm card.json contains both.

@Ottunger do you have a link for the card details I can look at?

@Ottunger
Contributor Author

Ottunger commented Nov 5, 2021

I checked: card.json contains only one.

What do you mean by card details? But in any case, I'm afraid not.

@rmhrisk
Contributor

rmhrisk commented Nov 5, 2021

@Ottunger I am curious what the capabilities of the card are, what product you are using it with, etc.

@microshine
Collaborator

In progress. Adding the x86 path to card.json and publishing the module.

@Ottunger
Contributor Author

Ottunger commented Nov 5, 2021

Happy to have a chat but I don't have much info myself, and was told not to disclose too much on Github publicly.
Feel free to reach out to me by email greg.mathonet@gmail.com for some intel.

@microshine
Collaborator

@donskov I fixed and published @webcrypto-local/cards. Could you sign and publish it?

@donskov
Collaborator

donskov commented Nov 8, 2021

@Ottunger cards.json updated. You need only restart your Fortify.
