Can't use Secure Transport backend with Crypto Token Kit #7048
Comments
After some investigation, I think I've narrowed this down to how the keychain query is generated in the code. Currently, the query is built using these parameters: Lines 1125 to 1138 in fa050ff
When I was writing code to load the identity in my own program, I had to also include the key/value
You could add the key-value to the dictionary, recompile, and see if that solves the problem for you. If it does, then please create a PR with the change, since I don't have a smart card for development or testing. Thanks.
Ok, in my free time the past couple days, I've tried out a couple different things here, but I haven't had any complete success.
diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
index 4276b89cf..05379bd29 100644
--- a/lib/vtls/sectransp.c
+++ b/lib/vtls/sectransp.c
@@ -1116,8 +1116,8 @@ static OSStatus CopyIdentityWithLabel(char *label,
kSecClassIdentity was introduced in Lion. If both exist, let's use them
to find the certificate. */
if(SecItemCopyMatching != NULL && kSecClassIdentity != NULL) {
- CFTypeRef keys[5];
- CFTypeRef values[5];
+ CFTypeRef keys[4];
+ CFTypeRef values[4];
CFDictionaryRef query_dict;
CFStringRef label_cf = CFStringCreateWithCString(NULL, label,
kCFStringEncodingUTF8);
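Review bot: the sizes in `CFTypeRef keys[4];` / `CFTypeRef values[4];` are now hard-coded to the new entry count, while the entries themselves and the `4L` count handed to CFDictionaryCreate are set further down in a separate hunk; a single named constant (or a counter incremented as each key/value pair is stored) would keep the array size, the filled entries and the dictionary count from drifting apart the next time a query key is added or removed.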
@@ -1130,17 +1130,13 @@ static OSStatus CopyIdentityWithLabel(char *label,
values[2] = kSecMatchLimitAll; /* kSecMatchLimitOne would be better if the
* label matching below worked correctly */
keys[2] = kSecMatchLimit;
- /* identity searches need a SecPolicyRef in order to work */
- values[3] = SecPolicyCreateSSL(false, NULL);
- keys[3] = kSecMatchPolicy;
- /* match the name of the certificate (doesn't work in macOS 10.12.1) */
- values[4] = label_cf;
- keys[4] = kSecAttrLabel;
+ /* match tokens in CTK */
+ values[3] = kSecAttrAccessGroupToken;
+ keys[3] = kSecAttrAccessGroup;
query_dict = CFDictionaryCreate(NULL, (const void **)keys,
- (const void **)values, 5L,
+ (const void **)values, 4L,
&kCFCopyStringDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
- CFRelease(values[3]);
/* Do we have a match? */
status = SecItemCopyMatching(query_dict, (CFTypeRef *) &keys_list);
Which matches exactly the query I use in other software, and does successfully find the identity. However, trying to use that in the subsequent
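Review bot: replacing the kSecMatchPolicy and kSecAttrLabel entries with `keys[3] = kSecAttrAccessGroup;` / `values[3] = kSecAttrAccessGroupToken;` restricts the search to CryptoTokenKit identities only, so identities stored in a regular keychain file (the case the reporter says worked before the switch to a smart card) will no longer match this query; and since the label is no longer part of the query, with kSecMatchLimitAll the call now returns every token identity rather than the one named by `label`, so the caller still has to filter keys_list by label afterwards. Two smaller points: `label_cf` is still created with CFStringCreateWithCString earlier in the function but is no longer used in the query, so either drop its creation or make sure it is still released; and dropping `CFRelease(values[3]);` is correct here, because kSecAttrAccessGroupToken is a framework constant rather than an object this function owns, unlike the SecPolicyRef returned by SecPolicyCreateSSL that the old code had to release.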
Any thoughts what might be the issue here? This is still just a
Being concerned by the same Keychain/CryptoTokenKit problem, I'm glad I'm not alone (and that's why I'm still using Mojave).
The patch works on Big Sur as well (latest release), with the same token type (tested this time on the normal slot).
I did this
In the past, I have been able to run this command on macOS successfully, when a key has been generated in the keychain and the related signed client certificate has been loaded into the keychain.
However, after switching to an identity provided via Crypto Token Kit, i.e. where the key has been loaded from a smart card, this command no longer works and reports that it was unable to find the identity in the keychain. I know the identity is present and available for use, because I have used it successfully in both the Safari and Chrome browsers.
I expected the following
Since the identity is still loaded using the same keychain APIs, I expected that curl would be able to load the identity and successfully complete the request.
curl/libcurl version
I've tried with both the version of curl that ships with macOS:
And also one installed via brew:
operating system
macOS/Darwin
Big Sur 11.3.1