[webkit-gtk] Support for PKCS11 / Smartcard?
Michael Catanzaro
mcatanzaro at igalia.com
Sat Dec 1 09:14:07 PST 2018
On Fri, Nov 30, 2018 at 8:41 PM, mailto428496 <mailto628496 at cox.net> wrote:
> It does not appear that webkit-gtk has support for PKCS 11 and hence
> smartcard devices, unless I am missing something...? I was wondering if
> there were any plans to implement this for webkit-gtk browsers?

Hm...

p11-kit is supported in Fedora, Arch, and any other distro that builds
GnuTLS using --with-default-trust-store-pkcs11="pkcs11:". It won't work
in Debian/Ubuntu/openSUSE or other distros that still use old-fashioned
ca-certificate file storage. But in distros with p11-kit enabled,
PKCS#11 assertions are supposed to be respected when performing server
certificate verification.

But I don't know about smartcards. So the answer to that is: maybe?
Maybe almost? WebKit doesn't currently support TLS client
authentication at all, so my guess is not at the WebKit level. That's
being actively worked on though, in
https://bugs.webkit.org/show_bug.cgi?id=164509. (I know there's not
much in the way of updates there, but it really is being worked on. :)

But that won't help if smartcards aren't working at the GLib level, and
I'm not sure about the status there. I am quite certain that nobody
working on this code has a smartcard or would know what to do with one,
though. :( We used to have separate support in glib-networking for
PKCS#11. I disabled it in 2.58 and recently deleted it entirely because
nobody could tell me if it does anything that GnuTLS can't do itself
nowadays. For details on that, see
https://gitlab.gnome.org/GNOME/glib-networking/issues/7. Now, if you
have an older version of glib-networking (2.56 or earlier) then you
could try it out with the environment variable
GIO_USE_TLS=gnutls-pkcs11, but remember that client authentication will
not work in WebKit regardless, and I'm not sure what other apps you
could use to test it. Anyway, my suspicion is that that code was not
important, and that if any extra work is needed to make smartcards
work, it should be done using the GnuTLS PKCS#11 APIs instead:
https://www.gnutls.org/manual/html_node/Smart-cards-and-HSMs.html
but really, I don't know. It would need to be investigated by a
developer with a smartcard and some interest in figuring out how it's
supposed to work. You might know more than me! Did any of that make
sense?

Michael