[webkit-gtk] Support for PKCS11 / Smartcard?

mailto428496 mailto628496 at cox.net
Sat Dec 1 16:01:05 PST 2018


Thanks for the response!

On 12/01/2018 12:14 PM, Michael Catanzaro wrote:
> On Fri, Nov 30, 2018 at 8:41 PM, mailto428496 <mailto628496 at cox.net>
> wrote:
>> It does not appear that webkit-gtk has support for PKCS 11 and hence
>> smartcard devices, unless I am missing something...?  I was wondering if
>> there were any plans to implement this for webkit-gtk browsers?
> Hm...
> p11-kit is supported in Fedora, Arch, and any other distro that builds
> GnuTLS using --with-default-trust-store-pkcs11="pkcs11:". It won't
> work in Debian/Ubuntu/openSUSE or other distros that still use
> old-fashioned ca-certificate file storage. But in distros with p11-kit
> enabled, PKCS#11 assertions are supposed to be respected when
> performing server certificate verification.

I am testing this on CentOS 7 and it appears that the server cert ca
verification is working (we have the CA stores installed locally), at
least it doesn't complain that the site cert is invalid, but I suppose
it could just not be checking at all (which wouldn't be so great either...).

> But I don't know about smartcards. So the answer to that is: maybe?
> Maybe almost? WebKit doesn't currently support TLS client
> authentication at all, so my guess is not at the WebKit level. That's
> being actively worked on though, in
> https://bugs.webkit.org/show_bug.cgi?id=164509. (I know there's not
> much in the way of updates there, but it really is being worked on. :)

It's good to hear there is some work in that direction.  It sounds like
some of the background work is being done but probably not the actual
hooks for pulling in the libraries for interfacing with smartcard (as I
mention below)?

> But that won't help if smartcards aren't working at the GLib level,
> and I'm not sure about the status there. I am quite certain that
> nobody working on this code has a smartcard or would know what to do
> with one, though. :( We used to have separate support in
> glib-networking for PKCS#11. I disabled it in 2.58 and recently
> deleted it entirely because nobody could tell me if it does anything
> that GnuTLS can't do itself nowadays. For details on that, see
> https://gitlab.gnome.org/GNOME/glib-networking/issues/7. Now, if you
> have an older version of glib-networking (2.56 or earlier) then you
> could try it out with the environment variable
> GIO_USE_TLS=gnutls-pkcs11, but remember that client authentication
> will not work in WebKit regardless, and I'm not sure what other apps
> you could use to test it. Anyway, my suspicion is that that code was
> not important, and that if any extra work is needed to make smartcards
> work, it should be done using the GnuTLS PKCS#11 APIs instead:
> https://www.gnutls.org/manual/html_node/Smart-cards-and-HSMs.html

I think there would need to be an interface to the opensc or coolkey
libraries in order for it to access the smartcard.  It sounds like it is
a bit more complicated where there are multiple layers and packages
involved that would all need to support each other in order for this to

> but really, I don't know. It would need to be investigated by a
> developer with a smartcard and some interest in figuring out how it's
> supposed to work. You might know more than me! Did any of that make
> sense?

There has been discussion of contracting a developer to help with this
(if we can get funding, etc.) and if that happened I would hope that any
result could be contributed back to the open source community (but given
that it's the government that is another whole process).

I wanted to be sure that I wasn't missing something and that support was
not already included - which it sounds pretty clear that it isn't yet,
but maybe some of the groundwork is getting there?  And I wanted to get
an idea of what it might take to implement - which sounds non-trivial
but doable for someone willing to dig into the weeds and figure out how
all the pieces need to work together.

Thanks again!
