{"id":1494,"date":"2016-05-25T16:13:00","date_gmt":"2016-05-25T20:13:00","guid":{"rendered":"https:\/\/risacher.org\/jfdi\/?p=1494"},"modified":"2019-02-25T21:57:55","modified_gmt":"2019-02-26T02:57:55","slug":"p11-capi","status":"publish","type":"post","link":"https:\/\/risacher.org\/jfdi\/2016\/05\/p11-capi\/","title":{"rendered":"p11-capi now supports SHA-256"},"content":{"rendered":"

tl;dr: I fixed p11-capi<\/a> to support SHA-256<\/a>, thus making it useful again.\u00a0 In doing so, I basically acquired custodianship of an open source project.<\/p>\n

<\/p>\n

\"p11capi-snip\"<\/a>P11-capi, developed by Stef Walter in 2008<\/a>, is a very clever shim that allows Firefox-on-Windows to use the Microsoft Cryptographic API (CAPI)<\/a>.\u00a0 Natively, Firefox uses the PKCS#11 API<\/a> to interface with cryptographic tokens.\u00a0 Unfortunately, PKCS#11 is not supported by middleware vendors as well as CAPI.\u00a0 P11-capi is a PKCS#11 module that just mediates to the appropriate CAPI calls.<\/p>\n

I used p11-capi to access my US-government-issued smartcard from Firefox-on-Windows for years, mainly because I started using a 64-bit version of Firefox (Waterfox<\/a>).\u00a0 I could not find extant Windows 64-bit PKCS#11 middleware, but I compiled 64-bit p11-capi without much trouble.\u00a0 In doing so, I discovered that p11-capi had the additional benefit of not causing other applications to lock up, because CAPI was mediating access to the smartcard in ways that PKCS#11 could not.\u00a0\u00a0 In particular, I was using my smartcard with both Firefox and Outlook, and the two applications were fighting for access to the smartcard.\u00a0\u00a0\u00a0 Using p11-capi solved this problem.<\/p>\n

In 2012, I started publishing 32-bit and 64-bit binaries<\/a> for p11-capi as a convenience for anyone who wanted to use them, with a digitally signed assertion that I had inspected the code for back doors and compiled it myself.<\/p>\n

Alas, sometime around 2013, I started having trouble with Firefox not authenticating to web sites with the smartcard, reporting “SSL_ERROR_SIGN_HASHES_FAILURE”.\u00a0\u00a0 I tried to troubleshoot it, but my experience with the Microsoft Cryptographic API was virtually nonexistent, and my compile-debug-edit cycle was very slow because of factors beyond my control.\u00a0 Eventually I gave up and resigned myself to use Internet Explorer for any web sites that required PKI client authentication.<\/p>\n

Recently (May 2016), I picked it up again and poked a little harder.\u00a0 Ultimately, I determined that Firefox was asking p11-capi to use a SHA-2<\/a> hash (SHA-256, in particular), but that CAPI was reporting that it couldn’t use that algorithm.\u00a0 In particular, when I ask CAPI to resolve the OID for SHA-256, CertOIDToAlgId(\"2.16.840.1.101.3.4.2.1\")<\/code> (i.e. the OID for SHA-256) returns CALG_OID_INFO_CNG_ONLY<\/code>.\u00a0\u00a0\u00a0 I suspect that multiple Cryptographic Service Providers are registering the SHA-256 OID, and that some of them are registering it as “CNG Only” and other CSPs implement it.\u00a0 CertOIDtoAlgId()<\/a> is basically returning the first (or last) registration of that OID.\u00a0\u00a0 Possibly CryptEnumOIDInfo()<\/a> is a better approach.<\/p>\n

Long-story-short, I added some special cases just to handle SHA-2 algorithms, and solved the technical issue.\u00a0 Since Stef Walter has no particular interest in maintaining p11-capi, I guess I now “own” the project, for lack of someone more sensible.\u00a0 Stef was kind enough to add a note on his git repo that points to my git repo to make it “official”.<\/p>\n","protected":false},"excerpt":{"rendered":"

tl;dr: I fixed p11-capi to support SHA-256, thus making it useful again.\u00a0 In doing so, I basically acquired custodianship of an open source project.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,11,21,12],"tags":[],"class_list":["post-1494","post","type-post","status-publish","format-standard","hentry","category-it","category-oss","category-pki","category-work"],"_links":{"self":[{"href":"https:\/\/risacher.org\/jfdi\/wp-json\/wp\/v2\/posts\/1494","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/risacher.org\/jfdi\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/risacher.org\/jfdi\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/risacher.org\/jfdi\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/risacher.org\/jfdi\/wp-json\/wp\/v2\/comments?post=1494"}],"version-history":[{"count":10,"href":"https:\/\/risacher.org\/jfdi\/wp-json\/wp\/v2\/posts\/1494\/revisions"}],"predecessor-version":[{"id":1604,"href":"https:\/\/risacher.org\/jfdi\/wp-json\/wp\/v2\/posts\/1494\/revisions\/1604"}],"wp:attachment":[{"href":"https:\/\/risacher.org\/jfdi\/wp-json\/wp\/v2\/media?parent=1494"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/risacher.org\/jfdi\/wp-json\/wp\/v2\/categories?post=1494"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/risacher.org\/jfdi\/wp-json\/wp\/v2\/tags?post=1494"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}