Post AXrfL2yNBifoMeJ5iS by hp@mastodon.tmm.cx
(DIR) More posts by hp@mastodon.tmm.cx
(DIR) Post #AXrehlNef5T4VdOsvA by mjg59@nondeterministic.computer
2023-07-19T21:15:33Z
1 likes, 3 repeats
STOP DOING PKCS#11* SECURITY SENSITIVE APPS WERE NOT SUPPOSED TO LOAD ARBITRARY CODE* YEARS OF DEVELOPMENT but NO REAL-WORLD USE CASE FOUND for PROPRIETARY CODE* Wanted to drive your HSM anyway for a laugh? We had a tool for that: it was called "GHIDRA"* "Yes, please dlopen() /usr/lib/systemd/boot/efi/linuxx64.elf.stub. Please dlclose() libsegfault.so" - Statements dreamed up by the utterly DerangedThey have played us for absolute fools
(DIR) Post #AXrfL2yNBifoMeJ5iS by hp@mastodon.tmm.cx
2023-07-19T21:23:08Z
0 likes, 0 repeats
@mjg59 nothing screams "my hsm is super secure" louder than "we don't trust you to not send the wrong commands to it, we can't guarantee the security in that case. Please use our shitty library šš".
(DIR) Post #AXrfe7Lz7lstSARdce by baloo@sfba.social
2023-07-19T21:26:32Z
0 likes, 0 repeats
@mjg59 yubihsm :)Commands to the hsm are documented. Code is open source. Folks at iqlusion have a rust crate to talk to it directly.
(DIR) Post #AXrok0MUvoVd5sZCj2 by shlee@aus.social
2023-07-19T23:08:33Z
0 likes, 0 repeats
@mjg59 why donāt they just make the whole computer out of the HSM?!
(DIR) Post #AXs36HxXaGEPOtPgEC by xlerb@sfba.social
2023-07-20T01:49:13Z
0 likes, 0 repeats
@mjg59 There's also Netscape's galaxy brain move of having the list of trusted CAs be a PKCS#11 module.Thus leading to this bit of, uh, system integration: https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/blob/8274edca65deb6dd9591f10abc90431fab823d99/elements/components/nss.bst#L138-139
(DIR) Post #AXs9Hhv00b6Yoz3JeC by federicomena@mstdn.mx
2023-07-20T02:58:55Z
0 likes, 0 repeats
@mjg59 What is blowing my mind is that apparently some libraries make the stack executable... in a constructor!? WTF?
(DIR) Post #AXsMnvId5m4qzcnV5M by lanodan@queer.hacktivis.me
2023-07-20T05:31:34.190851Z
0 likes, 0 repeats
@mjg59 Meanwhile PAM and most implementations of nsswich.conf are pretty much doing the same thing, even without PKCS#11 being involved.
(DIR) Post #AXtM9A37XfV21Y4AnQ by gerow@mastodon.sdf.org
2023-07-20T16:57:11Z
0 likes, 0 repeats
@mjg59 I have yet to see a nontrivial PKCS#11 module correctly handle dlclose without leaking something, which would normally be *kinda* ok, if not for the fact that wpasupplicant (and maybe others?) insist on closing and opening their configured modules in the same process during any reauth event.Which of course isnāt a dig at the library authors, but even further evidence that maybe blindly opening arbitrary libraries and letting them run code isnāt the best of āmodularā interfaces.
(DIR) Post #AXtlQPFEnSJMve3Oca by mjg59@nondeterministic.computer
2023-07-20T21:40:34Z
0 likes, 0 repeats
@gerow yet another argument for using p11-kit
(DIR) Post #AXtnAgL1fyglDZOJ8q by gerow@mastodon.sdf.org
2023-07-20T21:59:46Z
0 likes, 0 repeats
@mjg59 easy done with GnuTLS, although it looks like using PKCS#11 URIs with p11-kit might have gotten easier with OpenSSL since I last cared about this? If so, yeah certainly the better approach.
(DIR) Post #AXuHkff0fcQAALobxY by jerkey@mastodon.social
2023-07-21T03:43:18Z
0 likes, 0 repeats
@mjg59 this means something
(DIR) Post #AYnXD6gYzg77RXiHLM by KlavsKlavsen@fosstodon.org
2023-08-16T19:25:31Z
0 likes, 0 repeats
@mjg59Isn't pkcs11 what yubikeys (and nitrokeys etc implementing fido2 standard) use? For atleast some of the functionality
(DIR) Post #AYnZE07D6hBTGQjONM by mjg59@nondeterministic.computer
2023-08-16T19:48:06Z
0 likes, 0 repeats
@KlavsKlavsen yes, and it's shit
(DIR) Post #AYnZNV1ZYbeDjVchrU by mjg59@nondeterministic.computer
2023-08-16T19:48:37Z
0 likes, 0 repeats
@KlavsKlavsen the webauthn stuff doesn't use pkcs#11 at all, it's the other key management stuff that does
(DIR) Post #AYnZYvDQWFoM9IcAdM by KlavsKlavsen@fosstodon.org
2023-08-16T19:51:04Z
0 likes, 0 repeats
@mjg59 are there alternatives implemented anywhere, that they might also support, to allow for moving away from pkcs11?
(DIR) Post #AYnZjs8yHShHo6khSS by mjg59@nondeterministic.computer
2023-08-16T19:53:39Z
0 likes, 0 repeats
@KlavsKlavsen not usefully in the Linux world, sadly
(DIR) Post #AYnaJ2DGppSDAjWuoq by KlavsKlavsen@fosstodon.org
2023-08-16T19:59:54Z
0 likes, 0 repeats
@mjg59 if a decent alternate standard exists, atleast one could lobby relevant projects for implementing support (and if they agree and time and skill permits even contribute ti it. Whats the name of good alternatives for pkcs11? Then perhaps firefox could support it, and then yubikey etc. Could support it too.. And we'd start to have a choice :)
(DIR) Post #AYndc8K0eAT9TyTqkK by mjg59@nondeterministic.computer
2023-08-16T20:37:20Z
0 likes, 0 repeats
@KlavsKlavsen Windows Hello
(DIR) Post #AYoL0rP8yg4WHcv3Me by KlavsKlavsen@fosstodon.org
2023-08-17T04:42:57Z
0 likes, 0 repeats
@mjg59 but you start with linux doing it right and those that use windows is running crap anyways, so pkcs11 or not does not make a difference for those users
(DIR) Post #AYoPgvTYdBNetBIW36 by mjg59@nondeterministic.computer
2023-08-17T05:35:58Z
0 likes, 0 repeats
@KlavsKlavsen it is literally impossible to do it right with pkcs#11 because the entire point is to load arbitrary C code into address space belonging to your security-critical process
(DIR) Post #AYoQHKrhi8lW3exAXI by KlavsKlavsen@fosstodon.org
2023-08-17T05:42:19Z
0 likes, 0 repeats
@mjg59 my point is to implement a replacement standard in linux software, and get yubikey etc. To support that, so linux users stops needing the pkcs11 method
(DIR) Post #AYoQbEX8xfXYDEpAoK by mjg59@nondeterministic.computer
2023-08-17T05:46:18Z
0 likes, 0 repeats
@KlavsKlavsen the easiest thing to do would be to reimplement Windows Hello, which provides a sensible API for accessing biometric data and associated secrets and which is already supported by browsers so wouldn't require significant effort to adopt.
(DIR) Post #AYoQsEuIpGKkIHlYEy by KlavsKlavsen@fosstodon.org
2023-08-17T05:49:10Z
0 likes, 0 repeats
@mjg59 sounds like an issue with nitro key, yubikey etc. Proposing they support that protocol would further the cause, and then figure if its a new, or existing project that is needed for linux hello support
(DIR) Post #AYoR3lKYcHa62TXbI8 by mjg59@nondeterministic.computer
2023-08-17T05:49:59Z
0 likes, 0 repeats
@KlavsKlavsen they do support that protocol, Linux doesn't implement it
(DIR) Post #AYoRE1QvbMZqsPPfWK by KlavsKlavsen@fosstodon.org
2023-08-17T05:52:53Z
0 likes, 0 repeats
@mjg59 nice.
(DIR) Post #AYoY6YDqVaGjvrg87E by nyancient@ninjagroup.moe
2023-08-17T06:47:09.943Z
0 likes, 0 repeats
@mjg59@nondeterministic.computer @KlavsKlavsen@fosstodon.org I don't think any of the FIDO2 stuff used pkcs#11 though? It's only the smart card functionality, which you're not going to use unless you know that you "want to".
(DIR) Post #AYoY6Z65Fvece53Rei by mjg59@nondeterministic.computer
2023-08-17T07:10:06Z
0 likes, 0 repeats
@nyancient @KlavsKlavsen At the moment there's no way to provide arbitrary device support for WebAuthn on Linux because the apps are speaking USB directly rather than there being a platform layer that abstracts other biometric devices that could do the same job, so for apps that aren't aware of the specific hardware interface you're left with PKCS#11 at best
(DIR) Post #AYpDfo6fXUwxS7FfLE by nyancient@ninjagroup.moe
2023-08-17T12:32:33.739Z
0 likes, 0 repeats
@mjg59@nondeterministic.computer @KlavsKlavsen@fosstodon.org CTAP2 is part of the FIDO2 spec. Doesn't that abstract over different implementations? I only own Yubikeys myself, but I was under the impression that all certified FIDO2 devices speak the same protocol.
(DIR) Post #AYpDfozGGWcQBQnGQy by mjg59@nondeterministic.computer
2023-08-17T14:55:51Z
0 likes, 0 repeats
@nyancient @KlavsKlavsen over USB, sure. Now add Bluetooth, or anything implemented using platform authenticators, and so on.
(DIR) Post #AYrUozoLTkGjtdZHvs by nyancient@ninjagroup.moe
2023-08-18T17:03:12.490Z
0 likes, 0 repeats
@mjg59@nondeterministic.computer @KlavsKlavsen@fosstodon.org Oh, I didn't know CTAP2 was USB only.
(DIR) Post #AYrUp0S3681nsm8zom by mjg59@nondeterministic.computer
2023-08-18T17:17:16Z
0 likes, 0 repeats
@nyancient @KlavsKlavsen CTAP2 is transport agnostic, but there's no Linux support for anything other than USB. And not every device people want to use as an authenticator speaks it (eg, you could have a TPM-backed token, but something's going to need to abstract that)