Skip to content
This repository has been archived by the owner on Sep 3, 2024. It is now read-only.

Fortify 2.0.0 not able to detect client certificate if Yubikey is unplugged and plugged again #582

Open
pmhatre-swi opened this issue Aug 27, 2024 · 5 comments
Open

Fortify 2.0.0 not able to detect client certificate if Yubikey is unplugged and plugged again #582

pmhatre-swi opened this issue Aug 27, 2024 · 5 comments
Labels
bug

Comments

@pmhatre-swi
Copy link

pmhatre-swi commented Aug 27, 2024
edited
Loading

Fortify 2.0.0 not able to detect client certificate if Yubikey is unplugged and plugged again.
Fortify 2.0.0 is installed from below link: https://github.com/PeculiarVentures/fortify-releases/releases/tag/v2.0.0

This issue is observed during Operation Approval process in on the of feature.

Setup configuration:
Environment: https://eu.airvantage.net/authorize

HC operation signer Laptop configuration:
OS version: Windows 11
Browser: Mozilla Firefox
Fortify version: 2.0.0
Yubikey version: Yubikey 5 NFC (FW version: 5.7.1)

Steps to re-produce the issue:

  1. Trigger multiple operations on device.

  2. The operation goes for approval.

  3. Connect the Yubikey to the Operation signer laptop.

  4. Approve single operation.

  5. Verify operation is successful.

  6. Unplug the Yubikey from laptop.

  7. Connect the Yubikey again to the laptop.

  8. Approve any operation.

  9. Fortify prompt on approval page does not detect any certificate loaded on Yubikey.

Observations:

  1. This issue is not seen with Fortify version 1.8.4

  2. This issue is seen with Yubikey 5.4.3 as well as Yubikey 5.7.1

Workaround:
User need to close and re-open Fortify app running on the laptop.

Fortify logs are attached.
Fortify Logs.txt
@microshine
Copy link
Collaborator

Thank you very much for the information provided. I have reviewed the logs provided and noted the following data:

{"message":"New token was added to the reader","source":"pcsc","reader":"Yubico YubiKey OTP+FIDO+CCID 0","atr":"3bfd1300008131fe158073c021c057597562694b657940"}
{"message":"Token was added to the reader","source":"provider","reader":"Yubico YubiKey OTP+FIDO+CCID 0","name":"Yubico Yubikey 4 OTP+U2F+CCID","atr":"3bfd1300008131fe158073c021c057597562694b657940"}
{"message":"Loading PKCS#11 library","source":"provider","library":"C:\\Program Files\\Yubico\\Yubico PIV Tool\\bin\\libykcs11.dll"}
{"message":"Looking for slot","source":"provider","slots":1}
{"message":"Use ConfigTemplateBuilder","source":"provider"}
{"message":"PKCS#11 library information","source":"provider","library":"C:\\Program Files\\Yubico\\Yubico PIV Tool\\bin\\libykcs11.dll","manufacturerId":"Yubico (www.yubico.com)","cryptokiVersion":{"major":2,"minor":40},"libraryVersion":{"major":2,"minor":52},"firmwareVersion":{"major":1,"minor":0}}
{"message":"Crypto provider was added to the list","source":"provider","library":"C:\\Program Files\\Yubico\\Yubico PIV Tool\\bin\\libykcs11.dll","name":"Yubico Yubikey 4 OTP+U2F+CCID","reader":"Yubico YubiKey OTP+FIDO+CCID 0"}
{"message":"Amount of tokens was changed","source":"provider-service","added":1,"removed":0}
{"message":"Token was removed from the reader","source":"pcsc","reader":"Yubico YubiKey OTP+FIDO+CCID 0","atr":"3bfd1300008131fe158073c021c057597562694b657940"}
{"message":"Token was removed from the reader","source":"provider","reader":"Yubico YubiKey OTP+FIDO+CCID 0","name":"Yubico Yubikey 4 OTP+U2F+CCID","atr":"3bfd1300008131fe158073c021c057597562694b657940"}
{"message":"Token was removed from the reader","source":"pcsc","reader":"Yubico YubiKey OTP+FIDO+CCID 0","atr":"3bfd1300008131fe158073c021c057597562694b657940"}
{"message":"Server event error","source":"server","error":"SCardListReaders error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)","stack":"Error: SCardListReaders error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)"}
{"message":"Server event error","source":"server","error":"SCardListReaders error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)","stack":"Error: SCardListReaders error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)"}
{"message":"Server event error","source":"server","error":"SCardListReaders error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)","stack":"Error: SCardListReaders error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)"}
{"message":"Server event error","source":"server","error":"Cannot find removed slot in PKCS#11 library C:\\WINDOWS\\System32\\libykcs11-1.dll. Win32 error 126","stack":"WebCryptoLocalError: Cannot find removed slot in PKCS#11 library C:\\WINDOWS\\System32\\libykcs11-1.dll. Win32 error 126\n    at new WebCryptoLocalError (C:\\snapshot\\fortify-app\\node_modules\\@webcrypto-local\\server\\build\\index.js:402:23)\n    at LocalProvider.onTokenRemove (C:\\snapshot\\fortify-app\\node_modules\\@webcrypto-local\\server\\build\\index.js:3083:40)"}
{"message":"uncaughtException","source":"server"}
{"message":"uncaughtException","source":"server"}
{"message":"Crypto provider was removed from the list","source":"provider"}
{"message":"Finalize crypto provider","source":"provider"}
{"message":"Amount of tokens was changed","source":"provider-service","added":0,"removed":1}

I was surprised to see that the application uses libykcs11.dll from Program Files when connecting, but uses a library from System32 when disconnecting. This could be a problem with incorrect application behavior.

Also, I noticed that it would be beneficial to expand the logs and add information about provider identifiers, so we can monitor which provider was added or removed from the application.

I will try to reproduce the problem locally and will let you know when I have more information.

@microshine microshine added the bug label Aug 27, 2024
@microshine
Copy link
Collaborator

I have reproduced the problem locally. I am identifying the cause and making corrections.

@pmhatre-swi
Copy link
Author

I tried Fortify 2.0.2 test version provided by Ryan Hurst to verify the issue fix. [Test version Fortify app: https://drive.google.com/file/d/1IjTllOs769yhqcrxSS_RUCfM8iSgLRhE/view?usp=sharing]

I observed that Fortify Client is not detected while approving the operation.
Fortify client not detected

Attached Fortify Logs:
Fortify Logs.txt

@microshine
Copy link
Collaborator

microshine commented Sep 2, 2024
edited
Loading

Thank you for testing the update and providing the report. I have tried installing the version provided via the link and replicated the Yubico token connection. It worked without any issues on my end. However, there are a few things in the logs you've provided that caught my attention:

  1. No Record of the Site Connecting to the Fortify Server
    There should be log entries indicating the connection between the site and the Fortify server. If you search for the word "origin," you should see entries like:

    {"message":"Create a new connection","source":"server","origin":"https://tools.fortifyapp.com"}
{"message":"Push session to stack","source":"server","origin":"https://tools.fortifyapp.com"}

    This might indicate an issue with the server not starting correctly or a problem with the SSL certificate installation.

    To manually verify that the server is running and the certificate is installed correctly, you can visit the local link:
    https://127.0.0.1:31337/.well-known/webcrypto-socket

  2. Fortify Application Detects Yubico Token Connection and Disconnection
    According to the logs, the Fortify application is detecting the connection and disconnection of the Yubico token. The logs contain entries like:

    {"message":"PKCS#11 library information","source":"provider","library":"C:\\Program Files\\Yubico\\Yubico PIV Tool\\bin\\libykcs11.dll","manufacturerId":"Yubico (www.yubico.com)","cryptokiVersion":{"major":2,"minor":40},"libraryVersion":{"major":2,"minor":52},"firmwareVersion":{"major":1,"minor":0}}
{"message":"Crypto provider was added to the list","source":"provider","library":"C:\\Program Files\\Yubico\\Yubico PIV Tool\\bin\\libykcs11.dll","name":"Yubico Yubikey 4 OTP+U2F+CCID","reader":"Yubico YubiKey OTP+FIDO+CCID 0"}
{"message":"Amount of tokens was changed","source":"provider-service","added":1,"removed":0}

{"message":"Token was removed from the reader","source":"pcsc","reader":"Yubico YubiKey OTP+FIDO+CCID 0","atr":"3bfd1300008131fe158073c021c057597562694b657940"}
{"message":"Token was removed from the reader","source":"provider","reader":"Yubico Yubikey 4 OTP+U2F+CCID 0","name":"Yubico Yubikey 4 OTP+U2F+CCID","atr":"3bfd1300008131fe158073c021c057597562694b657940"}
{"message":"Crypto provider was removed from the list","source":"provider"}
{"message":"Finalize crypto provider","source":"provider"}
{"message":"Amount of tokens was changed","source":"provider-service","added":0,"removed":1}

Please check that the Fortify application is running properly and that the Fortify server is operational. I verified the connection/disconnection through https://tools.fortifyapp.com/. This site dynamically displays the list of connected devices.

image

@pmhatre-swi
Copy link
Author

Hi,

Thank you for providing the insights.
I checked on link https://127.0.0.1:31337/.well-known/webcrypto-socket, that the server is running fine.
I am able to approve the operations after unplugging and plugging the Yubikey to the host laptop.

Issue is not seen with Fortify test version 2.0.2 (https://drive.google.com/file/d/1IjTllOs769yhqcrxSS_RUCfM8iSgLRhE/view?usp=sharing)

Please merge these changes into official Fortify release so that we can test with official Fortify release.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@microshine @pmhatre-swi