hwcrypto / hwcrypto.js Goto Github PK

Latest hwcrypto.js 0.0.10 does not allow signing in IE 11 in Windows 10.

Error that is shown is: 'Promise' is undefined

Internet Explorer exact version

Hello, it looks like hwcrypto.github.io does not work and returns the 404 error.

Could you also build and publish the hwcrypto.min.js file?

So that only a certain set of backend implementations are enabled.

When trying to call this function I see this error.
Any ideas?

import { hwcrypto } from '../hwcrypto/hwcrypto';

const signEstonianIdCard = (offerId: string) => {
    hwcrypto.getCertificate({ lang: 'en' }).then(function (certificate) {
      const hash = hexToPem(certificate.hex);
      hwcrypto
        .sign(certificate, { type: 'SHA-256', hex: hash }, { lang: 'en' })
        .then(
          function (signature: any) {
            request('customer', 'person')
              .get()
              .then((res) => {
                request('loans', 'sign/contract').post({
                  offerId,
                  userId: res.data.personDetails.idPerson,
                  signatureHash: signature.hex,
                  signingParty: 'applicant',
                });
              });
          },
          function (error: any) {
            console.log(`Signing failed:  ${error.message}`);
          }
        );
    });
  };

// Prepared function for easier exports 
export const hwcrypto = function hwcrypto() {
    "use strict";
    var _debug = function(x) {};
    _debug("hwcrypto.js activated");
    window.addEventListener = window.addEventListener || window.attachEvent;
    function hasPluginFor(mime) {
        return navigator.mimeTypes && mime in navigator.mimeTypes;
    }
[...]

fields.getCertificate = function(options) {
        if (typeof options !== "object") {
            _debug("getCertificate options parameter must be an object");
            return Promise.reject(new Error(INVALID_ARGUMENT));
        }
        if (options && !options.lang) {
            options.lang = "en";
        }
        return _autodetect().then(function(result) {
            // removed if statements because it was throwing errors on dev environment 
            return _backend.getCertificate(options).then(function(certificate) {
                if (certificate.hex && !certificate.encoded) certificate.encoded = _hex2array(certificate.hex);
                return certificate;
            });
        });
    };

hwcrypto-extension does not inject scripts to websites any more, which means that the messaging API needs to be implemented by hwcrypto.js itself.

But "Origin doesn't contain https". How I can use file origin to develop. Something addon to extension js ? I'm only interested to read personal data from cert (card).

When running hwcrypto.js 0.0.9 inside an iframe, it's not able to detect the backend due to using the "window" object for detection. This is not the same object as the one where the chrome extension has bound the "TokenSigning" function, which is in the top frame.

A workaround is to use window.top instead of window.

It is not needed, actually.

getCertificate({lang:'ET',filter:'AUTH'}) returns SIGN certificate instead of AUTH under IE11 and asks for PIN2. For all other browsers (Edge, FF, Chrome) it works as expected.
Is it something that can be fixed quickly?

Hi!

Thank you for the good work.

I was able to sign a document using the chrome native extensions and hwcrypto.

Is there anyway to generate a .p7s file?

cheers!

Maybe call this hwcrypto-lgacy.js, which is required mostly for older IE-s

Hi.

Does it support IE9 and IE10 browsers?

If I click sign on https://open-eid.github.io/hwcrypto.js/sign.html the page generates error(console output):

hwcrypto.js activated
Autodetecting best backend
Assuming IE BHO, testing
Loading plugin for application/x-digidoc into hwcapplicationxdigidoc
Using backend: undefined
Error
{

description: "",
message: "",
name: "Error",
number: -2147352567,
stack: "Error
at Anonymous function (https://open-eid.github.io/hwcrypto.js/hwcrypto.js:113:21)
at Promise (https://open-eid.github.io/hwcrypto.js/js/lib/npo.src.js:264:4)
at getCertificate (https://open-eid.github.io/hwcrypto.js/hwcrypto.js:111:13)
at fields.getCertificate (https://open-eid.github.io/hwcrypto.js/hwcrypto.js:251:9)
at sign (https://open-eid.github.io/hwcrypto.js/sign.html:58:5)
at onclick (https://open-eid.github.io/hwcrypto.js/sign.html:128:36)"
}

Error: 0 with:
Unknown error: 0 with:

(was using IE11 with IE10 Document mode emulation)

Thank You.

Hello!
First of all, thanks for building and maintaining this amazing library.
This is a request for help or information more than a bug report.
I want to add timestamped signatures to an ASIC-E container. I am using eideasy-browser-js to create the containers, and I can create a successful signature (SHA-256 for example) using hwcrypto.
What I want is to know how to convert that signature into a valid xAdES signature to be inserted into the container.

Any insight or help greatly appreciated.
Thanks

I got the certificate from the token as a hex code ,so i need to use this certificate to sign a pdf in back end (.net C#). but I got error private key is missing. I have a doubt that always certificate from the token does not has private key or I made mistake somewhere else .
Additional information: I got the details of the certificate from its hex code , but while signing only its showing No private key error
I am using hwcrypto.js for getting certificate from USB token.

I'm using hwcrypto for working with Estonian E-residency card. There is no problem with getting certificates and signing messages, but I can't understand one thing: is there any way to get "determined" signature for determined message and options?

For now, each time I'm signing a message some random nonce is used, so the signature is different each time (message and options are the same). Can I somehow pass my own nonce into the sign function?

I've already tried to pass nonce parameter into hash and options and both of them - didn't work, still random nonce appeared.

Why it is now disabled getting certificate with with AUTH filter?
window.hwcrypto.getCertificate({
lang: 'et',
filter: 'AUTH'
})
Example in Linux chrome code i can see, that it's now hard coded response as invalid_argument (similar line in osx and windows):
open-eid/chrome-token-signing@82d5f5c#diff-fe43588ba7b913eece962fff6f946b5298389c96751d5d86d93c51127cf776deR121

Result for this change is that i cannot create signature with PIN1, so i cannot handle login normally as i can only sign hash with PIN2.

Plugin log:
2021-02-08 16:23:15 [36088] main_block_invoke() [chrome-host.mm:80] Message size: 2
2021-02-08 16:23:15 [36088] main_block_invoke() [chrome-host.mm:95] Message (2): {}
2021-02-08 16:23:15 [36088] write() [chrome-host.mm:38] Response(37) {"result":"invalid_argument","ver":1}
2021-02-08 16:23:20 [36204] main() [chrome-host.mm:54] Starting native host 1.1.3.539
2021-02-08 16:23:20 [36204] main_block_invoke() [chrome-host.mm:80] Message size: 129
2021-02-08 16:23:20 [36204] main_block_invoke() [chrome-host.mm:95] Message (129): {"type":"CERT","lang":"et","filter":"AUTH","nonce":"u3ssh12wj729cx0r","src":"page.js","origin":"https://***","tab":66}
2021-02-08 16:23:20 [36204] write() [chrome-host.mm:38] Response(64) {"result":"invalid_argument","nonce":"u3ssh12wj729cx0r","ver":1}

Technical description in https://github.com/open-eid/hwcrypto.js/wiki/Authentication

From here: https://demo.yubico.com/js/u2f-api.js

-- Edit --
Post in wrong repository

is new estonian id card supported?

So right now we‘re struggling with the following hwcrypto.js + SK ID software issues:
• When signing documents (hashes), the user is being asked for PIN only once. While browser stays opened, even after reloading pages, etc. – tested on Chrome 53.0.2785.116 m, Firefox 45.3.0. Tested with Lithuanian ID card, which uses CryptoCard software as a driver.
• Sometimes certificate selection popup shows same certificate listed twice.
• Sometimes certificate selection popup can’t detect certificate, but after a few tries – the certificate appears.
• Using IE11 + usb key, issued by “Center of Registry”, the hwcrypto throws an error “invalid_argument”.

For us, the most critical one is that user is not being asked for PIN after entering it once. I wonder if there was testing and implemented use cases regarding SK software + Lithuanian ID cards.

is it possible with help of hwcrypto
to allow javascript get response from ID Card: name, username, email and so on ?

Signwise plugin link is broken in documentation. The link does not work: https://www.signwise.me/p/about/plugin

https://open-eid.github.io/hwcrypto.js/sign.html
Token signing extension is installed and activated in my Chrome but It seems that it is never recognised by hwcrypto :(

This is sign.html 0.0.10 running on
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
sign() clicked on Sun, 31 Jul 2016 18:37:32 GMT
Signing SHA-256: 413140d54372f9baf481d4c54e2d5c7bcf28fd6087000280e07976121dd54af2
Debug: hwcrypto.js 0.0.10 with failing backend Chrome native messaging extension
getCertificate() failed: Error: no_implementation

I don't find npm module https://www.npmjs.com/search?q=hwcrypto
Only bower?

Probably not attaching to the window.hwcrypto interface

GetCertificate takes too long.

The results on my i9 processor are the following:

Is the slow performance caused by browser plugin or could there be optimizations made in hwcrypto.js?
The plugin I used is Chrome native messaging extension 0.0.30/1.0.9.507.

Hello,

We use hwcrypto as authentication with a signature-verification scheme. The user in the browser generates a signature with their certificate (private key, using AUTH certificate), and the backend verifies the signature using the public certificate of the user. We also use it to sign contracts, this time, using the SIGN certificate. This incorrect behavior I am describing applies to both cases.

The implementation has been working well so far, but recently we started experiencing problems. Every time you call the code that generates the signature, you get a different one, even using the same input text. The problem is that some (most?) of those signatures cannot be verified as correct signatures in the backend, whereas some of them are.

This had been working fine and dandy for months until it stopped working at a certain point (we are not sure exactly when, it took us some time to identify the problem).

The signatures generated are different, so multiple calls to "sign" from the browser using your library yield different signatures. Some of them are properly validated by the backend (a minority), some others are not (most of them). To generate the signatures, we use the function:

engine.sign(cert, {type: hashtype, hex: hash}, {lang: lang}).then(function(response) {
 var sig = response.hex
 var nonceSigned = hexToBase64(sig)
 validateSignature(certfull, nonce, sig)
 callback(null, cert, certfull, nonce, sig)
 }, function(err2) {
 callback(new Error("Error signing request with your certificate: " + err2))
})

In the backend, we use the library jsrsasign to verify these signatures.

This is our code to verify the signatures. Pretty standard and was working before.

const { Certificate, PrivateKey } = require('@fidm/x509')
var rs = require('jsrsasign')
var rsu = require('jsrsasign-util')

const SIGNATURE_HASH_ALGORITHM = "sha256"
const SIGNATURE_EC_HASH_ALGORITHM = "SHA256withECDSA"

exports.verifyRawECSignature = function (plain, rawSignature, certificateData, signatureAlgorithm) {
	if (!signatureAlgorithm) { signatureAlgorithm = SIGNATURE_EC_HASH_ALGORITHM }
	var asn1Signature = exports.rawECHexSignatureToASN1Signature(rawSignature)

	var pub = rs.KEYUTIL.getKey(certificateData)
	var sig = new rs.KJUR.crypto.Signature({alg: signatureAlgorithm})
	sig.init(pub)
	sig.updateString(plain)
	return sig.verify(asn1Signature)
}

Plain texts to sign are always SHA256 hashes of a document, or a utc timestamp string.

Curiously enough, for the same certificate, and same plain text, we obtain different signatures every time, and some of them are verified OK and some others are not.

So in one iteration (a completely random one), the generated nonce (SHA256 of a document) signed works:

Plain: aef3d564d40ef79349f73bda0c6a3a2c0c3032d1e762d5bbdb8bb783de22596b
rawSignature: A364F3B42BDD8E9AE0191794A5E654AA1ED8BCAF43CC1987C6BD577B65CE265525053010436F4BBA36DAD231EAE02FC796559F873083D67043A00CE42F6E602BFC7878EDAB4EDB1FDBF5CD446EB1C946AC440B2581BF9C2BBC924AFDE2BDE8F7
certificateData:
-----BEGIN CERTIFICATE-----MII [...] ZHYdOg==-----END CERTIFICATE-----
signatureAlgorithm: SHA256withECDSA
signature valid: true

But another iteration (most of them indeed) the signature generated is completely different and does not get validated by the backend. Using the exact same code with the exact same certificate and Plain text.

Plain: aef3d564d40ef79349f73bda0c6a3a2c0c3032d1e762d5bbdb8bb783de22596b
rawSignature: 5C889F858ACB65A751123627109FD957FEADEEA49CD8774EE7817A8758009DE2081128418838E989D9F6A013FA83AE77A2D929AD4531146E3A4C3C5C13A7A6334D56D0FBE78A0D5C67FDC4FAD6DCC136AC44A2C9C66F1A3DB848709B38A4FD0B
certificateData: -----BEGIN CERTIFICATE-----MII [...] ZHYdOg==-----END CERTIFICATE-----
signatureAlgorithm: SHA256withECDSA
signature valid: false

Any idea why this may be happening?
Happy to share any other information required.

The Firefox web browser used to support a javascript function called crypto.signText() that presented some text to the end user, and invited the user to sign the text with a digital certificate.

This was removed from the Firefox project without a replacement.

I propose the same functionality be added to hwcrypto.js, so as to make it possible to sign text as was possible before.

Linked issues: open-eid/chrome-token-signing#165

Hello,

I'd like to use hwcrypto to generate a signature and insert the signature and certificate in a pdf.

The data I'm trying to sign is an asn1 value hex encoded value
3169301806092a864886f70d010903310b06092a864886f70d010701301c06092a864886f70d010905310f170d3231303732333038313833315a302f06092a864886f70d010904312204202c2c0a3e069410fb2f747d0225ec453e90f8c8c82847999e088baa589ca80a0b

When passing this data the hwcrypto, I get an invalid hash error.
What format is excepted for the hash to sign ?

Cheers

Hey

What about skipping the PIN2 input in case of batch signing multiple documents? In case user has to sign 100 documents, It would be convenient to not enter PIN2 for every single document. Is there any way to skip it?

1. Kas on ka mingi kiirem kanal suhtluseks kui issue-tracker? Praeguste küsimuste ja teemade juures tundub see pisut ebasobiv või aeglane. samas sk suunas siia.
2. sai just (15.aprill) chrome 42 installeeritud, ja https://open-eid.github.io/hwcrypto.js/sign.html ei tööta. Autodetect ei suuda sobivat backendi laadida. Kas see ajutine probleem (viimasest commitist mõnda aega juba möödas) või peaks siiski kõik töötama? (vähe vanema js failiga (see kus versiooni number on 0.1.0) chrome 41 veel toimis)
3. ja peamine teema: praegune hwcrypto lahendus on üles ehitatud ideele, et leht laaditakse ühe korra, ning sisu muudatused (peale serdi laadimist allkirjastamine) laetakse taustal ajaxi päringutega. Samas vana lahendus (idCard.js) oli oma olemuselt uus post/uus leht iga sammu järel. Sellest tulenevalt ongi nüüd raske dilemma - kas hakata
   a) äriloogikat ümber kirjutama (mis on küll tehtav ja ilmselt pikas perspektiivis õigem toetamaks parmeini hwcrypto tulevasi versioone) või
   b) muuta hwcrypto.js selliselt et see toetaks erinevaid lehti. Praegu olen selle teise variandi peal, ja mida ma tegin:

108a109,112

    // by BC
    this.set_certificate_id = function(cert, id){
        certificate_ids[cert] = id;
    };

119a124
// ",\nid: v.id" by BC
121c126,127

< hex: v.cert

                        hex: v.cert,
                        id: v.id

276a283,293
};
// by BC
fields.set_certificate_id = function(cert, id){
if(_backend == null) {
console.log("backend is null, use _autodetect");
_autodetect().then(function(result){
_backend.set_certificate_id(cert, id);
});
}else{
_backend.set_certificate_id(cert, id);
}

ehk laadimisel võtan ka serdi id, panen selle lehe post parameetritesse ning hiljem initsialiseerin backendi uuesti ning lisan sertifikaadi. Vastik häkk, aga ühilduvuse seisukohast on see vähem koodi muudatust kui hakata praeguseid POST lehekülgi ümber kirjutama. Mis on arvamus? Samas kui see patch saaks peale panna ka reposse, siis lahendaks see ehk ka teistel analoogse probleemi.

This is not issue , it was my doubt,
how to load this project in visual studio and how can i implement in my web app (asp.net mvc 4)?

I'm using MacOS High Sierra 10.13.3 and Chrome Version 65.0.3325.181 (Official Build) (64-bit), but I couldn't get it to work.

I test it on https://hwcrypto.github.io/demo/ but when I try to sign in I get an error as follows:

Debug: hwcrypto.js 0.0.11 with Chrome native messaging extension 0.0.29/1.0.6.490
getCertificate() failed: Error: no_certificates

And in the console I get:

I've installed chome-token-signing extension and _the content of the file in /Library/Google/Chrome/NativeMessagingHosts/ee.ria.esteid.json is as follows:

{
    "name": "ee.ria.esteid",
    "description": "Give signatures with your eID on the web",
    "path": "/Library/Google/Chrome/NativeMessagingHosts/chrome-token-signing.app/Contents/MacOS/chrome-token-signing",
    "type": "stdio",
    "allowed_origins": [
        "chrome-extension://ckjefchnfjhjfedoccjbhjpbncimppeg/"
    ]
}

At first the path was (/Library/Google/Chrome/NativeMessagingHosts/chrome-token-signing.app), what is not correct and the error was getCertificate() failed: Error: no_implementation but I changed the path to /Library/Google/Chrome/NativeMessagingHosts/chrome-token-signing.app/Contents/MacOS/chrome-token-signing and the implementation error is gone, but now I get no_certificates error.

Any idea what is wrong?

We are using hwcrypto 0.0.9 and hwcrypto-legacy 0.0.9.

When using IE9 to for signing, it all works great if the developer console (F12) is open. However, if a signing session is started without the console being open, the signing fails with the error "Unable to get value of the property 'getCertificate': object is null or undefined".

A similar issue can be observed at the test site https://open-eid.github.io/hwcrypto.js/sign.html, where the property 'use' is null or undefined.

Is this a know issue?

hwcrypto 0.0.10 is not able to detect backend if signing is started immediately after page load in function $(document).ready()

Adding short delay makes the signing work again.

See the attached test signing html file where the issue is reproducable every time in Chrome Version 51.0.2704.79 Ubuntu 16.04 (64-bit)

sign.txt

For older ID cards that are using RSA keys signature verification is unsuccessful. Example:

Signing SHA-256: 413140d54372f9baf481d4c54e2d5c7bcf28fd6087000280e07976121dd54af2
Debug: hwcrypto.js 0.0.13 with Chrome native messaging extension 0.0.29/1.0.7.498
Using certificate:
-----BEGIN CERTIFICATE-----
MIIFnTCCA4WgAwIBAgIQHlForrTelKtZCdGezFULQTANBgkqhkiG9w0BAQsFADBj
MQswCQYDVQQGEwJFRTEiMCAGA1UECgwZQVMgU2VydGlmaXRzZWVyaW1pc2tlc2t1
czEXMBUGA1UEYQwOTlRSRUUtMTA3NDcwMTMxFzAVBgNVBAMMDkVTVEVJRC1TSyAy
MDE1MB4XDTE3MDUwMzEyNDgzMFoXDTE4MTAxNjIwNTk1OVowgY8xCzAJBgNVBAYT
AkVFMQ8wDQYDVQQKDAZFU1RFSUQxFzAVBgNVBAsMDmF1dGhlbnRpY2F0aW9uMSAw
HgYDVQQDDBdURUVNQUEsVE9FTCwzNzkwMTE5Mjc2NTEPMA0GA1UEBAwGVEVFTUFB
MQ0wCwYDVQQqDARUT0VMMRQwEgYDVQQFEwszNzkwMTE5Mjc2NTCCASMwDQYJKoZI
hvcNAQEBBQADggEQADCCAQsCggEBANmKoF5sgFwczcETJNkuNAydn/N7AcJMaYr5
etOz3mEktytXhj8RTAeVt07FyYwlne7fzCe0TuvFcuu4eeKgOBO6WeYZ5dZSZ/T1
Gb2mdrzOB2TnlbJN+OllMlnqtGR59jSE2ffct+hSHeqCUgf/vl2rXiSYGDY9hcrT
YRhM3cTyQ6kwBIFliXghfl5FklMJ/aJ715SeuseZ+f54qrsLCBydpzHjILP2Tzi2
njBeH57kuEkh4VFQEQR7VgV7tbZl1lNOloBwlxK9K4pqYBwIYt3Du1fRnPjNiCYn
lpAsoBontukJ8H8sTDgK63PNzZSLt8Jww/X7uecT+uKT5HiGy7sCBDj0NJ2jggEd
MIIBGTAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIEsDA7BgNVHSAENDAyMDAGCSsG
AQQBzh8BATAjMCEGCCsGAQUFBwIBFhVodHRwczovL3d3dy5zay5lZS9jcHMwHwYD
VR0RBBgwFoEUdG9lbC50ZWVtYWFAZWVzdGkuZWUwHQYDVR0OBBYEFP0nv9lrY/m4
kgU1539FDtrOVIw1MCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAf
BgNVHSMEGDAWgBSzq4i8mdVipIUqCM20HXI7g3JHUTA8BgNVHR8ENTAzMDGgL6At
hitodHRwOi8vd3d3LnNrLmVlL2NybHMvZXN0ZWlkL2VzdGVpZDIwMTUuY3JsMA0G
CSqGSIb3DQEBCwUAA4ICAQC2A5r8Y6IZrkZJOK7mrCnat231blZrPvEHKZ/0gCrb
CglDrDzFuWQWvmF0cGaWIsa18msI7zx0NJG5mOTH5PjdlvqzzxvhwwKSyMRXmA9H
167aUQZh9wD5gpeitlLqmZkqlWTy9HajUJd8PeRkP4+hcep9LBNwabNlDqD0N23b
OcHuzNZnItrmGgPhE73SEnQUuwVpUfES5suNYcrlwdB3B3lVBPCkwLoToYezwCRD
ZD1w5i9qSRgJNiIe1DAODv3AFdA1B3Jr+TG7hiUI0E5b7m6kjKlh/J49nLFG/Aen
uPyNfPkTdc1kRUxekSFmTLV9w8I0Rp6dyGS36QvGqqS6qcxfSzqenCJaYVRSK4Wo
z8dmmfbzyqym36acYIe8Xmgz6VW0HDkXc/kAPEpAeEANLR917PO7qujvzU7nSbkq
jdY+0dLxbgRYtbgao26swC/Fk0qvzlBIZSWHSYG8ZcclB3hlGoIEwejnD+uVu9QJ
dr1mI5GGT7mRgFh8oGRi6sf3qEjo5WsbnH2lOnrrPc4qypuHvaTA2XCrm4SXM3nz
JWJnAgLEI69IoNlpaVTwFA/295z9VPOqwkQnwCeBcX/IVuSGMeojEkd4rJQAV++Q
T2whWj9KMBW4Hiv9g6U77SyDMKwISf0vQhgjc2aUmPRns9UZQvbC1/ijB6JUfOC8
aA==
-----END CERTIFICATE-----
Generated signature:
5b99ae743378949f7ae831cc12bd4ed4e64de2a4b01388ca93050c6395f1ebdf
37e593c16f0266ca8788832a2f69aa5a2cdcfce7932a693779dc8511878217aa
4500c1397f7818b518e6f7da65edfdb80936253aa2151f8a6e452c181efe63d4
8618ec8be26a522dbd92b1eea7a42bd5928104794ae46b8adfc8380d01a00710
bf0475748bb05100b364a60fad8d40abe1d1029035db29c8b09c8011e63aba66
3881d22a521dd1acb77f5060af7c1db7403ecab8ed5ac9275ac60b3658748c17
e1e2b788c5ef2bb84b2ed5ebe1f1fdeb3a487da617c7722aeb6f462145806a54
9274d3cef53e228a67826f12bf2efb48a02a0f721e94e99878bc69df8628fe6c

Trying to verify the signature with openssl failed:

openssl x509 -in cert.pem -inform pem -pubkey -noout > pubkey.pem
echo '5b99ae743378949f7ae831cc12bd4ed4e64de2a4b01388ca93050c6395f1ebdf37e593c16f0266ca8788832a2f69aa5a2cdcfce7932a693779dc8511878217aa4500c1397f7818b518e6f7da65edfdb80936253aa2151f8a6e452c181efe63d48618ec8be26a522dbd92b1eea7a42bd5928104794ae46b8adfc8380d01a00710bf0475748bb05100b364a60fad8d40abe1d1029035db29c8b09c8011e63aba663881d22a521dd1acb77f5060af7c1db7403ecab8ed5ac9275ac60b3658748c17e1e2b788c5ef2bb84b2ed5ebe1f1fdeb3a487da617c7722aeb6f462145806a549274d3cef53e228a67826f12bf2efb48a02a0f721e94e99878bc69df8628fe6c' | xxd -r -p > sigfile
openssl rsautl -verify -in sigfile -pkcs -inkey pubkey.pem -pubin > challenge.rsautil-decrypted

The resulting challenge.rsautil-decrypted is 51bytes instead of 32 bytes of incoming data. I have tried to do the similar thing in JAVA and the result of verification is also "false".

Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0

sign() clicked on Tue, 30 May 2017 10:48:46 GMT
Signing SHA-1: 030520DE07E85163FF5300D7E3F33516BB9077CB
sign() failed: Error: CKR_ARGUMENTS_BAD

works fine for SHA-256 though.

https://saucelabs.com/opensauce/

Is there any chance of RSA signature support or is this not implemented in the lower API? I was looking for a way to get a RSA-SHA256 signature of some data.

It's reproducable on the demo page

1. Go to https://hwcrypto.github.io/hwcrypto.js/sign.html
2. Select Certificate AUTH
3. Click sign
4. Confirm the dialog
   ...nothing happens

However if you do the following it does work

1. Go to https://hwcrypto.github.io/hwcrypto.js/sign.html
2. Select Certificate SIGN
3. Click sign
4. Confirm the dialog
5. Enter pin
6. Select Certificate AUTH
7. Click sign
8. Confirm dialog
9. Enter pin

Seems like some kind of invalid internal state.
Anyone any idea how to fix this?