
Test Linux app #27

Open
kuronosec opened this issue Dec 11, 2024 · 16 comments
Labels: good first issue (Good for newcomers)

@kuronosec (Owner) commented Dec 11, 2024
Run the Linux app with a Firma Digital and check for errors

@kuronosec kuronosec added the good first issue Good for newcomers label Dec 11, 2024
@josueCarvajal commented Dec 12, 2024

Let me handle this issue!

This is how I will work it:

  1. The way I will do it is by creating a Virtual Machine of the specified Linux distribution (Debian).
  2. I do have my Firma Digital, which can be used for testing, so by configuring the USB bridge we can make it work.
  3. Testing might include, but is not limited to, functionality, security & fuzz testing where possible.

But in order to achieve this I would like to know:

  • Is there any specific Linux distribution you want this test performed on first, other than Debian? Or any specific release you want to test the compatibility with?
  • What are some of the key core functionalities that need to be tested? This is needed to define a scope and proper test cases.
  • What are some known issues that are already mapped? This will help me not to duplicate issues already covered in your roadmap.

Thanks.

@kuronosec (Owner, Author)

> Let me handle this issue!

Thanks a lot @josueCarvajal!

> This is how I will work it:
>
> 1. The way I will do it is by creating a Virtual Machine of the specified Linux distribution (Debian).
> 2. I do have my Firma Digital, which can be used for testing, so by configuring the USB bridge we can make it work.
> 3. Testing might include, but is not limited to, functionality, security & fuzz testing where possible.

@josueCarvajal sounds great! The goal of this issue is more like checking that it works, hence the "good first issue", but if you want to create test cases and audit it, please go ahead! But let's create other specific issues.

> But in order to achieve this I would like to know:
>
> * Is there any specific Linux distribution you want this test performed on first, other than Debian? Or any specific release you want to test the compatibility with?

The installer is based on this project; at the moment it's only Debian: https://github.com/luisza/dfva_client/

> * What are some of the key core functionalities that need to be tested? This is needed to define a scope and proper test cases.

As mentioned, maybe I can create other issues for this.

> * What are some known issues that are already mapped? This will help me not to duplicate issues already covered in your roadmap.

Since it is a PoC, there are many scenarios that I haven't tested, so just make it crash and document it.

> Thanks.

@josueCarvajal commented

Update no1

Environment:

  • Debian 12 (bookworm) DVD .iso image
  • Virtualized using VMWare Workstation 1.16
  • Physical Firma Digital (Connected to the VM)
  • Installer version: zk-firma-digital_0.4_amd64.deb

Summary (Tests done until now)

  • Downloaded the zk-firma-digital_0.4_amd64.deb & firma-verifier.zkey
  • Installed both packages:
    • zk-firma-digital_0.4_amd64.deb: Some missing dependencies were found.
    • firma-verifier.zkey: No problems have been found
  • Mounted the Firma digital and ran the ZK-Firma Digital: Some problems were found here (Gaudi Agent must be installed)

Findings (General)

  • pcscd, libxcb-xinerama0 and libpcre3 are required libraries.
  • The Gaudi Agent from Firma Digital must be installed.
  • The system crashes after clicking "Ok" after successfully authenticating the Firma Digital.

Findings (Details):

  1. When installing the zk-firma-digital_0.4_amd64.deb, this one requires the pcscd and libxcb-xinerama0 libraries to be installed, dependencies that were not documented and are not part of an out-of-the-box Debian installation.
  2. ZK-Firma Digital: I just installed the ZK-Firma Digital and tried to verify my card but it failed several times.

[image]

2.1 So I decided to install the Gaudi Agent (which required the libpcre3 dependency to be installed as well); after that the system was able to authenticate my session (kind of). The UI retrieved my name and the console showed the details of my Firma Digital.

[image]

But after clicking "OK" the system crashes with an error in the line https://github.com/wbond/certvalidator/blob/master/certvalidator/registry.py#L316 of the certvalidator.

This is the stack trace:

[image]

My Firma Digital is working as expected outside the ZK-Firma Digital. I will continue with the testing and give you updates once I can move past this problem, and I'll make sure it is not an isolated problem at my end. Also, please let me know if this is a known issue.

So far this is the progress I made today, and this last finding is a blocker right now.

Thank you for reading and I will keep you posted!

@kuronosec (Owner, Author)

Hi @josueCarvajal, thanks a lot for working on this! Great summary! I'll start creating issues to solve the problems and improve the docs. When did you get your Firma Digital? It seems like there is an older and a newer certificate from the CA:

The app is only using (2) at the moment, but thats easy to fix.

@josueCarvajal commented

Thank you @kuronosec

That would explain the issue; the error was related to (1) since I got my Firma Digital back in 2021.

Please let me know if any action is needed at my end to fix this problem and proceed with the testing.

Thank you so much!

@kuronosec (Owner, Author)

@josueCarvajal I have added several issues related to this, maybe you would like to work on #32 ?

@josueCarvajal commented Dec 18, 2024

@kuronosec Sure, I can give it a shot!

@kuronosec (Owner, Author)

> @kuronosec Sure, I can give it a shot!

It seems like someone went ahead and sent a PR already 😮
#35

@kuronosec (Owner, Author)

Hey @josueCarvajal I have just pushed the release version v0.5 with several fixes thanks to your suggestions. Could you try it again? Thanks!

@josueCarvajal commented

Those are amazing news! Sure, I will continue with the testing, thank you so much!

@josueCarvajal commented

Update no2

Environment

  • Same as the initial assessment. Only upgraded from v0.4 to v0.5.

Summary (General)

  • The installation of the new version went ok.
  • Now the system is able to pull the certificate to validate my Firma Digital
  • Now a new issue is being faced where the circom.gen_witness is failing

Findings (General)

  • An issue has been found after verifying the cert for the Firma Digital, in the circom.gen_witness call. A deep dive showed that a required file, witness.wtns, is not in the credentials directory.

Findings (Details)

I've upgraded to the v0.5 version without any issues. When I try to generate the Credential.json:

[image]

The message of the dialog shown in the previous screenshot refers to this part of the code:

```python
QMessageBox.information(self, "Validación", f"{info}\n\n Firma de certificado válida!!!")
```

where, when we click Ok (continue), a new circom instance is created to do the witness, prove and verify.

BUT, after clicking OK and continuing with that flow, there is a failure in the Circom circuit, specifically in the circom.gen_witness call:

```python
self.circuit.gen_witness(
```

[image]

Initially I thought it was a problem related to privileges, but I ran it using `sudo -E /usr/share/zk-firma-digital/zk-firma-digital.bin` and the same issue occurred.

After checking deeper in the code, the circom witness requires two files, an input.json and a witness.wtns.

When searching for those files on my machine, since the code is looking at a /credentials path, the input.json is located and contains data, but the .wtns is not found.

[image]

Actually, there are only two files in this directory, which feels a little bit unexpected:

[image]

So far the installation went okay, but now we are facing the circom issue. I am not sure if it is expected behavior that the witness.wtns is missing, but I wanted to highlight it just in case it was not expected.

I can continue the testing once this specific issue gets fixed.
Thanks @kuronosec

@kuronosec (Owner, Author)

Hi @josueCarvajal, thanks a lot for continuing to test this. Could you show me what you get from executing this?

```shell
cat ~/.zk-firma-digital/logs/app.log
```

@josueCarvajal commented

Happy new year @kuronosec! Using those logs I was able to figure it out. Give me some time to properly document all the findings!

@josueCarvajal commented

Update no3

Environment

  • The environment started with 2GB of RAM and 4 CPU Cores but had to increase it to 16GB of RAM and 8 CPU Cores. (This is important)
  • Firma digital v.05
  • Dependencies had to be manually installed: Node, Circom & SnarkJS.

Summary (General)

  • Several issues have been faced related to core dependencies missing (Node, Circom & SnarkJS)
  • Issue found on systems that do not have enough hardware (CPU & RAM)

Findings (General)

  • Faced several issues when installing, as stated in my previous comment.
  • After reading the suggested log I was able to identify the problem: the Firma Digital v0.5 does not install core dependencies such as Node, Circom and SnarkJS.
  • The initial VM hardware (CPU & RAM) was insufficient, causing the proof to fail.

Findings (Details)

  • The missing witness file stated in my previous comment was due to a missing core dependency that was not installed by the core install of the Firma Digital; in this case the circom installation was missing. After installing it, the witness files were added properly.

So I tried to run it again but faced a new issue, so after reading the log suggested by @kuronosec I was able to see that Node was not installed on my system; after installing it I faced the problem of the SnarkJS dependency not being installed.

[image]

  • So I installed the dependencies and faced a new problem: the prove step was receiving a SIGKILL: 9.

[image]

To fix this issue I had to increase the VM resources, which started with 2GB of RAM and 4 CPU Cores but had to be increased to 16GB of RAM and 8 CPU Cores; after doing this the system was able to work!! :D

When hitting the prove section it got stuck in this way for 2 minutes:

[image]

and then generated the credential.json:

[image]

With this, I was able to open the comands.txt and credentials.json successfully.

So I went to http://app.sakundi.io:8080/ and uploaded my credential: it took some time to process but it failed with: public key mismatch

[image]

With that, we are almost done, but I was not able to identify what was causing this key mismatch. This is the last step in the ladder that we need to fix to validate the whole process!

So far, I would recommend adding to the docs the core dependencies that are needed before installing ZK-Firma-Digital, or even better, installing those if they are missing from the system. Also, suggest the system requirements needed to run the circuits.

Thanks!
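The two classes of findings in this thread, the undocumented Debian package dependencies from Update no1 (pcscd, libxcb-xinerama0, libpcre3) and the missing Node/Circom/SnarkJS tools plus the RAM/CPU sizing from Update no3, can both be caught before the app is launched. The following POSIX shell preflight script is an added example and is not code from the zk-firma-digital project. It assumes a Debian host (it uses `dpkg-query` and `/proc/meminfo`), and the 16 GB / 8 core thresholds are simply the values that worked in the reporter's VM, not a requirement the project has published; adjust them once the project documents real minimums.

```shell
#!/bin/sh
# Preflight check for running zk-firma-digital on a Debian VM.
# Added example, not project code. Package and tool names come from the
# findings in this issue; the RAM/CPU thresholds are the reporter's working VM
# size, not an official requirement.

REQUIRED_PACKAGES="pcscd libxcb-xinerama0 libpcre3"
REQUIRED_COMMANDS="node circom snarkjs"
MIN_RAM_GB=16
MIN_CPUS=8

# Print the Debian packages from $1 (space separated) that dpkg does not report
# as installed. If dpkg-query is unavailable, every package is reported missing
# so the check never silently passes on a non-Debian host.
missing_packages() {
    missing=""
    for pkg in $1; do
        status=$(dpkg-query -W -f='${Status}' "$pkg" 2>/dev/null || true)
        case "$status" in
            *"install ok installed"*) ;;
            *) missing="$missing $pkg" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Print the commands from $1 (space separated) that are not found on PATH.
missing_commands() {
    missing=""
    for cmd in $1; do
        command -v "$cmd" >/dev/null 2>&1 || missing="$missing $cmd"
    done
    printf '%s\n' "${missing# }"
}

# Compare a memory size in kB ($1) against a minimum in GB ($2): prints ok/low.
mem_status() {
    min_kb=$(( $2 * 1024 * 1024 ))
    if [ "$1" -ge "$min_kb" ]; then printf 'ok\n'; else printf 'low\n'; fi
}

# Compare a CPU count ($1) against a minimum ($2): prints ok/low.
cpu_status() {
    if [ "$1" -ge "$2" ]; then printf 'ok\n'; else printf 'low\n'; fi
}

# Read host resources from /proc and coreutils; print 0 when unavailable so the
# comparison below fails closed instead of erroring out.
host_mem_kb() { awk '/^MemTotal:/ {print $2}' /proc/meminfo 2>/dev/null || printf '0\n'; }
host_cpus()   { nproc 2>/dev/null || printf '0\n'; }

# Run every check, print what is wrong, and return the number of failed checks.
preflight() {
    failures=0
    pk=$(missing_packages "$REQUIRED_PACKAGES")
    [ -z "$pk" ] || { echo "MISSING packages: $pk (apt install $pk)"; failures=$((failures + 1)); }
    cm=$(missing_commands "$REQUIRED_COMMANDS")
    [ -z "$cm" ] || { echo "MISSING commands: $cm"; failures=$((failures + 1)); }
    mem=$(host_mem_kb)
    [ "$(mem_status "${mem:-0}" "$MIN_RAM_GB")" = ok ] ||
        { echo "LOW RAM: ${mem:-0} kB (< ${MIN_RAM_GB} GB; the prove step was SIGKILLed with 2 GB)"; failures=$((failures + 1)); }
    cpus=$(host_cpus)
    [ "$(cpu_status "${cpus:-0}" "$MIN_CPUS")" = ok ] ||
        { echo "LOW CPU: ${cpus:-0} cores (< ${MIN_CPUS})"; failures=$((failures + 1)); }
    echo "preflight: $failures check(s) failed"
    return "$failures"
}

# Run stand-alone: sh preflight.sh ; exit status is the number of failed checks.
preflight || true
```

Running it before `zk-firma-digital.bin` turns the three separate debugging sessions above (missing .deb dependencies, missing Node/Circom/SnarkJS, and a SIGKILL during prove) into one upfront report; packaging the same list as Depends in the .deb would remove the first two classes entirely.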

@kuronosec (Owner, Author)

Hi @josueCarvajal , thanks a lot again for the deep review! Would you like me to create some issues, so you can fix the dependencies or even the documentation?

@josueCarvajal commented

It's a pleasure @kuronosec !

Sure, please create those and, if possible, assign them to me.
