Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Creation of Certificate Sign Requests Fails if Key Pin Policy is Set to Once or Always in Combination with Attestation #430

Open
tillmann-crabnebula opened this issue Feb 28, 2023 · 4 comments
Open

Creation of Certificate Sign Requests Fails if Key Pin Policy is Set to Once or Always in Combination with Attestation #430

tillmann-crabnebula opened this issue Feb 28, 2023 · 4 comments

Comments

@tillmann-crabnebula
Copy link

tillmann-crabnebula commented Feb 28, 2023
edited
Loading

Used version: yubico-piv-tool --version yubico-piv-tool 2.3.1

Reproduction commands:

  1. Create key on device
    yubico-piv-tool --slot 9c --pin 123456 --action verify-pin,generate --pin-policy always --touch-policy never

  2. Create signing request for generated key
    yubico-piv-tool --slot 9c --pin 123456 --action verify-pin,request-certificate --attestation --output 9c.csr --subject "/CN=Example/OU=example/O=example@example.com/"

  3. Observe output

Successfully verified PIN.
Failed signing data: Authentication error.
Failed signing request.
C0EBAFB7917F0000:error:06880006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:../crypto/asn1/a_sign.c:284:

I saw similar issues mentioning this behavior #383 and some recent changes ubuntu tracker 1988833 ubuntu tracker 1993908 but the issue persists for me.

The above example works once the --pin-policy is set to never or the --attestation flag is removed.

Raw output:

DBG ykpiv.c:589 (ykpiv_connect): Connect reader 'Yubico YubiKey FIDO+CCID 00 00' matching 'Yubikey'.
DBG ykpiv.c:595 (ykpiv_connect): SCardConnect succeeded for 'Yubico YubiKey FIDO+CCID 00 00', protocol=2
DBG ykpiv.c:795 (_ykpiv_transmit): > 00a4040005a00000030800 (11)
DBG ykpiv.c:802 (_ykpiv_transmit): < 61114f0600001000010079074f05a0000003089000 (21)
DBG ykpiv.c:748 (ykpiv_translate_sw): SW_SUCCESS
DBG ykpiv.c:795 (_ykpiv_transmit): > 0020008000 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < 63c3 (2)
DBG ykpiv.c:775 (ykpiv_translate_sw): SW_63c3
DBG ykpiv.c:795 (_ykpiv_transmit): > 00fd000000 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < 0504039000 (5)
DBG ykpiv.c:748 (ykpiv_translate_sw): SW_SUCCESS
DBG ykpiv.c:795 (_ykpiv_transmit): > 00f8000000 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < 011d235e9000 (6)
DBG ykpiv.c:748 (ykpiv_translate_sw): SW_SUCCESS
Now processing for action 'verify-pin'.
Action 'verify-pin' does not need authentication.
DBG ykpiv.c:795 (_ykpiv_transmit): > 0020008008313233343536ffff00 (14)
DBG ykpiv.c:802 (_ykpiv_transmit): < 9000 (2)
DBG ykpiv.c:748 (ykpiv_translate_sw): SW_SUCCESS
Successfully verified PIN.
Now processing for action 'request-certificate'.
Action 'request-certificate' does not need authentication.
DBG ykpiv.c:795 (_ykpiv_transmit): > 00f99c0000 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < 3082032030820208a003020102021001c9686403336502df36ac80f68378e0300d06092a864886f70d01010b05003021311f301d06035504030c1659756269636f20504956204174746573746174696f6e3020170d3136303331343030303030305a180f32303532303431373030303030305a30253123302106035504030c1a597562694b657920504956204174746573746174696f6e20396330820122300d06092a864886f70d01010105000382010f003082010a0282010100d43c74824d20644a0325f8e2a631418ca5cacc4b8f1bd354ff439e0e967d7e79fa5b6b093e76d0821811771c5ba0f3b13f0ea7a5ecdc9570064bdf9f004a09c6cf6a7971346100 (258)
DBG ykpiv.c:795 (_ykpiv_transmit): > 00c0000000 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < 343e7971d64eb91b3f1b135a532644664504479ae39c30b1acb1474074901a4f41dbb4137e92df13e6d12916fab0a63f54ceede43cbd0753bf71d461f9916e2a9ae55572cf6fe56b04781a78668b8d697a9fc41aa6f810a68e6f5fdd48700d0db5d715d114ad1edf2ecff56f47e4a365fc37570fb85d7196db1ee4de2b21a7061b314dbd6aa0a0646fcc3988b4cec3d34994e219dc9bde6d87e2413bcbb83a21496cf2807f7ba10817056e8e4bab330e7860804cd2a76ff3bbc5830203010001a34e304c3011060a2b0601040182c40a030304030504033014060a2b0601040182c40a030704060204011d235e3010060a2b0601040182c40a030804020301306100 (258)
DBG ykpiv.c:795 (_ykpiv_transmit): > 00c0000000 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < 0f060a2b0601040182c40a0309040103300d06092a864886f70d01010b05000382010100554362d01a1dc6d8e8d50ed382a76f365ea2c188c652225e1c03a645d6fd65129faa23d09eb9daeb2788482e0a52503ad07d41f2ddd9828064d38a99392198d2e6a4d30229573849e73f89e92e0eddcb3ac53691d959962feb231af5498b64dd3f847874968fd1194895501bcffc39211a2ceac3e8c25f9dd73375c90533dc16b19eb5aa29d33db06807ba9ebd60a5acd7974868433736362e6c9095ebbf853ad82bc116dfeee4c3d0a1272829f18bae6fae791b0f6e49a4945de26892d7969c73adc5adc8003197a79e3240d57d333e3746c50532768741b44862686124 (258)
DBG ykpiv.c:795 (_ykpiv_transmit): > 00c0000024 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < f8ee18cc962747c0dc2c3a38b63524d654eb659393487526b4278ed5e1f21a757a5f21569000 (38)
DBG ykpiv.c:748 (ykpiv_translate_sw): SW_SUCCESS
DBG ykpiv.c:795 (_ykpiv_transmit): > 00cb3fff055c035fff0100 (11)
DBG ykpiv.c:802 (_ykpiv_transmit): < 53820302708202fe308202fa308201e2a003020102020900e8c3dd799e433b62300d06092a864886f70d01010b0500302b3129302706035504030c2059756269636f2050495620526f6f742043412053657269616c203236333735313020170d3136303331343030303030305a180f32303532303431373030303030305a3021311f301d06035504030c1659756269636f20504956204174746573746174696f6e30820122300d06092a864886f70d01010105000382010f003082010a0282010100bd3d3e27f411eaca9c15528daabcec90506f7a9d966902b25f81cfed02cf3f6259366eb3108c7222d01f1f68845b8eb4ac392eaf564e995fe3ff717d6d476100 (258)
DBG ykpiv.c:795 (_ykpiv_transmit): > 00c0000000 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < 56b684a67e85b694b82eb01133d0580e4bcd69bf3ea171fdbe996f0a7a076f66a0db448d8e397777b6d7b40f8f096bc0f8c74e698f67cc5987bc7f962adc18ef9ece40b65572439501250b34cc558135d0cf3d362726dc36438667f2964c1c8457e054cba57f35180da1a791e96822d8655e93f85d5360cbae4dc60762cb8f1cafca132ebd552e14b76e68d3674ea58f5dd2602385edfbc090bc9e99fc2e3f8f36d06f8efdadecd4f5d9a4bc5c6ec90fd58b1a3abebe160f084add1de4c4dc27aef70203010001a32930273011060a2b0601040182c40a0303040305040330120603551d130101ff040830060101ff020100300d06092a864886f70d01010b056100 (258)
DBG ykpiv.c:795 (_ykpiv_transmit): > 00c0000000 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < 0003820101005b86793d1d9a8db527aa81f55fc3261c26675dfb00f4cd04ab3411f857d24ab77fd8dfbbe518b36f616b06873fbef72adb1639480da142bab69bec363bbe03f51b01f5272d457dceb86c552a0414d12d321aa3175e9552353e7647208bf3ce3a8e6e343b79ee7b83f626d619e9347b8d6518a6e5452599ea86b5d5b0b43e0e24c4e3a60cc7ad66f50aa19ed084dd98d35dbdbf76c22b7cdeff07a1dff1f78474d168e67e1c0a3e2c179bf37e506c6bca5ebc71e52cc36cbd594c22c7148c47cb907329ba6b5dea9adb70cc69cb26b13575be6563b18fe5e3699325ac9abd012b1bdd07ee04c89820d8c1c54f01ada75058b8d9cbec6dac149d036106 (258)
DBG ykpiv.c:795 (_ykpiv_transmit): > 00c0000006 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < 352223f6983f9000 (8)
DBG ykpiv.c:748 (ykpiv_translate_sw): SW_SUCCESS
DBG ykpiv.c:795 (_ykpiv_transmit): > 1087079cff7c8201068200818201000001ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff003031300d0609608648016503040201050004204dd2a91a5273d3f4a5aa91265001ef8e973897832600 (261)
DBG ykpiv.c:802 (_ykpiv_transmit): < 9000 (2)
DBG ykpiv.c:795 (_ykpiv_transmit): > 0087079c0bf8b5948962db394dc679b200 (17)
DBG ykpiv.c:802 (_ykpiv_transmit): < 6982 (2)
DBG ykpiv.c:751 (ykpiv_translate_sw): SW_ERR_SECURITY_STATUS
DBG ykpiv.c:1249 (_general_authenticate): Sign command failed
Failed signing data: Authentication error.
Failed signing request.
C01B991E117F0000:error:06880006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:../crypto/asn1/a_sign.c:284:
DBG ykpiv.c:344 (ykpiv_disconnect): Disconnect card
@tillmann-crabnebula tillmann-crabnebula changed the title Creation of Certificate Sign Requests Fails if Key Pin Policy is Set to Once or Always Creation of Certificate Sign Requests Fails if Key Pin Policy is Set to Once or Always in Combination with Attestation Feb 28, 2023
@qpernil
Copy link
Contributor

qpernil commented Feb 28, 2023

Yes this is a known issue, the problem is that the tool performs several operations against the device within a single action, hence pin cannot be verified directly before the signing operation, which is required by keys with the always-auth pin policy. There are two PRs implemented to solve this in two different ways, but a decision hasn't been made yet which one to commit to.

@tillmann-crabnebula
Copy link
Author

tillmann-crabnebula commented Mar 1, 2023
edited
Loading

Hey @qpernil thanks for the heads up!
I saw the PRs are around 2 years old, so I don't expect any merge soon. Any recommendation which branch we should use in the meantime?

I would assume #326 is the more simplistic change suited for our case, as it's only affecting the tool and not the library.

@qpernil
Copy link
Contributor

qpernil commented Mar 1, 2023

Yes, that's the one most likely to be merged, or something similar.

@qpernil
Copy link
Contributor

qpernil commented Mar 13, 2023

I just noticed one thing from the title of this issue - The problem should only manifest if the PIN policy is 'always', i.e. by default only slot 9c.

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@qpernil @tillmann-crabnebula