Comments (10)
Is it possible for you to provide a token with middleware for debugging here?
One great debugging tool is the OpenSC pkcs11-spy library. It is a man-in-the-middle library between the application and the destination library, logging all calls and replies to the console.
Start XCA in the Terminal as follows:
    PKCS11SPY=/usr/local/lib/libykcs11.dylib /Applications/xca.app/Contents/MacOS/xca
Open your database, open the preferences, remove the libykcs11.dylib from the settings and load /usr/local/lib/pkcs11-spy.so instead.
Now all PKCS#11 API calls are logged to the console. Maybe this will give more insight.
You will also see XCA logging its database actions.
In any case, a Yubikey4 is highly appreciated for testing and playing around :-)
I've collected some logs here: https://gist.github.com/Forst/6d6504da19f51f6ef802e9de8009b847
What I did for both PIN policies:
- Generate a new keypair and cert with yubico-piv-tool in slot 82
- Start xca and import those into the database
- Generate a test EC key, which is to be signed
- Sign it as a sub-CA
I'm using OpenSC, since YKCS11 shows errors for some of my certificates and ends up not displaying those; this is a topic for investigation for some other day :)
The problem is clearly here in xca.pin-always.log:
111: C_Sign
2018-06-28 14:28:31.280
[in] hSession = 0x7f90ff8310f0
[in] pData[ulDataLen] 00007ffee5b3ec20 / 32
00000000 E2 29 35 19 C8 A9 DA 8B 25 E9 27 F1 EB F9 BA C9 .)5.....%.'.....
00000010 57 F8 A3 4B 84 9D EA D0 8B C1 3E 56 9C DA 7A 5B W..K......>V..z[
Returned: 257 CKR_USER_NOT_LOGGED_IN
Error: C_Sign(init): CKR_USER_NOT_LOGGED_IN
OpenSSL error (pki_x509.cpp:586) : error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib
"Destructor(0) Transaction: Rollback Level 0, E:1 "
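Added example, not code from the thread or from XCA/OpenSC: a small parser for the pkcs11-spy layout quoted above that groups each API call with its return code and flags signing calls that fail even though the same session already had a successful C_Login. The sample log is constructed in that layout and the function names are my own.

```python
import re

# Constructed sample in the pkcs11-spy layout quoted in the thread (not the real gist).
SAMPLE_LOG = """\
105: C_Login
2018-06-28 14:28:31.264
[in] hSession = 0x7f90ff8310f0
[in] userType = CKU_USER
Returned: 0 CKR_OK
111: C_Sign
2018-06-28 14:28:31.280
[in] hSession = 0x7f90ff8310f0
[in] pData[ulDataLen] 00007ffee5b3ec20 / 32
00000000 E2 29 35 19 C8 A9 DA 8B 25 E9 27 F1 EB F9 BA C9 .)5.....%.'.....
Returned: 257 CKR_USER_NOT_LOGGED_IN
"""

HEADER = re.compile(r"^(\d+): (C_\w+)$")               # "111: C_Sign" opens an entry
SESSION = re.compile(r"^\[in\] hSession = (0x[0-9a-fA-F]+)")
RETURNED = re.compile(r"^Returned: (\d+) (CKR_\w+)")   # closes the entry

def parse_spy_log(text):
    """Group pkcs11-spy output into one dict per PKCS#11 call."""
    calls, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"seq": int(m.group(1)), "func": m.group(2),
                   "session": None, "rv": None, "rv_name": None}
            calls.append(cur)
        elif cur is None:
            continue                                   # text before the first call
        elif m := SESSION.match(line):
            cur["session"] = m.group(1)
        elif m := RETURNED.match(line):
            cur["rv"], cur["rv_name"] = int(m.group(1)), m.group(2)
    return calls

def sign_failures_after_login(calls):
    """C_Sign* calls that failed on a session whose C_Login already returned CKR_OK:
    the 'logged in, yet CKR_USER_NOT_LOGGED_IN' pattern seen in xca.pin-always.log."""
    logged_in, hits = set(), []
    for c in calls:
        if c["func"] == "C_Login" and c["rv"] == 0:
            logged_in.add(c["session"])
        elif (c["func"].startswith("C_Sign") and c["rv"] not in (None, 0)
              and c["session"] in logged_in):
            hits.append((c["seq"], c["func"], c["rv_name"]))
    return hits
```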
In the same log we also see the successful
105: C_Login
2018-06-28 14:28:31.264
[in] hSession = 0x7f90ff8310f0
[in] userType = CKU_USER
[in] pPin[ulPinLen] 00007f90ffb93028 / <deleted>
<deleted>
Returned: 0 CKR_OK
for this session. There is nothing more XCA can do.
I am pretty sure it has to do with the touch asked feature.
I think this token looks interesting enough to buy one....
Just tested this with touch policy = never, i.e. a button press is never asked for the key in the given slot, still getting the same error.
This is apparently the token requiring the PIN code to be submitted for every privileged operation. I see some possibilities here:
- relogin on CKR_USER_NOT_LOGGED_IN and retry the operation once more
- relogin just before C_Sign
As for buying one, I'd suggest to perhaps wait for a newer version to be released, since the FIDO2 standard has been finalised recently, and Yubico has so far updated only their cheapest model (Security Key), which supports U2F and FIDO2 only.
@chris2511, if you need some Yubikeys, I can send you some. Contact me privately with a mailing address.
Hi jsfrederick,
thanks for the offer.
I'm very interested, please contact me at [email protected]
Any updates on this issue?
Update: For anyone else stuck on this issue, I got XCA working with a Yubikey 4 by changing the slot holding the keypair in question to have a pin-policy of once and touch-policy of always using the yubico-piv-tool by reimporting a PKCS12 package.
@Staja I'd really appreciate it if you could use CryptokiMPX to generate some logs in some successful scenarios with Yubikey 4, and send them to me:
https://github.com/hajikhorasani/cryptokimpx
I have the same issue, and I've found that this relates to issues in OpenSC: OpenSC/OpenSC#1545, OpenSC/OpenSC#1269. So, the solution would be to check if the key on the token is CKA_ALWAYS_AUTHENTICATE, and do C_Login(CKU_CONTEXT_SPECIFIC,...)
P.S. A working solution can be seen in letsencrypt/pkcs11key#24
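Added example, not code from the thread or from OpenSC/YKCS11: a constructed Python model of a key that carries CKA_ALWAYS_AUTHENTICATE, showing why a plain C_Sign fails with CKR_USER_NOT_LOGGED_IN right after a successful C_Login(CKU_USER), and how the C_Login(CKU_CONTEXT_SPECIFIC)-before-every-C_Sign fix described in the comment above behaves. ModelToken and sign_with_context_login are assumptions of mine; the CKR_/CKU_/CKA_ constants are the standard PKCS#11 values.

```python
# Constructed model of the PKCS#11 behaviour discussed in the thread; not a real
# Cryptoki binding, and ModelToken is an assumption, not YKCS11 or OpenSC code.
CKR_OK = 0x000
CKR_USER_NOT_LOGGED_IN = 0x101      # 257, the value in xca.pin-always.log
CKR_PIN_INCORRECT = 0x0A0
CKU_USER = 1
CKU_CONTEXT_SPECIFIC = 2
CKA_ALWAYS_AUTHENTICATE = 0x202

class ModelToken:
    """pin_policy 'always' models a PIV slot whose key publishes CKA_ALWAYS_AUTHENTICATE."""
    def __init__(self, pin_policy, pin="123456"):
        self.attrs = {CKA_ALWAYS_AUTHENTICATE: pin_policy == "always"}
        self._pin = pin
        self.user_logged_in = False
        self.context_authorized = False
        self.calls = []                  # call trace, as pkcs11-spy would log it

    def login(self, user_type, pin):
        self.calls.append(("C_Login", user_type))
        if pin != self._pin:
            return CKR_PIN_INCORRECT
        if user_type == CKU_USER:
            self.user_logged_in = True
            return CKR_OK
        if user_type == CKU_CONTEXT_SPECIFIC and self.user_logged_in:
            self.context_authorized = True   # good for exactly one private-key operation
            return CKR_OK
        return CKR_USER_NOT_LOGGED_IN

    def sign(self, data):
        self.calls.append(("C_Sign", len(data)))
        if not self.user_logged_in:
            return CKR_USER_NOT_LOGGED_IN
        if self.attrs[CKA_ALWAYS_AUTHENTICATE]:
            if not self.context_authorized:
                return CKR_USER_NOT_LOGGED_IN  # the failure XCA hit after a good C_Login
            self.context_authorized = False    # consumed by this operation
        return CKR_OK

def sign_with_context_login(token, pin, data):
    """The fix from the thread: after the normal C_Login(CKU_USER), check the key's
    CKA_ALWAYS_AUTHENTICATE and do C_Login(CKU_CONTEXT_SPECIFIC) right before C_Sign."""
    if token.attrs[CKA_ALWAYS_AUTHENTICATE]:
        rv = token.login(CKU_CONTEXT_SPECIFIC, pin)
        if rv != CKR_OK:
            return rv
    return token.sign(data)
```

With pin-policy "once" the attribute is false and no context-specific login is issued, which matches the later comment that switching the slot to pin-policy once makes XCA work unchanged.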
Hi. Having the same issue here. As a workaround, signing works if you use opensc-pkcs11.so as a provider and ignore user consent on PIN caching in /etc/opensc.conf:
    app default {
        # debug = 3;
        # debug_file = opensc-debug.txt;
        framework pkcs15 {
            # use_file_caching = public;
            # vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
            pin_cache_ignore_user_consent = true; # <=== ADD THIS
            # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        }
    }