
Comments (8)

chris2511 avatar chris2511 commented on June 11, 2024

Maybe related to #43 (comment)

So, the solution would be to check if the key on token is CKA_ALWAYS_AUTHENTICATE, and do C_Login(CKU_CONTEXT_SPECIFIC,...)

Maybe I will find the time to look into it, soon.

from xca.

rkuerbitz avatar rkuerbitz commented on June 11, 2024

Thanks for the hints.
However, I did not succeed in either of them. Trying to create a key pair with pkcs11-tool using the --always-auth flag gives me this error:
error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

Regarding the opensc.conf options, I am unsure if the YubiHSM PKCS#11 driver even uses the pin_cache_ignore_user_consent = true; option.

So, I would really appreciate if you could look into it, as I am a bit lost right now.

from xca.

chris2511 avatar chris2511 commented on June 11, 2024

Either the keypair hasn't been created completely (Public and private key object), see: https://hohnstaedt.de/xca-doc/html/smartcard.html#key-management-on-the-token .
Did you create the keys with XCA or with another tool and then import them into XCA?
Do you see the created keys when you select "Manage Security token" ?

from xca.

rkuerbitz avatar rkuerbitz commented on June 11, 2024

Hi, I contacted Yubico about this, and this is what they answered:
When we are testing the XCA tool it seems like it is not able to establish a session using the yubihsm_pkcs11 module.
The reason is likely that the YubiHSM2 does not support the SO-PIN concept, as is stated in the YubiHSM2 PKCS#11 documentation, and it seems like all the interactions to sign in is using the SO PIN, rather than the regular PIN.

Could this help with addressing this issue within XCA?

from xca.
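The two points raised so far, checking `CKA_ALWAYS_AUTHENTICATE` and then doing `C_Login(CKU_CONTEXT_SPECIFIC, ...)` (chris2511's comment) and never touching the SO PIN on a token that has none (Yubico's answer), as an added C example that is not XCA's or yubihsm_pkcs11's code. The type and constant definitions mirror the PKCS#11 v2.40 headers and are declared inline only so the file builds without pkcs11.h; the function-table subset, the helper names and the in-memory token are assumptions made for this example, the token being a constructed toy that models a key with `CKA_ALWAYS_AUTHENTICATE` set and a token that rejects `CKU_SO`, not the real YubiHSM module:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal PKCS#11 definitions (values as in the v2.40 headers), inline so this compiles
 * without pkcs11.h. With the real header, drop this block and use CK_FUNCTION_LIST_PTR. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BYTE, CK_BBOOL;
typedef CK_ULONG CK_RV, CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_USER_TYPE,
                 CK_ATTRIBUTE_TYPE, CK_MECHANISM_TYPE;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
typedef struct { CK_MECHANISM_TYPE mechanism; void *pParameter; CK_ULONG ulParameterLen; } CK_MECHANISM;
#define CK_TRUE 1
#define CKR_OK 0x00UL
#define CKR_ATTRIBUTE_TYPE_INVALID 0x12UL
#define CKR_USER_TYPE_INVALID 0x1BUL
#define CKR_OPERATION_NOT_INITIALIZED 0x91UL
#define CKR_PIN_INCORRECT 0xA0UL
#define CKR_USER_ALREADY_LOGGED_IN 0x100UL
#define CKR_USER_NOT_LOGGED_IN 0x101UL
#define CKR_BUFFER_TOO_SMALL 0x150UL
#define CKU_SO 0UL
#define CKU_USER 1UL
#define CKU_CONTEXT_SPECIFIC 2UL
#define CKA_ALWAYS_AUTHENTICATE 0x202UL
#define CKM_ECDSA 0x1041UL

/* Assumed subset of CK_FUNCTION_LIST: only the entry points this example calls. */
typedef struct {
    CK_RV (*C_Login)(CK_SESSION_HANDLE, CK_USER_TYPE, CK_BYTE *, CK_ULONG);
    CK_RV (*C_GetAttributeValue)(CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ATTRIBUTE *, CK_ULONG);
    CK_RV (*C_SignInit)(CK_SESSION_HANDLE, CK_MECHANISM *, CK_OBJECT_HANDLE);
    CK_RV (*C_Sign)(CK_SESSION_HANDLE, CK_BYTE *, CK_ULONG, CK_BYTE *, CK_ULONG *);
} P11;

/* Sets *needs to 1 if the key carries CKA_ALWAYS_AUTHENTICATE=TRUE, 0 if it is FALSE or
 * the token does not implement the attribute at all (CKR_ATTRIBUTE_TYPE_INVALID). */
CK_RV key_needs_context_login(const P11 *p, CK_SESSION_HANDLE s, CK_OBJECT_HANDLE key, int *needs)
{
    CK_BBOOL always = 0;
    CK_ATTRIBUTE a = { CKA_ALWAYS_AUTHENTICATE, &always, sizeof always };
    CK_RV rv = p->C_GetAttributeValue(s, key, &a, 1);
    if (rv == CKR_ATTRIBUTE_TYPE_INVALID) { *needs = 0; return CKR_OK; }
    if (rv != CKR_OK) return rv;
    *needs = (a.ulValueLen == sizeof always && always == CK_TRUE);
    return CKR_OK;
}

/* Sign using only the normal user PIN: CKU_USER for the session and, only when the key
 * demands it, a CKU_CONTEXT_SPECIFIC login between C_SignInit and C_Sign, which is the
 * ordering PKCS#11 requires for always-authenticate keys. CKU_SO is never used. */
CK_RV sign_with_user_pin(const P11 *p, CK_SESSION_HANDLE s, CK_OBJECT_HANDLE key,
                         CK_BYTE *pin, CK_ULONG pin_len, CK_BYTE *digest, CK_ULONG dlen,
                         CK_BYTE *sig, CK_ULONG *slen)
{
    CK_MECHANISM m = { CKM_ECDSA, NULL, 0 };
    int needs = 0;
    CK_RV rv = p->C_Login(s, CKU_USER, pin, pin_len);
    if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) return rv;
    if ((rv = key_needs_context_login(p, s, key, &needs)) != CKR_OK) return rv;
    if ((rv = p->C_SignInit(s, &m, key)) != CKR_OK) return rv;
    if (needs && (rv = p->C_Login(s, CKU_CONTEXT_SPECIFIC, pin, pin_len)) != CKR_OK) return rv;
    return p->C_Sign(s, digest, dlen, sig, slen);
}

/* Constructed toy token so the example runs offline: it has no SO PIN, and its one key
 * wants a context-specific login for every signature. Not a model of yubihsm_pkcs11. */
static struct { int user_in, op_active, ctx_done; } tok;
static const char MOCK_PIN[] = "1234";

static CK_RV mock_Login(CK_SESSION_HANDLE s, CK_USER_TYPE t, CK_BYTE *pin, CK_ULONG n)
{
    (void)s;
    if (t == CKU_SO) return CKR_USER_TYPE_INVALID;            /* no SO PIN concept */
    if (n != sizeof MOCK_PIN - 1 || memcmp(pin, MOCK_PIN, n) != 0) return CKR_PIN_INCORRECT;
    if (t == CKU_USER) { tok.user_in = 1; return CKR_OK; }
    if (t != CKU_CONTEXT_SPECIFIC) return CKR_USER_TYPE_INVALID;
    if (!tok.op_active) return CKR_OPERATION_NOT_INITIALIZED;  /* must follow C_SignInit */
    tok.ctx_done = 1;
    return CKR_OK;
}
static CK_RV mock_GetAttr(CK_SESSION_HANDLE s, CK_OBJECT_HANDLE k, CK_ATTRIBUTE *a, CK_ULONG n)
{
    (void)s; (void)k;
    for (CK_ULONG i = 0; i < n; i++) {
        if (a[i].type != CKA_ALWAYS_AUTHENTICATE) return CKR_ATTRIBUTE_TYPE_INVALID;
        *(CK_BBOOL *)a[i].pValue = CK_TRUE;
        a[i].ulValueLen = sizeof(CK_BBOOL);
    }
    return CKR_OK;
}
static CK_RV mock_SignInit(CK_SESSION_HANDLE s, CK_MECHANISM *m, CK_OBJECT_HANDLE k)
{
    (void)s; (void)m; (void)k;
    if (!tok.user_in) return CKR_USER_NOT_LOGGED_IN;
    tok.op_active = 1; tok.ctx_done = 0;                       /* fresh context per operation */
    return CKR_OK;
}
static CK_RV mock_Sign(CK_SESSION_HANDLE s, CK_BYTE *d, CK_ULONG dl, CK_BYTE *sig, CK_ULONG *sl)
{
    (void)s; (void)d; (void)dl;
    if (!tok.op_active) return CKR_OPERATION_NOT_INITIALIZED;
    tok.op_active = 0;
    if (!tok.ctx_done) return CKR_USER_NOT_LOGGED_IN;          /* always-auth key, no ctx login */
    if (*sl < 64) return CKR_BUFFER_TOO_SMALL;
    memset(sig, 0x5a, 64); *sl = 64;                           /* placeholder signature bytes */
    return CKR_OK;
}
const P11 mock_token = { mock_Login, mock_GetAttr, mock_SignInit, mock_Sign };

int main(void)
{
    CK_BYTE pin[] = "1234", digest[32] = {0}, sig[64]; CK_ULONG sl = sizeof sig;
    CK_RV rv = sign_with_user_pin(&mock_token, 1, 7, pin, 4, digest, sizeof digest, sig, &sl);
    printf("sign rv=0x%lx siglen=%lu\n", rv, sl);
    return rv != CKR_OK;
}
```

Against a real module, `mock_token` would be replaced by the table from `C_GetFunctionList`, and the only thing worth keeping from the toy is the ordering: attribute check first, then `C_SignInit`, then the context-specific `C_Login` with the user PIN, then `C_Sign`. A `C_Login(CKU_CONTEXT_SPECIFIC, ...)` issued before `C_SignInit`, or a session opened with `CKU_SO` on a token that has no SO PIN, fails in the same way the toy fails here.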

chris2511 avatar chris2511 commented on June 11, 2024

Added login option with 3457454
Please try a build from https://github.com/chris2511/xca/actions/runs/8195398369

from xca.

rkuerbitz avatar rkuerbitz commented on June 11, 2024

Dear Chris,
thanks a lot for providing the additional login option so fast! I tested the build; however, XCA just stalls and has to be force-closed after entering the PIN. I am attaching the PKCS11 log for one XCA session, so if you could have a look at it, that would be great:
yubiHSM.txt

from xca.

chris2511 avatar chris2511 commented on June 11, 2024

Auto close with 3457454 was not correct

from xca.

rkuerbitz avatar rkuerbitz commented on June 11, 2024

Dear Chris,
may I kindly ask if there are any news on this issue?

from xca.
