Yubico PIV Tool

Introduction

The Yubico PIV tool is used for interacting with the Personal Identity Verification (PIV) application on a YubiKey.

With it you can generate keys on the device, import keys and certificates, create certificate requests, and perform other operations. A shared library and a command-line tool are included.

Usage guides

For information and examples on what you can do with a PIV enabled YubiKey, see https://developers.yubico.com/PIV/

License

In general the project is covered by the following BSD license. The file ykcs11/pkcs11.h has additional copyright and licensing information, please see it for more information.

   Copyright (c) 2014-2020 Yubico AB
   All rights reserved.

   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions are
   met:

     * Redistributions of source code must retain the above copyright
       notice, this list of conditions and the following disclaimer.

     * Redistributions in binary form must reproduce the above
       copyright notice, this list of conditions and the following
       disclaimer in the documentation and/or other materials provided
       with the distribution.

   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Building on POSIX platforms

Either clone from Git or download and unpack the tarball, then make sure you have the prerequisites installed and build by following the steps below from the yubico-piv-tool directory.

Please make sure to have recent versions of the following packages installed on your system.

cmake libtool libssl-dev pkg-config check libpcsclite-dev gengetopt help2man zlib-devel

Help2man is used to generate the manpages. Gengetopt version 2.22.6 or later is needed for command line parameter handling. The Vagrant VM has all these dependencies preinstalled.

Please note that these package names are Debian-based. Other POSIX platforms might use different names. For example, libssl-dev can probably be replaced with openssl-devel and libpcsclite-dev with pcsc-lite-devel on a Red Hat platform. Also note that Gengetopt might not be available on all platforms and might need to be built from source (see https://www.gnu.org/software/gengetopt/gengetopt.html#Installation).

After installation of all dependencies, run the following:

$ cd yubico-piv-tool
$ mkdir build; cd build
$ cmake ..
$ make
$ sudo make install

On macOS, you might need to point pkg-config at the Homebrew OpenSSL installation when running cmake (replace <version> with the installed formula version):

$ PKG_CONFIG_PATH="/usr/local/opt/openssl@<version>/lib/pkgconfig" cmake ..

To statically link to OpenSSL (the libcrypto library), use the cmake option -DOPENSSL_STATIC_LINK=ON.

Don’t forget that you might need to be root for the last command. On Linux you might also need to refresh the dynamic linker cache after installing:

sudo ldconfig

The backend is chosen at compile time; see the summary at the end of the cmake output. Use --with-backend=foo to choose a backend, replacing foo with the backend you want to use. The available backends are "pcsc", "macscard" and "winscard"; all use the PCSC interface but differ slightly in shared library linkage and header file names: "pcsc" is used on GNU-like systems, "macscard" on Mac OS X, and "winscard" on Windows. In most situations, running cmake automatically finds the proper backend.

Building on Windows

Building on Windows requires MSBuild or Visual Studio and the MSVC compiler. It also requires building the binaries from the source release package and not from the source checked out from the repository on GitHub. This is because some files that are part of the command line shell are generated but they cannot, currently, be generated on Windows. Those files are, however, included in the source release package.

On Windows, getopt is needed to read command line arguments. The easiest way to install getopt is with the vcpkg package manager. The paths to the getopt DLL library and include file need to be specified as command line arguments to cmake. The path to OpenSSL also needs to be specified, either as a command line argument to cmake or by setting the environment variable OPENSSL_ROOT_DIR.

The command line examples below are for PowerShell, with the prerequisites installed from source (using vcpkg).

$ $env:OPENSSL_ROOT_DIR = "PATH/TO/OPENSSL_DIR"
$ mkdir build; cd build
$ cmake -A <ARCH> -DGETOPT_LIB_DIR="PATH/TO/GETOPT_DIR/lib" -DGETOPT_INCLUDE_DIR="PATH/TO/GETOPT_DIR/include" ..
$ cmake --build .

The tests use the check framework. The path to the check directory needs to be specified as a command line argument to cmake. The directories holding the check binaries, the OpenSSL binaries, libykpiv.dll and libykcs11.dll also need to be in the PATH:

$ $env:OPENSSL_ROOT_DIR = "PATH/TO/OPENSSL_DIR"
$ mkdir build; cd build
$ cmake -A <ARCH> -DGETOPT_LIB_DIR="PATH/TO/GETOPT_DIR/lib" -DGETOPT_INCLUDE_DIR="PATH/TO/GETOPT_DIR/include" -DCHECK_PATH="PATH/TO/CHECK_DIR" ..
$ cmake --build .
$ $env:Path += ";PATH/TO/CHECK_DIR/bin;PATH/TO/OPENSSL_DIR/bin;PATH/TO/build\lib\Debug;PATH/TO/build\ykcs11\Debug"
$ ctest.exe -C Debug

For building on 32-bit systems, use Win32 as ARCH. For building on 64-bit systems, use x64 as ARCH.

Coverage

Code coverage is provided courtesy of lcov and CMake-codecov. This currently only works with make.

Enable coverage with

$ cmake -DENABLE_COVERAGE=1 ..

You can then build the project normally and run some executables (for example running the tests with make test).

At this point coverage evaluation can be generated with gcov/lcov related targets. For example

$ make lcov

will generate a single HTML report in ./lcov/html/all_targets/index.html

Portability

The main development platform is Debian GNU/Linux. The project compiles on Windows using MSVC and the PCSC backend. It can also be built for Mac OS X, also using the PCSC backend.

Example Usage

For a list of all available options, --help can be given. For more information on exactly what happens, --verbose or --verbose=2 may be added.

Generate a new ECC P256 key on the device in slot 9a; the public key is printed on stdout:

$ yubico-piv-tool -s9a -AECCP256 -agenerate

Generate a certificate request with the public key read from stdin; the resulting request is printed on stdout:

$ yubico-piv-tool -s9a -S'/CN=foo/OU=test/O=example.com/' -averify -arequest

Generate a self-signed certificate with the public key read from stdin; the certificate is printed on stdout for later import:

$ yubico-piv-tool -s9a -S'/CN=bar/OU=test/O=example.com/' -averify -aselfsign

Import a certificate from stdin:

$ yubico-piv-tool -s9a -aimport-certificate

Set a random CHUID, then import a key and a certificate from a PKCS12 file into slot 9c:

$ yubico-piv-tool -s9c -itest.pfx -KPKCS12 -aset-chuid -aimport-key \
  -aimport-cert

Change the management key used for administrative authentication:

$ yubico-piv-tool -aset-mgm-key

Delete the certificate in slot 9a, prompting for the management key:

$ yubico-piv-tool -adelete-certificate -s9a -k

Show some information on certificates and other data:

$ yubico-piv-tool -astatus

Read out the certificate from a slot and then run a signature test:

$ yubico-piv-tool -aread-cert -s9a
$ yubico-piv-tool -averify-pin -atest-signature -s9a

Import a key into slot 85 (only available on YubiKey 4 & 5) and set the touch policy (also only available on YubiKey 4 & 5):

$ yubico-piv-tool -aimport-key -s85 --touch-policy=always -ikey.pem

yubico-piv-tool's Issues

FreeBSD 11 build fails

$ make
Making all in lib
Making all in .
CC ykpiv.lo
CC version.lo
CC error.lo
CCLD libykpiv.la
Making all in tests
Making all in tool
/bin/sh /home/jporter/yubico-piv-tool/build-aux/missing gengetopt --input
gengetopt: option '--input' requires an argument
Run gengetopt --help to see the list of options.
*** Error code 1

Stop.
make[1]: stopped in /usr/home/jporter/yubico-piv-tool/tool
*** Error code 1

Stop.
make: stopped in /usr/home/jporter/yubico-piv-tool

Packages installed:
autoconf-2.69
autoconf-wrapper-20131203
automake-1.15_1
automake-wrapper-20131203
gengetopt-2.22.6_2
libtool-2.4.6
pcsc-lite-1.8.14,2

Build fails on Yosemite

$ ./configure
checking for a BSD-compatible install... /opt/local/bin/ginstall -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /opt/local/bin/gmkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether make supports nested variables... (cached) yes
checking for gcc... clang
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether clang accepts -g... yes
checking for clang option to accept ISO C89... none needed
checking whether clang understands -c and -o together... yes
checking for style of include used by make... GNU
checking dependency style of clang... gcc3
checking for ar... ar
checking the archiver (ar) interface... ar
checking build system type... x86_64-apple-darwin14.4.0
checking host system type... x86_64-apple-darwin14.4.0
checking how to print strings... printf
checking for a sed that does not truncate output... /opt/local/bin/gsed
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for fgrep... /usr/bin/grep -F
checking for ld used by clang... /opt/local/libexec/llvm-3.4/bin/ld
checking if the linker (/opt/local/libexec/llvm-3.4/bin/ld) is GNU ld... no
checking for BSD- or MS-compatible name lister (nm)... /opt/local/bin/nm
checking the name lister (/opt/local/bin/nm) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 196608
checking how to convert x86_64-apple-darwin14.4.0 file names to x86_64-apple-darwin14.4.0 format... func_convert_file_noop
checking how to convert x86_64-apple-darwin14.4.0 file names to toolchain format... func_convert_file_noop
checking for /opt/local/libexec/llvm-3.4/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... dlltool
checking how to associate runtime and link libraries... printf %s\n
checking for archiver @FILE support... no
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /opt/local/bin/nm output from clang object... ok
checking for sysroot... no
checking for a working dd... /bin/dd
checking how to truncate binary pipes... /bin/dd bs=4096 count=1
checking for mt... no
checking if : is a manifest tool... no
checking for dsymutil... dsymutil
checking for nmedit... nmedit
checking for lipo... lipo
checking for otool... otool
checking for otool64... no
checking for -single_module linker flag... yes
checking for -exported_symbols_list linker flag... yes
checking for -force_load linker flag... yes
checking how to run the C preprocessor... clang -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if clang supports -fno-rtti -fno-exceptions... yes
checking for clang option to produce PIC... -fno-common -DPIC
checking if clang PIC flag -fno-common -DPIC works... yes
checking if clang static flag -static works... no
checking if clang supports -c -o file.o... yes
checking if clang supports -c -o file.o... (cached) yes
checking whether the clang linker (/opt/local/libexec/llvm-3.4/bin/ld) supports shared libraries... yes
checking dynamic linker characteristics... darwin14.4.0 dyld
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... yes
checking for pkg-config... /opt/local/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for OPENSSL... yes
checking if LD -Wl,--version-script works... no
checking for valgrind... no
checking whether self tests are run under valgrind... no
configure: Detected Mac: selecting macscard backend
configure: use --with-backend to override
configure: checking for PCSC with Mac linkage
checking PCSC/winscard.h usability... yes
checking PCSC/winscard.h presence... yes
checking for PCSC/winscard.h... yes
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating lib/Makefile
config.status: creating lib/tests/Makefile
config.status: creating tool/Makefile
config.status: creating tool/tests/Makefile
config.status: creating lib/ykpiv-version.h
config.status: creating lib/ykpiv.pc
config.status: executing depfiles commands
config.status: executing libtool commands
configure: summary of build options:

  Version:          1.0.2
  Host type:        x86_64-apple-darwin14.4.0
  Install prefix:   /usr/local
  Compiler:         clang
  CFLAGS:           -g -O2
  CPPFLAGS:         
  Warnings:         
  Backend:          macscard
  PCSC
          CFLAGS:   
            LIBS:   
  Winscard
            LIBS:   
  Mac PCSC
            LIBS:   -Wl,-framework -Wl,PCSC
$ make
Making all in lib
Making all in .
  CC       ykpiv.lo
/usr/include/module.map:1:25: warning: unknown attribute 'extern_c' [-Wignored-attributes]
module Darwin [system] [extern_c] {
                        ^
/usr/include/module.map:1561:21: warning: unknown attribute 'extern_c' [-Wignored-attributes]
module os [system] [extern_c] {
                    ^
/usr/include/module.map:1577:26: warning: unknown attribute 'extern_c' [-Wignored-attributes]
module libkern [system] [extern_c] {
                         ^
/usr/include/module.map:1602:23: warning: unknown attribute 'extern_c' [-Wignored-attributes]
module ldap [system] [extern_c] {
                      ^
/usr/include/module.map:1635:23: warning: unknown attribute 'extern_c' [-Wignored-attributes]
module krb5 [system] [extern_c] {
                      ^
/usr/include/module.map:1662:22: warning: unknown attribute 'extern_c' [-Wignored-attributes]
module XPC [system] [extern_c] {
                     ^
ykpiv.c:145:53: warning: incompatible pointer types passing 'unsigned long *' to parameter of type 'uint32_t *' (aka 'unsigned int *') [-Wincompatible-pointer-types]
  rc = SCardListReaders(state->context, NULL, NULL, &num_readers);
                                                    ^~~~~~~~~~~~
/System/Library/Frameworks/PCSC.framework/Headers/winscard.h:111:67: note: passing argument to parameter 'pcchReaders' here
                                      char *mszReaders, uint32_t *pcchReaders);
                                                                  ^
ykpiv.c:158:59: warning: incompatible pointer types passing 'unsigned long *' to parameter of type 'uint32_t *' (aka 'unsigned int *') [-Wincompatible-pointer-types]
  rc = SCardListReaders(state->context, NULL, reader_buf, &num_readers);
                                                          ^~~~~~~~~~~~
/System/Library/Frameworks/PCSC.framework/Headers/winscard.h:111:67: note: passing argument to parameter 'pcchReaders' here
                                      char *mszReaders, uint32_t *pcchReaders);
                                                                  ^
ykpiv.c:193:40: warning: incompatible pointer types passing 'unsigned long *' to parameter of type 'uint32_t *' (aka 'unsigned int *') [-Wincompatible-pointer-types]
      SCARD_PROTOCOL_T1, &state->card, &active_protocol);
                                       ^~~~~~~~~~~~~~~~
/System/Library/Frameworks/PCSC.framework/Headers/winscard.h:67:67: note: passing argument to parameter 'pdwActiveProtocol' here
                                  LPSCARDHANDLE phCard, uint32_t *pdwActiveProtocol);
                                                                  ^
ykpiv.c:327:82: warning: incompatible pointer types passing 'unsigned long *' to parameter of type 'uint32_t *' (aka 'unsigned int *') [-Wincompatible-pointer-types]
  rc = SCardTransmit(state->card, SCARD_PCI_T1, apdu->raw, send_len, NULL, data, recv_len);
                                                                                 ^~~~~~~~
/System/Library/Frameworks/PCSC.framework/Headers/winscard.h:104:75: note: passing argument to parameter 'pcbRecvLength' here
                                   unsigned char *pbRecvBuffer, uint32_t *pcbRecvLength);
                                                                          ^
10 warnings generated.
  CC       version.lo
/usr/include/module.map:1:25: warning: unknown attribute 'extern_c' [-Wignored-attributes]
module Darwin [system] [extern_c] {
                        ^
/usr/include/module.map:1561:21: warning: unknown attribute 'extern_c' [-Wignored-attributes]
module os [system] [extern_c] {
                    ^
/usr/include/module.map:1577:26: warning: unknown attribute 'extern_c' [-Wignored-attributes]
module libkern [system] [extern_c] {
                         ^
/usr/include/module.map:1602:23: warning: unknown attribute 'extern_c' [-Wignored-attributes]
module ldap [system] [extern_c] {
                      ^
/usr/include/module.map:1635:23: warning: unknown attribute 'extern_c' [-Wignored-attributes]
module krb5 [system] [extern_c] {
                      ^
/usr/include/module.map:1662:22: warning: unknown attribute 'extern_c' [-Wignored-attributes]
module XPC [system] [extern_c] {
                     ^
6 warnings generated.
  CC       error.lo
/usr/include/module.map:1:25: warning: unknown attribute 'extern_c' [-Wignored-attributes]
module Darwin [system] [extern_c] {
                        ^
/usr/include/module.map:1561:21: warning: unknown attribute 'extern_c' [-Wignored-attributes]
module os [system] [extern_c] {
                    ^
/usr/include/module.map:1577:26: warning: unknown attribute 'extern_c' [-Wignored-attributes]
module libkern [system] [extern_c] {
                         ^
/usr/include/module.map:1602:23: warning: unknown attribute 'extern_c' [-Wignored-attributes]
module ldap [system] [extern_c] {
                      ^
/usr/include/module.map:1635:23: warning: unknown attribute 'extern_c' [-Wignored-attributes]
module krb5 [system] [extern_c] {
                      ^
/usr/include/module.map:1662:22: warning: unknown attribute 'extern_c' [-Wignored-attributes]
module XPC [system] [extern_c] {
                     ^
6 warnings generated.
  CCLD     libykpiv.la
Making all in tests
make[2]: Nothing to be done for `all'.
Making all in tool
/Applications/Xcode.app/Contents/Developer/usr/bin/make  all-recursive
Making all in .
  CC       util.lo
/usr/include/module.map:1:25: warning: unknown attribute 'extern_c' [-Wignored-attributes]
module Darwin [system] [extern_c] {
                        ^
/usr/include/module.map:1561:21: warning: unknown attribute 'extern_c' [-Wignored-attributes]
module os [system] [extern_c] {
                    ^
/usr/include/module.map:1577:26: warning: unknown attribute 'extern_c' [-Wignored-attributes]
module libkern [system] [extern_c] {
                         ^
/usr/include/module.map:1602:23: warning: unknown attribute 'extern_c' [-Wignored-attributes]
module ldap [system] [extern_c] {
                      ^
/usr/include/module.map:1635:23: warning: unknown attribute 'extern_c' [-Wignored-attributes]
module krb5 [system] [extern_c] {
                      ^
/usr/include/module.map:1662:22: warning: unknown attribute 'extern_c' [-Wignored-attributes]
module XPC [system] [extern_c] {
                     ^
util.c:203:10: error: use of undeclared identifier 'slot__NULL'
    case slot__NULL:
         ^
6 warnings and 1 error generated.
make[3]: *** [util.lo] Error 1
make[2]: *** [all-recursive] Error 1
make[1]: *** [all] Error 2
make: *** [all-recursive] Error 1

The prebuilt version on the releases page works, but you provide no install instructions, only compile instructions, and since there are crypto libraries included in the zip, naively overwriting the versions of these files I already have in /usr/local/include/ /usr/local/lib/ etc, would be extremely foolish.

  • Provide a Macports package... pretty please?
  • Provide proper dependency and install documentation, so I know which libraries I have to have installed, which files from the release zip are from your source code, etc.
  • Fix compiling from source on OS X. [This could be my fault, but more documentation so I have a better chance of realising this without having to log a bug report wouldn't hurt ;-) ]

Add support to write signed CHUID

Please add the capability to write a signed CHUID, which is required for use with physical access control systems, such as pivCLASS.

Problem compiling

Fresh (just now) pull from the Github. Platform Mac OS X 10.10.5 with Xcode-7.1.1, but it probably doesn't matter, judging from the type of error.

Making all in tool
/Applications/Xcode.app/Contents/Developer/usr/bin/make  all-recursive
Making all in .
  CCLD     libpiv_cmd.la
  CC       util.lo
util.c:265:10: error: use of undeclared identifier 'slot__NULL'
    case slot__NULL:
         ^
util.c:397:10: error: use of undeclared identifier 'hash__NULL'
    case hash__NULL:
         ^
util.c:416:14: error: use of undeclared identifier 'hash__NULL'
        case hash__NULL:
             ^
util.c:431:14: error: use of undeclared identifier 'hash__NULL'
        case hash__NULL:
             ^
util.c:450:10: error: use of undeclared identifier 'algorithm__NULL'
    case algorithm__NULL:
         ^
util.c:464:10: error: use of undeclared identifier 'pin_policy__NULL'
    case pin_policy__NULL:
         ^
util.c:476:10: error: use of undeclared identifier 'touch_policy__NULL'
    case touch_policy__NULL:
         ^
7 errors generated.

EC P256 Certificate Signing Requests are Broken

Originally opened as Yubico/yubikey-piv-manager#1. Content copied below:

Whenever I have the tool generate a CSR using ECC P256, the generated CSR is invalid. The issue appears to be with the ECDSA signature on the certificate request, which appears to be stored incorrectly:

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: DC=net, DC=voria, DC=token, CN=Yubikey NEO 35XXXXX
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
            EC Public Key: 
                pub: 
                    04:dd:91:86:6a:92:69:90:d9:cd:f0:81:ca:a3:40:
                    80:d8:64:e3:ad:13:3a:ed:43:0e:42:a0:95:b2:1e:
                    8c:2c:46:60:f3:5b:75:33:92:38:51:52:b8:6c:0c:
                    1a:b8:b0:6f:ee:f1:33:7a:9a:37:a8:79:d7:c8:de:
                    19:92:43:23:83
                ASN1 OID: prime256v1
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA256
        30:46:02:21:00:c3:7d:49:a6:da:e9:fe:25:18:26:7d:20:3e:
        6a:80:22:04:a4:9d:a8:fb:72:9a:7c:99:c5:48:02:e2:28:0b:
        65:02:21:00:d6:58:07:d0:f5:a5:f9:d9:f1:53:49:5d:3b:8a:
        5c:75:87:66:43:32:da:ce:97:67:33:0d:9b:8e:78:54:3a:17
Check that the request matches the signature
Signature verification problems....
20298:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:/SourceCache/OpenSSL098/OpenSSL098-52.30.1/src/crypto/asn1/a_verify.c:164:

-a status and documentation should show CCC

Minor nitpicks:

The documentation yubico-piv-tool/doc/YubiKey_PIV_introduction.adoc for "real-world use" needs to include "set-chuid" and "set-ccc".

Also, -a status only shows the CHUID at the moment; it would be good if it could show the CCC as well. The message displayed in the case that one or the other is missing should be more of a warning/error.

So: CHUID/CCC: <Error - not set>

CHUID is required for a persistent ContainerId, which otherwise prevents Windows usage as a logon smart card. CCC is required for Mac to appear in KeyChain at all (it is similarly used as a card identifier in PIV.tokend).

Thanks!

[question] possible to use within a container?

Greetings.

I'm investigating the possible use of my YubiKey4, using yubico-piv-tool from inside a docker container. Both host and container image are running Ubuntu 14.04, with the yubikey attached to the host. The device works as expected from the host OS. But within the container, I can't seem to get past a message: Failed to connect to reader.

A glimmer of hope was given by this post, in which a user appears successful in running their U2F device.

In my Dockerfile, I'm compiling pcsc-lite, ccid, openct and opensc libraries (to control versions); and creating udev rules as was necessary to make use of the device from the host machine.

ENV PCSC_VERSION 1.8.13
ENV CCID_CERSION 1.4.18
ENV OPENCT_VERSION 0.6.20
ENV OPENSC_VERSION 0.15.0

Has anyone (community at large) had any success accessing their YubiKey4 from within a docker container? If so, I'd love to hear from you!

Edit: markdown link components reversed

action "import-key" should fail if e != 65537

I recently tried to import a good old ssh key I've used for years, and it all works great until I try to use it for SSH; ssh borks with the most helpful error:

$ ssh -P $PKSC11LIB a.server.example.com
Enter PIN for 'PIV_II (PIV Card Holder pin)':
C_Sign failed: 257
ssh_rsa_sign: RSA_sign failed: unknown err

According to http://www.metzdowd.com/pipermail/cryptography/2013-October/018177.html, pre OpenSSH 5.4 hardcoded e = 35 (publicExponent: 35), which turned out to be true for my old key.

Speaking to klali@, he says the nxp chip used only supports e = 65537 (publicExponent: 65537). However, yubikey-piv-tool said that the key import was successful, without any errors.
So, action import-key should fail if e != 65537, pointing out that the publicExponent in the key is unsupported (and perhaps of questionable strength...)
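As an added example (not part of yubico-piv-tool or of this issue), the check below does what the issue asks for on the host side: it parses an unencrypted PEM RSA private key (PKCS#1 "RSA PRIVATE KEY" or PKCS#8 "PRIVATE KEY") with a minimal DER reader and refuses any key whose publicExponent is not 65537, so the mismatch is caught before -aimport-key instead of surfacing later as a failed C_Sign. The sample keys it builds are constructed from toy primes purely as parser fixtures; they are not usable keys.

```python
import base64
import re

PIV_REQUIRED_E = 65537                         # the only exponent the PIV applet accepts
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def _der_len(n):
    # DER length: short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(v):
    """DER INTEGER; the extra bit keeps a leading 0x00 when the top bit is set."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body

def der_seq(*items):
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def _read_int(buf, pos):
    tag, value, pos = _read_tlv(buf, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER, got tag 0x%02x" % tag)
    return int.from_bytes(value, "big"), pos

def rsa_public_exponent(pem):
    """Extract e from an unencrypted PEM RSA private key (PKCS#1 or PKCS#8)."""
    m = re.search(r"-----BEGIN (RSA PRIVATE KEY|PRIVATE KEY)-----(.*?)-----END \1-----",
                  pem, re.S)
    if not m:
        raise ValueError("not an unencrypted PEM private key")
    der = base64.b64decode("".join(m.group(2).split()))
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    if m.group(1) == "PRIVATE KEY":
        # PKCS#8: version, AlgorithmIdentifier, OCTET STRING wrapping the PKCS#1 key
        _, pos = _read_int(body, 0)
        tag, alg, pos = _read_tlv(body, pos)
        oid_tag, oid, _ = _read_tlv(alg, 0)
        if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
            raise ValueError("not an rsaEncryption key")
        tag, wrapped, _ = _read_tlv(body, pos)
        if tag != 0x04:
            raise ValueError("expected OCTET STRING holding the private key")
        _, body, _ = _read_tlv(wrapped, 0)
    # PKCS#1 RSAPrivateKey: version, n, e, d, p, q, dP, dQ, qInv
    _, pos = _read_int(body, 0)    # version
    _, pos = _read_int(body, pos)  # modulus n
    e, _ = _read_int(body, pos)    # publicExponent
    return e

def check_piv_importable(pem):
    """Return (ok, message); ok is False for unparseable keys or e != 65537."""
    try:
        e = rsa_public_exponent(pem)
    except (ValueError, IndexError) as exc:
        return False, "cannot parse key: %s" % exc
    if e != PIV_REQUIRED_E:
        return False, ("publicExponent %d is not supported by the PIV applet "
                       "(only %d is); refuse import" % (e, PIV_REQUIRED_E))
    return True, "publicExponent %d OK" % e

def make_test_pem(e, pkcs8=False):
    """Constructed fixture: a syntactically valid RSA private key with exponent e.
    1019 and 1033 are toy primes chosen so both 35 and 65537 are invertible mod phi."""
    p, q = 1019, 1033
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    pkcs1 = der_seq(der_int(0), der_int(n), der_int(e), der_int(d), der_int(p),
                    der_int(q), der_int(d % (p - 1)), der_int(d % (q - 1)),
                    der_int(pow(q, -1, p)))
    der, label = pkcs1, "RSA PRIVATE KEY"
    if pkcs8:
        alg = der_seq(b"\x06\x09" + RSA_OID, b"\x05\x00")
        der = der_seq(der_int(0), alg, b"\x04" + _der_len(len(pkcs1)) + pkcs1)
        label = "PRIVATE KEY"
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, b64, label)

if __name__ == "__main__":
    # e = 35 mirrors the old OpenSSH default mentioned in the issue above
    for e, pkcs8 in ((65537, False), (35, False), (65537, True)):
        ok, msg = check_piv_importable(make_test_pem(e, pkcs8))
        print("PASS" if ok else "FAIL", msg)
```

Run it against a real key file with check_piv_importable(open("key.pem").read()) before handing the file to -aimport-key.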

help2man not identified correctly

  CC       yubico-piv-tool.o
/bin/sh /Users/here/src/yubico-piv-tool/build-aux/missing help2man --no-info \
        --name="Yubico PIV tool" \
        --include=./yubico-piv-tool.h2m \
        --output=yubico-piv-tool.1 ./yubico-piv-tool
help2man: can't get `--help' info from ./yubico-piv-tool
Try `--no-discard-stderr' if option outputs to stderr
WARNING: 'help2man' is missing on your system.
         You should only need it if you modified a dependency of a man page.
         You may want to install the GNU Help2man package:
         <http://www.gnu.org/software/help2man/>
make[3]: *** [yubico-piv-tool.1] Error 127
make[2]: *** [all-recursive] Error 1
make[1]: *** [all] Error 2
make: *** [all-recursive] Error 1
$ type help2man
help2man is /opt/local/bin/help2man
$ port installed help2man
The following ports are currently installed:
  help2man @1.47.3_0 (active)

ykcs11 library reports incorrect hardcoded token serial number

pkcs11-tool --module libykcs11.dylib -T
  token label        : YubiKey PIV
  token manufacturer : Yubico
  token model        : YubiKey YK4
  token flags        : rng, login required, PIN initialized, token initialized
  hardware version   : 0.0
  firmware version   : 4.206
  serial num         : 1234

Here serial number is reported as 1234 which is incorrect.

I've found that another library, libykneomgr, is reporting the correct serial number. I tried sending the same APDU command as libykneomgr: "\x00\x01\x10\x00", but the token doesn't report the serial number when this command is called from ykcs11. Is there documentation on the APDU commands supported by Yubikey?

Windows version of ykcs11 segfaults

this command fails:

pkcs11-tool --module ykcs11.dll -L

immediately after C_GetFunctionList call

I suspect that Windows build does not set packing correctly for pkcs11.h, it should set it to 1 byte alignment. From pkcs11.h:

 * In addition to defining these 6 macros, the packing convention
 * for PKCS #11 structures should be set.  The PKCS #11
 * convention on packing is that structures should be 1-byte
 * aligned.
 *
 * In a Win32 environment, this might be done by using the
 * following preprocessor directive before including pkcs11.h
 * or pkcs11t.h:
 *
 * #pragma pack(push, cryptoki, 1)
 *
 * and using the following preprocessor directive after including
 * pkcs11.h or pkcs11t.h:
 *
 * #pragma pack(pop, cryptoki)

Build fails on Fedora 20

Tried version 0.1.0 and trunk. Same results for both. Same thing happens if I manually autoreconf --install and ./configure.

Here is what I'm getting:

[user@desktop yubico-piv-tool-yubico-piv-tool-0.1.0]$ ./build-and-test.sh 
+ autoreconf -i
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, `build-aux'.
libtoolize: copying file `build-aux/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
configure.ac:90: error: possibly undefined macro: AC_LIB_HAVE_LINKFLAGS
      If this token and others are legitimate, please use m4_pattern_allow.
      See the Autoconf documentation.
autoreconf: /usr/bin/autoconf failed with exit status: 1
[user@desktop yubico-piv-tool-yubico-piv-tool-0.1.0]$ ./build-and-test.sh 
+ autoreconf -i
configure.ac:42: installing 'build-aux/ar-lib'
configure.ac:44: installing 'build-aux/config.guess'
configure.ac:44: installing 'build-aux/config.sub'
configure.ac:39: installing 'build-aux/install-sh'
configure.ac:39: installing 'build-aux/missing'
lib/Makefile.am: installing 'build-aux/depcomp'
parallel-tests: installing 'build-aux/test-driver'
+ '[' x '!=' x ']'
+ ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
...
snip
...
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for OPENSSL... yes
checking if LD -Wl,--version-script works... yes
checking for PCSC... yes
./configure: line 12298: syntax error near unexpected token `winscard,,'
./configure: line 12298: `  AC_LIB_HAVE_LINKFLAGS(winscard,, #include ,'
[user@desktop yubico-piv-tool-yubico-piv-tool-0.1.0]$ ./build-and-test.sh 
+ autoreconf -i
configure.ac:90: error: possibly undefined macro: AC_LIB_HAVE_LINKFLAGS
      If this token and others are legitimate, please use m4_pattern_allow.
      See the Autoconf documentation.
autoreconf: /usr/bin/autoconf failed with exit status: 1

Binaries missing for 0.1.0

Could you add pre-compiled binaries for 0.1.0? I'm trying to build it on OS X and it fails.

The most recent version that has OS X binaries that I could find is 0.0.3

Prompt for PIN and password

When a PIN/password is not specified on the command line but is needed, the tool should probably prompt for it instead of erroring out.

Can not import retired private key

I am trying to import a private key into slot 82 (retired) and get the following error:

tool/yubico-piv-tool -a import-key -s 82 --key=111111111111111111111111111111111111111111111111 -i privateKey.key --verbose=2
trying to connect to reader 'Yubico Yubikey NEO CCID'.
00 a4 04 00 05 a0 00 00 03 08
< 61 11 4f 06 00 00 10 00 01 00 79 07 4f 05 a0 00 00 03 08 90 00
Authenticating since action 'import-key' needs that.
00 87 03 9b 04 7c 02 80 00
< 7c 0a 80 08 e8 ae 08 79 47 d6 06 44 90 00
00 87 03 9b 16 7c 14 80 08 6a 72 73 c3 77 60 8e 4a 81 08 11 8a d1 69 bc 41 8c 0f
< 7c 0a 82 08 55 22 7f c2 51 44 5a 55 90 00
Successful application authentication.
Now processing for action 'import-key'.
Going to send 255 bytes in this go.
10 fe 06 82 ff 01 40 ed aa 11 78 30 91 48 26 77 69 b5 a3 3e 0e 7d a9 77 1b 2f 08 65 04 3b dc d2 81 f3 c3 63 fa 17 6b f0 7c 5d f8 da 83 21 ef 46 13 4e cc 46 bc be 84 21 6b 22 78 27 fc d0 93 a6 f9 41 1b f3 2e 26 23 02 40 d2 78 b2 5f 80 3e 1a cb 2b 64 5e 77 08 87 1a 11 0f e0 48 b4 f5 c3 a3 39 1d 02 9f ca dd a9 e2 51 78 7c 12 69 a1 2c b2 d4 df 30 a5 03 e0 57 ad 48 13 45 36 31 e3 30 30 57 38 62 a3 6f 09 1c da 85 03 40 c6 4d a0 33 f3 fa 55 04 5b a0 e5 80 e6 f7 ba 5c 5b 58 60 3f 15 e2 99 7c 60 5d 34 22 f5 59 a8 8f 54 e2 c0 9a 32 e1 35 c0 6b 6d 12 d3 99 b6 45 15 04 b9 5a d2 7d 33 12 6a 10 e9 6b 2d 42 14 60 97 04 40 6e 33 ca 59 dc e1 27 d0 57 a1 0f 21 4e 72 c7 00 46 0a ce a7 09 c3 ed 13 fb 8f a3 31 6a 8d 08 36 56 5a c8 9d 4c 4a 06 3d 15 bb f7 bb 26 dd 61 9a ca 94 43 c3 2d 4c cf
< 90 00
Going to send 75 bytes in this go.
00 fe 06 82 4b 12 ec 30 21 99 02 f1 7b ad 05 40 9f c5 17 13 07 a4 aa ba 2a 1b f7 6c 6f 68 39 ca 15 73 66 01 c1 2f 45 98 32 ab 5f 17 e3 4b bc ed a5 6e 3e 5c cd 88 cf d9 3c 04 19 05 cd 31 a0 f4 66 02 1c fd d4 46 bf 52 47 19 b6 03 91 2b fc bb
< 6a 80
Unable to import private key

Adjust return codes for verify-pin

verify-pin gives the same return code on a failed try as it does on the "pin code blocked" message. The blocked message should return e.g. 2, so that scripts can loop over verify-pin until it is blocked rather than hoping that 3-4 attempts are enough.

See the attached picture.

[Trivial] "man" text shows wrong version.

In version 1.2.2 the man text prints out version 1.1.3.
Reproduce with: man yubico-piv-tool

Raw output of man text:

YUBICO-PIV-TOOL(1)                                                                                User Commands                                                                                YUBICO-PIV-TOOL(1)

NAME
       yubico-piv-tool - Yubico PIV tool

SYNOPSIS
       yubico-piv-tool [OPTIONS]...

DESCRIPTION
       yubico-piv-tool 1.1.3

       -h, --help
              Print help and exit

       --full-help
              Print help, including hidden options, and exit

       -V, --version
              Print version and exit

       -v, --verbose[=INT]
              Print more information  (default=`0')

       -r, --reader=STRING
              Only use a matching reader  (default=`Yubikey')

       -k, --key[=STRING]
              Authentication key to use (default=`010203040506070801020304050607080102030405060708')

       -a, --action=ENUM
              Action  to take  (possible values="version", "generate", "set-mgm-key", "reset", "pin-retries", "import-key", "import-certificate", "set-chuid", "request-certificate", "verify-pin", "change-pin",
              "change-puk", "unblock-pin", "selfsign-certificate", "delete-certificate", "read-certificate", "status", "test-signature", "test-decipher", "list-readers", "set-ccc")

              Multiple actions may be given at once and will be executed in order for example --action=verify-pin --action=request-certificate

       -s, --slot=ENUM
              What key slot to operate on  (possible values="9a", "9c", "9d", "9e", "82", "83", "84", "85", "86", "87", "88", "89", "8a", "8b", "8c", "8d", "8e", "8f", "90", "91", "92", "93", "94", "95")

              9a is for PIV Authentication 9c is for Digital Signature (PIN always checked) 9d is for Key Management 9e is for Card Authentication (PIN never checked) 82-95 is for Retired Key Management

       -A, --algorithm=ENUM
              What algorithm to use  (possible values="RSA1024", "RSA2048", "ECCP256", "ECCP384" default=`RSA2048')

       -H, --hash=ENUM
              Hash to use for signatures  (possible values="SHA1", "SHA256", "SHA384", "SHA512" default=`SHA256')

       -n, --new-key=STRING
              New authentication key to use

       --pin-retries=INT
              Number of retries before the pin code is blocked

       --puk-retries=INT
              Number of retries before the puk code is blocked

       -i, --input=STRING
              Filename to use as input, - for stdin  (default=`-')

       -o, --output=STRING
              Filename to use as output, - for stdout (default=`-')

       -K, --key-format=ENUM
              Format of the key being read/written  (possible values="PEM", "PKCS12", "GZIP", "DER" default=`PEM')


       -p, --password=STRING
              Password for decryption of private key file

       -S, --subject=STRING
              The subject to use for certificate request

              The subject must be written as: /CN=host.example.com/OU=test/O=example.com/

       -P, --pin=STRING
              Pin/puk code for verification

       -N, --new-pin=STRING
              New pin/puk code for changing

       --pin-policy=ENUM
              Set pin policy for action generate or import-key (possible values="never", "once", "always")

       --touch-policy=ENUM
              Set touch policy for action generate, import-key or set-mgm-key  (possible values="never", "always")

EXAMPLES
       For more information about what's happening --verbose can be added to any command. For much more information --verbose=2 may be used.

       Display what version of the application is running on the YubiKey:

          yubico-piv-tool -a version

       Generate a new ECC-P256 key on device in slot 9a, will print the public key on stdout:

          yubico-piv-tool -s 9a -A ECCP256 -a generate

       Generate a certificate request with public key from stdin, will print the resulting request on stdout:

          yubico-piv-tool -s 9a -S '/CN=foo/OU=test/O=example.com/' -P 123456 \
            -a verify -a request

       Generate a self-signed certificate with public key from stdin, will print the certificate, for later import, on stdout:

          yubico-piv-tool -s 9a -S '/CN=bar/OU=test/O=example.com/' -P 123456 \
            -a verify -a selfsign

       Import a certificate from stdin:

          yubico-piv-tool -s 9a -a import-certificate

       Set a random chuid, import a key and import a certificate from a PKCS12 file with password test, into slot 9c:

          yubico-piv-tool -s 9c -i test.pfx -K PKCS12 -p test -a set-chuid \
            -a import-key -a import-cert

       Import a certificate which is larger than 2048 bytes and thus requires compression in order to fit:

         openssl x509 -in cert.pem -outform DER | gzip -9 > der.gz
         yubico-piv-tool -s 9c -i der.gz -K GZIP -a import-cert

Change the management key used for administrative authentication:

          yubico-piv-tool -n 0807605403020108070605040302010807060504030201 \
            -a set-mgm-key

       Delete a certificate in slot 9a:

         yubico-piv-tool -a delete-certificate -s 9a

       Show some information on certificates and other data:

         yubico-piv-tool -a status

       Read out the certificate from a slot and then run a signature test:

         yubico-piv-tool -a read-cert -s 9a
         yubico-piv-tool -a verify-pin -P 123456 -a test-signature -s 9a

yubico-piv-tool 1.1.3                                                                             December 2015                                                                                YUBICO-PIV-TOOL(1)

Problem with 0.1.3 on mac

Having downloaded the binary from https://developers.yubico.com/yubico-piv-tool/Releases/ I'm getting:

$ ~/bin/yubico-piv-tool-0.1.3-mac/bin/yubico-piv-tool
dyld: Library not loaded: /Users/klas/yubico-piv-tool/tmp/root/lib/libykpiv.1.dylib
Referenced from: /Users/davidillsley/bin/yubico-piv-tool-0.1.3-mac/bin/yubico-piv-tool
Reason: image not found
Trace/BPT trap: 5

0.1.2 is fine.

Have ykpiv_verify receive a byte array and not a string

In some cases (e.g. PKCS#11) the PIN is represented as a sequence of bytes rather than a string, and it is not NUL-terminated.

We should add a new function, or refactor the signature of ykpiv_verify, to be

ykpiv_rc ykpiv_verify(ykpiv_state *state, const char *pin, size_t pin_len, int *tries);

and avoid calling strlen inside.
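
An illustration of what the proposed (pointer, length) signature buys, as an added example that is not the library's ykpiv_verify: the function builds the PIV VERIFY command (CLA 00, INS 20, P1 00, P2 80, Lc 08, PIN padded to 8 bytes with 0xFF, as SP 800-73 specifies) from a byte buffer and an explicit length. A PIN buffer handed over by a PKCS #11 C_Login call therefore needs no terminator, and a PIN that happens to contain a 0x00 byte is not cut short the way strlen would cut it. The sample PIN bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PIV_PIN_MIN 6
#define PIV_PIN_MAX 8
#define PIV_VERIFY_APDU_LEN (5 + PIV_PIN_MAX)   /* header + Lc + padded PIN */

/* Builds VERIFY for the PIV application PIN from (pin, pin_len).
 * No NUL terminator is needed or looked at.  Returns the APDU length,
 * or 0 when the length is outside the 6..8 range PIV allows.
 * Illustrative code, not the library's own implementation. */
size_t piv_build_verify(const uint8_t *pin, size_t pin_len,
                        uint8_t out[PIV_VERIFY_APDU_LEN]) {
    if (pin == NULL || pin_len < PIV_PIN_MIN || pin_len > PIV_PIN_MAX)
        return 0;
    out[0] = 0x00;           /* CLA */
    out[1] = 0x20;           /* INS: VERIFY */
    out[2] = 0x00;           /* P1 */
    out[3] = 0x80;           /* P2: PIV application PIN */
    out[4] = PIV_PIN_MAX;    /* Lc: always 8, the PIN is padded */
    memset(out + 5, 0xFF, PIV_PIN_MAX);
    memcpy(out + 5, pin, pin_len);
    return PIV_VERIFY_APDU_LEN;
}

/* Scrubs a PIN/APDU buffer once it has been sent; the volatile pointer keeps
 * the compiler from dropping the stores as dead. */
void piv_wipe(uint8_t *buf, size_t n) {
    volatile uint8_t *p = buf;
    while (n--) *p++ = 0;
}

/* Constructed sample: a 6-byte PIN buffer that contains a 0x00 byte and has
 * no terminator, the shape a PKCS #11 caller may pass. */
static const uint8_t SAMPLE_PIN[6] = { '1', '2', '3', 0x00, '5', '6' };

/* What strlen() would think the PIN length is: it stops at the 0x00. */
size_t sample_pin_len_by_strlen(void) {
    return strlen((const char *)SAMPLE_PIN);
}

/* Byte i of the APDU built from SAMPLE_PIN with its real length, or -1. */
int sample_apdu_byte(size_t i) {
    uint8_t apdu[PIV_VERIFY_APDU_LEN];
    size_t n = piv_build_verify(SAMPLE_PIN, sizeof SAMPLE_PIN, apdu);
    int v = (i < n) ? apdu[i] : -1;
    piv_wipe(apdu, sizeof apdu);
    return v;
}

/* Length policy: a 5-byte PIN is refused (returns 0). */
size_t sample_short_pin_result(void) {
    uint8_t apdu[PIV_VERIFY_APDU_LEN];
    return piv_build_verify(SAMPLE_PIN, 5, apdu);
}
```

With the explicit length all six PIN bytes reach the card and the remaining two are 0xFF padding; strlen on the same buffer reports 3, which is the truncation the issue is about.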

Add an extra message to commands that expect input but never get it

Example from https://developers.yubico.com/yubico-piv-tool/

Generate a certificate request with public key from stdin, will print the resulting request on stdout:

yubico-piv-tool -s 9a -S '/CN=foo/OU=test/O=example.com/' -P 123456 \
 -a verify -a request

First, this example is not optimal, as "-a request" expects input (as the text mentions, but the example doesn't show). Appending < pubkey.pem makes it easier to understand (also, the previous "-a generate" command could get > pubkey.pem appended as well).

Secondly, the "-a request" command will just wait for the public key without hinting about it.

$ $PIVTOOL -v -s 9a -S "/CN=Yubikey SSH/" -a verify -a request
using reader 'Yubico Yubikey NEO CCID 00 00' matching 'Yubikey'.
Action 9 does not need authentication.
Action 8 does not need authentication.
Now processing for action 9.
Successfully verified PIN.
Now processing for action 8.
^C

A good idea would be to add something similar to what gpg does if you don't give it anything on stdin:

$ gpg
gpg: Go ahead and type your message ...

So if no input for "-a request" is given, yubico-piv-tool could echo an extra comment like:

$ $PIVTOOL -v -s 9a -S "/CN=Yubikey SSH/" -a verify -a request
using reader 'Yubico Yubikey NEO CCID 00 00' matching 'Yubikey'.
Action 9 does not need authentication.
Action 8 does not need authentication.
Now processing for action 9.
Successfully verified PIN.
Now processing for action 8.
Awaiting the public key from stdin...

Hope that makes sense...

PIV terminology

Can you update the terminology on this page?
Privilege and Identification Card (PIV) is actually

Personal Identity Verification

*** sorry, had to submit this when I'm sitting here at NIST and read the first line of the yubikey info page... :-)

MacOS (PIV.tokend) requires Card Capability Container file

Hi,

I have been debugging "PIV.tokend" from the "Smartcard Services for Macintosh" add-on for MacOS (the standard Apple smart card package), and it is failing because it is trying to use the unique identifier in the CCC file. This is technically a mandatory file, like the CHUID.

I think the PIV tool should have an "-action initialize" option that installs a CHUID and CCC (at least; there are other mandatory files that should probably be considered).

The "-action status" option should probably flag missing mandatory files as errors. Missing CHUID won't work on Windows, missing CCC won't work on Mac.

There is a technical discussion here: https://lists.macosforge.org/pipermail/smartcardservices-users/2015-October/000539.html

I can produce some patches if needed.

PIN complexity

PIN complexity rules have been requested.

This makes some kind of sense, since the standard (SP 800-73-3 part 2) specifies some rules for PINs (only numbers, and lengths). We could have some flags in the applet for enforcing them and make them settable from the tool.

PIN retries

We have some older YubiKey NEOs (3.3.6), and PIV Tool v0.1.6 can change PIN/PUK retries on them.

However, we cannot change the PIN/PUK retries on our YubiKey NEOs v3.4.2 using PIV Tool v0.1.6. We have tried both the Windows and Mac tools and multiple YubiKeys of each version. We are using the same command:

yubico-piv-tool.exe -a pin-retries --pin-retries 10 --puk-retries 10 -P xxxxxx - N yyyyyy

Thanks!

Display certificate information

There have been requests to display information about certificates, some of what has been proposed:

  • display something similar to gpg --card-status (fingerprints, ID info, PIN retries)
  • be able to read individual certificates

Impossible to import CA reply

yubico-piv-tool and YubiKey PIV Manager allow generating a new key on-board and outputting a Certificate Signing Request (CSR).

The problem is, once this CSR has been signed, there seems to be no way to import the CA reply (in .p7r format). How is one supposed to use this feature?

Failed to import Windows Certificate

Hey,
I'm trying to get a Windows certificate onto my YubiKey. I followed the steps at https://developers.yubico.com/yubico-piv-tool/Windows_certificate.html

While importing the certificate (yubico-piv-tool -s 9a -a import-certificate -i cert.crt) I get an error:
Failed loading certificate for import.

I have no Windows CA, so I used the CA on my Raspberry Pi. Is there any difference in the signing?

I used these commands:
openssl x509 -req -days 3650 -in request.csr -signkey ca.key -out newcert.pem
openssl x509 -outform der -in newcert.pem -out newcert.crt

Thx

error: SCardTransmit failed, rc=80100016

Hi, I have a YubiKey NEO and I'm trying to use PIV for SSH on Arch Linux, but with no luck.
With and without root it is the same, no difference at all.

Debugging Messages

$ yubico-piv-tool -v -a status

trying to connect to reader 'Yubico Yubikey NEO OTP+CCID 00 00'.
error: SCardTransmit failed, rc=80100016
Failed communicating with card: 'Error in PCSC call'
error: no useable reader found.
Failed to connect to reader.

Output of ykinfo

$ ykinfo -a

serial: 3646115
serial_hex: 37a2a3
serial_modhex: eildle
version: 3.4.3
touch_level: 1807
programming_sequence: 3
slot1_status: 1
slot2_status: 1
vendor_id: 1050
product_id: 111

Output of opensc-tool

opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Yubico Yubikey NEO OTP+CCID 00 00

Output of lsusb

$ lsusb

Bus 009 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 013 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 008 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 007 Device 003: ID 1050:0111 Yubico.com Yubikey NEO(-N) OTP+CCID
Bus 007 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 005 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 004 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 012 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 011 Device 002: ID 1b1c:1b0e Corsair 
Bus 011 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 010 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 002 Device 002: ID 2109:0812 VIA Labs, Inc. VL812 Hub
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 003: ID 0458:003a KYE Systems Corp. (Mouse Systems) NetScroll+ Mini Traveler / Genius NetScroll 120
Bus 001 Device 002: ID 2109:2812 VIA Labs, Inc. VL812 Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

Finally output of pcsc_scan

$ pcsc_scan 
PC/SC device scanner
V 1.4.25 (c) 2001-2011, Ludovic Rousseau <[email protected]>
Compiled with PC/SC lite version: 1.8.13
Using reader plug'n play mechanism
Scanning present readers...
0: Yubico Yubikey NEO OTP+CCID 00 00

Sat Jan 23 18:14:00 2016
Reader 0: Yubico Yubikey NEO OTP+CCID 00 00
  Card state: Card inserted, 
  ATR: 3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1

ATR: 3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1
+ TS = 3B --> Direct Convention
+ T0 = FC, Y(1): 1111, K: 12 (historical bytes)
  TA(1) = 13 --> Fi=372, Di=4, 93 cycles/ETU
    43010 bits/s at 4 MHz, fMax for Fi = 5 MHz => 53763 bits/s
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
  TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1 
-----
  TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1 
-----
  TA(3) = FE --> IFSC: 254
  TB(3) = 15 --> Block Waiting Integer: 1 - Character Waiting Integer: 5
+ Historical bytes: 59 75 62 69 6B 65 79 4E 45 4F 72 33
  Category indicator byte: 59 (proprietary format)
+ TCK = E1 (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1
    YubiKey NEO (PKI)
    http://www.yubico.com/

Packages Version

$ opensc-tool -i
OpenSC 0.15.0 [gcc  4.9.2 20150304 (prerelease)]
Enabled features: zlib readline openssl pcsc(libpcsclite.so.1)

$ uname -r
4.3.3-2-ARCH

$ yubico-piv-tool -V
yubico-piv-tool 1.3.0

$ ykinfo -V
1.17.3

$ pcsc_scan -V
PC/SC device scanner
V 1.4.25 (c) 2001-2011, Ludovic Rousseau <[email protected]>
Compiled with PC/SC lite version: 1.8.13

I have tried many things and it is always SCardTransmit failed; I don't know why!

Thanks
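
As an added example (not from the issue and not from the tool), a small ATR parser that walks the interface bytes the way pcsc_scan did above and verifies the TCK checksum: NEO_ATR is the ATR quoted in the report, and the second check flips one bit in a copy to show that the checksum catches it. When a reader enumerates but SCardTransmit fails, this separates "the card answered with an intact ATR" from a transport-level problem further down.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    bool    offers_t0;     /* T=0 listed in some TDi (or no TDi at all) */
    bool    offers_t1;     /* T=1 listed in some TDi */
    uint8_t hist[15];      /* historical bytes (K <= 15) */
    size_t  hist_len;
    bool    tck_present;   /* present iff a protocol other than T=0 is offered */
    bool    tck_ok;        /* XOR of T0..TCK is zero */
} atr_info;

/* Parses an ISO 7816-3 ATR.  Returns false if the structure does not fit in
 * the buffer or has trailing bytes; a checksum failure is reported in
 * out->tck_ok so the caller can tell the two apart. */
bool atr_parse(const uint8_t *atr, size_t len, atr_info *out) {
    memset(out, 0, sizeof *out);
    if (len < 2 || (atr[0] != 0x3B && atr[0] != 0x3F)) return false;   /* TS */
    size_t pos = 1;
    uint8_t t0 = atr[pos++];
    out->hist_len = t0 & 0x0F;
    uint8_t y = t0 >> 4;                 /* which of TA1, TB1, TC1, TD1 follow */
    bool any_td = false, non_t0 = false;
    while (y) {
        size_t need = (y & 1) + ((y >> 1) & 1) + ((y >> 2) & 1) + ((y >> 3) & 1);
        if (pos + need > len) return false;
        pos += (y & 1) + ((y >> 1) & 1) + ((y >> 2) & 1);   /* skip TAi, TBi, TCi */
        if (y & 8) {                                         /* TDi present */
            uint8_t td = atr[pos++];
            uint8_t t = td & 0x0F;
            any_td = true;
            if (t == 0) out->offers_t0 = true; else non_t0 = true;
            if (t == 1) out->offers_t1 = true;
            y = td >> 4;                                     /* next group */
        } else {
            y = 0;
        }
    }
    if (!any_td) out->offers_t0 = true;  /* no TD1: T=0 by default */
    if (pos + out->hist_len > len) return false;
    memcpy(out->hist, atr + pos, out->hist_len);
    pos += out->hist_len;
    out->tck_present = non_t0;
    if (out->tck_present) {
        if (pos >= len) return false;
        uint8_t x = 0;
        for (size_t i = 1; i <= pos; i++) x ^= atr[i];   /* T0 .. TCK inclusive */
        out->tck_ok = (x == 0);
        pos++;
    }
    return pos == len;
}

/* The ATR from the pcsc_scan output above. */
static const uint8_t NEO_ATR[] = {
    0x3B, 0xFC, 0x13, 0x00, 0x00, 0x81, 0x31, 0xFE, 0x15,
    0x59, 0x75, 0x62, 0x69, 0x6B, 0x65, 0x79, 0x4E, 0x45, 0x4F, 0x72, 0x33, 0xE1
};

/* 0 when NEO_ATR parses to the values pcsc_scan printed, else an error code. */
int neo_atr_check(void) {
    atr_info info;
    if (!atr_parse(NEO_ATR, sizeof NEO_ATR, &info)) return -1;
    if (info.hist_len != 12) return -2;
    if (memcmp(info.hist, "YubikeyNEOr3", 12) != 0) return -3;
    if (!info.offers_t1 || info.offers_t0) return -4;   /* only T=1 offered */
    if (!info.tck_present || !info.tck_ok) return -5;
    return 0;
}

/* Flips one bit of TB(3) in a copy: the structure still parses but the
 * checksum fails.  Returns 1 when the corruption is detected. */
int corrupted_atr_detected(void) {
    uint8_t bad[sizeof NEO_ATR];
    atr_info info;
    memcpy(bad, NEO_ATR, sizeof bad);
    bad[8] ^= 0x01;
    if (!atr_parse(bad, sizeof bad, &info)) return -1;
    return info.tck_ok ? 0 : 1;
}

int main(void) {
    printf("NEO ATR check: %d, corrupted copy detected: %d\n",
           neo_atr_check(), corrupted_atr_detected());
    return 0;
}
```

The historical bytes decode to the ASCII string "YubikeyNEOr3", only T=1 is offered, and the TCK checks out, which matches what pcsc_scan reported; the transmit failure is therefore below the ATR level (reader driver, pcscd, or the T=1 exchange), not a malformed card answer.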

[Request] Prompt for pkcs12 passphrase

Hello Yubico Team

Currently I can import a PKCS#12 file with yubico-piv-tool by supplying the "-p" parameter and the passphrase in the clear. It would be great if the tool would prompt for the passphrase, as it does with the DER format.

Regards

Use PIN to derive the management key

How can I initialize the YubiKey to use the PIN to derive the management key with yubico-piv-tool, like is possible with yubikey-piv-manager? I have found some description (at the bottom of the page) but I'm not sure whether yubico-piv-tool supports it. I can generate the key:

python2 -c "from Crypto.Protocol.KDF import PBKDF2; print ''.join(x.encode('hex') for x in PBKDF2('my_pin', 'my_salt', 24, 10000))"

but I don't know how to save the salt on the YubiKey to indicate that the PIN should be used to derive the management key.

Consider bumping version to 1.0.0

I'm not sure about the state of this project, but it seems that it might be a candidate to bump to 1.0.0. We now also have a GUI tool that uses this.

PIN-keys available over NFC

NIST 800-73-3 and FIPS 201 allow some operations over NFC but not all. NIST 800-73-3 part 2, after table 2, says: "Note: Cryptographic protocols using private/secret keys requiring "PIN" security condition shall not be used on the contactless interface."

We currently don't follow this, allowing "PIN" keys even over contactless. It isn't really clear whether we should fix this or not (it can be seen as a feature), but let's have an issue open around this until we decide.

Build fails on Mac OS X with undeclared identifier 'slot__NULL'

On master (b08de95) and 1.2.2 the build fails on Mac OS X El Capitan with the following error.

util.c:265:10: error: use of undeclared identifier 'slot__NULL'
    case slot__NULL:
         ^
util.c:457:10: error: use of undeclared identifier 'hash__NULL'
    case hash__NULL:
         ^
util.c:476:14: error: use of undeclared identifier 'hash__NULL'
        case hash__NULL:
             ^
util.c:491:14: error: use of undeclared identifier 'hash__NULL'
        case hash__NULL:
             ^
util.c:510:10: error: use of undeclared identifier 'algorithm__NULL'
    case algorithm__NULL:
         ^
util.c:524:10: error: use of undeclared identifier 'pin_policy__NULL'
    case pin_policy__NULL:
         ^
util.c:536:10: error: use of undeclared identifier 'touch_policy__NULL'
    case touch_policy__NULL:

Key-pair generation doesn't work via PKCS11 library

This command fails:

pkcs11-tool --module libykcs11.dylib -k --key-type rsa:2048 --usage-sign --usage-decrypt --login --id 01

Output:

Using slot 0 with a present token (0x0)
Logging in to "YubiKey PIV".
Please enter User PIN: 
error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_DEVICE_ERROR (0x30)

Aborting.

GUID in CHUID is invalid

(1) The CHUID_GUID_OFFS should be 29, not 28. This caused the length field of the GUID to be overwritten with random data in
if(RAND_pseudo_bytes(chuid + CHUID_GUID_OFFS, 0x10) == -1) {
which can lead to incorrect parsing.

(2) The comment is wrong: it says GUID, but you dump the CHUID contents.

(3) Early versions of NIST 800-73 had both a signed and an unsigned CHUID.
800-73-3 requires the CHUID to be signed. From early testing, I know Windows does not check the CHUID if the 3E tag is not present. But you have 3E with zero length. It is not clear how Windows handles this. Consider removing the 3E 00.

diff --git a/tool/yubico-piv-tool.c b/tool/yubico-piv-tool.c
index 9786afc..630e353 100644
--- a/tool/yubico-piv-tool.c
+++ b/tool/yubico-piv-tool.c
@@ -55,9 +55,9 @@ unsigned const char chuid_tmpl[] = {
0x83, 0x68, 0x58, 0x21, 0x08, 0x42, 0x10, 0x84, 0x21, 0x38, 0x42, 0x10, 0xc3,
0xf5, 0x34, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x35, 0x08, 0x32, 0x30, 0x33, 0x30, 0x30,

  • 0x31, 0x30, 0x31, 0x3e, 0x00, 0xfe, 0x00,
  • 0x31, 0x30, 0x31, 0xfe, 0x00,
    };
    -#define CHUID_GUID_OFFS 28
    +#define CHUID_GUID_OFFS 29

unsigned const char sha1oid[] = {
0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00,
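Review bot: Dropping `0x3e, 0x00` from chuid_tmpl shortens the object by two bytes, but the bytes before line 55 are outside this hunk, so any length field that precedes the FASC-N element cannot be checked here; please confirm it is adjusted in the same change. The new `#define CHUID_GUID_OFFS 29` is still a hard-coded index into a table that this very hunk edits, so the off-by-one can come back with the next edit; the context line shows the GUID tag and length as `0xf5, 0x34, 0x10, ...`, so consider deriving the offset from the position of that `0x34, 0x10` pair, or at least guarding it with a check such as `chuid_tmpl[CHUID_GUID_OFFS - 2] == 0x34 && chuid_tmpl[CHUID_GUID_OFFS - 1] == 0x10` before the random bytes are written.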
@@ -469,7 +469,7 @@ static bool set_chuid(ykpiv_state *state, int verbose) {
return false;
}
if(verbose) {

  • fprintf(stderr, "Setting the GUID to: ");
  • fprintf(stderr, "Setting the CHUID to: ");
    dump_hex(chuid, sizeof(chuid));
    fprintf(stderr, "\n");
    }
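
As an added example (not the tool's code and not a patch to it), the helpers below take the approach the report argues for: locate the GUID by walking the CHUID's simple-TLV elements (one-byte tag, one-byte length) instead of hard-coding its offset, and check that the element found is exactly 16 bytes long before writing into it. SAMPLE_CHUID is a constructed body with a 25-byte FASC-N placeholder, the 16-byte GUID, an 8-byte expiration date and empty 3E and FE elements; in that layout the GUID value starts at offset 29, consistent with the report, and the last function shows what writing 16 bytes at offset 28 does to the length byte.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Finds a top-level simple-TLV element (one-byte tag, one-byte length, as
 * the CHUID's members use).  Returns 1 with *value_off / *value_len set, or
 * 0 if the tag is absent or a length runs past the buffer. */
int tlv_find(const uint8_t *buf, size_t len, uint8_t tag,
             size_t *value_off, size_t *value_len) {
    size_t pos = 0;
    while (pos + 2 <= len) {
        uint8_t t = buf[pos];
        size_t  l = buf[pos + 1];
        if (pos + 2 + l > len) return 0;          /* malformed: length overruns */
        if (t == tag) { *value_off = pos + 2; *value_len = l; return 1; }
        pos += 2 + l;
    }
    return 0;
}

#define CHUID_TAG_GUID 0x34
#define GUID_LEN 16

/* Writes a 16-byte GUID into the CHUID's 0x34 element, located by tag.
 * Returns 1 on success, 0 if the element is missing or not 16 bytes long,
 * so the tag and length bytes can never be overwritten. */
int chuid_set_guid(uint8_t *chuid, size_t len, const uint8_t guid[GUID_LEN]) {
    size_t off, vlen;
    if (!tlv_find(chuid, len, CHUID_TAG_GUID, &off, &vlen) || vlen != GUID_LEN)
        return 0;
    memcpy(chuid + off, guid, GUID_LEN);
    return 1;
}

/* Constructed CHUID body (not the tool's template): FASC-N placeholder,
 * GUID, expiration date, empty issuer signature, empty error detection code. */
static const uint8_t SAMPLE_CHUID[] = {
    0x30, 0x19, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,   /* FASC-N, 25 bytes */
    0x34, 0x10, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,                     /* GUID, 16 bytes */
    0x35, 0x08, '2','0','3','0','0','1','0','1',                     /* expiration date */
    0x3e, 0x00,                                                      /* issuer asymmetric signature */
    0xfe, 0x00                                                       /* error detection code */
};

/* Offset of the GUID value in SAMPLE_CHUID, found by tag (-1 if absent). */
int sample_guid_offset(void) {
    size_t off, vlen;
    return tlv_find(SAMPLE_CHUID, sizeof SAMPLE_CHUID, CHUID_TAG_GUID, &off, &vlen)
           ? (int)off : -1;
}

/* Fills the GUID by tag and checks that the tag, the length byte and the
 * element that follows survive.  Returns 1 when everything is intact. */
int tag_based_write_is_safe(void) {
    uint8_t chuid[sizeof SAMPLE_CHUID];
    uint8_t guid[GUID_LEN];
    memcpy(chuid, SAMPLE_CHUID, sizeof chuid);
    memset(guid, 0xA5, sizeof guid);                /* constructed, not random */
    if (!chuid_set_guid(chuid, sizeof chuid, guid)) return 0;
    size_t off = (size_t)sample_guid_offset();
    return chuid[off - 2] == 0x34 && chuid[off - 1] == 0x10 &&
           chuid[off] == 0xA5 && chuid[off + GUID_LEN - 1] == 0xA5 &&
           chuid[off + GUID_LEN] == 0x35;
}

/* Reproduces the off-by-one: 16 bytes written one position too early land
 * on the 0x10 length byte, after which the GUID element can no longer be
 * parsed.  Returns 1 when that corruption is observed. */
int offset_28_corrupts_length(void) {
    uint8_t chuid[sizeof SAMPLE_CHUID];
    size_t off, vlen;
    memcpy(chuid, SAMPLE_CHUID, sizeof chuid);
    memset(chuid + sample_guid_offset() - 1, 0xA5, GUID_LEN);
    return chuid[28] != 0x10 &&
           !tlv_find(chuid, sizeof chuid, CHUID_TAG_GUID, &off, &vlen);
}
```

Once the length byte reads 0xA5 (165) the element claims to extend far past the buffer, which is the "incorrect parsing" the report describes; tlv_find refuses such input rather than reading past the end.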

Use as SDK for Go

Could someone write documentation on how to use the Yubico PIV Tool with Go (or C) as an SDK?
It would be great to have an easy and secure API for developing solutions with Yubico. There are several PKCS#11 wrappers, but I would prefer to use a secure API provided by the Yubico community.

Side-effects of enforcing parity on 3DES keys

I'm writing an issue here, which is an excerpt from a conversation I had on the forums concerning a separate but related issue.

In addition to several fixes with respect to yubico-piv-tool's handling of PIV management keys (hex_decode failing, etc.), yubico-piv-tool version 0.1.4 enforces DES parity on the key entered as a parameter.

I do want to point out that enforcing DES parity bits actually makes things significantly more complicated for users and doesn't inherently add any security value. It breaks compatibility with all current tools wrapping yubico-piv-tool, in addition to contrasting with existing documentation for provisioning NEO tokens and NEO CAs. The additional level of effort to provide this as input using scripts can be seen here: http://forum.yubico.com/viewtopic.php?f=26&t=1729

The state of cryptographic tools is hindered, not helped, by DES implementations that require parity bits to be properly set. They tend to exist in legacy implementations with new versions of software treating keys with and without proper parity identically since they are identical, cryptographically speaking.

Is there a reason this change is inextricably tied to the hex_decode (or some other) change in this version? Based on my understanding, these are independent. Based on the day-1 threads on the forum struggling with the change and my own efforts to repair tooling around the new version, I would like to request a revert of this feature.
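
To make the "cryptographically identical" argument above concrete, an added example that is not the tool's code: DES reads 56 bits of each 64-bit key half, the low bit of every byte being a parity bit, so two keys that differ only in those bits select the same DES key. The helpers check and repair odd parity on a 24-byte 3DES key and compare the effective 56-bit halves. The sample key is the default management key listed in the man page above; as the code shows, its bytes 03, 05 and 06 do not have odd parity, so a strict parity check rejects it while a repaired copy keeps every effective key bit.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DES3_KEY_LEN 24

/* 1 if the byte has an odd number of set bits (the DES parity convention). */
static int byte_has_odd_parity(uint8_t b) {
    int ones = 0;
    for (int i = 0; i < 8; i++) ones += (b >> i) & 1;
    return ones & 1;
}

/* 1 if every key byte has odd parity, as strict DES implementations demand. */
int des_key_parity_ok(const uint8_t *key, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (!byte_has_odd_parity(key[i])) return 0;
    return 1;
}

/* Sets the low (parity) bit of each byte so the byte has odd parity.  The
 * upper seven bits, the ones DES actually uses, are untouched.
 * Returns how many bytes were changed. */
size_t des_key_fix_parity(uint8_t *key, size_t len) {
    size_t changed = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t upper = key[i] & 0xFE;
        uint8_t fixed = upper | (byte_has_odd_parity(upper) ? 0 : 1);
        if (fixed != key[i]) { key[i] = fixed; changed++; }
    }
    return changed;
}

/* 1 if two keys agree on all effective bits (everything except parity bits). */
int des_keys_equivalent(const uint8_t *a, const uint8_t *b, size_t len) {
    for (size_t i = 0; i < len; i++)
        if ((a[i] & 0xFE) != (b[i] & 0xFE)) return 0;
    return 1;
}

/* The default management key from the man page above: three identical
 * DES halves 01..08. */
static const uint8_t DEFAULT_MGM_KEY[DES3_KEY_LEN] = {
    0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
    0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
    0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
};

/* 0: the default key does not pass a strict parity check. */
int default_key_parity_ok(void) {
    return des_key_parity_ok(DEFAULT_MGM_KEY, DES3_KEY_LEN);
}

/* Repairs a copy of the default key; returns the number of bytes changed. */
size_t default_key_bytes_changed(void) {
    uint8_t k[DES3_KEY_LEN];
    memcpy(k, DEFAULT_MGM_KEY, sizeof k);
    return des_key_fix_parity(k, sizeof k);
}

/* Byte i of the repaired default key, or -1. */
int fixed_default_key_byte(size_t i) {
    uint8_t k[DES3_KEY_LEN];
    memcpy(k, DEFAULT_MGM_KEY, sizeof k);
    des_key_fix_parity(k, sizeof k);
    return i < sizeof k ? k[i] : -1;
}

/* 1: the repaired key passes the parity check and selects the same DES key
 * bits as the original. */
int fixed_default_key_equivalent(void) {
    uint8_t k[DES3_KEY_LEN];
    memcpy(k, DEFAULT_MGM_KEY, sizeof k);
    des_key_fix_parity(k, sizeof k);
    return des_key_parity_ok(k, sizeof k) &&
           des_keys_equivalent(k, DEFAULT_MGM_KEY, sizeof k);
}
```

Repairing the default key changes three bytes per half (03 becomes 02, 05 becomes 04, 06 becomes 07), nine bytes in all, and the result is the same 168-bit 3DES key as far as the cipher is concerned. Whichever side of the revert question one takes, a tool that repairs parity silently and one that rejects the key are operating on identical key material.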
