When configuring the ECCP256 algorithm certificate, XShell directly crashes when using PKCS11 for authentication connection. #3073
Comments
PIV type cards determine the type and size of a key from the certificate that is stored on the card in the SubjectPublicKeyInfo. Some possible problems:
An OpenSC debug log would help, as would
pkcs15-tool --read-certificate 01 | openssl x509 -text -noout
Using reader with a card: Yubico YubiKey FIDO+CCID 0
Warning: Reading certificate from stdin since no -in or -new option is given
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN=yubico
Validity
Not Before: Mar 18 04:42:21 2024 GMT
Not After : Mar 18 04:42:21 2025 GMT
Subject: CN=yubico
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
ASN1 OID: prime256v1
NIST CURVE: P-256
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
OpenSC 0.20.0 is some years old. Can you try with a more recent version or master? Do you have some backtrace from the crash? The operations look successful in all the examples you provided.
@Z1Turn0 in the output from #3073 (comment) did you blank out the "Serial Number", "pub:" and "Signature:"? If not, it looks like ykman only wrote the minimal information to let the PIV driver know there is a private key. What is output of https://netsarang.atlassian.net/wiki/spaces/ENSUP/pages/2086437094/SSH+access+via+PIV+smart+card+using+CAPI Do you see any indications that XShell using PKCS11 supports using ECC keys? All examples I have seen are RSA.
Because it crashed using the latest release version, I finally changed to version 0.20.0, as in the xshell document.
Yes, I deleted the printout of the "Serial Number", "pub:" and "Signature:".
I thought that the certificate algorithm is handled by opensc middleware, so I didn't consider whether xshell supports ecc ... |
What is output of Can you try using putty.
That is not clear. Also try using OpenSC SPY to get a trace of PKCS11 calls and get an opensc debug log. See: https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC
pkcs15-tool.exe --read-ssh-key 01
Using reader with a card: Yubico YubiKey FIDO+CCID 0
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCbFQO09NGnBtLwqgMpKTi3NNroOtAw74pIOsGaU1kDC5OtxgJm0lQ1Otg9MEmZR+cVEvVIYPHhDMQvD/yIbF5c= PIV AUTH pubkey
I would say it's a bug in the xshell. I do not see any indication of opensc functions in the backtrace and as the key can be used ok with the pkcs15-tool, there is not much we can do, except for recommending to use another ssh client. There is Putty-CAC, which (regardless of the name), should work with any smart cards and PKCS#11.
This looks more promising. Can you get an OpenSC debug log from this operation?
Also run https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/pkcs15-piv.c#L534 list the default usage for the 01 cert i.e. 9A key. If this is a non government PIV then here is where the certificate's keyUsage is obtained: You may also want to try Yubico's PKCS11 module: Yubico/yubico-piv-tool#223 it is old but points out you may need to generate a CSR, have it signed by a CA so it has the correct keyUsage.
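To make the point about the SubjectPublicKeyInfo concrete, here is an added example that is not part of this issue, OpenSC or ykman: it takes the ecdsa-sha2-nistp256 line that pkcs15-tool printed above, unpacks the OpenSSH wire format to get the raw P-256 point, wraps that point in the same id-ecPublicKey / prime256v1 SubjectPublicKeyInfo a PIV certificate would carry, and then reads key type, curve and size back out of the DER the way a PIV driver has to. It also handles an rsaEncryption SPKI so the RSA2048 and ECCP256 cases from the report can be compared side by side; the RSA modulus is a constructed placeholder, not a real key. Standard library only, so it runs without OpenSC or a card present.

```python
"""Determine key type and size from SubjectPublicKeyInfo, as a PIV driver does.
Added example; DER helpers cover only what an SPKI needs. Standard library only."""
import base64
import struct

# Constructed from the line the reporter got from `pkcs15-tool --read-ssh-key 01` (slot 9A).
SSH_KEY_LINE = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCbFQO09NGnBtLwqgMpKTi3NNroOtAw74pIOsGaU1kDC5OtxgJm0lQ1Otg9MEmZR+cVEvVIYPHhDMQvD/yIbF5c= PIV AUTH pubkey"

OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"       # id-ecPublicKey
OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"   # rsaEncryption
OID_P256 = "1.2.840.10045.3.1.7"              # prime256v1 / NIST P-256
CURVES = {OID_P256: ("P-256", 256), "1.3.132.0.34": ("P-384", 384)}


def tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der(tag, body):
    """Encode a TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        hdr = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        hdr = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + hdr + body


def der_int(value):
    """INTEGER: big-endian bytes with a leading 0x00 when the top bit would be set."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                    # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def ssh_strings(blob):
    """Split an OpenSSH wire blob into its uint32-length-prefixed strings."""
    out, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        out.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return out


def parse_ssh_ecdsa(line):
    """Return (key type, curve name, uncompressed point) from an authorized_keys-style line."""
    keytype, b64 = line.split()[:2]
    parts = ssh_strings(base64.b64decode(b64))
    if len(parts) != 3 or parts[0].decode() != keytype:
        raise ValueError("not an OpenSSH ECDSA public key")
    return keytype, parts[1].decode(), parts[2]


def spki_ec_p256(point):
    """SubjectPublicKeyInfo for an id-ecPublicKey key on prime256v1."""
    alg = der(0x30, der(0x06, encode_oid(OID_EC_PUBLIC_KEY)) + der(0x06, encode_oid(OID_P256)))
    return der(0x30, alg + der(0x03, b"\x00" + point))   # BIT STRING, 0 unused bits


def spki_rsa(modulus, exponent=65537):
    """SubjectPublicKeyInfo for rsaEncryption; the key body is RSAPublicKey { n, e }."""
    alg = der(0x30, der(0x06, encode_oid(OID_RSA_ENCRYPTION)) + b"\x05\x00")  # NULL params
    pub = der(0x30, der_int(modulus) + der_int(exponent))
    return der(0x30, alg + der(0x03, b"\x00" + pub))


def inspect_spki(spki):
    """Derive (algorithm, curve or None, key size in bits) from an SPKI alone."""
    _, body, _ = tlv(spki)
    _, alg, after_alg = tlv(body)
    _, keybits, _ = tlv(body, after_alg)
    _, oid, after_oid = tlv(alg)
    oid = decode_oid(oid)
    key = keybits[1:]                       # drop the BIT STRING unused-bits byte
    if oid == OID_EC_PUBLIC_KEY:
        _, curve_oid, _ = tlv(alg, after_oid)
        name, bits = CURVES[decode_oid(curve_oid)]
        if key[0] != 0x04 or len(key) != 1 + 2 * (bits // 8):
            raise ValueError("EC point does not match the named curve")
        return "EC", name, bits
    if oid == OID_RSA_ENCRYPTION:
        _, rsapub, _ = tlv(key)
        _, n, _ = tlv(rsapub)
        return "RSA", None, int.from_bytes(n, "big").bit_length()
    raise ValueError("unsupported public key algorithm " + oid)


def describe_reporter_key():
    """The reporter's key through the same path: SSH line -> SPKI -> (alg, curve, bits)."""
    _, _, point = parse_ssh_ecdsa(SSH_KEY_LINE)
    return inspect_spki(spki_ec_p256(point))


if __name__ == "__main__":
    print(describe_reporter_key())                        # ('EC', 'P-256', 256)
    # Constructed placeholder modulus with its top bit at 2047; not a real RSA key.
    print(inspect_spki(spki_rsa((1 << 2047) | 0x10001)))  # ('RSA', None, 2048)
```

The result for the reporter's slot 9A key is a valid 256-bit EC key on P-256, which is what both pkcs15-tool and openssl reported above; a client that only expects the RSA layout (SEQUENCE of two INTEGERs inside the BIT STRING) will find an uncompressed point there instead, which is the kind of mismatch a PKCS#11 trace would show on the XShell side.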
Problem Description
I am using a YubiKey 5 for SSH connections.
When configuring the ECCP256 algorithm certificate, XShell directly crashes when using PKCS11 for authentication connection.
But in the same environment, everything works fine when configuring the RSA2048 certificate.
Proposed Resolution
Support ECCP256 algorithm for PKCS11.
Steps to reproduce
Steps like SSH Connections with YubiKey PKCS#11 User Authentication (PIV).
The difference is that yubikey generates the key.
RSA2048:
ykman piv keys generate -a RSA2048 --pin-policy=once --touch-policy=always 9a pubkey.pem
ykman piv certificates generate --subject "yubico" 9a pubkey.pem
ECCP256:
ykman piv keys generate -a ECCP256 --pin-policy=once --touch-policy=always 9a pubkey.pem
ykman piv certificates generate --subject "yubico" 9a pubkey.pem
With ECCP256, xshell crashes directly or becomes unresponsive when it connects.
Logs