-
Notifications
You must be signed in to change notification settings - Fork 712
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OpenSC PIV doesn't expose all available Yubikey 4 slots #847
Comments
NIST 800-73-3 defines the Key History Object which has a The OpenSC PIV driver is following the NIST specs and tries to read the Key (The OpenSC PIV driver will read from the user's home directory the offline Note the key usage for these keys is for key management not signatures, The The proper way to deal with is is add a KeyHistoryObject to the card. http:https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf On Sat, Aug 6, 2016 at 3:17 PM, Jonathan Rudenberg <[email protected]
|
The Yubikey 4 allows using all 24 keypairs/certificates for any purpose, and does not expose a Key History Object. Since I don't work at Yubico and the devices are not flashable, there is no way to expose the "Key History Object". Thus in order for the additional 20 keys to be accessible to OpenSC's PIV driver it would need to be modified to support the way the Yubikey does things. |
The Yubico-piv-tool can be used to write objects. One just has to create a NIST 800-73 defines the usage, and the keys must be in order. So this is On Sat, Aug 6, 2016 at 4:56 PM, Jonathan Rudenberg <[email protected]
|
The OpenSC PIV driver was written to match NIST 800-73 3, as are most card 800-73-3 has 4 parts: The Key History Object is well defined in 800-73-3. On Sat, Aug 6, 2016 at 7:10 PM, Douglas E Engert [email protected] wrote:
|
Thanks for the pointer, I was able to write the object and now OpenSC sees the keys. However, it won't let me use the keys in the retired slots for for signatures, reporting:
Here's the whole object dump: https://gist.github.com/titanous/d76eb86c7e9dcf76aaf2858d74ff3faf And in case anyone is wondering, here's the command to write the Key History object specifying 20 keys with on-card certificates:
|
NIST 800-73-3 calls the certificates (and keys) "Retired X.509 For the NEO, Something could be added onto #816. This might be a flag in I believe Yubico wrote an almost PIV applet was to allow the NEO to be used I can look at this after Aug 15. . On Sun, Aug 7, 2016 at 7:44 PM, Jonathan Rudenberg <[email protected]
|
FWIW this is the Yubikey 4, which is newer than the NEO. I think the NEO only has the standard 4 slots, not the extra 20 key management slots. And yeah, it is not intended to be a normal PIV card, all 24 keys should be allowed to do both ECDSA and ECDH or RSA signing and decryption. I'm happy to test anything you come up with when you get back, and I'd also be willing to order a Yubikey 4 and send it to you if that would make things easier. Just send me an email (address in my GitHub profile) if you'd like me to do that. I'm not worried about native Windows support right now, I just want to be able to use all of the keys via the OpenSC PKCS11 interface. Thanks! |
I was not aware that "Retired keys" could be used for anything but Key Management (because the only reasonable employment of retired keys IMHO is decrypting data that was encrypted before that key got retired). Frankly, any other use does not make sense to me. The reported error So while Yubico indeed wrote "almost PIV" applets for NEO and (later) Yubikey 4, I would not expect any PIV to be able to sign with retired keys. |
The card-piv.c and pkcs15-piv.c code is enforcing the key usage policies as The user wants to use the keys and certs for other purposes not compliant I plan to allow the Yubico devices to do what the user wants, as these On Mon, Aug 8, 2016 at 9:33 PM, Mouse [email protected] wrote:
|
Well, maybe Yubico does enforce Key Usage on the Retired keys? Especially Yubikey 4, that they tried to make stricter and more conformant? Also, while Yubico does not follow all the policies, those devices seem to follow enough of the PIV policies to be very useful (to us at least) as an affordable convenient PIV-compatible token. I just completed integration of PIV login with Active Directory - using Yubikey NEO as the test-card. Worked wonders. I'll probably keep using it as my PIV token even after PIV smart card get provisioned and deployed. Back to the retired keys. Maybe in this case we should not allow the user to do every P.S. You probably know that while CAC signing keys are not replaceable, one can request a copy of his CAC encrypting key pair? So the usefulness/necessity of retired keys IMHO is fairly low. |
They do not in their YKCS11 library or on the key itself. My use cases are code signing, SSH, and GPG, none of which require strict compliance with the PIV standard. Having more key slots available is really useful, especially since the hardware supports it. I believe that using the key usage attributes from the certificate in the slot is a reasonable tradeoff. |
I don't have access to AD anymore. I assume you are using the built in As for copies of any of the encryption keys,they are normally escrowed by As for the keyUsage, the security of the system depends on the key, I will look at the key usages in certificates on the NIST demo cards, and On Tue, Aug 9, 2016 at 9:51 PM, Mouse [email protected] wrote:
|
Well, I'll leave this to you and @dengert .
No, I'm using OpenSC on Mac, with my fork of OpenSC.tokend. As that was the purpose of that exercise - to get Mac users login using PIV-compliant smart cards, via AD.
Thanks, regarding this aspect I had all the luck I needed. Participants of the Mac 2-factor pilot have NEOs. When the time comes to deploy wider - (hopefully) PIV smart cards (that you can print on, etc) would be available.
Exactly! And the above does not apply to signing/authenticating keys, only to encrypting ones. |
Interestingly, once I've added the Key History Object to the card, Keychain stopped recognizing the token as PIV:
@dengert, how do I delete Key History object from the token, so I can be sure it was the cause of the problem? |
https://github.com/OpenSC/OpenSC/wiki/PivTool#clear-a-certificate-on-the-card
Douglas E. Engert [email protected] |
This is a first cut at allowing the certificate associated with a Retired Key to specify the keyUsage for the key. It requires PR #852 It only works for Yubico4 or NEO PIV like tokens which loosly follow the NIST 800-73 specifications. But the PIV specifications defines the "Retired Keys" as retired key management keys which have a single purpose use. @titanous This needs a lot of testing so is not a PR yet. I am looking for comments. |
I agree. But it doesn't (yet?).
Pardon me, what command? How should the complete command look like? I tried this without success:
That seemed to work: Thanks! P.S. Somebody somewhere must note and warn the user that enabling this thing will not only break the PIV standard compatibility, but likely disable the token for all the other PIV purposes on Mac, like email signing, etc. |
What command? Read : https://github.com/OpenSC/OpenSC/wiki/PivTool#clear-a-certificate-on-the-card Someone? Should be Yubico, its thier device. They claim its PIV and OpenSC compatable. It has many issues. It could be the MacOS keychain problem, or the user who wrote the Key History Object on the device. This issue #847 is experimental, and needs lots of testing. |
Well, since the other way worked, I guess the details are unnecessary.
True, but I've been successfully using both NEO and 4 for pretty much everything on Mac now: smartcard logon (local and using Active Directory), screen unlock, application access (native Apple apps like Mail andSafari), access by OpenSSL (with libp11). Yes, I haven't made any use of retired certs - too bad. Chalk it off to PIV incompatibility of NEO, and tokend imperfection with Yubikey 4. I personally don't care. My usage model does not have room for 20 retired Key Management keys on my token, let alone for standard "extension" of using those 20 keys for whatever other purpose the user decides to.
Or the tokend...
True. Perhaps it could stay as a patch rather than being integrated into the master. Especially since there doesn't seem to be a whole lot of testers. |
If you don't write a key History Object the code is not used. If you start using the Key History Object and write the certificate(s) with the correct keyUsage (Key Encipherment for RSA or Key Agreement for EC) the PKCS#11 attributes should match the current code. You said you added a Key History Object. Did you also add private keys and certificates to match the number of keys listed in the KeyHistory Object? |
Good to know.
Hmm... No I did not... So that's the problem that bit me, in your opinion? |
Douglas E. Engert [email protected] |
First, thank you! I think I understand better now.
The "user" does not have this ability. Possession of the "Card management key" is the equivalent of being the IT/provisioning center. So this is like IT experimenting with a card before deployment. Needless to say, when I distribute cards/tokens, I don't give the management keys with them. ;-) |
Douglas E. Engert [email protected] |
Like everywhere else, an ability comes with responsibility. Any card you could buy must come with the ability to do something with it - like provisioning. If an organization (and we know that not all of them are competent :) or an individual buys such a token (or a bunch of them), the assumption is they either know how to use it, or know where/how to learn that. If not - whose fault is that? Speaking of other tokens, I've no idea whether OpenSC can be used to provision, e.g., Oberthur PIV cards - or they'd require a system that costs thousands of dollars (because I won't be buying such on my own dime anyway :). Yubico allows anybody to buy a few tokens and provision them for himself, his family, his friends. Plus, I suspect that the majority of Yubico token buyers use OTP and OpenPGP modes/applets (maybe now U2F mode). Regardless, I love the capabilities these tokens offer, for quite reasonable price. Perhaps other smart cards can be purchased and used the same way as Yubico PIV - that depends on whether they can be provisioned without specialized and expensive equipment. |
@titanous, Can you try #852 and dengert/OpenSC@740a41b with a Yubico with retired keys and certificates that have various keyUsage bit set? |
Yes, I'll do so this weekend. Thanks! |
Is there any progress about this matter? Since yubikeys are not exactly cheap, it would greatly reduce costs if all 24 key slots could be used for regular key use, and thus a single yubikey would cover what it takes three or four otherwise. regards |
@dengert Is this going to get released in a new version of OpenSC? I can't see the commit included in any of the latest releases. Cheers |
@madjam002 67ea96d it is in the master branch so should be in next release. @frankmorgner another request to get a 0.17.0 release.... |
@dengert That's great, thanks! 😄 |
I just wanted to say thx for this!! This feature is awesome, as we are also searching for a way to have more than one ssh key on the yubikey. Now only support for 4096bit rsa would need to be enabled on the PIV side on the yubikey. |
I am on opensc 0.17.0 and using trying to use a reserved slot with openvpn:
openvpn calls |
Yes you are missing something. You may need a Key History Object. This comment on how to say write a Key History Object to use 20 of the retired keys and certificates. #847 (comment) |
@dengert Nice, that works now. Thanks for the tip! |
This is getting quite old but I just used this info for ssh auth with slot 82 on yubikey 5 nfc. It works fine as expected. My use case is that I want my ssh auth to require touch so if I ever get hacked and someone is trying to trampoline out of my machine to somewhere else I'll be notified. However I sometimes need to fetch the android aosp and I don't want to touch 300+ times so for that I have another key which does not require touch in slot 82. If it helps, I did this as mentioned above:
Then I generated the certificate as follow:
If I understood correctly, the important bit here is the "keyUsage" part. If you don't have it you'll get what I had at first:
|
First, why are you using slot 82? Are the normal four slots not enough? Second - key usage your specified is only for CA to sign certificates. That could explain "key type inconsistent" error. Finally, "yubico-piv-tool" allows setting touch policy, but I don't remember/know whether the applet adds more restrictions (like, enforces "PIN Always" for signing keys). |
I'm sorry if my comment sounded like a question. Everything is working fine. I just dumped what I did so others could do the same if there use case matches mine. I'm using slot 82 because I'm already using 9a for is intended purpose and the other 3 slots had a very specific purpose, I didn't want to mess that up. I though if I would go against the standard and add an extra authentication key, I might as well use one of these extra slots. As for the key usage, I'm not familiar with this, what would you recommend for ssh public key authentication? keyAgreement? keyCertSign? |
"Digital Signature". Probably also "Key Encipherment" if your keys are RSA, or "Key Agreement" if they're ECC. |
Thanks for pointing that out, it makes a lot more sense. I'll edit my post to reflect the change. |
You said: "This is getting quite old but I just used this info for ssh auth with slot 82 on yubikey 5 nfc. It works fine as expected." Because of security risks, NIST 800-73-3 does not allow access to most objects and keys over the contactless interface (NFC) . Compliant PIV card enforces this. Yubico does not. Use at your own risk. NIST 800-73-4 does allow this contactless bur requires "VCI" using "Secure Messaging". I have recently obtained an approved demo card (populated with 25 certs/25 keys) the can do this, and have started implementing these optional features in the PIV driver. |
A lot of thank guys, this conversation finally solved my problem with my YubiKey 5 NFC too. After a lot of headache, thank to write the KeyHistory, Im able to store and use some others certs (tested already). I understand the "Retirement" importance, but in other hand is pretty useful we can able to use additional slots. Yubiko allow us disable NFC interface for PIV, can be... "dangerous" allow NFC for all applets. |
I'm at a loss, KeyHistory was enabled, can generate self-signed keys in retired slots using piv, |
hello ,i wonder how to revert this operation thanks alot. i mean "echo -n C10114C20100FE00 | yubico-piv-tool -k -a write-object --id 0x5FC10C -i -" |
I tested on a YK5 nfc. reinsert key ,i see my cert in windows certificate manager "certmgr.msc", but it can't be used actually. finally i delete slot 82 and test to use gui manager import my cert to 9a,9c,9d,9e slot how can i do to use retired slot cert in outlook or word |
Expected behaviour
When using the OpenSC PIV module, it should provide access to the 20 "retired" slots on the Yubikey 4. These slots don't appear to have any limitations and can be used in the same fashion as the other four slots on the device.
Actual behaviour
The 20 slots are not displayed when using the PIV module provided by OpenSC, but do appear when using the YKCS11 module from Yubico.
Logs
https://gist.github.com/titanous/57a8993894d457cadf8d2057f036d112
The text was updated successfully, but these errors were encountered: