
Attestation certificate for OpenPGP ENC slot has unparsable public key #402

ya-isakov opened this issue Apr 2, 2021 · 2 comments

ya-isakov commented Apr 2, 2021

  • YubiKey Manager (ykman) version: 4.0.0
  • How was it installed?: Gentoo package
  • Operating system and version: Gentoo
  • YubiKey model and version: YubiKey 5 NFC, Firmware version: 5.2.4
  • Bug description summary: openssl cannot parse the public key from the attestation certificate for the OpenPGP ENC key.

Steps to reproduce

  • Set the ENC slot to cv25519
  • Run ykman key attest ENC test.crt
  • Inspect the certificate with openssl x509 -in test.crt -text

Expected result

OpenSSL should show that everything is good :)

Actual results and logs

So, I have a key with all three slots set to use Curve25519/Ed25519:
Key attributes ...: ed25519 cv25519 ed25519
I can encrypt to my key via gpg, and on decryption gpg says: gpg: encrypted with 256-bit ECDH key
But when I attest this key via ykman key attest ENC test.crt and check test.crt with openssl x509 -in test.crt -text, it thinks the certificate has
Signature Algorithm: sha256WithRSAEncryption, and I also get this error:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:a8:12:c8:22:b7:d4:ec:52:44:c2:59:6b:d3:3b:2a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Yubikey OPGP Attestation
        Validity
            Not Before: Aug  1 00:00:00 2019 GMT
            Not After : Dec 17 00:00:00 2046 GMT
        Subject: CN = YubiKey OPGP Attestation DEC
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
            Unable to load Public Key
139714749192000:error:100D7010:elliptic curve routines:eckey_pub_decode:EC lib:crypto/ec/ec_ameth.c:168:
139714749192000:error:0B09407D:x509 certificate routines:x509_pubkey_decode:public key decode error:crypto/x509/x_pubkey.c:125:
... (skipped)

Other info

OpenSSL version is 1.1.1k.

Also, only the ENC slot has this problem; the other slots are fine.

ya-isakov commented Apr 2, 2021

I've just generated a new key via gpg --edit-card -> addcardkey, and still have the same problem.

Also, verification of the generated cert works, so it's only openssl that cannot parse the certificate.

@ya-isakov ya-isakov changed the title Attestation certificate for OpenPGP ENC slot thinks that type of key is RSA (it's cv25519) Attestation certificate for OpenPGP ENC slot has unparsable public key Apr 2, 2021
@dainnilsson
Member

Thanks for reporting! I've notified our firmware team of this; it looks like an incompatibility with how the public key is encoded in the certificate, which will likely be changed in a future version.
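A way to see which encoding the certificate's SubjectPublicKeyInfo actually uses, as an added example that is not part of this issue, of ykman or of the YubiKey firmware: the report does not include the certificate bytes, so the sample SPKIs below are constructed, and the OpenPGP Curve25519 OID is used only as one possible non-RFC 8410 encoding, not as a statement of what the YubiKey emits.

```python
# Added diagnostic, not ykman or YubiKey firmware code: walk the DER of a certificate
# such as test.crt and report how its SubjectPublicKeyInfo encodes the public key.
OID = {  # OBJECT IDENTIFIER contents -> name
    b"\x2a\x86\x48\xce\x3d\x02\x01": "id-ecPublicKey",    # 1.2.840.10045.2.1
    b"\x2b\x65\x6e": "id-X25519",                        # 1.3.101.110 (RFC 8410)
    b"\x2a\x86\x48\xce\x3d\x03\x01\x07": "prime256v1",   # 1.2.840.10045.3.1.7
}
# OpenPGP's Curve25519 OID 1.3.6.1.4.1.3029.1.5.1, used only for a constructed
# sample; the issue does not show which parameters the YubiKey actually emits.
OPENPGP_CV25519 = b"\x2b\x06\x01\x04\x01\x97\x55\x01\x05\x01"

def read_tlv(buf, pos=0):
    """Return (tag, value, end) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def spki_from_cert(cert_der):
    """Return the raw SubjectPublicKeyInfo SEQUENCE from tbsCertificate."""
    _, tbs, _ = read_tlv(read_tlv(cert_der)[1])
    tag, _, end = read_tlv(tbs)
    pos = end if tag == 0xA0 else 0                    # skip explicit [0] version
    for _ in range(5):                   # serial, signature, issuer, validity, subject
        pos = read_tlv(tbs, pos)[2]
    return tbs[pos:read_tlv(tbs, pos)[2]]

def classify_spki(spki_der):
    """Describe the key encoding and whether OpenSSL 1.1.1's EC decoder accepts it."""
    _, alg, _ = read_tlv(read_tlv(spki_der)[1])        # AlgorithmIdentifier
    _, oid, end = read_tlv(alg)
    params, name = alg[end:], OID.get(oid, oid.hex())
    if name == "id-X25519" and not params:
        return "X25519 per RFC 8410: loadable"
    if name != "id-ecPublicKey":
        return "algorithm " + name + ": not an EC key, not checked here"
    if params[:1] != b"\x06":                          # explicit or absent parameters
        return "id-ecPublicKey without namedCurve: inspect parameters manually"
    curve = OID.get(read_tlv(params)[1], read_tlv(params)[1].hex())
    if curve == "prime256v1":
        return "id-ecPublicKey prime256v1: loadable"
    return "id-ecPublicKey namedCurve " + curve + ": fails in eckey_pub_decode unless OpenSSL has this EC group"

def der(tag, value):
    """Short-form DER TLV, used here only to build constructed samples."""
    return bytes([tag, len(value)]) + value

# Constructed sample SPKIs (the issue does not include the certificate bytes).
SPKI_X25519 = der(0x30, der(0x30, der(0x06, b"\x2b\x65\x6e")) + der(0x03, b"\x00" + b"\x11" * 32))
SPKI_OPENPGP = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")
                        + der(0x06, OPENPGP_CV25519)) + der(0x03, b"\x00\x40" + b"\x22" * 32))
```

For a real test.crt, convert it to DER (openssl x509 -in test.crt -outform DER) and pass the bytes through spki_from_cert and then classify_spki.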
