Yubico Forum

Re: [BUG] S/MIME Mail Signing / Decryption not working

2016-02-16T20:01:51+01:00

I've had problems with Thunderbird decrypting S/MIME on different machines with different PKCS11 middleware (including Windows). So I'm certain there's something about Thunderbird itself.

I've also successfully did signature & verification (using RSA and ECC), and encryption & decryption (using RSA) with Yubikey NEO and Yubikey 4 on Mac, using Apple Mail, MS Outlook 2011, and Thunderbird.

Apple Mail often loses track of the token authentication status, and fails to sign outgoing. Possibly Yubikey's problem, but people were reporting similar issues with DoD CAC.

Thunderbird on some Mac boxes is very unreliable and refuses to send encrypted. Observed only with Yubikey on Mac (so far ), works reliably on other platforms with other tokens and middleware.

Thunderbird on many different boxes refuses to decrypt when the decryption key is on a hardware token. This was evidenced consistently on several different platforms with several different token types and different middleware. Definitely not a Yubikey problem.

Statistics: Posted by Uriel — Tue Feb 16, 2016 8:01 pm

Re: [BUG] S/MIME Mail Signing / Decryption not working

2016-02-16T13:11:21+01:00

For further information, we also tested another USB-based token device that stores s/mime certificates and uses the opensc-pkcs11 module. It works on the same machine using the same software stack without issues. IMHO that strengthens my assumption, that it is a yubikey-related issue.

Statistics: Posted by tzn — Tue Feb 16, 2016 1:11 pm

Re: [BUG] S/MIME Mail Signing / Decryption not working

2016-02-15T17:03:07+01:00

I managed to set-ccc by setting a new management key but that did not change anything. The error still persists.

Statistics: Posted by tzn — Mon Feb 15, 2016 5:03 pm

Re: [BUG] S/MIME Mail Signing / Decryption not working

2016-02-15T15:16:54+01:00

After removing anything smartcard related from the system, then reinstalling the yubico packages using the yubico PPA I now have the newest stable version of yubico-piv-tool. Obviously, the one in the official ubuntu PPA is outdated.

Checking the status:

Code:

> yubico-piv-tool -a status
CHUID: 
CCC:   No data available
Slot 9c:   
   <...> 
Slot 9d:   
    <....>
PIN tries left:   3

So indeed, CCC is apparently not set. However, I can't do set-ccc due to some authentication problem that I can't get around:

Code:

> yubico-piv-tool -a set-ccc
Failed authentication with the application.

In fact, I can't do anything that requires authentication (reset, set-mgm-key, ...). I never changed the management key and it should be default.

Also, I wonder, if "set-ccc" is such a critical setting, why is there no documentation about it, and why is this option not included in the stable ubuntu PPA release? Not even the yubico-piv-tool documentation https://www.yubico.com/wp-content/uploads/2015/04/Yubico-PIV-Management-Tools_v1.0.pdf mentions it.

Statistics: Posted by tzn — Mon Feb 15, 2016 3:16 pm

Re: [BUG] S/MIME Mail Signing / Decryption not working

2016-02-15T10:00:59+01:00

Uriel wrote:

Just to make sure: did you fully initialize your Yubikey NEO with yubico-piv-tool? You need to look at "set-chuid" and "set-ccc". Without these two your Yubikey is not PIV-compliant enough for other software to use it.

I would like to verify that, unfortunately, my system suddenly does not recognize any smart card reader anymore.

Code:

> yubico-piv-tool -a set-chuid
Failed to connect to reader.

Anyway, there does not seem to be a "set-ccc" option / action:

Code:

> yubico-piv-tool -a set-ccc
yubico-piv-tool: invalid argument, "set-ccc", for option `--action' (`-a')
> yubico-piv-tool --set-ccc
yubico-piv-tool: unrecognized option '--set-ccc'
> man yubico-piv-tool | grep set-ccc

Statistics: Posted by tzn — Mon Feb 15, 2016 10:00 am

Re: [BUG] S/MIME Mail Signing / Decryption not working

2016-02-12T23:14:46+01:00

Statistics: Posted by Uriel — Fri Feb 12, 2016 11:14 pm

[BUG] S/MIME Mail Signing / Decryption not working

2016-02-12T12:28:24+01:00

Hello,

we are trying to get S/MIME-based email signing and decryption working using Yubikey Neo and Yubikey 4 with Thunderbird / opensc on Linux. Unfortunately we always encounter the same problems.

Thunderbird cannot reliably communicate with Yubikey and always looses the reference to the certificate.

The first time we try to send a signed mail or decrypt a stored mail it works. Thunderbirds asks for the PIN (strangely called master password for some reason) and resumes operation as expected. However, after that, both signing and decryption ceases to function.

Trying to sign mails fails with:

Code:

Sending of the message failed.
You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired.

Decrypting mails fails with:

Code:

Thunderbird cannot decrypt this message
The sender encrypted this message to you using one of your digital certificates, however Thunderbird was not able to find this certificate and corresponding private key.

Sometimes Thunderbird will repeatedly ask for the "master password for PIV" without managing to log into the key, sometimes it will not ask at all. In any case it does not work.

The only solution we found so far was to eject and reinsert the Yubikey. Then the next single signing or decryption operation will succeed. After that, the error reoccurs.

We have confirmed that on two different machines running two newly installed flavors of Ubuntu. I am unsure whether this is Yubikey or opensc related, so it could as well be an opensc bug. But since opensc is apparently the only driver for Yubikey it's effectively a Yubikey problem.

Software:
xubuntu / ubunut-gnome 15.10 x86_64 4.2.0-27-generic
Thunderbird 38.5.1
OpenSC 0.15.0 [gcc 4.9.2]

Best regards

Statistics: Posted by tzn — Fri Feb 12, 2016 12:28 pm