Yubico Forum ...visit our web-store at 2015-03-13T15:33:21+01:00 https://forum.yubico.com/feed.php?f=26&t=1657 2015-03-13T15:33:21+01:00 2015-03-13T15:33:21+01:00 https://forum.yubico.com/viewtopic.php?t=1657&p=7026#p7026 <![CDATA[Re: yubico-piv-tool, ECCP256 and ssh]]> have you found out a solution to this?

I'd love to use ECC keys, but without PKCS11 support it will not work. I looked around for possibility of adding the support but couldn't find anything (and I'm not a developer).

Statistics: Posted by zviratko — Fri Mar 13, 2015 3:33 pm

]]> 2014-12-14T21:43:10+01:00 2014-12-14T21:43:10+01:00 https://forum.yubico.com/viewtopic.php?t=1657&p=6508#p6508 <![CDATA[Re: yubico-piv-tool, ECCP256 and ssh]]>
Code:
pkcs11-tool --module /lib64/opensc-pkcs11.so  --sign --slot 1 --id 02 -m ECDSA --input-file wombat --output-file wombat-signed


The problem looks like it's with openssh. The man page for ssh_config mentions that the PKCS11Provider reads RSA keys (no mention of ECC) and a quick scan of the source code at https://github.com/openssh/openssh-port ... h-pkcs11.c seems to confirm this.

Cheers
Guy

Statistics: Posted by evansguy — Sun Dec 14, 2014 9:43 pm

]]> 2014-12-12T19:17:21+01:00 2014-12-12T19:17:21+01:00 https://forum.yubico.com/viewtopic.php?t=1657&p=6498#p6498 <![CDATA[Re: yubico-piv-tool, ECCP256 and ssh]]> Statistics: Posted by evansguy — Fri Dec 12, 2014 7:17 pm

]]> 2014-12-12T16:08:20+01:00 2014-12-12T16:08:20+01:00 https://forum.yubico.com/viewtopic.php?t=1657&p=6497#p6497 <![CDATA[Re: yubico-piv-tool, ECCP256 and ssh]]>
This may not be a complete answer, but the pkcs11 module doesn't support ECC.

Could you double check?

Statistics: Posted by Tom2 — Fri Dec 12, 2014 4:08 pm

]]> 2014-12-12T10:58:20+01:00 2014-12-12T10:58:20+01:00 https://forum.yubico.com/viewtopic.php?t=1657&p=6494#p6494 <![CDATA[yubico-piv-tool, ECCP256 and ssh]]>
I've got my yubikey neo working with a RSA public/private key and ssh. However, I can't get it to work with the elliptic curve algorithm ECCP256.

The steps that I've done :-

Code:
yubico-piv-tool -s 9a -a generate /usr/lib/x86_64-linux-gnu/opensc-pkcs11.sote -A ECCP256 -o public-ecc.pem
yubico-piv-tool -a verify-pin -P 123456 -a selfsign-certificate -s 9a -S "/CN=Guy Evans ECC key/" -i public-ecc.pem -o ecc-cert.pem
yubico-piv-tool -a import-certificate -s 9a -i ecc-cert.pem


Which all seem to run ok, however, when I run

Code:
ssh-keygen -D /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so


I get the error C_GetAttributeValue failed: 18.

I can use ssh-keygen to convert the public-ecc.pem file directly and copy that to authorized_keys. However, when I attempt to login with ssh -I /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so I get the same error.

pkcs15-tool --list-public-keys shows the key. pkcs15-tool --read-public-key comes back with a "not implemented" error (but also does the same for a RSA key). pkcs15-tool --read-certificate correctly outputs the certificate that was imported.

Cheers
Guy

Statistics: Posted by evansguy — Fri Dec 12, 2014 10:58 am

]]>