Yubico Forum

PostPosted: Thu Jan 28, 2016 3:25 pm 
Hello all,

I am trying to use the YubiKey NEO as a smart card holding my X.509 S/MIME certificate and use that as a security device in both Thunderbird 38.5.1 and Firefox 44.0 on Xubuntu 15.10.

I have imported the key and cert to the yubikey:

Code:
sudo yubico-piv-tool -a import-cert -a import-key -s 9d -K PKCS12 -i smime.p12 -p pass


The key is loaded on the card:

Code:
yubico-piv-tool -a status
CHUID:   No data available
Slot 9a:   No data available.
Slot 9c:   No data available.
Slot 9d:   
   Algorithm:   RSA2048
   Subject DN:   xxx
   Issuer DN:            xxx
   Fingerprint:   xxx
   Not Before:   Jan 18 13:36:27 2016 GMT
   Not After:   Jan 17 13:36:27 2019 GMT
Slot 9e:   No data available.
PIN tries left:   3


OpenSC detects the reader:

Code:
opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Yubico Yubikey NEO OTP+U2F+CCID 00 00


pkcs15-tool lists the certificate:
Code:
pkcs15-tool --list-data-objects
Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID 00 00
<snip>
Data object 'X.509 Certificate for Key Management'
   applicationName: X.509 Certificate for Key Management
   applicationOID:  2.16.840.1.101.3.7.2.1.2
   Path:            0102
   Data (1448 bytes): 538XXXXXXXX0FE00
<snap>


I imported the certificate chain in Firefox and Thunderbird and set trust levels to trust them with everything.
I then loaded a new security device, trying the two modules
Code:
/usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so


Login with my PIN works, and I see my certificate and am able to set it in Thunderbird's security dialog for digital signing and encryption.

However, whenever I try to send a signed message, sending fails with the following error:

Code:
Sending of the message failed.
Unable to sign message. Please check that the certificates specified in Mail & Newsgroups Account Settings for this mail account are valid and trusted for mail.


Curiously, decryption of emails sent to me does indeed work, meaning the certificate is stored and accessed correctly.
I found a post somewhere that claims this is an issue with trust somewhere in the certificate chain. This cannot be the case here; I checked the chain and its trust multiple times, including resetting trust levels, deleting and reimporting the chain, and so on.

I'm stuck now.

Has anybody any idea why signing does not work?

TL;DR
Sending signed mails with Thunderbird using the YubiKey as a security device does not work. Decryption, however, works as expected. Any idea why?

Thank you all for any insights


PostPosted: Fri Jan 29, 2016 9:18 am 
I sort of figured it out. The certificate also has to be stored in slot 9c for signing.
To be able to both sign outgoing mails and decrypt incoming mails the certificate has to be stored in 2 slots, namely 9c and 9d. I don't know if there is a technical necessity for that, but it's a bit confusing and also seems to lead to further problems.

I am only able to send one (1) signed message. The first message I send can be signed. Thunderbird asks for the PIN, signs the message, and sends it out. But any subsequent attempt to sign mails leads to the same error as stated above.
Code:
Sending of the message failed.
Unable to sign message. Please check that the certificates specified in Mail & Newsgroups Account Settings for this mail account are valid and trusted for mail.

I have to either restart Thunderbird or reinsert the YubiKey every time I want to sign a message, which is basically for every new mail. That's not really usable.

Has anybody else seen that problem and maybe even has a solution?


Thank you all.
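
One way to run the check the poster ended up doing by hand (is the certificate present in both the 9c Digital Signature slot and the 9d Key Management slot?) over `yubico-piv-tool -a status` output of the shape shown in the first post. This is an added example, not code from the original posts or from Yubico; the slot roles are the PIV standard's, and the sample status text is constructed.

```python
import re

# PIV slot roles per the PIV standard (slot numbers as used in the thread).
SLOT_ROLES = {"9a": "PIV Authentication", "9c": "Digital Signature / signing",
              "9d": "Key Management / decryption", "9e": "Card Authentication"}

# Constructed sample shaped like the `yubico-piv-tool -a status` output above:
# the certificate sits only in slot 9d, the state in which signing fails.
SAMPLE_STATUS = """\
CHUID:   No data available
Slot 9a:   No data available.
Slot 9c:   No data available.
Slot 9d:
   Algorithm:   RSA2048
   Subject DN:   xxx
   Issuer DN:            xxx
   Fingerprint:   AA:BB:CC
   Not Before:   Jan 18 13:36:27 2016 GMT
   Not After:   Jan 17 13:36:27 2019 GMT
Slot 9e:   No data available.
PIN tries left:   3
"""

def parse_status(text):
    """Map each slot id to its indented 'Field: value' lines; {} means no cert."""
    slots, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Slot ([0-9a-f]{2}):", line)
        if m:
            current = m.group(1)
            slots[current] = {}
        elif current and line.startswith("   "):      # indented slot attribute
            key, _, value = line.strip().partition(":")
            slots[current][key.strip()] = value.strip()
        else:                                          # CHUID / PIN lines end a slot
            current = None
    return slots

def smime_readiness(slots):
    """Check the pairing S/MIME needs: 9c to sign, 9d to decrypt, same cert in both."""
    have = {s for s, fields in slots.items() if fields}
    fp = {s: slots[s].get("Fingerprint") for s in ("9c", "9d") if s in have}
    return {
        "sign": "9c" in have,
        "decrypt": "9d" in have,
        "same_cert": (fp["9c"] == fp["9d"]) if len(fp) == 2 else None,
        "missing": [f"{s} ({SLOT_ROLES[s]})" for s in ("9c", "9d") if s not in have],
    }

if __name__ == "__main__":
    print(smime_readiness(parse_status(SAMPLE_STATUS)))
```

Feed it the real status output instead of the constructed sample to get the same report for your own key.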


PostPosted: Wed Feb 15, 2017 5:56 pm 
I have exactly the same issue on both OS X and Ubuntu 16.10.
Emails are properly decrypted.
Trying to send a signed message causes the same error.
The certificate is signed by an external CA.
[EDIT]
I have a YubiKey 4.


PostPosted: Wed Feb 15, 2017 6:04 pm 
Adding the certificate to both 9c and 9d causes a PIN prompt every time I read a message.
However, I can send signed emails (after two PIN prompts).

