Yubico Forum
PostPosted: Mon Mar 16, 2015 10:01 pm 
Joined: Mon Mar 02, 2015 9:39 pm
Posts: 27
1. I will blast the PIV applet, and re-create as you suggest, one slot at a time. Starting with 9c.

Update: tried filling the 9c slot only; same result: NEO PIV not recognized by Keychain, because no tokend seems comfortable with it.

2. The original (fully provisioned) NEO PIV (will try slot-by-slot later).

With Thursby PKard:
Code:
Mar 16 16:42:48 <hostname> PKard[29341]: TSSCardClass: presence NOT detected '/Library/Logs/com.thursby.pki.caching.disabled' uid=91
Mar 16 16:42:48 <hostname> com.apple.SecurityServer[38]: token in reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 cannot be used (error 229)


With OpenSC (first token inserted was CAC - wanted to see if it can unlock it; it couldn't. Second inserted token was NEO):
Code:
Mar 16 00:02:46 <hostname> apsd[671]: CFNetwork SSLHandshake failed (-9806)
...skipping...
ken "PIV_II" (d8e21ddbb4709a69c13ba7fc55908a4a8dd94afe) subservice 7
Mar 16 16:47:26 <hostname> apsd[671]: CFNetwork SSLHandshake failed (-9806)
Mar 16 16:47:38 <hostname> com.apple.SecurityServer[38]: Token reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 inserted into system
Mar 16 16:47:40 <hostname> com.apple.SecurityServer[38]: reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 inserted token "PIV_II" (930ec3d62bec500b8c71636d353d5b821e51378d) subservice 6 using driver com.apple.tokend.opensc
Mar 16 16:47:56 <hostname> apsd[671]: CFNetwork SSLHandshake failed (-9806)


4. Will try after this.
Update: failed, behavior as before (i.e., as with the fully-provisioned card).

5. I don't know, but would expect that any UUID in the right format should work. Your experience seems to confirm this assumption.

6. Can you tell me which one you have installed right now, that seems to work OK with the NEO PIV?

7. So that PKCS12 file contains your private key, and the corresponding public key (probably with signatures, so it's actually a cert)?

Update: figured that out, converting between different key+cert formats on the fly. Thanks, OpenSSL! :-)



PostPosted: Mon Mar 16, 2015 11:44 pm 
Joined: Wed Jan 14, 2015 11:34 am
Posts: 24
1. Maybe try putting the same cert in 9a as well if it doesn't work with only 9c; it could be mandatory in some implementations.
2. I don't have PKard, but can you post a few previous lines? This doesn't really tell if the PKard tokend was used. This (error 229) is, however, the same I got when my card was not provisioned to the tokend's liking (empty or "wrong" slots).

As for OpenSC - do not try unlocking it in keychain - it's pointless and just UI. Try using it (sign an email), that will tell you if it works.

6. Both OpenSC and Centrify work for me (now)

7. Yes. Typically, what you want on card is:
a) the private key
b) the certificate signed by authority
c) all intermediate certificates, possibly including the root authority
(this is what I have in my .p12)

I don't think intermediate CAs are imported by yubico-piv-tool (I don't know if that's even supported with the PIV applet), so you might need to import the intermediate CAs into Keychain to use the identity. But this will come after you see the card in Keychain and is irrelevant at this point. It's just a common problem when trying to actually use it without having all the anchors up to the trusted root (and I guess it's a bug that software like Firefox needs it).


PostPosted: Mon Mar 16, 2015 11:48 pm 
Joined: Wed Jan 14, 2015 11:34 am
Posts: 24
Post logs, I'll take a look tomorrow.
Are you sure you cleaned all the tokends from the system? Have you tried rebooting?

Maybe something is different on your 10.9.5; the CCID driver, most probably? I know that some Yubico software actually patches the supported readers, but I don't remember which one. Not sure what messages you would get if it wasn't supported (but my guess would be no message at all, not even the 229 error). 10.9 should actually work better than 10.10...


PostPosted: Wed Mar 18, 2015 7:02 pm 
Joined: Mon Mar 02, 2015 9:39 pm
Posts: 27
1. Putting the same cert in 9a had no visible effect. The card is still visible as "PIV-II" in Keychain. It shows one certificate (which makes sense, because neither PIV Auth nor Card Auth are supposed to be usable by applications such as Keychain, AFAIK). It is still not unlockable.

Naturally, when I select "My Certificates" (which means certificates for which I have private keys) it shows nothing.

2. Unlocking is not pointless; it enables access to the private keys. Since it turns out to be impossible, I'm not surprised that neither Apple Mail nor MS Outlook 2011 even saw my certs on the NEO. So of course I was unable to sign with it.

6. Darn. So how to get OpenSC.tokend to work with NEO??? (And maybe Centrify?)

7. Yeah, except that the card has no room for the intermediate certs; that's what belongs in the Keychain :). But I've got that .p12 imported just fine, so I doubt that part is a problem.

Yeah, I've rebooted many times by now. Yeah, right now the only tokend in /System/Library/Security/tokend is OpenSC.tokend:

Code:
$ ll /System/Library/Security/tokend
total 0
drwxr-xr-x  5 root  wheel  170 Mar 17 17:21 ./
drwxr-xr-x  8 root  wheel  272 Mar 16 13:05 ../
drwxr-xr-x  3 root  wheel  102 Oct 30 06:12 OpenSC.tokend/
drwxr-xr-x  7 root  wheel  238 Mar 17 17:21 tmp/
drwxr-xr-x  5 root  wheel  170 Apr 17  2014 uiplugins/


I think this is the relevant part of the logs:
Code:
Mar 18 11:48:51 hostname com.apple.SecurityServer[38]: Token reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 inserted into system
Mar 18 11:48:53 hostname com.apple.SecurityServer[38]: reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 inserted token "PIV_II" (c62cfe2c4e51372d76c7a0492489dda9b7c12671) subservice 12 using driver com.apple.tokend.opensc
Mar 18 11:49:00 hostname secd[597]:  SecErrorGetOSStatus unknown error domain: com.apple.security.sos.error for error: The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
Mar 18 11:49:00 hostname secd[597]:  securityd_xpc_dictionary_handler Keychain Access[44833] DeviceInCircle The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
...
Mar 18 13:27:06 hostname com.apple.SecurityServer[38]: reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 removed token "PIV_II" (c62cfe2c4e51372d76c7a0492489dda9b7c12671) subservice 12
Mar 18 13:27:15 hostname com.apple.SecurityServer[38]: Token reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 inserted into system
Mar 18 13:27:17 hostname com.apple.SecurityServer[38]: reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 inserted token "PIV_II" (c62cfe2c4e51372d76c7a0492489dda9b7c12671) subservice 12 using driver com.apple.tokend.opensc
...
Mar 18 13:40:32 hostname apsd[588]: CFNetwork SSLHandshake failed (-9806)
Mar 18 13:40:40 hostname authexec[78741]: executing /Library/Frameworks/VirusScanPreferences.framework/Versions/Current/Resources/prefsHelperTool
Mar 18 13:40:48 hostname secd[597]:  SecErrorGetOSStatus unknown error domain: com.apple.security.sos.error for error: The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
Mar 18 13:40:48 hostname secd[597]:  securityd_xpc_dictionary_handler Keychain Access[78549] DeviceInCircle The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
Mar 18 13:40:48 hostname secd[597]:  SecErrorGetOSStatus unknown error domain: com.apple.security.sos.error for error: The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
Mar 18 13:40:48 hostname secd[597]:  securityd_xpc_dictionary_handler Keychain Access[78549] DeviceInCircle The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
Mar 18 13:40:48 hostname secd[597]:  SecErrorGetOSStatus unknown error domain: com.apple.security.sos.error for error: The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
Mar 18 13:40:48 hostname secd[597]:  securityd_xpc_dictionary_handler Keychain Access[78549] DeviceInCircle The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
Mar 18 13:40:48 hostname secd[597]:  SecErrorGetOSStatus unknown error domain: com.apple.security.sos.error for error: The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
Mar 18 13:40:48 hostname secd[597]:  securityd_xpc_dictionary_handler Keychain Access[78549] DeviceInCircle The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
Mar 18 13:40:48 hostname secd[597]:  SecErrorGetOSStatus unknown error domain: com.apple.security.sos.error for error: The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
Mar 18 13:40:48 hostname secd[597]:  securityd_xpc_dictionary_handler Keychain Access[78549] DeviceInCircle The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)


And maybe this (happens with PKCS11.tokend):
Code:
Mar 17 01:02:59 MacBook-Air.local com.apple.SecurityServer[15]: Token reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 inserted into system
Mar 17 01:03:04 MacBook-Air.local com.apple.SecurityServer[15]: token in reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 cannot be used (error 2147549225)


And this - on the same (MacBook Air) machine but with OpenSC.tokend:
Code:
Mar 17 01:53:27 MacBook-Air.local com.apple.SecurityServer[15]: Token reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 inserted into system
Mar 17 01:53:31 MacBook-Air.local com.apple.SecurityServer[15]: reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 inserted token "PIV_II" (5269d71a0501b05bbffa28e25bd8e73d569b21b2) subservice 7 using driver com.apple.tokend.opensc
.....
Mar 17 01:53:49 MacBook-Air.local launchservicesd[80]: Application App:"iTerm" asn:0x0-20020 pid:371 refs=7 @ 0x7fbc52519d60 tried to be brought forward, but isn't in fPermittedFrontApps ( ( "LSApplication:0x0-0x22022 pid=455 "SecurityAgent"")), so denying. : LASSession.cp #1481 SetFrontApplication() q=LSSession 100004/0x186a4 queue
Mar 17 01:53:49 MacBook-Air.local WindowServer[112]: [cps/setfront] Failed setting the front application to iTerm, psn 0x0-0x20020, securitySessionID=0x186a4, err=-13066
Mar 17 01:53:49 MacBook-Air kernel[0]: Sandbox: mDNSResponder(65) deny file-read-data /
Mar 17 01:53:49 --- last message repeated 4 times ---
Mar 17 01:53:49 MacBook-Air kernel[0]: Sandbox: apsd(87) deny file-read-data /
Mar 17 01:53:50 MacBook-Air.local sandboxd[282] ([87]): apsd(87) deny file-read-data /
Mar 17 01:54:03 --- last message repeated 3 times ---


Though the last message could be from gpg-agent...


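The SecurityServer lines quoted in the posts above are the main evidence in this thread, and they fall into a few shapes: a reader is "inserted into system", a tokend then either claims the token ("inserted token ... using driver ...") or refuses the card ("cannot be used (error N)"). The following triage script is an added example, not code from the thread, OpenSC or Yubico: it parses those shapes and reports the last-known state of each reader. The sample log is constructed from messages quoted in this thread with the hostname replaced by the placeholder "host"; the status labels and the hex rendering of the error codes are the script's own, and it assigns no meaning to the codes beyond what the thread reports (error 229 seen when slots were not provisioned to the tokend's liking).

```python
import re

# Constructed sample, modelled on the com.apple.SecurityServer lines quoted in
# this thread; "host" stands in for the real hostname.
SAMPLE_LOG = """\
Mar 16 16:42:48 host com.apple.SecurityServer[38]: token in reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 cannot be used (error 229)
Mar 18 11:48:51 host com.apple.SecurityServer[38]: Token reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 inserted into system
Mar 18 11:48:53 host com.apple.SecurityServer[38]: reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 inserted token "PIV_II" (c62cfe2c4e51372d76c7a0492489dda9b7c12671) subservice 12 using driver com.apple.tokend.opensc
Mar 18 13:27:06 host com.apple.SecurityServer[38]: reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 removed token "PIV_II" (c62cfe2c4e51372d76c7a0492489dda9b7c12671) subservice 12
Mar 18 13:40:32 host apsd[588]: CFNetwork SSLHandshake failed (-9806)
Mar 17 01:03:04 host com.apple.SecurityServer[15]: token in reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 cannot be used (error 2147549225)
"""

# One pattern per SecurityServer message shape seen in the thread.
PATTERNS = (
    ("rejected", re.compile(r"token in reader (?P<reader>.+?) cannot be used \(error (?P<code>\d+)\)")),
    ("claimed",  re.compile(r'reader (?P<reader>.+?) inserted token "(?P<token>[^"]+)" '
                            r"\((?P<token_id>[0-9a-f]+)\) subservice \d+ using driver (?P<driver>\S+)")),
    ("removed",  re.compile(r'reader (?P<reader>.+?) removed token "(?P<token>[^"]+)"')),
    ("inserted", re.compile(r"Token reader (?P<reader>.+?) inserted into system")),
)


def parse_events(log_text):
    """Extract (kind, fields) for every SecurityServer smart-card event."""
    events = []
    for line in log_text.splitlines():
        if "com.apple.SecurityServer" not in line:
            continue  # apsd/secd chatter is unrelated to the card stack
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if m:
                events.append((kind, m.groupdict()))
                break
    return events


def triage(log_text):
    """Fold the events into the last-known state of each reader."""
    readers = {}
    for kind, f in parse_events(log_text):
        st = readers.setdefault(f["reader"], {"status": "never seen", "driver": None,
                                              "token": None, "errors": []})
        if kind == "inserted":
            # stays in this state if no tokend ever claims the reader
            st["status"] = "inserted, no tokend has claimed it yet"
        elif kind == "claimed":
            st["status"] = "claimed"
            st["driver"] = f["driver"]
            st["token"] = f["token"]
        elif kind == "removed":
            st["status"] = "removed"
        elif kind == "rejected":
            st["status"] = "rejected"
            st["errors"].append(int(f["code"]))  # keep every code seen, in order
    return readers


def describe(readers):
    """Render one diagnostic line per reader (labels are this script's own)."""
    out = []
    for reader, st in readers.items():
        if st["status"] == "claimed":
            out.append(f"{reader}: token {st['token']!r} claimed by {st['driver']}; "
                       "tokend loaded, test signing in an application next")
        elif st["status"] == "rejected":
            codes = ", ".join(f"{c} (0x{c:08x})" for c in st["errors"])
            out.append(f"{reader}: a tokend saw the card but refused it, error(s) {codes}")
        else:
            out.append(f"{reader}: {st['status']}")
    return out


if __name__ == "__main__":
    for line in describe(triage(SAMPLE_LOG)):
        print(line)
```

Feed it the relevant stretch of system.log (only SecurityServer lines are considered; apsd and secd noise is skipped) and read the result as follows: a reader left at "inserted, no tokend has claimed it yet" means no installed tokend recognised the card at all, "claimed" means a tokend loaded it and the next step is trying to sign from an application rather than the Keychain padlock, and "rejected" means a tokend inspected the card and refused it, which is the case the thread ties to slot provisioning.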
PostPosted: Wed Mar 18, 2015 7:39 pm 
Joined: Wed Jan 14, 2015 11:34 am
Posts: 24
I don't think OSX cares about the slots themselves; the certificates should definitely be visible, in my case they 100% are.

Keychain unlocking has nothing to do with actually using the keys; it is just a cosmetic feature. It might cause the PIN to get cached by Keychain for some tokens, but even in "locked" state it is completely usable (assuming everything else works).
Quoting from OpenSC FAQ:
Quote:
Q: It seems to be impossible to unlock the smart card keychain in Keychain Access.app ?

A: The padlock in the Keychain Access GUI is just a GUI feature, it does not relate to unlocking smart card items with a PIN code. The PIN for the related key will be asked if used (for example, with Google Chrome for SSL authentication)



I don't know what else to suggest - maybe try deleting the contents of /var/db/TokenCache - but that should not be an issue if you changed the CHUID...


PostPosted: Wed Mar 18, 2015 10:13 pm 
Joined: Mon Mar 02, 2015 9:39 pm
Posts: 27
The certificate(s) were visible in the "Certificates" tab of Keychain Access. Nothing was visible in "My Certificates" tab.

Re: OpenSC FAQ: it does not seem to be correct, what can I say. What it states contradicts my direct experience.

Deleting everything in /var/db/TokenCache/config and /var/db/TokenCache/tokens resulted in both NEO and CAC not being recognized any more.

Continuing experiments. :-)


PostPosted: Thu Mar 19, 2015 3:35 am 
Joined: Thu Feb 12, 2015 9:18 am
Posts: 3
Related: https://github.com/OpenSC/OpenSC.tokend/issues/11


PostPosted: Thu Mar 19, 2015 9:33 am 
Joined: Wed Jan 14, 2015 11:34 am
Posts: 24
The original CAC might be a different beast. Are we talking about it, or about the PIV applet that we initialize ourselves? I reckon the original CAC and DoD cards will have a different structure than what yubico-piv-tool gives us, and different problems.


PostPosted: Thu Mar 19, 2015 2:59 pm 
Joined: Mon Mar 02, 2015 9:39 pm
Posts: 27
Yes, we are talking about both: original CAC cards, and the YubiKey NEO.

Yes, they do seem to have different problems. :-)

However, at this point I have a few solutions that seem to work well with CAC on Mac:

For the NEO PIV applet, only OpenSC.tokend even sees the token, but just like with CAC, it refuses to do anything useful with it. Which means that all the applications that rely on tokend don't even see the NEO token (in PIV mode).

I wish I could enable debugging output of OpenSC.tokend...


PostPosted: Thu Mar 19, 2015 3:10 pm 
Joined: Wed Jan 14, 2015 11:34 am
Posts: 24
You can:

/Library/OpenSC/etc/opensc.conf

search for "tokend" :-)

