Yubico Forum

PostPosted: Fri Dec 12, 2014 10:58 am 
Hello,

I've got my yubikey neo working with a RSA public/private key and ssh. However, I can't get it to work with the elliptic curve algorithm ECCP256.

The steps that I've done :-

Code:
yubico-piv-tool -s 9a -a generate -A ECCP256 -o public-ecc.pem
yubico-piv-tool -a verify-pin -P 123456 -a selfsign-certificate -s 9a -S "/CN=Guy Evans ECC key/" -i public-ecc.pem -o ecc-cert.pem
yubico-piv-tool -a import-certificate -s 9a -i ecc-cert.pem


Which all seem to run ok, however, when I run

Code:
ssh-keygen -D /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so


I get the error C_GetAttributeValue failed: 18.

I can use ssh-keygen to convert the public-ecc.pem file directly and copy that to authorized_keys. However, when I attempt to login with ssh -I /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so I get the same error.

pkcs15-tool --list-public-keys shows the key. pkcs15-tool --read-public-key comes back with a "not implemented" error (but also does the same for a RSA key). pkcs15-tool --read-certificate correctly outputs the certificate that was imported.

Cheers
Guy



PostPosted: Fri Dec 12, 2014 4:08 pm 
Site Admin
Hello,

This may not be a complete answer, but the pkcs11 module doesn't support ECC.

Could you double check?


PostPosted: Fri Dec 12, 2014 7:17 pm 
How do I do that?


PostPosted: Sun Dec 14, 2014 9:43 pm 
Ok, I've done some more experimenting. It seems that things are ok at the PKCS11 level as the following works :-

Code:
pkcs11-tool --module /lib64/opensc-pkcs11.so  --sign --slot 1 --id 02 -m ECDSA --input-file wombat --output-file wombat-signed


The problem looks like it's with openssh. The man page for ssh_config mentions that the PKCS11Provider reads RSA keys (no mention of ECC) and a quick scan of the source code at https://github.com/openssh/openssh-port ... h-pkcs11.c seems to confirm this.

Cheers
Guy


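The fallback mentioned in the first post (turning public-ecc.pem into an authorized_keys entry) is only a re-encoding of the same P-256 point into OpenSSH's ecdsa-sha2-nistp256 wire format; the following is an added example, not code from the thread, from yubico-piv-tool or from OpenSSH, that performs that conversion, checks the point against the curve equation before trusting it, and decodes the result back. It assumes a constructed sample key (the P-256 base point, labelled as such) in place of the poster's public-ecc.pem.

```python
import base64
import struct

# NIST P-256 domain parameters, used only to sanity-check the point.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
# Constructed sample key: the curve's base point, not the poster's key.
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

# DER prefix of a SubjectPublicKeyInfo for id-ecPublicKey / prime256v1,
# up to and including the BIT STRING header that wraps 04||X||Y.
SPKI_P256_PREFIX = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d030107034200")

def build_sample_pem() -> str:
    """Build a PEM shaped like yubico-piv-tool's '-o public-ecc.pem' output."""
    point = b"\x04" + GX.to_bytes(32, "big") + GY.to_bytes(32, "big")
    b64 = base64.b64encode(SPKI_P256_PREFIX + point).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b  # SSH wire string: 4-byte length + data

def _on_curve(point: bytes) -> bool:
    x = int.from_bytes(point[1:33], "big")
    y = int.from_bytes(point[33:65], "big")
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0

def pem_to_authorized_key(pem: str, comment: str = "") -> str:
    """Convert a prime256v1 SubjectPublicKeyInfo PEM to an authorized_keys line."""
    der = base64.b64decode("".join(
        ln for ln in pem.splitlines() if not ln.startswith("-----")))
    if not der.startswith(SPKI_P256_PREFIX):
        raise ValueError("not a prime256v1 SubjectPublicKeyInfo")
    point = der[len(SPKI_P256_PREFIX):]
    if len(point) != 65 or point[0] != 0x04 or not _on_curve(point):
        raise ValueError("invalid or non-uncompressed P-256 point")
    blob = (_ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256")
            + _ssh_string(point))
    line = "ecdsa-sha2-nistp256 " + base64.b64encode(blob).decode()
    return f"{line} {comment}" if comment else line

def parse_authorized_key(line: str) -> dict:
    """Decode an authorized_keys line back into its wire-format fields."""
    parts = line.split(None, 2)
    blob, fields = base64.b64decode(parts[1]), []
    while blob:  # each field is a length-prefixed SSH string
        (n,) = struct.unpack(">I", blob[:4])
        fields.append(blob[4:4 + n])
        blob = blob[4 + n:]
    return {"type": parts[0], "curve": fields[1].decode(), "point": fields[2],
            "comment": parts[2] if len(parts) > 2 else ""}
```

The server-side entry this produces does not change the client-side failure described in the thread, because it is the PKCS#11 signing path that lacked ECDSA support at the time; OpenSSH 8.0 later added ECDSA keys in PKCS#11 tokens.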
PostPosted: Fri Mar 13, 2015 3:33 pm 
Hi,
Have you found out a solution to this?

I'd love to use ECC keys, but without PKCS11 support it will not work. I looked around for the possibility of adding the support but couldn't find anything (and I'm not a developer).

