Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 10:06 am

All times are UTC + 1 hour




Post new topic Reply to topic  [ 2 posts ] 
Author Message
PostPosted: Wed Jan 03, 2018 12:04 am 
Offline

Joined: Sun Mar 15, 2015 12:23 pm
Posts: 3
I have installed yubikey-piv-tools via brew.

using my Yubikey 4 works for e.g. SSH login but get before being prompted for PIN for each installed PIV certificate a:

C_GetAttributeValue failed: 6

e.g. example:

Code:
% ssh-keygen -D /usr/local/lib/libykcs11.dylib -e
C_GetAttributeValue failed: 6
[...]


using opensc-pkcs11.so doesn't show the error and works similar, however can't use the extra slots.

what struggles me, however is that openvpn doesn't show any certs (while opensc does):

Code:
% openvpn --show-pkcs11-ids /usr/local/lib/libykcs11.dylib

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.
%


It is a little suprising that opensc works while Yubikey's own implementation with its own device fails... I would have expected the opposite way.
The reasons why I wanted to use ykcs11 rather opensc one is the fact I can use the "retired" slots for openvpn and I do not consume the rare NIST Slots (9x) for that. Did anyone get openvpn going on macOS with ykcs11. Anything to debug that? Buggy code?

Cheers,
Yze


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Wed Jan 03, 2018 4:35 pm 
Offline

Joined: Sun Mar 15, 2015 12:23 pm
Posts: 3
Found a solution myself. Since my primary goal was to use all PIV slots, I found a solution from opensc to get the "retired" slots working. The current 2017 version is already ready for this. What was missing is to describe with a Key History object how to use those slots for opensc. For the yubikey 4: To make the certificates appear in keychain. In short:

Code:
echo -n C10114C20100FE00 | yubico-piv-tool -k -a write-object --id 0x5FC10C -i -


will activate all 20 slots as purpose for X509 certificate + key. With that said, ykcs11 is no longer needed.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 2 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group