Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 1:45 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 7 posts ] 
Author Message
PostPosted: Fri Feb 12, 2016 12:28 pm 
Offline

Joined: Thu Jan 28, 2016 3:01 pm
Posts: 9
Hello,

we are trying to get S/MIME-based email signing and decryption working using Yubikey Neo and Yubikey 4 with Thunderbird / opensc on Linux. Unfortunately we always encounter the same problems.

Thunderbird cannot reliably communicate with Yubikey and always looses the reference to the certificate.

The first time we try to send a signed mail or decrypt a stored mail it works. Thunderbirds asks for the PIN (strangely called master password for some reason) and resumes operation as expected. However, after that, both signing and decryption ceases to function.

Trying to sign mails fails with:
Code:
Sending of the message failed.
You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired.


Decrypting mails fails with:
Code:
Thunderbird cannot decrypt this message
The sender encrypted this message to you using one of your digital certificates, however Thunderbird was not able to find this certificate and corresponding private key.


Sometimes Thunderbird will repeatedly ask for the "master password for PIV" without managing to log into the key, sometimes it will not ask at all. In any case it does not work.

The only solution we found so far was to eject and reinsert the Yubikey. Then the next single signing or decryption operation will succeed. After that, the error reoccurs.

We have confirmed that on two different machines running two newly installed flavors of Ubuntu. I am unsure whether this is Yubikey or opensc related, so it could as well be an opensc bug. But since opensc is apparently the only driver for Yubikey it's effectively a Yubikey problem.

Software:
xubuntu / ubunut-gnome 15.10 x86_64 4.2.0-27-generic
Thunderbird 38.5.1
OpenSC 0.15.0 [gcc 4.9.2]

Best regards


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Fri Feb 12, 2016 11:14 pm 
Offline

Joined: Mon Mar 02, 2015 9:39 pm
Posts: 27
Just to make sure: did you fully initialize your Yubikey NEO with yubico-piv-tool? You need to look at "set-chuid" and "set-ccc". Without these two your Yubikey is not PIV-compliant enough for other software to use it.


Top
 Profile  
Reply with quote  
PostPosted: Mon Feb 15, 2016 10:00 am 
Offline

Joined: Thu Jan 28, 2016 3:01 pm
Posts: 9
Uriel wrote:
Just to make sure: did you fully initialize your Yubikey NEO with yubico-piv-tool? You need to look at "set-chuid" and "set-ccc". Without these two your Yubikey is not PIV-compliant enough for other software to use it.


I would like to verify that, unfortunately, my system suddenly does not recognize any smart card reader anymore.

Code:
> yubico-piv-tool -a set-chuid
Failed to connect to reader.


Anyway, there does not seem to be a "set-ccc" option / action:

Code:
> yubico-piv-tool -a set-ccc
yubico-piv-tool: invalid argument, "set-ccc", for option `--action' (`-a')
> yubico-piv-tool --set-ccc
yubico-piv-tool: unrecognized option '--set-ccc'
> man yubico-piv-tool | grep set-ccc



Top
 Profile  
Reply with quote  
PostPosted: Mon Feb 15, 2016 3:16 pm 
Offline

Joined: Thu Jan 28, 2016 3:01 pm
Posts: 9
After removing anything smartcard related from the system, then reinstalling the yubico packages using the yubico PPA I now have the newest stable version of yubico-piv-tool. Obviously, the one in the official ubuntu PPA is outdated.

Checking the status:

Code:
> yubico-piv-tool -a status
CHUID: <very long hex number>
CCC:   No data available
Slot 9c:   
   <...>
Slot 9d:   
    <....>
PIN tries left:   3


So indeed, CCC is apparently not set. However, I can't do set-ccc due to some authentication problem that I can't get around:
Code:
> yubico-piv-tool -a set-ccc
Failed authentication with the application.


In fact, I can't do anything that requires authentication (reset, set-mgm-key, ...). I never changed the management key and it should be default.

Also, I wonder, if "set-ccc" is such a critical setting, why is there no documentation about it, and why is this option not included in the stable ubuntu PPA release? Not even the yubico-piv-tool documentation https://www.yubico.com/wp-content/uploads/2015/04/Yubico-PIV-Management-Tools_v1.0.pdf mentions it.


Top
 Profile  
Reply with quote  
PostPosted: Mon Feb 15, 2016 5:03 pm 
Offline

Joined: Thu Jan 28, 2016 3:01 pm
Posts: 9
I managed to set-ccc by setting a new management key but that did not change anything. The error still persists.


Top
 Profile  
Reply with quote  
PostPosted: Tue Feb 16, 2016 1:11 pm 
Offline

Joined: Thu Jan 28, 2016 3:01 pm
Posts: 9
For further information, we also tested another USB-based token device that stores s/mime certificates and uses the opensc-pkcs11 module. It works on the same machine using the same software stack without issues. IMHO that strengthens my assumption, that it is a yubikey-related issue.


Top
 Profile  
Reply with quote  
PostPosted: Tue Feb 16, 2016 8:01 pm 
Offline

Joined: Mon Mar 02, 2015 9:39 pm
Posts: 27
I've had problems with Thunderbird decrypting S/MIME on different machines with different PKCS11 middleware (including Windows). So I'm certain there's something about Thunderbird itself.

I've also successfully did signature & verification (using RSA and ECC), and encryption & decryption (using RSA) with Yubikey NEO and Yubikey 4 on Mac, using Apple Mail, MS Outlook 2011, and Thunderbird.

Apple Mail often loses track of the token authentication status, and fails to sign outgoing. Possibly Yubikey's problem, but people were reporting similar issues with DoD CAC.

Thunderbird on some Mac boxes is very unreliable and refuses to send encrypted. Observed only with Yubikey on Mac (so far ;) ), works reliably on other platforms with other tokens and middleware.

Thunderbird on many different boxes refuses to decrypt when the decryption key is on a hardware token. This was evidenced consistently on several different platforms with several different token types and different middleware. Definitely not a Yubikey problem.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 7 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: Heise IT-Markt [Crawler] and 12 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group