Yubico Forum
https://forum.yubico.com/

[QUESTION] How to get past err code 6f00 importing key/cert
https://forum.yubico.com/viewtopic.php?f=26&t=1578

Author:  DeezCashews [ Thu Nov 06, 2014 4:06 pm ]
Post subject:  [QUESTION] How to get past err code 6f00 importing key/cert

I am trying to use the yubico-piv-tool-0.1.0-win64.zip distribution of yubico-piv-tool to import an existing private key / certificate pair in PKCS12 format using the following command:

Code:
./yubico-piv-tool -v -s 9c -i certificate.p12 -K PKCS12 -p password -a set-chuid -a import-key -a import-cert


but I keep getting the following:

Code:
Successfully set new CHUID.
using reader 'Yubico Yubikey NEO OTP+CCID 0' matching 'Yubikey'.
Successful applet authentication.
Now processing for action 7.
Setting the GUID to: 30 19 d4 e7 39 da 73 9c ed 39 ce 73 9d 83 68 58 21 08 42 10 84 21 38 42 10 c3 f5 34 8c aa e0 79 67 a6 08 2f dd aa c2 db 94 4e 9e 3f 00 35 08 32 30 33 30 30 31 30 31 3e 00 fe 00
Now processing for action 5.
Failed import command with code 6f00.


Can anyone tell me what this code implies or what I might be doing wrong? If I remove the -a import-key it imports the certificate without error, but I need both. Thanks.

Author:  Klas [ Tue Nov 11, 2014 8:32 am ]
Post subject:  Re: [QUESTION] How to get past err code 6f00 importing key/c

Hello,

Unfortunately I don't think the new release fixes this issue; the "6f 00" return indicates a problem with the applet.

Would you be able to send me an example pkcs12 file that exhibits this problem, at klas@yubico.com?

What type is the private key inside the pkcs12? rsa-2048?

What version is the applet you're running with? It can be extracted with -a version to yubico-piv-tool.

/klas

Author:  FastJack [ Tue Nov 11, 2014 8:44 pm ]
Post subject:  Re: [QUESTION] How to get past err code 6f00 importing key/c

I tried this with my shiny new YubiKey NEO on my Mac and got pretty much the same result. Unlike DeezCashews I didn't use "-a set-chuid" but that didn’t change the outcome:

Code:
yubico-piv-tool -s 9c -i my_ca.p12 -K PKCS12 -p password -a import-key -a import-cert -v5


Which resulted in: (Yes, I cranked up the verbosity in the hope of some helpful output for the developers)

Code:
using reader 'Yubico Yubikey NEO CCID' matching 'Yubikey'.
> 00 a4 04 00 05 a0 00 00 03 08
< 61 11 4f 06 00 00 10 00 01 00 79 07 4f 05 a0 00 00 03 08 90 00
> 00 87 03 9b 04 7c 02 80 00
< 7c 0a 80 08 8a 80 f9 6e 00 db 58 2c 90 00
> 00 87 03 9b 16 7c 14 80 08 b0 fe 9a fc a5 a9 4a 96 81 08 33 84 0f e9 43 a5 ec d2
< 7c 0a 82 08 29 b3 71 c5 dc 91 41 bb 90 00
Successful applet authentication.
Now processing for action 5.
Going to send 255 bytes in this go.
> 10 fe 07 9c ff 01 81 80 f0 9f b9 42 5a 64 76 0f f4 f5 0e c6 0b f4 23 f2 70 57 ba b8 d3 19 ad b1 3c 96 a7 17 1d 48 4e eb fd 92 5e 5a 2f 1e 64 9c fb 70 a8 3b 85 1d 31 c8 2f ad fa bd 66 4b 05 d8 7a ec 2b a3 46 42 7b fd e1 c4 28 da df 97 ea 0b aa 85 fc 7d 35 3d a4 95 07 9f fc d2 5c 3b 35 2b e5 e9 df c0 a6 7f 33 49 04 56 f0 78 3e b1 c1 73 5a b1 5b c6 21 ec 37 98 80 dd 93 8c 25 b4 8f 5c 47 0d 3a c8 59 77 d2 ed 02 81 80 c5 27 78 d1 d6 21 67 f1 3c 76 b3 ba 34 b3 42 25 8f ab d0 96 bd 38 9c 17 40 4e d7 66 75 d5 6a f9 b6 3d 99 ba 93 a3 0f 71 8f 84 d5 d1 b0 19 8a a7 a1 60 b0 56 07 c9 7c 13 79 14 ed 25 ee 3c cf 8a 5b 4d 14 d4 61 ca 42 51 d1 cd 8a ed a3 a8 1f 80 55 9f 29 01 b5 f6 55 d5 12 41 f6 0d 55 53 19 47 61 40 8b fe 35 61 21 c7 4f 70 60 b9 4f 66 0c ca ce 0b d2 9a 16 80 57 f9 ee
< 90 00
Going to send 255 bytes in this go.
> 10 fe 07 9c ff 07 25 4a ac 35 f9 b1 03 81 80 ef 33 f9 39 0b 1f 1f 76 d1 6e e3 d6 e1 7f 3c 55 00 75 55 fb f2 6f 6e 89 e8 cf 63 1f c9 4e 5e 96 9f 27 68 80 82 a2 d6 26 70 97 17 c6 c3 97 b8 2b 67 aa ae be a5 f8 22 c1 87 c1 4b c8 2e 4a 5d 74 8f 81 2f 94 15 fe b0 fe 13 f0 ca 85 b5 ed a7 b5 37 35 46 61 e0 aa 43 3b 76 7d be 9f 87 64 a0 19 10 25 55 3c 54 26 e5 46 c5 7b d6 dd ea 4f 27 1d 85 cd bf a5 ec bd c8 5e 55 8b c3 49 f4 16 f8 29 04 7f 3d 9c 18 25 7a c4 f5 b6 6d 2e aa fb 85 7c 7f 2f 3d b6 73 78 a7 a9 09 1e 3a fa 68 55 9c 7d 14 f0 f4 02 4c 08 02 1a f2 b8 8a 20 f8 b0 8e 57 6c fc f5 71 41 a9 a0 c5 56 00 bf d5 ca 46 10 2c f0 ae 4b d9 ca a8 93 e6 a0 d2 f0 bd 4a ac f8 77 91 60 89 61 33 6f 55 6d a5 64 f0 4f ac 94 7e 15 79 d0 d4 93 57 2c 19 82 41 0c 07 c7 16 72 d2 5d 11 a2 4e c1 63
< 90 00
Going to send 143 bytes in this go.
> 00 fe 07 9c 8f 0e c3 f9 57 84 c2 dd 78 c9 dd 07 01 05 81 80 ae 27 3b a1 8d f3 34 4f e9 50 d3 e9 16 b0 b5 94 de 3e 14 93 3f d3 d8 99 16 55 29 5f 6d d0 5e b0 d7 87 04 59 86 88 e6 de fc 47 7e 1c 77 16 4e f3 50 48 4b f4 a0 e1 34 4a b9 ed b8 69 ab 73 a8 0b 18 0e 89 18 a8 4b 7d a6 9f b2 20 d3 44 9d 9a 0a 6f dc 2c 65 69 ef c5 3d c7 38 66 46 fe 67 be df 8e 71 42 c7 1d e4 2f 7c 6c 6e 34 4a df 1c 51 e2 af c5 47 1c 1e 6b a7 a0 8d 86 78 45 40 00 fb 0c
< 6f 00
Failed import command with code 6f00.


The PIV applet installed on my NEO has version 0.1.2. The private key is RSA-2048.

Author:  Klas [ Wed Nov 12, 2014 10:32 am ]
Post subject:  Re: [QUESTION] How to get past err code 6f00 importing key/c

Very interesting (and as a note, the verbose data at that level contains your private key..)

What seems to be happening here is that parameter 4 (dq1) is one byte too short and needs to have a 0 byte added first to be acceptable to the card. It'd be interesting to get a key that looks like this, could you email the PKCS12 you used to me at klas@yubico.com?

I'll see if I can add some code that makes sense that fixes this.

/klas

EDIT: There is now a potential fix for this issue pushed for the tool to github: https://github.com/Yubico/yubico-piv-to ... fff1709d29 It'd be great if someone could test this and report back.
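Added example, not part of the thread and not the code from the commit linked above: a C version of the check and fix Klas describes, encoding each key component as tag, length, value the way the trace does (`01 81 80 ...`) and left-padding a short value with zero bytes to the full 128 bytes of an RSA-2048 component. The function names and the sample values are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Write tag | length | value, left-padding the value with zero bytes to
 * exactly elem_len (max 255). Returns bytes written, 0 if it cannot fit. */
size_t put_component(uint8_t *out, size_t room, uint8_t tag,
                     const uint8_t *val, size_t val_len, size_t elem_len) {
    if (val_len > elem_len || elem_len > 0xff || room < 3 + elem_len) return 0;
    size_t n = 0, pad = elem_len - val_len;
    out[n++] = tag;
    if (elem_len >= 0x80) out[n++] = 0x81;   /* long-form length prefix */
    out[n++] = (uint8_t)elem_len;
    memset(out + n, 0, pad);                 /* the missing leading zeros */
    memcpy(out + n + pad, val, val_len);
    return n + elem_len;
}

/* Walk a payload; return the tag of the first component whose length is not
 * elem_len, 0 if all match, -1 if the TLV structure is malformed. */
int first_bad_component(const uint8_t *p, size_t len, size_t elem_len) {
    for (size_t i = 0; i < len; ) {
        if (len - i < 2) return -1;
        uint8_t tag = p[i++];
        size_t l = p[i++];
        if (l == 0x81 && i < len) l = p[i++];
        else if (l >= 0x80) return -1;
        if (l > len - i) return -1;
        if (l != elem_len) return tag;
        i += l;
    }
    return 0;
}

/* Constructed sample, not real key data: tags 01..05, where tag 04 has only
 * 127 significant bytes. pad_all=0 keeps each value at its own length. */
size_t build_sample(uint8_t *out, size_t room, int pad_all) {
    uint8_t val[128];
    size_t n = 0;
    memset(val, 0xA5, sizeof val);
    for (uint8_t tag = 1; tag <= 5; tag++) {
        size_t vlen = (tag == 4) ? 127 : 128;
        size_t w = put_component(out + n, room - n, tag, val, vlen,
                                 pad_all ? 128 : vlen);
        if (w == 0) return 0;
        n += w;
    }
    return n;
}
```

Without padding the constructed sample encodes to 653 bytes, the same total as the 255 + 255 + 143 bytes sent in the trace above; with padding it is 655 bytes and every component has the same length.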

Author:  FastJack [ Wed Nov 12, 2014 8:19 pm ]
Post subject:  Re: [QUESTION] How to get past err code 6f00 importing key/c

I don’t mind the private key being visible. It's just my own CA I created. I can restart from scratch. ;)

Anyway, the latest change from Klas seems to have fixed it. I was able to successfully import a new private key and certificate. Are you still interested to see that PKCS12?

Author:  Klas [ Thu Nov 13, 2014 9:16 am ]
Post subject:  Re: [QUESTION] How to get past err code 6f00 importing key/c

Good, so with that commit it works for you. Then I don't need the PKCS12 any more; I managed to create keys like that myself.

I'll try to cut a release of this today or tomorrow.

/klas

All times are UTC + 1 hour