Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 7:48 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 4 posts ] 
Author Message
PostPosted: Tue Jun 16, 2015 5:26 pm 
Offline

Joined: Thu Dec 18, 2014 11:02 pm
Posts: 6
I'm looking into doing Windows code signing, using signtool.exe, with the private key stored on my Yubikey NEO. However, I'm running into problems. Hopefully someone can give me a pointer in the right direction.

I created a self-signed test keypair in slot 9c ('Digital Signature'), which is nicely listed by signtool when searching for keys:

Code:
signtool.exe sign /n test /v /debug tobesigned.txt

The following certificates were considered:
    Issued to: testkey
    Issued by: testkey
    Expires:   Fri Jan 24 18:13:27 2025
    SHA1 hash: 014D6DCFDF7DCD735CC3F1D1267F4F429D08F1D6

After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Subject Name filter, 1 certs were left.


But the Windows pop-up I get immediately after that tells me

Quote:
A smart card was detected but is not the one required for the current operation. The smart card you are using may be missing required driver software or a required certificate.


(Also see the attached screenshot.)

After which I can only hit cancel, which in turn results in signtool failing:
Code:
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.


I also tried using a keypair in slot 9a, but that is not even found by signtool, so I guess 9c is the right PIV slot.

Has anyone succeeded in using a NEO in combination with signtool? Can you tell me what I'm doing wrong here?


Attachments:
File comment: PIV card error
signtool-yubikey-error.png
signtool-yubikey-error.png [ 11.9 KiB | Viewed 3012 times ]
Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Wed Jun 17, 2015 9:52 am 
Offline
Yubico Moderator
Yubico Moderator

Joined: Fri Jan 02, 2015 12:22 pm
Posts: 16
Yes I can confirm that slot 9c is the correct one.

Double check that your certificate has the right enhanced key usage field. You need one with OID 1.3.6.1.5.5.7.3.3 in order to enable a key for code signing (admittedly you pass the EKU filter tho).
As I can see you're using your own test certificate, so make sure to include that when you generate it.

I don't know how you're doing the generation, but I can tell you that it's possible to do it and set the required OID with openssl creating your own CA.

Also make sure that the card has a CHUID set.

I hope this helps out.

A.


Top
 Profile  
Reply with quote  
PostPosted: Wed Jul 29, 2015 3:41 pm 
Offline

Joined: Thu Dec 18, 2014 11:02 pm
Posts: 6
Took me a while to get back to this, but I just did and I think the set-chuid did the trick. Unfortunately not entirely sure, since there has been too much fiddling in between, but at least it works now. Thanks!


Top
 Profile  
Reply with quote  
PostPosted: Wed Jul 29, 2015 3:57 pm 
Offline
Yubico Moderator
Yubico Moderator

Joined: Fri Jan 02, 2015 12:22 pm
Posts: 16
Glad to hear that you got it working.

A.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 4 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 17 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group