Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 8:36 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 3 posts ] 
Author Message
PostPosted: Thu Nov 06, 2014 5:38 pm 
Offline

Joined: Thu Nov 06, 2014 5:09 pm
Posts: 20
I have a NEO which appears to have the PIV applet installed.

I can't get 'ykneomgr -a' to admit that, mind you:

Code:
$ ykneomgr  -d -a
Trying reader 0: Yubico Yubikey NEO OTP+CCID 00 00
--> 13: 00 a4 04 00 08 a0 00 00 05 27 20 01 01
<-- 12: 03 02 00 01 85 07 82 00 00 00 90 00
versionMajor 3
versionMinor 2
versionBuild 0
pgmSeq 1
touchLevel 34055
mode 82
crTimeout 0
autoEjectTime 0
--> 4: 00 01 10 00
<-- 6: 00 2d ca f3 90 00
serialno 3001075
--> 13: 00 a4 04 00 08 a0 00 00 00 03 00 00 00
<-- 105: 6f 65 84 08 a0 00 00 00 03 00 00 00 a5 59 9f 65 01 ff 9f 6e 06 47 91 12 10 38 00 73 4a 06 07 2a 86 48 86 fc 6b 01 60 0c 06 0a 2a 86 48 86 fc 6b 02 02 01 01 63 09 06 07 2a 86 48 86 fc 6b 03 64 0b 06 09 2a 86 48 86 fc 6b 04 02 55 65 0b 06 09 2b 85 10 86 48 64 02 01 03 66 0c 06 0a 2b 06 01 04 01 2a 02 6e 01 02 90 00
--> 13: 80 50 00 00 08 01 02 03 04 05 06 07 08
<-- 30: 00 00 33 17 01 41 49 97 09 12 ff 02 00 03 4b ae 77 56 ee 49 56 66 ea 14 f5 6f 14 84 90 00
error: ykneomgr_authenticate (-4): Backend error


But I can install a private key with yubico-piv-tool:

Code:
$ yubico-piv-tool  -a import-key -s 9c  -p $PASSPHRASE -i ~/.cert/certificate.p12 -K PKCS12
Successfully imported a new private key.


(The corresponding cert is larger than 2KiB so I can't install that but that shouldn't matter).

Now I can attempt to connect to my VPN server with openconnect:

Code:
$ openconnect -c ~/.cert/certificate.pem -k 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=SIGN%20key;object-type=private' $VPNSERVER -v -v


This appears to work fine, to start with. I'm asked for the PIN, and it doesa test signature to check that the key and certificate that I've given it are a correct match:

Code:
*************** OpenSC PKCS#11 spy *****************
Loaded: "/usr/lib64/opensc-pkcs11.so"

0: C_GetFunctionList
2014-11-06 16:32:24.165
Returned:  0 CKR_OK

1: C_Initialize
2014-11-06 16:32:24.168
[in] pInitArgs = 0x23ca380
     flags: 2
       CKF_OS_LOCKING_OK
Returned:  0 CKR_OK

2: C_GetInfo
2014-11-06 16:32:24.339
[out] pInfo:
      cryptokiVersion:         2.20
      manufacturerID:         'OpenSC (www.opensc-project.org) '
      flags:                   0
      libraryDescription:     'Smart card PKCS#11 API          '
      libraryVersion:          0.0
Returned:  0 CKR_OK

3: C_GetSlotList
2014-11-06 16:32:24.486
[in] tokenPresent = 0x1
[out] pSlotList:
Slot 1
[out] *pulCount = 0x1
Returned:  0 CKR_OK

4: C_GetTokenInfo
2014-11-06 16:32:24.866
[in] slotID = 0x1
[out] pInfo:
      label:                  'PIV_II (PIV Card Holder pin)    '
      manufacturerID:         'piv_II                          '
      model:                  'PKCS#15 emulated'
      serialNumber:           '00000000        '
      ulMaxSessionCount:       0
      ulSessionCount:          0
      ulMaxRwSessionCount:     0
      ulRwSessionCount:        0
      ulMaxPinLen:             8
      ulMinPinLen:             4
      ulTotalPublicMemory:     -1
      ulFreePublicMemory:      -1
      ulTotalPrivateMemory:    -1
      ulFreePrivateMemory:     -1
      hardwareVersion:         0.0
      firmwareVersion:         0.0
      time:                   '                '
      flags:                   40d
        CKF_RNG                         
        CKF_LOGIN_REQUIRED               
        CKF_USER_PIN_INITIALIZED         
        CKF_TOKEN_INITIALIZED           
Returned:  0 CKR_OK

5: C_GetSlotInfo
2014-11-06 16:32:24.866
[in] slotID = 0x1
[out] pInfo:
      slotDescription:        'Yubico Yubikey NEO OTP+CCID 00 0'
                              '0                               '
      manufacturerID:         'OpenSC (www.opensc-project.org) '
      hardwareVersion:         0.0
      firmwareVersion:         0.0
      flags:                   7
        CKF_TOKEN_PRESENT               
        CKF_REMOVABLE_DEVICE             
        CKF_HW_SLOT                     
Returned:  0 CKR_OK
Using certificate file /home/dwmw2/.cert/certificate.pem
Using PKCS#11 key pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=SIGN%20key;object-type=private;pin-source=openconnect%3a0x23c1240

6: C_GetSlotList
2014-11-06 16:32:24.867
[in] tokenPresent = 0x1
[out] pSlotList:
Slot 1
[out] *pulCount = 0x1
Returned:  0 CKR_OK

7: C_GetTokenInfo
2014-11-06 16:32:24.867
[in] slotID = 0x1
[out] pInfo:
      label:                  'PIV_II (PIV Card Holder pin)    '
      manufacturerID:         'piv_II                          '
      model:                  'PKCS#15 emulated'
      serialNumber:           '00000000        '
      ulMaxSessionCount:       0
      ulSessionCount:          0
      ulMaxRwSessionCount:     0
      ulRwSessionCount:        0
      ulMaxPinLen:             8
      ulMinPinLen:             4
      ulTotalPublicMemory:     -1
      ulFreePublicMemory:      -1
      ulTotalPrivateMemory:    -1
      ulFreePrivateMemory:     -1
      hardwareVersion:         0.0
      firmwareVersion:         0.0
      time:                   '                '
      flags:                   40d
        CKF_RNG                         
        CKF_LOGIN_REQUIRED               
        CKF_USER_PIN_INITIALIZED         
        CKF_TOKEN_INITIALIZED           
Returned:  0 CKR_OK

8: C_GetSlotInfo
2014-11-06 16:32:24.868
[in] slotID = 0x1
[out] pInfo:
      slotDescription:        'Yubico Yubikey NEO OTP+CCID 00 0'
                              '0                               '
      manufacturerID:         'OpenSC (www.opensc-project.org) '
      hardwareVersion:         0.0
      firmwareVersion:         0.0
      flags:                   7
        CKF_TOKEN_PRESENT               
        CKF_REMOVABLE_DEVICE             
        CKF_HW_SLOT                     
Returned:  0 CKR_OK

9: C_OpenSession
2014-11-06 16:32:24.868
[in] slotID = 0x1
[in] flags = 0x4
pApplication=(nil)
Notify=(nil)
[out] *phSession = 0x28a1560
Returned:  0 CKR_OK

10: C_GetSessionInfo
2014-11-06 16:32:24.868
[in] hSession = 0x28a1560
[out] pInfo:
      slotID:                  1
      state:                  '           CKS_RO_PUBLIC_SESSION'
      flags:                   4
        CKF_SERIAL_SESSION               
      ulDeviceError:           0
Returned:  0 CKR_OK
PIN required for PIV_II (PIV Card Holder pin)
Enter PIN:

11: C_Login
2014-11-06 16:32:38.333
[in] hSession = 0x28a1560
[in] userType = CKU_USER
[in] pPin[ulPinLen] 0000000002baeb30 / 6
    00000000  31 32 33 34 35 36                                123456         
Returned:  0 CKR_OK

12: C_FindObjectsInit
2014-11-06 16:32:38.368
[in] hSession = 0x28a1560
[in] pTemplate[3]:
    CKA_ID                00000000029b29c0 / 1
    00000000  02                                               .               
    CKA_LABEL             00000000024a4d10 / 8
    5349474E 206B6579
     S I G N  . k e y
    CKA_CLASS             CKO_PRIVATE_KEY     
Returned:  0 CKR_OK

13: C_FindObjects
2014-11-06 16:32:38.368
[in] hSession = 0x28a1560
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x1
Object 0x2a3b950 matches
Returned:  0 CKR_OK

14: C_FindObjectsFinal
2014-11-06 16:32:38.368
[in] hSession = 0x28a1560
Returned:  0 CKR_OK

15: C_GetAttributeValue
2014-11-06 16:32:38.368
[in] hSession = 0x28a1560
[in] hObject = 0x2a3b950
[in] pTemplate[1]:
    CKA_KEY_TYPE          00007fff6dbbf548 / 8
[out] pTemplate[1]:
    CKA_KEY_TYPE          CKK_RSA           
Returned:  0 CKR_OK

16: C_SignInit
2014-11-06 16:32:38.368
[in] hSession = 0x28a1560
pMechanism->type=CKM_RSA_PKCS                 
[in] hKey = 0x2a3b950
Returned:  0 CKR_OK

17: C_Sign
2014-11-06 16:32:38.368
[in] hSession = 0x28a1560
[in] pData[ulDataLen] 00000000029a4ca0 / 35
    00000000  30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 85  0!0...+.........
    00000010  AF 1A B7 B2 8B 75 9C 38 47 BC 34 BA AF 3A 67 3E  .....u.8G.4..:g>
    00000020  13 15 35                                         ..5             
[out] pSignature[*pulSignatureLen] NULL [size : 0x100 (256)]
Returned:  0 CKR_OK

18: C_Sign
2014-11-06 16:32:38.368
[in] hSession = 0x28a1560
[in] pData[ulDataLen] 00000000029a4ca0 / 35
    00000000  30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 85  0!0...+.........
    00000010  AF 1A B7 B2 8B 75 9C 38 47 BC 34 BA AF 3A 67 3E  .....u.8G.4..:g>
    00000020  13 15 35                                         ..5             
[out] pSignature[*pulSignatureLen] 00000000028f89f0 / 256
    00000000  09 90 5C B2 B2 A2 8E DF 00 79 A1 34 08 7F 54 6B  ..\......y.4Tk
    00000010  AA FC 60 DB 4E 1B 6B 0D EF 73 CB C3 EA EE 96 60  ..`.N.k..s.....`
    00000020  5C 1E 15 3C 18 5D 76 43 14 39 05 BC 3B 60 99 B8  \..<.]vC.9..;`..
    00000030  1E 7D 0A 73 E2 B4 78 1B 40 87 96 21 E8 90 9D 0B  .}.s..x.@..!....
    00000040  A2 14 27 5B AE 75 97 FE 4E 5F 81 F7 7D 68 17 5D  ..'[.u..N_..}h.]
    00000050  B8 23 4F 13 CE 3F 2B 6B 68 25 3D 70 39 D7 34 EA  .#O..?+kh%=p9.4.
    00000060  BD 15 D7 4D A9 EF 10 1C 1D 2F 35 CB 09 30 F4 0C  ...M...../5..0..
    00000070  1C 18 63 98 79 A6 5F 57 57 DC BA C6 F6 9F D2 F0  ..c.y._WW.......
    00000080  D0 88 60 15 68 A3 08 BA C2 06 4B A9 10 2B B1 55  ..`.h.....K..+.U
    00000090  8B 9C 07 7F 40 93 75 32 10 66 9B 6F 68 88 C4 BD  ..@.u2.f.oh...
    000000A0  46 1D 6E C9 3C 3C 85 C6 3D 55 9F 54 30 5C A3 80  F.n.<<..=U.T0\..
    000000B0  04 0F 55 69 66 F3 C3 09 CB 7C 94 FB E9 E1 B5 19  ..Uif....|......
    000000C0  56 9E 86 00 5C 36 F0 B8 C3 8A 33 39 4E 58 1A 90  V...\6....39NX..
    000000D0  F5 B6 49 77 26 00 2F AC 71 0F FD 28 71 0B FA 90  ..Iw&./.q..(q...
    000000E0  5B 25 04 73 A1 EF 7E FC DE 84 97 4C 6D E7 74 DD  [%.s..~....Lm.t.
    000000F0  81 61 B1 1D D5 5B A5 87 80 6F C2 5F E5 9B EA 8F  .a...[...o._....
Returned:  0 CKR_OK
Using client certificate 'Woodhouse\, David'



... but then it goes off and connects to the server, and then it's asked by the server to perform a signature, but by this time it seems to have forgotten that I'd logged in:

Code:
Attempting to connect to server xx.xx.xx.xx:443
SSL negotiation with xx.xx.xx.xx

22: C_SignInit
2014-11-06 16:32:39.499
[in] hSession = 0x28a1560
pMechanism->type=CKM_RSA_PKCS                 
[in] hKey = 0x2a3b950
Returned:  0 CKR_OK

23: C_Sign
2014-11-06 16:32:39.499
[in] hSession = 0x28a1560
[in] pData[ulDataLen] 00007fff6dbbf6b0 / 36
    00000000  42 B1 2E A0 4B A2 D6 C0 AD C0 CA 28 AD 0F 5D 34  B...K......(..]4
    00000010  09 AD 6C 8C 2C A1 31 1E 13 FF 91 65 59 A3 9D D9  ..l.,.1....eY...
    00000020  24 89 88 9D                                      $...           
[out] pSignature[*pulSignatureLen] NULL [size : 0x100 (256)]
Returned:  0 CKR_OK

24: C_Sign
2014-11-06 16:32:39.499
[in] hSession = 0x28a1560
[in] pData[ulDataLen] 00007fff6dbbf6b0 / 36
    00000000  42 B1 2E A0 4B A2 D6 C0 AD C0 CA 28 AD 0F 5D 34  B...K......(..]4
    00000010  09 AD 6C 8C 2C A1 31 1E 13 FF 91 65 59 A3 9D D9  ..l.,.1....eY...
    00000020  24 89 88 9D                                      $...           
Returned:  257 CKR_USER_NOT_LOGGED_IN
SSL connection failure: PKCS #11 user error
Failed to open HTTPS connection to xx.xx.xx.xx
Failed to obtain WebVPN cookie


What's wrong? It looks like it's so *close* to working...

FWIW I don't think the PKCS#11 standard permits CKR_USER_NOT_LOGGED_IN as a return value from C_Sign(). If that's the case, C_SignInit() should have failed.


Last edited by dwmw2 on Fri Nov 07, 2014 5:55 pm, edited 2 times in total.

Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Thu Nov 06, 2014 9:10 pm 
Offline

Joined: Thu Nov 06, 2014 5:09 pm
Posts: 20
I think this is a bug. We modified GnuTLS to call pkcs11_login() again when a key has the CKA_ALWAYS_AUTHENTICATE attribute set: https://gitorious.org/gnutls/gnutls/commit/e1a0af191

Now the GnuTLS pkcs11_login() function is duly called before C_SignInit() and does this:

Code:

25: C_GetSessionInfo
2014-11-06 19:56:41.534
[in] hSession = 0xed7620
[out] pInfo:
      slotID:                  1
      state:                  '           CKS_RO_USER_FUNCTIONS'
      flags:                   4
        CKF_SERIAL_SESSION               
      ulDeviceError:           0
Returned:  0 CKR_OK


We see CKS_RO_USER_FUNCTIONS and we don't actually call C_Login(). So I hacked it again to avoid that check and now it does call C_Login() and the exchange goes like this...

Code:
28: C_Login
2014-11-06 20:02:11.599
[in] hSession = 0x2c089a0
[in] userType = CKU_USER
[in] pPin[ulPinLen] 000000000293d9c0 / 6
    00000000  31 32 33 34 35 36                                123456         
Returned:  256 CKR_USER_ALREADY_LOGGED_IN
p11: Login result = 256

29: C_SignInit
2014-11-06 20:02:11.599
[in] hSession = 0x2c089a0
pMechanism->type=CKM_RSA_PKCS                 
[in] hKey = 0x269da90
Returned:  0 CKR_OK

30: C_Sign
2014-11-06 20:02:11.599
[in] hSession = 0x2c089a0
[in] pData[ulDataLen] 00007fff4449d3d0 / 36
    00000000  E9 44 15 2E 2F 04 6F 66 78 9B F1 9F 35 20 1D EB  .D../.ofx...5 ..
    00000010  A7 8B A1 B9 70 99 36 1B 9E 75 73 2D 4D 8F 7A A6  ....p.6..us-M.z.
    00000020  7D DE 54 B7                                      }.T.           
[out] pSignature[*pulSignatureLen] NULL [size : 0x100 (256)]
Returned:  0 CKR_OK

31: C_Sign
2014-11-06 20:02:11.599
[in] hSession = 0x2c089a0
[in] pData[ulDataLen] 00007fff4449d3d0 / 36
    00000000  E9 44 15 2E 2F 04 6F 66 78 9B F1 9F 35 20 1D EB  .D../.ofx...5 ..
    00000010  A7 8B A1 B9 70 99 36 1B 9E 75 73 2D 4D 8F 7A A6  ....p.6..us-M.z.
    00000020  7D DE 54 B7                                      }.T.           
Returned:  257 CKR_USER_NOT_LOGGED_IN



Since this might be an OpenSC bug I've also posted to the opensc-devel list: http://permalink.gmane.org/gmane.comp.e ... evel/15731


Top
 Profile  
Reply with quote  
PostPosted: Fri Nov 07, 2014 6:02 pm 
Offline

Joined: Thu Nov 06, 2014 5:09 pm
Posts: 20
This is mostly fixed in GnuTLS with the following commits:
https://gitorious.org/gnutls/gnutls/commit/e1a0af19
https://gitorious.org/gnutls/gnutls/commit/239cb7d7

This now works:

Code:
openconnect -c 'pkcs11:manufacturer=piv_II;id=%01' $VPNSERVER


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 3 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 12 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group