Yubico Forum https://forum.yubico.com/ |
|
[Q?] NEO does not show up in Keychain (nor in Apple Mail)? https://forum.yubico.com/viewtopic.php?f=26&t=1768 |
Page 1 of 3 |
Author: | Uriel [ Mon Mar 02, 2015 11:53 pm ] |
Post subject: | [Q?] NEO does not show up in Keychain (nor in Apple Mail)? |
I've fully configured Yubikey NEO (firmware 3.3.0), provisioning both OpenPGP and PIV applets. I can access the device with "piv-tool", "yubico-piv-tool", and such: Code: $ pkcs15-tool -c Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID 01 00 X.509 Certificate [Certificate for Digital Signature] Object Flags : [0x0] Authority : no Path : ID : 02 Encoded serial : 02 02 06C9 X.509 Certificate [Certificate for Key Management] Object Flags : [0x0] Authority : no Path : ID : 03 Encoded serial : 02 02 06C8 $ Could you please help get this device recognized by Keychain and Apple Mail? This is on Mac OS X Mavericks 10.9.5. Code: $ yubico-piv-tool -V yubico-piv-tool 0.1.5 $ opensc-tool -i OpenSC 0.14.0 [gcc 4.2.1 Compatible Apple LLVM 5.1 (clang-503.0.40)] Enabled features: zlib readline openssl pcsc(/System/Library/Frameworks/PCSC.framework/PCSC) Update. Installing SmartCardServices http://smartcardservices.macosforge.org/trac/wiki/installers, removing PIV.tokend that comes with it, and installing OpenSC.tokend from https://github.com/OpenSC/OpenSC.tokend got my NEO recognized by Keychain. But Keychain refuses to unlock it - something's missing in this tokend. Any other tokend just doesn't recognize NEO. As I said, there seems to be no problem accessing NEO with CLI tools: Code: $ pkcs11-tool --module /Library/OpenSC/lib/opensc-pkcs11.so --slot-index 2 --pin xxxxxx -m ECDSA-SHA1 --sign -i ~/test-hash.bin -o ~/test-sign.bin Using slot with index 2 (0x5) Using signature algorithm ECDSA-SHA1 $ But that does not allow using PIV certificates loaded in NEO PIV applet with email and such. |
Author: | zviratko [ Fri Mar 13, 2015 1:41 pm ] |
Post subject: | Re: [Q?] NEO does not show up in Keychain (nor in Apple Mail |
OpenSC.tokend doesn't seem to work right (at least for me). I tried several tokend providers and the one that did work was (I think) CACkey (I believe it provides a PKCS11.tokend into /System/Library/Security/tokend). You should try several of them and see how well they work for you. Be aware that you can't use the openpgp and piv applets at the same time, due to limitations in OSX, so disable whichever you don't use or expect trouble (it gets locked by the first one that uses it). Also, you need to personalize the card _first_, before it is correctly recognized by Keychain - I used yubico-piv-tools to upload the keys/certs to the card, and then they showed in keychain. I ended up with a working card but then just scratched it all and went back to opengpg for both Mail and SSH - still hoping an update to smartcardservices or opensc will fix the issues I am seeing. (the most obnoxious one is that ssh-pkcs11-helper turns into a forkbomb on occassion, homebrewing a newer openssh and using that works better). |
Author: | Uriel [ Fri Mar 13, 2015 3:02 pm ] |
Post subject: | Re: [Q?] NEO does not show up in Keychain (nor in Apple Mail |
zviratko wrote: OpenSC.tokend doesn't seem to work right (at least for me). I tried several tokend providers and the one that did work was (I think) CACkey (I believe it provides a PKCS11.tokend into /System/Library/Security/tokend). I concur regarding OpenSC.tokend. But I have a whole bunch of *.tokend, including what CACKey provided - and nothing seems to work. zviratko wrote: Be aware that you can't use the openpgp and piv applets at the same time, due to limitations in OSX, so disable whichever you don't use or expect trouble (it gets locked by the first one that uses it). Yes I know, and for the time being I'd be willing to live with that constraint. zviratko wrote: Also, you need to personalize the card _first_, before it is correctly recognized by Keychain - I used yubico-piv-tools to upload the keys/certs to the card, and then they showed in keychain. But I thought my card was personalized! At least I put the keys & certs on it. I know that Card Capability Container hasn't been properly instantiated, and several other objects don't seem to contain any data (which bothers a lot commercial applications such as PKard), but it is an issue for tokend? zviratko wrote: I ended up with a working card but then just scratched it all and went back to opengpg for both Mail and SSH - still hoping an update to smartcardservices or opensc will fix the issues I am seeing. (the most obnoxious one is that ssh-pkcs11-helper turns into a forkbomb on occassion, homebrewing a newer openssh and using that works better). I see your point. Unfortunately I need the PIV capabilities and PKI integration. |
Author: | zviratko [ Fri Mar 13, 2015 3:26 pm ] |
Post subject: | Re: [Q?] NEO does not show up in Keychain (nor in Apple Mail |
Uriel wrote: zviratko wrote: OpenSC.tokend doesn't seem to work right (at least for me). I tried several tokend providers and the one that did work was (I think) CACkey (I believe it provides a PKCS11.tokend into /System/Library/Security/tokend). I concur regarding OpenSC.tokend. But I have a whole bunch of *.tokend, including what CACKey provided - and nothing seems to work. You should just keep one, make a "disabled" folder here and move the rest here, then reboot and try again. It should somewhat work even with the OpenSC one, but in my experience it was the most broken one of the bunch. Uriel wrote: zviratko wrote: Also, you need to personalize the card _first_, before it is correctly recognized by Keychain - I used yubico-piv-tools to upload the keys/certs to the card, and then they showed in keychain. But I thought my card was personalized! At least I put the keys & certs on it. I know that Card Capability Container hasn't been properly instantiated, and several other objects don't seem to contain any data (which bothers a lot commercial applications such as PKard), but it is an issue for tokend? I have no idea what CCC is, to be honest I read the specs but from what I understood some aspects are still vendor-specific. I followed this guide for personalization and it worked for me: https://developers.yubico.com/yubico-piv-tool/ I tried various slots and they did what they should (in regard to caching and requiring PINs) and I was able to use 2 certificates in different slots together. I remember having some trouble signing mails in Mail.app, and I'm not sure how/if I solved it in the end, but the card worked and was shown in keychain - and with CACkey tokend I was able to unlock the keychain from Keychain.app, not just when signing (it just does nothing with OpenSC.tokend and the rest) It's possible I'm misleading you on the CACkey tokend, though, I don't remember 100% which one I used in the end, and I tried lots of them. I think it was PKCS11.tokend, which I think gets installed with CACkey. Uriel wrote: zviratko wrote: I ended up with a working card but then just scratched it all and went back to opengpg for both Mail and SSH - still hoping an update to smartcardservices or opensc will fix the issues I am seeing. (the most obnoxious one is that ssh-pkcs11-helper turns into a forkbomb on occassion, homebrewing a newer openssh and using that works better). I see your point. Unfortunately I need the PIV capabilities and PKI integration. Please let me know of your progress - I still want to go back to PKI, but GPG worked so flawlessly with gpgtools I just haven't had a real urge to go back. Oh and one other thing - the last time I tried PKI I tried it with EC keys - things got a bit funky in there as lots of stuff didn't support that (ssh-agent), and I remember Apple's stuff didn't even support 2048bit keys correctly for hash authentication a few years back - not sure if that changed at all as they seem to neglect this subsystem badly... |
Author: | Uriel [ Mon Mar 16, 2015 6:59 pm ] |
Post subject: | Re: [Q?] NEO does not show up in Keychain (nor in Apple Mail |
I routinely use EC keys with Apple Mail, Keychain, etc. on my Mac OS X Mavericks 10.9.5. Seems to be no problem whatsoever. My main problem is getting the NEO recognized by Keychain, and/or my Apple Mail. OpenSC software (but not tokend) and yubico-piv-tool work well enough with the NEO's PIV applet. I'd appreciate if you could recall/find out/whatever what you did to make your NEO recognizable by Keychain. I think my PIV applet is fully provisioned (I even fudged in Card Capability Container, though I can't vouch for its correctness). Code: $ pkcs15-tool --list-keys --list-certificates
Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID 00 00 X.509 Certificate [Certificate for PIV Authentication] Object Flags : [0x0] Authority : no Path : ID : 01 Encoded serial : 02 04 55030B94 X.509 Certificate [Certificate for Digital Signature] Object Flags : [0x0] Authority : no Path : ID : 02 Encoded serial : 02 02 06C9 X.509 Certificate [Certificate for Key Management] Object Flags : [0x0] Authority : no Path : ID : 03 Encoded serial : 02 02 06C8 X.509 Certificate [Certificate for Card Authentication] Object Flags : [0x0] Authority : no Path : ID : 04 Encoded serial : 02 04 55031273 Private EC Key [PIV AUTH key] Object Flags : [0x1], private Usage : [0x4], sign Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local FieldLength : 256 Key ref : 154 (0x9A) Native : yes Auth ID : 01 ID : 01 MD:guid : 0x'303132.....' :cmap flags : 0x0 :sign : 0 :key-exchange: 0 Private EC Key [SIGN key] Object Flags : [0x1], private Usage : [0x204], sign, nonRepudiation Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local FieldLength : 256 Key ref : 156 (0x9C) Native : yes Auth ID : 01 ID : 02 MD:guid : 0x'303232.....' :cmap flags : 0x0 :sign : 0 :key-exchange: 0 Private EC Key [KEY MAN key] Object Flags : [0x1], private Usage : [0x100], derive Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local FieldLength : 256 Key ref : 157 (0x9D) Native : yes Auth ID : 01 ID : 03 MD:guid : 0x'30333239.....' :cmap flags : 0x0 :sign : 0 :key-exchange: 0 Private EC Key [CARD AUTH key] Object Flags : [0x0] Usage : [0x4], sign Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local FieldLength : 256 Key ref : 158 (0x9E) Native : yes ID : 04 MD:guid : 0x'303432........' :cmap flags : 0x0 :sign : 0 :key-exchange: 0 $ |
Author: | zviratko [ Mon Mar 16, 2015 7:15 pm ] |
Post subject: | Re: [Q?] NEO does not show up in Keychain (nor in Apple Mail |
I actually came back and revived the PIV applet on my Neo real quick. It worked with the PKCS11.tokend _and_ the OpenSC tokend right after I imported my certificate + key. The PKCS11 tokend needed the key in the 9c slot, not the 9a slot and that was it (but then I put it in the 9a slot and used OpenSC, I didn't want all those DoD roots from CACkey in my keychain) I can't be sure if there's something in my system that I've done in the past, but I simply reinstalled OpenSC from the installer package, imported the key+cert with yubico-piv-tool ( yubico-piv-tool -a set-chuid -a import-certificate -a import-key -s 9c -i cert.pkcs12 -K PKCS12 -P 123456 -p password ) and it worked as it should. Or at least I could send one signed email with it... Do you verify it's working by only looking into Keychain access? Or are you trying to do something with it? What does /var/log/system.log say? Does it recognize the token? |
Author: | zviratko [ Mon Mar 16, 2015 7:19 pm ] |
Post subject: | Re: [Q?] NEO does not show up in Keychain (nor in Apple Mail |
Hmm, it seems you put it in all the slots? Or are those different certs? Could it be that keychain is picking up the wrong private key that doesn't allow whatever (sign?) operation you're trying to accomplish? Just reset the PIV applet and start from scratch with just one cert... |
Author: | zviratko [ Mon Mar 16, 2015 8:08 pm ] |
Post subject: | Re: [Q?] NEO does not show up in Keychain (nor in Apple Mail |
Something's really strange here... CACkey tokend doesn't work for me for some reason anymore (eh?) OpenSC works, but not with the 9a slot - but works with 9c Centrify tokend (PIV) works with 9a and 9c, but it needs CHUID or gets confused - it's the last one I just tested so it's possible some of my woes were caused by me not setting it in my tests before - guess it's needed sometimes - this tokend identifies itself as org.macosforge.smartcardservices.tokend.piv - that's funny because SCS PIV.tokend didn't work for me at all (never, methinks!) |
Author: | Uriel [ Mon Mar 16, 2015 8:56 pm ] |
Post subject: | Re: [Q?] NEO does not show up in Keychain (nor in Apple Mail |
Strange indeed. 1. Yes I filled all the slots - but with different keys/certificates (of course ). 2. At this time I'm just trying to ascertain that the card is usable by the OS apps (such as Mail and Keychain, and Safari/Chrome) in the PIV mode - and the simplest way I know of checking it is via Keychain. 3. Keychain doesn't see/detect the NEO at all. So I'd guess it's not a question of seeing a wrong cert. 4. What do you mean by "OpenSC works...with 9c slot"? 5. Centrify - what did you do with/for CHUID? Initiated it via "yubico-piv-tool" to a (sort of) random value? Or constructed a meaningful one, and fed to the card? If latter - how exactly did you construct it, and how did you write it to the card? 6. How many tokend's do you currently have installed (and appearing in /System/Library/Security/tokend)? 7. How did you create your cert.pkcs12? (Just to make sure) Thanks! |
Author: | zviratko [ Mon Mar 16, 2015 9:10 pm ] |
Post subject: | Re: [Q?] NEO does not show up in Keychain (nor in Apple Mail |
1. Test with just one slot, then fill it gradually - security and purpose of the slots differ, so I'd try not complicating things unless at least something works 2. Then look at /var/log/system.log - it could hint at what's wrong (and which tokend is actually used) 3. yeah, you're right here 4. with OpenSC.tokend, I need to put my cert in the 9c slot. Putting the same cert in 9a slot doesn't work (everything seems fine but it can't sign anything - but I am not sure 100% that there isn't something else wrong here) 5. Yes, just a "-a set-chuid" to yubico-piv-tool. I haven't investigated the purpose of CHUID, looks to me that as long as it is a new UUID it should work, even if it isn't the "right" number. No? 6. I always just keep one. Don't leave more than one tokend installed (unless it's for a different card). 7. My certificate comes from StartSSL and it was generated in Firefox. I exported it from here and haven't touched it afterwards. It contains my key+cert, and the Startcom Intermediate CA and root CA certificates (those don't get to the card). |
Page 1 of 3 | All times are UTC + 1 hour |
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/ |