I have a NEO which appears to have the PIV applet installed.
I can't get 'ykneomgr -a' to admit that, mind you:
Code:
$ ykneomgr -d -a
Trying reader 0: Yubico Yubikey NEO OTP+CCID 00 00
--> 13: 00 a4 04 00 08 a0 00 00 05 27 20 01 01
<-- 12: 03 02 00 01 85 07 82 00 00 00 90 00
versionMajor 3
versionMinor 2
versionBuild 0
pgmSeq 1
touchLevel 34055
mode 82
crTimeout 0
autoEjectTime 0
--> 4: 00 01 10 00
<-- 6: 00 2d ca f3 90 00
serialno 3001075
--> 13: 00 a4 04 00 08 a0 00 00 00 03 00 00 00
<-- 105: 6f 65 84 08 a0 00 00 00 03 00 00 00 a5 59 9f 65 01 ff 9f 6e 06 47 91 12 10 38 00 73 4a 06 07 2a 86 48 86 fc 6b 01 60 0c 06 0a 2a 86 48 86 fc 6b 02 02 01 01 63 09 06 07 2a 86 48 86 fc 6b 03 64 0b 06 09 2a 86 48 86 fc 6b 04 02 55 65 0b 06 09 2b 85 10 86 48 64 02 01 03 66 0c 06 0a 2b 06 01 04 01 2a 02 6e 01 02 90 00
--> 13: 80 50 00 00 08 01 02 03 04 05 06 07 08
<-- 30: 00 00 33 17 01 41 49 97 09 12 ff 02 00 03 4b ae 77 56 ee 49 56 66 ea 14 f5 6f 14 84 90 00
error: ykneomgr_authenticate (-4): Backend error
But I can install a private key with yubico-piv-tool:
Code:
$ yubico-piv-tool -a import-key -s 9c -p $PASSPHRASE -i ~/.cert/certificate.p12 -K PKCS12
Successfully imported a new private key.
(The corresponding cert is larger than 2KiB so I can't install that but that shouldn't matter).
Now I can attempt to connect to my VPN server with openconnect:
Code:
$ openconnect -c ~/.cert/certificate.pem -k 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=SIGN%20key;object-type=private' $VPNSERVER -v -v
This appears to work fine, to start with. I'm asked for the PIN, and it does a test signature to check that the key and certificate that I've given it are a correct match:
Code:
*************** OpenSC PKCS#11 spy *****************
Loaded: "/usr/lib64/opensc-pkcs11.so"
0: C_GetFunctionList
2014-11-06 16:32:24.165
Returned: 0 CKR_OK
1: C_Initialize
2014-11-06 16:32:24.168
[in] pInitArgs = 0x23ca380
flags: 2
CKF_OS_LOCKING_OK
Returned: 0 CKR_OK
2: C_GetInfo
2014-11-06 16:32:24.339
[out] pInfo:
cryptokiVersion: 2.20
manufacturerID: 'OpenSC (www.opensc-project.org) '
flags: 0
libraryDescription: 'Smart card PKCS#11 API '
libraryVersion: 0.0
Returned: 0 CKR_OK
3: C_GetSlotList
2014-11-06 16:32:24.486
[in] tokenPresent = 0x1
[out] pSlotList:
Slot 1
[out] *pulCount = 0x1
Returned: 0 CKR_OK
4: C_GetTokenInfo
2014-11-06 16:32:24.866
[in] slotID = 0x1
[out] pInfo:
label: 'PIV_II (PIV Card Holder pin) '
manufacturerID: 'piv_II '
model: 'PKCS#15 emulated'
serialNumber: '00000000 '
ulMaxSessionCount: 0
ulSessionCount: 0
ulMaxRwSessionCount: 0
ulRwSessionCount: 0
ulMaxPinLen: 8
ulMinPinLen: 4
ulTotalPublicMemory: -1
ulFreePublicMemory: -1
ulTotalPrivateMemory: -1
ulFreePrivateMemory: -1
hardwareVersion: 0.0
firmwareVersion: 0.0
time: ' '
flags: 40d
CKF_RNG
CKF_LOGIN_REQUIRED
CKF_USER_PIN_INITIALIZED
CKF_TOKEN_INITIALIZED
Returned: 0 CKR_OK
5: C_GetSlotInfo
2014-11-06 16:32:24.866
[in] slotID = 0x1
[out] pInfo:
slotDescription: 'Yubico Yubikey NEO OTP+CCID 00 0'
'0 '
manufacturerID: 'OpenSC (www.opensc-project.org) '
hardwareVersion: 0.0
firmwareVersion: 0.0
flags: 7
CKF_TOKEN_PRESENT
CKF_REMOVABLE_DEVICE
CKF_HW_SLOT
Returned: 0 CKR_OK
Using certificate file /home/dwmw2/.cert/certificate.pem
Using PKCS#11 key pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=SIGN%20key;object-type=private;pin-source=openconnect%3a0x23c1240
6: C_GetSlotList
2014-11-06 16:32:24.867
[in] tokenPresent = 0x1
[out] pSlotList:
Slot 1
[out] *pulCount = 0x1
Returned: 0 CKR_OK
7: C_GetTokenInfo
2014-11-06 16:32:24.867
[in] slotID = 0x1
[out] pInfo:
label: 'PIV_II (PIV Card Holder pin) '
manufacturerID: 'piv_II '
model: 'PKCS#15 emulated'
serialNumber: '00000000 '
ulMaxSessionCount: 0
ulSessionCount: 0
ulMaxRwSessionCount: 0
ulRwSessionCount: 0
ulMaxPinLen: 8
ulMinPinLen: 4
ulTotalPublicMemory: -1
ulFreePublicMemory: -1
ulTotalPrivateMemory: -1
ulFreePrivateMemory: -1
hardwareVersion: 0.0
firmwareVersion: 0.0
time: ' '
flags: 40d
CKF_RNG
CKF_LOGIN_REQUIRED
CKF_USER_PIN_INITIALIZED
CKF_TOKEN_INITIALIZED
Returned: 0 CKR_OK
8: C_GetSlotInfo
2014-11-06 16:32:24.868
[in] slotID = 0x1
[out] pInfo:
slotDescription: 'Yubico Yubikey NEO OTP+CCID 00 0'
'0 '
manufacturerID: 'OpenSC (www.opensc-project.org) '
hardwareVersion: 0.0
firmwareVersion: 0.0
flags: 7
CKF_TOKEN_PRESENT
CKF_REMOVABLE_DEVICE
CKF_HW_SLOT
Returned: 0 CKR_OK
9: C_OpenSession
2014-11-06 16:32:24.868
[in] slotID = 0x1
[in] flags = 0x4
pApplication=(nil)
Notify=(nil)
[out] *phSession = 0x28a1560
Returned: 0 CKR_OK
10: C_GetSessionInfo
2014-11-06 16:32:24.868
[in] hSession = 0x28a1560
[out] pInfo:
slotID: 1
state: ' CKS_RO_PUBLIC_SESSION'
flags: 4
CKF_SERIAL_SESSION
ulDeviceError: 0
Returned: 0 CKR_OK
PIN required for PIV_II (PIV Card Holder pin)
Enter PIN:
11: C_Login
2014-11-06 16:32:38.333
[in] hSession = 0x28a1560
[in] userType = CKU_USER
[in] pPin[ulPinLen] 0000000002baeb30 / 6
00000000 31 32 33 34 35 36 123456
Returned: 0 CKR_OK
12: C_FindObjectsInit
2014-11-06 16:32:38.368
[in] hSession = 0x28a1560
[in] pTemplate[3]:
CKA_ID 00000000029b29c0 / 1
00000000 02 .
CKA_LABEL 00000000024a4d10 / 8
5349474E 206B6579
S I G N . k e y
CKA_CLASS CKO_PRIVATE_KEY
Returned: 0 CKR_OK
13: C_FindObjects
2014-11-06 16:32:38.368
[in] hSession = 0x28a1560
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x1
Object 0x2a3b950 matches
Returned: 0 CKR_OK
14: C_FindObjectsFinal
2014-11-06 16:32:38.368
[in] hSession = 0x28a1560
Returned: 0 CKR_OK
15: C_GetAttributeValue
2014-11-06 16:32:38.368
[in] hSession = 0x28a1560
[in] hObject = 0x2a3b950
[in] pTemplate[1]:
CKA_KEY_TYPE 00007fff6dbbf548 / 8
[out] pTemplate[1]:
CKA_KEY_TYPE CKK_RSA
Returned: 0 CKR_OK
16: C_SignInit
2014-11-06 16:32:38.368
[in] hSession = 0x28a1560
pMechanism->type=CKM_RSA_PKCS
[in] hKey = 0x2a3b950
Returned: 0 CKR_OK
17: C_Sign
2014-11-06 16:32:38.368
[in] hSession = 0x28a1560
[in] pData[ulDataLen] 00000000029a4ca0 / 35
00000000 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 85 0!0...+.........
00000010 AF 1A B7 B2 8B 75 9C 38 47 BC 34 BA AF 3A 67 3E .....u.8G.4..:g>
00000020 13 15 35 ..5
[out] pSignature[*pulSignatureLen] NULL [size : 0x100 (256)]
Returned: 0 CKR_OK
18: C_Sign
2014-11-06 16:32:38.368
[in] hSession = 0x28a1560
[in] pData[ulDataLen] 00000000029a4ca0 / 35
00000000 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 85 0!0...+.........
00000010 AF 1A B7 B2 8B 75 9C 38 47 BC 34 BA AF 3A 67 3E .....u.8G.4..:g>
00000020 13 15 35 ..5
[out] pSignature[*pulSignatureLen] 00000000028f89f0 / 256
00000000 09 90 5C B2 B2 A2 8E DF 00 79 A1 34 08 7F 54 6B ..\......y.4Tk
00000010 AA FC 60 DB 4E 1B 6B 0D EF 73 CB C3 EA EE 96 60 ..`.N.k..s.....`
00000020 5C 1E 15 3C 18 5D 76 43 14 39 05 BC 3B 60 99 B8 \..<.]vC.9..;`..
00000030 1E 7D 0A 73 E2 B4 78 1B 40 87 96 21 E8 90 9D 0B .}.s..x.@..!....
00000040 A2 14 27 5B AE 75 97 FE 4E 5F 81 F7 7D 68 17 5D ..'[.u..N_..}h.]
00000050 B8 23 4F 13 CE 3F 2B 6B 68 25 3D 70 39 D7 34 EA .#O..?+kh%=p9.4.
00000060 BD 15 D7 4D A9 EF 10 1C 1D 2F 35 CB 09 30 F4 0C ...M...../5..0..
00000070 1C 18 63 98 79 A6 5F 57 57 DC BA C6 F6 9F D2 F0 ..c.y._WW.......
00000080 D0 88 60 15 68 A3 08 BA C2 06 4B A9 10 2B B1 55 ..`.h.....K..+.U
00000090 8B 9C 07 7F 40 93 75 32 10 66 9B 6F 68 88 C4 BD ..@.u2.f.oh...
000000A0 46 1D 6E C9 3C 3C 85 C6 3D 55 9F 54 30 5C A3 80 F.n.<<..=U.T0\..
000000B0 04 0F 55 69 66 F3 C3 09 CB 7C 94 FB E9 E1 B5 19 ..Uif....|......
000000C0 56 9E 86 00 5C 36 F0 B8 C3 8A 33 39 4E 58 1A 90 V...\6....39NX..
000000D0 F5 B6 49 77 26 00 2F AC 71 0F FD 28 71 0B FA 90 ..Iw&./.q..(q...
000000E0 5B 25 04 73 A1 EF 7E FC DE 84 97 4C 6D E7 74 DD [%.s..~....Lm.t.
000000F0 81 61 B1 1D D5 5B A5 87 80 6F C2 5F E5 9B EA 8F .a...[...o._....
Returned: 0 CKR_OK
Using client certificate 'Woodhouse\, David'
... but then it goes off and connects to the server, and then it's asked by the server to perform a signature, but by this time it seems to have forgotten that I'd logged in:
Code:
Attempting to connect to server xx.xx.xx.xx:443
SSL negotiation with xx.xx.xx.xx
22: C_SignInit
2014-11-06 16:32:39.499
[in] hSession = 0x28a1560
pMechanism->type=CKM_RSA_PKCS
[in] hKey = 0x2a3b950
Returned: 0 CKR_OK
23: C_Sign
2014-11-06 16:32:39.499
[in] hSession = 0x28a1560
[in] pData[ulDataLen] 00007fff6dbbf6b0 / 36
00000000 42 B1 2E A0 4B A2 D6 C0 AD C0 CA 28 AD 0F 5D 34 B...K......(..]4
00000010 09 AD 6C 8C 2C A1 31 1E 13 FF 91 65 59 A3 9D D9 ..l.,.1....eY...
00000020 24 89 88 9D $...
[out] pSignature[*pulSignatureLen] NULL [size : 0x100 (256)]
Returned: 0 CKR_OK
24: C_Sign
2014-11-06 16:32:39.499
[in] hSession = 0x28a1560
[in] pData[ulDataLen] 00007fff6dbbf6b0 / 36
00000000 42 B1 2E A0 4B A2 D6 C0 AD C0 CA 28 AD 0F 5D 34 B...K......(..]4
00000010 09 AD 6C 8C 2C A1 31 1E 13 FF 91 65 59 A3 9D D9 ..l.,.1....eY...
00000020 24 89 88 9D $...
Returned: 257 CKR_USER_NOT_LOGGED_IN
SSL connection failure: PKCS #11 user error
Failed to open HTTPS connection to xx.xx.xx.xx
Failed to obtain WebVPN cookie
What's wrong? It looks like it's so *close* to working...
FWIW I don't think the PKCS#11 standard permits CKR_USER_NOT_LOGGED_IN as a return value from C_Sign(). If that's the case, C_SignInit() should have failed.
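The pkcs11: URI on the openconnect command line is what the PKCS#11 layer turns into the token match and the C_FindObjectsInit template that the spy log shows (CKA_ID 02, CKA_LABEL "SIGN key", CKA_CLASS CKO_PRIVATE_KEY). The script below is an added example, not code from the post, from openconnect or from OpenSC: it parses that URI, percent-decoding each value to bytes because CKA_ID is binary, matches the token-level attributes against CK_TOKEN_INFO fields (which PKCS#11 pads with trailing spaces, hence the blanks in the log), and builds the object-search template. The sample URI and token fields are copied from the log above; the handling of both the RFC 7512 `type` attribute and the older `object-type` spelling used here is an assumption about what a tolerant parser should accept, and the `pin-source` query example is constructed.

```python
"""Parse a pkcs11: URI (RFC 7512 style) and match it against token info.

Added example for the thread above; not part of openconnect or OpenSC.
"""
from urllib.parse import unquote_to_bytes

# Sample input, copied from the openconnect command line in the post.
SAMPLE_URI = ("pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;"
              "serial=00000000;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;"
              "id=%02;object=SIGN%20key;object-type=private")

# CK_TOKEN_INFO fields as the pkcs11-spy log prints them.  PKCS#11 pads
# label/manufacturerID to 32 bytes and model/serialNumber to 16 bytes
# with spaces, not NULs, so the trailing blanks are real data.
SAMPLE_TOKEN = {
    "label": "PIV_II (PIV Card Holder pin)    ",
    "manufacturerID": "piv_II                          ",
    "model": "PKCS#15 emulated",
    "serialNumber": "00000000        ",
}

# URI attribute -> CK_TOKEN_INFO field it is compared against.
TOKEN_ATTRS = {"token": "label", "manufacturer": "manufacturerID",
               "model": "model", "serial": "serialNumber"}

# RFC 7512 object types -> CKA_CLASS value (as a name, for readability).
OBJECT_CLASS = {"private": "CKO_PRIVATE_KEY", "public": "CKO_PUBLIC_KEY",
                "cert": "CKO_CERTIFICATE", "secret-key": "CKO_SECRET_KEY",
                "data": "CKO_DATA"}


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs), each a dict of str -> bytes.

    Path attributes are ';'-separated, query attributes '&'-separated.
    Values are percent-decoded to bytes: CKA_ID is binary (here %02 is a
    single 0x02 byte, not text).  Duplicate attributes are rejected.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")

    def split(section, sep):
        attrs = {}
        for item in filter(None, section.split(sep)):
            name, eq, value = item.partition("=")
            if not eq:
                raise ValueError("attribute without '=': %r" % item)
            if name in attrs:
                raise ValueError("duplicate attribute %r" % name)
            attrs[name] = unquote_to_bytes(value)
        return attrs

    return split(path, ";"), split(query, "&")


def token_matches(path_attrs, token_info):
    """True if every token-level attribute named in the URI matches.

    The token side is stripped of its space padding before comparison;
    the URI side is taken literally.  Attributes absent from the URI
    are wildcards, so a URI with only token= matches on label alone.
    """
    for attr, field in TOKEN_ATTRS.items():
        if attr in path_attrs:
            want = path_attrs[attr].decode("utf-8")
            if want != token_info[field].rstrip(" "):
                return False
    return True


def find_template(path_attrs):
    """Attribute template for C_FindObjectsInit, mirroring the spy log.

    Accepts both the RFC 7512 'type' attribute and the older
    'object-type' spelling seen in the URI above (assumption: a parser
    in 2014 had to accept either).
    """
    tmpl = {}
    if "id" in path_attrs:
        tmpl["CKA_ID"] = path_attrs["id"]
    if "object" in path_attrs:
        tmpl["CKA_LABEL"] = path_attrs["object"]
    kind = path_attrs.get("type", path_attrs.get("object-type"))
    if kind is not None:
        try:
            tmpl["CKA_CLASS"] = OBJECT_CLASS[kind.decode("ascii")]
        except (KeyError, UnicodeDecodeError):
            raise ValueError("unknown object type %r" % kind)
    return tmpl


if __name__ == "__main__":
    path, query = parse_pkcs11_uri(SAMPLE_URI)
    print("token matches:", token_matches(path, SAMPLE_TOKEN))
    print("find template:", find_template(path))
```

Run it as-is and it reports that the sample token matches and prints the same three-attribute template the log shows at C_FindObjectsInit. Changing the serial in SAMPLE_TOKEN makes the match fail, which is the behaviour you want from a selector: a URI that names serial=00000000 must not silently pick up a different NEO.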