Yubico Forum https://forum.yubico.com/ |
Strange issues with libykcs11 under macOS https://forum.yubico.com/viewtopic.php?f=35&t=2813 |
Author: yze [ Wed Jan 03, 2018 12:04 am ]
Post subject: Strange issues with libykcs11 under macOS

I have installed yubikey-piv-tools via brew. Using my Yubikey 4 works for e.g. SSH login, but before being prompted for the PIN I get, for each installed PIV certificate, a: C_GetAttributeValue failed: 6

For example:

Code:
    % ssh-keygen -D /usr/local/lib/libykcs11.dylib -e
    C_GetAttributeValue failed: 6
    [...]

Using opensc-pkcs11.so doesn't show the error and works similarly; however, I can't use the extra slots.

What I struggle with, however, is that openvpn doesn't show any certs (while opensc does):

Code:
    % openvpn --show-pkcs11-ids /usr/local/lib/libykcs11.dylib
    The following objects are available for use.
    Each object shown below may be used as parameter to
    --pkcs11-id option please remember to use single quote mark.
    %

It is a little surprising that opensc works while Yubikey's own implementation with its own device fails... I would have expected the opposite.

The reason why I wanted to use ykcs11 rather than the opensc one is the fact that I can use the "retired" slots for openvpn and do not consume the rare NIST slots (9x) for that.

Did anyone get openvpn going on macOS with ykcs11? Anything to debug that? Buggy code?

Cheers,
Yze

Author: yze [ Wed Jan 03, 2018 4:35 pm ]
Post subject: Re: Strange issues with libykcs11 under macOS

Found a solution myself. Since my primary goal was to use all PIV slots, I found a solution from opensc to get the "retired" slots working. The current 2017 version is already ready for this. What was missing was to describe with a Key History object how to use those slots for opensc.

For the yubikey 4: To make the certificates appear in keychain.

In short:

Code:
    echo -n C10114C20100FE00 | yubico-piv-tool -k -a write-object --id 0x5FC10C -i -

will activate all 20 slots as purpose for X509 certificate + key.

With that said, ykcs11 is no longer needed.
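
The payload written to object 0x5FC10C in the post above is a short TLV structure. As an added example (not part of the original post, and not Yubico or OpenSC code), this Python decoder shows what those bytes declare and rejects malformed payloads; the tag names are taken from NIST SP 800-73-4, and the function and constant names are hypothetical.

```python
# Added example: decode a PIV Key History object payload (data object 0x5FC10C).
# Tag names follow NIST SP 800-73-4; helper names are hypothetical.
KEY_HISTORY_TAGS = {
    0xC1: "keysWithOnCardCerts",
    0xC2: "keysWithOffCardCerts",
    0xF3: "offCardCertURL",
    0xFE: "errorDetectionCode",
}
MAX_RETIRED_KEYS = 20  # retired key management slots (the "all 20 slots" of the post)
POST_PAYLOAD = "C10114C20100FE00"  # hex payload quoted in the post


def parse_tlv(data: bytes):
    """Yield (tag, value) pairs from single-byte-tag BER-TLV data."""
    i = 0
    while i < len(data):
        tag = data[i]
        i += 1
        if i >= len(data):
            raise ValueError(f"tag 0x{tag:02X} has no length byte")
        length = data[i]
        i += 1
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            if n == 0 or i + n > len(data):
                raise ValueError("bad long-form length")
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError(f"tag 0x{tag:02X} value is truncated")
        yield tag, data[i:i + length]
        i += length


def decode_key_history(hex_payload: str) -> dict:
    """Decode and sanity-check a Key History payload given as hex."""
    fields = {}
    for tag, value in parse_tlv(bytes.fromhex(hex_payload)):
        name = KEY_HISTORY_TAGS.get(tag)
        if name is None:
            raise ValueError(f"unexpected tag 0x{tag:02X}")
        fields[name] = value
    on_card = int.from_bytes(fields.get("keysWithOnCardCerts", b""), "big")
    off_card = int.from_bytes(fields.get("keysWithOffCardCerts", b""), "big")
    if on_card + off_card > MAX_RETIRED_KEYS:
        raise ValueError("more keys declared than retired slots exist")
    url = fields.get("offCardCertURL", b"").decode("ascii")
    return {"on_card": on_card, "off_card": off_card, "url": url}
```

Calling `decode_key_history(POST_PAYLOAD)` reports 20 keys with on-card certificates, 0 with off-card certificates, and no off-card URL.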

All times are UTC + 1 hour