Yubico Forum

Strange issues with libykcs11 under macOS
Page 1 of 1

Author:  yze [ Wed Jan 03, 2018 12:04 am ]
Post subject:  Strange issues with libykcs11 under macOS

I have installed yubikey-piv-tools via brew.

using my Yubikey 4 works for e.g. SSH login but get before being prompted for PIN for each installed PIV certificate a:

C_GetAttributeValue failed: 6

e.g. example:

% ssh-keygen -D /usr/local/lib/libykcs11.dylib -e
C_GetAttributeValue failed: 6

using opensc-pkcs11.so doesn't show the error and works similar, however can't use the extra slots.

what struggles me, however is that openvpn doesn't show any certs (while opensc does):

% openvpn --show-pkcs11-ids /usr/local/lib/libykcs11.dylib

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

It is a little suprising that opensc works while Yubikey's own implementation with its own device fails... I would have expected the opposite way.
The reasons why I wanted to use ykcs11 rather opensc one is the fact I can use the "retired" slots for openvpn and I do not consume the rare NIST Slots (9x) for that. Did anyone get openvpn going on macOS with ykcs11. Anything to debug that? Buggy code?


Author:  yze [ Wed Jan 03, 2018 4:35 pm ]
Post subject:  Re: Strange issues with libykcs11 under macOS

Found a solution myself. Since my primary goal was to use all PIV slots, I found a solution from opensc to get the "retired" slots working. The current 2017 version is already ready for this. What was missing is to describe with a Key History object how to use those slots for opensc. For the yubikey 4: To make the certificates appear in keychain. In short:

echo -n C10114C20100FE00 | yubico-piv-tool -k -a write-object --id 0x5FC10C -i -

will activate all 20 slots as purpose for X509 certificate + key. With that said, ykcs11 is no longer needed.

Page 1 of 1 All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group