Yubico Forum

Hello,

we are trying to get S/MIME-based email signing and decryption working using Yubikey Neo and Yubikey 4 with Thunderbird / opensc on Linux. Unfortunately we always encounter the same problems.

Thunderbird cannot reliably communicate with Yubikey and always looses the reference to the certificate.

The first time we try to send a signed mail or decrypt a stored mail it works. Thunderbirds asks for the PIN (strangely called master password for some reason) and resumes operation as expected. However, after that, both signing and decryption ceases to function.

Trying to sign mails fails with:


Decrypting mails fails with:


Sometimes Thunderbird will repeatedly ask for the "master password for PIV" without managing to log into the key, sometimes it will not ask at all. In any case it does not work.

The only solution we found so far was to eject and reinsert the Yubikey. Then the next single signing or decryption operation will succeed. After that, the error reoccurs.

We have confirmed that on two different machines running two newly installed flavors of Ubuntu. I am unsure whether this is Yubikey or opensc related, so it could as well be an opensc bug. But since opensc is apparently the only driver for Yubikey it's effectively a Yubikey problem.

Software:
xubuntu / ubunut-gnome 15.10 x86_64 4.2.0-27-generic
Thunderbird 38.5.1
OpenSC 0.15.0 [gcc 4.9.2]

Best regards

Just to make sure: did you fully initialize your Yubikey NEO with yubico-piv-tool? You need to look at "set-chuid" and "set-ccc". Without these two your Yubikey is not PIV-compliant enough for other software to use it.

I would like to verify that, unfortunately, my system suddenly does not recognize any smart card reader anymore.



Anyway, there does not seem to be a "set-ccc" option / action:

After removing anything smartcard related from the system, then reinstalling the yubico packages using the yubico PPA I now have the newest stable version of yubico-piv-tool. Obviously, the one in the official ubuntu PPA is outdated.

Checking the status:



So indeed, CCC is apparently not set. However, I can't do set-ccc due to some authentication problem that I can't get around:


In fact, I can't do anything that requires authentication (reset, set-mgm-key, ...). I never changed the management key and it should be default.

Also, I wonder, if "set-ccc" is such a critical setting, why is there no documentation about it, and why is this option not included in the stable ubuntu PPA release? Not even the yubico-piv-tool documentation https://www.yubico.com/wp-content/uploads/2015/04/Yubico-PIV-Management-Tools_v1.0.pdf mentions it.

I managed to set-ccc by setting a new management key but that did not change anything. The error still persists.

For further information, we also tested another USB-based token device that stores s/mime certificates and uses the opensc-pkcs11 module. It works on the same machine using the same software stack without issues. IMHO that strengthens my assumption, that it is a yubikey-related issue.

I've had problems with Thunderbird decrypting S/MIME on different machines with different PKCS11 middleware (including Windows). So I'm certain there's something about Thunderbird itself.

I've also successfully did signature & verification (using RSA and ECC), and encryption & decryption (using RSA) with Yubikey NEO and Yubikey 4 on Mac, using Apple Mail, MS Outlook 2011, and Thunderbird.

Apple Mail often loses track of the token authentication status, and fails to sign outgoing. Possibly Yubikey's problem, but people were reporting similar issues with DoD CAC.

Thunderbird on some Mac boxes is very unreliable and refuses to send encrypted. Observed only with Yubikey on Mac (so far ), works reliably on other platforms with other tokens and middleware.

Thunderbird on many different boxes refuses to decrypt when the decryption key is on a hardware token. This was evidenced consistently on several different platforms with several different token types and different middleware. Definitely not a Yubikey problem.