Yubico Forum

I ahve Yubikey NEO firmware 3.3.0.

I used to have Yubikey sort-of running on Mac OS X Mavericks:

• openpgp worked OK
• piv worked with opensc tools and yubico-piv-tool, but not with Keychain Access or tokend...

Haven't touched it for a few months. System got replaced since. Now I'm trying to get it back to working.

1. Attempt to use OpenSC-0.15.0. Does not detect the card, period. "Card not present".
   
   Code:
   $ piv-tool -n -c piv
   Card not present.
   $ piv-tool -n
   Card not present.
   $ opensc-tool -i
   OpenSC 0.15.0 [gcc  4.2.1 Compatible Apple LLVM 6.1.0 (clang-602.0.53)]
   Enabled features: zlib readline openssl pcsc(/System/Library/Frameworks/PCSC.framework/PCSC)
   $ opensc-tool -a
   Card not present.
   $ openpgp-tool
   Card not present.
   error: failed to connect to card: Unknown error
   
   Aborting.
   
   
   
2. Attempt to use the latest yubico-piv-tool 1.0.2 from GitHub. Cannot detect the card presence:
   
   Code:
   $ yubico-piv-tool -a status
   Failed to connect to reader.
   
   
3. Attempt to use Yubikey Personalization Tool (App version 3.1.21, Lib version 1.17.1). Detects the device fine, works with it fine. I was able to register it for two-factor auth with Duo. OK here.

I have CACKey installed, and it works fine with CAC card (of course it does not detect Yubikey NEO).

Browsed this forum, cannot get a hint what I could/should try. My goals are:

• Get Yubikey NEO recognized by available tools such as OpenSC
• Get NEO working again with GnuPG
• Get NEO working with PIV tools, at least to the level of dealing with keys and certificates in manual mode, such as using them via "yubico-piv-tool"
• Ideally - get NEO recognized by tokend (either PKCS11.tokend that came with CACKey, or by OpenSC.tokend from OpenSC-0.15.0, or whatever) so I can use it for S/MIME and Web authentication

Would appreciate any help!

Thank you!

Install the Yubikey NEO manager to get the plist patched

I've installed YubiKey NEO Manager and YubiKey PIV Manager.

UPDATE

YubiKey NEO Manager starts fine, detects my NEO device fine, and correctly reports that the device has been set to connection mode [OTP+U2F+CCID]. Rebooting the system a couple of times made it display Available apps in this mode. Among those apps:

• Yubico PIV applet 0.1.2
• Yubico OpenPGP applet 1.0.8 (definitely need to upgrade, but that would be my next question ).

Changed the certs to RSA, and got PKCS11.tokend to see NEO. Jay! But Keychain Access refuses to unlock this token - just doesn't prompt for the PIN.

Reviewing past goals :

1. (solved) OpenSC tools started talking to NEO after I disabled U2F mode.
   
   Code:
   $ piv-tool --serial
   Using reader with a card: Yubico Yubikey NEO OTP+CCID
   88 66 D9 72 4C CE 01 2B 1E 8B CE 0B 71 EC 84 46 .f.rL..+....q..F
   
   
   Currently the certs are RSA. I hope to be able to change them to ECC at some point.
2. GnuPG - still no-go, with either GPG-2.0.28 or GPG-1.4.19. Cannot recognize the card, though GPG-1.4.19 detects the "reader":
   
   Code:
   $ gpg -v --card-edit
   
   gpg: detected reader `SCM Microsystems Inc. SCR 3310'
   gpg: detected reader `Yubico Yubikey NEO OTP+CCID'
   gpg: reader slot 0: not connected
   gpg: reader slot 0: not connected
   gpg: apdu_send_simple(0) failed: no card
   Please insert the card and hit return or enter 'c' to cancel: c
   gpg: selecting openpgp failed: no card
   gpg: OpenPGP card not available: general error
   
3. (solved) NEO working with PIV tools: good. Works with yubico-piv-tool, OpenSC piv-tool, Yubikey PIV Manager (correctly displaying provisioned certificates).
4. (partially solved) PKCS11.tokend sees Yubikey NEO. But KeyChain Access cannot unlock it.

Questions:

1. How to get GnuPG to recognize the NEO again?
2. How to upgrade the OpenPGP applet on the NEO, given that I only have Mac and Mac OS X - and there doesn't seem to be a way to install gpshell or Global Platform...?
3. How to get KeyChain Access to actually work with NEO (e.g. unlock the keychain)?
4. How to get any tokend to recognize NEO with EC certificates?

Thank you!

because you are using the wrong reader.

disable gpg: detected reader `SCM Microsystems Inc. SCR 3310'

Sorry, this doesn't seem to work. With GPG-2.0.28:


With GPG-1.4.19:


Also, in general I need to use both devices (CAC and NEO), so I need that SCM reader - and jerking it out every time I want to do something GPG-related doesn't seem a good solution...

Also, I'm not sure I fully understand what you mean by "disable" - somehow programmatically? Just yank the cable out? Or...?

Update

Seems like there's conflict between the tokend from OpenSC-0.15.0 that takes care of the PIV part of the NEO, and openpgp-tool from OpenSC-0.15.0 that should take care of the OpenPGP part:

You can try un-patching the ifd-ccid OSX driver (removing Yubikey support) so it isn't used for tokend. Then you can use scdaemon to talk to the card directly via libusb (it should just work).

You will not be able to use the Neo with both PIV and GPG.

But I was able to use the NEO with both PIV and GPG, as far as 5 months ago! Granted, tokend did not operate properly then, but the ifd-ccid included full Yubikey support...

Update 2

OpenSC Tokend (0.15.0) recognizes the NEO, but still refuses to unlock it. As a result, Mac OS X applications see the certificates on the PIV applet, allow to configure them for accounts and such, but when the time comes to, e.g., actually sign something with a signing cert, the unlock does not work (no error message, PIN entry window pops up, I enter the correct (verified) PIN, the window disappears) and the operation fails.

Here's the opensc.log in case somebody can make something useful out of it:


Update 3

After switching back from OpenSC.tokend to PKCS11.tokend, I was able to access the OpenPGP applet on the card:



Update 4
An important part of being able to access OpenPGP applet while PKCS11.tokend is running and providing PIV applet-related services, is setting up gpg-agent correctly (which I probably haven't done before). This includes:

1. Making sure gpg-agent actually starts, preferably when you log in.
2. Having the correct config files for
   
   • gpg-agent
   • scdaemon
   • gpg itself (make sure it has the "use-agent" option in it)

Here are the config files in ~/.gnupg:
For gpg-agent (note that I have GPG Tools installed):


For scdaemon:


and scd-event:


Here's what my ~/.bash_profile includes:


Update 5

With the above setup - the latest PKCS11.tokend from CACKey_0.7.4 package, and the latest OpenSC 0.15.0, I can use NEO for both PIV and OpenPGP (and U2F, and OTP, but that's besides the point ). This applies to OpenPGP 1.0.8 and 1.0.10, and PIV 0.1.2 and 0.1.3.

Disadvantage: after using it in one mode {PIV, PGP} usually I need to remove and re-insert to run it in the other one. But I can tolerate that.

Update 6
With the latest commit to OpenSC and OpenSC.tokend, OpenSC.tokend works with NEO and CAC. PIV.tokend also works with both. Adding the correct Card Capability Container (CCC) to NEO made the difference between working with tokend, and not being accepted as a valid PIV.

Here is an example of a valid CCC (variable part is randomly generated):



Summary.
Needed for OpenSC.tokend:
In order to get OpenSC.tokend working with NEO, the following commit needs to be applied to it:
https://github.com/frankmorgner/OpenSC.tokend/commit/c8fe66e

Or better yet, since some recent commits damaged the above tokend's ability to sign RSA, you can try this fork:
https://github.com/mouse07410/OpenSC.tokend
It is supposed to completely support RSA for S/MIME (signing/verifying, and encryption/decryption), and ECDSA. Tested with Apple Mail (RSA and ECDSA), MS Outlook 2011 (RSA, verifies ECDSA but cannot generate ECDSA signatures), Thunderbird (full RSA, full ECDSA).
ECDH support is coming, but not there yet.

Needed for NEO: Generate CCC with format and content as shown above, and write it to NEO using OpenSC piv-tool like this:

Note than environment variable PIV_EXT_AUTH_KEY must point to a text file containing the NEO admin maintenance key in the
format: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

Note that yubico-piv-tool release 1.1.3 added the ability to set CCC to the card:


The above enables all the tokends mentioned above.

On macOS Sierra, for Yubikey to be properly recognized by the new pivtoken (that Apple ships with Sierra) it appears to need Key History Object.

Here's how it can be put on the card:

1. Create a text file, e.g. ~/key_history_object.txt with content 5301fe
2. Perform the following command
   Code:
   yubico-piv-tool -k -a write-object --id=0x5fc10c -i ~/key_history_object.txt
   It will prompt you for the token management key. Give it.
3. Verify that the command succeeded via
   Code:
   yubico-piv-tool -a read-object --id=0x5fc10c
   
   Response should be 5301fe