Yubico Forum

All times are UTC + 1 hour
Posted: Fri Aug 21, 2015 10:12 pm
Joined: Mon Mar 02, 2015 9:39 pm, Posts: 27
I have Yubikey NEO firmware 3.3.0.

I used to have Yubikey sort-of running on Mac OS X Mavericks:
  • openpgp worked OK
  • piv worked with opensc tools and yubico-piv-tool, but not with Keychain Access or tokend...

Haven't touched it for a few months. System got replaced since. Now I'm trying to get it back to working.

  1. Attempt to use OpenSC-0.15.0. Does not detect the card, period. "Card not present".
    Code:
    $ piv-tool -n -c piv
    Card not present.
    $ piv-tool -n
    Card not present.
    $ opensc-tool -i
    OpenSC 0.15.0 [gcc  4.2.1 Compatible Apple LLVM 6.1.0 (clang-602.0.53)]
    Enabled features: zlib readline openssl pcsc(/System/Library/Frameworks/PCSC.framework/PCSC)
    $ opensc-tool -a
    Card not present.
    $ openpgp-tool
    Card not present.
    error: failed to connect to card: Unknown error

    Aborting.

  2. Attempt to use the latest yubico-piv-tool 1.0.2 from GitHub. Cannot detect the card presence:
    Code:
    $ yubico-piv-tool -a status
    Failed to connect to reader.

  3. Attempt to use Yubikey Personalization Tool (App version 3.1.21, Lib version 1.17.1). Detects the device fine, works with it fine. I was able to register it for two-factor auth with Duo. OK here.

I have CACKey installed, and it works fine with CAC card (of course it does not detect Yubikey NEO).

Browsed this forum, cannot get a hint what I could/should try. My goals are:
  • Get Yubikey NEO recognized by available tools such as OpenSC
  • Get NEO working again with GnuPG
  • Get NEO working with PIV tools, at least to the level of dealing with keys and certificates in manual mode, such as using them via "yubico-piv-tool"
  • Ideally - get NEO recognized by tokend (either PKCS11.tokend that came with CACKey, or by OpenSC.tokend from OpenSC-0.15.0, or whatever) so I can use it for S/MIME and Web authentication

Would appreciate any help!

Thank you!


Posted: Mon Aug 24, 2015 9:42 am
Site Admin
Joined: Mon Dec 08, 2014 2:52 pm, Posts: 314
Install the Yubikey NEO manager to get the plist patched


Posted: Mon Aug 24, 2015 4:42 pm
Joined: Mon Mar 02, 2015 9:39 pm, Posts: 27
I've installed YubiKey NEO Manager and YubiKey PIV Manager.

UPDATE

YubiKey NEO Manager starts fine, detects my NEO device fine, and correctly reports that the device has been set to connection mode [OTP+U2F+CCID]. Rebooting the system a couple of times made it display Available apps in this mode. Among those apps:
  • Yubico PIV applet 0.1.2
  • Yubico OpenPGP applet 1.0.8 (definitely need to upgrade, but that would be my next question :)).

Changed the certs to RSA, and got PKCS11.tokend to see NEO. Yay! But Keychain Access refuses to unlock this token - it just doesn't prompt for the PIN.

Reviewing past goals :) :
  1. :D (solved) OpenSC tools started talking to NEO after I disabled U2F mode.
    Code:
    $ piv-tool --serial
    Using reader with a card: Yubico Yubikey NEO OTP+CCID
    88 66 D9 72 4C CE 01 2B 1E 8B CE 0B 71 EC 84 46 .f.rL..+....q..F

    Currently the certs are RSA. I hope to be able to change them to ECC at some point.
  2. :cry: GnuPG - still no-go, with either GPG-2.0.28 or GPG-1.4.19. Cannot recognize the card, though GPG-1.4.19 detects the "reader":
    Code:
    $ gpg -v --card-edit

    gpg: detected reader `SCM Microsystems Inc. SCR 3310'
    gpg: detected reader `Yubico Yubikey NEO OTP+CCID'
    gpg: reader slot 0: not connected
    gpg: reader slot 0: not connected
    gpg: apdu_send_simple(0) failed: no card
    Please insert the card and hit return or enter 'c' to cancel: c
    gpg: selecting openpgp failed: no card
    gpg: OpenPGP card not available: general error
  3. :D (solved) NEO working with PIV tools: good. Works with yubico-piv-tool, OpenSC piv-tool, Yubikey PIV Manager (correctly displaying provisioned certificates).
  4. :D (partially solved) PKCS11.tokend sees Yubikey NEO. But KeyChain Access cannot unlock it.

Questions:
  1. How to get GnuPG to recognize the NEO again?
  2. How to upgrade the OpenPGP applet on the NEO, given that I only have Mac and Mac OS X - and there doesn't seem to be a way to install gpshell or Global Platform...?
  3. How to get KeyChain Access to actually work with NEO (e.g. unlock the keychain)?
  4. How to get any tokend to recognize NEO with EC certificates?

Thank you!


Posted: Tue Aug 25, 2015 8:54 am
Site Admin
Joined: Mon Dec 08, 2014 2:52 pm, Posts: 314
Because you are using the wrong reader.

disable gpg: detected reader `SCM Microsystems Inc. SCR 3310'


Posted: Wed Aug 26, 2015 10:20 pm
Joined: Mon Mar 02, 2015 9:39 pm, Posts: 27
Tom2 wrote:
because you are using the wrong reader.

disable gpg: detected reader `SCM Microsystems Inc. SCR 3310'


Sorry, this doesn't seem to work. With GPG-2.0.28:
Code:
$ opensc-tool -a
Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID
3b:fc:13:00:00:81:31:fe:15:59:75:62:69:6b:65:79:4e:45:4f:72:33:e1
$ gpg2 --card-status
gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error


With GPG-1.4.19:
Code:
$ gpg --card-status
gpg: detected reader `Yubico Yubikey NEO OTP+U2F+CCID'
gpg: pcsc_connect failed: sharing violation (0x8010000b)
gpg: apdu_send_simple(0) failed: locking failed
Please insert the card and hit return or enter 'c' to cancel:


Also, in general I need to use both devices (CAC and NEO), so I need that SCM reader - and jerking it out every time I want to do something GPG-related doesn't seem a good solution...

Also, I'm not sure I fully understand what you mean by "disable" - somehow programmatically? Just yank the cable out? Or...?

Update

Seems like there's conflict between the tokend from OpenSC-0.15.0 that takes care of the PIV part of the NEO, and openpgp-tool from OpenSC-0.15.0 that should take care of the OpenPGP part:

Code:
$ openpgp-tool -v --raw
Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID
Connecting to card in reader Yubico Yubikey NEO OTP+U2F+CCID...
Using card driver PIV-II  for multiple cards.
error: not an OpenPGP card


Last edited by Uriel on Fri Aug 28, 2015 2:59 pm, edited 1 time in total.

Posted: Fri Aug 28, 2015 1:38 pm
Joined: Wed Jan 14, 2015 11:34 am, Posts: 24
You can try un-patching the ifd-ccid OSX driver (removing Yubikey support) so it isn't used for tokend. Then you can use scdaemon to talk to the card directly via libusb (it should just work).

You will not be able to use the Neo with both PIV and GPG.


Posted: Fri Aug 28, 2015 3:00 pm
Joined: Mon Mar 02, 2015 9:39 pm, Posts: 27
zviratko wrote:
You can try un-patching the ifd-ccid OSX driver (removing Yubikey support) so it isn't used for tokend. Then you can use scdaemon to talk to the card directly via libusb (it should just work).

You will not be able to use the Neo with both PIV and GPG.

But I was able to use the NEO with both PIV and GPG, as far as 5 months ago! Granted, tokend did not operate properly then, but the ifd-ccid included full Yubikey support...

Update 2

OpenSC Tokend (0.15.0) recognizes the NEO, but still refuses to unlock it. As a result, Mac OS X applications see the certificates on the PIV applet and allow configuring them for accounts and such, but when the time comes to, e.g., actually sign something with a signing cert, the unlock does not work (no error message; the PIN entry window pops up, I enter the correct (verified) PIN, the window disappears) and the operation fails.

Here's the opensc.log in case somebody can make something useful out of it:
Code:
0x7fff7db8a300 14:29:49.317106025398799 [tokend] reader-pcsc.c:254:pcsc_transmit: reader 'Yubico Yubikey NEO OTP+U2F+CCID'
0x7fff7db8a300 14:29:49.140733193388559 [tokend] apdu.c:187:sc_apdu_log:
Outgoing APDU data [   13 bytes] =====================================
00 20 00 80 08 31 32 33 34 35 36 FF FF . ...123456..
======================================================================
0x7fff7db8a300 14:29:49.140733193388559 [tokend] reader-pcsc.c:184:pcsc_internal_transmit: called
0x7fff7db8a300 14:29:49.4294967834 [tokend] apdu.c:187:sc_apdu_log:
Incoming APDU data [    2 bytes] =====================================
6D 00 m.
======================================================================
0x7fff7db8a300 14:29:49.140733193388570 [tokend] apdu.c:399:sc_single_transmit: returning with: 0 (Success)
0x7fff7db8a300 14:29:49.120259084826 [tokend] apdu.c:552:sc_transmit: returning with: 0 (Success)
0x7fff7db8a300 14:29:49.-4294966758 [tokend] card.c:403:sc_unlock: called
0x7fff7db8a300 14:29:49.317827580442 [tokend] iso7816.c:121:iso7816_check_sw: Instruction code not supported or invalid
0x7fff7db8a300 14:29:49.4294967834 [tokend] sec.c:206:sc_pin_cmd: returning with: -1204 (Unsupported INS byte in APDU)
0x7fff7db8a300 14:29:49.538 [tokend] pkcs15-pin.c:368:sc_pkcs15_verify_pin: PIN cmd result -1204
0x7fff7db8a300 14:29:49.140733193388570 [tokend] card.c:403:sc_unlock: called
0x7fff7db8a300 14:29:49.538 [tokend] reader-pcsc.c:566:pcsc_unlock: called
0x7fff7db8a300 14:29:49.539 [tokend] pkcs15-pin.c:373:sc_pkcs15_verify_pin: returning with: -1204 (Unsupported INS byte in APDU)
0x7fff7db8a300 14:29:49.539 [tokend] /Users/ur20980/Src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:192:_verifyPIN:   In OpenSCToken::verify returned -1204 for pin 1
0x7fff7db8a300 14:31:43.025 [tokend] /Users/ur20980/Src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:342:getAcl: In OpenSCToken::getAcl()


Update 3

After switching back from OpenSC.tokend to PKCS11.tokend, I was able to access the OpenPGP applet on the card:

Code:
$ gpg2 --card-status
Application ID ...: D2760001240102000006xxxxxxxx0000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: xxxxxxxx
Name of cardholder: xxxxxxxx
Language prefs ...: en
Sex ..............: male
URL of public key : [not set]
Login data .......: xxxxxxxx
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 9 10 10
Signature counter : 1
Signature key ....: 55EF BBDB 589D F9E7 C0DE  BD3B 0A15 3DD8 04FC 4C53
      created ....: 2015-02-20 19:25:54
Encryption key....: 61B4 A2C3 6690 CE8C 49FF  7C3F CC16 E440 BF8B 03DA
      created ....: 2015-02-20 19:25:15
Authentication key: 9A42 E3DE 81A4 CDDC A3B9  AF58 ACA3 F3C2 FA14 803D
      created ....: 2015-02-20 19:32:04
General key info..: pub  2048R/04FC4C53 2015-02-20 xxxxxxxx (find out through PGP keyserver :)
sec   4096R/E644595A  created: 2015-02-20  expires: 2015-07-20
ssb>  2048R/BF8B03DA  created: 2015-02-20  expires: 2015-07-20
                      card-no: 0006 xxxxxxxx
ssb>  2048R/04FC4C53  created: 2015-02-20  expires: 2015-07-20
                      card-no: 0006 xxxxxxxx
ssb>  2048R/FA14803D  created: 2015-02-20  expires: 2015-07-20
                      card-no: 0006 xxxxxxxx
$


Update 4
An important part of being able to access the OpenPGP applet while PKCS11.tokend is running and providing PIV applet-related services is setting up gpg-agent correctly (which I probably hadn't done before). This includes:
  1. Making sure gpg-agent actually starts, preferably when you log in.
  2. Having the correct config files for
    • gpg-agent
    • scdaemon
    • gpg itself (make sure it has the "use-agent" option in it)

Here are the config files in ~/.gnupg:
For gpg-agent (note that I have GPG Tools installed):
Code:
pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
#pinentry-program /Applications/MacPorts/pinentry-mac.app/Contents/MacOS/pinentry-mac
scdaemon-program /usr/local/MacGPG2/libexec/scdaemon
enable-ssh-support
write-env-file
default-cache-ttl 600
max-cache-ttl 7200


For scdaemon:
Code:
#
#reader-port "Yubico Yubikey NEO OTP+U2F+CCID 00 00"
#reader-port "Yubico Yubikey NEO OTP+U2F+CCID 01 00"
reader-port "Yubico Yubikey NEO OTP+U2F+CCID"
allow-admin
pcsc-driver /System/Library/Frameworks/PCSC.framework/PCSC
disable-ccid
card-timeout 15 #Release the card after 15 seconds


and scd-event:
Code:
#!/bin/sh

state=$8

if [ "$state" = "NOCARD" ]; then
  pkill -9 scdaemon
fi


Here's what my ~/.bash_profile includes:
Code:
# GPGTools for Apple Mail and Yubikey NEO support
if [ -e /usr/local/MacGPG2 ]; then
        export PATH=$PATH:/usr/local/MacGPG2/bin
        gpg-agent --daemon --write-env-file --enable-ssh-support
        sleep 2
fi
# Also adds support for SSH using keys on NEO
if [ -r ~/.gpg-agent-info ]; then
        source ~/.gpg-agent-info
        export GPG_AGENT_INFO
        export SSH_AUTH_SOCK
        export SSH_AGENT_PID
fi


Update 5

With the above setup - the latest PKCS11.tokend from the CACKey_0.7.4 package, and the latest OpenSC 0.15.0 - I can use NEO for both PIV and OpenPGP (and U2F, and OTP, but that's beside the point :) ). This applies to OpenPGP 1.0.8 and 1.0.10, and PIV 0.1.2 and 0.1.3.

Disadvantage: after using it in one mode {PIV, PGP} usually I need to remove and re-insert to run it in the other one. But I can tolerate that.

Update 6
With the latest commit to OpenSC and OpenSC.tokend, OpenSC.tokend works with NEO and CAC. PIV.tokend also works with both. Adding the correct Card Capability Container (CCC) to NEO made the difference between working with tokend, and not being accepted as a valid PIV.

Here is an example of a valid CCC (variable part is randomly generated):

Quote:
5344f015a0000001164b03e84bb72137b68047eb04561a5636f10121f20121f300f40111f50110f6110000000000000000000000000000000000f700fa00fb00fc00fd00fe00


Summary.
Needed for OpenSC.tokend:
In order to get OpenSC.tokend working with NEO, the following commit needs to be applied to it:
https://github.com/frankmorgner/OpenSC.tokend/commit/c8fe66e

Or better yet, since some recent commits damaged the above tokend's ability to sign RSA, you can try this fork:
https://github.com/mouse07410/OpenSC.tokend
It is supposed to completely support RSA for S/MIME (signing/verifying, and encryption/decryption), and ECDSA. Tested with Apple Mail (RSA and ECDSA), MS Outlook 2011 (RSA, verifies ECDSA but cannot generate ECDSA signatures), Thunderbird (full RSA, full ECDSA).
ECDH support is coming, but not there yet.

Needed for NEO: Generate CCC with format and content as shown above, and write it to NEO using OpenSC piv-tool like this:
Code:
piv-tool -A M:9b:03 -O db00 -i generated-ccc.bin

Note that the environment variable PIV_EXT_AUTH_KEY must point to a text file containing the NEO admin maintenance key in the format: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

Note that yubico-piv-tool release 1.1.3 added the ability to set CCC to the card:
Code:
yubico-piv-tool -k 01020304050607....08 -P 123456 -a set-ccc


The above enables all the tokends mentioned above.
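The opensc.log excerpt in Update 2 records the exact APDU exchange behind the failed unlock. As an added example (my code, not the poster's or OpenSC's), here is a small decoder for OpenSC's APDU dump format run over those two dumps: it shows the tokend sending VERIFY (INS 0x20) against key reference 0x80, the PIV application PIN, with the PIN padded to 8 bytes with 0xFF, and the card answering 6D 00, the "instruction code not supported" status that the later sc_pin_cmd line reports as -1204. The INS and status-word names are the ISO 7816-4 / SP 800-73 ones; the sample log is the post's own text, trimmed to the two dumps. One thing the dump makes plain: OpenSC's debug log writes the PIN bytes in clear (31 32 33 34 35 36), so an opensc.log shared for troubleshooting needs the same handling as the PIN itself, and the decoder below reports only the PIN length for VERIFY commands.

```python
import re

# Constructed excerpt: the two APDU dumps from the poster's opensc.log, verbatim.
SAMPLE_LOG = """\
0x7fff7db8a300 14:29:49.140733193388559 [tokend] apdu.c:187:sc_apdu_log:
Outgoing APDU data [   13 bytes] =====================================
00 20 00 80 08 31 32 33 34 35 36 FF FF . ...123456..
======================================================================
0x7fff7db8a300 14:29:49.140733193388559 [tokend] reader-pcsc.c:184:pcsc_internal_transmit: called
0x7fff7db8a300 14:29:49.4294967834 [tokend] apdu.c:187:sc_apdu_log:
Incoming APDU data [    2 bytes] =====================================
6D 00 m.
======================================================================
"""

# ISO 7816-4 / SP 800-73 instruction bytes and status words used by PIV.
INS_NAMES = {0x20: "VERIFY", 0xA4: "SELECT", 0xCB: "GET DATA",
             0x87: "GENERAL AUTHENTICATE", 0xDB: "PUT DATA"}
STATUS_WORDS = {0x9000: "success",
                0x6D00: "instruction code not supported or invalid",
                0x6A82: "file or application not found",
                0x6982: "security status not satisfied"}

HEADER = re.compile(r"^(Outgoing|Incoming) APDU data \[\s*(\d+) bytes\]")
HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def extract_apdus(log_text):
    """Return [(direction, bytes)] for every APDU dump in an OpenSC debug log."""
    lines = log_text.splitlines()
    result = []
    for i, line in enumerate(lines):
        m = HEADER.match(line)
        if not m:
            continue
        direction, n = m.group(1), int(m.group(2))
        buf = bytearray()
        for dump in lines[i + 1:]:
            if len(buf) >= n or dump.startswith("===="):
                break
            # OpenSC prints up to 16 bytes per line as hex pairs followed by an
            # ASCII rendering; take only as many leading hex tokens as are missing,
            # so ASCII text that happens to look like hex is never consumed.
            for tok in dump.split()[:min(16, n - len(buf))]:
                if not HEX_PAIR.fullmatch(tok):
                    break
                buf.append(int(tok, 16))
        if len(buf) != n:
            raise ValueError(f"{direction} dump claims {n} bytes, found {len(buf)}")
        result.append((direction, bytes(buf)))
    return result


def status_meaning(sw):
    """Map a status word to text, including the 63Cx retry-counter form."""
    if (sw & 0xFFF0) == 0x63C0:
        return f"verification failed, {sw & 0x0F} tries left"
    return STATUS_WORDS.get(sw, "unknown status word")


def decode_command(apdu):
    """Split a command APDU into CLA/INS/P1/P2/Lc and describe it."""
    cla, ins, p1, p2 = apdu[:4]
    lc = apdu[4] if len(apdu) > 4 else 0
    data = apdu[5:5 + lc]
    info = {"cla": cla, "ins": ins, "ins_name": INS_NAMES.get(ins, "unknown"),
            "p1": p1, "p2": p2, "lc": lc}
    if ins == 0x20:
        # VERIFY carries the PIN in the data field, padded to 8 bytes with 0xFF;
        # report its length only, never the PIN bytes themselves.
        info["key_reference"] = p2          # 0x80 = PIV application PIN
        info["pin_length"] = len(data.rstrip(b"\xff"))
        info["sensitive_data"] = True
    else:
        info["data"] = data.hex()
        info["sensitive_data"] = False
    return info


def decode_response(apdu):
    """Split a response APDU into data and SW1 SW2."""
    sw = int.from_bytes(apdu[-2:], "big")
    return {"sw": f"{sw:04X}", "meaning": status_meaning(sw), "data": apdu[:-2].hex()}


def summarize(log_text):
    """Decode every dump in the log into ("command"|"response", details)."""
    events = []
    for direction, apdu in extract_apdus(log_text):
        if direction == "Outgoing":
            events.append(("command", decode_command(apdu)))
        else:
            events.append(("response", decode_response(apdu)))
    return events


if __name__ == "__main__":
    for kind, details in summarize(SAMPLE_LOG):
        print(kind, details)
```

Run against the post's log this yields a VERIFY with key reference 0x80 and a 6-character PIN, followed by SW 6D00; pointing `summarize` at a full opensc.log (read as text) lists the whole exchange in the same shape.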
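The CCC hex string in Update 6 is a BER-style TLV: an outer 0x53 data object wrapping the SP 800-73 Card Capability Container elements (F0 card identifier through FE error detection code). As an added example (my code, not the poster's, OpenSC's or Yubico's), here is a parser that checks a blob against the layout of that sample, plus a builder that produces a fresh one with a random card identifier; the element names are the SP 800-73 ones, while the element lengths and values simply mirror the sample, and treating the 16 bytes after the GSC-IS RID a0 00 00 01 16 as the random part is an assumption drawn from the sample rather than from any documented rule. The builder's output is what the `piv-tool -A M:9b:03 -O db00 -i generated-ccc.bin` step above expects as its input file.

```python
import secrets
import sys

# The poster's sample CCC (from the thread; the card identifier bytes after the
# RID were randomly generated on their side).
SAMPLE_CCC_HEX = (
    "5344f015a0000001164b03e84bb72137b68047eb04561a5636f10121f20121f300"
    "f40111f50110f6110000000000000000000000000000000000f700fa00fb00fc00fd00fe00"
)

# GSC-IS registered application provider identifier that opens the card identifier.
GSC_RID = bytes.fromhex("a000000116")

# (tag, SP 800-73 element name, value length as used in the sample above).
# Assumption: this is the layout the tokends on this thread accept.
CCC_LAYOUT = [
    (0xF0, "Card Identifier", 21),
    (0xF1, "Capability Container version number", 1),
    (0xF2, "Capability Grammar version number", 1),
    (0xF3, "Applications CardURL", 0),
    (0xF4, "PKCS#15", 1),
    (0xF5, "Registered Data Model number", 1),
    (0xF6, "Access Control Rule Table", 17),
    (0xF7, "Card APDUs", 0),
    (0xFA, "Redirection Tag", 0),
    (0xFB, "Capability Tuples", 0),
    (0xFC, "Status Tuples", 0),
    (0xFD, "Next CCC", 0),
    (0xFE, "Error Detection Code", 0),
]


def parse_tlv(data):
    """Parse a run of simple TLVs: one-byte tag, BER short or long (81/82) length."""
    out, i = [], 0
    while i < len(data):
        tag = data[i]
        i += 1
        if i >= len(data):
            raise ValueError(f"truncated: tag {tag:02X} has no length")
        length = data[i]
        i += 1
        if length & 0x80:                      # long form: number of length bytes
            n = length & 0x7F
            if n == 0 or n > 2 or i + n > len(data):
                raise ValueError(f"bad long-form length for tag {tag:02X}")
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError(f"truncated value for tag {tag:02X}")
        out.append((tag, bytes(data[i:i + length])))
        i += length
    return out


def parse_ccc(blob):
    """Return {tag: value} for the elements inside the outer 0x53 object."""
    outer = parse_tlv(blob)
    if len(outer) != 1 or outer[0][0] != 0x53:
        raise ValueError("CCC must be a single 0x53 data object")
    return dict(parse_tlv(outer[0][1]))


def check_ccc(blob):
    """List every way the blob departs from the sample layout; [] means it matches."""
    try:
        elems = parse_ccc(blob)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for tag, name, length in CCC_LAYOUT:
        if tag not in elems:
            problems.append(f"missing {name} (tag {tag:02X})")
        elif len(elems[tag]) != length:
            problems.append(f"{name}: expected {length} bytes, got {len(elems[tag])}")
    for tag in sorted(set(elems) - {t for t, _, _ in CCC_LAYOUT}):
        problems.append(f"unexpected tag {tag:02X}")
    if 0xF0 in elems and not elems[0xF0].startswith(GSC_RID):
        problems.append("card identifier does not start with the GSC-IS RID a000000116")
    return problems


def build_ccc(card_id_suffix=None):
    """Build a CCC in the sample's layout with a fresh random card identifier."""
    if card_id_suffix is None:
        card_id_suffix = secrets.token_bytes(16)
    if len(card_id_suffix) != 16:
        raise ValueError("card identifier suffix must be 16 bytes")
    values = {0xF0: GSC_RID + card_id_suffix, 0xF1: b"\x21", 0xF2: b"\x21",
              0xF3: b"", 0xF4: b"\x11", 0xF5: b"\x10", 0xF6: bytes(17),
              0xF7: b"", 0xFA: b"", 0xFB: b"", 0xFC: b"", 0xFD: b"", 0xFE: b""}
    body = b"".join(bytes([tag, len(values[tag])]) + values[tag]
                    for tag, _, _ in CCC_LAYOUT)
    return bytes([0x53, len(body)]) + body


if __name__ == "__main__":
    # Usage: python ccc.py [output-file]; writes a new CCC, default generated-ccc.bin
    path = sys.argv[1] if len(sys.argv) > 1 else "generated-ccc.bin"
    ccc = build_ccc()
    assert check_ccc(ccc) == []
    with open(path, "wb") as fh:
        fh.write(ccc)
    print(f"wrote {len(ccc)} bytes to {path}: {ccc.hex()}")
```

Running `check_ccc` on the sample returns an empty list; a blob with a byte missing, a wrong F6 length or a stray element gets a readable complaint instead of the silent "not a valid PIV" rejection the tokends give.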


Posted: Thu Dec 01, 2016 5:20 am
Joined: Sun Nov 15, 2015 11:47 pm, Posts: 36
On macOS Sierra, for Yubikey to be properly recognized by the new pivtoken (that Apple ships with Sierra) it appears to need Key History Object.

Here's how it can be put on the card:
  1. Create a text file, e.g. ~/key_history_object.txt with content 5301fe
  2. Perform the following command
    Code:
    yubico-piv-tool -k -a write-object --id=0x5fc10c -i ~/key_history_object.txt
    It will prompt you for the token management key. Give it.
  3. Verify that the command succeeded via
    Code:
    yubico-piv-tool -a read-object --id=0x5fc10c

    Response should be 5301fe

