On 11/30/18 6:14 AM, Sumit Bose wrote:
> On Thu, Nov 29, 2018 at 02:03:09PM -0700, Orion Poplawski wrote:
>> On 11/28/18 11:29 PM, Sumit Bose wrote:
>>> On Wed, Nov 28, 2018 at 04:57:17PM -0700, Orion Poplawski wrote:
>>>> I configured a YubiKey on Windows using the YubiKey minidriver with the
>>>> following certificates:
>>>>
>>>> - my "orion" certificate - went into slot 9a PIV Auth
>>>> - A MacOS keychain cert per their docs - went into slot 9d Key Management
>>>> - Another auth certificate for "orion-admin" - went into slot 82
>>>>
>>>> I'm able to authenticate on Windows as either orion or orion-admin, but on
>>>> Linux with sssd it does not see the orion-admin certificate. What needs to
>>>> happen to support this?
>>>
>>> Which version of SSSD are you using?
>>
>> On F29:
>>
>> sssd-2.0.0-4.fc29.x86_64
>>
>> I get somewhat different behavior. First the gdm login screen presents two
>> certificates:
>>
>> - Certificate for Key Management
>> - Certificate for PIV Authentication
>>
>> but still does not list the admin cert. Also, I don't believe it should list
>> the Key Management cert because it is not flagged for smart card authentication.
>
> Do you mean the labels 'Certificate for PIV Authentication' and
> 'Certificate for Key Management' by 'flagged'?
>
> SSSD only looks at the content of the certificate and by default uses
> everything with key usage digitalSignature and extended key usage
> clientAuth. With F29 you can modify this by adding mapping and matching
> rules to sssd.conf, see the 'CERTIFICATE MAPPING SECTION' in man
> sssd.conf for details.
>
>>
>>
>>> Can you send the output of
>>>
>>> p11tool --list-all --provider opensc-pkcs11.so
>
> The slots for the retired keys are not visible. I've found
> https://github.com/OpenSC/OpenSC/issues/847#issuecomment-238119888 with
> a command which made the slots visible for PKCS#11 on my Yubikey.
> Nevertheless the type is still data even after importing a certificate
> with 'yubico-piv-tool -a import-certificate'. Maybe this is different
> when using the Windows driver?

I finally figured out that this was suggesting writing the key history object
to the yubikey. However, we are using the Yubikeys in a mode where we don't
have (or know) the management key - so I don't seem to be able to write the
object.

> Since you already reached out to Yubico you might want to ask as well
> what needs to be done to make the certificates and private keys stored
> in the retired slots properly available as certificate and private key
> on the PKCS#11 level.
I was hoping we could somehow make use of the Yubico PKCS#11 provider module?
Using it appears to report all of the slots at least:
# p11tool --list-all --provider libykcs11.so
Object 0:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20PIV%20Authentication%00
Type: Unknown
Label: X.509 Certificate for PIV Authentication
ID:
Object 1:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Card%20Authentication%00
Type: Unknown
Label: X.509 Certificate for Card Authentication
ID:
Object 2:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Digital%20Signature%00
Type: Unknown
Label: X.509 Certificate for Digital Signature
ID:
Object 3:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Key%20Management%00
Type: Unknown
Label: X.509 Certificate for Key Management
ID:
Object 4:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%201%00
Type: Unknown
Label: X.509 Certificate for Retired Key 1
ID:
Object 5:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%202%00
Type: Unknown
Label: X.509 Certificate for Retired Key 2
ID:
Object 6:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%203%00
Type: Unknown
Label: X.509 Certificate for Retired Key 3
ID:
Object 7:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%204%00
Type: Unknown
Label: X.509 Certificate for Retired Key 4
ID:
Object 8:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%205%00
Type: Unknown
Label: X.509 Certificate for Retired Key 5
ID:
Object 9:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%206%00
Type: Unknown
Label: X.509 Certificate for Retired Key 6
ID:
Object 10:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%207%00
Type: Unknown
Label: X.509 Certificate for Retired Key 7
ID:
Object 11:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%208%00
Type: Unknown
Label: X.509 Certificate for Retired Key 8
ID:
Object 12:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%209%00
Type: Unknown
Label: X.509 Certificate for Retired Key 9
ID:
Object 13:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%2010%00
Type: Unknown
Label: X.509 Certificate for Retired Key 10
ID:
Object 14:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%2011%00
Type: Unknown
Label: X.509 Certificate for Retired Key 11
ID:
Object 15:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%2012%00
Type: Unknown
Label: X.509 Certificate for Retired Key 12
ID:
Object 16:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%2013%00
Type: Unknown
Label: X.509 Certificate for Retired Key 13
ID:
Object 17:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%2014%00
Type: Unknown
Label: X.509 Certificate for Retired Key 14
ID:
Object 18:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%2015%00
Type: Unknown
Label: X.509 Certificate for Retired Key 15
ID:
Object 19:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%2016%00
Type: Unknown
Label: X.509 Certificate for Retired Key 16
ID:
Object 20:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%2017%00
Type: Unknown
Label: X.509 Certificate for Retired Key 17
ID:
Object 21:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%2018%00
Type: Unknown
Label: X.509 Certificate for Retired Key 18
ID:
Object 22:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%2019%00
Type: Unknown
Label: X.509 Certificate for Retired Key 19
ID:
Object 23:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%2020%00
Type: Unknown
Label: X.509 Certificate for Retired Key 20
ID:
Object 24:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=Card%20Capability%20Container%00
Type: Unknown
Label: Card Capability Container
ID:
Object 25:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=Card%20Holder%20Unique%20Identifier%00
Type: Unknown
Label: Card Holder Unique Identifier
ID:
Object 26:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=Security%20Object%00
Type: Unknown
Label: Security Object
ID:
Object 27:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;id=%00;object=X.509%20Certificate%20for%20PIV%20Authentication%00;type=cert
Type: X.509 Certificate
Label: X.509 Certificate for PIV Authentication
ID: 00
Object 28:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;id=%03;object=X.509%20Certificate%20for%20Key%20Management%00;type=cert
Type: X.509 Certificate
Label: X.509 Certificate for Key Management
ID: 03
Object 29:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;id=%00;object=Public%20key%20for%20PIV%20Authentication%00;type=public
Type: Public key (RSA-2048)
Label: Public key for PIV Authentication
ID: 00
Object 30:
URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;id=%03;object=Public%20key%20for%20Key%20Management%00;type=public
Type: Public key (RSA-2048)
Label: Public key for Key Management
ID: 03
But sssd doesn't appear to like it:
# /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --pre
(Fri Nov 30 14:38:04:069338 2018) [[sssd[p11_child[3904]]]] [main] (0x0400): p11_child started.
(Fri Nov 30 14:38:04:069604 2018) [[sssd[p11_child[3904]]]] [main] (0x2000): Running in [pre-auth] mode.
(Fri Nov 30 14:38:04:069853 2018) [[sssd[p11_child[3904]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Fri Nov 30 14:38:04:070075 2018) [[sssd[p11_child[3904]]]] [main] (0x2000): Running with real IDs [0][0].
(Fri Nov 30 14:38:04:073047 2018) [[sssd[p11_child[3904]]]] [init_verification] (0x0040): X509_LOOKUP_load_file failed [185090184][error:0B084088:x509 certificate routines:X509_load_cert_crl_file:no certificate or crl found].
(Fri Nov 30 14:38:04:073234 2018) [[sssd[p11_child[3904]]]] [do_work] (0x0040): init_verification failed.
(Fri Nov 30 14:38:04:073469 2018) [[sssd[p11_child[3904]]]] [main] (0x0040): do_work failed.
(Fri Nov 30 14:38:04:073682 2018) [[sssd[p11_child[3904]]]] [main] (0x0020): p11_child failed!
And indeed it seems to be an incomplete implementation:
# p11tool --export 'pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20PIV%20Authentication%00' --debug 100 --provider libykcs11.so
....
|<3>| ASSERT: pkcs11.c[pkcs11_import_object]:2120
debug: ykcs11.c:1259 (C_GetAttributeValue): In
debug: objects.c:398 (get_doa): For data object 0, get
debug: objects.c:436 (get_doa): VALUE TODO!!!
debug: ykcs11.c:1286 (C_GetAttributeValue): Unable to get attribute 0x11 of object 0
debug: ykcs11.c:1291 (C_GetAttributeValue): Out
|<3>| ASSERT: pkcs11.c[pkcs11_import_object]:2134
debug: ykcs11.c:1460 (C_FindObjectsFinal): In
debug: ykcs11.c:1485 (C_FindObjectsFinal): Out
debug: ykcs11.c:663 (C_CloseSession): In
debug: ykcs11.c:688 (C_CloseSession): Out
|<3>| ASSERT: pkcs11.c[gnutls_pkcs11_obj_export3]:1376
Error in pkcs11_export:562: The requested data were not available.
I've filed https://github.com/Yubico/yubico-piv-tool/issues/175
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301
https://www.nwra.com/
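An added illustration of the point the p11tool listing makes, written for this page and not code from the thread, from SSSD or from Yubico: p11_child can only consider objects a PKCS#11 module exposes as X.509 certificates (a URI with type=cert and an id=), so the script below parses a `p11tool --list-all` listing shaped like the one above and reports which labels are exposed as certificates, which as keys, and which only as untyped data objects. The sample listing is constructed in the shape of the thread's output (serial 1234 is a placeholder), and the script strips the trailing %00 that the module appends to labels.

```python
"""Classify the objects in a `p11tool --list-all` listing by PKCS#11 URI.

SSSD's p11_child can only consider objects the PKCS#11 module exposes as
X.509 certificates (type=cert with an id= in the RFC 7512 URI).  Objects a
module exports as untyped data, as the retired-key slots appear in the
listing on this page, never reach certificate matching.  Everything here is
an added example, not SSSD or Yubico code; the listing is constructed and the
serial is a placeholder.
"""
import re
from urllib.parse import unquote, unquote_to_bytes

# Constructed sample in the shape of the thread's p11tool output: two untyped
# data objects, one typed certificate and one public key.
SAMPLE_LISTING = """\
Object 4:
    URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%201%00
    Type: Unknown
    Label: X.509 Certificate for Retired Key 1
    ID:
Object 24:
    URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=Card%20Capability%20Container%00
    Type: Unknown
    Label: Card Capability Container
    ID:
Object 27:
    URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;id=%00;object=X.509%20Certificate%20for%20PIV%20Authentication%00;type=cert
    Type: X.509 Certificate
    Label: X.509 Certificate for PIV Authentication
    ID: 00
Object 29:
    URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;id=%00;object=Public%20key%20for%20PIV%20Authentication%00;type=public
    Type: Public key (RSA-2048)
    Label: Public key for PIV Authentication
    ID: 00
"""

# RFC 7512 object types that are keys rather than certificates or data.
KEY_TYPES = {"public", "private", "secret-key"}


def parse_pkcs11_uri(uri):
    """Return the path attributes of a pkcs11: URI as a dict.

    Values are percent-decoded.  'id' is returned as hex (as p11tool prints
    it) and the trailing NUL some modules append to the label, the %00 seen
    in the listing, is stripped from 'object'.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a PKCS#11 URI: %r" % uri)
    path = uri[len("pkcs11:"):].split("?", 1)[0]  # drop any query part
    attrs = {}
    for component in filter(None, path.split(";")):
        name, _, value = component.partition("=")
        if name == "id":
            attrs[name] = unquote_to_bytes(value).hex()
        else:
            attrs[name] = unquote(value)
    if "object" in attrs:
        attrs["object"] = attrs["object"].rstrip("\x00")
    return attrs


def parse_listing(text):
    """Turn p11tool --list-all output into a list of {field: value} dicts."""
    objects = []
    current = None
    for line in text.splitlines():
        header = re.match(r"Object (\d+):", line)
        if header:
            current = {"index": int(header.group(1))}
            objects.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only: the URL value contains colons.
            field, _, value = line.strip().partition(":")
            current[field.lower()] = value.strip()
    return objects


def classify(obj):
    """'certificate', 'key' or 'data' according to the URI's type attribute."""
    kind = parse_pkcs11_uri(obj["url"]).get("type")
    if kind == "cert":
        return "certificate"
    if kind in KEY_TYPES:
        return "key"
    return "data"  # no type= at all: an untyped data object


def report(text):
    """Group object labels by class; 'certificate' is what p11_child can use."""
    grouped = {"certificate": [], "key": [], "data": []}
    for obj in parse_listing(text):
        grouped[classify(obj)].append(parse_pkcs11_uri(obj["url"])["object"])
    return grouped


def usable_certificates(text):
    """Labels of the objects smart-card login could actually select from."""
    return report(text)["certificate"]


if __name__ == "__main__":
    for kind, labels in report(SAMPLE_LISTING).items():
        print("%-12s %s" % (kind + ":", ", ".join(labels) or "(none)"))
```

Run against the full listing on this page, only the PIV Authentication and Key Management certificates land in the "certificate" group, which matches the two entries gdm offered; every retired-key slot lands in "data" and is therefore never a candidate for the digitalSignature/clientAuth matching SSSD applies by default.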