[SmartcardServices-Users] Cannot use my Yubikey Neo

Blumenthal, Uri - 0558 - MITLL uri at ll.mit.edu
Thu Feb 26 12:45:08 PST 2015


I can add that I seem to have a fully-configured Yubikey NEO card with
both OpenPGP and PIV applets loaded and provisioned - and Keychain refuses
to detect/recognize it.

Here’s some output from OpenSC tools (I’d be happy to provide more if
needed, of course):

$ piv-tool -vn
Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID 00 00
Connecting to card in reader Yubico Yubikey NEO OTP+U2F+CCID 00 00...
Using card driver PIV-II  for multiple cards.
Card name: PIV-II card
$ pkcs15-tool --list-certificates
Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID 00 00
X.509 Certificate [Certificate for Digital Signature]
	Object Flags   : [0x0]
	Authority      : no
	Path           :
	ID             : 02
	Encoded serial : 02 02 06C9
X.509 Certificate [Certificate for Key Management]
	Object Flags   : [0x0]
	Authority      : no
	Path           :
	ID             : 03
	Encoded serial : 02 02 06C8
$


Firefox was able to see the NEO, and the certs on it.

P.S. My setup works fine with CAC.
-- 
Regards,
Uri Blumenthal                               Voice: (781) 981-1638



On 2/26/15, 14:43 , "Henry B (Hank) Hotz, CISSP" <hotz at 2ndquadrant.com>
wrote:

>Hmmm. I was hoping someone else would take this one. My experiments
>didn’t go about it the “official way” like yours, and it was an older
>version of the applet to boot.
>
>Before I say “real” debugging is needed, can you try 1) reading it on a
>Debian Linux system, and 2) maybe loading the key/cert with the piv-tool
>from opensc?
>
>If you need to go farther, there are tools for dumping the USB messages,
>and it would probably be more productive if you went back to Yubico for
>support. The guy who wrote the PIV applet for them is Klas Lindfors, I
>believe. (I can give you his direct email and an introduction if needed.)
>Please keep me, or this list posted on how you get this resolved.
>
>On Feb 17, 2015, at 12:41 PM, Thomas Westfeld <westfeld at mac.com> wrote:
>
>>> On Feb 1, 2015, at 1:50 PM, Thomas Westfeld <westfeld at mac.com> wrote:
>>> 
>>>> Hello everyone,
>>>> 
>>>> I am proud owner of a new Yubikey NEO firmware 3.3.0, with CCID mode
>>>>enabled.
>>>> 
>>>> I am having problems getting it to work, e.g. showing the
>>>>certificates of the yubikey in my keychain. I have installed the
>>>>latest Smartcard services for Mac OS 10.9. on my MacBookAir with PIV
>>>>tokend installed. I am currently running 10.9.5. on it.
>>>> 
>>>> First of all, when I attach the yubikey, my console shows the
>>>>following:
>>>> 
>>>> 01.02.15 22:44:08,127 UserEventAgent[11]: assertion failed: 13F34:
>>>>com.apple.telemetry + 16493 [AE0C3032-1747-317E-9871-E26B5B6B0120]:
>>>>0xffffffffe00002ed
>>>> 01.02.15 22:44:08,803 com.apple.SecurityServer[15]: Token reader
>>>>Yubico Yubikey NEO OTP+CCID 00 00 inserted into system
>>>> 01.02.15 22:44:09,207 com.apple.SecurityServer[15]: token in reader
>>>>Yubico Yubikey NEO OTP+CCID 00 00 cannot be used (error 229)
>>>> 
>>>> That does not sound too well. I then restarted the pcscd with the
>>>>--debug and --apdu flags and reattached the yubikey. This is the lengthy
>>>>output shown at the end of the post.
>>>> 
>>>> Now my noob question: what can I do next? It does not seem to work or
>>>>am I missing something here?
>>> 
>>> Without spending some time with 800-73, I can’t interpret the detailed
>>>dump. 
>>> 
>>> Let me ask you this: Have you actually gone through the
>>>initialization/provisioning steps to create a PIV container on the
>>>Yubikey? I assume it still comes blank from the factory, so there would
>>>not be any “token” in the “reader” for the software to connect with
>>>until you create one. They have some free utilities for the purpose,
>>>and there should have been a cheat-sheet in the box telling you how to
>>>do it.
>>> 
>>> --
>>> Henry B. (Hank) Hotz, CISSP   http://www.2ndQuadrant.com/
>>> PostgreSQL Development, 24x7 Support, Training & Services
>>> 
>> 
>> On 09.02.2015 at 03:15, Henry B (Hank) Hotz, CISSP
>><hotz at 2ndquadrant.com> wrote:
>> 
>> First of all, thanks for your reply. It took me some time to have a
>>look in more detail. First I used the yubikey NEO manager to activate
>>the PIV applet on the NEO. I then took the following steps:
>> 
>> 1. generate private key and self-signed certificate using openssl:
>> # openssl req -x509 -nodes -newkey rsa:2048 -keyout key.pem -out
>>cert.pem -days 365
>> 
>> 2. convert key and cert into p12 file
>> # openssl pkcs12 -export -out cert.p12 -inkey key.pem -in cert.pem
>> 
>> 3. use homebrew to install yubikey-piv-tool and opensc
>> 
>> 4. use the yubikey-piv-tool to load the private key and the cert into
>>the NEO
>> # yubico-piv-tool -s 9c -i cert.p12 -K PKCS12 -p 123 -a set-chuid -a
>>import-key -a import-cert
>> Successfully set new CHUID.
>> Successfully imported a new private key.
>> Successfully imported a new certificate.
>> 
>> This at first sounds promising, however I get the very same error
>>messages and the yubikey PIV module does not appear in Keychain.
>> 
>> Am I missing anything ?
>> Thanks in advance.
>
>--
>Henry B. (Hank) Hotz, CISSP   http://www.2ndQuadrant.com/
>PostgreSQL Development, 24x7 Support, Training & Services
>
>_______________________________________________
>SmartcardServices-Users mailing list
>SmartcardServices-Users at lists.macosforge.org
>https://lists.macosforge.org/mailman/listinfo/smartcardservices-users
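As an added example (not code from the thread or from OpenSC), here is a small Python parser for the `pkcs15-tool --list-certificates` output quoted above. It decodes each certificate's "Encoded serial" (a DER INTEGER TLV) into a plain integer so the serial seen on the token can be compared with `openssl x509 -noout -serial` on the certificate that was imported, and it reports whether a given PIV certificate slot is populated at all. The sample listing is constructed from the output in the first message.

```python
"""Parse `pkcs15-tool --list-certificates` output and decode the DER serials."""
import re

# Constructed sample: the pkcs15-tool listing quoted earlier in this thread.
SAMPLE_OUTPUT = """\
Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID 00 00
X.509 Certificate [Certificate for Digital Signature]
\tObject Flags   : [0x0]
\tAuthority      : no
\tPath           :
\tID             : 02
\tEncoded serial : 02 02 06C9
X.509 Certificate [Certificate for Key Management]
\tObject Flags   : [0x0]
\tAuthority      : no
\tPath           :
\tID             : 03
\tEncoded serial : 02 02 06C8
"""

CERT_HEADER = re.compile(r"^X\.509 Certificate \[(?P<label>[^\]]+)\]$")
FIELD = re.compile(r"^\s+(?P<key>[A-Za-z ]+?)\s*:\s*(?P<val>.*)$")


def decode_der_integer(hex_bytes):
    """Decode a DER INTEGER TLV written as hex ('02 02 06C9') into an int.

    Only short-form lengths are accepted, which is all a serial needs."""
    data = bytes.fromhex(hex_bytes.replace(" ", ""))
    if len(data) < 3 or data[0] != 0x02:
        raise ValueError("not a DER INTEGER: %r" % hex_bytes)
    length = data[1]
    if length > 0x7F:
        raise ValueError("long-form length not expected for a serial")
    value = data[2:2 + length]
    if len(value) != length:
        raise ValueError("truncated INTEGER value")
    return int.from_bytes(value, "big", signed=True)


def parse_certificates(text):
    """Return one dict per 'X.509 Certificate' block, fields keyed by name."""
    certs = []
    for line in text.splitlines():
        m = CERT_HEADER.match(line)
        if m:
            certs.append({"label": m.group("label")})
            continue
        m = FIELD.match(line)
        if m and certs:
            key, val = m.group("key").strip(), m.group("val").strip()
            certs[-1][key] = val
            if key == "Encoded serial":
                certs[-1]["serial"] = decode_der_integer(val)
    return certs


def find_certificate(certs, label):
    """Return the certificate with this label, or None if that slot is empty."""
    return next((c for c in certs if c["label"] == label), None)
```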