[SmartcardServices-Users] Cannot use my Yubikey Neo
Blumenthal, Uri - 0558 - MITLL
uri at ll.mit.edu
Thu Feb 26 13:06:55 PST 2015
More details:
pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -L
Available slots:
Slot 0 (0xffffffffffffffff): Virtual hotplug slot
(empty)
Slot 1 (0x1): Yubico Yubikey NEO OTP+U2F+CCID 00 00
token label : PIV_II (PIV Card Holder pin)
token manufacturer : piv_II
token model : PKCS#15 emulated
token flags : rng, login required, PIN initialized, token initialized
hardware version : 0.0
firmware version : 0.0
serial num : xxxxxxxxxxxxxx
Slot 2 (0x5): SCM SCR 3310 01 00
token label : PIV_II (PIV Card Holder pin)
token manufacturer : piv_II
token model : PKCS#15 emulated
token flags : rng, login required, PIN initialized, token initialized
hardware version : 0.0
firmware version : 0.0
serial num : xxxxxxxxxxxxx
--
Regards,
Uri Blumenthal Voice: (781) 981-1638
On 2/26/15, 15:45 , "Blumenthal, Uri - 0558 - MITLL" <uri at ll.mit.edu>
wrote:
>I can add that I seem to have a fully-configured Yubikey NEO card with
>both OpenPGP and PIV applets loaded and provisioned - and Keychain refuses
>to detect/recognize it.
>
>Here’s some output from OpenSC tools (I’d be happy to provide more if
>needed, of course):
>
>$ piv-tool -vn
>Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID 00 00
>Connecting to card in reader Yubico Yubikey NEO OTP+U2F+CCID 00 00...
>Using card driver PIV-II for multiple cards.
>Card name: PIV-II card
>$ pkcs15-tool --list-certificates
>Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID 00 00
>X.509 Certificate [Certificate for Digital Signature]
> Object Flags : [0x0]
> Authority : no
> Path :
> ID : 02
> Encoded serial : 02 02 06C9
>X.509 Certificate [Certificate for Key Management]
> Object Flags : [0x0]
> Authority : no
> Path :
> ID : 03
> Encoded serial : 02 02 06C8
>$
>
>
>Firefox was able to see the NEO, and the certs on it.
>
>P.S. My setup works fine with CAC.
>--
>Regards,
>Uri Blumenthal Voice: (781) 981-1638
>
>
>
>On 2/26/15, 14:43 , "Henry B (Hank) Hotz, CISSP" <hotz at 2ndquadrant.com>
>wrote:
>
>>Hmmm. I was hoping someone else would take this one. My experiments
>>didn’t go about it the “official way” like yours, and it was an older
>>version of the applet to boot.
>>
>>Before I say “real” debugging is needed, can you try 1) reading it on a
>>Debian Linux system, and 2) maybe loading the key/cert with the piv-tool
>>from opensc?
>>
>>If you need to go farther, there are tools for dumping the USB messages,
>>and it would probably be more productive if you went back to Yubico for
>>support. The guy who wrote the PIV applet for them is Klas Lindfors, I
>>believe. (I can give you his direct email and an introduction if needed.)
>>Please keep me, or this list posted on how you get this resolved.
>>
>>On Feb 17, 2015, at 12:41 PM, Thomas Westfeld <westfeld at mac.com> wrote:
>>
>>>> On Feb 1, 2015, at 1:50 PM, Thomas Westfeld <westfeld at mac.com> wrote:
>>>>
>>>>> Hello everyone,
>>>>>
>>>>> I am the proud owner of a new Yubikey NEO, firmware 3.3.0, with CCID mode
>>>>>enabled.
>>>>>
>>>>> I am having problems getting it to work, e.g. showing the
>>>>>certificates of the yubikey in my keychain. I have installed the
>>>>>latest Smartcard services for Mac OS 10.9 on my MacBookAir with PIV
>>>>>tokend installed. I am currently running 10.9.5 on it.
>>>>>
>>>>> First of all, when I attach the yubikey, my console shows the
>>>>>following:
>>>>>
>>>>> 01.02.15 22:44:08,127 UserEventAgent[11]: assertion failed: 13F34:
>>>>>com.apple.telemetry + 16493 [AE0C3032-1747-317E-9871-E26B5B6B0120]:
>>>>>0xffffffffe00002ed
>>>>> 01.02.15 22:44:08,803 com.apple.SecurityServer[15]: Token reader
>>>>>Yubico Yubikey NEO OTP+CCID 00 00 inserted into system
>>>>> 01.02.15 22:44:09,207 com.apple.SecurityServer[15]: token in reader
>>>>>Yubico Yubikey NEO OTP+CCID 00 00 cannot be used (error 229)
>>>>>
>>>>> That does not sound too good. I then restarted the pcscd with the
>>>>>--debug and --apdu flags and reattached the yubikey. This is the lengthy
>>>>>output shown at the end of the post.
>>>>>
>>>>> Now my noob question: what can I do next? It does not seem to work or
>>>>>am I missing something here?
>>>>
>>>> Without spending some time with 800-73, I can’t interpret the detailed
>>>>dump.
>>>>
>>>> Let me ask you this: Have you actually gone through the
>>>>initialization/provisioning steps to create a PIV container on the
>>>>Yubikey? I assume it still comes blank from the factory, so there would
>>>>not be any “token” in the “reader” for the software to connect with
>>>>until you create one. They have some free utilities for the purpose,
>>>>and there should have been a cheat-sheet in the box telling you how to
>>>>do it.
>>>>
>>>> --
>>>> Henry B. (Hank) Hotz, CISSP http://www.2ndQuadrant.com/
>>>> PostgreSQL Development, 24x7 Support, Training & Services
>>>>
>>>
>>> On 09.02.2015 at 03:15, Henry B (Hank) Hotz, CISSP
>>><hotz at 2ndquadrant.com> wrote:
>>>
>>> First of all, thanks for your reply. It took me some time to have a
>>>look in more detail. First I used the yubikey NEO manager to activate
>>>the PIV applet on the NEO. I then took the following steps:
>>>
>>> 1. generate private key and self-signed certificate using openssl:
>>> # openssl req -x509 -nodes -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
>>>
>>> 2. convert key and cert into p12 file
>>> # openssl pkcs12 -export -out cert.p12 -inkey key.pem -in cert.pem
>>>
>>> 3. use homebrew to install yubico-piv-tool and opensc
>>>
>>> 4. use the yubico-piv-tool to load the private key and the cert into
>>>the NEO
>>> # yubico-piv-tool -s 9c -i cert.p12 -K PKCS12 -p 123 -a set-chuid -a import-key -a import-cert
>>> Successfully set new CHUID.
>>> Successfully imported a new private key.
>>> Successfully imported a new certificate.
>>>
>>> This at first sounds promising, however I get the very same error
>>>messages and the yubikey PIV module does not appear in Keychain.
>>>
>>> Am I missing anything ?
>>> Thanks in advance.
>>
>>--
>>Henry B. (Hank) Hotz, CISSP http://www.2ndQuadrant.com/
>>PostgreSQL Development, 24x7 Support, Training & Services
>>
>>_______________________________________________
>>SmartcardServices-Users mailing list
>>SmartcardServices-Users at lists.macosforge.org
>>https://lists.macosforge.org/mailman/listinfo/smartcardservices-users
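Added here as an example; it is not from the thread, nor Yubico's or OpenSC's own code. It is the provisioning sequence Thomas lists (self-signed key and cert, PKCS#12 bundle, import into PIV slot 9c, read-back through OpenSC) as a POSIX shell script, with one addition a practitioner would want: the bundle is checked before anything is written to the token. It assumes openssl is on PATH. The variable names WORKDIR and P12_PASS, the function names, the subject /CN=piv-test and the modulus comparison are this script's own; the yubico-piv-tool options are the ones from the thread's command. The steps that touch hardware run only when the tools are installed and RUN_PROVISION=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread): provision a self-signed cert into PIV
# slot 9c, checking the PKCS#12 bundle first. Assumes openssl on PATH.
# WORKDIR, P12_PASS, the function names and the test subject are this
# script's own choices; the yubico-piv-tool flags are the thread's.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-123}"     # the thread used '-p 123' as the PKCS#12 password

# Steps 1 and 2: RSA-2048 key plus self-signed cert (-nodes: leave the key
# unencrypted so the import needs no second password), then bundle both into
# one PKCS#12 file. Prints the path of the bundle.
make_p12() {
    subj="$1"    # e.g. "/CN=piv-test"
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 -subj "$subj" \
        -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORKDIR/key.pem" -in "$WORKDIR/cert.pem" \
        -out "$WORKDIR/cert.p12" -passout "pass:$P12_PASS"
    printf '%s\n' "$WORKDIR/cert.p12"
}

# Check the bundle before touching the token: it must open with P12_PASS, and
# the certificate's public key must belong to the private key (same modulus).
# Returns 0 on success, 1 otherwise.
verify_p12() {
    p12="$1"
    openssl pkcs12 -in "$p12" -passin "pass:$P12_PASS" -nodes \
        -out "$WORKDIR/check.pem" 2>/dev/null || return 1
    cert_mod=$(openssl x509 -in "$WORKDIR/check.pem" -noout -modulus 2>/dev/null)
    key_mod=$(openssl rsa -in "$WORKDIR/check.pem" -noout -modulus 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Step 4: write key and cert to slot 9c (Digital Signature) and set a CHUID,
# exactly as in the thread. Runs only if yubico-piv-tool is installed;
# returns 2 if it is not.
import_to_9c() {
    p12="$1"
    command -v yubico-piv-tool >/dev/null 2>&1 || return 2
    yubico-piv-tool -s 9c -i "$p12" -K PKCS12 -p "$P12_PASS" \
        -a set-chuid -a import-key -a import-cert
}

# Read back through OpenSC, as the thread does. If this lists the certificate
# but Keychain still logs "cannot be used (error 229)", the card itself has
# been provisioned and the open question is why the macOS PIV tokend rejects it.
list_with_opensc() {
    command -v pkcs15-tool >/dev/null 2>&1 || return 2
    pkcs15-tool --list-certificates
}

# Stand-alone run: RUN_PROVISION=1 ./piv-provision.sh touches the token;
# without it only the function definitions are loaded.
if [ "${RUN_PROVISION:-0}" = 1 ]; then
    p12=$(make_p12 "/CN=piv-test")
    verify_p12 "$p12"
    import_to_9c "$p12"
    list_with_opensc
fi
```

Running the offline part alone (make_p12 followed by verify_p12) is enough to catch a wrong bundle password or a key/cert mismatch before the import; the `-p` given to yubico-piv-tool is the bundle password, so it has to match the `-passout` used when the bundle was made.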