[SmartcardServices-Users] Cannot use my Yubikey Neo

Blumenthal, Uri - 0558 - MITLL uri at ll.mit.edu
Thu Feb 26 13:06:55 PST 2015


More details:

 pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -L
Available slots:
Slot 0 (0xffffffffffffffff): Virtual hotplug slot
  (empty)
Slot 1 (0x1): Yubico Yubikey NEO OTP+U2F+CCID 00 00
  token label        : PIV_II (PIV Card Holder pin)
  token manufacturer : piv_II
  token model        : PKCS#15 emulated
  token flags        : rng, login required, PIN initialized, token initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : xxxxxxxxxxxxxx
Slot 2 (0x5): SCM SCR 3310 01 00
  token label        : PIV_II (PIV Card Holder pin)
  token manufacturer : piv_II
  token model        : PKCS#15 emulated
  token flags        : rng, login required, PIN initialized, token initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : xxxxxxxxxxxxx


-- 
Regards,
Uri Blumenthal                               Voice: (781) 981-1638



On 2/26/15, 15:45 , "Blumenthal, Uri - 0558 - MITLL" <uri at ll.mit.edu>
wrote:

>I can add that I seem to have a fully-configured Yubikey NEO card with
>both OpenPGP and PIV applets loaded and provisioned - and Keychain refuses
>to detect/recognize it.
>
>Here’s some output from OpenSC tools (I’d be happy to provide more if
>needed, of course):
>
>$ piv-tool -vn
>Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID 00 00
>Connecting to card in reader Yubico Yubikey NEO OTP+U2F+CCID 00 00...
>Using card driver PIV-II  for multiple cards.
>Card name: PIV-II card
>$ pkcs15-tool --list-certificates
>Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID 00 00
>X.509 Certificate [Certificate for Digital Signature]
>	Object Flags   : [0x0]
>	Authority      : no
>	Path           :
>	ID             : 02
>	Encoded serial : 02 02 06C9
>X.509 Certificate [Certificate for Key Management]
>	Object Flags   : [0x0]
>	Authority      : no
>	Path           :
>	ID             : 03
>	Encoded serial : 02 02 06C8
>$
>
>
>Firefox was able to see the NEO, and the certs on it.
>
>P.S. My setup works fine with CAC.
>-- 
>Regards,
>Uri Blumenthal                               Voice: (781) 981-1638
>
>
>
>On 2/26/15, 14:43 , "Henry B (Hank) Hotz, CISSP" <hotz at 2ndquadrant.com>
>wrote:
>
>>Hmmm. I was hoping someone else would take this one. My experiments
>>didn’t go about it the “official way” like yours, and it was an older
>>version of the applet to boot.
>>
>>Before I say “real” debugging is needed, can you try 1) reading it on a
>>Debian Linux system, and 2) maybe loading the key/cert with the piv-tool
>>from opensc?
>>
>>If you need to go farther, there are tools for dumping the USB messages,
>>and it would probably be more productive if you went back to Yubico for
>>support. The guy who wrote the PIV applet for them is Klas Lindfors, I
>>believe. (I can give you his direct email and an introduction if needed.)
>>Please keep me, or this list posted on how you get this resolved.
>>
>>On Feb 17, 2015, at 12:41 PM, Thomas Westfeld <westfeld at mac.com> wrote:
>>
>>>> On Feb 1, 2015, at 1:50 PM, Thomas Westfeld <westfeld at mac.com> wrote:
>>>> 
>>>>> Hello everyone,
>>>>> 
>>>>> I am the proud owner of a new Yubikey NEO, firmware 3.3.0, with CCID mode
>>>>>enabled.
>>>>> 
>>>>> I am having problems getting it to work, e.g. showing the
>>>>>certificates of the yubikey in my keychain. I have installed the
>>>>>latest Smartcard Services for Mac OS 10.9 on my MacBook Air with the PIV
>>>>>tokend installed. I am currently running 10.9.5 on it.
>>>>> 
>>>>> First of all, when I attach the yubikey, my console shows the
>>>>>following:
>>>>> 
>>>>> 01.02.15 22:44:08,127 UserEventAgent[11]: assertion failed: 13F34: com.apple.telemetry + 16493 [AE0C3032-1747-317E-9871-E26B5B6B0120]: 0xffffffffe00002ed
>>>>> 01.02.15 22:44:08,803 com.apple.SecurityServer[15]: Token reader Yubico Yubikey NEO OTP+CCID 00 00 inserted into system
>>>>> 01.02.15 22:44:09,207 com.apple.SecurityServer[15]: token in reader Yubico Yubikey NEO OTP+CCID 00 00 cannot be used (error 229)
>>>>> 
>>>>> That does not sound too good. I then restarted pcscd with the
>>>>>--debug and --apdu flags and reattached the yubikey. This is the lengthy
>>>>>output shown at the end of the post.
>>>>> 
>>>>> Now my noob question: what can I do next? It does not seem to work or
>>>>>am I missing something here?
>>>> 
>>>> Without spending some time with 800-73, I can’t interpret the detailed
>>>>dump. 
>>>> 
>>>> Let me ask you this: Have you actually gone through the
>>>>initialization/provisioning steps to create a PIV container on the
>>>>Yubikey? I assume it still comes blank from the factory, so there would
>>>>not be any “token” in the “reader” for the software to connect with
>>>>until you create one. They have some free utilities for the purpose,
>>>>and there should have been a cheat-sheet in the box telling you how to
>>>>do it.
>>>> 
>>>> --
>>>> Henry B. (Hank) Hotz, CISSP   http://www.2ndQuadrant.com/
>>>> PostgreSQL Development, 24x7 Support, Training & Services
>>>> 
>>> 
>>> On 09.02.2015 at 03:15, Henry B (Hank) Hotz, CISSP
>>><hotz at 2ndquadrant.com> wrote:
>>> 
>>> First of all, thanks for your reply. It took me some time to have a
>>>look in more detail. First I used the YubiKey NEO Manager to activate
>>>the PIV applet on the NEO. I then took the following steps:
>>> 
>>> 1. generate a private key and self-signed certificate using openssl:
>>> # openssl req -x509 -nodes -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
>>> 
>>> 2. convert the key and cert into a p12 file
>>> # openssl pkcs12 -export -out cert.p12 -inkey key.pem -in cert.pem
>>> 
>>> 3. use homebrew to install yubico-piv-tool and opensc
>>> 
>>> 4. use yubico-piv-tool to load the private key and the cert into
>>>the NEO
>>> # yubico-piv-tool -s 9c -i cert.p12 -K PKCS12 -p 123 -a set-chuid -a import-key -a import-cert
>>> Successfully set new CHUID.
>>> Successfully imported a new private key.
>>> Successfully imported a new certificate.
>>> 
>>> This at first sounds promising, however I get the very same error
>>>messages and the yubikey PIV module does not appear in Keychain.
>>> 
>>> Am I missing anything ?
>>> Thanks in advance.
>>
>>--
>>Henry B. (Hank) Hotz, CISSP   http://www.2ndQuadrant.com/
>>PostgreSQL Development, 24x7 Support, Training & Services
>>
>>_______________________________________________
>>SmartcardServices-Users mailing list
>>SmartcardServices-Users at lists.macosforge.org
>>https://lists.macosforge.org/mailman/listinfo/smartcardservices-users