[SmartcardServices-Users] Cannot use my Yubikey Neo

Blumenthal, Uri - 0558 - MITLL uri at ll.mit.edu
Mon Mar 2 14:31:16 PST 2015


> I assume this is all on some MacOS.

I don’t know, probably not.

> Which version are you using?

I’m using Mavericks 10.9.5. Can’t move to Yosemite yet due to certain
incompatibilities and code signing issues it sports.

> IIUC support for Yubikey was officially added in Yosemite.  I didn’t mention
> it because I thought Thomas was using Yosemite, but I see it’s Mavericks. Oops.

:-)

As I said, tools such as “piv-tool” do find the card and can talk to it. But
Keychain doesn’t/cannot, nor can Apple Mail…

> Prior to that you need to manually add the Yubikey to the whitelist for the
> smart card stuff to work. It appears the relevant plist hasn’t changed in a
> long time. Here’s the patch file I got for, I think, Snow Leopard.

It looks like my copy of that Info.plist whitelists all the Yubikey
configurations:

…..
<key>ifdVendorID</key>
<array>
<string>0x1050</string>
<string>0x1050</string>
<string>0x1050</string>
<string>0x1050</string>
<string>0x08E6</string>
……
<key>ifdProductID</key>
<array>
<string>0x0116</string>
<string>0x0115</string>
<string>0x0112</string>
<string>0x0111</string>
<string>0x2202</string>
……
<key>ifdFriendlyName</key>
<array>
<string>Yubico Yubikey NEO OTP+U2F+CCID</string>
<string>Yubico Yubikey NEO U2F+CCID</string>
<string>Yubico Yubikey NEO CCID</string>
<string>Yubico Yubikey NEO OTP+CCID</string>
<string>Gemplus Gem e-Seal Pro</string>
……



> On Feb 26, 2015, at 12:45 PM, Blumenthal, Uri - 0558 - MITLL <uri at ll.mit.edu>
> wrote:
> 
>> > I can add that I seem to have a fully-configured Yubikey NEO card with
>> > both OpenPGP and PIV applets loaded and provisioned - and Keychain refuses
>> > to detect/recognize it.
>> > 
>> > Here’s some output from OpenSC tools (I’d be happy to provide more if
>> > needed, of course):
>> > 
>> > $ piv-tool -vn
>> > Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID 00 00
>> > Connecting to card in reader Yubico Yubikey NEO OTP+U2F+CCID 00 00...
>> > Using card driver PIV-II  for multiple cards.
>> > Card name: PIV-II card
>> > $ pkcs15-tool --list-certificates
>> > Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID 00 00
>> > X.509 Certificate [Certificate for Digital Signature]
>> >        Object Flags   : [0x0]
>> >        Authority      : no
>> >        Path           :
>> >        ID             : 02
>> >        Encoded serial : 02 02 06C9
>> > X.509 Certificate [Certificate for Key Management]
>> >        Object Flags   : [0x0]
>> >        Authority      : no
>> >        Path           :
>> >        ID             : 03
>> >        Encoded serial : 02 02 06C8
>> > $
>> > 
>> > 
>> > Firefox was able to see the NEO, and the certs on it.
>> > 
>> > P.S. My setup works fine with CAC.
>> > -- 
>> > Regards,
>> > Uri Blumenthal                               Voice: (781) 981-1638
>> > 
>> > 
>> > 
>> > On 2/26/15, 14:43 , "Henry B (Hank) Hotz, CISSP" <hotz at 2ndquadrant.com>
>> > wrote:
>> > 
>>> >> Hmmm. I was hoping someone else would take this one. My experiments
>>> >> didn’t go about it the “official way” like yours, and it was an older
>>> >> version of the applet to boot.
>>> >> 
>>> >> Before I say “real” debugging is needed, can you try 1) reading it on a
>>> >> Debian Linux system, and 2) maybe loading the key/cert with the piv-tool
>>> >> from opensc?
>>> >> 
>>> >> If you need to go farther, there are tools for dumping the USB messages,
>>> >> and it would probably be more productive if you went back to Yubico for
>>> >> support. The guy who wrote the PIV applet for them is Klas Lindfors, I
>>> >> believe. (I can give you his direct email and an introduction if needed.)
>>> >> Please keep me, or this list posted on how you get this resolved.
>>> >> 
>>> >> On Feb 17, 2015, at 12:41 PM, Thomas Westfeld <westfeld at mac.com> wrote:
>>> >> 
>>>>> >>>> On Feb 1, 2015, at 1:50 PM, Thomas Westfeld <westfeld at mac.com> wrote:
>>>>> >>>> 
>>>>>> >>>>> Hello everyone,
>>>>>> >>>>> 
>>>>>> >>>>> I am the proud owner of a new Yubikey NEO, firmware 3.3.0, with CCID mode
>>>>>> >>>>> enabled.
>>>>>> >>>>> 
>>>>>> >>>>> I am having problems getting it to work, e.g. showing the
>>>>>> >>>>> certificates of the yubikey in my keychain. I have installed the
>>>>>> >>>>> latest Smartcard services for Mac OS 10.9 on my MacBookAir with PIV
>>>>>> >>>>> tokend installed. I am currently running 10.9.5 on it.
>>>>>> >>>>> 
>>>>>> >>>>> First of all, when I attach the yubikey, my console shows the
>>>>>> >>>>> following:
>>>>>> >>>>> 
>>>>>> >>>>> 01.02.15 22:44:08,127 UserEventAgent[11]: assertion failed: 13F34:
>>>>>> >>>>> com.apple.telemetry + 16493 [AE0C3032-1747-317E-9871-E26B5B6B0120]:
>>>>>> >>>>> 0xffffffffe00002ed
>>>>>> >>>>> 01.02.15 22:44:08,803 com.apple.SecurityServer[15]: Token reader
>>>>>> >>>>> Yubico Yubikey NEO OTP+CCID 00 00 inserted into system
>>>>>> >>>>> 01.02.15 22:44:09,207 com.apple.SecurityServer[15]: token in reader
>>>>>> >>>>> Yubico Yubikey NEO OTP+CCID 00 00 cannot be used (error 229)
>>>>>> >>>>> 
>>>>>> >>>>> That does not sound too good. I then restarted pcscd with the
>>>>>> >>>>> --debug and --apdu flags and reattached the yubikey. This is the lengthy
>>>>>> >>>>> output shown at the end of the post.
>>>>>> >>>>> 
>>>>>> >>>>> Now my noob question: what can I do next? It does not seem to work, or
>>>>>> >>>>> am I missing something here?
>>>>> >>>> 
>>>>> >>>> Without spending some time with 800-73, I can’t interpret the detailed
>>>>> >>>> dump. 
>>>>> >>>> 
>>>>> >>>> Let me ask you this: Have you actually gone through the
>>>>> >>>> initialization/provisioning steps to create a PIV container on the
>>>>> >>>> Yubikey? I assume it still comes blank from the factory, so there would
>>>>> >>>> not be any “token" in the “reader" for the software to connect with
>>>>> >>>> until you create one. They have some free utilities for the purpose,
>>>>> >>>> and there should have been a cheat-sheet in the box telling you how to
>>>>> >>>> do it.
>>>>> >>>> 
>>>>> >>>> --
>>>>> >>>> Henry B. (Hank) Hotz, CISSP   http://www.2ndQuadrant.com/
>>>>> >>>> PostgreSQL Development, 24x7 Support, Training & Services
>>>>> >>>> 
>>>> >>> 
>>>> >>> On 09.02.2015 at 03:15, Henry B (Hank) Hotz, CISSP
>>>> >>> <hotz at 2ndquadrant.com> wrote:
>>>> >>> 
>>>> >>> First of all, thanks for your reply. It took me some time to have a
>>>> >>> look in more detail. First I used the yubikey NEO manager to activate
>>>> >>> the PIV applet on the NEO. I then took the following steps:
>>>> >>> 
>>>> >>> 1. generate private key and self-signed certificate using openssl:
>>>> >>> # openssl req -x509 -nodes -newkey rsa:2048 -keyout key.pem -out
>>>> >>> cert.pem -days 365
>>>> >>> 
>>>> >>> 2. convert key and cert into p12 file
>>>> >>> # openssl pkcs12 -export -out cert.p12 -inkey key.pem -in cert.pem
>>>> >>> 
>>>> >>> 3. use homebrew to install yubico-piv-tool and opensc
>>>> >>> 
>>>> >>> 4. use the yubikey-piv-tool to load the private key and the cert into
>>>> >>> the NEO
>>>> >>> # yubico-piv-tool -s 9c -i cert.p12 -K PKCS12 -p 123 -a set-chuid -a
>>>> >>> import-key -a import-cert
>>>> >>> Successfully set new CHUID.
>>>> >>> Successfully imported a new private key.
>>>> >>> Successfully imported a new certificate.
>>>> >>> 
>>>> >>> This at first sounds promising, however I get the very same error
>>>> >>> messages and the yubikey PIV module does not appear in Keychain.
>>>> >>> 
>>>> >>> Am I missing anything ?
>>>> >>> Thanks in advance.
>>> >> 
>>> >> --
>>> >> Henry B. (Hank) Hotz, CISSP   http://www.2ndQuadrant.com/
>>> >> PostgreSQL Development, 24x7 Support, Training & Services
>>> >> 
>>> >> _______________________________________________
>>> >> SmartcardServices-Users mailing list
>>> >> SmartcardServices-Users at lists.macosforge.org
>>> >> https://lists.macosforge.org/mailman/listinfo/smartcardservices-users
> 
> --
> Henry B. (Hank) Hotz, CISSP   http://www.2ndQuadrant.com/
> PostgreSQL Development, 24x7 Support, Training & Services
> 

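The diagnostic Uri performs above, reading the CCID driver's Info.plist by eye to see whether the NEO's USB vendor/product IDs are whitelisted, can be automated. The driver pairs the ifdVendorID, ifdProductID and ifdFriendlyName arrays by index, so a check should also verify that the three arrays are the same length, otherwise every entry after a gap is mis-paired. The following is an added example written for this page, not code from the thread, from Apple's SmartcardServices or from Yubico. The embedded plist is a constructed fragment that mirrors the five entries quoted above; the default file path in `main()` is an assumption about where the ifd-ccid bundle lives on Mac OS X 10.9 and should be verified on the machine in question.

```python
"""Check whether a USB smart-card reader (VID:PID) is whitelisted in a
CCID driver Info.plist.

The ifd-ccid driver stores its reader whitelist as three parallel arrays
(ifdVendorID, ifdProductID, ifdFriendlyName). Entry i of each array
describes one reader, so the arrays must have equal length.
"""
import plistlib
import sys
from typing import List, Optional, Tuple

# Constructed sample plist mirroring the entries quoted in the thread
# (four YubiKey NEO USB modes plus a Gemalto reader). It is not the full
# Apple or Yubico file, just enough to exercise the lookup.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>ifdVendorID</key>
  <array>
    <string>0x1050</string>
    <string>0x1050</string>
    <string>0x1050</string>
    <string>0x1050</string>
    <string>0x08E6</string>
  </array>
  <key>ifdProductID</key>
  <array>
    <string>0x0116</string>
    <string>0x0115</string>
    <string>0x0112</string>
    <string>0x0111</string>
    <string>0x2202</string>
  </array>
  <key>ifdFriendlyName</key>
  <array>
    <string>Yubico Yubikey NEO OTP+U2F+CCID</string>
    <string>Yubico Yubikey NEO U2F+CCID</string>
    <string>Yubico Yubikey NEO CCID</string>
    <string>Yubico Yubikey NEO OTP+CCID</string>
    <string>Gemplus Gem e-Seal Pro</string>
  </array>
</dict>
</plist>
"""

# Assumed location of the CCID driver bundle on Mac OS X 10.9; verify locally.
DEFAULT_PLIST_PATH = (
    "/usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/Info.plist"
)

Entry = Tuple[int, int, str]


def load_whitelist(data: bytes) -> List[Entry]:
    """Parse a CCID Info.plist and return [(vid, pid, friendly_name), ...].

    Raises ValueError if the parallel arrays disagree in length, because the
    driver pairs them by index and a mismatch silently shifts later entries.
    """
    plist = plistlib.loads(data)
    vids = plist.get("ifdVendorID", [])
    pids = plist.get("ifdProductID", [])
    names = plist.get("ifdFriendlyName", [])
    if not (len(vids) == len(pids) == len(names)):
        raise ValueError(
            "parallel array length mismatch: ifdVendorID=%d ifdProductID=%d "
            "ifdFriendlyName=%d" % (len(vids), len(pids), len(names))
        )
    # IDs are hex strings such as "0x1050"; int(x, 16) accepts the 0x prefix.
    return [(int(v, 16), int(p, 16), n) for v, p, n in zip(vids, pids, names)]


def lookup(whitelist: List[Entry], vid: int, pid: int) -> Optional[str]:
    """Return the friendly name for vid:pid, or None if it is not listed."""
    for v, p, name in whitelist:
        if v == vid and p == pid:
            return name
    return None


def is_whitelisted(data: bytes, vid: int, pid: int) -> Optional[str]:
    """Convenience wrapper: parse the plist bytes and look up one reader."""
    return lookup(load_whitelist(data), vid, pid)


def main(argv: List[str]) -> int:
    # Usage: check_ccid_whitelist.py [Info.plist] VID PID   (hex, e.g. 0x1050 0x0111)
    if len(argv) == 3:
        path, vid, pid = DEFAULT_PLIST_PATH, argv[1], argv[2]
    elif len(argv) == 4:
        path, vid, pid = argv[1], argv[2], argv[3]
    else:
        print("usage: %s [Info.plist] VID PID" % argv[0])
        return 2
    with open(path, "rb") as fh:
        name = is_whitelisted(fh.read(), int(vid, 16), int(pid, 16))
    print("whitelisted as: %s" % name if name else "NOT whitelisted")
    return 0 if name else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the live bundle with the VID:PID reported by System Information (or `system_profiler SPUSBDataType`); the NEO's product ID changes with the mode selected in the NEO Manager, so a key whitelisted in one mode can be missing in another, which is exactly why all four NEO entries appear in Uri's copy of the file.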
