[SmartcardServices-Users] Cannot use my Yubikey Neo
Ridley DiSiena
rdisiena at gmail.com
Mon Mar 2 18:07:01 PST 2015
I also can confirm that using the OS X Forge PIV tokend it does show the
NEO PIV applet as a keychain. I tried in CCID mode and CCID with other
modes enabled; it doesn't make a difference.
There is an open source OpenSC tokend project -
https://github.com/OpenSC/OpenSC.tokend
I have a NEO-n and when in CCID mode the OpenSC tokend will show it as the
PIV_II keychain. The NEO PIV applet doesn't even need to contain
certificates, it will show the keychain for the container, just empty. So
there is nothing you need to do to the NEO out of the box besides enable
CCID mode to make it show up as a keychain using the OpenSC tokend.
I know that doesn’t help resolve the issue with leveraging the PIV.tokend
with the NEO PIV applet, but might help narrow down the problem space.
Ridley DiSiena
On Mon, Mar 2, 2015 at 5:31 PM, Blumenthal, Uri - 0558 - MITLL <
uri at ll.mit.edu> wrote:
> I assume this is all on some MacOS.
>
>
> I don’t know, probably not.
>
> Which version are you using?
>
>
> I’m using Mavericks 10.9.5. Can’t move to Yosemite yet due to certain
> incompatibilities and code signing issues it sports.
>
> IIUC support for Yubikey was officially added in Yosemite. I didn’t
> mention it because I thought Thomas was using Yosemite, but I see it’s
> Mavericks. Oops.
>
>
> :-)
>
> As I said, tools such as “piv-tool” do find the card and can talk to it.
> But Keychain doesn’t/cannot, nor can Apple Mail…
>
> Prior to that you need to manually add the Yubikey to the whitelist for
> the smart card stuff to work. It appears the relevant plist hasn’t changed
> in a long time. Here’s the patch file I got for, I think, Snow Leopard.
>
>
> It looks like my copy of that Info.plist whitelists all the Yubikey
> configurations:
>
> …..
> <key>ifdVendorID</key>
> <array>
> <string>0x1050</string>
> <string>0x1050</string>
> <string>0x1050</string>
> <string>0x1050</string>
> <string>0x08E6</string>
> ……
> <key>ifdProductID</key>
> <array>
> <string>0x0116</string>
> <string>0x0115</string>
> <string>0x0112</string>
> <string>0x0111</string>
> <string>0x2202</string>
> ……
> <key>ifdFriendlyName</key>
> <array>
> <string>Yubico Yubikey NEO OTP+U2F+CCID</string>
> <string>Yubico Yubikey NEO U2F+CCID</string>
> <string>Yubico Yubikey NEO CCID</string>
> <string>Yubico Yubikey NEO OTP+CCID</string>
> <string>Gemplus Gem e-Seal Pro</string>
> ……
>
>
>
> On Feb 26, 2015, at 12:45 PM, Blumenthal, Uri - 0558 - MITLL <
> uri at ll.mit.edu> wrote:
>
> > I can add that I seem to have a fully-configured Yubikey NEO card with
> > both OpenPGP and PIV applets loaded and provisioned - and Keychain
> > refuses to detect/recognize it.
> >
> > Here’s some output from OpenSC tools (I’d be happy to provide more if
> > needed, of course):
> >
> > $ piv-tool -vn
> > Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID 00 00
> > Connecting to card in reader Yubico Yubikey NEO OTP+U2F+CCID 00 00...
> > Using card driver PIV-II for multiple cards.
> > Card name: PIV-II card
> > $ pkcs15-tool --list-certificates
> > Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID 00 00
> > X.509 Certificate [Certificate for Digital Signature]
> > Object Flags : [0x0]
> > Authority : no
> > Path :
> > ID : 02
> > Encoded serial : 02 02 06C9
> > X.509 Certificate [Certificate for Key Management]
> > Object Flags : [0x0]
> > Authority : no
> > Path :
> > ID : 03
> > Encoded serial : 02 02 06C8
> > $
> >
> >
> > Firefox was able to see the NEO, and the certs on it.
> >
> > P.S. My setup works fine with CAC.
> > --
> > Regards,
> > Uri Blumenthal Voice: (781) 981-1638
> >
> >
> >
> > On 2/26/15, 14:43 , "Henry B (Hank) Hotz, CISSP" <hotz at 2ndquadrant.com>
> > wrote:
> >
> >> Hmmm. I was hoping someone else would take this one. My experiments
> >> didn’t go about it the “official way” like yours, and it was an older
> >> version of the applet to boot.
> >>
> >> Before I say “real” debugging is needed, can you try 1) reading it on a
> >> Debian Linux system, and 2) maybe loading the key/cert with the piv-tool
> >> from opensc?
> >>
> >> If you need to go farther, there are tools for dumping the USB messages,
> >> and it would probably be more productive if you went back to Yubico for
> >> support. The guy who wrote the PIV applet for them is Klas Lindfors, I
> >> believe. (I can give you his direct email and an introduction if
> >> needed.)
> >> Please keep me, or this list posted on how you get this resolved.
> >>
> >> On Feb 17, 2015, at 12:41 PM, Thomas Westfeld <westfeld at mac.com> wrote:
> >>
> >>>> On Feb 1, 2015, at 1:50 PM, Thomas Westfeld <westfeld at mac.com> wrote:
> >>>>
> >>>>> Hello everyone,
> >>>>>
> >>>>> I am the proud owner of a new Yubikey NEO, firmware 3.3.0, with CCID mode
> >>>>> enabled.
> >>>>>
> >>>>> I am having problems getting it to work, e.g. showing the
> >>>>> certificates of the yubikey in my keychain. I have installed the
> >>>>> latest Smartcard services for Mac OS 10.9. on my MacBookAir with PIV
> >>>>> tokend installed. I am currently running 10.9.5. on it.
> >>>>>
> >>>>> First of all, when I attach the yubikey, my console shows the
> >>>>> following:
> >>>>>
> >>>>> 01.02.15 22:44:08,127 UserEventAgent[11]: assertion failed: 13F34:
> >>>>> com.apple.telemetry + 16493 [AE0C3032-1747-317E-9871-E26B5B6B0120]:
> >>>>> 0xffffffffe00002ed
> >>>>> 01.02.15 22:44:08,803 com.apple.SecurityServer[15]: Token reader
> >>>>> Yubico Yubikey NEO OTP+CCID 00 00 inserted into system
> >>>>> 01.02.15 22:44:09,207 com.apple.SecurityServer[15]: token in reader
> >>>>> Yubico Yubikey NEO OTP+CCID 00 00 cannot be used (error 229)
> >>>>>
> >>>>> That does not sound too good. I then restarted the pcscd with the
> >>>>> --debug and --apdu flags and reattached the yubikey. This is the lengthy
> >>>>> output shown at the end of the post.
> >>>>>
> >>>>> Now my noob question: what can I do next? It does not seem to work or
> >>>>> am I missing something here?
> >>>>
> >>>> Without spending some time with 800-73, I can’t interpret the detailed
> >>>> dump.
> >>>>
> >>>> Let me ask you this: Have you actually gone through the
> >>>> initialization/provisioning steps to create a PIV container on the
> >>>> Yubikey? I assume it still comes blank from the factory, so there would
> >>>> not be any “token" in the “reader" for the software to connect with
> >>>> until you create one. They have some free utilities for the purpose,
> >>>> and there should have been a cheat-sheet in the box telling you how to
> >>>> do it.
> >>>>
> >>>> --
> >>>> Henry B. (Hank) Hotz, CISSP http://www.2ndQuadrant.com/
> >>>> PostgreSQL Development, 24x7 Support, Training & Services
> >>>>
> >>>
> >>> On 09.02.2015 at 03:15 Henry B (Hank) Hotz, CISSP
> >>> <hotz at 2ndquadrant.com> wrote:
> >>>
> >>> First of all, thanks for your reply. It took me some time to have a
> >>> look in more detail. First I used the yubikey NEO manager to activate
> >>> the PIV applet on the NEO. I then took the following steps:
> >>>
> >>> 1. generate private key and self-signed certificate using openssl:
> >>> # openssl req -x509 -nodes -newkey rsa:2048 -keyout key.pem -out
> >>> cert.pem -days 365
> >>>
> >>> 2. convert key and cert into p12 file
> >>> # openssl pkcs12 -export -out cert.p12 -inkey key.pem -in cert.pem
> >>>
> >>> 3. use homebrew to install yubico-piv-tool and opensc
> >>>
> >>> 4. use the yubikey-piv-tool to load the private key and the cert into
> >>> the NEO
> >>> # yubico-piv-tool -s 9c -i cert.p12 -K PKCS12 -p 123 -a set-chuid -a
> >>> import-key -a import-cert
> >>> Successfully set new CHUID.
> >>> Successfully imported a new private key.
> >>> Successfully imported a new certificate.
> >>>
> >>> This at first sounds promising, however I get the very same error
> >>> messages and the yubikey PIV module does not appear in Keychain.
> >>>
> >>> Am I missing anything ?
> >>> Thanks in advance.
> >>
> >> --
> >> Henry B. (Hank) Hotz, CISSP http://www.2ndQuadrant.com/
> >> PostgreSQL Development, 24x7 Support, Training & Services
> >>
> >> _______________________________________________
> >> SmartcardServices-Users mailing list
> >> SmartcardServices-Users at lists.macosforge.org
> >> https://lists.macosforge.org/mailman/listinfo/smartcardservices-users
>
> --
> Henry B. (Hank) Hotz, CISSP http://www.2ndQuadrant.com/
> PostgreSQL Development, 24x7 Support, Training & Services
>
>
>
>
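The Info.plist reader whitelist quoted in Uri's reply pairs three parallel arrays (ifdVendorID, ifdProductID, ifdFriendlyName) by index, so a reader is only usable if its VID/PID appears at the same position in all three. As an added example (not code from the thread, SmartcardServices or OpenSC), the Python below loads such a plist, checks whether a given USB VID/PID is whitelisted, flags arrays that have drifted out of alignment, and appends a missing reader to all three arrays; the sample plist is constructed from the IDs quoted in the thread.

```python
"""Check and extend a SmartcardServices ifd-ccid style reader whitelist.

Added example, not from the thread or any project. The sample plist below is
constructed from the VID/PID/name triples quoted in the mailing-list reply.
"""
import plistlib

# Constructed sample mirroring the quoted fragment (deliberately omits the
# "NEO OTP+CCID" 0x1050/0x0111 entry so add_reader has something to add).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>ifdVendorID</key><array>
    <string>0x1050</string><string>0x1050</string><string>0x08E6</string></array>
  <key>ifdProductID</key><array>
    <string>0x0116</string><string>0x0115</string><string>0x2202</string></array>
  <key>ifdFriendlyName</key><array>
    <string>Yubico Yubikey NEO OTP+U2F+CCID</string>
    <string>Yubico Yubikey NEO U2F+CCID</string>
    <string>Gemplus Gem e-Seal Pro</string></array>
</dict></plist>"""


def load_readers(plist_bytes):
    """Return [(vid, pid, name), ...]; raise if the three arrays are out of sync."""
    d = plistlib.loads(plist_bytes)
    vids, pids, names = d["ifdVendorID"], d["ifdProductID"], d["ifdFriendlyName"]
    if not len(vids) == len(pids) == len(names):
        # A missing element shifts every reader after it onto the wrong VID/PID.
        raise ValueError("ifdVendorID/ifdProductID/ifdFriendlyName lengths differ")
    return [(int(v, 16), int(p, 16), n) for v, p, n in zip(vids, pids, names)]


def is_whitelisted(plist_bytes, vid, pid):
    """True if the exact VID/PID pair is present at one aligned index."""
    return any(v == vid and p == pid for v, p, _ in load_readers(plist_bytes))


def add_reader(plist_bytes, vid, pid, name):
    """Return plist bytes with the reader appended to all three arrays (idempotent)."""
    if is_whitelisted(plist_bytes, vid, pid):
        return plist_bytes
    d = plistlib.loads(plist_bytes)
    d["ifdVendorID"].append("0x%04X" % vid)
    d["ifdProductID"].append("0x%04X" % pid)
    d["ifdFriendlyName"].append(name)
    return plistlib.dumps(d)


if __name__ == "__main__":
    for vid, pid in [(0x1050, 0x0116), (0x1050, 0x0111)]:
        print("%04X:%04X whitelisted: %s" % (vid, pid, is_whitelisted(SAMPLE_PLIST, vid, pid)))
```

Run it against the real Info.plist by reading that file's bytes instead of SAMPLE_PLIST; the NEO mode IDs to look for are the ones quoted in the thread.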