-
Notifications
You must be signed in to change notification settings - Fork 705
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
YubiKey PIN policy is not supported #1769
Comments
This sounds like some new Yubico extension. The PIV specifications from NIST NIST.SP.800-73-4 defines fixed pin policies. A quick look at 1 and 2 does not show how to read the policy for a specific key. |
By default key |
9E should not require PIN, but it still asks somehow to login into the card. The patch (for 0.19.0) is:
As for |
The info.flags are for the token. The PIV specs (sp800-74-4 Part1 Table 3) also say the The PIV card is the only card I know of that has a key that does not require a login. I would be reluctant to make any changes for this special situation. How do you plan on using pkcs11-tool with the A simple change to pkcs11-tool would be to change your modified patch by adding a parameter that does not execute the two lines you wanted to delete. Something like Or add another value to opt_login_type to say "don't need login" to skip the call to
|
Actually the
I see the Yubico policies are in conflict with the per-token flag. Stripping the flag when only slots having the "no PIN required" policy are in use would make this work automatically at least in some simple scenarios. Sadly, I don't see a way to obtain the PIN policy, not even using Yubico's provisioning tools. Would it be instead possible to introduce either an |
Try this patch that needs a lot of testing. It moves the test for CKF_LOGIN_REQUIRED till after the Login changes the session from if This worked on a PIV demo card using: pkcs11-tool --sign --id 04 -m SHA256-RSA-PKCS --input-file /tmp/data |
Thank you for the patch. However, looks like it inhibited login completely regardless of the policy. |
It should work the same. The default the PIV and Yubico I think the find_object returns the number of objects it has found. It should be either 1 or 0 as you need to specify the Did the Your card only has one certificate and one key. I did not look at the find_key closely. It might default to returning that one key. If you also added a |
I meant Default PIN policies(
Reversed PIN policies( |
The patch is working for the default pin policies. (See exception below) The Revised PIN policies will not work unless Yubico documents how to test for policy of a key on a Yubico device. It looks like they almost do: yubikey-5-series-technical-manual and PIV_attestation This sould then need to added to The exception with the |
New version of the patch: Unmodified To keep the same functionality, The new patch will only look for a key as seen by This still does not "fix" the general issue of "YubiKey PIN policy is not supported" but does if you stick to using the Default PIN policies. |
I thought that Yubikey policies affect the token itself. Which means - the software need not bother trying to learn what they are. Just attempt the operation - and if the response is |
PKCS#11 imposes some other restrictions. You must first call In this case we are call Also complicating the process is the The patch to
There are really 2 problems here.
|
My point is that it's unnecessary to query it in software. Just issue a command. If it fails with So, again - why not? The simplest way to figure out if an operation requires login or not is to try it and observe the return code. And if you can't even find an object (private key) for a given slot - do you need to query some fancy policy to figure that you need a login? |
If you think there is a simple command to find the private key without first doing a C_Login, show how to defer the login in The "fancy policy query" (if Yubico has one), would be used in
|
I think you showed that you can find an unprotected private key. We all agree that you must login to the token in order to find PIN-protected keys (regardless of whether they're My point was that once you do have a key object (either the unprotected only without prior login, or all the keys after you logged in once), you do not need to login (again?) unless the token forces you to by returning |
As I already wrote in the #1784, I think the PIN policy of the key should be available in the certificate extension and PIV driver should be able to read it. See the section Attestation in the Yubikey technical manual: |
In a separate e-mail to Yubico 8/22/2019 I asked: The OpenSC PIV driver only supports the standard PIN policies for a key. Where is the ADPU Thanks." The response was: The way I read the response the "Attestation" can not return the pin policy for individual keys. |
You can of course read the policy from the attestation certificate. However, the attestation feature is not the way to go. It overwrites whatever certificate was stored in the attestation slot and is unusable when the associated key was imported to the device. |
Apparently, I have confused the purpose of the attestation slot, which is to supply a key used to sign the attestation. But the second point still stands. |
Just to clarify the situation, Yubico has implemented their own PIN policy extensions to the NIST PIV standards, but provide no way to actually test use them except a trial and error method which is all but impossibly to implement within the PKCS#11 and PKCS#15 standards. NIST sp800-73-3 PIV specs define 4 basic key/certificate pairs and up to 20 others in the History object. sp800-73-4 defines one more. The pin policy for these are fixed and enforced on the card. Yubico has defined a way to set these when the key is imported/generated. But there appears to be is no way to read the policy for each key. Thus I said: "The way I read the response the "Attestation" can not return the pin policy for individual keys." and why the note to Yubico. NIST also defines some objects as pin protected. Most objects are not accessible over the contactless (NFC) interface. Yubico violated these access restrictions too. But these restrictions are minor and a NIST approved PIV card will enforce these. Additionally NIST sp800-73-4 also defines optional Secure Messaging for use over NFC but no one appears to be interested in this feature and Yubico does not support it either so I have not done much to implement it. (I do have a NIST approved card that does support it. ) I will look at #1769 (comment) about in a certificate extension That could work, but the CA needs to add the extension to a certificate. (When I am back from vacation.) |
It looks like in firmware ver 5.3 Yubico added a new "get metadata" instruction ( https://developers.yubico.com/PIV/Introduction/Yubico_extensions.html#_get_metadata Seems that the "policy" tag (0x02) is expected to contain two bytes, with values given the same way as when you're instructing it to apply the policy to a slot, so e.g. They implement it in the code for https://github.com/Yubico/yubico-piv-tool/blob/master/lib/ykpiv.c#L1961 |
You are welcome to submit a PR, if you think that address all the concerns above, about violating the NIST standards. |
One thing you can try to see what happens: piv-tool -s"00:f7:00:9A:00" I do not have a Yubico 5, so can not try this. |
Closing this issue due to inactivity. Please re-open the ticket if more input is available. |
I did a bit of procastination and implemented this in #3071 . This implementation is purely based on the specification, so I'd appreciate someone actually testing the pull request. |
fixes detection of Yubikey version, which was broken since f6b4a2e, see OpenSC#3071 (comment) fixes OpenSC#1769
Problem Description
I have a YubiKey 5 which supports PIN policies per slot [1] [2]. There are three different PIN policies: never required, required once and always required. However, it seems the first two are unsupported, as applications always ask for PIN regardless of the policy. This does not allow to authenticate the card only. An example of the desired behavior is when in pkcs11-tool the code responsible for logging in is disabled (opt_login forced to false).
Proposed Resolution
Maybe CKF_LOGIN_REQUIRED should be ignored and login should be deferred until actually required (CKR_USER_NOT_LOGGED_IN). I don't really know, tell me the proper way this should be handled and I can try to implement it.
Steps to reproduce
Logs
OPENSC_DEBUG=9 patched/pkcs11-tool --sign
pkcs11-tool -L
pkcs11-tool -O
The text was updated successfully, but these errors were encountered: