generation of Certificate Request for SignatureKey with Attestation impossible - proposed fix #321
Comments
There are two problems above, and a suggestion. Just specifying the --pin option does not actually verify the PIN, it just specifies its value. You also need a -averify-pin (or --action=verify-pin) action which is the 'verb' that actually verifies the pin. The reason for this is that you can omit the --pin and it will ask for the pin value, or you may specify the action multiple times. This may be needed for always-authenticate keys such as slot 9c (by default). The other problem is a bug in piv-tool when --attestation is specified with an always-authenticate key, where it will perform other commands before the sign command, de-authenticating the key in the process. This is because always-authenticate keys require the pin to be verified just before the sign command, every time. The (unrelated) suggestion is that you can skip the attest action since an attestation will be embedded in the certificate request anyway with the --attestation option. Of course, if you actually want the attestation separately your command is fine.
So if you add a verify-pin action just before the request-certificate action this will work for other slots than 9c (since 9c by default has always-authenticate active). There is currently no way to use an always-authenticate key with the --attestation option. I will create an issue to fix this.
Please see #326 which should solve this problem, and also means that your original command line should work. The verify-pin action is still functional, in case you just want to verify the pin for example.
Hello Per, Thanks a lot for your help. Kind regards, Bernhard
Glad to hear it works! Just as an FYI, there are two extensions in the certificate request, one is an attestation, and the other is the certificate for the attestation key (in slot f9), which is the issuer certificate for the attestation (which is also a certificate). Kind regards
Dear yubico team,
the following call of the yubico-piv-tool fails before the Sign-Command (ISO 7817 - 10 87 07 9c ...) with the failure code 6982:
C:\Users\bernh\Documents\development\yubico-piv-tool\yubico-piv-tool-2.2.1\build\tool\Debug>yubico-piv-tool.exe --action=generate -s9c --touch-policy="never" --action=attest --action=request-certificate --pin="123456" -S"/CN=Bernhard Schmitz/OU=Security Architecture/O=IT-Security Architects/C=de/" -v2 --attestation
For signature key, a premature pin verify is required after the attestation certificate has been read.
I changed a few lines in the code of yubico-piv-tool.c (which is attached as a text file).
The additional file I added contains a test trace for slots 9c and 9e after compiling the modified code.
May I ask you to have a look, whether you could adopt this suggestion - or find a better way to resolve the described problem?
I'm looking forward to hearing from you and receiving your feedback.
Kind regards,
Bernhard
yubico-piv-tool.txt
2021_10_01_Test_Trace.txt