Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The smart card cannot peform the requested operation or the operation requires a different smart card #65

Open
dniasoff opened this issue Dec 15, 2021 · 11 comments
Open

The smart card cannot peform the requested operation or the operation requires a different smart card #65

dniasoff opened this issue Dec 15, 2021 · 11 comments

Comments

@dniasoff
Copy link

This is probably similar to #12

But when I try to login, I typically have to click ok on a few popups containing the above message before WinCryptSSHAgent will present the correct key.

I keep deleting the invalid certs from my user certificate store but they magically reappear???

Screenshot 2021-12-15 115307
@dniasoff
Copy link
Author

Incredible software by the way. I have struggled over the years with windows, ssh-agent and wsl and this is the first solution that JUST WORKS!!!!

@DKhalil
Copy link

DKhalil commented Jan 4, 2022

Yeah, I have the same issue here (and the same compliements as @dniasoff )

@GottZ
Copy link

GottZ commented Jan 21, 2022
edited
Loading

do you also get this when executing certutil.exe -scinfo?
I do.

Judging from your screenshot you are on windows 11 as well as me.

image

@dniasoff
Copy link
Author

dniasoff commented Jan 25, 2022 via email

@dniasoff
Copy link
Author

dniasoff commented Jan 26, 2022 via email

@dniasoff
Copy link
Author

dniasoff commented Feb 17, 2022
edited
Loading

This is my output from the above command

C:\Users\daniel>certutil.exe -scinfo
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
  0: Yubico YubiKey OTP+FIDO+CCID 0
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
--- Status: The card is available for use.
---   Card: YubiKey Smart Card
---    ATR:
        3b fd 13 00 00 81 31 fe  15 80 73 c0 21 c0 57 59   ;.....1...s.!.WY
        75 62 69 4b 65 79 40                               ubiKey@


=======================================================
Analyzing card in reader: Yubico YubiKey OTP+FIDO+CCID 0
Microsoft Base Smart Card Crypto Provider: Missing stored keyset

--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
---   Card: YubiKey Smart Card
Provider = Microsoft Smart Card Key Storage Provider
Key Container = XXXXXXXXXXXXXXXXXXXXX
Serial Number: XXXXXXXXXXXXXXXXXXXXX
Issuer:  XXXXXXXXXXXXXXXXXXXXX
 NotBefore: 07/11/2021 15:00
 NotAfter: 20/10/2023 15:00
Subject: XXXXXXXXXXXXXXXXXXXXX
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): XXXXXXXXXXXXXXXXXXXXX

Performing  public key matching test...
Public key matching test succeeded
  Key Container = XXXXXXXXXXXXXXXXXXXXX
  Provider = Microsoft Smart Card Key Storage Provider
  ProviderType = 0
  Flags = 1
    0x1 (1)
  KeySpec = 0 -- XCN_AT_NONE
Private key verifies
Microsoft Smart Card Key Storage Provider: KeySpec=0
AES256+RSAES_OAEP(ECC:CNG) test skipped

Performing cert chain verification...
CertGetCertificateChain(dwErrorStatus) = 0x20
Chain on smart card is invalid
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=20
  Issuer: XXXXXXXXXXXXXXXXXXXXX
  NotBefore: 07/11/2021 15:00
  NotAfter: 20/10/2023 15:00
  Subject: XXXXXXXXXXXXXXXXXXXXX
  Serial: XXXXXXXXXXXXXXXXXXXXX
  Cert: XXXXXXXXXXXXXXXXXXXXX
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

Exclude leaf cert:
  Chain: XXXXXXXXXXXXXXXXXXXXX
Full chain:
  Chain: XXXXXXXXXXXXXXXXXXXXX
  Issuer: XXXXXXXXXXXXXXXXXXXXX
  NotBefore: 07/11/2021 15:00
  NotAfter: 20/10/2023 15:00
  Subject: XXXXXXXXXXXXXXXXXXXXX
  Serial: XXXXXXXXXXXXXXXXXXXXX
  Cert: XXXXXXXXXXXXXXXXXXXXX
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487 CERT_E_UNTRUSTEDROOT)
------------------------------------
Verifies against UNTRUSTED root
Displayed  cert for reader: Yubico YubiKey OTP+FIDO+CCID 0

--------------===========================--------------
CertUtil: -SCInfo command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
CertUtil: Keyset does not exist

And I am getting the issue alot now. The command pops up a prompt to view certificate like below and that's when I get the error CertUtil: -SCInfo command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET) CertUtil: Keyset does not exist

image

@dniasoff
Copy link
Author

Getting it every time I use it and would love a fix pleeeeeease

this is what I see on certinfo
image

@GottZ
Copy link

GottZ commented Apr 16, 2022

yep. annoying. i've moved to using a normal cert with classic passphrase until this issue is resolved.
my yubikey works fine on linux using this method.

@dniasoff
Copy link
Author

@buptczq Any chance you can address this? it is getting a real pain? Perhaps someway of selecting the card to present to windows instead of allowing it to see all certs/cards? Would really appreciate it and it would improve my efficiency and quality of life dramatically.

Happy to help in any way I can but I don't write in go currently

@michaelfm
Copy link

michaelfm commented May 23, 2022
edited
Loading

I have the same issue and would also appreciate a creative solution. Would unloading certain keys be an option? WinSCP won‘t connect with more than one certificate available. Unfortunately it checks the incorrect ones first and stops connecting.

@dniasoff
Copy link
Author

I have found a workaround for my problem. Certificates are created when you RDP into a machine so that you can use a smartcard over RDP remotely and when you disconnect, the certificate remains in the user's personal store which confuses Wincrypt. Removing that certificate manually prevents the pop-up.

Also windows hello for business supports smart-card enumeration which also confuses WinCrypt. Disabling Windows hello smart card enumeration should resolve this

image

Computer Configuration/Administrative Templates/Windows Components/Windows Hello for Business.

I found that in one case that wasn't enough and I also had to disable the specific cert in Users/Personal store (later on the cert disappeared so it might just take time)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@DKhalil @GottZ @michaelfm @dniasoff