
Bug#1023561: yubico-piv-tool: selfsign-certificate fails nondescriptively, update needed?


Jamie Lentin
Nov 6, 2022, 1:10:03 PM
Package: yubico-piv-tool
Version: 2.2.0-1.1
Severity: normal
X-Debbugs-Cc: j...@lentin.co.uk

Dear Maintainer,

I tried following the instructions to set up a Yubikey 5C Nano, firmware 5.4.3,
with PIV:

https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html

$ ykman piv reset
WARNING! This will delete all stored PIV data and restore factory settings. Proceed? [y/N]: y
Resetting PIV data...
Success! All PIV data have been cleared from the YubiKey.
Your YubiKey now has the default PIN, PUK and Management Key:
PIN: 123456
PUK: 12345678
Management Key: 010203040506070801020304050607080102030405060708

$ yubico-piv-tool --version
yubico-piv-tool 2.2.0
$ yubico-piv-tool -s 9a -a generate -o public.pem
Successfully generated a new private key.
$ yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S "/CN=SSH key/" -i public.pem -o cert.pem
Enter PIN:
Successfully verified PIN.
Failed signing certificate.

Not entirely dissimilar to the upstream issue 185[0], however there is no wait
for a button press. Trying the same commands from upstream master 75188af,
compiling upstream as per README instructions[1], works fine:

$ ./tool/yubico-piv-tool --version
yubico-piv-tool 2.3.0
$ ./tool/yubico-piv-tool -s 9a -a generate -o public.pem
Successfully generated a new private key.
$ ./tool/yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S "/CN=SSH key/" -i public.pem -o cert.pem
Enter PIN:
Successfully verified PIN.
Successfully generated a new self signed certificate.

NB: The tagged version yubico-piv-tool-2.3.0 fails to compile.

Does the package need updating? Is the Yubikey documentation not valid for
2.2.0, or am I just being dumb?

Cheers,

[0] https://github.com/Yubico/yubico-piv-tool/issues/185
[1] https://github.com/Yubico/yubico-piv-tool

-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.19.0-2-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages yubico-piv-tool depends on:
ii libc6 2.36-4
ii libssl3 3.0.7-1
ii libykpiv2 2.2.0-1.1

yubico-piv-tool recommends no packages.

yubico-piv-tool suggests no packages.

-- no debconf information

Richard Hansen
Dec 24, 2022, 6:40:04 PM
Control: tags -1 patch

On Sun, 06 Nov 2022 17:58:06 +0000 Jamie Lentin <j...@lentin.co.uk> wrote:
> Does the package need updating?

Can you try merge request #7 [1] to see if it works for you? You can find pre-built .deb files in the CI artifacts [2] for that merge request.

(Disclaimer: I'm not a maintainer for yubico-piv-tool, just someone who wants to update it.)

[1] https://salsa.debian.org/auth-team/yubico-piv-tool/-/merge_requests/7
[2] https://salsa.debian.org/rhansen/yubico-piv-tool/-/jobs/3701682/artifacts/browse/debian/output/

Jamie Lentin
Dec 27, 2022, 7:10:03 AM
On 2022-12-24 23:22, Richard Hansen wrote:
> Control: tags -1 patch
>
> On Sun, 06 Nov 2022 17:58:06 +0000 Jamie Lentin <j...@lentin.co.uk>
> wrote:
>> Does the package need updating?
>
> Can you try merge request #7 [1] to see if it works for you? You can
> find pre-built .deb files in the CI artifacts [2] for that merge
> request.

Looks like it will do, after installing the CI artifacts:

* libykpiv2_2.3.0-1+salsaci+20221224+4_amd64.deb
* ykcs11_2.3.0-1+salsaci+20221224+4_amd64.deb
* yubico-piv-tool_2.3.0-1+salsaci+20221224+4_amd64.deb

I can happily generate / sign:

$ ykman piv reset
WARNING! This will delete all stored PIV data and restore factory settings. Proceed? [y/N]: y
Resetting PIV data...
Success! All PIV data have been cleared from the YubiKey.
Your YubiKey now has the default PIN, PUK and Management Key:
PIN: 123456
PUK: 12345678
Management Key: 010203040506070801020304050607080102030405060708
$ which yubico-piv-tool
/usr/bin/yubico-piv-tool
$ yubico-piv-tool --version
yubico-piv-tool 2.3.0
$ yubico-piv-tool -s 9a -a generate -o public.pem
Successfully generated a new private key.
$ yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S "/CN=SSH key/" -i public.pem -o cert.pem
Enter PIN:
Successfully verified PIN.
Successfully generated a new self signed certificate.

Thanks!
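A pre-flight wrapper around the generate and selfsign-certificate steps shown in this thread, as an added shell example that is not from the bug report, the Debian package or the yubico-piv-tool project. It assumes `yubico-piv-tool` and `openssl` are on PATH, uses 2.3.0 as the minimum version only because that is the version that worked for the reporter where 2.2.0 printed "Failed signing certificate.", and assumes the file written by `-a generate -o public.pem` is a PEM public key comparable to the output of `openssl x509 -pubkey`. The point is to fail loudly and early instead of leaving a stale or missing cert.pem behind a one-line error.

```shell
#!/bin/sh
# Added example, not code from the bug report or from yubico-piv-tool.
# Gates the PIV self-sign procedure on a tool version known (in this thread)
# to work, then checks the signed certificate actually carries the key that
# was generated. Assumes yubico-piv-tool and openssl are on PATH.
set -eu

# tool_version LINE: pull "X.Y.Z" out of a "yubico-piv-tool X.Y.Z" line.
tool_version() {
  set -- $1
  printf '%s\n' "${2:-}"
}

# version_ge A B: succeed if dotted version A is >= B, compared numerically
# component by component (2.10.0 > 2.9.5; 2.3 == 2.3.0).
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ap="${a%%.*}"; bp="${b%%.*}"
    [ -n "$ap" ] || ap=0
    [ -n "$bp" ] || bp=0
    if [ "$ap" -gt "$bp" ]; then return 0; fi
    if [ "$ap" -lt "$bp" ]; then return 1; fi
    case "$a" in *.*) a="${a#*.}";; *) a="";; esac
    case "$b" in *.*) b="${b#*.}";; *) b="";; esac
  done
  return 0
}

# cert_matches_pubkey CERT PUB: succeed if the certificate's SubjectPublicKeyInfo
# equals the PEM public key file the tool wrote (assumption: same PEM encoding).
cert_matches_pubkey() {
  cert_key="$(openssl x509 -in "$1" -noout -pubkey)"
  [ "$cert_key" = "$(cat "$2")" ]
}

# provision SLOT: the thread's two commands, with a version gate before and a
# key/cert consistency check after. Minimum version is the one that worked here.
provision() {
  slot="$1"
  min=2.3.0
  v="$(tool_version "$(yubico-piv-tool --version)")"
  if ! version_ge "$v" "$min"; then
    printf 'yubico-piv-tool %s is older than %s; selfsign-certificate failed on 2.2.0 (Debian bug #1023561)\n' "$v" "$min" >&2
    return 2
  fi
  yubico-piv-tool -s "$slot" -a generate -o public.pem
  yubico-piv-tool -a verify-pin -a selfsign-certificate -s "$slot" \
    -S "/CN=SSH key/" -i public.pem -o cert.pem
  if ! cert_matches_pubkey cert.pem public.pem; then
    printf 'cert.pem does not carry the key in public.pem; refusing to continue\n' >&2
    return 3
  fi
  printf 'slot %s: key generated and self-signed certificate verified\n' "$slot"
}

# Only touch the YubiKey when explicitly asked: ./piv-preflight.sh run [slot]
if [ "${1:-}" = run ]; then
  provision "${2:-9a}"
fi
```

Run it as `sh piv-preflight.sh run 9a` (the name is hypothetical); without the `run` argument the functions are defined but nothing touches the token, which is also what lets the helpers be checked offline.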