CSIS / EnrollmentStation

Enrollment Station for enrolling Yubico smart cards in a Windows PKI

Keys created with ES 0.3.5.0 do not have "sign" usage bit enabled #32

Closed opoplawski closed 6 years ago

opoplawski commented 6 years ago

As reported by "pkcs15-tool --list-keys" on Linux, the keys created by ES do not have the "sign" usage flag set. For example:

# pkcs15-tool --list-keys
Using reader with a card: Yubico Yubikey 4 OTP+U2F+CCID 00 00
Private RSA Key [PIV AUTH key]
        Object Flags   : [0x1], private
        Usage          : [0x22], decrypt, unwrap

However, keys created with the YubiKey PIV Manager do:

$ pkcs15-tool --list-keys
Using reader with a card: Yubico Yubikey 4 OTP+U2F+CCID 00 00
Private RSA Key [PIV AUTH key]
        Object Flags   : [0x1], private
        Usage          : [0x26], decrypt, sign, unwrap

Most importantly, the "sign" flag is needed for PKINIT to work on Linux as discovered here: https://pagure.io/SSSD/sssd/issue/3616
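The two listings above differ only in the usage bitmask (0x22 versus 0x26). The following check, added here as an example and not part of the original issue or of EnrollmentStation, parses `pkcs15-tool --list-keys` output, decodes the PKCS#15 usage bits as OpenSC names them, and reports whether the PIV AUTH private key carries the "sign" bit that PKINIT needs; the sample outputs are constructed from the listings quoted in the issue.

```python
import re

# PKCS#15 KeyUsageFlags bit values as OpenSC's pkcs15-tool reports them
# (0x22 = decrypt|unwrap, 0x26 = decrypt|sign|unwrap, as quoted in the issue).
USAGE_BITS = {
    0x001: "encrypt", 0x002: "decrypt", 0x004: "sign", 0x008: "signRecover",
    0x010: "wrap", 0x020: "unwrap", 0x040: "verify", 0x080: "verifyRecover",
    0x100: "derive", 0x200: "nonRepudiation",
}

KEY_LINE = re.compile(r"^(Private|Public) (\w+) Key \[(.+?)\]\s*$")
USAGE_LINE = re.compile(r"^\s*Usage\s*:\s*\[0x([0-9A-Fa-f]+)\]")


def decode_usage(mask: int) -> list:
    """Names of the usage bits set in a PKCS#15 usage mask, lowest bit first."""
    return [name for bit, name in sorted(USAGE_BITS.items()) if mask & bit]


def parse_list_keys(output: str) -> list:
    """Turn `pkcs15-tool --list-keys` output into one dict per key object."""
    keys = []
    for line in output.splitlines():
        m = KEY_LINE.match(line)
        if m:  # header line starts a new key object
            keys.append({"kind": m.group(1), "algo": m.group(2),
                         "label": m.group(3), "usage": 0})
            continue
        m = USAGE_LINE.match(line)
        if m and keys:  # attribute line belongs to the most recent key
            keys[-1]["usage"] = int(m.group(1), 16)
    return keys


def pkinit_ready(keys: list, label: str = "PIV AUTH key") -> bool:
    """True when the private key with this label carries the 'sign' bit."""
    return any(k["kind"] == "Private" and k["label"] == label
               and "sign" in decode_usage(k["usage"]) for k in keys)


# Constructed samples, modelled on the two outputs quoted in the issue.
ES_OUTPUT = """Using reader with a card: Yubico Yubikey 4 OTP+U2F+CCID 00 00
Private RSA Key [PIV AUTH key]
        Object Flags   : [0x1], private
        Usage          : [0x22], decrypt, unwrap
"""
PIV_MANAGER_OUTPUT = ES_OUTPUT.replace("[0x22], decrypt, unwrap",
                                       "[0x26], decrypt, sign, unwrap")
```

To check a real card, pipe the tool's output into `parse_list_keys` and call `pkinit_ready` on the result.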

goldfinger2 commented 6 years ago

We can't reproduce this misbehavior with ES 0.3.5.0 on Linux; when enrolling on behalf of other users, PKINIT is working and the sign bit is set.

Using reader with a card: Yubico Yubikey 4 OTP+CCID 00 00
Private RSA Key [PIV AUTH key]
        Object Flags   : [0x1], private
        Usage          : [0x26], decrypt, sign, unwrap
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local

Public RSA Key [PIV AUTH pubkey]
        Object Flags   : [0x0]
        Usage          : [0xD1], encrypt, wrap, verify, verifyRecover

Genbox commented 6 years ago

ES's responsibility is only to get a certificate from the Active Directory Certificate Services (ADCS) and put it on the Yubikey - it does not set properties on the certificate itself. The certificate content is controlled using templates on the ADCS server, so make sure it contains the correct setup.