PeculiarVentures / fortify

Fortify enables web applications to use smart cards, local certificate stores and do certificate enrollment. This is the desktop application repository.
https://fortifyapp.com

YubiKey only detected by Fortify once on Windows #355

Open kmb64 opened 4 years ago

kmb64 commented 4 years ago

On a Windows 10 machine, the Yubikey (NEO) can only ever be detected by Fortify once. If I take out the card and reinsert, it won't be picked up or recognized and the Fortify application has to be restarted.

Logs after removing card:


```
{"message":"Error: SCardGetStatusChange error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)","level":"error"}
{"message":"Error: SCardGetStatusChange error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)","level":"error"}
{"message":"Provider:Token:Remove reader:'Yubico Yubikey NEO OTP+U2F+CCID 0' name:'Yubico Yubikey NEO OTP+U2F+CCID' atr:3bfc1300008131fe15597562696b65794e454f7233e1","level":"info"}
{"message":"Error: SCardGetStatusChange error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)","level":"error"}
{"message":"Error: SCardListReaders error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)","level":"error"}
{"message":"Error: SCardListReaders error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)","level":"error"}
{"message":"Error: SCardListReaders error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)","level":"error"}
{"message":"Provider:RemoveCrypto PKCS#11 'C:\\Windows\\System32\\libykcs11-1.dll' 'Yubico Yubikey NEO OTP+U2F+CCID'","level":"info"}
{"message":"Provider:RemoveCrypto PKCS#11 finalize 'C:\\Windows\\System32\\libykcs11-1.dll'","level":"info"}
{"message":"Provider:Token:Remove Crypto removed 'Yubico Yubikey NEO OTP+U2F+CCID' b5436fd6c2dbbd2a225e4c39b9c314ec5df663d2543bef8e5a938c6c65fb697a","level":"info"}
{"message":"Provider:Token Amount of tokens was changed (+0/-1)","level":"info"}
```

microshine commented 4 years ago

As far as I can remember, I saw that problem before and it wasn't a Fortify issue. It was like a Yubico PKCS#11 lib issue (it was during graphene-pk11 testing).

What version of the Yubico PKCS#11 library do you use?

microshine commented 4 years ago

It's possible that the Yubico library still has a token slot after its removal. Fortify catches the PCSC event on token insertion/removal and filters all loaded libraries and their slots. It must add new slots and remove unused ones if needed.

kmb64 commented 4 years ago

Using the PKCS#11 modules from yubikey-piv-tool 2.1.1

kmb64 commented 4 years ago

Using just graphene-pk11 it works as expected. I can take out the card and reinsert it, and graphene-pk11 is still able to access slots and perform operations etc.

kmb64 commented 4 years ago

Were you guys able to reproduce this issue?

kmb64 commented 4 years ago

Some further testing:

Confirmed symptom: Fortify can’t communicate with the YubiKey if it has been pulled out and reinserted, and requires a full restart. The YubiKey will no longer be provided as an option in the drop down via Fortify tools.

Environment: Windows 10. Browser: Chrome.

Fortify logs:

```
{"message":"Error: SCardGetStatusChange error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)","level":"error"}
{"message":"Error: SCardGetStatusChange error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)","level":"error"}
{"message":"Provider:Token:Remove reader:'Yubico Yubikey NEO OTP+U2F+CCID 0' name:'Yubico Yubikey NEO OTP+U2F+CCID' atr:3bfc1300008131fe15597562696b65794e454f7233e1","level":"info"}
{"message":"Error: SCardGetStatusChange error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)","level":"error"}
{"message":"Error: SCardListReaders error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)","level":"error"}
{"message":"Error: SCardListReaders error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)","level":"error"}
{"message":"Error: SCardListReaders error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)","level":"error"}
{"message":"Provider:RemoveCrypto PKCS#11 'C:\\Windows\\System32\\libykcs11-1.dll' 'Yubico Yubikey NEO OTP+U2F+CCID'","level":"info"}
{"message":"Provider:RemoveCrypto PKCS#11 finalize 'C:\\Windows\\System32\\libykcs11-1.dll'","level":"info"}
{"message":"Provider:Token:Remove Crypto removed 'Yubico Yubikey NEO OTP+U2F+CCID' b5436fd6c2dbbd2a225e4c39b9c314ec5df663d2543bef8e5a938c6c65fb697a","level":"info"}
{"message":"Provider:Token Amount of tokens was changed (+0/-1)","level":"info"}
```

Also confirmed that the following modules are still able to communicate with the YubiKey after reinserting:

yubico-piv-tool

node-webcrypto-p11

and graphene-pk11
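
A triage helper for logs like the ones quoted above, as an added example that is not part of the original thread or Fortify's code: it parses the JSON records (one per line or run together), counts PC/SC failures by function and code, and flags the reported pattern of a reader removal followed by continued `0x8010001d` errors with no token added back. Function names are hypothetical, the sample is shortened from the quoted lines, and reading `+N` in the "Amount of tokens" record as tokens added is an assumption.

```javascript
// Added example; names are hypothetical, not Fortify's code.
const NO_SERVICE = 0x8010001d; // SCARD_E_NO_SERVICE: resource manager not running
const PCSC_ERROR = /^Error: (SCard\w+) error: .*\((0x[0-9a-f]{8})\)$/is;
const READER_REMOVED = /^Provider:Token:Remove reader:'([^']*)'/;
const TOKEN_DELTA = /^Provider:Token Amount of tokens was changed \(\+(\d+)\/-(\d+)\)$/;

// Sample shortened from the log lines quoted in this thread (atr field dropped);
// String.raw keeps the \r\n escapes exactly as they appear in the log file.
const SAMPLE = String.raw`{"message":"Error: SCardGetStatusChange error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)","level":"error"}
{"message":"Provider:Token:Remove reader:'Yubico Yubikey NEO OTP+U2F+CCID 0' name:'Yubico Yubikey NEO OTP+U2F+CCID'","level":"info"} {"message":"Error: SCardGetStatusChange error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)","level":"error"} {"message":"Error: SCardListReaders error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)","level":"error"}
{"message":"Error: SCardListReaders error: The Smart Card Resource Manager is not running.\r\n(0x8010001d)","level":"error"}
{"message":"Provider:Token Amount of tokens was changed (+0/-1)","level":"info"}`;

// Split a blob into JSON object texts, whether one per line or run together.
function splitObjects(blob) {
  const out = [];
  let depth = 0, start = -1, inStr = false;
  for (let i = 0; i < blob.length; i++) {
    const c = blob[i];
    if (inStr) {
      if (c === "\\") i++;                 // skip the escaped character
      else if (c === '"') inStr = false;
    } else if (c === '"') inStr = true;
    else if (c === "{") { if (depth++ === 0) start = i; }
    else if (c === "}" && depth > 0 && --depth === 0) out.push(blob.slice(start, i + 1));
  }
  return out;
}

function triage(blob) {
  const r = { errors: {}, removedReaders: [], noServiceAfterRemoval: 0, tokensAddedAfterRemoval: 0 };
  for (const raw of splitObjects(blob)) {
    let msg, m;
    try { msg = JSON.parse(raw).message; } catch { continue; } // skip damaged records
    if (typeof msg !== "string") continue;
    if ((m = PCSC_ERROR.exec(msg))) {
      const key = `${m[1]}:${m[2].toLowerCase()}`;
      r.errors[key] = (r.errors[key] || 0) + 1;
      if (parseInt(m[2], 16) === NO_SERVICE && r.removedReaders.length) r.noServiceAfterRemoval++;
    } else if ((m = READER_REMOVED.exec(msg))) {
      r.removedReaders.push(m[1]);
    } else if ((m = TOKEN_DELTA.exec(msg)) && r.removedReaders.length) {
      r.tokensAddedAfterRemoval += Number(m[1]);
    }
  }
  // Symptom from this thread: reader removed, PC/SC keeps failing, nothing re-added.
  r.serviceLostAfterRemoval = r.removedReaders.length > 0 &&
    r.noServiceAfterRemoval > 0 && r.tokensAddedAfterRemoval === 0;
  return r;
}

console.log(triage(SAMPLE));
```
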

rmhrisk commented 4 years ago

@microshine / @donskov please investigate when the current project is complete

kmb64 commented 4 years ago

Very similar issue over here for node-pcsclite https://github.com/santigimeno/node-pcsclite/issues/68 with the same symptoms. Perhaps changing the webcrypto-local/server to point at @pokusew/pcsclite could help fix?

See this comment on the issue: https://github.com/santigimeno/node-pcsclite/issues/68#issuecomment-283129223

rmhrisk commented 4 years ago

We will give that a try. I believe @microshine has the necessary token and in a little over a week he should have time.

jaydenmallen commented 4 years ago

@microshine have you had a chance to look into this one?