Open rchen-swi opened 4 months ago
Thanks to today's meeting, I was able to reproduce the behavior and identify the problem. Fortify returns all certificates that the token provides through the PKCS#11 interface. The difference is that your Fortify is actually using the OpenSC PKCS#11 module instead of the Yubico PKCS#11 module. When listing certificates via pkcs11-tool with OpenSC, it only displays one certificate:
% pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --list-objects --type cert
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
label: Certificate for Digital Signature
subject: DN: CN=End-entity RSA-PKCS1
serial: 2799F4C7527B299300116C7AA76C926B
ID: 02
However, when listing certificates via ykcs11, all certificates are accessible:
% pkcs11-tool --module /usr/local/lib/libykcs11.dylib --list-objects --type cert
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
label: X.509 Certificate for Digital Signature
subject: DN: CN=End-entity RSA-PKCS1
serial: 2799F4C7527B299300116C7AA76C926B
ID: 02
Certificate Object; type = X.509 cert
label: X.509 Certificate for Retired Key 1
subject: DN: CN=Intermediate ECDSA
serial: 051115094A63457CA0D20C3E9B691896
ID: 05
Certificate Object; type = X.509 cert
label: X.509 Certificate for Retired Key 2
subject: DN: CN=Root RSA-PSS
serial: 467DC73AD55ADD3C30532F2A49A75F9D
ID: 06
Certificate Object; type = X.509 cert
label: X.509 Certificate for PIV Attestation
subject: DN: CN=Yubico PIV Attestation
serial: FC721B77F363B46E
ID: 19
Certificate Object; type = X.509 cert
label: X.509 Certificate for PIV Attestation 9c
subject: DN: CN=YubiKey PIV Attestation 9c
serial: 01B3829C39C39E0D60E9D76268F11A1E
ID: 02
In my example, I used a Yubico token with the following certificate chain:
During the meeting, we installed Yubico PIV Tools, but Fortify was not restarted, so it continued to use OpenSC. If Fortify cannot load the module specified in the configuration, it tries to use OpenSC.
Please restart Fortify and try to retrieve the list of all token objects using this example or build the certificate chain using this example.
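The comment above turns on one point: Fortify can only link a chain out of the certificate objects the loaded PKCS#11 module actually exposes, so the same token yields a one-certificate "chain" through OpenSC and the full chain through ykcs11. The Go program below is an added example, not code from Fortify or from either PKCS#11 module. It builds in memory a chain shaped like the one in the listings (a self-signed RSA-PSS root, an ECDSA intermediate, an RSA end-entity certificate, plus an unrelated self-signed attestation certificate), models the two module views as two object lists carrying the CKA_LABEL and CKA_ID values shown above, and links the chain the way a PKCS#11 client has to, by matching each issuer name to a candidate's subject and verifying the signature. The type and function names are this example's own, and no token is accessed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// tokenCert models one certificate object as a PKCS#11 module exposes it (CKA_LABEL, CKA_ID).
// Everything here is constructed in memory for the example; no YubiKey is touched.
type tokenCert struct {
	Label string
	ID    byte
	Cert  *x509.Certificate
}

// tokenObjects: 9a holds the leaf, retired-key slots hold the chain, 19 holds attestation.
type tokenObjects struct{ leaf, inter, root, attest tokenCert }

func issue(tmpl, parent *x509.Certificate, pub, signer interface{}) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca { // CheckSignatureFrom requires a CA with keyCertSign on the issuer
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// makeTokenObjects builds the chain from the thread: Root RSA-PSS -> Intermediate ECDSA -> leaf.
func makeTokenObjects() tokenObjects {
	rootKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	rootTmpl := template("Root RSA-PSS", 1, true)
	rootTmpl.SignatureAlgorithm = x509.SHA256WithRSAPSS
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	interKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	interTmpl := template("Intermediate ECDSA", 2, true)
	interTmpl.SignatureAlgorithm = x509.SHA256WithRSAPSS // signed by the RSA-PSS root
	inter := issue(interTmpl, root, &interKey.PublicKey, rootKey)

	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	leaf := issue(template("End-entity RSA-PKCS1", 3, false), inter, &leafKey.PublicKey, interKey)

	attKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // unrelated self-signed cert
	attTmpl := template("Yubico PIV Attestation", 4, true)
	attest := issue(attTmpl, attTmpl, &attKey.PublicKey, attKey)

	return tokenObjects{
		leaf:   tokenCert{"X.509 Certificate for Digital Signature", 0x02, leaf},
		inter:  tokenCert{"X.509 Certificate for Retired Key 1", 0x05, inter},
		root:   tokenCert{"X.509 Certificate for Retired Key 2", 0x06, root},
		attest: tokenCert{"X.509 Certificate for PIV Attestation", 0x19, attest},
	}
}

// The two listings from the thread: OpenSC exposed only 9a, ykcs11 exposed everything.
func openSCView(t tokenObjects) []tokenCert { return []tokenCert{t.leaf} }
func ykcs11View(t tokenObjects) []tokenCert { return []tokenCert{t.leaf, t.inter, t.root, t.attest} }

func isSelfSigned(c *x509.Certificate) bool {
	return bytes.Equal(c.RawSubject, c.RawIssuer) && c.CheckSignatureFrom(c) == nil
}

// buildChain links leaf towards a self-signed root using only the exposed objects:
// issuer name must match a candidate's subject and the signature must verify.
// The result is complete only if its last element is self-signed.
func buildChain(leaf *x509.Certificate, objects []tokenCert) []*x509.Certificate {
	chain := []*x509.Certificate{leaf}
	for cur := leaf; !isSelfSigned(cur); cur = chain[len(chain)-1] {
		var next *x509.Certificate
		for _, o := range objects {
			if bytes.Equal(o.Cert.RawSubject, cur.RawIssuer) && cur.CheckSignatureFrom(o.Cert) == nil {
				next = o.Cert
				break
			}
		}
		if next == nil {
			return chain // issuer is not among the exposed objects, so the chain stops here
		}
		chain = append(chain, next)
	}
	return chain
}

func main() {
	tok := makeTokenObjects()
	for _, v := range []struct {
		name string
		objs []tokenCert
	}{{"opensc-pkcs11", openSCView(tok)}, {"ykcs11", ykcs11View(tok)}} {
		chain := buildChain(tok.leaf.Cert, v.objs)
		fmt.Printf("%-14s %d cert(s), complete=%v\n", v.name, len(chain), isSelfSigned(chain[len(chain)-1]))
	}
}
```

With the OpenSC object list the walk stops after the leaf because no exposed object carries the intermediate's subject; with the ykcs11 list it reaches the self-signed root and the attestation certificate is never selected, since its subject matches no issuer in the chain. When diagnosing the Fortify symptom, comparing the two pkcs11-tool listings as microshine did is the equivalent check against a real token.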
Hi @microshine, I tried restarting Fortify after installing OpenSC and pkcs11-tools on macOS. Now I am able to build the full chain with the root cert and intermediate cert in the hidden slots using your example.
I also tested our application. It can also build the full chain. This is good news. Thanks.
Note: I haven't verified it on Windows yet. I'll try to find some time to test it.
However, my question is: is it possible for the Fortify App to include all these dependencies at installation time?
We are able to generate the certificate chain when certificates are loaded into hidden slots of the YubiKey using the Fortify example: https://peculiarventures.github.io/fortify-examples/example6.html
The changes below are required to generate the entire certificate chain with hidden-slot certificates:
Pre-requisites:
Root certificate is loaded in YubiKey slot 82 (hidden slot)
The entire certificate chain is generated with the Fortify example using the above steps.
Issue description:
I have a full certificate chain (root + intermediate + client) in the YubiKey.
When I tried to build a full certificate chain using Fortify, it does not give me full chain. It only returns the client cert stored in slot 9a.
I think the problem is Fortify does not try to look at the hidden slots on YubiKey. Can you fix this please?