PeculiarVentures / fortify

Fortify enables web applications to use smart cards, local certificate stores and do certificate enrollment. This is the desktop application repository.
https://fortifyapp.com

Fortify not able to build certificate chain in YubiKey #577

Open rchen-swi opened 4 months ago

rchen-swi commented 4 months ago

Issue description:

I have a full certificate chain (root + intermediate + client) in the YubiKey.

When I tried to build a full certificate chain using Fortify, it does not give me the full chain. It only returns the client cert stored in slot 9a.

I think the problem is Fortify does not try to look at the hidden slots on YubiKey. Can you fix this please?

microshine commented 4 months ago

Thanks to today's meeting, I was able to reproduce the behavior and identify the problem. Fortify returns all certificates that the token provides through the PKCS#11 interface. The difference is that your Fortify is actually using the OpenSC PKCS#11 module instead of the Yubico PKCS#11 module. When listing certificates via pkcs11-tool with OpenSC, it only displays one certificate:

% pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --list-objects --type cert
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      Certificate for Digital Signature
  subject:    DN: CN=End-entity RSA-PKCS1
  serial:     2799F4C7527B299300116C7AA76C926B
  ID:         02

However, when listing certificates via ykcs11, all certificates are accessible:

% pkcs11-tool --module /usr/local/lib/libykcs11.dylib --list-objects --type cert
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      X.509 Certificate for Digital Signature
  subject:    DN: CN=End-entity RSA-PKCS1
  serial:     2799F4C7527B299300116C7AA76C926B
  ID:         02
Certificate Object; type = X.509 cert
  label:      X.509 Certificate for Retired Key 1
  subject:    DN: CN=Intermediate ECDSA
  serial:     051115094A63457CA0D20C3E9B691896
  ID:         05
Certificate Object; type = X.509 cert
  label:      X.509 Certificate for Retired Key 2
  subject:    DN: CN=Root RSA-PSS
  serial:     467DC73AD55ADD3C30532F2A49A75F9D
  ID:         06
Certificate Object; type = X.509 cert
  label:      X.509 Certificate for PIV Attestation
  subject:    DN: CN=Yubico PIV Attestation
  serial:     FC721B77F363B46E
  ID:         19
Certificate Object; type = X.509 cert
  label:      X.509 Certificate for PIV Attestation 9c
  subject:    DN: CN=YubiKey PIV Attestation 9c
  serial:     01B3829C39C39E0D60E9D76268F11A1E
  ID:         02

In my example, I used a Yubico token with the following certificate chain:

During the meeting, we installed Yubico PIV Tools, but Fortify was not restarted, so it continued to use OpenSC. If Fortify cannot load the module specified in the configuration, it tries to use OpenSC.

Please restart Fortify and try to retrieve the list of all token objects using this example or build the certificate chain using this example.
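The chain-assembly step microshine refers to, as an added example that is not Fortify's own code: it builds a leaf-to-root chain from whichever certificate objects a PKCS#11 module exposes, using constructed records whose subjects and serials come from the two pkcs11-tool listings above. The issuer links between those certificates are assumed from the CNs (the listings do not print issuers), matching is by DN string only, and no signatures are verified; real chain building must also match AKI/SKI and verify each link. The point it shows is the one in the report: with the OpenSC view only the leaf is visible, so the chain stops short, while the ykcs11 view yields all three certificates and ignores the unrelated attestation certificates.

```javascript
// Added example (not from the Fortify project): assemble a certificate chain
// from the certificate objects a PKCS#11 module exposes.
//
// Each record is a constructed stand-in for one "Certificate Object" from the
// pkcs11-tool listings. Subject and serial come from the thread; the issuer
// links are ASSUMED from the CNs. Real code would parse CKA_VALUE (DER).
const LEAF = {
  label: 'X.509 Certificate for Digital Signature',
  subject: 'CN=End-entity RSA-PKCS1',
  issuer: 'CN=Intermediate ECDSA',            // assumed
  serial: '2799F4C7527B299300116C7AA76C926B',
};
const INTERMEDIATE = {
  label: 'X.509 Certificate for Retired Key 1',
  subject: 'CN=Intermediate ECDSA',
  issuer: 'CN=Root RSA-PSS',                  // assumed
  serial: '051115094A63457CA0D20C3E9B691896',
};
const ROOT = {
  label: 'X.509 Certificate for Retired Key 2',
  subject: 'CN=Root RSA-PSS',
  issuer: 'CN=Root RSA-PSS',                  // assumed self-signed
  serial: '467DC73AD55ADD3C30532F2A49A75F9D',
};
// The attestation certificates are also on the token and must not be pulled
// into the user's chain just because they are present. The issuer of the
// attestation CA is a placeholder: its issuer is not stored on the token.
const ATTESTATION_CA = {
  label: 'X.509 Certificate for PIV Attestation',
  subject: 'CN=Yubico PIV Attestation',
  issuer: 'CN=(attestation root, not on token)', // placeholder
  serial: 'FC721B77F363B46E',
};
const ATTESTATION_9C = {
  label: 'X.509 Certificate for PIV Attestation 9c',
  subject: 'CN=YubiKey PIV Attestation 9c',
  issuer: 'CN=Yubico PIV Attestation',        // assumed
  serial: '01B3829C39C39E0D60E9D76268F11A1E',
};

// What each module returned for C_FindObjects(CKO_CERTIFICATE) in the thread.
const OPENSC_VIEW = [LEAF];
const YKCS11_VIEW = [LEAF, INTERMEDIATE, ROOT, ATTESTATION_CA, ATTESTATION_9C];

const certKey = (c) => `${c.subject}|${c.serial}`;
const isSelfSigned = (c) => c.subject === c.issuer;

// Follow issuer -> subject links from the leaf until a self-signed certificate
// is reached. Matching is by DN string only; production code must also match
// AKI/SKI and verify each signature before trusting a link.
function buildChain(leaf, pool) {
  const chain = [leaf];
  const seen = new Set([certKey(leaf)]);
  let current = leaf;
  while (!isSelfSigned(current)) {
    const issuer = pool.find(
      (c) => c.subject === current.issuer && !seen.has(certKey(c)),
    );
    if (!issuer) {
      // The issuer is not among the objects this module exposes, so the chain
      // stops short: the OpenSC symptom from the report.
      return { chain, complete: false, missing: current.issuer };
    }
    chain.push(issuer);
    seen.add(certKey(issuer)); // guards against DN loops on odd tokens
    current = issuer;
  }
  return { chain, complete: true, missing: null };
}

// Subjects in leaf-to-root order, handy for logging.
const chainSubjects = (result) => result.chain.map((c) => c.subject);

for (const [name, view] of [['OpenSC', OPENSC_VIEW], ['ykcs11', YKCS11_VIEW]]) {
  const r = buildChain(LEAF, view);
  console.log(
    `${name}: complete=${r.complete} chain=${chainSubjects(r).join(' <- ')}` +
      (r.missing ? ` (missing issuer ${r.missing})` : ''),
  );
}
```

Running it prints an incomplete one-element chain for the OpenSC view and the full three-element chain for the ykcs11 view; a chain started from the attestation certificate stays incomplete because its root is not on the token, which is the expected result rather than an error.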

rchen-swi commented 4 months ago

Hi @microshine , I tried restarting Fortify after installing OpenSC and pkcs11-tools on macOS. Now I am able to build the full chain with the root cert and intermediate cert in the hidden slots using your example.

I also tested our application. It can also build the full chain. This is good news. Thanks.

Note: I haven't verified it on Windows yet. I'll try to find some time to test it.

However, my question is: is it possible for the Fortify app to include all these dependencies at installation time?

pmhatre-swi commented 3 months ago

We are able to generate the certificate chain when certificates are loaded into hidden slots of the Yubikey using the Fortify example: https://peculiarventures.github.io/fortify-examples/example6.html The changes below are required to generate the entire certificate chain with the hidden-slot certificates:

Pre-requisites:

  1. Fortify and Yubikey Manager are already installed on the laptop.
  2. The client certificate is loaded in Yubikey slot 9a (Authentication).
  3. The intermediate certificate is loaded in Yubikey slot 83 (hidden slot).
  4. The root certificate is loaded in Yubikey slot 82 (hidden slot).

    • Install Yubico PIV Tool
    • Edit ~/.fortify/card.json. Change %WINDIR/System32/libykcs11-1.dll to C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll
    • Restart Fortify
    • Unplug and plug the Yubikey.

The entire certificate chain is generated with the Fortify example after the above steps.
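The card.json edit from the steps above, scripted as an added example that is not Fortify's code. It assumes only that card.json stores the PKCS#11 module path as a JSON string value somewhere in the document (the walker visits every value, so it does not depend on the file's exact layout, which this thread does not show). The two practical checks it adds are the ones a hand edit can get wrong: the replacement count is verified so a typo in the old name does not produce an untouched file that Fortify silently ignores (falling back to OpenSC, as microshine explains), and the Windows path is written through JSON.stringify so the backslashes are escaped as `C:\\Program Files\\...` in the file.

```javascript
// Added example (not Fortify's code): repoint the YubiKey PKCS#11 driver in
// ~/.fortify/card.json to the Yubico PIV Tool DLL named in the thread.
// ASSUMPTION: the module path is stored as a JSON string value; nothing else
// about the layout of card.json is assumed.
const OLD_DLL_NAME = 'libykcs11-1.dll';
// Path from the thread. In this JS literal each backslash is doubled once;
// JSON.stringify doubles it again on output, which is what a valid JSON file
// needs (a hand edit must write "C:\\Program Files\\..." as well).
const NEW_DLL_PATH = 'C:\\Program Files\\Yubico\\Yubico PIV Tool\\bin\\libykcs11.dll';

// Recursively replace, in place, every string value whose file name is
// oldName. Returns the number of replacements so the caller can detect
// "nothing matched" (wrong file, or the entry was already changed).
function repointDriver(node, oldName = OLD_DLL_NAME, newPath = NEW_DLL_PATH) {
  let changed = 0;
  const visit = (container, key) => {
    const v = container[key];
    if (typeof v === 'string') {
      const norm = v.replace(/\\/g, '/'); // accept %WINDIR%\... or %WINDIR%/...
      if (norm === oldName || norm.endsWith('/' + oldName)) {
        container[key] = newPath;
        changed++;
      }
    } else if (v && typeof v === 'object') {
      changed += repointDriver(v, oldName, newPath);
    }
  };
  if (Array.isArray(node)) node.forEach((_, i) => visit(node, i));
  else if (node && typeof node === 'object') Object.keys(node).forEach((k) => visit(node, k));
  return changed;
}

// Text-level wrapper: parse, rewrite, re-serialise. Throws if the text is not
// valid JSON or if no driver entry matched.
function rewriteCardJsonText(text, newPath = NEW_DLL_PATH) {
  const cfg = JSON.parse(text);
  const n = repointDriver(cfg, OLD_DLL_NAME, newPath);
  if (n === 0) throw new Error(`no entry ending in ${OLD_DLL_NAME} found in card.json`);
  return JSON.stringify(cfg, null, 2) + '\n';
}

// File wrapper for the real ~/.fortify/card.json: keeps a .bak copy of the
// original. Node's fs/os/path are loaded lazily so the pure functions above
// can be reused elsewhere. Fortify must be restarted afterwards, as the
// steps above say, for the new module path to take effect.
function rewriteCardJsonFile(file) {
  const fs = require('fs');
  const os = require('os');
  const path = require('path');
  const target = file || path.join(os.homedir(), '.fortify', 'card.json');
  const original = fs.readFileSync(target, 'utf8');
  fs.writeFileSync(target + '.bak', original);
  fs.writeFileSync(target, rewriteCardJsonText(original));
  return target;
}
```

Call `rewriteCardJsonFile()` with no argument to edit the default `~/.fortify/card.json`, then restart Fortify and re-insert the YubiKey as in the steps above; if the function throws with "no entry ending in libykcs11-1.dll found", the file is not the one Fortify reads or the entry was already changed, and nothing has been written.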