Closed romerod closed 1 week ago
Hi @romerod ! I'm told that in order for this to work, one must make sure to set the card holder unique ID (CHUID) after the reset.
What do the minidriver logs say?
Docs on enabling logging: https://support.yubico.com/hc/en-us/articles/360015654560-Deploying-the-YubiKey-Minidriver-to-Workstations-and-Servers#Setting-Touch-Policy
Hi, thanks for replying. How do I write the CHUID? From the logs I get:
2024-11-08 13:11:19 cardinit.cpp:14 -> CardAcquireContext
2024-11-08 13:11:19 cardinit.cpp:22 IN pCardData->pbAtr[23]:
09B64410 / 23
00000000 3B FD 13 00 00 81 31 FE 15 80 73 C0 21 C0 57 59 ;.....1...s.!.WY
00000010 75 62 69 4B 65 79 40 ubiKey@
2024-11-08 13:11:19 cardinit.cpp:23 IN dwFlags = 0
2024-11-08 13:11:19 cardinit.cpp:24 IN pCardData->dwVersion = (requested): 7
2024-11-08 13:11:19 cardinit.cpp:25 IN pCardData->pwszCardName = YubiKey Smart Card
2024-11-08 13:11:19 cardinit.cpp:27 IN pCardData->pfnCspPadData = 664D3BA0
2024-11-08 13:11:19 cardinit.cpp:28 IN [pCardData=09BAEEB8] [hScard=EA090000] [hSCardCtx: 0xCD010005]
2024-11-08 13:11:19 ykcontext.cpp:32 -> YKContext::Create
2024-11-08 13:11:19 ykcontext.cpp:653 YubiKey serial: XXXXXXX version: 5.4.3
2024-11-08 13:11:19 ykcontext.cpp:674 -> YKContext::_init
2024-11-08 13:11:19 ykcontext.cpp:691 detected YK5
2024-11-08 13:11:19 ykcontext.cpp:703 cardid is not set, attempting to authenticate with default key
2024-11-08 13:11:19 ykcontext.cpp:706 ykpiv_authenticate failed: YKPIV_AUTHENTICATION_ERROR (-5)
2024-11-08 13:11:19 ykcontext.cpp:707 device must be reset using an external utility
2024-11-08 13:11:19 ykcontext.cpp:708 <- YKContext::_init returns 8010000d (The specified smart card name is not recognized. )
2024-11-08 13:11:19 ykcontext.cpp:38 _init failed: The specified smart card name is not recognized. (8010000d)
2024-11-08 13:11:19 ykcontext.cpp:46 <- YKContext::Create returns 8010000d (The specified smart card name is not recognized. )
2024-11-08 13:11:19 cardinit.cpp:84 Could not create YKContext
2024-11-08 13:11:19 cardinit.cpp:85 <- CardAcquireContext returns 8010000d (The specified smart card name is not recognized. )
Thank you for assisting
After setting the CHUID everything works as expected. Thank you.
Use this to write a new CHUID: var chuid = new CardholderUniqueId(); chuid.SetRandomGuid(); pivSession.WriteObject(chuid);
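The full provisioning sequence from the issue with the CHUID step added, as an example written for this thread (not the SDK's or the reporter's code). It assumes the Yubico.YubiKey .NET SDK types named in the thread (PivSession, PivPinOnlyMode, CardholderUniqueId) and a KeyCollector delegate you supply for PIN and management-key prompts; the slot, algorithm and certificate are placeholders.

```csharp
// Added example, not project code. Assumes the Yubico.YubiKey .NET SDK API;
// the KeyCollector, slot, algorithm and certificate are placeholders.
using System;
using System.Security.Cryptography.X509Certificates;
using Yubico.YubiKey;
using Yubico.YubiKey.Piv;
using Yubico.YubiKey.Piv.Objects;

public static class PivProvisioning
{
    // Returns true when a CHUID was written, false when one was already present.
    // The minidriver log line "cardid is not set" in the thread is the symptom
    // this check prevents: the minidriver reads the CHUID as the card id.
    public static bool EnsureChuid(PivSession pivSession)
    {
        CardholderUniqueId chuid = pivSession.ReadObject<CardholderUniqueId>();
        if (!chuid.IsEmpty)
        {
            return false;
        }
        chuid.SetRandomGuid();
        pivSession.WriteObject(chuid); // needs management-key auth; KeyCollector supplies it
        return true;
    }

    public static void Provision(IYubiKeyDevice yubiKey, X509Certificate2 cert,
                                 Func<KeyEntryData, bool> keyCollector)
    {
        using var pivSession = new PivSession(yubiKey) { KeyCollector = keyCollector };

        // Same order as the issue: reset, PIN-only mode, generate key, import cert ...
        pivSession.ResetApplication(); // wipes PIV: PIN, PUK, management key, keys, objects
        pivSession.SetPinOnlyMode(PivPinOnlyMode.PinProtected);

        pivSession.GenerateKeyPair(PivSlot.Authentication, PivAlgorithm.EccP256,
                                   PivPinPolicy.Once, PivTouchPolicy.Never);
        pivSession.ImportCertificate(PivSlot.Authentication, cert);

        // ... and the step the thread identified as missing: a CHUID, so the
        // Windows minidriver treats the card as initialized instead of
        // falling back to the default management key.
        EnsureChuid(pivSession);
    }
}
```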
Glad it worked out for you!
Is there an existing issue for this?
What is your question?
We initialize a YubiKey by resetting the application, setting it to PinOnlyMode.Protected, generating a new PrivateKey and importing a certificate for that key.
As soon as we start using the Windows Crypto API with CryptAcquireContext we get a negative return code. The same code works perfectly when not setting PIN-only mode. GetLastError returns 0x80090016 (NTE_BAD_KEYSET). We invoke it with CryptAcquireContext(ref smartCardContext, $"\\.\Yubico YubiKey OTP+FIDO+CCID 0\", "Microsoft Base Smart Card Crypto Provider", PInvoke.PROV_RSA_FULL, PInvoke.CRYPT_VERIFYCONTEXT)
Didn't find any documentation that this shouldn't work.
We have the 64 bit version of the Minidriver installed.
Could someone get access to the private key when knowing the management key? Or make it possible to try to brute-force PIN entry by unblocking the PUK or so?
Context
No response