Yubico / yubico-piv-tool

Command line tool for the YubiKey PIV application
https://developers.yubico.com/yubico-piv-tool
BSD 2-Clause "Simplified" License

ykcs11.so does not recognize SO PIN #204

Closed hayashida-katsutoshi closed 4 years ago

hayashida-katsutoshi commented 4 years ago

I'm trying to write a private key to a YubiKey FIPS, and I'm getting an error. The User PIN and SO PIN have not been changed from their defaults for now.

$ p11tool --provider ~/cst/yubico-piv-tool/ykcs11/.libs/libykcs11.so "pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV" --so-login --write --load-privkey keys/SRK1_sha256_2048_65537_v3_usr_key.pem --label SRK1_sha256_2048_65537_v3_usr --id 010203040506070801020304050607080102030405060708
debug: ykcs11.c:174 (C_GetFunctionList): In
debug: ykcs11.c:182 (C_GetFunctionList): Out
debug: ykcs11.c:87 (C_Initialize): In
trying to connect to reader 'Yubico Yubikey 4 OTP+U2F+CCID 00 00'.
debug: ykcs11.c:107 (C_Initialize): Found 1 slot(s) of which 0 tokenless/unsupported
debug: ykcs11.c:112 (C_Initialize): Out
debug: ykcs11.c:152 (C_GetInfo): In
debug: ykcs11.c:166 (C_GetInfo): Out
Token '' with URL 'key:' requires user PIN
Enter PIN: 123456
Enter password: higashihara
debug: ykcs11.c:197 (C_GetSlotList): In
debug: ykcs11.c:239 (C_GetSlotList): token present is 1
debug: ykcs11.c:240 (C_GetSlotList): number of slot(s) is 1
debug: ykcs11.c:242 (C_GetSlotList): Out
debug: ykcs11.c:274 (C_GetTokenInfo): In
debug: ykcs11.c:315 (C_GetTokenInfo): Out
debug: ykcs11.c:251 (C_GetSlotInfo): In
debug: ykcs11.c:265 (C_GetSlotInfo): Out
debug: ykcs11.c:514 (C_OpenSession): In
trying to connect to reader 'Yubico Yubikey 4 OTP+U2F+CCID 00 00'.
debug: yubico_token.c:317 (get_objects): The total number of objects for this token is 29
debug: yubico_token.c:317 (get_objects): The total number of objects for this token is 29
debug: ykcs11.c:642 (C_OpenSession): Out
debug: ykcs11.c:723 (C_GetSessionInfo): In
debug: ykcs11.c:742 (C_GetSessionInfo): Out
Token 'YubiKey PIV' with URL 'pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV' requires security officer PIN
Enter PIN: 12345678
debug: ykcs11.c:779 (C_Login): In
debug: ykcs11.c:793 (C_Login): user 0, pin 12345678, pinlen 8
debug: ykcs11.c:665 (C_CloseSession): In
debug: ykcs11.c:690 (C_CloseSession): Out
Error in pkcs11_write:1006: The request is invalid.

In the C_Login function, I found this code.

  case CKU_SO:
    if (ulPinLen != PIV_MGM_KEY_LEN)
      return CKR_ARGUMENTS_BAD;

It sounds strange because it says the SO PIN must be 48 letters long.

Then I removed this 'if' block, but I got another error, as below.

$ p11tool --provider ~/cst/yubico-piv-tool/ykcs11/.libs/libykcs11.so "pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV" --so-login --write --load-privkey keys/SRK1_sha256_2048_65537_v3_usr_key.pem --label SRK1_sha256_2048_65537_v3_usr --id 010203040506070801020304050607080102030405060708
debug: ykcs11.c:174 (C_GetFunctionList): In
debug: ykcs11.c:182 (C_GetFunctionList): Out
debug: ykcs11.c:87 (C_Initialize): In
trying to connect to reader 'Yubico Yubikey 4 OTP+U2F+CCID 00 00'.
debug: ykcs11.c:107 (C_Initialize): Found 1 slot(s) of which 0 tokenless/unsupported
debug: ykcs11.c:112 (C_Initialize): Out
debug: ykcs11.c:152 (C_GetInfo): In
debug: ykcs11.c:166 (C_GetInfo): Out
Token '' with URL 'key:' requires user PIN
Enter PIN: 
Enter password: 
debug: ykcs11.c:197 (C_GetSlotList): In
debug: ykcs11.c:239 (C_GetSlotList): token present is 1
debug: ykcs11.c:240 (C_GetSlotList): number of slot(s) is 1
debug: ykcs11.c:242 (C_GetSlotList): Out
debug: ykcs11.c:274 (C_GetTokenInfo): In
debug: ykcs11.c:315 (C_GetTokenInfo): Out
debug: ykcs11.c:251 (C_GetSlotInfo): In
debug: ykcs11.c:265 (C_GetSlotInfo): Out
debug: ykcs11.c:514 (C_OpenSession): In
trying to connect to reader 'Yubico Yubikey 4 OTP+U2F+CCID 00 00'.
debug: yubico_token.c:317 (get_objects): The total number of objects for this token is 29
debug: yubico_token.c:317 (get_objects): The total number of objects for this token is 29
debug: ykcs11.c:642 (C_OpenSession): Out
debug: ykcs11.c:723 (C_GetSessionInfo): In
debug: ykcs11.c:742 (C_GetSessionInfo): Out
Token 'YubiKey PIV' with URL 'pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV' requires security officer PIN
Enter PIN: 
debug: ykcs11.c:779 (C_Login): In
debug: ykcs11.c:793 (C_Login): user 0, pin 12345678, pinlen 8
debug: token_vendors.c:74 (COMMON_token_login): Failed to authenticate
debug: ykcs11.c:861 (C_Login): Unable to login as SO
debug: ykcs11.c:723 (C_GetSessionInfo): In
debug: ykcs11.c:742 (C_GetSessionInfo): Out
debug: ykcs11.c:274 (C_GetTokenInfo): In
debug: ykcs11.c:315 (C_GetTokenInfo): Out
*** Wrong PIN has been provided!
Token 'YubiKey PIV' with URL 'pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV' requires security officer PIN
Enter PIN: 

Does that mean the default SO PIN is not 12345678 but something else that is 48 letters long?

a-dma commented 4 years ago

Correct, 12345678 is the PUK and only used to unblock the PIN. The SO PIN is the management key which defaults to 010203040506070801020304050607080102030405060708.

hayashida-katsutoshi commented 4 years ago

Thank you, a-dma. I now understand that the SO PIN is the management key. However, I'm still having trouble because p11tool only accepts an SO PIN of up to 31 letters. Is there any workaround?

a-dma commented 4 years ago

I haven't used p11tool much, but you're right: I've had a quick look at the source code and they define GNUTLS_PKCS11_MAX_PIN_LEN to 32, which is incorrect. The right way would be to look at what the token reports through the module when GetTokenInfo is called. Unfortunately, that is also incorrectly reported by ykcs11 :upside_down_face:.

If you're fine with it, pkcs11-tool supports longer PINs.
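Added example (not code from this issue thread or from the yubico-piv-tool project): a small Python model of the two length checks that collide in this thread. On the module side, ykcs11's C_Login for CKU_SO expects the SO "PIN" to be the hex-encoded 24-byte PIV management key (48 characters, PIV_MGM_KEY_LEN in the thread) and otherwise returns CKR_ARGUMENTS_BAD; on the client side, p11tool caps PINs at GNUTLS_PKCS11_MAX_PIN_LEN = 32 before it ever calls the module. The `TokenInfo` class is a constructed stand-in for the ulMinPinLen/ulMaxPinLen fields of CK_TOKEN_INFO; the result strings are illustrative labels, not values from any library. The example shows why the same default management key logs in when the client trusts the token-reported maximum and is rejected when the client hard-codes its own.

```python
from dataclasses import dataclass
from typing import Optional

# Values taken from the issue thread: ykcs11 compares the SO PIN length against
# PIV_MGM_KEY_LEN (48 hex characters = 24 raw bytes, a 3DES key), and p11tool
# hard-codes GNUTLS_PKCS11_MAX_PIN_LEN = 32.
PIV_MGM_KEY_LEN = 48
GNUTLS_PKCS11_MAX_PIN_LEN = 32
# Default PIV management key as stated in the thread (hex-encoded).
DEFAULT_MGM_KEY_HEX = "010203040506070801020304050607080102030405060708"


@dataclass
class TokenInfo:
    """Constructed stand-in for the PIN-length fields of CK_TOKEN_INFO."""
    label: str
    min_pin_len: int  # ulMinPinLen as the module would report it
    max_pin_len: int  # ulMaxPinLen as the module would report it


def decode_mgm_key(so_pin: str) -> bytes:
    """Mirror the module-side expectation for an SO login: the SO PIN is the
    hex encoding of the 24-byte management key. Raise ValueError otherwise."""
    if len(so_pin) != PIV_MGM_KEY_LEN:
        raise ValueError(
            f"SO PIN must be {PIV_MGM_KEY_LEN} hex characters, got {len(so_pin)}"
        )
    try:
        return bytes.fromhex(so_pin)
    except ValueError as exc:
        raise ValueError("SO PIN must be hex-encoded") from exc


def client_accepts_pin(pin: str, limit: int) -> bool:
    """A PKCS#11 client's pre-check before calling C_Login."""
    return len(pin) <= limit


def login_decision(pin: str, token: TokenInfo,
                   client_limit: Optional[int] = None) -> str:
    """Outcome of an SO login attempt (labels are illustrative, not library values).

    client_limit=None models a client that uses the token-reported ulMaxPinLen,
    which is the behaviour recommended in the thread; an explicit client_limit
    models a hard-coded cap such as p11tool's 32.
    """
    limit = token.max_pin_len if client_limit is None else client_limit
    if not client_accepts_pin(pin, limit):
        return "CLIENT_PIN_TOO_LONG"   # never reaches C_Login
    if not token.min_pin_len <= len(pin) <= token.max_pin_len:
        return "CKR_ARGUMENTS_BAD"     # what ykcs11's CKU_SO length check returns
    decode_mgm_key(pin)                # would raise on non-hex input
    return "CKR_OK"


if __name__ == "__main__":
    # A token that reports the management-key length correctly (constructed).
    tok = TokenInfo("YubiKey PIV", PIV_MGM_KEY_LEN, PIV_MGM_KEY_LEN)
    print("PUK as SO PIN:", login_decision("12345678", tok))
    print("mgm key, hard-coded 32 cap:",
          login_decision(DEFAULT_MGM_KEY_HEX, tok, GNUTLS_PKCS11_MAX_PIN_LEN))
    print("mgm key, token-reported cap:", login_decision(DEFAULT_MGM_KEY_HEX, tok))
```

The practical takeaway matches a-dma's advice: a client should size its PIN buffer from ulMaxPinLen in C_GetTokenInfo rather than a fixed constant, and a module should report that value correctly, otherwise a valid SO credential is rejected before the token ever sees it.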

hayashida-katsutoshi commented 4 years ago

For test purposes, I hardcoded a 48-letter SO PIN and I was able to log in to the device as SO. However, this revealed some facts.

We are using a 3rd party tool chain to implement a secure boot system for our products. Since we don't have time to investigate the inside of the 3rd party tool, and we are not professionals in cryptography, we need to use an HSM token fully compatible with PKCS#11, and I concluded that YubiKey and ykcs11 are not ready for PKCS#11. We will purchase other HSMs. I returned all the YubiKeys yesterday and I am no longer able to help with yubico-piv-tool.

However, thank you for your support.