Yubico / yubikey-manager-qt

Cross-platform application for configuring any YubiKey over all USB interfaces.
https://developers.yubico.com/yubikey-manager-qt/
BSD 2-Clause "Simplified" License

PIV certificate import fails in YubiKey Manager GUI, but succeeds via ykman CLI #302

Open kugelman opened 3 years ago

kugelman commented 3 years ago

Steps to reproduce

[Please explain what you did when the bug appeared, and if and how you have been able to reproduce it.]

Expected result

[What did you expect to happen when you did the above?] Certificate import succeeds and is displayed in YubiKey Manager GUI under authentication slot 9a.

Actual results and logs

[What actually happened?] Receive error in GUI "Unknown error: Could not deserialize key data. The data may be in an incorrect format or it may be encrypted with an unsupported algorithm".

Meanwhile, I tried to do the same operation via CLI (`ykman piv certificates import 9a ~/Downloads/cert.pem`), and it succeeded. When I quit and restart YubiKey Manager the certificate appears in the GUI as expected.

Other info

[Anything else you would like to add?]

kugelman commented 3 years ago

Retried with `open YubiKey\ Manager.app --args --log-level debug --log-file ~/out.txt` and got this in the logs:


```
Traceback (most recent call last):
  File "/Applications/YubiKey Manager.app/Contents/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/ykman/util.py", line 110, in parse_private_key
    return serialization.load_pem_private_key(
  File "/Applications/YubiKey Manager.app/Contents/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/cryptography/hazmat/primitives/serialization/base.py", line 20, in load_pem_private_key
    return backend.load_pem_private_key(data, password)
  File "/Applications/YubiKey Manager.app/Contents/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1217, in load_pem_private_key
    return self._load_key(
  File "/Applications/YubiKey Manager.app/Contents/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1448, in _load_key
    self._handle_key_loading_error()
  File "/Applications/YubiKey Manager.app/Contents/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1490, in _handle_key_loading_error
    raise ValueError(
ValueError: Could not deserialize key data. The data may be in an incorrect format or it may be encrypted with an unsupported algorithm.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "qrc:///py/yubikey.py", line 68, in wrapped
    return f(*args, **kwargs)
  File "qrc:///py/yubikey.py", line 693, in piv_import_file
    private_key = parse_private_key(data, password)
  File "/Applications/YubiKey Manager.app/Contents/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/ykman/util.py", line 115, in parse_private_key
    raise InvalidPasswordError(e)
ykman.util.InvalidPasswordError: Could not deserialize key data. The data may be in an incorrect format or it may be encrypted with an unsupported algorithm.
```

fdennis commented 3 years ago

Hi, thanks for the report. We have a fix for this in the main branch; however, it has not been released yet. We are aiming to have the next release out in a month or two. In the meantime, the workaround is to use the CLI, as you have done already.

fdennis commented 2 years ago

@kugelman There is a new version out, 1.2.4. Could you check if that has solved this problem?