Yubico / yubikey-manager-qt

Cross-platform application for configuring any YubiKey over all USB interfaces.
https://developers.yubico.com/yubikey-manager-qt/
BSD 2-Clause "Simplified" License

PIV PFX File Import sitting idle - Never Prompts for Mgmt Password (POWERSHELL) #327

Closed RichardWrinkle closed 2 years ago

RichardWrinkle commented 2 years ago

When attempting to import a PFX file into a Yubikey 5/5c using ykman.exe through POWERSHELL, the command starts but sits idle and never continues the provisioning process. When using the GUI/Cmd.exe I can import just fine, but when trying to do it through cmd line/PowerShell it just hangs.

Steps to reproduce

1.) Create PFX file with password protection.
2.) Install Yubikey Manager.
3.) Add "C:\Program Files\Yubico\YubiKey Manager" as path variable.
4.) Open Powershell ISE.
5.) Run the following command syntax:

.\ykman.exe --log-level DEBUG piv certificates import -P "PIN Value" -p "PFX FIle Password" 9a "C:\.pfx"

[Please explain what you did when the bug appeared, and if and how you have been able to reproduce it.]

I have swapped out multiple Yubikeys to test. Occurs across all of them.

1.) I confirmed that I was able to successfully install the PFX with the provided password on both my local machine cert store as well as on the Yubikey itself through the GUI. Both were successful. When importing into the Yubikey this also confirmed the proper PIN.
2.) I also confirmed that the process was not being held up with a requirement to touch the metal leads. The Yubikey never blinks when the command is submitted. And I did press them when I ran the command just to test and nothing additional happened.

Expected result

I would expect that the command completes successfully and that the Key and certificate would be properly provisioned in the authentication slot 9a.

[What did you expect to happen when you did the above?] That the cert and key would be imported onto the Yubikey.

Actual results

The command hangs. It neither completes nor fails. Just sits in an idle state. (Also, it is not waiting on me to touch the metal leads as I do not see any blinking action indicator on the Yubikey.)

[What actually happened?] Nothing.

Other info

Powershell output when setting log level to Debug:

PS C:\Program Files\Yubico\YubiKey Manager> .\ykman.exe --log-level DEBUG piv certificates import -P "PIN Value" -p "PFX FIle Password" 9a "C:\.pfx"
.\ykman.exe : 2022-06-28T11:23:33-0700 INFO [ykman.logging_setup.setup:76] Initialized logging for level: DEBUG
At line:1 char:1

2022-06-28T11:23:33-0700 INFO [ykman.logging_setup.setup:77] Running ykman version: 4.0.7
2022-06-28T11:23:33-0700 DEBUG [ykman.logging_setup.log_sys_info:48] Python: 3.8.10 (tags/v3.8.10:3d8993a, May 3 2021, 11:48:03) [MSC v.1928 64 bit (AMD64)]
2022-06-28T11:23:33-0700 DEBUG [ykman.logging_setup.log_sys_info:49] Platform: win32
2022-06-28T11:23:33-0700 DEBUG [ykman.logging_setup.log_sys_info:50] Arch: AMD64
2022-06-28T11:23:33-0700 DEBUG [ykman.logging_setup.log_sys_info:52] Windows version: (10, 0, 17763)
2022-06-28T11:23:33-0700 DEBUG [ykman.logging_setup.log_sys_info:56] Running as admin: True
2022-06-28T11:23:34-0700 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00a4040008a000000527471117
2022-06-28T11:23:34-0700 DEBUG [ykman.pcsc.send_and_receive:120] RECV: 5669727475616c206d6772202d2046572076657273696f6e20352e312e32 SW=9000
2022-06-28T11:23:34-0700 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 001d000000
2022-06-28T11:23:35-0700 DEBUG [ykman.pcsc.send_and_receive:120] RECV: 2b0102023f0302023f020400a90de104010105030501020602000007010f0801000d02023b0e02023b0a0100 SW=9000
2022-06-28T11:23:35-0700 DEBUG [ykman.device.read_info:453] Read info: DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|OATH|PIV|OPENPGP|4|U2F|OTP: 575>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|OATH|PIV|OPENPGP|U2F|OTP: 571>}, auto_eject_timeout=0, challenge_response_timeout=15, device_flags=<DEVICE_FLAG.0: 0>), serial="", version=Version(major=5, minor=1, patch=2), form_factor=<FORM_FACTOR.USB_A_KEYCHAIN: 1>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|OATH|PIV|OPENPGP|4|U2F|OTP: 575>, <TRANSPORT.NFC: 'nfc'>: <CAPABILITY.FIDO2|OATH|PIV|OPENPGP|U2F|OTP: 571>}, is_locked=False, is_fips=False, is_sky=False)
2022-06-28T11:23:35-0700 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00a4040005a000000308
2022-06-28T11:23:35-0700 DEBUG [ykman.pcsc.send_and_receive:120] RECV: 61114f0600001000010079074f05a000000308 SW=9000
2022-06-28T11:23:35-0700 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00fd000000
2022-06-28T11:23:35-0700 DEBUG [ykman.pcsc.send_and_receive:120] RECV: 050102 SW=9000
2022-06-28T11:23:35-0700 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00cb3fff0000055c035fff00
2022-06-28T11:23:35-0700 DEBUG [ykman.pcsc.send_and_receive:120] RECV: SW=6a82

[Anything else you would like to add?] Using CMD line I am prompted for management key:

2022-06-28T11:55:56-0700 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00a4040005a000000308
2022-06-28T11:55:57-0700 DEBUG [ykman.pcsc.send_and_receive:120] RECV: 61114f0600001000010079074f05a000000308 SW=9000
2022-06-28T11:55:57-0700 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00fd000000
2022-06-28T11:55:57-0700 DEBUG [ykman.pcsc.send_and_receive:120] RECV: 050207 SW=9000
2022-06-28T11:55:57-0700 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00cb3fff0000055c035fff00
2022-06-28T11:55:57-0700 DEBUG [ykman.pcsc.send_and_receive:120] RECV: SW=6a82
Enter a management key [blank to use default key]:

Is there a flag we can set to do this by default w/o requiring manual interaction?

RichardWrinkle commented 2 years ago

I guess my question is: is there a value we can set for -m "MGMT Key" that tells it to use the default value? It isn't very clear in the documentation or -h output.

RichardWrinkle commented 2 years ago

Output when I try and add -m flag. Need to understand how to set to default.

.\ykman.exe : 2022-06-28T12:15:42-0700 INFO [ykman.logging_setup.setup:76] Initialized logging for level: DEBUG
At line:1 char:1

2022-06-28T12:15:42-0700 INFO [ykman.logging_setup.setup:77] Running ykman version: 4.0.7
2022-06-28T12:15:42-0700 DEBUG [ykman.logging_setup.log_sys_info:48] Python: 3.8.10 (tags/v3.8.10:3d8993a, May 3 2021, 11:48:03) [MSC v.1928 64 bit (AMD64)]
2022-06-28T12:15:42-0700 DEBUG [ykman.logging_setup.log_sys_info:49] Platform: win32
2022-06-28T12:15:42-0700 DEBUG [ykman.logging_setup.log_sys_info:50] Arch: AMD64
2022-06-28T12:15:42-0700 DEBUG [ykman.logging_setup.log_sys_info:52] Windows version: (10, 0, 17763)
2022-06-28T12:15:42-0700 DEBUG [ykman.logging_setup.log_sys_info:56] Running as admin: True
Usage: ykman.exe piv certificates import [OPTIONS] SLOT CERTIFICATE
Try 'ykman.exe piv certificates import -h' for help.
Error: Invalid value for "management_key":

fdennis commented 2 years ago

Hi, As you have correctly pointed out, you need to input the management key. The default one can, for example, be found here https://developers.yubico.com/PIV/Introduction/YubiKey_and_PIV.html and is 010203040506070801020304050607080102030405060708

RichardWrinkle commented 2 years ago

Thank you. Once this was passed the command took successfully.
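Added example, not part of the thread or of ykman: a small Python decoder for the `SEND`/`RECV` debug lines quoted in the first comment. It shows that the last exchange before the PowerShell hang is a GET DATA for object `5fff00` answered with `6a82`, the same exchange that precedes the management-key prompt in the cmd.exe log. The instruction, AID, object and status-word labels in the lookup tables are annotations supplied for this example.

```python
import re

# PIV part of the PowerShell debug log quoted in the issue, copied as sample input.
LOG = """\
2022-06-28T11:23:35-0700 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00a4040005a000000308
2022-06-28T11:23:35-0700 DEBUG [ykman.pcsc.send_and_receive:120] RECV: 61114f0600001000010079074f05a000000308 SW=9000
2022-06-28T11:23:35-0700 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00fd000000
2022-06-28T11:23:35-0700 DEBUG [ykman.pcsc.send_and_receive:120] RECV: 050102 SW=9000
2022-06-28T11:23:35-0700 DEBUG [ykman.pcsc.send_and_receive:118] SEND: 00cb3fff0000055c035fff00
2022-06-28T11:23:35-0700 DEBUG [ykman.pcsc.send_and_receive:120] RECV: SW=6a82
"""

# Annotations supplied for this example; they cover only what the issue's logs contain.
INS = {0xA4: "SELECT", 0xCB: "GET DATA", 0xFD: "GET VERSION", 0x1D: "READ CONFIG"}
AIDS = {"a000000308": "PIV applet", "a000000527471117": "YubiKey management applet"}
OBJECTS = {"5fff00": "ykman metadata object 5fff00"}
SW = {"9000": "success", "6a82": "not found", "6982": "security status not satisfied"}

def apdu_data(apdu):
    # Return the command data field, handling short and extended Lc encodings.
    body = apdu[4:]
    if len(body) <= 1:                    # no data, at most a single Le byte
        return b""
    if body[0] == 0 and len(body) >= 3:   # extended length: 00 Lc_hi Lc_lo
        lc = int.from_bytes(body[1:3], "big")
        return body[3:3 + lc]
    return body[1:1 + body[0]]            # short length: one Lc byte

def describe(apdu_hex, sw):
    apdu = bytes.fromhex(apdu_hex)
    data, target = apdu_data(apdu), ""
    if apdu[1] == 0xA4:                   # SELECT: data is the AID
        target = AIDS.get(data.hex(), data.hex())
    elif apdu[1] == 0xCB and data[:1] == b"\x5c":  # GET DATA: TLV 5c <len> <object id>
        oid = data[2:2 + data[1]].hex()
        target = OBJECTS.get(oid, oid)
    return INS.get(apdu[1], f"INS {apdu[1]:02x}"), target, SW.get(sw, sw)

def exchanges(log):
    sends = re.findall(r"SEND: ([0-9a-f]+)", log)
    statuses = re.findall(r"RECV:.*?SW=([0-9a-f]{4})", log)
    return [describe(s, sw) for s, sw in zip(sends, statuses)]

def stalled_after(log):
    # Last completed exchange: the point to inspect when the CLI goes silent.
    return exchanges(log)[-1]

if __name__ == "__main__":
    for ins, target, status in exchanges(LOG):
        print(f"{ins:12} {target:30} -> {status}")
```

When a provisioning script stalls with no further APDUs logged after an exchange like this, the process is waiting on console input rather than on the token, which is why passing `-m` let the import complete.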