Yubico / yubikey-manager-qt

Cross-platform application for configuring any YubiKey over all USB interfaces.
https://developers.yubico.com/yubikey-manager-qt/
BSD 2-Clause "Simplified" License
237 stars, 29 forks

ykman piv import keys not importing #339

Closed im-richard closed 1 year ago

im-richard commented 1 year ago

Unable to import keys using ykman piv keys import --touch-policy ALWAYS 9e "file.pfx". If I load up YubiKey Manager -> PIV -> Select slot 9E, I can manually import it using YubiKey Manager and it works fine. However, I cannot modify the touch / PIN policy that way.

Steps to reproduce

Simply import any pfx file into any slot in the PIV module. After running piv keys import, it will ask the normal questions such as:

Enter password to decrypt key:
Enter a management key [blank to use default key]:

No errors appear after that point; it goes back to the command prompt like it should. But when opening YubiKey Manager, there's nothing in there.

Expected result

Normally it imports your keys into the desired slot.

Actual results

Does nothing. No key imported.

Other info

I've used these same exact keys before and they imported fine. I even started doing dumb tests like using a bad password to see if it was even reading the file, and it appears to be.

screenshot

im-richard commented 1 year ago

For some reason, I can't edit my original message. The formatting is messed up. I finally got some debugs to print in Powershell:

DEBUG 17:04:56.208 [ykman.device.add:173] Resolved device 22927029
DEBUG 17:04:56.253 [yubikit.core.smartcard.enable_touch_workaround:150] Touch workaround enabled=False
DEBUG 17:04:56.253 [yubikit.piv.__init__:446] PIV session initialized (version=5.4.3)
DEBUG 17:04:56.254 [ykman.piv.get_pivman_data:241] Reading pivman data
DEBUG 17:04:56.257 [yubikit.piv.get_object:680] Reading data from object slot 0x5fff00
DEBUG 17:04:56.258 [ykman.piv.get_pivman_data:247] No data, initializing blank
DEBUG 17:04:56.259 [ykman._cli.piv.import_key:612] Error parsing key
Traceback (most recent call last):
  File "C:\Program Files\Yubico\YubiKey Manager\pymodules\ykman\_cli\piv.py", line 610, in import_key
    private_key = parse_private_key(data, password)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Yubico\YubiKey Manager\pymodules\ykman\util.py", line 69, in parse_private_key
    raise InvalidPasswordError("No password provided for encrypted key.")
ykman.util.InvalidPasswordError: No password provided for encrypted key.
DEBUG 17:04:56.260 [ykman._cli.util.click_prompt:219] Input requested (Enter password to decrypt key)
DEBUG 17:04:56.262 [ykman._cli.util.click_prompt:228] Using interactive prompt...
Enter password to decrypt key:
DEBUG 17:05:25.838 [ykman._cli.util.click_prompt:219] Input requested (Enter a management key [blank to use default key])
DEBUG 17:05:25.838 [ykman._cli.util.click_prompt:228] Using interactive prompt...
Enter a management key [blank to use default key]:
DEBUG 17:05:28.177 [yubikit.piv.get_management_key_metadata:604] Getting management key metadata
DEBUG 17:05:28.181 [yubikit.piv.authenticate:487] Authenticating with key type: 3
DEBUG 17:05:28.184 [yubikit.piv.put_key:778] Importing key with pin_policy=0, touch_policy=0
INFO 17:05:28.368 [yubikit.piv.put_key:782] Private key imported in slot 156 of type 7

I also ran this code because I saw in another git issue where you requested this:

PS C:\d> openssl asn1parse -inform der -in .\piv_name_9d_priv.pfx
    0:d=0  hl=4 l=3455 cons: SEQUENCE
    4:d=1  hl=2 l=   1 prim: INTEGER           :03
    7:d=1  hl=4 l=3381 cons: SEQUENCE
   11:d=2  hl=2 l=   9 prim: OBJECT            :pkcs7-data
   22:d=2  hl=4 l=3366 cons: cont [ 0 ]
   26:d=3  hl=4 l=3362 prim: OCTET STRING      [HEX DUMP]:...
 3392:d=1  hl=2 l=  65 cons: SEQUENCE
 3394:d=2  hl=2 l=  49 cons: SEQUENCE
 3396:d=3  hl=2 l=  13 cons: SEQUENCE
 3398:d=4  hl=2 l=   9 prim: OBJECT            :sha256
 3409:d=4  hl=2 l=   0 prim: NULL
 3411:d=3  hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:B8FD1756577640768C677A320F6B6A7558195455354E64B64A085F4BFF5059B3
 3445:d=2  hl=2 l=   8 prim: OCTET STRING      [HEX DUMP]:9A9A7D73124F49C6
 3455:d=2  hl=2 l=   2 prim: INTEGER           :0800

From everything I'm seeing, this apparently thinks it imported too.

Edit: I'm going to chalk this up to a system issue. I did this on another machine and even verified using a third-party source such as Kleopatra to check if the certificates were imported, and they are, so I just went ahead and did the import on the keys.

I'll test the certs/keys out and see if the touch / pin policies actually work.

dainnilsson commented 1 year ago

Glad to hear that it's now working, here's what I think caused this:

In PIV, each slot can hold both a key and a certificate, and they are separate from each other (though the most common use-case is to have matching pairs).

In the YubiKey Manager GUI when you import from a PFX file that contains both a key and a certificate, both of those objects are imported into the YubiKey.

The CLI, however, uses more explicit actions where you have to import the two objects independently, using ykman piv keys import and ykman piv certificates import. My guess is that you imported the key only, and not the certificate.