Closed im-richard closed 1 year ago
For some reason, I can't edit my original message. The formatting is messed up. I finally got some debugs to print in PowerShell:

```text
DEBUG 17:04:56.208 [ykman.device.add:173] Resolved device 22927029
DEBUG 17:04:56.253 [yubikit.core.smartcard.enable_touch_workaround:150] Touch workaround enabled=False
DEBUG 17:04:56.253 [yubikit.piv.__init__:446] PIV session initialized (version=5.4.3)
DEBUG 17:04:56.254 [ykman.piv.get_pivman_data:241] Reading pivman data
DEBUG 17:04:56.257 [yubikit.piv.get_object:680] Reading data from object slot 0x5fff00
DEBUG 17:04:56.258 [ykman.piv.get_pivman_data:247] No data, initializing blank
DEBUG 17:04:56.259 [ykman._cli.piv.import_key:612] Error parsing key
Traceback (most recent call last):
  File "C:\Program Files\Yubico\YubiKey Manager\pymodules\ykman\_cli\piv.py", line 610, in import_key
    private_key = parse_private_key(data, password)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Yubico\YubiKey Manager\pymodules\ykman\util.py", line 69, in parse_private_key
    raise InvalidPasswordError("No password provided for encrypted key.")
ykman.util.InvalidPasswordError: No password provided for encrypted key.
DEBUG 17:04:56.260 [ykman._cli.util.click_prompt:219] Input requested (Enter password to decrypt key)
DEBUG 17:04:56.262 [ykman._cli.util.click_prompt:228] Using interactive prompt...
Enter password to decrypt key:
DEBUG 17:05:25.838 [ykman._cli.util.click_prompt:219] Input requested (Enter a management key [blank to use default key])
DEBUG 17:05:25.838 [ykman._cli.util.click_prompt:228] Using interactive prompt...
Enter a management key [blank to use default key]:
DEBUG 17:05:28.177 [yubikit.piv.get_management_key_metadata:604] Getting management key metadata
DEBUG 17:05:28.181 [yubikit.piv.authenticate:487] Authenticating with key type: 3
DEBUG 17:05:28.184 [yubikit.piv.put_key:778] Importing key with pin_policy=0, touch_policy=0
INFO 17:05:28.368 [yubikit.piv.put_key:782] Private key imported in slot 156 of type 7
```
I also ran this code because I saw in another git issue where you requested this:

```text
PS C:\d> openssl asn1parse -inform der -in .\piv_name_9d_priv.pfx
    0:d=0  hl=4 l=3455 cons: SEQUENCE
    4:d=1  hl=2 l=   1 prim: INTEGER           :03
    7:d=1  hl=4 l=3381 cons: SEQUENCE
   11:d=2  hl=2 l=   9 prim: OBJECT            :pkcs7-data
   22:d=2  hl=4 l=3366 cons: cont [ 0 ]
   26:d=3  hl=4 l=3362 prim: OCTET STRING      [HEX DUMP]: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
 3392:d=1  hl=2 l=  65 cons: SEQUENCE
 3394:d=2  hl=2 l=  49 cons: SEQUENCE
 3396:d=3  hl=2 l=  13 cons: SEQUENCE
 3398:d=4  hl=2 l=   9 prim: OBJECT            :sha256
 3409:d=4  hl=2 l=   0 prim: NULL
 3411:d=3  hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:B8FD1756577640768C677A320F6B6A7558195455354E64B64A085F4BFF5059B3
 3445:d=2  hl=2 l=   8 prim: OCTET STRING      [HEX DUMP]:9A9A7D73124F49C6
 3455:d=2  hl=2 l=   2 prim: INTEGER           :0800
```
From everything I'm seeing, this apparently thinks it imported too.
Edit: I'm going to chalk this up to a system issue. I did this on another machine and even verified using a third party source such as Kleopatra to check if the certificates were imported and they are, so I just went ahead and did the import on the keys.
I'll test the certs/keys out and see if the touch / pin policies actually work.
Glad to hear that it's now working, here's what I think caused this:
In PIV, each slot can hold both a key and a certificate, and they are separate from each other (though the most common use-case is to have matching pairs).
In the YubiKey Manager GUI when you import from a PFX file that contains both a key and a certificate, both of those objects are imported into the YubiKey.
The CLI, however, uses more explicit actions where you have to import the two objects independently, using `ykman piv keys import` and `ykman piv certificates import`. My guess is that you imported the key only, and not the certificate.
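The two-step CLI procedure described above, with a verification step, as an added PowerShell example (not code from the issue or from the ykman project). It assumes slot 9e, touch policy ALWAYS and the file name from the issue, and that `ykman piv info` labels populated slots as `Slot 9E`:

```powershell
# Added example (not from the issue or the ykman project): import the key AND the
# certificate from one PFX into the same PIV slot, then verify the slot contents.
# Assumed values: slot 9e, touch policy ALWAYS, and the PFX file named in the issue.
$Slot  = '9e'
$Pfx   = '.\piv_name_9d_priv.pfx'
$Touch = 'ALWAYS'

if (-not (Test-Path -LiteralPath $Pfx)) {
    throw "PFX file not found: $Pfx"
}

# Step 1: the private key. PIN/touch policies belong to the key, so they are set here.
# No --password on the command line: ykman prompts for the PFX password and the
# management key, so neither secret lands in shell history or process listings.
ykman piv keys import --touch-policy $Touch $Slot $Pfx
if ($LASTEXITCODE -ne 0) { throw "key import into slot $Slot failed (exit $LASTEXITCODE)" }

# Step 2: the certificate from the same PFX. Without this step the slot holds a key
# but no certificate, which is why the Manager GUI showed the slot as empty.
ykman piv certificates import $Slot $Pfx
if ($LASTEXITCODE -ne 0) { throw "certificate import into slot $Slot failed (exit $LASTEXITCODE)" }

# Step 3: verify. 'ykman piv info' lists every populated slot with its certificate.
# Assumption: the slot appears as "Slot 9E ..." (Select-String is case-insensitive).
$info = ykman piv info
if ($LASTEXITCODE -ne 0) { throw "ykman piv info failed (exit $LASTEXITCODE)" }
if (-not ($info | Select-String -SimpleMatch -Pattern "Slot $Slot")) {
    throw "slot $Slot does not appear in 'ykman piv info' output"
}
$info
```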
Unable to import keys using `ykman piv keys import --touch-policy ALWAYS 9e "file.pfx"`

If I load up YubiKey Manager -> PIV -> Select slot 9E, I can manually import it using YubiKey Manager and it works fine. However, I cannot modify the touch / pin policy that way.

Steps to reproduce
Simply import any pfx file into any slot in the PIV module. After running piv keys import, it will ask the normal questions such as:
No errors appear after that point, it goes back to command prompt like it should. But when opening the Yubikey Manager, there's nothing in there.
Expected result
Normally it imports your keys into the desired slot.
Actual results
Does nothing. No key imported.
Other info
I've used these same exact keys before and they imported fine. I even started doing dumb tests like using a bad password to see if it was even reading the file, and it appears to be.