Yubico / yubikey-manager

Python library and command line tool for configuring any YubiKey over all USB interfaces.
https://developers.yubico.com/yubikey-manager/
BSD 2-Clause "Simplified" License

import-certificate -v fails to verify the key #326

Closed erikvanzijst closed 4 years ago

erikvanzijst commented 4 years ago
# ykman --version
YubiKey Manager (ykman) version: 3.1.1
Libraries:
    libykpers 1.20.0
    libusb 1.0.21
# ykman list
YubiKey 5 Nano [OTP+FIDO+CCID] Serial: 11108858
# ykman piv info
PIV version: 5.2.4
PIN tries remaining: 3
Management key is stored on the YubiKey, protected by PIN.
CHUID:  3019d4e739da739ced39ce739d836858210842108421c84210c3eb3410f1b299724e4ab3b9d8afd7200958c7f7350832303330303130313e00fe00
CCC:    f015a000000116ff023f4a7d27b270665ecb841a239150f10121f20121f300f40100f50110f600f700fa00fb00fc00fd00fe00
# ykman --version
YubiKey Manager (ykman) version: 3.1.1
Libraries:
    libykpers 1.20.0
    libusb 1.0.21
add-apt-repository -y ppa:yubico/stable && apt install yubikey-manager
Ubuntu 18.04.3 LTS
YubiKey 5 Nano [OTP+FIDO+CCID] Serial: 11108858

When I try to import a signed client certificate for PIV mode, ykman import-certificate -v says the certificate does not match the private key that was used to generate the original CSR.

# ykman piv generate-key --pin 123456 -a RSA2048 --pin-policy NEVER --touch-policy NEVER -F PEM 9a pub.pem
# ykman piv generate-csr --pin 123456 -s erik 9a pub.pem csr.pem
# cat csr.pem
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

At this point I have the cert signed as cert.pem

# ykman piv import-certificate -v 9a cert.pem 
Enter PIN: 
Usage: ykman piv import-certificate [OPTIONS] SLOT CERTIFICATE

Error: This certificate is not tied to the private key in the AUTHENTICATION slot.

Steps to reproduce

See the steps and commands above.

I also tried generating the private key myself, outside the Yubikey using openssl and then importing the key, followed by import-certificate, but that gave the same result.

Expected result

I would expect ykman piv import-certificate -v to not claim that the cert.pem does not match the private key in slot 9a.

erikvanzijst commented 4 years ago

FWIW, the signed certificate:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

dagheyman commented 4 years ago

Thanks for the detailed report!

I'm not able to easily reproduce it:

$ ykman piv generate-key --pin 123456 -a RSA2048 --pin-policy NEVER --touch-policy NEVER -F PEM 9a pub.pem
$ ykman piv generate-csr --pin 123456 -s erik 9a pub.pem csr.pem

Then used this site for getting a cert from the CSR.

$ ykman piv import-certificate -v 9a ~/Desktop/erik-2020-03-18-233700.pem 
$ ykman piv info
PIV version: 5.2.4
PIN tries remaining: 3
CHUID:  3019d4e739da739ced39ce739d836858210842108421c84210c3eb341079dd112a333c9b65575c5fd8a972714b350832303330303130313e00fe00
CCC:    No data available.
Slot 9a:
        Algorithm:      RSA2048
        Subject DN:     CN=erik
        Issuer DN:      C=US,ST=Washington,L=Seattle,O=getaCert - www.getacert.com
        Serial:         2184
        Fingerprint:    3098a69fd2494817ef79a1d4747f82dfc539be0d775b270f94f1a2cf3930dc47
        Not before:     2020-03-19 06:37:01
        Not after:      2020-05-18 06:37:01

However, looking at the code, I suspect the error message might be wrong, or at least assuming too much.

Could you try again with debug logging enabled to see if it gives any clues?

$ ykman --log-level DEBUG piv import-certificate -v 9a cert.pem

erikvanzijst commented 4 years ago

I think it's simpler than that. The client certificate is signed by the certificate provider, not by us. It should match their private key instead.

Please ignore my ignorance while I go sit in a corner :-/

dagheyman commented 4 years ago

No worries, closing this then.