alonbl / gnupg-pkcs11-scd

PKCS#11 GnuPG SCD
http://gnupg-pkcs11.sourceforge.net/

Yubikey - Multiple PIV Certs encryption/signing issue #37

Closed FStelzer closed 2 years ago

FStelzer commented 2 years ago

Hi, I'm using gpgme with gnupg-pkcs11-scd & a pkcs11 lib for a yubikey5 (does not matter if I use the opensc lib, libykcs11 or p11-kit) to sign & encrypt email. My Yubikey contains a standard set of PIV certificates. For PIV it is common to have 3 separate certs/keys, one each for Authentication, Digital Signature and Encryption. The key usage in these is set correctly for each one, and those keys can have different PIN policies.

I am able to sign emails with the correct key when I configure: provider-p1-private-mask 1. However, I can then not encrypt/decrypt at all.

When I configure provider-p1-private-mask 4 I can successfully encrypt/decrypt but no longer sign anything :/

If I do not set the private-mask at all, or set it to 0, then I can do neither. I looked through the code but only found that the private-mask is passed on to the pkcs11 provider. Any ideas?

alonbl commented 2 years ago

Hi, Can you please check the https://github.com/alonbl/pkcs11-helper/tree/always-auth with the https://github.com/alonbl/gnupg-pkcs11-scd/tree/pincache branch? It should solve the yubikey issue. Thanks,

FStelzer commented 2 years ago

Hi, I've tested the pincache branch. My use-case works just as well with it. Signing & encryption work as expected. I tried configuring pin cache in the gnupg-pkcs11-scd.conf (both pin-cache & use-gnupg-pin-cache) but it only works for a few seconds (which is what my yubikey hardware is configured to and what I actually want to happen). So I'm not sure what behaviour is expected here.

Regarding the pkcs11-helper, I'm not sure how to test this (I'd be happy to help if I can). I'm not using opensc, but p11-kit-proxy with the libykcs11 module from yubico directly.

Thanks.

alonbl commented 2 years ago

Hi @FStelzer,

Thank you for testing.

The pin-cache is used to enforce the insecure gnupg pin cache using gpg-preset-passphrase[1]; unless you use this utility to avoid the passphrase prompt, you should not use it.

The question is how yubikey actually works for you if you do not use the pkcs11-helper always-auth branch... I have added support for context specific login as required by the yubikey PIV PKCS#11 driver[2]. As far as I know it should not work for you, as it enforces CONTEXT_SPECIFIC, unless you have done something special. Maybe p11-kit is the one that is doing something strange... why do you use it?

Please notice that although pkcs11-helper is maintained within the opensc project, it has nothing to do with the opensc drivers; it interacts with pure PKCS#11 modules and is the access layer of gnupg-pkcs11-scd.

If you can test a configuration without p11-kit using the https://github.com/alonbl/pkcs11-helper/tree/always-auth with the https://github.com/alonbl/gnupg-pkcs11-scd/tree/pincache it would be great. Please remove pkcs11-helper from your system when building the solution, you may install all into your home directory using:

# build pkcs11-helper (always-auth branch) into a private prefix
cd pkcs11-helper-*
./configure --prefix="${HOME}/root1"
make install
cd ..
# build gnupg-pkcs11-scd (pincache branch) against that pkcs11-helper;
# pkg-config looks for .pc files in the directories listed in PKG_CONFIG_PATH,
# and pkcs11-helper installs its .pc file under ${prefix}/lib/pkgconfig
cd gnupg-pkcs11-scd-*
PKG_CONFIG_PATH="${HOME}/root1/lib/pkgconfig" ./configure --prefix="${HOME}/root1"
make install

Just remember to export LD_LIBRARY_PATH="${HOME}/root1/lib"

Thanks,

[1] https://www.gnupg.org/documentation/manuals/gnupg/gpg_002dpreset_002dpassphrase.html
[2] https://developers.yubico.com/yubico-piv-tool/YKCS11/
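The build above only proves the point if the resulting scd really loads the private pkcs11-helper and not the distribution copy. The following check is an added example, not part of the thread or of either project; it assumes the prefix ${HOME}/root1 and the binary name gnupg-pkcs11-scd from the instructions above, and it inspects ldd output so the decision logic can also be exercised on captured text.

```shell
#!/bin/sh
# Added example: verify that gnupg-pkcs11-scd built into a private prefix
# resolves libpkcs11-helper from that prefix (assumption: prefix ${HOME}/root1
# and binary ${PREFIX}/bin/gnupg-pkcs11-scd, as in the thread).

# helper_resolves_from_prefix PREFIX LDD_OUTPUT
# Returns 0 when every libpkcs11-helper line in LDD_OUTPUT resolves under
# PREFIX; returns 1 when it is missing, "not found", or resolved from
# elsewhere (e.g. the system /usr/lib64 copy that was supposed to be removed).
helper_resolves_from_prefix() {
    prefix=$1
    ldd_out=$2
    lines=$(printf '%s\n' "$ldd_out" | grep 'libpkcs11-helper')
    [ -n "$lines" ] || return 1
    # the while loop runs in a subshell; exit 1 there becomes the pipeline's
    # (and therefore the function's) return status
    printf '%s\n' "$lines" | while IFS= read -r line; do
        case $line in
            *"=> $prefix/"*) ;;
            *) exit 1 ;;
        esac
    done
}

# check_build [PREFIX]
# Runs ldd on the installed scd with LD_LIBRARY_PATH pointing at the private
# lib dir, exactly as the author says it must be exported at run time.
check_build() {
    prefix=${1:-$HOME/root1}
    bin=$prefix/bin/gnupg-pkcs11-scd
    [ -x "$bin" ] || { echo "no scd binary at $bin" >&2; return 2; }
    out=$(LD_LIBRARY_PATH=$prefix/lib ldd "$bin")
    if helper_resolves_from_prefix "$prefix" "$out"; then
        echo "ok: libpkcs11-helper resolves under $prefix"
    else
        echo "problem: libpkcs11-helper missing or resolved outside $prefix" >&2
        printf '%s\n' "$out" | grep 'libpkcs11-helper' >&2
        return 1
    fi
}
```

Run check_build after make install; a non-zero exit means the test results would be about the system pkcs11-helper, not the always-auth branch.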

FStelzer commented 2 years ago

In my initial setup I did on Fedora 34 (gpg-2.2) I had the issue described here initially. I could only sign or encrypt stuff when setting the private-mask flag to the corresponding operation. This worked both with p11-kit and with libykcs11 directly.

On Fedora 35 (gpg-2.3) with your patch both work just fine, with p11-kit and also with libykcs11 directly. I had some issues using opensc-pkcs11 in the past so I did not try it this time. I am using a Yubikey with 3 PIV certs for multiple use cases.

Since not all of these tools seem to use a shared connection to the yubikey (I had issues in the past when thunderbird would block the key from other use until restarted) I configured all of them to use the p11-kit-proxy module, which as far as I understand uses a shared connection to the key but can simulate both types with the applications. Since then I never had to reset anything or reinsert the key.

I can try the libykcs11 (without p11-kit) with the system pkcs11-helper and with the version from your branch tomorrow.

Thanks

alonbl commented 2 years ago

Thanks for the description.

You are correct that the mozilla suite once locked the session so other applications were blocked; this was invalid behavior of this particular application. I was sure that thunderbird is not maintained anymore...

FStelzer commented 2 years ago

OK, I tried directly configuring libykcs11.so in the pincache scd build (with the OS pkcs11-helper from Fedora 35) and signing & encryption also work just fine (I only have to enter my PIN once). When I build scd with the always-auth branch of pkcs11-helper then everything works just as well. However, I get prompted for the PIN twice and the PIN prompt showing the token to use has encodings in it (Yubico\x20\x28www....). Otherwise this is some pkcs11: model=, manufacturer= string. This, and that I need to enter the PIN twice, is the only difference I could find.

When using thunderbird to sign email directly I usually have to enter the PIN twice as well though. Not sure why...

I have 3 certs on my key. One with digital signature key usage that I use for signing emails. This key has a hardware PIN caching policy of "once", so I'll need to type my key every time I use it. The two other certs/keys are for encryption & authentication and have a short PIN cache policy (a few seconds I think).

I know that this whole pkcs11 token stuff is hard to debug and the logs could contain personal and even secret information. So I'm of course hesitant to share those... But if you are interested in specific sections of the scd log during some operation then let me know.

alonbl commented 2 years ago

The Yubikey PKCS#11 driver has a restriction on key usage; this is why you need to authenticate twice, once for using the token and then once for each key usage. This is why I do not understand how it works with the native pkcs11-helper, which should not have worked in this configuration.

Anyway, I am glad everything is working, I will perform additional tests before merging it.

alonbl commented 2 years ago

Should work with gnupg-pkcs11-scd-0.9.3