chris2511 / xca

X Certificate and Key management
http://xca.hohnstaedt.de

XCA cannot properly access a YubiHSM2 (login issues maybe) #531

Open rkuerbitz opened 6 months ago

rkuerbitz commented 6 months ago

I am trying to use XCA with a YubiHSM 2 to create certificates. However, XCA somehow cannot properly access the device via PKCS#11. I can successfully assign the PKCS#11 driver in Options.

Trying Token / Manage security token gives the error message "The token 'YubiHSM' did not contain any keys or certificates." I can, however, create a private key on the device with XCA and then have it in my XCA database.

When I want to create a certificate using this private key, I get the error message "Please insert card: Yubico (www.yubico.com) YubiHSM [YubiHSM] with serial: xxxx".

After clicking Cancel, the following message shows: "The following error occurred: Failed to find the key on the token".

The log file of the YubiHSM PKCS#11 driver shows the following error:

[P11 - ERR 11:41:59.204728] D:\a\yubihsm-shell\yubihsm-shell\yubihsm-shell-2.4.2\pkcs11\util_pkcs11.c:3856 (get_session): Session user not logged in

As XCA did not ask for my PIN, this seems to be the cause.

Could this be a bug in XCA? Any help would be appreciated.

chris2511 commented 6 months ago

Maybe related to https://github.com/chris2511/xca/issues/43#issuecomment-551197297

So, the solution would be to check if the key on token is CKA_ALWAYS_AUTHENTICATE, and do C_Login(CKU_CONTEXT_SPECIFIC,...)

Maybe I will find the time to look into it, soon.

rkuerbitz commented 6 months ago

Thanks for the hints. However, I did not succeed with either of them. Trying to create a key pair with pkcs11-tool using the --always-auth flag gives me this error: "error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)"

Regarding the opensc.conf options, I am unsure if the YubiHSM PKCS#11 driver even uses the pin_cache_ignore_user_consent = true; option.

So, I would really appreciate if you could look into it, as I am a bit lost right now.

chris2511 commented 6 months ago

Either the key pair hasn't been created completely (public and private key object); see: https://hohnstaedt.de/xca-doc/html/smartcard.html#key-management-on-the-token . Did you create the keys with XCA, or with another tool and then import them into XCA? Do you see the created keys when you select "Manage Security token"?

rkuerbitz commented 6 months ago

Hi, I contacted Yubico about this, and this is what they answered: "When we are testing the XCA tool it seems like it is not able to establish a session using the yubihsm_pkcs11 module. The reason is likely that the YubiHSM2 does not support the SO-PIN concept, as is stated in the YubiHSM2 PKCS#11 documentation, and it seems like all the interactions to sign in are using the SO PIN, rather than the regular PIN."

Could this help with addressing this issue within XCA?
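The two login paths discussed in this thread, the maintainer's suggestion above (check CKA_ALWAYS_AUTHENTICATE and do a C_Login with CKU_CONTEXT_SPECIFIC) and Yubico's explanation that the token has no SO PIN and must be logged into as the regular user, combined in one added example. This is not code from XCA or from Yubico. It assumes Linux or macOS (dlopen and the natural-alignment PKCS#11 structs; the Windows module in the log above would need the packed layout), takes the module path and PIN as command-line arguments, and declares the handful of PKCS#11 types and constants it needs (values from the PKCS#11 specification) rather than including pkcs11.h. The zero digest it signs is constructed input; names such as load_module, login_user, sign_with_key and mechanism_for_key_type are this example's own.

```c
/* Added example, not code from XCA or Yubico. Minimal PKCS#11 client that logs
 * in as the regular user (CKU_USER, never CKU_SO), lists private keys, and
 * signs with the first one, inserting the CKU_CONTEXT_SPECIFIC login between
 * C_SignInit and C_Sign when the key carries CKA_ALWAYS_AUTHENTICATE=TRUE.
 * Assumes Linux/macOS. Types and constants below are from the PKCS#11 spec.
 * Build: cc -o p11login p11login.c -ldl   Run: ./p11login <module.so> <pin> */
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV, CK_SLOT_ID, CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_FLAGS;
typedef CK_ULONG CK_USER_TYPE, CK_ATTRIBUTE_TYPE, CK_MECHANISM_TYPE, CK_KEY_TYPE;
typedef unsigned char CK_BBOOL, CK_BYTE, CK_UTF8CHAR;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
typedef struct { CK_MECHANISM_TYPE mechanism; void *pParameter; CK_ULONG ulParameterLen; } CK_MECHANISM;

enum { CKR_OK = 0, CKR_USER_ALREADY_LOGGED_IN = 0x100, CKR_USER_NOT_LOGGED_IN = 0x101,
       CKF_RW_SESSION = 0x02, CKF_SERIAL_SESSION = 0x04, CKU_USER = 1, CKU_CONTEXT_SPECIFIC = 2,
       CKO_PRIVATE_KEY = 3, CKK_RSA = 0, CKK_EC = 3, CKA_CLASS = 0x000, CKA_KEY_TYPE = 0x100,
       CKA_ALWAYS_AUTHENTICATE = 0x202, CKM_RSA_PKCS = 0x001, CKM_ECDSA = 0x1041 };

/* Subset of the PKCS#11 function list used here; field order matches NAMES. */
struct p11 {
    CK_RV (*Initialize)(void *);
    CK_RV (*Finalize)(void *);
    CK_RV (*GetSlotList)(CK_BBOOL, CK_SLOT_ID *, CK_ULONG *);
    CK_RV (*OpenSession)(CK_SLOT_ID, CK_FLAGS, void *, void *, CK_SESSION_HANDLE *);
    CK_RV (*Login)(CK_SESSION_HANDLE, CK_USER_TYPE, CK_UTF8CHAR *, CK_ULONG);
    CK_RV (*FindObjectsInit)(CK_SESSION_HANDLE, CK_ATTRIBUTE *, CK_ULONG);
    CK_RV (*FindObjects)(CK_SESSION_HANDLE, CK_OBJECT_HANDLE *, CK_ULONG, CK_ULONG *);
    CK_RV (*FindObjectsFinal)(CK_SESSION_HANDLE);
    CK_RV (*GetAttributeValue)(CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ATTRIBUTE *, CK_ULONG);
    CK_RV (*SignInit)(CK_SESSION_HANDLE, CK_MECHANISM *, CK_OBJECT_HANDLE);
    CK_RV (*Sign)(CK_SESSION_HANDLE, CK_BYTE *, CK_ULONG, CK_BYTE *, CK_ULONG *);
};
static const char *NAMES[] = { "C_Initialize", "C_Finalize", "C_GetSlotList", "C_OpenSession",
    "C_Login", "C_FindObjectsInit", "C_FindObjects", "C_FindObjectsFinal",
    "C_GetAttributeValue", "C_SignInit", "C_Sign" };

/* dlopen the module and resolve each C_* symbol into *f. Returns 0, or -1 if
 * the module cannot be opened (f is then not touched) or lacks a symbol. */
int load_module(const char *path, struct p11 *f)
{
    void *lib = dlopen(path, RTLD_NOW);
    if (!lib) return -1;
    void **slot = (void **)f;            /* struct p11 is just an array of pointers */
    for (size_t i = 0; i < sizeof NAMES / sizeof *NAMES; i++)
        if (!(slot[i] = dlsym(lib, NAMES[i]))) return -1;
    return 0;
}

/* Regular-user login. A token without an SO PIN (the YubiHSM 2, per Yubico's
 * reply above) cannot be entered with CKU_SO, so CKU_USER is what a client
 * should send; an already-open user session is not treated as an error. */
CK_RV login_user(const struct p11 *f, CK_SESSION_HANDLE s, const char *pin)
{
    CK_RV rv = f->Login(s, CKU_USER, (CK_UTF8CHAR *)pin, strlen(pin));
    return rv == CKR_USER_ALREADY_LOGGED_IN ? CKR_OK : rv;
}

/* Raw signing mechanism for the key type, or 0 if not handled here. */
CK_MECHANISM_TYPE mechanism_for_key_type(CK_KEY_TYPE kt)
{
    return kt == CKK_RSA ? CKM_RSA_PKCS : kt == CKK_EC ? CKM_ECDSA : 0;
}

/* C_SignInit, then (only for CKA_ALWAYS_AUTHENTICATE keys) the context-specific
 * login the spec requires inside the operation, then C_Sign. Skipping that
 * login on such a key is one way to get CKR_USER_NOT_LOGGED_IN. */
CK_RV sign_with_key(const struct p11 *f, CK_SESSION_HANDLE s, CK_OBJECT_HANDLE key,
                    const char *pin, CK_BYTE *data, CK_ULONG len, CK_BYTE *sig, CK_ULONG *siglen)
{
    CK_KEY_TYPE kt = 0; CK_BBOOL always = 0;
    CK_ATTRIBUTE qk = { CKA_KEY_TYPE, &kt, sizeof kt };
    CK_ATTRIBUTE qa = { CKA_ALWAYS_AUTHENTICATE, &always, sizeof always };
    CK_RV rv = f->GetAttributeValue(s, key, &qk, 1);
    if (rv != CKR_OK) return rv;
    f->GetAttributeValue(s, key, &qa, 1);  /* modules lacking the attribute error out; keep FALSE */
    CK_MECHANISM m = { mechanism_for_key_type(kt), NULL, 0 };
    if ((rv = f->SignInit(s, &m, key)) != CKR_OK) return rv;
    if (always && (rv = f->Login(s, CKU_CONTEXT_SPECIFIC, (CK_UTF8CHAR *)pin, strlen(pin))) != CKR_OK)
        return rv;
    return f->Sign(s, data, len, sig, siglen);
}

int main(int argc, char **argv)
{
    struct p11 f; CK_SLOT_ID slots[8]; CK_ULONG nslots = 8, nkeys = 0; CK_SESSION_HANDLE s;
    CK_OBJECT_HANDLE keys[16]; CK_ULONG cls = CKO_PRIVATE_KEY;
    CK_ATTRIBUTE tmpl = { CKA_CLASS, &cls, sizeof cls };
    if (argc != 3) { fprintf(stderr, "usage: %s <pkcs11-module.so> <pin>\n", argv[0]); return 2; }
    if (load_module(argv[1], &f) != 0) { fprintf(stderr, "cannot load %s\n", argv[1]); return 1; }
    if (f.Initialize(NULL) != CKR_OK || f.GetSlotList(1, slots, &nslots) != CKR_OK || nslots == 0 ||
        f.OpenSession(slots[0], CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL, NULL, &s) != CKR_OK) return 1;
    CK_RV rv = login_user(&f, s, argv[2]);
    if (rv != CKR_OK) { fprintf(stderr, "C_Login(CKU_USER) failed: 0x%lx\n", rv); return 1; }
    f.FindObjectsInit(s, &tmpl, 1); f.FindObjects(s, keys, 16, &nkeys); f.FindObjectsFinal(s);
    printf("%lu private key(s) visible after CKU_USER login\n", nkeys);
    if (nkeys > 0) {
        CK_BYTE digest[32] = { 0 }, sig[512]; CK_ULONG siglen = sizeof sig;  /* constructed input */
        rv = sign_with_key(&f, s, keys[0], argv[2], digest, sizeof digest, sig, &siglen);
        printf("sign with first key: rv=0x%lx%s\n", rv,
               rv == CKR_USER_NOT_LOGGED_IN ? " (login missing or rejected)" : "");
    }
    f.Finalize(NULL);
    return 0;
}
```

Run against the yubihsm_pkcs11 module (configured as it would be for pkcs11-tool, with a PIN in the form Yubico documents for that module: the four-hex-digit authentication key ID followed by the password), the first printf is the quick check for the symptom in this thread: if the user login succeeds, the private keys are visible, whereas an SO login is refused before any object is listed. The always-authenticate branch is kept for tokens that do set the attribute; the reporter's CKR_ATTRIBUTE_TYPE_INVALID above indicates that the YubiHSM module does not, so on it the code takes the plain CKU_USER path.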

chris2511 commented 6 months ago

Added login option with 3457454e88150a823228e24cb7e14a154b610efe. Please try a build from https://github.com/chris2511/xca/actions/runs/8195398369

rkuerbitz commented 6 months ago

Dear Chris, thanks a lot for providing the additional login option so fast! I tested the build, but XCA just stalls and has to be force-closed after entering the PIN. I am attaching the PKCS#11 log for one XCA session, so if you could have a look at it, that would be great: yubiHSM.txt

chris2511 commented 6 months ago

Auto close with 3457454e88150a823228e24cb7e14a154b610efe was not correct.

rkuerbitz commented 4 months ago

Dear Chris, may I kindly ask if there are any news on this issue?