Open drew-512 opened 1 month ago
Thank you for reporting this issue. What is the version of the Yubikey firmware? Does it work better if you install the Yubico PIV Tool and use --storetype YUBIKEY instead of PIV?
Hi! I very much appreciate your assistance friend.
Looks like 5.4.2 (also see below).
I tried --storetype YUBIKEY but jsign is saying it failed:
sign/tools/jsign.cmd --replace --storetype YUBIKEY --storepass XXXXXX --alias 'X.509 Certificate for PIV Authentication' --tsaurl http://timestamp.sectigo.com dummy.exe
Adding Authenticode signature to dummy.exe
jsign: Couldn't sign dummy.exe
java.security.SignatureException: Signature verification failed, the private key doesn't match the certificate
at net.jsign.AuthenticodeSigner.verify(AuthenticodeSigner.java:498)
at net.jsign.AuthenticodeSigner.createSignedData(AuthenticodeSigner.java:382)
...
$ ./yubico-piv-tool -astatus
Version: 5.4.2
Serial Number: 16718214
CHUID: 3019d4e739da739ced39ce739d836858210842108421c84210c3eb341006b2bf1aa6befa10096ef486570ffc4b350832303330303130313e00fe00
CCC: No data available
Slot 9a:
Algorithm: ECCP384
Subject DN: serialNumber=3334581/jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization, C=US, ST=New York, O=SoundSpectrum, Inc., CN=SoundSpectrum, Inc.
Issuer DN: C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA EV E36
Fingerprint: e90f53e7e1d16400662590c2455346ab87e1e5a1bcd0a1d4e28e418a057e4155
Not Before: May 21 00:00:00 2024 GMT
Not After: May 21 23:59:59 2025 GMT
Slot 82:
Algorithm: RSA2048
Subject DN: C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
Issuer DN: C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
Fingerprint: d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef4
Not Before: Jan 1 00:00:00 2004 GMT
Not After: Dec 31 23:59:59 2028 GMT
Slot 83:
Algorithm: ECCP384
Subject DN: C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing Root E46
Issuer DN: C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
Fingerprint: db44cb073b747cb2addfada3b7a6bf855e0a278194be6dc28113ce97a7ed26bb
Not Before: Feb 28 00:00:00 2023 GMT
Not After: Dec 31 23:59:59 2028 GMT
Slot 84:
Algorithm: ECCP256
Subject DN: C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA EV E36
Issuer DN: C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing Root E46
Fingerprint: 9ecee96bda8eec6f28e40d78e0c2d58d57837827eaa23b43176f1c0be255b993
Not Before: Mar 22 00:00:00 2021 GMT
Not After: Mar 21 23:59:59 2036 GMT
PIN tries left: 3
drew@amp-org-pcdev /cygdrive/c/Program Files/Yubico/YubiKey Manager CLI
$ ./ykman piv info
PIV version: 5.4.2
PIN tries remaining: 3/3
PUK tries remaining: 1/3
Management key algorithm: TDES
Management key is stored on the YubiKey, protected by PIN.
CHUID: 3019d4e739da739ced39ce739d836858210842108421c84210c3eb341006b2bf1aa6befa10096ef486570ffc4b350832303330303130313e00fe00
CCC: No data available
Slot 82 (RETIRED1):
Private key type: EMPTY
Public key type: RSA2048
Subject DN: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
Issuer DN: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
Serial: 1
Fingerprint: d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef4
Not before: 2004-01-01T00:00:00+00:00
Not after: 2028-12-31T23:59:59+00:00
Slot 83 (RETIRED2):
Private key type: EMPTY
Public key type: ECCP384
Subject DN: CN=Sectigo Public Code Signing Root E46,O=Sectigo Limited,C=GB
Issuer DN: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
Serial: 284056931552150898782024188839649458891
Fingerprint: db44cb073b747cb2addfada3b7a6bf855e0a278194be6dc28113ce97a7ed26bb
Not before: 2023-02-28T00:00:00+00:00
Not after: 2028-12-31T23:59:59+00:00
Slot 84 (RETIRED3):
Private key type: EMPTY
Public key type: ECCP256
Subject DN: CN=Sectigo Public Code Signing CA EV E36,O=Sectigo Limited,C=GB
Issuer DN: CN=Sectigo Public Code Signing Root E46,O=Sectigo Limited,C=GB
Serial: 73711211433345001245318154040046987031
Fingerprint: 9ecee96bda8eec6f28e40d78e0c2d58d57837827eaa23b43176f1c0be255b993
Not before: 2021-03-22T00:00:00+00:00
Not after: 2036-03-21T23:59:59+00:00
Slot 9A (AUTHENTICATION):
Private key type: ECCP256
Public key type: ECCP384
Subject DN: CN=SoundSpectrum\, Inc.,O=SoundSpectrum\, Inc.,ST=New York,C=US,2.5.4.15=Private Organization,1.3.6.1.4.1.311.60.2.1.2=Delaware,1.3.6.1.4.1.311.60.2.1.3=US,2.5.4.5=3334581
Issuer DN: CN=Sectigo Public Code Signing CA EV E36,O=Sectigo Limited,C=GB
Serial: 122169199998415683808222965368559008620
Fingerprint: e90f53e7e1d16400662590c2455346ab87e1e5a1bcd0a1d4e28e418a057e4155
Not before: 2024-05-21T00:00:00+00:00
Not after: 2025-05-21T23:59:59+00:00
Slot 9C (SIGNATURE):
Private key type: ECCP256
There is something weird with the slot 9A, the algorithm of the private key (ECCP256) doesn't match the algorithm of the public key (ECCP384). How did you load the private key and the certificate on the Yubikey? Did you generate the private key on the Yubikey yourself and Sectigo sent the certificate, or did Sectigo send the preloaded Yubikey directly?
Hi! Indeed, I noticed that but didn't consider myself expert enough to identify that as an issue. Silly me -- to assume that the Yubikey would verify that an imported crt matches the private key before accepting it!
I've contacted Sectigo and am getting a reissue on ECCP384. Hopefully this explains my issues, in which case I will be proud to tell others about jsign. Will report back here later today. Emmanuel! Your work is most appreciated!
Ok, it's confirmed that Sectigo sent me the wrong cert (sending an ECCP384 rather than ECCP256). I am rather unimpressed that Yubikey merrily imports a cert without doing any verification.
Anyway, jsign signs no problem with a newly issued ECCP384 and imported cert. My only thought was that if jsign caught this exception in a meaningful way and described what was happening, that may help. If there was a bad cert in there but it happened to be ECCP384, you wouldn't have been tipped off.
Thank you again Emmanuel! My favorite name! <3
My only thought was that if jsign caught this exception in a meaningful way and described what was happening, that may help. If there was a bad cert in there but it happened to be ECCP384, you wouldn't have been tipped off.
Yes I agree. Jsign performs a basic verification after the signature is created, and a mismatch between the private key and the public key is reported:
But the issue here appears before the signature is created, the Yubikey refused to sign the payload. I have to investigate why.
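The mismatch diagnosed above (a P-256 private key in slot 9A under a certificate issued for a P-384 key) can be caught before any signing attempt by comparing the public key exported from the slot with the public key inside the certificate. The script below is an added example, not jsign's or Yubico's code. It assumes openssl is on PATH and, for offline reproducibility, generates software keys and self-signed certificates as a constructed stand-in for the real slot key and CA-issued certificate; on a real Yubikey you would substitute `ykman piv keys export 9a slot.pub.pem` and `ykman piv certificates export 9a slot.crt.pem` for the two generated files. It also mirrors jsign's post-signing check (sign, then verify with the certificate) with the exportable test key, which is not possible with a key held on the token.

```shell
#!/bin/sh
# Added example (not from jsign or Yubico): detect a slot key / certificate mismatch
# like the one in slot 9A above, before trying to sign. Requires openssl on PATH.
set -eu

# Describe a PEM public key as "<curve or RSA> (<bits> bit)", e.g. "P-256 (256 bit)".
describe_key() {  # $1 = PEM public key file
  openssl pkey -pubin -in "$1" -text -noout |
    awk '/Public-Key:/ {bits=$2} /NIST CURVE:/ {curve=$3} /Modulus:/ {curve="RSA"}
         END {gsub(/[()]/, "", bits); printf "%s (%s bit)\n", curve, bits}'
}

# SHA-256 over the DER SubjectPublicKeyInfo: equal fingerprints mean the same key.
spki_fingerprint() {  # $1 = PEM public key file
  openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Extract the public key from a PEM certificate into a PEM public key file.
cert_pubkey() {  # $1 = PEM certificate, $2 = output PEM public key
  openssl x509 -in "$1" -noout -pubkey > "$2"
}

# Return 0 if the certificate was issued for the key in the slot, 1 otherwise.
check_slot_cert() {  # $1 = slot public key (PEM), $2 = certificate (PEM)
  certpub=$(mktemp)
  cert_pubkey "$2" "$certpub"
  slot_fp=$(spki_fingerprint "$1")
  cert_fp=$(spki_fingerprint "$certpub")
  printf 'slot key : %-18s %s\n' "$(describe_key "$1")" "$slot_fp"
  printf 'cert key : %-18s %s\n' "$(describe_key "$certpub")" "$cert_fp"
  rm -f "$certpub"
  if [ "$slot_fp" = "$cert_fp" ]; then
    echo "OK: certificate public key matches the slot key"
    return 0
  fi
  echo "MISMATCH: certificate was not issued for the key in this slot" >&2
  return 1
}

# Mirror jsign's post-signing check with an exportable (software) private key:
# sign a payload, then verify the signature with the certificate's public key.
sign_verify_roundtrip() {  # $1 = private key PEM, $2 = certificate PEM, $3 = payload file
  sig=$(mktemp); pub=$(mktemp); rc=0
  cert_pubkey "$2" "$pub"
  openssl dgst -sha256 -sign "$1" -out "$sig" "$3"
  openssl dgst -sha256 -verify "$pub" -signature "$sig" "$3" >/dev/null 2>&1 || rc=1
  rm -f "$sig" "$pub"
  return $rc
}

# Constructed scenario mirroring the thread: the slot holds a P-256 key, but the
# certificate loaded into it was issued for a P-384 key. Self-signed certs stand
# in for the CA-issued EV certificate; the exported slot key stands in for
# "ykman piv keys export 9a slot.pub.pem".
DEMO_DIR=$(mktemp -d)
openssl ecparam -name prime256v1 -genkey -noout -out "$DEMO_DIR/slot.key.pem"
openssl pkey -in "$DEMO_DIR/slot.key.pem" -pubout -out "$DEMO_DIR/slot.pub.pem"
openssl ecparam -name secp384r1 -genkey -noout -out "$DEMO_DIR/other.key.pem"
openssl req -x509 -new -sha256 -days 1 -subj "/CN=Example Signer" \
  -key "$DEMO_DIR/other.key.pem" -out "$DEMO_DIR/wrong.crt.pem"
openssl req -x509 -new -sha256 -days 1 -subj "/CN=Example Signer" \
  -key "$DEMO_DIR/slot.key.pem" -out "$DEMO_DIR/right.crt.pem"
printf 'constructed dummy payload\n' > "$DEMO_DIR/payload.bin"

echo "--- certificate issued for a different (P-384) key, as in slot 9A above:"
check_slot_cert "$DEMO_DIR/slot.pub.pem" "$DEMO_DIR/wrong.crt.pem" || true
echo "--- certificate issued for the slot key:"
check_slot_cert "$DEMO_DIR/slot.pub.pem" "$DEMO_DIR/right.crt.pem"
```

The fingerprint comparison is the check worth running right after loading a CA-issued certificate into a slot: the token itself does not verify that the imported certificate belongs to the key already in the slot, and a PIV tool status listing only shows the algorithms, which, as the thread notes, would not reveal a wrong certificate that happens to use the same curve.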
Hi gents, appreciate all the work that's gone into jsign!
I am getting an exception that is not clear when signing from a Yubikey FIPS 5. I have verified things are working somewhat by changing storepass, and it is returning an appropriate bad PIN error. Flipping through things, I suspect the issue is on the jsign side. Using jsign 6.0.0 on Windows 11 (through Cygwin).