Possible incompatibility with yubikey-agent created keys

[maxgoedjen]

@cmoog reported in #124:

Keys generated with the yubikey-agent command don't seem to appear in secretive... to reproduce on a yubikey, first reset the PIV application, then run

yubikey-agent -setup

And the resulting PIV authentication key in 9a does not work with Secretive. My best guess is that yubikey agent passes different default configuration options than keys generated from the yubikey-manager UI, and Secretive has a compatibility issue with those options? Maybe the touch policy? It can't be the algo since that is EC256...

For reference, this is what the PIV cert looks like in the Yubikey Manager UI:

@maxgoedjen, thoughts on what could be causing the incompatibility?

[maxgoedjen]

@cmoog I haven't tested with this before, I don't have a spare key handy with me at the moment but I will in about a week, I'll test it then.

Just to rule out the obvious: you're able to use this key in other contexts from this Mac? I'm curious what the SSH agent sees the key as – I know you mentioned it's an EC256 key, but it starts with ecdsa-sha2-nistp256?

[maxgoedjen]

Oh interesting, didn't realize yubikey-agent wasn't their app (but instead by our friend @FiloSottile) – I'll have to play with that when I have a test key handy.

[cmoog]

I'm curious what the SSH agent sees the key as – I know you mentioned it's an EC256 key, but it starts with ecdsa-sha2-nistp256?

For a key generated with yubikey-agent -setup:

$ SSH_AUTH_SOCK=/usr/local/var/run/yubikey-agent.sock ssh-add -L
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGmcMdlX+379KzIqnKU7YS4o17szya3CBBS9FXCGYJtcY6JhsfL6BJDE7ehBPhTZ8mGwoE6X8AigdCnN1GeKlPE= YubiKey #16361072 PIV Slot 9a

[maxgoedjen]

Definitely could be the policies. Peeking in the source, I don't see anything that should make it incompatible, I'll have to try it out a bit more.

[dlgoodr]

:eyes:

Semi-related (and I'll move this to another issue if that's the right thing to do): @maxgoedjen, do you have a "preferred" way of setting up PIV keys on a YubiKey since they're the brand you recommend for non-Secure-Enclave Macs?

[maxgoedjen]

@dlgoodr I just use their tool (I think this is the latest one? They have a few https://www.yubico.com/support/download/yubikey-personalization-tools/). So long as you use the right key type there (ec) then it should be fine.

[dlgoodr]

The YubiKey Manager is the only one that worked on my m1 mba. Thanks!

[cmoog]

Any chance someone has narrowed down the cause here?

[maxgoedjen]

I spent a tiny bit of time debugging this and afaict just sometimes the way the key gets set up by yubikey-setup doesn't report as a PIV token to macOS.

Basically: Tried setting up with yubikey-agent -setup, removed + inserted key Secretive (by way of https://developer.apple.com/documentation/cryptotokenkit/tktokenwatcher) doesn't get notified it's inserted. Reset the key Set up through yubikey-manager, worked fine. Removed that key Set up through yubikey-agent again, worked fine this time.

@FiloSottile anything that jumps to mind that yubikey-agent specifically might be doing in its setup that would cause this?

[maxgoedjen]

Seems fairly consistent:

If I erase the key -> setup from clean state with yubikey-agent, TKTokenWatcher doesn't see the key. If I erase the key -> set up a key with yubikey manager -> erase that key -> set up from that state with yubikey-agent, TKTokenWatcher can see the key.

Maybe yubikey manager is setting some flag that causes it to report as a PIV that yubikey-agent isn't?

[zviratko]

My 2 cents - I suspect a new CHUID isn't generated by yubikey-agent? With it staying the same, it could get cached and thus ignored because it "didn't use to have a certificate".

[ph00lt0]

@maxgoedjen is there any update on this issue? what is the recommended way to setup ssh keys on yubikey using secretive?

[bblacey]

My 2 cents - I suspect a new CHUID isn't generated by yubikey-agent? With it staying the same, it could get cached and thus ignored because it "didn't use to have a certificate".

I believe you are correct. I was having problems with the correct PIV keys appearing in Secretive. Ultimately I solved the problem by using yubico-piv-tool -a set-chuid to change the chuid, removed+inserted key, and used yubico-piv-tool -a generate -a verify-pin -a selfsign -a import-certificate -s 9a -k -A ECCP256 -S '/CN=ssh_auth/OU=<admin>/O=<mydomain>') to generate a new ssh key compatible with Secretive.