sbidy / KeePass-KeyManager

A public key manager to manage multiple x509 certificates for a KeePass password database.
GNU General Public License v3.0

Unable to select the smartcard certificate #4

Open wdthikl opened 6 years ago

wdthikl commented 6 years ago

I was looking into the Smartcard.gif which was committed recently. I would love to use that feature, but I'm unable to select the smartcard certificate. It only shows my user certificate store when I'm trying to load a certificate. My SmartCard service is running and I'm able to use the smartcard for other purposes in the same user-session.

Is the smartcard feature already present in the current release? Or is it something in development?

sbidy commented 6 years ago

The feature is present. Can you please check that the smart card certificate is present in the Microsoft user certificate store? Keep in mind that the certificate is only selectable if the certificate is present/plugged in. I'll also review the function - maybe MS has changed the behavior in an update.

wdthikl commented 6 years ago

I didn't have the certificate in my local user store (at least not the private key). I found that the Certificate Propagation Service was not properly configured in the GPO. It now is and I got one step further now, thanks for pointing me in the right direction!

It now says 'The smart card cannot perform the requested operation or the operation requires a different smart card.' Can you tell me what property/key usage/intended purpose I need in my template for this operation to succeed?

Edit: I'm using a PIV enabled Yubikey4 for this.

sbidy commented 6 years ago

Mh, there is an issue with the Yubikey smartcard access and the used .Net function. I'll dig into that and try to fix it. I hope to release a new version ASAP.

wdthikl commented 6 years ago

Fantastic! Take your time, no rush...

queesamor commented 6 years ago

It now says 'The smart card cannot perform the requested operation or the operation requires a different smart card.'

I'm using a PIV enabled Yubikey4 for this.

I am running into exactly the same conundrum with the same hardware, and I am effervescing with happiness that you are already working on solving this! 🎉 👍

sbidy commented 6 years ago

I found out that something has been changed by MS. It is not directly related to the Yubikey - it seems to be a general misbehavior. The plugin can't access the private key from the smart card to encrypt the database key.

I'm working on that - thank you for the feedback!

queesamor commented 6 years ago

Thanks @sbidy! I would be happy to help test if you have any need for that 🙂

wimapibr commented 6 years ago

I'm facing the same problem and noticed that after uninstalling the Yubikey Smart Card Mini Driver (currently at version 3.3.1.5) in Windows Device Manager, the Yubikey starts to work with the Keepass KeyManager module.

That's because without the Yubico proprietary driver the Yubikey is recognized as a generic "Identity Device (NIST SP 800-73 [PIV])" smartcard and this works perfectly with KeyManager module.

Obviously, using this workaround the Yubikey 4 stops working as a Windows logon smartcard.

I'm just relating this in order to help with the problem diagnosis.

sbidy commented 6 years ago

Hey, sorry for the late update - I'm really busy at the moment. But after some first investigations, it looks like a problem with the Microsoft Minidriver (introduced in Win 8.1). @wdthikl describes a similar problem.

In my opinion the "default" crypto API from Microsoft doesn't support the new minidriver.

sbidy commented 6 years ago

Weeks later ... I don't have an update on that. It is still not possible to access a private key from a minidriver based smartcard. I'll talk to MS for a possible solution ...

queesamor commented 6 years ago

Does this have to be implemented with your code having direct access to the private key? Or is it possible to submit a value to the smart card / driver and ask for it to be signed or decrypted by the smart card, and then deal with the returned signature/ciphertext?

Maybe I don't fully understand where the new driver is causing the issues.

Have you asked Yubico for their feedback, since they developed the new minidriver? My organization was having a different problem with the "new" driver, and after corresponding with their developers we were able to get some pretty low-level documentation and answers and it led to a pretty straightforward solution on our side.

Please pardon me if I'm suggesting avenues you've already pursued!

On Tue, Jun 12, 2018, 12:34 AM Stephan Traub notifications@github.com wrote:

Update: Weeks later ... I don't have an update on that. It is still not possible to access a private key from a minidriver based smartcard. I'll talk to MS for a possible solution ...


--

-Denver Root

sbidy commented 6 years ago

So, with the v3.7.0.152 minidriver for the YubiKey 4 and a patched Windows 10 1803 it seems to work without the ASN1 error (magic .... ). Please test the plugin with this minidriver version again and give me feedback 😃 .

Please also keep in mind that the certificate MUST contain the Key Encipherment (a0) key usage property! If the property is not set, the certificate is not listed in the cert. store list.
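As an added diagnostic example (not code from the plugin or from anyone in this thread): a small Windows-only C# console program that walks the CurrentUser\My store, reports which certificates carry the Key Encipherment usage and an accessible private key, shows whether the key is backed by a CNG key storage provider (how minidriver cards are exposed) or by legacy CAPI, and tries the same RSA wrap/unwrap round trip the plugin needs, so the "smart card cannot perform the requested operation" failure surfaces here with its HRESULT. It assumes .NET Framework 4.6 or later with a reference to System.Core; a PIN prompt from the card during the decrypt step is expected.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class SmartCardCertCheck
{
    static void Main()
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            foreach (var cert in store.Certificates.Cast<X509Certificate2>())
            {
                var ku = cert.Extensions.OfType<X509KeyUsageExtension>().FirstOrDefault();
                bool keyEnc = ku != null && ku.KeyUsages.HasFlag(X509KeyUsageFlags.KeyEncipherment);
                Console.WriteLine(cert.Subject);
                Console.WriteLine("  KeyEncipherment: " + keyEnc + "  HasPrivateKey: " + cert.HasPrivateKey);
                // Without both properties the plugin would not list the certificate anyway.
                if (!keyEnc || !cert.HasPrivateKey) continue;
                try
                {
                    using (RSA rsa = cert.GetRSAPrivateKey())
                    {
                        // RSACng => CNG key storage provider (minidriver / smart card KSP);
                        // RSACryptoServiceProvider => legacy CAPI cryptographic service provider.
                        var cng = rsa as RSACng;
                        var csp = rsa as RSACryptoServiceProvider;
                        string provider = cng != null ? "CNG: " + cng.Key.Provider.Provider
                                        : csp != null ? "CAPI: " + csp.CspKeyContainerInfo.ProviderName
                                        : rsa.GetType().Name;
                        Console.WriteLine("  Provider: " + provider);
                        // Same primitive the plugin relies on: wrap a sample (constructed, random)
                        // database key with the public key, then ask the card to unwrap it.
                        byte[] sample = new byte[32];
                        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(sample);
                        byte[] wrapped = rsa.Encrypt(sample, RSAEncryptionPadding.Pkcs1);
                        byte[] unwrapped = rsa.Decrypt(wrapped, RSAEncryptionPadding.Pkcs1);
                        Console.WriteLine("  Round trip: " + (unwrapped.SequenceEqual(sample) ? "OK" : "MISMATCH"));
                    }
                }
                catch (CryptographicException ex)
                {
                    // This is where the minidriver problem from the thread shows up.
                    Console.WriteLine("  Round trip failed: 0x" + ex.HResult.ToString("X8") + " " + ex.Message);
                }
            }
        }
    }
}
```

A certificate that prints KeyEncipherment: False is the case sbidy describes above; a CNG provider line followed by a failed round trip is the minidriver case.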

HikariWS commented 2 years ago

Hello. I'm not even able to see the certificate.

I'm using an Omnikey 3021, and SafeSign Token Administration Utility 3.0.0.3920 to manage the smartcard.

I used Adobe Acrobat Reader DC to create a self-signed Digital ID (pfx) and was able to import it to the smartcard. On Token Administration, I right click the smartcard > Show Token Objects and see my certificate (private no) and its private key (private yes).

But I'm unable to add it to the Windows Local Store, which is where the plugin seems to look. The Select certificate dialog is empty.

I guess I'm able to open mmc and import the pfx file into it, but that's not what I want. I don't want to store the Digital ID on Windows and use it to open the KeePass DB, I want it to access the certificate from the smartcard.