Unable to perform attestation on selfsigned certificate with key protected with PIN #448

Open
andreluis034 opened this issue Sep 23, 2023 · 1 comment

andreluis034 commented Sep 23, 2023

I'm facing an issue when I try to create an attested self-signed certificate with a key that always requires a PIN to be used.

yubico-piv-tool HEAD: a72b205 - current master
Yubikey application version: 5.1.2

Steps to reproduce:

  1. Generate a key on the yubikey with pin-policy set to always - yubico-piv-tool -a generate -s 82 -o pub.pem --pin-policy=always --touch-policy=never
  2. Request a self signed certificate with the --attestation flag - yubico-piv-tool -a verify-pin -a selfsign-certificate --attestation -s 82 -S "/CN=foo/" -i pub.pem -o cert.pem
  3. The program will fail to generate a self-signed certificate and give the error "Failed signing data: Authentication error."

Expected output:
The program outputs "Successfully generated a new self signed certificate." and generates a self-signed certificate cert.pem with the attestation extensions.

Verbose=3 Logs:

% yubico-piv-tool -a verify-pin -a selfsign-certificate --attestation -s 82 -S "/CN=foo/" -i pub.pem -o cert.pem --verbose=3
DBG ykpiv.c:589 (ykpiv_connect): Connect reader 'Yubico YubiKey FIDO+CCID' matching 'Yubikey'.
DBG ykpiv.c:595 (ykpiv_connect): SCardConnect succeeded for 'Yubico YubiKey FIDO+CCID', protocol=2
DBG ykpiv.c:846 (_ykpiv_transfer_data): Going to send 11 bytes in this go.
DBG ykpiv.c:795 (_ykpiv_transmit): > 00a4040005a00000030800 (11)
DBG ykpiv.c:802 (_ykpiv_transmit): < 61114f0600001000010079074f05a0000003089000 (21)
DBG ykpiv.c:748 (ykpiv_translate_sw): SW_SUCCESS
DBG ykpiv.c:846 (_ykpiv_transfer_data): Going to send 5 bytes in this go.
DBG ykpiv.c:795 (_ykpiv_transmit): > 0020008000 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < 63c3 (2)
DBG ykpiv.c:775 (ykpiv_translate_sw): SW_63c3
DBG ykpiv.c:846 (_ykpiv_transfer_data): Going to send 5 bytes in this go.
DBG ykpiv.c:795 (_ykpiv_transmit): > 00fd000000 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < 0501029000 (5)
DBG ykpiv.c:748 (ykpiv_translate_sw): SW_SUCCESS
DBG ykpiv.c:846 (_ykpiv_transfer_data): Going to send 5 bytes in this go.
DBG ykpiv.c:795 (_ykpiv_transmit): > 00f8000000 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < 009ae9c89000 (6)
DBG ykpiv.c:748 (ykpiv_translate_sw): SW_SUCCESS
Now processing for action 'verify-pin'.
Action 'verify-pin' does not need authentication.
Enter PIN:
DBG ykpiv.c:846 (_ykpiv_transfer_data): Going to send 14 bytes in this go.
DBG ykpiv.c:795 (_ykpiv_transmit): > 0020008008383436373334333400 (14)
DBG ykpiv.c:802 (_ykpiv_transmit): < 9000 (2)
DBG ykpiv.c:748 (ykpiv_translate_sw): SW_SUCCESS
Successfully verified PIN.
Now processing for action 'selfsign-certificate'.
Action 'selfsign-certificate' does not need authentication.
DBG ykpiv.c:846 (_ykpiv_transfer_data): Going to send 5 bytes in this go.
DBG ykpiv.c:795 (_ykpiv_transmit): > 00f9820000 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < 3082032030820208a003020102021064eb1b4d57a1ee2fcee1d4937d348f97300d06092a864886f70d01010b05003021311f301d06035504030c1659756269636f20504956204174746573746174696f6e3020170d3136303331343030303030305a180f32303532303431373030303030305a30253123302106035504030c1a597562694b657920504956204174746573746174696f6e20383230820122300d06092a864886f70d01010105000382010f003082010a0282010100b9e917a4e92406964f99a40599b92b4d983e3d95d4e751fcb0a6b5949428e6c5026c629fa797e83d22cd1086b050e1211e29166e8581300edadfffb23a83a00771656e3b9d6100 (258)
DBG ykpiv.c:875 (_ykpiv_transfer_data): The card indicates there is 256 bytes more data for us.
DBG ykpiv.c:795 (_ykpiv_transmit): > 00c0000000 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < 147c2d8c90126b7f6b585b0d4a6c44d16dd3041620d571e5465ae92c0309f27cb528c055e1d0bbd4fca3f735c756a99cf886c7a2da4d42b269a47ba0dc87dc3a89b2566f055b661fb6e01f0b69de23b432d121cbb507097b181d2b34ccbcae5f35a784426f7db6507aba62be662192bf0582e53bbc6255bb11679005816bf17620eb60ba932719aecce86a0708aa3fefe42c3c05829a8e12422152106931b1340862e1609ef6a5e263cfb4060c81958c7d56446641141498453eb90203010001a34e304c3011060a2b0601040182c40a030304030501023014060a2b0601040182c40a030704060204009ae9c83010060a2b0601040182c40a030804020301306100 (258)
DBG ykpiv.c:875 (_ykpiv_transfer_data): The card indicates there is 256 bytes more data for us.
DBG ykpiv.c:795 (_ykpiv_transmit): > 00c0000000 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < 0f060a2b0601040182c40a0309040101300d06092a864886f70d01010b050003820101000a1ff9a71f37f5e4281b80fb7b22f9de0effa4d3cfbdecd671504b6e0f94a318755eafabb4e2e3426fb5d83050b9a08598cfe7382e76a941bb84b53a8efc744ab8d652db084161686e4849f036be3b86dc257d683512794ab493a49870e48a6a95dbe5cde5bc228bef8dfb433114fe991c3f3714ae8ce0011a534978d9a2995f8c9cb2b68d699ece9dbf0b4420a860e5c86aab43fe07a44c4476814fde44cbe49c4ea64561743662cfc74def883e05e1243f3da99a3cf048eff07f9fadd81eeb57fb78dc65381b8031ef4ec09458b102675bb047c659b4fa3ff0f9776124 (258)
DBG ykpiv.c:875 (_ykpiv_transfer_data): The card indicates there is 36 bytes more data for us.
DBG ykpiv.c:795 (_ykpiv_transmit): > 00c0000024 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < 1af11488864f662673a2d34cff52d38d70cf46d2ab38cccc6f214c73cb351d408d8e22939000 (38)
DBG ykpiv.c:748 (ykpiv_translate_sw): SW_SUCCESS
DBG ykpiv.c:846 (_ykpiv_transfer_data): Going to send 11 bytes in this go.
DBG ykpiv.c:795 (_ykpiv_transmit): > 00cb3fff055c035fff0100 (11)
DBG ykpiv.c:802 (_ykpiv_transmit): < 53820302708202fe308202fa308201e2a003020102020900867717e01d192b26300d06092a864886f70d01010b0500302b3129302706035504030c2059756269636f2050495620526f6f742043412053657269616c203236333735313020170d3136303331343030303030305a180f32303532303431373030303030305a3021311f301d06035504030c1659756269636f20504956204174746573746174696f6e30820122300d06092a864886f70d01010105000382010f003082010a0282010100c55b8de9b93c53698288feda70fc5c88784125a21d7b848e9336ad672b4cab45beb2e0d59c1ba168d56bf8635c83cb833862b764ae8337378ec86080e6016100 (258)
DBG ykpiv.c:875 (_ykpiv_transfer_data): The card indicates there is 256 bytes more data for us.
DBG ykpiv.c:795 (_ykpiv_transmit): > 00c0000000 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < f875aaaef66ea7d576c5c125adaa9e9ddcb57ee98e2ab43f990df79f20a028a09fb3b1225faf38fb7346f4c79330ddfad086e0c9c67299affb2497058787dd61456f8186ca4308dcde04a3a6d6a6209649ca0c8fc59da70b902c8d69895be49767504c7e2fc8aad925a4020e7b50f3884f43e1cf746fc570a0b8c8fe056b1200f561bf996700185a2f46ffcbb5783a9ad929f912a2556e6074b962a4559c37a927b232944a5d329116e3feeb38748caa8708101f123edd938e26c1ad9bf391ca096f0203010001a32930273011060a2b0601040182c40a0303040305010230120603551d130101ff040830060101ff020100300d06092a864886f70d01010b056100 (258)
DBG ykpiv.c:875 (_ykpiv_transfer_data): The card indicates there is 256 bytes more data for us.
DBG ykpiv.c:795 (_ykpiv_transmit): > 00c0000000 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < 0003820101000557b7bf5a4174f95fec2ed2b87826e5ef4feabf5a64c9cf067fca8c0afc1a471cd6acedc85b5472009fb859ab7325b2d602a359833169eec15f3df22b1b22cab6fcf9fb21329e08f308546dc9261042081d3cb5f05ab198d468dc91f1d391547aa0348bf665eb139f3a1cbf43c5d1d03323c625a04ce4e9aa5980d8021eb0105fb8e10d0c301c72e91130b4d70d8f7b2f696e0c54c9f7d35a1ca8e384238b1e64d206e0924b987f17aae84a2eeb8e1d9b10e684acb1be1b5855580cdf04d5e0aec52e8ab59193458a84929e52b7cd3c82e10b3607ff32c4688b0b8d183eb6798a26ed84e0876875272b8bba065615728545b90eb717fbff023e6106 (258)
DBG ykpiv.c:875 (_ykpiv_transfer_data): The card indicates there is 6 bytes more data for us.
DBG ykpiv.c:795 (_ykpiv_transmit): > 00c0000006 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < a9e806977bcd9000 (8)
DBG ykpiv.c:748 (ykpiv_translate_sw): SW_SUCCESS
DBG ykpiv.c:846 (_ykpiv_transfer_data): Going to send 261 bytes in this go.
DBG ykpiv.c:795 (_ykpiv_transmit): > 10870782ff7c8201068200818201000001ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff003031300d060960864801650304020105000420ef18cf2cf97c20aae6ad6f0fe13ddd3fa2f165156b00 (261)
DBG ykpiv.c:802 (_ykpiv_transmit): < 9000 (2)
DBG ykpiv.c:846 (_ykpiv_transfer_data): Going to send 17 bytes in this go.
DBG ykpiv.c:795 (_ykpiv_transmit): > 008707820b2f577e5091021d2e4a9cdc00 (17)
DBG ykpiv.c:802 (_ykpiv_transmit): < 6982 (2)
DBG ykpiv.c:751 (ykpiv_translate_sw): SW_ERR_SECURITY_STATUS
DBG ykpiv.c:1249 (_general_authenticate): Sign command failed
Failed signing data: Authentication error.
Failed signing certificate.
8085676160:error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:crypto/asn1/a_sign.c:224:
DBG ykpiv.c:344 (ykpiv_disconnect): Disconnect card #10152392.

Debugging the code, I can figure out that the attestation is actually being performed correctly, but the part of actually generating the self-signed certificate fails. My "theory" is that in the process of performing the attestation/signature with the attestation key, the input of the PIN has been "consumed" and is no longer valid for the usage of the next key.

As a super dirty work-around I applied the following patch which hard codes a call to verify_pin after the attestation:

diff --git a/tool/yubico-piv-tool.c b/tool/yubico-piv-tool.c
index 0487bdb..bf03f5e 100644
--- a/tool/yubico-piv-tool.c
+++ b/tool/yubico-piv-tool.c
@@ -956,7 +956,7 @@ static const struct {
   {NID_authority_key_identifier, "keyid", 0},
   {NID_basic_constraints, "CA:true", 1},
 };
-
+static bool verify_pin(ykpiv_state *state, const char *pin);
 static bool selfsign_certificate(ykpiv_state *state, enum enum_key_format key_format,
     const char *input_file_name, enum enum_slot slot, char *subject, enum enum_hash hash,
     const int *serial, int validDays, const char *output_file_name, int attest) {
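
Review bot: the `verify_pin` prototype at the top of this hunk replaces the blank line that separated the extension table's closing `};` from `selfsign_certificate`, so the two now run together. Keep the blank line and put the forward declaration on its own line after it, next to any other prototypes in the file, or move `selfsign_certificate` below the definition of `verify_pin` so no forward declaration is needed.
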
@@ -1036,6 +1036,10 @@ static bool selfsign_certificate(ykpiv_state *state, enum enum_key_format key_fo
     }
   }

+  if(verify_pin(state, "84673434")) {
+    fprintf(stderr, "Successfully verified PIN.\n");
+  }
+
   unsigned char algorithm = get_algorithm(public_key);
   if(algorithm == 0) {
     goto selfsign_out;
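
Review bot: the `verify_pin(state, "84673434")` call compiles a PIN into the binary, so it only works for this one key and leaves the PIN readable in the source and the executable; reuse the PIN the user entered for the `verify-pin` action or prompt again instead. The call also runs when `attest` is 0, and when `verify_pin` returns false execution continues into signing, which will then fail on the card; guard it with `if(attest)` and `goto selfsign_out` on failure. The "Successfully verified PIN." message goes to stderr unconditionally and repeats the message the `verify-pin` action already printed.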

And now the attestation of the self signed certificate works:

% ./tool/yubico-piv-tool -a verify-pin -a selfsign-certificate --attestation -s 82 -S "/CN=foo/" -i pub.pem -o cert.pem --verbose=3
DBG ykpiv.c:589 (ykpiv_connect): Connect reader 'Yubico YubiKey FIDO+CCID' matching 'Yubikey'.
DBG ykpiv.c:595 (ykpiv_connect): SCardConnect succeeded for 'Yubico YubiKey FIDO+CCID', protocol=2
DBG ykpiv.c:846 (_ykpiv_transfer_data): Going to send 11 bytes in this go.
DBG ykpiv.c:795 (_ykpiv_transmit): > 00a4040005a00000030800 (11)
DBG ykpiv.c:802 (_ykpiv_transmit): < 61114f0600001000010079074f05a0000003089000 (21)
DBG ykpiv.c:748 (ykpiv_translate_sw): SW_SUCCESS
DBG ykpiv.c:846 (_ykpiv_transfer_data): Going to send 5 bytes in this go.
DBG ykpiv.c:795 (_ykpiv_transmit): > 0020008000 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < 63c3 (2)
DBG ykpiv.c:775 (ykpiv_translate_sw): SW_63c3
DBG ykpiv.c:846 (_ykpiv_transfer_data): Going to send 5 bytes in this go.
DBG ykpiv.c:795 (_ykpiv_transmit): > 00fd000000 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < 0501029000 (5)
DBG ykpiv.c:748 (ykpiv_translate_sw): SW_SUCCESS
DBG ykpiv.c:846 (_ykpiv_transfer_data): Going to send 5 bytes in this go.
DBG ykpiv.c:795 (_ykpiv_transmit): > 00f8000000 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < 009ae9c89000 (6)
DBG ykpiv.c:748 (ykpiv_translate_sw): SW_SUCCESS
Now processing for action 'verify-pin'.
Action 'verify-pin' does not need authentication.
Enter PIN:
DBG ykpiv.c:846 (_ykpiv_transfer_data): Going to send 14 bytes in this go.
DBG ykpiv.c:795 (_ykpiv_transmit): > 0020008008383436373334333400 (14)
DBG ykpiv.c:802 (_ykpiv_transmit): < 9000 (2)
DBG ykpiv.c:748 (ykpiv_translate_sw): SW_SUCCESS
Successfully verified PIN.
Now processing for action 'selfsign-certificate'.
Action 'selfsign-certificate' does not need authentication.
DBG ykpiv.c:846 (_ykpiv_transfer_data): Going to send 5 bytes in this go.
DBG ykpiv.c:795 (_ykpiv_transmit): > 00f9820000 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < 3082032030820208a00302010202103632efe7731e8165eaca10549637fa1e300d06092a864886f70d01010b05003021311f301d06035504030c1659756269636f20504956204174746573746174696f6e3020170d3136303331343030303030305a180f32303532303431373030303030305a30253123302106035504030c1a597562694b657920504956204174746573746174696f6e20383230820122300d06092a864886f70d01010105000382010f003082010a0282010100b9e917a4e92406964f99a40599b92b4d983e3d95d4e751fcb0a6b5949428e6c5026c629fa797e83d22cd1086b050e1211e29166e8581300edadfffb23a83a00771656e3b9d6100 (258)
DBG ykpiv.c:875 (_ykpiv_transfer_data): The card indicates there is 256 bytes more data for us.
DBG ykpiv.c:795 (_ykpiv_transmit): > 00c0000000 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < 147c2d8c90126b7f6b585b0d4a6c44d16dd3041620d571e5465ae92c0309f27cb528c055e1d0bbd4fca3f735c756a99cf886c7a2da4d42b269a47ba0dc87dc3a89b2566f055b661fb6e01f0b69de23b432d121cbb507097b181d2b34ccbcae5f35a784426f7db6507aba62be662192bf0582e53bbc6255bb11679005816bf17620eb60ba932719aecce86a0708aa3fefe42c3c05829a8e12422152106931b1340862e1609ef6a5e263cfb4060c81958c7d56446641141498453eb90203010001a34e304c3011060a2b0601040182c40a030304030501023014060a2b0601040182c40a030704060204009ae9c83010060a2b0601040182c40a030804020301306100 (258)
DBG ykpiv.c:875 (_ykpiv_transfer_data): The card indicates there is 256 bytes more data for us.
DBG ykpiv.c:795 (_ykpiv_transmit): > 00c0000000 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < 0f060a2b0601040182c40a0309040101300d06092a864886f70d01010b050003820101009fe66d513c360e43ef88113d1eef60efeec297890bd7ec51fa22f2395211a70f3aea06e8630c0fc02f9516b9c94caa81592e3d678705f411daf4ac3ff9bd2304c88cb68f09523aed40e168fbaeb8c61ab7cfa4ec1d5b8d0bf0235a4d8146d59956c70d9ec6711cc3c5bc3a609c0be61e43321ead6255d94985e193131069e51dd90548712fb98df91be3c15aa618a83c05bfc37e4819a53fb662bbda4aff5873f307f89e0216df1c7d3a15be04a93fdebc68b77435d0e5a26a24bd31b97e3dc0855eefcd79bc4933a41894d103ba82e5e1deaca7789a4955e4ced5036124 (258)
DBG ykpiv.c:875 (_ykpiv_transfer_data): The card indicates there is 36 bytes more data for us.
DBG ykpiv.c:795 (_ykpiv_transmit): > 00c0000024 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < 84486fa7166c29025dd3725b0bb3493c86f4b758638f8966a186f0ef4a653b05f2aa5b559000 (38)
DBG ykpiv.c:748 (ykpiv_translate_sw): SW_SUCCESS
DBG ykpiv.c:846 (_ykpiv_transfer_data): Going to send 11 bytes in this go.
DBG ykpiv.c:795 (_ykpiv_transmit): > 00cb3fff055c035fff0100 (11)
DBG ykpiv.c:802 (_ykpiv_transmit): < 53820302708202fe308202fa308201e2a003020102020900867717e01d192b26300d06092a864886f70d01010b0500302b3129302706035504030c2059756269636f2050495620526f6f742043412053657269616c203236333735313020170d3136303331343030303030305a180f32303532303431373030303030305a3021311f301d06035504030c1659756269636f20504956204174746573746174696f6e30820122300d06092a864886f70d01010105000382010f003082010a0282010100c55b8de9b93c53698288feda70fc5c88784125a21d7b848e9336ad672b4cab45beb2e0d59c1ba168d56bf8635c83cb833862b764ae8337378ec86080e6016100 (258)
DBG ykpiv.c:875 (_ykpiv_transfer_data): The card indicates there is 256 bytes more data for us.
DBG ykpiv.c:795 (_ykpiv_transmit): > 00c0000000 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < f875aaaef66ea7d576c5c125adaa9e9ddcb57ee98e2ab43f990df79f20a028a09fb3b1225faf38fb7346f4c79330ddfad086e0c9c67299affb2497058787dd61456f8186ca4308dcde04a3a6d6a6209649ca0c8fc59da70b902c8d69895be49767504c7e2fc8aad925a4020e7b50f3884f43e1cf746fc570a0b8c8fe056b1200f561bf996700185a2f46ffcbb5783a9ad929f912a2556e6074b962a4559c37a927b232944a5d329116e3feeb38748caa8708101f123edd938e26c1ad9bf391ca096f0203010001a32930273011060a2b0601040182c40a0303040305010230120603551d130101ff040830060101ff020100300d06092a864886f70d01010b056100 (258)
DBG ykpiv.c:875 (_ykpiv_transfer_data): The card indicates there is 256 bytes more data for us.
DBG ykpiv.c:795 (_ykpiv_transmit): > 00c0000000 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < 0003820101000557b7bf5a4174f95fec2ed2b87826e5ef4feabf5a64c9cf067fca8c0afc1a471cd6acedc85b5472009fb859ab7325b2d602a359833169eec15f3df22b1b22cab6fcf9fb21329e08f308546dc9261042081d3cb5f05ab198d468dc91f1d391547aa0348bf665eb139f3a1cbf43c5d1d03323c625a04ce4e9aa5980d8021eb0105fb8e10d0c301c72e91130b4d70d8f7b2f696e0c54c9f7d35a1ca8e384238b1e64d206e0924b987f17aae84a2eeb8e1d9b10e684acb1be1b5855580cdf04d5e0aec52e8ab59193458a84929e52b7cd3c82e10b3607ff32c4688b0b8d183eb6798a26ed84e0876875272b8bba065615728545b90eb717fbff023e6106 (258)
DBG ykpiv.c:875 (_ykpiv_transfer_data): The card indicates there is 6 bytes more data for us.
DBG ykpiv.c:795 (_ykpiv_transmit): > 00c0000006 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < a9e806977bcd9000 (8)
DBG ykpiv.c:748 (ykpiv_translate_sw): SW_SUCCESS
DBG ykpiv.c:846 (_ykpiv_transfer_data): Going to send 14 bytes in this go.
DBG ykpiv.c:795 (_ykpiv_transmit): > 0020008008383436373334333400 (14)
DBG ykpiv.c:802 (_ykpiv_transmit): < 9000 (2)
DBG ykpiv.c:748 (ykpiv_translate_sw): SW_SUCCESS
Successfully verified PIN.
DBG ykpiv.c:846 (_ykpiv_transfer_data): Going to send 261 bytes in this go.
DBG ykpiv.c:795 (_ykpiv_transmit): > 10870782ff7c8201068200818201000001ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff003031300d06096086480165030402010500042021f598adaa7751f173d195db1ae72094cc20582c9400 (261)
DBG ykpiv.c:802 (_ykpiv_transmit): < 9000 (2)
DBG ykpiv.c:846 (_ykpiv_transfer_data): Going to send 17 bytes in this go.
DBG ykpiv.c:795 (_ykpiv_transmit): > 008707820bf150462aeba74db9cc9eac00 (17)
DBG ykpiv.c:802 (_ykpiv_transmit): < 7c6100 (3)
DBG ykpiv.c:875 (_ykpiv_transfer_data): The card indicates there is 256 bytes more data for us.
DBG ykpiv.c:795 (_ykpiv_transmit): > 00c0000000 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < 820104828201004e87e908ba999baea14dacbc6fdc14e54dbee711bb3106d3e5b022804f171fcab2e4c704ea7b56ea9353989cde17bb7b23567136b4430b92ed6250c8999f822dcf1ce0ae0518c431acc411f45f12403a9a6cccd677388c7433f749c25d260299d723016bafb063a2b2ba04e2098f202df88bcb2eaf873c0966acf2f740925cb39d21f95b474bb47e0ab8efaaa9ac6a4f0ed62558015d084896e0385ac5aa7d3a6234db2af6979734ab4f3e06839acebffce92d67e3db8b993da62e331f954e49245020476c1073896fa453b6162129837506a9a6b0907f68a1118e699e2c5c9b9c39e575372327d53441ffff057ac0e7c431261408f7dcfbe46107 (258)
DBG ykpiv.c:875 (_ykpiv_transfer_data): The card indicates there is 7 bytes more data for us.
DBG ykpiv.c:795 (_ykpiv_transmit): > 00c0000007 (5)
DBG ykpiv.c:802 (_ykpiv_transmit): < 1f711a399f15e59000 (9)
DBG ykpiv.c:748 (ykpiv_translate_sw): SW_SUCCESS
Successfully generated a new self signed certificate.
DBG ykpiv.c:344 (ykpiv_disconnect): Disconnect card #10152392.

Am I using the command line arguments correctly or have I missed something?

If this is an actual issue, I can make a PR to address this, but what would be the appropriate approach to address this? Pass a parameter to selfsign_certificate to tell it if a PIN has been requested, if it has and an attestation has been performed, ask again for the PIN?

Contributor

qpernil commented Sep 26, 2023

This is a known problem. You are correct that the PIN is 'consumed' by essentially any other activity; the PIV spec says that the PIN has to be verified directly before the sign operation for such keys. There have been two solutions developed but none has been considered good enough, see #338 and #326, as well as #321.
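
Added example, not part of the issue or of the yubico-piv-tool code base: a small C checker that reads a `--verbose=3` trace and counts the command APDUs sent between the last PIN-carrying VERIFY (INS 20) and the final GENERAL AUTHENTICATE block (INS 87), which is the ordering problem described in both comments above. The function name and the sample logs are constructed for illustration; the rule that any other command uses up the PIN follows the maintainer's description and assumes a key with pin-policy=always.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TX "DBG ykpiv.c:795 (_ykpiv_transmit): > "  /* command APDU line prefix */

/* Two hex digits at p as a byte value, or -1 if they are not hex digits. */
static int hex_byte(const char *p) {
  if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1])) return -1;
  char buf[3] = { p[0], p[1], 0 };
  return (int)strtol(buf, NULL, 16);
}

/* Count the command APDUs sent between the last VERIFY that carried a PIN and
 * the final GENERAL AUTHENTICATE block (CLA 00, INS 87). Chained blocks of the
 * sign itself (CLA 10, INS 87) are not counted. Assumes a pin-policy=always key.
 * Returns -1 if no PIN preceded the sign, -2 if the log contains no sign. */
int apdus_between_verify_and_sign(const char *log) {
  int since_verify = -1, result = -2;
  for (const char *p = strstr(log, TX); p; p = strstr(p, TX)) {
    p += strlen(TX);
    int h[5], n = 0;
    while (n < 5 && (h[n] = hex_byte(p + 2 * n)) >= 0) n++;
    if (n < 4) continue;                 /* no CLA INS P1 P2 header */
    int cla = h[0], ins = h[1], lc = (n == 5) ? h[4] : 0;
    if (ins == 0x20 && lc > 0) {
      since_verify = 0;                  /* VERIFY with PIN data */
    } else if (ins == 0x87 && (cla & 0x10)) {
      continue;                          /* chained block of the sign */
    } else if (ins == 0x87) {
      result = since_verify;             /* the card signs here */
      since_verify = -1;                 /* the sign uses up the PIN */
    } else if (since_verify >= 0) {
      since_verify++;                    /* any other command */
    }
  }
  return result;
}

/* Constructed logs: APDU headers as in the issue's traces, payloads shortened, PIN bytes made up. */
const char *LOG_VERIFY_THEN_ATTEST =
  TX "0020008000 (5)\n" TX "0020008008313233343536ffff (13)\n"
  TX "00f9820000 (5)\n" TX "00c0000000 (5)\n"
  TX "00cb3fff055c035fff0100 (11)\n"
  TX "10870782ff7c82010682 (10)\n" TX "008707820b2f577e50 (9)\n";

const char *LOG_VERIFY_AGAIN_BEFORE_SIGN =
  TX "0020008008313233343536ffff (13)\n"
  TX "00f9820000 (5)\n" TX "00c0000000 (5)\n"
  TX "00cb3fff055c035fff0100 (11)\n"
  TX "0020008008313233343536ffff (13)\n"
  TX "10870782ff7c82010682 (10)\n" TX "008707820b2f577e50 (9)\n";

int main(void) {
  printf("verify, attest, sign: %d\n", apdus_between_verify_and_sign(LOG_VERIFY_THEN_ATTEST));
  printf("verify again, sign:   %d\n", apdus_between_verify_and_sign(LOG_VERIFY_AGAIN_BEFORE_SIGN));
  return 0;
}
```

A result above 0 on a trace that ends in 6982 points at commands issued after the PIN was verified; 0 means the VERIFY directly preceded the sign.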
