-
Notifications
You must be signed in to change notification settings - Fork 66
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support to set CHUID and CCC #66
Comments
Mind expanding on what the change would look like to this package? I'm testing on 10.15.4 and haven't had any issues :) |
I believe that it is an insGetData and insPutData similar to getting / storing certificates. when you insert a key do you see the dialog asking to pair it ? or does it show in the list of smartcards ? This is on a vanilla install without opensc. If you install opensc, then you cannot use your library because it requires exclusive access. |
you can try the following steps
|
Per https://github.com/go-piv/piv-go#installation I don't have anything installed that's not out of the box. I've just plugged in my YubiKey and everything's worked :) I don't actually know what CHUID or CCC are. So more context would be helpful to understand what the request here is. Does this have something to do with the CryptoTokenKit API? Can you paste a small program using piv-go that shows what you expect to happen and what actually happens? If you're attempting to propose new APIs could you paste an example of what you'd want the new API to look like? |
CHUID and CCC are defined in NIST SP 800-73-4 : https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf
same model for CCC you can see the API for in yubico-piv-tool here: |
If you'd like to send a PR with associated that adds the following API I'd be happy to take it.
(or []byte or [N]byte instead of string if that's more appropriate) If not I can take a look to add it later. |
I'm less clear about what CCC would be used for. Will have to read more. |
Also would CHUID be better in the Metadata struct? I always imagined that would expand to hold a lot of these optional fields that aren't required to actually use the key. |
I'll see if i can finish these functions - see #67 |
Thanks for all the great work you've done! I can't really explain why CHUID/CCC are needed, but in my case Google Chrome and Safari refuse to use a client certificate stored in any PIV slot until those fields are set. They don't even prompt for certificate choice or PIN. Current workaround is to generate them using yubikey manager CLI, but I'd really love to see this functionality implemented in this package
Do let me know if you need a test example or any help to finalise and merge #67 |
I have tested CHUID as implemented in #67 - I had the same problem with Apple MacOS not accepting cards without CHUID. Did you try with just the CHUID ? It was sufficient in my use case. |
Sorry for ghosting #67 :( I don't have a ton of bandwidth for this project but I should have left a comment. I'm a little lost on what CHUID/CCC are. There's signatures and unique IDs, but I'm not clear who's supposed to generate those signatures or IDs, and how you'd actually validate them (or when you need to validate them). Are they just ways to name the slot? Or would an organization actually set them to a proper signed value using a CA? If it's the later, the API probably needs to accept a CA or be named "Insecure" like our method for setting a private key. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf#page=17 While #67 has a pre-generated value, I don't understand how it was generated. Is there anything someone can point me to that explains CHUID that'd be really helpful. It's hard to review and API without that context. |
Just tried it one more time and yep, it did work with only CHUID set. Here are some bits and pieces I was able to find
Although, as I've already mentioned, it didn't work for me on macOS as well.
import_certificate: https://github.com/Yubico/yubikey-manager/blob/257e2ace7beec672ac867700d3305c035520e174/ykman/cli/piv.py#L795 generate_certificate (self-signed): https://github.com/Yubico/yubikey-manager/blob/257e2ace7beec672ac867700d3305c035520e174/ykman/cli/piv.py#L877 delete_certificate: https://github.com/Yubico/yubikey-manager/blob/257e2ace7beec672ac867700d3305c035520e174/ykman/cli/piv.py#L946
|
@ericchiang the explanation is in the comment in the PR. If we need to support different (like signed CHUIDs) I would recommend that we do like the yubico tool and allow to directly pass in the encoded value instead of using the template. |
It seems that OSX (at least on 10.14.6) will not accept smartcards without a CHUID resulting in the following error:
failed to read CHUID record (Error Domain=CryptoTokenKit Code=-6 "(null)")
and the yubikey is not showing in
security list-smartcards
The card works for pkcs11 use cases, but is not recognized.
Values for yubikey CHUID and CCC are available here:
https://github.com/Yubico/yubico-piv-tool/blob/ebee7f63b85fe4373efc4d8d44cbe5fe321c158c/lib/util.c#L44
The text was updated successfully, but these errors were encountered: