Page MenuHome GnuPG
Create Task
Maniphest T5790

Cannot use "Retired Cert Key Mgm [1-20]” Slots on YubiKey
Open, NormalPublic
Actions

Description

Desired behavior: Keys in the Slots 0x9d and 0x82 – 0x95 Can be used as encryption keys

Reason: I would like use the retired keys slots to store old keys

Observed behavoiour: only Keys in the Slot 0x9d can be used as encryption keys, keys in slot 0x82 – 0x95 canntot be used

The Yubikey provided utilities show that the key exists:

$  yubico-piv-tool -a status
Version:      5.1.2
Serial Number: 10114510
CHUID:       3019d4e739da739ced39ce739d836858210842108421c84210c3eb34102dbe5858f8fc511b186e42b664f8ba01350832303330303130313e00fe00
CCC:       f015a000000116ff02e7b9ec5dc46e7e5e3761b1c20f62f10121f20121f300f40100f50110f600f700fa00fb00fc00fd00fe00
Slot 9a:     
       Algorithm:    RSA2048
       Subject DN:   CN=CAcert WoT User/emailAddress=XXXXXX
       Issuer DN:    O=CAcert Inc., OU=http://XXXXX, CN=XXXX
       Fingerprint:  826[...]
       Not Before:   Dec 28 00:08:36 2019 GMT
       Not After:    Dec 27 00:08:36 2021 GMT
Slot 9c:     
       Algorithm:    RSA2048
       Subject DN:   C=DE, CN=XXXXXXXX
       Issuer DN:    C=BE, O=XXXXXXX
       Fingerprint:  69ed[...]
       Not Before:   Jan 15 14:24:57 2020 GMT
       Not After:    Jan 15 14:24:57 2023 GMT
Slot 9d:     
       Algorithm:    RSA2048
       Subject DN:   emailAddress=XXXXX
       Issuer DN:    C=XXXXXXXXXX
       Fingerprint:  4203[...]
       Not Before:   Nov  8 00:00:00 2019 GMT
       Not After:    Nov  7 23:59:59 2022 GMT
Slot 9e:     
       Algorithm:    RSA2048
       Subject DN:   C=DE, ST=North Rhine-Westphalia, [...]
       Issuer DN:    C=DE, ST=North Rhine-Westphalia, [...]
       Fingerprint:  0905[...]
       Not Before:   Jan 14 21:15:28 2020 GMT
       Not After:    Jan 13 21:15:28 2022 GMT
Slot 82:     
       Algorithm:    RSA2048
       Subject DN:   CN=XXXXXXX
       Issuer DN:    CN=XXXXXXXX
       Fingerprint:  f50c[...]
       Not Before:   Dec 17 19:04:46 2019 GMT
       Not After:    Dec 14 19:04:46 2029 GMT
PIN tries left:      10

The keys seams to get listed, but can not be selected:

2022-01-12 22:00:01 scdaemon[15338] DO 'Retired Cert Key Mgm 1': 5382036170820358308203543082023c[...]

$  grep "DO " ~/Library/Logs/scdaemon-dev.log
2022-01-12 21:31:23 scdaemon[12833] DO 'Card Capability Container': 5333f015a000000116ff02e7b9ec5dc4[...]
2022-01-12 21:31:23 scdaemon[12833] DO 'Cardholder Unique Id': 533b3019d4e739da739ced39ce739d83[...]
2022-01-12 21:31:23 scdaemon[12833] DO 'Cert PIV Authentication': 5382055e708205553082055130820339[...]
2022-01-12 21:31:23 scdaemon[12833] DO 'Cardholder Fingerprints' not available: Bad PIN
2022-01-12 21:31:23 scdaemon[12833] DO 'Security Object' not available: No such file or directory
2022-01-12 21:31:23 scdaemon[12833] DO 'Cardholder Facial Image' not available: Bad PIN
2022-01-12 21:31:23 scdaemon[12833] DO 'Cert Card Authentication': 538206d0708206c7308206c3308204ab[...]
2022-01-12 21:31:23 scdaemon[12833] DO 'Cert Digital Signature': 53820508708204ff308204fb308203e3[...]
2022-01-12 21:31:23 scdaemon[12833] DO 'Cert Key Management': 5382051f7082051630820512308203fa[...]
2022-01-12 21:31:23 scdaemon[12833] DO 'Printed Information' not available: Bad PIN
2022-01-12 21:31:23 scdaemon[12833] DO 'Discovery Object': 7e124f0ba0000003080000100001005f[...]
2022-01-12 21:31:23 scdaemon[12833] DO 'Key History Object': 5308c10114c20100fe00
2022-01-12 21:31:23 scdaemon[12833] DO 'Retired Cert Key Mgm 1': 5382036170820358308203543082023c[...]
2022-01-12 21:31:23 scdaemon[12833] DO 'Cardholder Iris Images' not available: Bad PIN
2022-01-12 22:00:01 scdaemon[15338] DO 'Card Capability Container': 5333f015a000000116ff02e7b9ec5dc4[...]
2022-01-12 22:00:01 scdaemon[15338] DO 'Cardholder Unique Id': 533b3019d4e739da739ced39ce739d83[...]
2022-01-12 22:00:01 scdaemon[15338] DO 'Cert PIV Authentication': 5382055e708205553082055130820339[...]
2022-01-12 22:00:01 scdaemon[15338] DO 'Cardholder Fingerprints' not available: Bad PIN
2022-01-12 22:00:01 scdaemon[15338] DO 'Security Object' not available: No such file or directory
2022-01-12 22:00:01 scdaemon[15338] DO 'Cardholder Facial Image' not available: Bad PIN
2022-01-12 22:00:01 scdaemon[15338] DO 'Cert Card Authentication': 538206d0708206c7308206c3308204ab[...]
2022-01-12 22:00:01 scdaemon[15338] DO 'Cert Digital Signature': 53820508708204ff308204fb308203e3[...]
2022-01-12 22:00:01 scdaemon[15338] DO 'Cert Key Management': 5382051f7082051630820512308203fa[...]
2022-01-12 22:00:01 scdaemon[15338] DO 'Printed Information' not available: Bad PIN
2022-01-12 22:00:01 scdaemon[15338] DO 'Discovery Object': 7e124f0ba0000003080000100001005f[...]
2022-01-12 22:00:01 scdaemon[15338] DO 'Key History Object': 5308c10114c20100fe00
2022-01-12 22:00:01 scdaemon[15338] DO 'Retired Cert Key Mgm 1': 5382036170820358308203543082023c[...]
2022-01-12 22:00:01 scdaemon[15338] DO 'Cardholder Iris Images' not available: Bad PIN

Details

Version
2.3.4

Related Objects
Search...

Event Timeline

manonfgoo created this task.Jan 18 2022, 1:19 AM
manonfgoo updated the task description. (Show Details)Jan 18 2022, 1:21 AM
werner triaged this task as Normal priority.Jan 18 2022, 7:20 AM
werner edited projects, added Feature Request, scd, gnupg (gpg23); removed Bug Report.
manonfgoo added a comment.Oct 6 2022, 10:29 PM

Attached you find a patch to this issue. This Patch sets the "keypair" attribute to the keys 0x82 to 0x95 unconditionaly.

If you do not want this to be set unconditionally, I could try to add a option "--piv-use-retired-keys " to scdaemon, and have the following meaning of
keypair: 0: do not use this slot for keys, 1:do not use this slot for keys when "opt.piv_use_retired_keys" is set, 2: Always use this slot for keys

What do you think about this?

diff --git a/scd/app-piv.c b/scd/app-piv.c
index a51ac31ec..14c5ee6fc 100644
--- a/scd/app-piv.c
+++ b/scd/app-piv.c
@@ -128,45 +128,45 @@ static struct data_object_s data_objects[] = {
     "Discovery Object" },
   { 0x5FC10C, 0, 0,1, 0,0, 0, "",   "2.96.96", NULL,
     "Key History Object" },
-  { 0x5FC10D, 0, 0,1, 0,0, 0, "82", "2.16.1",  "e",
+  { 0x5FC10D, 0, 0,1, 0,0, 1, "82", "2.16.1",  "e",
     "Retired Cert Key Mgm 1" },
-  { 0x5FC10E, 0, 0,1, 0,0, 0, "83", "2.16.2",  "e",
+  { 0x5FC10E, 0, 0,1, 0,0, 1, "83", "2.16.2",  "e",
     "Retired Cert Key Mgm 2" },
-  { 0x5FC10F, 0, 0,1, 0,0, 0, "84", "2.16.3",  "e",
+  { 0x5FC10F, 0, 0,1, 0,0, 1, "84", "2.16.3",  "e",
     "Retired Cert Key Mgm 3" },
-  { 0x5FC110, 0, 0,1, 0,0, 0, "85", "2.16.4",  "e",
+  { 0x5FC110, 0, 0,1, 0,0, 1, "85", "2.16.4",  "e",
     "Retired Cert Key Mgm 4" },
-  { 0x5FC111, 0, 0,1, 0,0, 0, "86", "2.16.5",  "e",
+  { 0x5FC111, 0, 0,1, 0,0, 1, "86", "2.16.5",  "e",
     "Retired Cert Key Mgm 5" },
-  { 0x5FC112, 0, 0,1, 0,0, 0, "87", "2.16.6",  "e",
+  { 0x5FC112, 0, 0,1, 0,0, 1, "87", "2.16.6",  "e",
     "Retired Cert Key Mgm 6" },
-  { 0x5FC113, 0, 0,1, 0,0, 0, "88", "2.16.7",  "e",
+  { 0x5FC113, 0, 0,1, 0,0, 1, "88", "2.16.7",  "e",
     "Retired Cert Key Mgm 7" },
-  { 0x5FC114, 0, 0,1, 0,0, 0, "89", "2.16.8",  "e",
+  { 0x5FC114, 0, 0,1, 0,0, 1, "89", "2.16.8",  "e",
     "Retired Cert Key Mgm 8" },
-  { 0x5FC115, 0, 0,1, 0,0, 0, "8A", "2.16.9",  "e",
+  { 0x5FC115, 0, 0,1, 0,0, 1, "8A", "2.16.9",  "e",
     "Retired Cert Key Mgm 9" },
-  { 0x5FC116, 0, 0,1, 0,0, 0, "8B", "2.16.10", "e",
+  { 0x5FC116, 0, 0,1, 0,0, 1, "8B", "2.16.10", "e",
     "Retired Cert Key Mgm 10" },
-  { 0x5FC117, 0, 0,1, 0,0, 0, "8C", "2.16.11", "e",
+  { 0x5FC117, 0, 0,1, 0,0, 1, "8C", "2.16.11", "e",
     "Retired Cert Key Mgm 11" },
-  { 0x5FC118, 0, 0,1, 0,0, 0, "8D", "2.16.12", "e",
+  { 0x5FC118, 0, 0,1, 0,0, 1, "8D", "2.16.12", "e",
     "Retired Cert Key Mgm 12" },
-  { 0x5FC119, 0, 0,1, 0,0, 0, "8E", "2.16.13", "e",
+  { 0x5FC119, 0, 0,1, 0,0, 1, "8E", "2.16.13", "e",
     "Retired Cert Key Mgm 13" },
-  { 0x5FC11A, 0, 0,1, 0,0, 0, "8F", "2.16.14", "e",
+  { 0x5FC11A, 0, 0,1, 0,0, 1, "8F", "2.16.14", "e",
     "Retired Cert Key Mgm 14" },
-  { 0x5FC11B, 0, 0,1, 0,0, 0, "90", "2.16.15", "e",
+  { 0x5FC11B, 0, 0,1, 0,0, 1, "90", "2.16.15", "e",
     "Retired Cert Key Mgm 15" },
-  { 0x5FC11C, 0, 0,1, 0,0, 0, "91", "2.16.16", "e",
+  { 0x5FC11C, 0, 0,1, 0,0, 1, "91", "2.16.16", "e",
     "Retired Cert Key Mgm 16" },
-  { 0x5FC11D, 0, 0,1, 0,0, 0, "92", "2.16.17", "e",
+  { 0x5FC11D, 0, 0,1, 0,0, 1, "92", "2.16.17", "e",
     "Retired Cert Key Mgm 17" },
-  { 0x5FC11E, 0, 0,1, 0,0, 0, "93", "2.16.18", "e",
+  { 0x5FC11E, 0, 0,1, 0,0, 1, "93", "2.16.18", "e",
     "Retired Cert Key Mgm 18" },
-  { 0x5FC11F, 0, 0,1, 0,0, 0, "94", "2.16.19", "e",
+  { 0x5FC11F, 0, 0,1, 0,0, 1, "94", "2.16.19", "e",
     "Retired Cert Key Mgm 19" },
-  { 0x5FC120, 0, 0,1, 0,0, 0, "95", "2.16.20", "e",
+  { 0x5FC120, 0, 0,1, 0,0, 1, "95", "2.16.20", "e",
     "Retired Cert Key Mgm 20" },
   { 0x5FC121, 0, 2,2, 0,0, 0, "",   "2.16.21", NULL,
     "Cardholder Iris Images" },
manonfgoo mentioned this in T6229: Include ability to use any/all of the keys stored on YubiKey's PIV applet ("retired" keys).Oct 6 2022, 10:30 PM
werner closed this task as a duplicate of T6229: Include ability to use any/all of the keys stored on YubiKey's PIV applet ("retired" keys).Oct 7 2022, 9:34 AM
werner closed this task as a duplicate of T6229: Include ability to use any/all of the keys stored on YubiKey's PIV applet ("retired" keys).
werner added a parent task: T6229: Include ability to use any/all of the keys stored on YubiKey's PIV applet ("retired" keys).
werner reopened this task as Open.Oct 7 2022, 9:36 AM
werner added a subscriber: werner.

[Merging didn't work]

manonfgoo added a comment.EditedOct 7 2022, 10:37 AM

The patch applies with -p1 to the master brach, alternatively I could push a commit, but my user does not seam to be allowed to do so:

manon@mycomputer gnupg % git diff  > /tmp/piv.patch 
manon@fiona gnupg % git remote -v 
origin	git://git.gnupg.org/gnupg.git (fetch)
origin	git://git.gnupg.org/gnupg.git (push)
manon@mycomputer gnupg % cd /tmp 
manon@mycomputer /tmp % git clone git://git.gnupg.org/gnupg.git  
Cloning into 'gnupg'...
....
manon@mycomputer /tmp % cd gnupg 
manon@mycomputer gnupg % patch -p1 < /tmp/piv.patch 
patching file scd/app-piv.c
manon@mycomputer gnupg % git checkout -b T5790-piv-w-retired-keys
Switched to a new branch 'T5790-piv-w-retired-keys'
manon@mycomputer gnupg % git add scd/app-piv.c
manon@mycomputer gnupg % git commit -m "T5790: allow access to retired keys"
manon@mycomputer gnupg % git push --set-upstream origin T5790-piv-w-retired-keys

fatal: remote error: access denied or repository not exported: /gnupg.git
manon@mycomputer gnupg %
manonfgoo added a comment.Oct 7 2022, 10:49 AM

Here is the patch as file:

piv.patch3 KBDownload

margirou added a subscriber: margirou.Oct 7 2022, 12:17 PM
manonfgoo updated the task description. (Show Details)Oct 7 2022, 2:46 PM
manonfgoo added a comment.Oct 8 2022, 8:41 PM

@margirou:

Can you test the Patch, does it work for you ?

Kind regards,
Manon

manonfgoo added a comment.Oct 8 2022, 8:44 PM
In T5790#163886, @werner wrote:

[Merging didn't work]

Dear @werner,

I am not familiar with your build environment. Is it possible to Sent you create a merge request on the GnuPG Development Hub?

Kind regards,
Manon

margirou added a comment.Oct 9 2022, 11:39 AM
In T5790#163980, @manonfgoo wrote:

@margirou:

Can you test the Patch, does it work for you ?

Kind regards,
Manon

Hello,

Unfortunately, I do not have a build environment ready ATM. Im using Gpg4win and there are come issues with DLL rebasing and Code Integrity that I haven't got into fixing yet.

werner added a project: gnupg24.Dec 13 2022, 11:21 AM
manonfgoo added a comment.Aug 1 2023, 2:45 AM

Dear Werner, have you had any toughts about this ?

Kind regards,
Manon