On Mon, Dec 5, 2016 at 2:41 AM, Jakub Jelen <jjelen@xxxxxxxxxx> wrote:
> On 12/03/2016 01:50 PM, Nathaniel McCallum wrote:
>>
>> So apparently yubico-piv-tool ships $libdir/libykpkcs11.so*, but this
>> doesn't get picked up by p11-kit by default. I suspect it has gone
>> unnoticed largely because for most crucial operations the opensc
>> module also works with Yubikeys. However, this is not true for all
>> operations (in particular, in my case, key creation).
>>
>> How can we make this happen? Is there some intentional reason Yubico's
>> PKCS#11 module has been excluded?
>
> Hello,
> In case of the modules accessing the same hardware tokens, there is a
> problem that they show up more times while listed by p11-kit. We had
> a similar problem with opensc && coolkey once both of them worked with PIV
> cards.
>
> Ideal solution would be to implement the PIV key creation in OpenSC (what
> exactly does not work with which yubikey?). We can't use only yubico module,
> since PIV is not only the yubico one.

$ pkcs11-tool --module /usr/lib64/libykcs11.so.1 -l --login-type so -k --key-type EC:prime256v1 -d 1 --usage-sign
Using slot 0 with a present token (0x0)
Logging in to "YubiKey PIV".
Please enter SO PIN:
Key pair generated:
Private Key Object; EC
  label:      Private key for Card Authentication
  ID:         01
  Usage:      sign
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   04410434d393db4a9ba3ca022404e3f887fa98d3b1d9e35c2d4b901bf62b31bfecd3beee4919b310c02677edac6eef482fd2881f5fae0ac61d3765ef5b6c390221a4ab
  EC_PARAMS:  06082a8648ce3d030107
  label:      Public key for Card Authentication
  ID:         01
  Usage:      verify

$ pkcs11-tool --module /usr/lib64/opensc-pkcs11.so -l --login-type so -k --key-type EC:prime256v1 -d 1 --usage-sign
Using slot 0 with a present token (0x0)
Logging in to "PIV_II (PIV Card Holder pin)".
Please enter SO PIN:
error: PKCS11 function C_Login failed: rv = CKR_ARGUMENTS_BAD (0x7)

$ pkcs11-tool --module /usr/lib64/opensc-pkcs11.so -l --login-type so -k
Using slot 0 with a present token (0x0)
Logging in to "PIV_II (PIV Card Holder pin)".
Please enter SO PIN:
error: PKCS11 function C_Login failed: rv = CKR_ARGUMENTS_BAD (0x7)

$ pkcs11-tool --module /usr/lib64/opensc-pkcs11.so -l -k --key-type EC:prime256v1 -d 1 --usage-sign
Using slot 0 with a present token (0x0)
Logging in to "PIV_II (PIV Card Holder pin)".
Please enter User PIN:
error: Generate EC key mechanism not supported

$ pkcs11-tool --module /usr/lib64/opensc-pkcs11.so -l -k
Using slot 0 with a present token (0x0)
Logging in to "PIV_II (PIV Card Holder pin)".
Please enter User PIN:
error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)