From: Douglas E E. <dee...@gm...> - 2017-12-31 13:41:41
You may want to read this issue and the comment: https://github.com/OpenSC/OpenSC/issues/953#issuecomment-353591483

The main problem comes from having two applets on the same card that cannot both be active at the same time, because they interfere with each other and lose the login state, or two different applications try to have exclusive access to the card and lock each other out for long periods. This makes it impossible to get the serial number or determine if the applet even exists or is being used.

Yubico could have solved this by treating the PGP and PIV apps as separate USB devices on the same Yubikey. They already emulate multiple USB devices, but all the CCID applets look like they are on the same device. Best I can tell, U2F does not use CCID, so to the OS the Yubikey looks like multiple devices and U2F can work independently from the PIV or PGP.

Right now OpenSC does not have a good way to determine which applet the user wants to use, PIV or PGP, other than to turn off one of the drivers in the opensc.conf file. Right now, if there is a PIV applet, it is selected.

As I said in https://github.com/OpenSC/OpenSC/issues/953#issuecomment-353591483 I am going to look at what it would take to change the PIV driver to see if the PIV applet looks like it is active, i.e. has some certificate or other indication that it is initialized. If not, then let the PGP driver have a look at it. OR use an environment variable to say which one to select. OR see if both the PIV and PGP applets could be selected within OpenSC and present them as multiple slots to PKCS#11.

The Yubikey is the only device I know of that has two applets OpenSC can support, and OpenSC only selects one.

On 12/30/2017 6:25 PM, Grzegorz Kulewski wrote:
> Hello,
>
> Excuse me if it was answered before, but I can't find it anywhere. Also excuse my ignorance in SC standards and protocols.
>
> I think that OpenSC has supported normal OpenPGP cards for some time, directly, without software like scute. For example there is openpgp-tool, and with opensc-pkcs11.so programs like Firefox can access an OpenPGP card as a key/cert store for TLS client certificate auth.
>
> Yubikey 4 is supposed to emulate an OpenPGP card (and support other protocols, including PIV and U2F). But openpgp-tool doesn't seem to work with Yubikey 4, and opensc-pkcs11.so loaded in Firefox seems to only discover the PIV side of Yubikey 4. Also https://github.com/sektioneins/micro-ca-tool does not seem to talk with Yubikey 4, probably because OpenSC doesn't recognize it as an OpenPGP card.
>
> Since in our organization we care about compatibility with "normal" OpenPGP cards, we want to configure OpenSC to support Yubikey 4 as a normal OpenPGP card (in addition to or instead of PIV). Is it possible? If not: why? If yes: how?
>
> Thank you in advance.

--
Douglas E. Engert <DEE...@gm...>
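The opensc.conf workaround mentioned in the reply (turning off one driver so the PIV applet is not selected first) looks like the fragment below. This is an added example, not from the thread; it assumes the documented `card_drivers` option of the `app default` block and the driver short name `openpgp` as listed by `opensc-tool -D`.

```conf
# Added example: restrict OpenSC to the OpenPGP card driver only, so a
# Yubikey 4 that also carries a PIV applet is handled as an OpenPGP card.
# Assumes the documented "card_drivers" option and the short name "openpgp"
# reported by `opensc-tool -D`; the default "internal" loads all built-in
# drivers, with PIV matched before OpenPGP.
app default {
    # Default (all drivers, PIV wins on a Yubikey 4):
    # card_drivers = internal;

    # Only the OpenPGP driver is loaded, so the PIV applet is never selected:
    card_drivers = openpgp;
}
```

This only controls which OpenSC driver binds to the card; it does not resolve the exclusive-access conflict described above when another application already holds the reader.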