From: Grzegorz K. <gk...@le...> - 2017-12-31 13:56:55
I saw that issue before. Thank you for looking into it. What is the easiest/best way to disable PIV for now in the config file?

On 31.12.2017 at 14:41, Douglas E Engert wrote:
> You may want to read this issue and the comment:
> https://github.com/OpenSC/OpenSC/issues/953#issuecomment-353591483
>
> The main problem comes from having two applets on the same card that cannot both be active
> at the same time because they interfere with each other and lose the login state, or two different applications
> try to have exclusive access to the card and lock each other out for long periods. This makes it
> impossible to get the serial number or determine if the applet even exists or is being used.
>
> Yubico could have solved this by treating the PGP and PIV apps as separate USB devices on the same Yubikey.
> They already emulate multiple USB devices, but all the CCID applets look like they are on the same device.
> Best I can tell, U2F does not use CCID, so to the OS the Yubikey looks like multiple devices and U2F can work
> independently from the PIV or PGP.
>
> Right now OpenSC does not have a good way to determine which applet the user wants to use, PIV or PGP,
> other than to turn off one of the drivers in the opensc.conf file. Right now, if there is a PIV applet,
> it is selected.
>
> As I said in https://github.com/OpenSC/OpenSC/issues/953#issuecomment-353591483
> I am going to look at what it would take to change the PIV driver to see if the PIV applet looks
> like it is active, i.e. has some certificate or other indication that it is initialized. If not, then
> let the PGP driver have a look at it. OR use an environment variable to say which one to select. OR see
> if both the PIV and PGP applets could be selected within OpenSC and presented as multiple slots to PKCS#11.
>
> The Yubikey is the only device I know of that has two applets OpenSC can support and OpenSC only selects one.
>
>
> On 12/30/2017 6:25 PM, Grzegorz Kulewski wrote:
>> Hello,
>>
>> Excuse me if it was answered before, but I can't find it anywhere. Also excuse my ignorance in SC standards and protocols.
>>
>> I think that OpenSC has supported normal OpenPGP cards for some time, directly, without software like scute. For example there is openpgp-tool, and with opensc-pkcs11.so programs like Firefox can access an OpenPGP card as a key/cert store for TLS client certificate auth.
>>
>> Yubikey 4 is supposed to emulate an OpenPGP card (and support other protocols, including PIV and U2F). But openpgp-tool doesn't seem to work with Yubikey 4, and opensc-pkcs11.so loaded in Firefox seems to only discover the PIV side of Yubikey 4. Also https://github.com/sektioneins/micro-ca-tool does not seem to talk with Yubikey 4, probably because OpenSC doesn't recognize it as an OpenPGP card.
>>
>> Since in our organization we care about compatibility with "normal" OpenPGP cards, we want to configure OpenSC to support Yubikey 4 as a normal OpenPGP card (in addition to or instead of PIV). Is it possible? If not: why? If yes: how?

-- 
Grzegorz Kulewski
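An added illustration of the opensc.conf workaround Douglas mentions (restricting which card drivers OpenSC loads so that the PIV driver never claims the Yubikey); this fragment is not from the thread or from the OpenSC project, and the driver short names `openpgp` and `PIV-II`, the `force_card_driver` option and the config file path are assumptions to confirm against your own installation with `opensc-tool --list-drivers` and the opensc.conf shipped with your OpenSC version.

```conf
# Added example fragment for opensc.conf (assumed location: /etc/opensc.conf
# or /etc/opensc/opensc.conf, depending on the distribution). Not from the thread.
app default {
    # The default, "internal", loads every built-in card driver in OpenSC's
    # own order, in which the PIV driver matches the Yubikey before OpenPGP.
    # Listing drivers explicitly (without "internal") loads only those named,
    # so PIV is simply never tried. Driver short names are assumptions; list
    # the real ones with:  opensc-tool --list-drivers
    card_drivers = openpgp;

    # Alternative (assumed option name): skip ATR-based driver detection
    # entirely and hand every inserted card to one driver. Leave this
    # commented out if other cards than the Yubikey are used on the host.
    # force_card_driver = openpgp;
}
```

With the explicit `card_drivers` list in place, `opensc-tool -n` (print the card name) should report the OpenPGP card rather than the PIV card, and `pkcs11-tool --module opensc-pkcs11.so -L` should then show the OpenPGP slots. Note the trade-off Douglas describes: this is a host-wide choice, so PIV use on the same machine stops working until the line is reverted.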