From: Jakub J. <jj...@re...> - 2018-01-02 15:37:51
On Sun, 2017-12-31 at 14:56 +0100, Grzegorz Kulewski wrote:
> I saw that issue before. Thank you for looking into it.
>
> What is the easiest/best way to disable PIV for now in the config
> file?

Hello.

The referenced issue is from my point of view about consecutive usage of OpenPGP card and PIV at the same time from PKCS#11 and PGP directly.

This question looks more like whether we can access the OpenPGP card on yubikey using OpenSC. We have an openpgp driver and if we adjust the driver priority using card_drivers in /etc/opensc.conf, we should achieve this. But it does not work for me and I am not able to make OpenSC detect the OpenPGP applet over PKCS#11 (with OpenSC 0.17.0). I don't have a lot of experience with OpenPGP, but it might be the case that the driver does not support the version on yubikey or vice versa. The debug log should say more.

Regards,
Jakub

> On 31.12.2017 at 14:41, Douglas E Engert wrote:
> > You may want to read this issue and the comment:
> > https://github.com/OpenSC/OpenSC/issues/953#issuecomment-353591483
> >
> > The main problem comes from having two applets on the same card that can not both be active at the same time because they interfere with each other and lose the login state, or two different applications try to have exclusive access to the card and lock each other out for long periods. Which makes it impossible to get the serial number or determine if the applet even exists or is being used.
> >
> > Yubico could have solved this by treating the PGP and PIV apps as separate USB devices on the same Yubikey. They already emulate multiple USB devices but all the CCID applets look like they are on the same device. Best I can tell U2F does not use CCID so to the OS the Yubikey looks like multiple devices and U2F can work independently from the PIV or PGP.
> >
> > Right now OpenSC does not have a good way to determine which applet the user wants to use, PIV or PGP, other than to turn off one of the drivers in the opensc.conf file. Right now, if there is a PIV applet it is selected.
> >
> > As I said in https://github.com/OpenSC/OpenSC/issues/953#issuecomment-353591483 I am going to look at what it would take to change the PIV driver to see if the PIV applet looks like it is active, i.e. has some certificate or other indication that it is initialized. If not, then let the PGP driver have a look at it. OR use an environment variable to say which one to select. OR see if both the PIV and PGP applets could be selected within OpenSC and presented as multiple slots to PKCS#11.
> >
> > The Yubikey is the only device I know of that has two applets OpenSC can support and OpenSC only selects one.
> >
> > On 12/30/2017 6:25 PM, Grzegorz Kulewski wrote:
> > > Hello,
> > >
> > > Excuse me if it was answered before but I can't find it anywhere. Also excuse my ignorance in SC standards and protocols.
> > >
> > > I think that OpenSC has supported normal OpenPGP cards for some time, directly, without software like scute. For example there is openpgp-tool and with opensc-pkcs11.so programs like Firefox can access an OpenPGP card as a key/cert store for TLS client certificate auth.
> > >
> > > Yubikey 4 is supposed to emulate an OpenPGP card (and support other protocols, including PIV and U2F). But openpgp-tool doesn't seem to work with Yubikey 4 and opensc-pkcs11.so loaded in Firefox seems to only discover the PIV side of Yubikey 4. Also https://github.com/sektioneins/micro-ca-tool does not seem to talk with Yubikey 4, probably because OpenSC doesn't recognize it as an OpenPGP card.
> > >
> > > Since in our organization we care about compatibility with "normal" OpenPGP cards, we want to configure OpenSC to support Yubikey 4 as a normal OpenPGP card (in addition to or instead of PIV). Is it possible? If not: why? If yes: how?

--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
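The driver-priority change Jakub describes and the "turn off one driver" option Douglas mentions, written out as an added opensc.conf fragment (constructed for this reply, not a config from the thread or from the OpenSC project); it assumes the `card_drivers`, `debug` and `debug_file` options of the `app default` block as they exist in OpenSC 0.17, and the log path is a placeholder.

```conf
# Constructed example: merge into /etc/opensc.conf rather than replacing it.
app default {
    # Try the openpgp driver before the compiled-in list, so a Yubikey that
    # carries both applets is offered to the OpenPGP driver first.
    # "internal" expands to OpenSC's built-in driver list in its default order.
    card_drivers = openpgp, internal;

    # Alternative: name the drivers explicitly. Anything not listed, piv
    # included, is never loaded, which disables PIV instead of just lowering
    # its priority. Use one of the two card_drivers lines, not both.
    # card_drivers = openpgp;

    # Raise verbosity so the log records which driver claimed the card and
    # whether selecting the OpenPGP applet failed, as Jakub suggests checking.
    debug = 3;
    debug_file = /tmp/opensc-debug.log;   # placeholder path
}
```

After the change, `opensc-tool -D` lists the drivers in the order OpenSC will try them and `opensc-tool -n` prints the card name as matched by the winning driver, which confirms whether the openpgp driver actually took the Yubikey before testing through opensc-pkcs11.so.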