From: Douglas E E. <dee...@gm...> - 2018-01-02 16:36:15
I opened an issue yesterday on this: https://github.com/OpenSC/OpenSC/issues/1230

Can you try the simple fix in: https://github.com/OpenSC/OpenSC/issues/1230#issuecomment-354787390

This would show if the problem is in just the select file vs select AID or if more is needed.

On 1/2/2018 9:37 AM, Jakub Jelen wrote:
> On Sun, 2017-12-31 at 14:56 +0100, Grzegorz Kulewski wrote:
>> I saw that issue before. Thank you for looking into it.
>>
>> What is the easiest/best way to disable PIV for now in the config
>> file?
>
> Hello.
> The referenced issue is from my point of view about consecutive usage
> of OpenPGP card and PIV at the same time from PKCS#11 and PGP directly.
>
> This question looks more like if we can access the OpenPGP card on
> yubikey using OpenSC.
>
> We have an openpgp driver and if we adjust the driver priority using
> card_drivers in /etc/opensc.conf, we should achieve this.
>
> But it does not work for me and I am not able to make OpenSC detect
> the OpenPGP applet over PKCS#11 (with OpenSC 0.17.0). I don't have a
> lot of experience with OpenPGP, but it might be the case that the
> driver does not support the version on yubikey or vice versa. The
> debug log should say more.
>
> Regards,
> Jakub
>
>> On 31.12.2017 at 14:41, Douglas E Engert wrote:
>>> You may want to read this issue and the comment:
>>> https://github.com/OpenSC/OpenSC/issues/953#issuecomment-353591483
>>>
>>> The main problem comes from having two applets on the same card
>>> that can not both be active at the same time because they interfere
>>> with each other and lose the login state, or two different
>>> applications try to have exclusive access to the card and lock each
>>> other out for long periods. This makes it impossible to get the
>>> serial number or determine if the applet even exists or is being used.
>>>
>>> Yubico could have solved this by treating the PGP and PIV apps as
>>> separate USB devices on the same Yubikey.
>>> They already emulate multiple USB devices but all the CCID applets
>>> look like they are on the same device.
>>> Best I can tell U2F does not use CCID so to the OS the Yubikey
>>> looks like multiple devices and U2F can work
>>> independently from the PIV or PGP.
>>>
>>> Right now OpenSC does not have a good way to determine which applet
>>> the user wants to use, PIV or PGP, other than to turn off one of
>>> the drivers in the opensc.conf file. Right now, if there is a PIV
>>> applet it is selected.
>>>
>>> As I said in https://github.com/OpenSC/OpenSC/issues/953#issuecomment-353591483
>>> I am going to look at what it would take to change the PIV driver
>>> to see if the PIV applet looks like it is active, i.e. has some
>>> certificate or other indication that it is initialized. If not, then
>>> let the PGP driver have a look at it. OR use an environment variable
>>> to say which one to select. OR see if both the PIV and PGP applets
>>> could be selected within OpenSC and present them as multiple slots to
>>> PKCS#11.
>>>
>>> The Yubikey is the only device I know of that has two applets
>>> OpenSC can support and OpenSC only selects one.
>>>
>>> On 12/30/2017 6:25 PM, Grzegorz Kulewski wrote:
>>>> Hello,
>>>>
>>>> Excuse me if it was answered before but I can't find it anywhere.
>>>> Also excuse my ignorance in SC standards and protocols.
>>>>
>>>> I think that OpenSC has supported normal OpenPGP cards for some time,
>>>> directly, without software like scute. For example there is
>>>> openpgp-tool, and with opensc-pkcs11.so programs like Firefox can
>>>> access an OpenPGP card as a key/cert store for TLS client
>>>> certificate auth.
>>>>
>>>> Yubikey 4 is supposed to emulate an OpenPGP card (and support other
>>>> protocols, including PIV and U2F). But openpgp-tool doesn't seem
>>>> to work with Yubikey 4 and opensc-pkcs11.so loaded in Firefox
>>>> seems to only discover the PIV side of Yubikey 4.
>>>> Also https://github.com/sektioneins/micro-ca-tool does not seem to
>>>> talk with Yubikey 4, probably because OpenSC doesn't recognize it
>>>> as an OpenPGP card.
>>>>
>>>> Since in our organization we care about compatibility with
>>>> "normal" OpenPGP cards, we want to configure OpenSC to support
>>>> Yubikey 4 as a normal OpenPGP card (in addition or instead of
>>>> PIV). Is it possible? If not: why? If yes: how?

-- 
Douglas E. Engert <DEE...@gm...>
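Grzegorz's question of how to disable PIV in the config file, and Jakub's answer that the driver list is controlled by card_drivers in opensc.conf, as an added example that is not part of this thread nor of OpenSC itself: a script that writes a config naming only the openpgp driver and then probes the inserted card under that config. It assumes opensc-tool is installed, that OPENSC_CONF points OpenSC at an alternate config file, and that the card_drivers syntax matches the shipped opensc.conf example; the driver short name "PIV-II" for the PIV driver is also assumed.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSC). Restricting OpenSC to
# the openpgp driver means the PIV driver is never given the card; whether
# the Yubikey's OpenPGP applet is then matched is what the probe shows.

# Write a minimal opensc.conf to $1 that loads only the listed driver(s).
# "internal" (the full built-in list, assumed keyword) is deliberately left
# out, so drivers not named here, such as PIV-II, are never tried.
write_opensc_conf() {
    conf="$1"
    drivers="${2:-openpgp}"
    cat > "$conf" <<EOF
app default {
    # only these drivers are consulted, in this order
    card_drivers = $drivers;
}
EOF
}

# Return 0 when the config names the given driver first in card_drivers.
conf_prefers() {
    grep -E "^[[:space:]]*card_drivers[[:space:]]*=[[:space:]]*$2" "$1" >/dev/null
}

# Ask OpenSC which card driver it selects under the alternate config.
# opensc-tool -n prints the matched card's name; errors are shown too,
# because "no card driver matched" is itself the diagnostic.
probe_card() {
    OPENSC_CONF="$1" opensc-tool -n 2>&1
}

# Only touch the reader when explicitly asked: sh script.sh run
if [ "${1:-}" = "run" ]; then
    tmp="$(mktemp)"
    write_opensc_conf "$tmp" openpgp
    probe_card "$tmp"
    rm -f "$tmp"
fi
```

If the probe still reports no matching driver with the Yubikey inserted, that matches what Jakub saw on 0.17.0 and the OpenSC debug log is the next place to look.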