Unable to import pfx in YubiKey PIV manager #16
Comments
Additionally, if I re-open the management app, and attempt to load, it will prompt for the PIN and then the Management key. I'm wondering if the key derivation for the management key is failing somehow.
It looks like it may have something to do with the management pin. Manager is just calling the piv-tool, with the command:
It seems that the GUI manager app tries to write a special configuration object into the applet (with tag I've reproduced this myself, and then also altered the applet to support storing and retrieving this configuration object at It looks like the newer
This fixed the error with it keeping popping up the PIN dialog, but it still won't let me import. Using a fresh install of the latest .cap: Test certificate, password "1234".
Trying to hunt down what's going on here, I did a capture. The first packets (<=8722) were launching the YubiKey PIV manager, letting it detect the card, and changing the PIN/master key (to 222222 and a derived master key from the PIN). The later packets (>=12890) consist of attempting to load a P12 file to the card. It's a test .p12. I've attached both a text and a pcap capture of the process.
It looks like over and over again throughout this it's failing to perform the admin (9b) authentication with the card. Interestingly, this is not what it does for me here (it seems to work fully from setting up PIN to importing a p12 file) -- but I'm on Linux not Windows and might have a different version of the PIV manager. Is there any chance you could get an APDU trace like that with the full data rather than "..." at the end of things? It would be useful to see the full 3DES key it actually set the admin key to and try to verify the encryption by hand.
Looks like the pcap file is truncated by the windows usb capture driver I'm using. I'm working on a utility to reconstruct packets from the USB analyzer I have into Wireshark so I can use the CCID decoder and dump all the APDUs.
Ah, sorry, thought the pcap was truncated as well, but it isn't actually in any of the packets that actually matter (just in some mostly irrelevant spots). Looking at the admin auth attempts, it seems like the card is behaving correctly. The value for the first challenge-response pair that the host is sending (with the default admin key) looks right, then it changes the admin key, and then the auth on the new admin key looks ok as well. In the final exchange of the earlier set of packets it writes the PIVMAN file, and that succeeds. This is roughly the same as what I observe In the second set of APDUs (after +83 seconds) the host does successful admin auth with the card and then... stops? It doesn't send any APDUs to try to import a key or certificate, but it also doesn't receive any errors from the card. I've decrypted the challenge-response pairs there and the admin auth looks fine and using the correct key (the new one it set in the first exchange). It seems like it's not actually trying to send the key/certificate to the card. Could it be that it's actually having trouble interpreting the FWIW I've tried with the .p12 you have in the
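The check described in the comment above (decrypting the slot 9B challenge-response pairs from the APDU trace against the management key the host set, to confirm the card and host agree on the key) can be done offline. The following is an added example, not code from this thread, from YubiKey PIV Manager or from the applet. It assumes the SP 800-73 GENERAL AUTHENTICATE flow (host requests a witness with `7C 02 80 00`, the card returns `80` = 3DES(nonce), the host returns the decrypted nonce in `80` plus its own challenge in `81`, the card answers with `82` = 3DES(challenge)), and the APDU bytes in `main()` are constructed from a published single-DES test vector rather than taken from the attached capture.

```python
"""Verify a PIV slot-9B (management key) GENERAL AUTHENTICATE exchange
taken from an APDU trace.  Added example, not code from the thread or
from yubikey-piv-manager; the APDU bytes in main() are constructed."""
from __future__ import annotations

try:  # cryptography >= 43 keeps 3DES under the "decrepit" namespace
    from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
except ImportError:
    try:  # older cryptography releases
        from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
    except ImportError:  # no cryptography installed: TLV parsing still works
        TripleDES = None

DEFAULT_MGMT_KEY = bytes.fromhex("0102030405060708" * 3)  # SP 800-73 default
TAG_TEMPLATE, TAG_WITNESS, TAG_CHALLENGE, TAG_RESPONSE = 0x7C, 0x80, 0x81, 0x82


def parse_tlv(data: bytes) -> list[tuple[int, bytes]]:
    """Parse a flat run of single-byte-tag BER-TLV items (lengths < 64 KiB)."""
    items, i = [], 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length == 0x81:
            length, i = data[i], i + 1
        elif length == 0x82:
            length, i = int.from_bytes(data[i:i + 2], "big"), i + 2
        elif length > 0x82:
            raise ValueError(f"unsupported length byte {length:#x}")
        if i + length > len(data):
            raise ValueError("truncated TLV (trace cut off with '...'?)")
        items.append((tag, data[i:i + length]))
        i += length
    return items


def auth_fields(body: bytes) -> dict[int, bytes]:
    """Return the 80/81/82 fields of the 7C dynamic authentication template."""
    outer = dict(parse_tlv(body))
    if TAG_TEMPLATE not in outer:
        raise ValueError("no 7C template in APDU body")
    return dict(parse_tlv(outer[TAG_TEMPLATE]))


def split_response(resp: bytes) -> tuple[bytes, int]:
    """Split a response APDU into (data, status word SW1SW2)."""
    return resp[:-2], int.from_bytes(resp[-2:], "big")


def tdes_ecb(key: bytes, block: bytes, encrypt: bool = True) -> bytes:
    """Single-block 3DES-ECB, the primitive behind PIV 9B authentication."""
    if TripleDES is None:
        raise RuntimeError("the 'cryptography' package is required for 3DES")
    if len(key) != 24 or len(block) != 8:
        raise ValueError("need a 24-byte key and an 8-byte block")
    from cryptography.hazmat.primitives.ciphers import Cipher, modes
    op = Cipher(TripleDES(key), modes.ECB())
    op = op.encryptor() if encrypt else op.decryptor()
    return op.update(block) + op.finalize()


def verify_exchange(key: bytes, card_witness_resp: bytes,
                    host_cmd_data: bytes, card_final_resp: bytes) -> tuple[bool, bool]:
    """Check both halves of mutual authentication under `key`.

    card_witness_resp : card's reply to '7C 02 80 00': 7C { 80 E_K(nonce) }
    host_cmd_data     : host's follow-up body:        7C { 80 nonce, 81 challenge }
    card_final_resp   : card's reply:                 7C { 82 E_K(challenge) }
    Returns (witness_ok, challenge_ok); a failed status word fails both.
    """
    w_data, w_sw = split_response(card_witness_resp)
    f_data, f_sw = split_response(card_final_resp)
    if w_sw != 0x9000 or f_sw != 0x9000:
        return (False, False)
    witness = auth_fields(w_data)[TAG_WITNESS]
    host = auth_fields(host_cmd_data)
    response = auth_fields(f_data)[TAG_RESPONSE]
    witness_ok = tdes_ecb(key, witness, encrypt=False) == host[TAG_WITNESS]
    challenge_ok = tdes_ecb(key, host[TAG_CHALLENGE]) == response
    return (witness_ok, challenge_ok)


# Constructed trace: key with K1 == K2 == K3 == 0123456789ABCDEF, so 3DES
# reduces to single DES and the NBS "Now is the time for all " vectors apply.
TRACE_KEY = bytes.fromhex("0123456789abcdef" * 3)
CARD_WITNESS = bytes.fromhex("7c0a8008" "3fa40e8a984d4815") + b"\x90\x00"
HOST_REPLY = bytes.fromhex("7c14" "8008" "4e6f772069732074" "8108" "68652074696d6520")
CARD_FINAL = bytes.fromhex("7c0a8208" "6a271787ab8883f9") + b"\x90\x00"


def main() -> None:
    for label, key in (("trace key", TRACE_KEY), ("default key", DEFAULT_MGMT_KEY)):
        print(label, verify_exchange(key, CARD_WITNESS, HOST_REPLY, CARD_FINAL))


if __name__ == "__main__":
    main()
```

Run it against the three APDUs of one 9B authentication pulled from the Wireshark CCID decode; with the trace bytes intact (no `...` truncation) a `(True, True)` result means host and card agree on the key, while `(False, True)` or `(True, False)` points at which side used a different key.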
To clarify, I don't mean that I think it's not the applet's fault (since you said it works with a real yubikey), but I'm not sure we're going to figure out what it's doing wrong from its side or the packet trace (since the application has decided not to bother trying the key import apparently)
I am unable to import a .pfx file using the latest released .cap and the YubiKey PIV Manager GUI.
The card is successfully detected, and I am prompted to perform device initialization. I select to use the PIN as management key. Once that finishes, I go to Certificates, Authentication, and attempt to import a .pfx file.
This gets me the error:
"Error: Failed to load PKCS12 from file. Unable to import private key"
As a test, I generated a new .pfx from scratch using the following commands:
Import still fails.