Unable to import ECCP256 key #36

Closed
vuori opened this issue Aug 5, 2020 · 3 comments

@vuori
vuori commented Aug 5, 2020

I'm trying to import an ECCP256 key to a J3H145 card running the latest PivApplet release (PivApplet-0.8.1-jc304-REePSAx.cap). Importing RSA keys works fine, but importing EC keys fails with yubico-piv-tool:

```
$ yubico-piv-tool -r '' -a import-key -i ec.key -s 82 -A ECCP256 -v2
Connect reader 'Alcor Micro AU9560 00 00' matching ''.
> 00 a4 04 00 05 a0 00 00 03 08
< 61 71 4f 0b a0 00 00 03 08 00 00 10 00 01 00 79 0d 4f 0b a0 00 00 03 08 00 00 10 00 01 00 50 17 50 69 76 41 70 70 6c 65 74 20 76 30 2e 38 2e 31 2f 52 45 65 50 53 41 5f 50 26 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 61 72 65 6b 69 6e 61 74 68 2f 50 69 76 41 70 70 6c 65 74 ac 11 80 01 03 80 01 06 80 01 07 80 01 11 80 01 14 06 00 90 00
> 00 fd 00 00 00
< 05 03 00 90 00
> 00 f8 00 00 00
< 98 b0 9a fb 90 00
Authenticating since action 'import-key' needs that.
<censored>
Successful application authentication.
Now processing for action 'import-key'.
Going to send 34 bytes in this go.
> <censored>
< 6a 80
Unable to import private key
```

pivy-tool fails in a similar manner:

```
$ pivy-tool -a eccp256 import 82 < ec.key
pivy-tool: error occurred while executing 'import'
  Caused by cmd_import: failed to import key
    in cmd_import() at pivy-tool.c:1354
  Caused by APDUError: Card replied with SW=6a80 (WRONG_DATA) to INS_IMPORT_ASYM(82)
    in ykpiv_import() at piv.c:2532
```

Meanwhile `pivy-tool -a eccp256 generate 82` works. However, the import attempt leaves the slot in a wonky state: if an RSA key is not generated first in the same slot, the ECC generate fails with `APDUError: Card replied with SW=6a81 (FUNC_NOT_SUPPORTED) to INS_GEN_ASYM`. After generating an RSA key in the slot first, an eccp256 key can be generated on the card.

`ssh-keygen -f ec.key -y` on the private key I'm attempting to import produces the expected public key. `openssl ec` output:

```
ASN1 OID: prime256v1
NIST CURVE: P-256
```

Is there something wrong with my key or PivApplet? (This key has been successfully imported to a Yubikey 5 with ykman.)
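
The SELECT reply in the trace above is a BER-TLV application property template, and decoding it shows which applet build answered and which algorithm IDs the card advertises. This is an added example, not part of the original issue and not code from PivApplet, yubico-piv-tool or pivy-tool; the function names are made up here, the tag meanings (61, 50, 5F50, AC, 80) are taken from the PIV card specification (NIST SP 800-73), and the algorithm IDs from NIST SP 800-78.

```python
# Card's reply to SELECT, copied from the trace in the issue above.
SELECT_RESPONSE = """
61 71 4f 0b a0 00 00 03 08 00 00 10 00 01 00 79 0d 4f 0b a0 00 00 03 08 00 00
10 00 01 00 50 17 50 69 76 41 70 70 6c 65 74 20 76 30 2e 38 2e 31 2f 52 45 65
50 53 41 5f 50 26 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 61
72 65 6b 69 6e 61 74 68 2f 50 69 76 41 70 70 6c 65 74 ac 11 80 01 03 80 01 06
80 01 07 80 01 11 80 01 14 06 00 90 00
"""
# Status-word names as pivy-tool prints them; algorithm IDs per NIST SP 800-78.
SW_NAMES = {0x9000: "OK", 0x6A80: "WRONG_DATA", 0x6A81: "FUNC_NOT_SUPPORTED"}
ALGS = {0x03: "3DES", 0x06: "RSA1024", 0x07: "RSA2048",
        0x11: "ECCP256", 0x14: "ECCP384"}

def parse_tlv(buf):
    """Yield (tag, value) for each BER-TLV object in buf."""
    i = 0
    while i < len(buf):
        tag, i = buf[i], i + 1
        if tag & 0x1F == 0x1F:           # multi-byte tag such as 5f50
            tag, i = (tag << 8) | buf[i], i + 1
            while tag & 0x80:            # more tag bytes follow
                tag, i = (tag << 8) | buf[i], i + 1
        length, i = buf[i], i + 1
        if length & 0x80:                # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        if i + length > len(buf):
            raise ValueError("truncated TLV")
        yield tag, buf[i:i + length]
        i += length

def split_response(hexstr):
    """Split a response APDU into (data bytes, status word name)."""
    raw = bytes.fromhex(hexstr)
    sw = int.from_bytes(raw[-2:], "big")
    return raw[:-2], SW_NAMES.get(sw, f"{sw:04x}")

def describe_select(hexstr):
    """Decode label, URL and advertised algorithms from a SELECT reply."""
    data, sw = split_response(hexstr)
    info = {"sw": sw}
    apt = dict(parse_tlv(data)).get(0x61, b"")   # application property template
    for t, v in parse_tlv(apt):
        if t in (0x50, 0x5F50):
            info["label" if t == 0x50 else "url"] = v.decode("ascii")
        elif t == 0xAC:                  # supported-algorithm list
            info["algs"] = [ALGS.get(a[0], hex(a[0]))
                            for at, a in parse_tlv(v) if at == 0x80 and a]
    return info
```

Running `describe_select(SELECT_RESPONSE)` on this trace shows that the card lists ECCP256 (0x11) among its algorithms, so the `6a 80` returned for the import is not the applet reporting an unsupported key type.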

@arekinath
Owner

It looks like during the work to add support for P-384 the setCurveParameters() calls got moved around and now EC import doesn't work. Should be an easy fix, and I'll add an auto-test to avoid regressions with it in future (there's an auto-test for RSA import but not EC import currently).

Re: the import attempt leaving the slot in a wonky state, that looks like a closely related bug -- the same swapping around of the order of those calls vs. clearKey() / key slot setup should fix that too.

@arekinath
Owner

Fix for this will be in 0.8.2

@vuori
Author

vuori commented Aug 6, 2020

Thanks, built the applet from master, imported the EC key, wrote a history object and it's working in pivy-agent.
