Comments (16)
OpenSC 0.20.0 is some years old. Can you try with a more recent version or master?
Do you have a backtrace from the crash? The operations look successful in all the examples you provided.
from opensc.
PIV-type cards determine the type and size of a key from the certificate that is stored on the card, in its SubjectPublicKeyInfo. Some possible problems:
- ykman has not updated the certificate if one is already present.
- OpenSC's certificate cache on disk is being used, it is out of date, and the cert has the wrong SPKI. See "use_file_caching" in man opensc.conf.
- The SSH host has the wrong public key.
An OpenSC debug log would help, as would ./pkcs15-tool --read-certificate 01 | openssl x509 -text -noout
from opensc.
pkcs15-tool --read-certificate 01 | openssl x509 -text -noout
Using reader with a card: Yubico YubiKey FIDO+CCID 0
Warning: Reading certificate from stdin since no -in or -new option is given
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=yubico
        Validity
            Not Before: Mar 18 04:42:21 2024 GMT
            Not After : Mar 18 04:42:21 2025 GMT
        Subject: CN=yubico
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                ASN1 OID: prime256v1
                NIST CURVE: P-256
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
from opensc.
certutil -scinfo: https://gist.github.com/Z1Turn0/ef37fc2fd3807c91d2ba4ddae7ecc924
some log: https://gist.github.com/Z1Turn0/9387f073729ef3894e327034dcbcb623
from opensc.
@Z1Turn0, in the output from #3073 (comment), did you blank out the "Serial Number", "pub:" and "Signature:"? If not, it looks like ykman only wrote the minimal information to let the PIV driver know there is a private key.
What is the output of pkcs15-tool.exe --read-ssh-key 01
https://netsarang.atlassian.net/wiki/spaces/ENSUP/pages/2086437094/SSH+access+via+PIV+smart+card+using+CAPI says: "Select ‘RSA2048’ or ‘RSA1024’ as the algorithm. As of November 20, 2023, ECCP256 is not supported by Xshell", so testing using certutil (which uses CAPI) is not a part of this problem. Also, Windows uses the Microsoft built-in PIV driver for CAPI.
Do you see any indication that Xshell using PKCS11 supports ECC keys? All examples I have seen are RSA.
from opensc.
Because I got a crash using the latest release version, I finally changed to version 0.20.0, as in the Xshell document.
from opensc.
Yes, I deleted the "Serial Number", "pub:" and "Signature:" values from the printout.
from opensc.
I thought that the certificate algorithm is handled by the OpenSC middleware, so I didn't consider whether Xshell supports ECC ...
from opensc.
What is the output of pkcs15-tool.exe --read-ssh-key 01
Can you try using PuTTY?
"I thought that the certificate algorithm is handled by opensc middleware, so I didn't consider whether xshell supports ecc ..."
That is not clear.
Also try using OpenSC SPY to get a trace of the PKCS11 calls, and get an OpenSC debug log. See: https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC
from opensc.
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(630.33b4): Access violation - code c0000005 (first/second chance not available)
For analysis of this file, run !analyze -v
eax=00000000 ebx=00000000 ecx=00f5c034 edx=00f5c034 esi=00000000 edi=00000378
eip=77a7679c esp=0019da60 ebp=0019dacc iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200216
ntdll!NtWaitForSingleObject+0xc:
77a7679c c20c00 ret 0Ch
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
KEY_VALUES_STRING: 1
Key : AV.Fault
Value: Read
Key : Analysis.CPU.mSec
Value: 2546
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 1694018
Key : Analysis.Init.CPU.mSec
Value: 202
Key : Analysis.Init.Elapsed.mSec
Value: 34212
Key : Analysis.Memory.CommitPeak.Mb
Value: 127
Key : Timeline.OS.Boot.DeltaSec
Value: 613
Key : Timeline.Process.Start.DeltaSec
Value: 4
Key : WER.OS.Branch
Value: ni_release
Key : WER.OS.Timestamp
Value: 2022-05-06T12:50:00Z
Key : WER.OS.Version
Value: 10.0.22621.1
Key : WER.Process.Version
Value: 7.0.0.39
FILE_IN_CAB: crashdump.dmp
CONTEXT: (.ecxr)
eax=007b3000 ebx=00000000 ecx=00f5c034 edx=00f5c034 esi=007b3000 edi=007b0014
eip=00eb4baf esp=0019ee3c ebp=00000000 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
nsssh3!NSSSH_IsCheckInTimeModified+0xcaf:
00eb4baf f6401004 test byte ptr [eax+10h],4 ds:002b:007b3010=??
Resetting default scope
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00eb4baf (nsssh3!NSSSH_IsCheckInTimeModified+0x00000caf)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 007b3010
Attempt to read from address 007b3010
PROCESS_NAME: XshellCore.exe
READ_ADDRESS: 007b3010
ERROR_CODE: (NTSTATUS) 0xc0000005 - 0x%p 0x%p %s
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 007b3010
STACK_TEXT:
00000000 00000000 00000000 00000000 00000000 nsssh3!NSSSH_IsCheckInTimeModified+0xcaf
STACK_COMMAND: ~0s; .ecxr ; kb
SYMBOL_NAME: nsssh3+caf
MODULE_NAME: nsssh3
IMAGE_NAME: nsssh3.dll
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_nsssh3.dll!Unknown
OS_VERSION: 10.0.22621.1
BUILDLAB_STR: ni_release
OSPLATFORM_TYPE: x86
OSNAME: Windows 10
IMAGE_VERSION: 7.0.0.38
FAILURE_ID_HASH: {1ae78aa9-17ac-96e3-4b03-e7f816e7ff60}
Followup: MachineOwner
---------
0:000> ~0s; .ecxr ; kb
eax=00000000 ebx=00000000 ecx=00f5c034 edx=00f5c034 esi=00000000 edi=00000378
eip=77a7679c esp=0019da60 ebp=0019dacc iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200216
ntdll!NtWaitForSingleObject+0xc:
77a7679c c20c00 ret 0Ch
eax=007b3000 ebx=00000000 ecx=00f5c034 edx=00f5c034 esi=007b3000 edi=007b0014
eip=00eb4baf esp=0019ee3c ebp=00000000 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
nsssh3!NSSSH_IsCheckInTimeModified+0xcaf:
00eb4baf f6401004 test byte ptr [eax+10h],4 ds:002b:007b3010=??
*** Stack trace for last set context - .thread/.cxr resets it
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 00000000 00000000 00000000 00000000 00000000 nsssh3!NSSSH_IsCheckInTimeModified+0xcaf
from opensc.
pkcs15-tool.exe --read-ssh-key 01
Using reader with a card: Yubico YubiKey FIDO+CCID 0
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCbFQO09NGnBtLwqgMpKTi3NNroOtAw74pIOsGaU1kDC5OtxgJm0lQ1Otg9MEmZR+cVEvVIYPHhDMQvD/yIbF5c= PIV AUTH pubkey
from opensc.
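An added example, not code from the OpenSC project or from anyone in this thread: it parses the ecdsa-sha2-nistp256 line that pkcs15-tool --read-ssh-key 01 printed above, checks that the encoded point really lies on P-256 (the key type and curve the PIV driver derived from the certificate's SPKI), prints the SHA256 fingerprint in the form ssh-keygen -lf uses, and checks a server-side authorized_keys for that key by decoded blob rather than by comment, which is the "SSH host has the wrong public key" case listed earlier in the thread. The P-256 constants are the standard curve parameters; the authorized_keys text is constructed here, with the curve's generator point standing in for some other user's key. Python standard library only.

```python
import base64
import hashlib
import struct

# NIST P-256 (secp256r1) domain parameters from FIPS 186-4 / SEC 2.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

# The line pkcs15-tool --read-ssh-key 01 printed in this thread (9A / PIV AUTH slot).
CARD_KEY_LINE = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCbFQO09NGnBtLwqgMpKTi3NNroOtAw74pIOsGaU1kDC5OtxgJm0lQ1Otg9MEmZR+cVEvVIYPHhDMQvD/yIbF5c= PIV AUTH pubkey"


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob: bytes, off: int):
    """Read one RFC 4251 string at `off`; return (value, offset after it)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("truncated string body")
    return blob[off + 4:off + 4 + n], off + 4 + n


def decode_ssh_line(line: str):
    """Split a 'type base64 [comment]' line (no leading options) and check that the
    key type inside the blob agrees with the key type printed in front of it."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    wire_type, _ = read_ssh_string(blob, 0)
    if wire_type != key_type.encode():
        raise ValueError("key type %s does not match the blob" % key_type)
    return key_type, blob, (parts[2] if len(parts) == 3 else "")


def is_on_p256(point: bytes) -> bool:
    """True iff `point` is an uncompressed SEC1 point 0x04||X||Y satisfying
    y^2 = x^3 - 3x + b (mod p). Anything else is corrupt key material."""
    if len(point) != 65 or point[0] != 0x04:
        return False
    x = int.from_bytes(point[1:33], "big")
    y = int.from_bytes(point[33:65], "big")
    if x >= P256_P or y >= P256_P:
        return False
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def parse_p256_key(line: str) -> dict:
    """Decode ecdsa-sha2-nistp256: blob = string(type) string("nistp256") string(Q)."""
    key_type, blob, comment = decode_ssh_line(line)
    if key_type != "ecdsa-sha2-nistp256":
        raise ValueError("expected ecdsa-sha2-nistp256, got " + key_type)
    _, off = read_ssh_string(blob, 0)
    curve, off = read_ssh_string(blob, off)
    point, off = read_ssh_string(blob, off)
    if off != len(blob) or curve != b"nistp256":
        raise ValueError("malformed nistp256 key blob")
    return {"type": key_type, "curve": curve.decode(), "point": point, "blob": blob,
            "comment": comment, "on_curve": is_on_p256(point)}


def encode_p256_key(x: int, y: int, comment: str = "") -> str:
    """Build an OpenSSH line for the affine point (x, y); used to construct samples."""
    point = b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    blob = ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256") + ssh_string(point)
    return "ecdsa-sha2-nistp256 " + base64.b64encode(blob).decode() + (" " + comment if comment else "")


def fingerprint(line: str) -> str:
    """SHA256 fingerprint as `ssh-keygen -lf` prints it: base64(sha256(blob)), no padding."""
    _, blob, _ = decode_ssh_line(line)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def key_is_authorized(card_key_line: str, authorized_keys: str) -> bool:
    """Does authorized_keys contain exactly this key? Compare decoded blobs, never the
    comment: 'PIV AUTH pubkey' says nothing about which key is actually on the card."""
    _, want, _ = decode_ssh_line(card_key_line)
    for entry in authorized_keys.splitlines():
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            _, blob, _ = decode_ssh_line(entry)
        except ValueError:
            continue  # option-prefixed or malformed entries are skipped in this example
        if blob == want:
            return True
    return False


if __name__ == "__main__":
    key = parse_p256_key(CARD_KEY_LINE)
    print("curve:", key["curve"], "on curve:", key["on_curve"], fingerprint(CARD_KEY_LINE))
    # Constructed server-side file: the generator point stands in for someone else's key.
    other = encode_p256_key(P256_GX, P256_GY, "someone-else")
    print("host has wrong key:", key_is_authorized(CARD_KEY_LINE, other))
    print("host has card key :", key_is_authorized(CARD_KEY_LINE, other + "\n" + CARD_KEY_LINE))
```

If `on_curve` comes back False for a key the card printed, the key material itself is corrupt and no client will ever get a verifying signature out of it; if it is True but `key_is_authorized` is False, the problem is on the server side, not in the client or the middleware.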
I would say it's a bug in Xshell. I do not see any indication of OpenSC functions in the backtrace, and as the key can be used OK with pkcs15-tool, there is not much we can do except recommend using another SSH client. There is Putty-CAC, which (regardless of the name) should work with any smart card and PKCS#11.
from opensc.
I just tested Putty-CAC x86; it becomes unresponsive for a while and then an error pops up.
from opensc.
This looks more promising. Can you get an OpenSC debug log from this operation?
from opensc.
Also run pkcs11-tool -O and look for the usage on each key. (And please provide an OpenSC debug log from the failing operation.)
https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/pkcs15-piv.c#L534 lists the default usage for the 01 cert, i.e. the 9A key.
If this is a non-government PIV, then here is where the certificate's keyUsage is obtained:
https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/pkcs15-piv.c#L812-L827
Here is where the usage is set for EC keys:
https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/pkcs15-piv.c#L888-L927
You may also want to try Yubico's PKCS11 module:
https://developers.yubico.com/yubico-piv-tool/Releases/
https://support.yubico.com/hc/en-us/articles/360021606180-Using-YubiKey-PIV-with-Windows-native-SSH-client
https://developers.yubico.com/yubico-piv-tool/YKCS11/
Yubico/yubico-piv-tool#223 is old but points out that you may need to generate a CSR and have it signed by a CA so that the certificate has the correct keyUsage.
from opensc.
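An added example, not OpenSC's code and not from anyone in this thread, to show what the keyUsage lookup described in the comment above operates on: it decodes the X.509 KeyUsage BIT STRING (RFC 5280 4.2.1.3), locates that extension in DER by the id-ce-keyUsage OID, and derives a set of PKCS#11-style usage attributes. The OID-search shortcut, the sample extension bytes, and the mapping from keyUsage to CKA_* attributes (including the fall-back to a slot default when the extension is absent, as with a minimal certificate like the one ykman wrote) are this example's own simplifications and assumptions, not the behaviour of pkcs15-piv.c; the linked lines hold the real rules.

```python
# RFC 5280 4.2.1.3 KeyUsage bit order (bit 0 is the most significant bit of byte 0).
KEY_USAGE_BITS = ("digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly")
KEY_USAGE_OID = b"\x06\x03\x55\x1d\x0f"  # OBJECT IDENTIFIER 2.5.29.15 id-ce-keyUsage

# Constructed sample: Extension { id-ce-keyUsage, critical TRUE,
# extnValue OCTET STRING { BIT STRING, 5 unused bits, 0xA0 } }
# 0xA0 = 1010 0000 -> digitalSignature (bit 0) and keyEncipherment (bit 2).
SAMPLE_EXTENSION = bytes.fromhex("300e 0603551d0f 0101ff 0404 0302 05a0".replace(" ", ""))


def find_key_usage(cert_der: bytes) -> bytes:
    """Return the raw KeyUsage BIT STRING found in `cert_der`, or b"" if absent.
    Shortcut for the example: matches the OID bytes directly instead of walking the
    TBSCertificate extension list, so use a real X.509 parser in production."""
    i = cert_der.find(KEY_USAGE_OID)
    if i < 0:
        return b""
    i += len(KEY_USAGE_OID)
    if cert_der[i:i + 2] == b"\x01\x01":  # optional BOOLEAN critical
        i += 3
    if i + 1 >= len(cert_der) or cert_der[i] != 0x04:
        raise ValueError("expected OCTET STRING extnValue")
    n = cert_der[i + 1]
    return cert_der[i + 2:i + 2 + n]


def decode_key_usage(der: bytes):
    """Decode a DER BIT STRING (tag 0x03) into the set of asserted KeyUsage names.
    Returns None for empty input, meaning the certificate carries no keyUsage."""
    if not der:
        return None
    if der[0] != 0x03:
        raise ValueError("not a BIT STRING (tag 0x%02x)" % der[0])
    length = der[1]
    if length & 0x80:  # long-form length never occurs for a 9-bit KeyUsage
        raise ValueError("unexpected long-form length")
    body = der[2:2 + length]
    if length < 1 or len(body) != length:
        raise ValueError("truncated BIT STRING")
    unused, bits = body[0], body[1:]
    if unused > 7 or (not bits and unused):
        raise ValueError("invalid unused-bits count")
    nbits = 8 * len(bits) - unused
    flags = set()
    for i in range(min(nbits, len(KEY_USAGE_BITS))):
        if bits[i // 8] & (0x80 >> (i % 8)):
            flags.add(KEY_USAGE_BITS[i])
    return flags


def pkcs11_usage(key_usage, ec_key: bool, slot_default=("CKA_SIGN", "CKA_VERIFY")):
    """Simplified, assumed mapping to PKCS#11 attributes (not OpenSC's table).
    No extension -> the slot default; EC keys never get decrypt/encrypt."""
    if key_usage is None:
        return set(slot_default)
    attrs = set()
    if key_usage & {"digitalSignature", "nonRepudiation"}:
        attrs |= {"CKA_SIGN", "CKA_VERIFY"}
    if "keyAgreement" in key_usage and ec_key:
        attrs.add("CKA_DERIVE")
    if key_usage & {"keyEncipherment", "dataEncipherment"} and not ec_key:
        attrs |= {"CKA_DECRYPT", "CKA_ENCRYPT"}
    return attrs


if __name__ == "__main__":
    for label, der in (("with keyUsage", SAMPLE_EXTENSION), ("no keyUsage", b"\x30\x00")):
        ku = decode_key_usage(find_key_usage(der))
        print(label, "->", sorted(ku) if ku else ku, "->", sorted(pkcs11_usage(ku, ec_key=True)))
```

The point of running this against the card's certificate (pkcs15-tool --read-certificate 01 gives you the DER) is to see whether a PKCS#11 client that insists on a particular attribute, say CKA_SIGN on the 9A key, will find it: a certificate carrying keyEncipherment only, or no keyUsage at all, is exactly where a CSR signed by a CA with the right keyUsage is the fix.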
@dengert @Jakuje
I finally found that I still need to touch the YubiKey; Putty-CAC works normally, it should be a problem with Xshell.
from opensc.