On 12/05/2016 04:44 PM, Nathaniel McCallum wrote:
On Mon, Dec 5, 2016 at 10:35 AM, Nikos Mavrogiannopoulos
<n...@redhat.com> wrote:
On Mon, 2016-12-05 at 10:23 -0500, Nathaniel McCallum wrote:

Indeed, in the case where one has both ykcs11 and opensc, he would have to supply --detailed-urls to p11tool to be able to distinguish between objects. That is, because they will have identical URLs except for the library-description and library-manufacturer fields, which are not normally printed.

That would be a bit more than just inconvenience because of the duplicate listings, it would be that if you don't specify the library fields on the URL, you wouldn't know which module was used for the operation.
They don't, in fact, have different URIs. If I add a .module file for
ykcs11.so, I get the attached output for p11tool --list-tokens.
You forgot to attach it :)
Let's try again. :)
I suspect the problem is related to the issue #98 on github [1], already fixed in git but not yet released. The PKCS#11 module returns very weird results at this point:

239: C_GetSlotList
2016-12-06 13:15:19.158
[in] tokenPresent = 0x1
[out] pSlotList:
Slot 0
Slot -1
[...garbage values ...]
[out] *pulCount = 0x30
Returned:  0 CKR_OK

I would not pull the module into p11-kit until this gets fixed.

Also the duplicate keys might be related to the issue #101 [2]. The returned values might be really different objects, but Yubico is unable to get the serial from them. This module might be good enough for yubico-piv-tool, but I am not sure if for other use cases (p11-kit and system-wide querying).

[1] https://github.com/Yubico/yubico-piv-tool/issues/98
[2] https://github.com/Yubico/yubico-piv-tool/issues/101

We should ping yubico on that. Is there some reason they didn't
implement the key generation on opensc? Ideally we won't ship that
additional module.
I don't know. But I suspect it would require hardware change. There
are a lot of existing YubiKeys out there.
opensc-pkcs11 is an alternative driver for the same hardware, the same
as ykcs11. As it is now, it seems that opensc misses only the
generation part, and I think it would be preferable to pointing yubico
in adding that functionality in opensc, rather than shipping a separate
driver in fedora.
I agree. However, I suspect that the two drivers are using two
different hardware interfaces. And I suspect that YubiKeys may not
implement key creation through the SC hardware interface. I may
misunderstand this. Corrections are welcome.
This is a good point. I am not so knowledgeable about the details, but it is possible that it might not be possible using SC.

About the OpenSC and key generation with PIV, I checked the OpenSC source and this method is really not implemented. Asking yubico for clarification would certainly make sense. Do you have some good contacts, or should I just drop a mail/issue on github?

Kind regards,

--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
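As an added example (not code from anyone in this thread), the following Python script parses RFC 7512 pkcs11: URIs and makes the ambiguity described above concrete: two tokens exposed by ykcs11 and opensc-pkcs11 that differ only in library-description and library-manufacturer collapse to the same URI once those fields are dropped, which is what p11tool shows without --detailed-urls. All URIs and library strings below are constructed sample values, not output from a real device.

```python
from urllib.parse import unquote

# Attributes that p11tool only prints with --detailed-urls (per the thread).
LIBRARY_ATTRS = ("library-description", "library-manufacturer")

# Constructed sample token URIs: the first two describe the same card through
# two different modules, the third is a genuinely different token.
CONSTRUCTED_URIS = [
    "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;"
    "token=SAMPLE%20PIV;library-description=OpenSC%20smartcard%20framework;"
    "library-manufacturer=OpenSC%20Project",
    "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;"
    "token=SAMPLE%20PIV;library-description=YubiKey%20PIV%20Library;"
    "library-manufacturer=Yubico",
    "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=11111111;"
    "token=OTHER%20PIV;library-description=OpenSC%20smartcard%20framework;"
    "library-manufacturer=OpenSC%20Project",
]


def parse_pkcs11_uri(uri: str) -> dict:
    """Split an RFC 7512 pkcs11: URI into its path attributes.

    The optional query part (pin-value, module-name, ...) is ignored here,
    because token identity is carried by the path attributes only.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI: %r" % uri)
    path, _, _query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for part in filter(None, path.split(";")):
        key, _, value = part.partition("=")
        attrs[key] = unquote(value)
    return attrs


def without_library_attrs(attrs: dict) -> dict:
    """Drop the fields p11tool omits by default."""
    return {k: v for k, v in attrs.items() if k not in LIBRARY_ATTRS}


def find_ambiguous_tokens(uris):
    """Return groups of URIs that become indistinguishable without library fields."""
    groups = {}
    for uri in uris:
        key = tuple(sorted(without_library_attrs(parse_pkcs11_uri(uri)).items()))
        groups.setdefault(key, []).append(uri)
    return [group for group in groups.values() if len(group) > 1]


if __name__ == "__main__":
    for group in find_ambiguous_tokens(CONSTRUCTED_URIS):
        print("ambiguous without --detailed-urls:")
        for uri in group:
            print("  ", uri)
```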
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org