[BUG] MSCMAP not created when management key is modified

[IDevJoe]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

After importing certificates using the SDK with a modified management key, windows fails to recognize the imported certificates because the containers are never created.

> certutil -scinfo
Analyzing card in reader: Yubico YubiKey OTP+FIDO+CCID 0

--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
---   Card: YubiKey Smart Card
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = (null) [Default Container]

Cannot open the AT_SIGNATURE key for reader: Yubico YubiKey OTP+FIDO+CCID 0
Cannot open the AT_KEYEXCHANGE key for reader: Yubico YubiKey OTP+FIDO+CCID 0

--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
---   Card: YubiKey Smart Card
Provider = Microsoft Smart Card Key Storage Provider
Key Container = (null) [Default Container]

Cannot open the  key for reader: Yubico YubiKey OTP+FIDO+CCID 0

--------------===========================--------------

> yubico-piv-tool -astatus
Version:        5.4.3
Serial Number:  <Redacted>
CHUID:  No data available
CCC:    No data available
Slot 9a:
        Algorithm:      RSA2048
        Subject DN:     CN=<Redacted>
        Issuer DN:      C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=yes CA
        Fingerprint:    cb098930feb7b0ef022748bda766a2be3969b0e52173272fff677bc8d4cc53a4
        Not Before:     Jul 22 14:55:58 2024 GMT
        Not After:      Oct  8 14:55:58 2024 GMT
Slot 9e:
        Algorithm:      RSA2048
        Subject DN:     CN=<Redacted>
        Issuer DN:      C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=yes CA
        Fingerprint:    9700b7bcc2dc59bfac36445806535aaf6c8e8d1b779a6982f43de3d90e7ad398
        Not Before:     Jul 22 14:55:09 2024 GMT
        Not After:      Oct  8 14:55:09 2024 GMT
PIN tries left: 3

Not modifying the management key fixes the behavior, since the minidriver is able to modify the MSCMAP itself.

Expected Behavior

During the import operation, the MSCMAP should be updated on the card, allowing the certificates to be recognized (or a separate function should be available to do this). The documentation states that this operation already exists: any necessary operations with the MSCMAP will be handled by the SDK, but there is no trace of the SDK modifying the MSCMAP.

Steps To Reproduce

Run the code (obviously replace necessary components to make it work):

public bool ChangeKeyAndLoad() {
  using(var session = new PivSession(_yubiKeyDevice)) {
    session.KeyCollector = DefaultKeyCollector;
    var kp = (PivRsaPublicKey)session.GenerateKeyPair(PivSlot.CardAuthentication, PivAlgorithm.Rsa2048);
    var csr = GenerateRequestFromKey(kp, PivSlot.CardAuthentication, "CN=" + Serial, session);
    
    // Insert logic to get certificate
  
    session.ImportCertificate(PivSlot.CardAuthentication, _cert);
  
    if(!session.TryChangeManagementKey(GetKeyFromString("010203040506070801020304050607080102030405060708"), _new_manage_key))
    {
        return false;
    }
    return true;
  }
}

Version

1.8.0

Version

5.4.3

Anything else?

No response

[IDevJoe]

Updated and reproduced on SDK 1.11.0

[DennisDyallo]

Hi @IDevJoe,

Thanks for reporting this issue. To help us better understand and resolve the problem, could you please provide the following information:

Environment Details:
Any relevant configurations on your machine.

Detailed Reproduction Steps:
More detailed steps to reproduce the issue, including any specific configurations of the YubiKey device.

Key Management:
Details about the old and new management keys. Are you using a standard key change process?
Have you tried using different keys or configurations?

Current Workarounds:
Details on the process and state of the YubiKey when you do not modify the management key.

With this information, we will be in a better position to investigate and resolve the issue.

[IDevJoe]

@DennisDyallo

Environment Details:
Windows 10 21H2
.NET Framework 4.8

Reproduction steps:
(From reset state)

1. Generate keypair for slot 9A
2. Change management key and PUK for Yubikey device
3. Load new certificate into 9A
4. Run certutil -scinfo

Key management:
The management key is changed to a randomized key during the initial provisioning process. It is one of the first steps. I have tried changing where in the process the key is changed, but the key container seems to never be generated no matter where it happens. The key is always changed when from the reset state of the card.

Current workarounds:
The only workaround that doesn't add additional overhead is to simply not change the management key. In theory, you could ask the user to unplug the key and plug it back in before the management key is actually changed (triggering the smartcard minidriver to create the containers).