tillmann-crabnebula changed the title from "Creation of Certificate Sign Requests Fails if Key Pin Policy is Set to Once or Always" to "Creation of Certificate Sign Requests Fails if Key Pin Policy is Set to Once or Always in Combination with Attestation" on Feb 28, 2023
Yes, this is a known issue. The problem is that the tool performs several operations against the device within a single action, hence the PIN cannot be verified directly before the signing operation, which is required by keys with the always-auth pin policy. There are two PRs implemented to solve this in two different ways, but a decision hasn't been made yet which one to commit to.
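A simplified model of the failure described in the comment above, as an added example that is not part of the thread or of yubico-piv-tool. It assumes the attestation step is an extra device command issued between PIN verification and signing, and that an always-policy key needs VERIFY to be the command directly before the signature; `ToyToken`, `request_certificate` and `reverify_before_sign` are hypothetical names, and only the never and always policies are modelled.

```python
from enum import Enum


class PinPolicy(Enum):
    NEVER = "never"
    ALWAYS = "always"


class PinRequired(Exception):
    """The key's PIN policy was not satisfied when sign() was called."""


class ToyToken:
    """Constructed, simplified model of one key slot; not a PIV implementation."""

    def __init__(self, pin, policy):
        self._pin, self.policy = pin, policy
        self._fresh = False  # True only while VERIFY is the most recent command
        self.log = []

    def verify_pin(self, pin):
        self.log.append("verify")
        self._fresh = pin == self._pin
        return self._fresh

    def attest(self):
        # Assumption: any command other than VERIFY ends the "just verified" state.
        self.log.append("attest")
        self._fresh = False
        return b"constructed-attestation"

    def sign(self, data):
        allowed = self.policy is PinPolicy.NEVER or self._fresh
        self.log.append("sign")
        self._fresh = False
        if not allowed:
            raise PinRequired("always policy: VERIFY must directly precede sign")
        return b"sig:" + data


def request_certificate(token, pin, attestation, reverify_before_sign=False):
    """One action issuing several commands; reverify_before_sign is hypothetical."""
    token.verify_pin(pin)
    to_sign = b"constructed-csr"
    if attestation:
        to_sign += token.attest()
    if reverify_before_sign:
        token.verify_pin(pin)
    return token.sign(to_sign)
```

In this model the sequence verify, attest, sign is rejected for an always-policy key, while the same action without attestation, with the never policy, or with a second verify directly before signing succeeds.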
Hey @qpernil thanks for the heads up!
I saw the PRs are around 2 years old, so I don't expect any merge soon. Any recommendation which branch we should use in the meantime?
I would assume #326 is the more simplistic change suited for our case, as it's only affecting the tool and not the library.
Used version:
yubico-piv-tool --version
yubico-piv-tool 2.3.1
Reproduction commands:
Create key on device
yubico-piv-tool --slot 9c --pin 123456 --action verify-pin,generate --pin-policy always --touch-policy never
Create signing request for generated key
yubico-piv-tool --slot 9c --pin 123456 --action verify-pin,request-certificate --attestation --output 9c.csr --subject "/CN=Example/OU=example/[email protected]/"
Observe output
I saw similar issues mentioning this behavior (#383) and some recent changes (ubuntu tracker 1988833, ubuntu tracker 1993908), but the issue persists for me.
The above example works once the --pin-policy is set to never or the --attestation flag is removed.
Raw output: