Yubikey provider not being recognized? #82
Comments
Fortify has logging capabilities. If you look in the tray application menu, enable logging, insert the token, and go back to the tray application, you can get the log. Please attach it here.
Hi Ryan, I'm attaching the Fortify log from a "fresh" boot. I see this interesting warn line: {"level":"warn","message":"Cannot parse MessageSignedProtocol","source":"server","timestamp":"2022-07-09T21:00:54.092Z"} I still don't see it as a provider. Since the first post, I've pulled down the sample sign HTML/JavaScript demo. I put that into a Docker image and launched it under localhost. Localhost shows up under the tool's trusted sites. When I go to the localhost page, I see the certificates. I select the certificate serial that maps to the Yubikey 9c slot for digital signing and press continue. I get a popup saying "failed to sign xml". I subsequently tried selecting all the certificates, all with the same net result. I'm also attaching the extended fortify.log. Here's the screenshot of the signing error. Thanks for the quick feedback and any assistance you can provide.
I noticed I skipped a step (pull token and reinsert token). So here are updated logs with clean-boot-then-plugin-key.log, then the attempted sign request.
Can you reproduce this transaction and gather the console log of the sample when the error is thrown?
I see from your log file that Fortify sees the token:
{
  "cryptokiVersion": {
    "major": 2,
    "minor": 40
  },
  "firmwareVersion": {
    "major": 1,
    "minor": 0
  },
  "level": "info",
  "library": "/usr/local/lib/libykcs11.dylib",
  "libraryVersion": {
    "major": 2,
    "minor": 30
  },
  "manufacturerId": "Yubico (www.yubico.com)",
  "message": "PKCS#11 library information",
  "source": "provider",
  "timestamp": "2022-07-09T21:00:53.200Z"
}
{
  "id": "b16ca252e8404535a826bc598bfa670a4078da6ae6c599e8dbd03b2e8759d7a7",
  "level": "info",
  "library": "/usr/local/lib/libykcs11.dylib",
  "message": "Crypto provider was added to the list",
  "name": "Yubico Yubikey 4 OTP+U2F+CCID",
  "reader": "Yubico YubiKey OTP+FIDO+CCID",
  "source": "provider",
  "timestamp": "2022-07-09T21:00:53.201Z"
}
And I see the
I'm wondering why it doesn't show the Yubikey provider in the Tools app. It must show the provider, because there are logs about the provider registering and its items being fetched. Maybe there are some problems with token event catching and this problem is not stable. Could you try to restart the Fortify app multiple times and check whether it fails to show the Yubikey provider each time?
It's ok. It can't be the reason for the problem.
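The entries quoted above are single JSON objects, one per line, in fortify.log. The following triage script is an added example (not Fortify's code and not something posted in this thread): it reads such a log, lists which PKCS#11 libraries reported in, which providers were added, and any warn/error entries, so that a blank provider list in the Tools UI can be compared against what the log says was registered. The field names follow the entries quoted in the thread; the sample lines embedded below are constructed from them.

```javascript
"use strict";

// Constructed sample of fortify.log content (NDJSON), modelled on the
// entries quoted in this thread; the last line is deliberately malformed
// to show that a bad line is counted rather than aborting the triage.
const SAMPLE_LOG = [
  '{"level":"info","library":"/usr/local/lib/libykcs11.dylib","libraryVersion":{"major":2,"minor":30},"manufacturerId":"Yubico (www.yubico.com)","message":"PKCS#11 library information","source":"provider","timestamp":"2022-07-09T21:00:53.200Z"}',
  '{"id":"b16ca252e8404535a826bc598bfa670a4078da6ae6c599e8dbd03b2e8759d7a7","level":"info","library":"/usr/local/lib/libykcs11.dylib","message":"Crypto provider was added to the list","name":"Yubico Yubikey 4 OTP+U2F+CCID","reader":"Yubico YubiKey OTP+FIDO+CCID","source":"provider","timestamp":"2022-07-09T21:00:53.201Z"}',
  '{"level":"warn","message":"Cannot parse MessageSignedProtocol","source":"server","timestamp":"2022-07-09T21:00:54.092Z"}',
  "this line is not JSON and is counted as malformed",
].join("\n");

// Parse an NDJSON log and summarise provider registration and problems.
// Returns { libraries, providers, problems, malformed }.
function triageFortifyLog(text) {
  const summary = { libraries: [], providers: [], problems: [], malformed: 0 };
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "") continue;
    let entry;
    try {
      entry = JSON.parse(line);
    } catch (_err) {
      summary.malformed += 1;
      continue;
    }
    if (entry.level === "warn" || entry.level === "error") {
      summary.problems.push({
        level: entry.level,
        source: entry.source,
        message: entry.message,
        timestamp: entry.timestamp,
      });
    }
    if (entry.source !== "provider") continue;
    if (entry.message === "PKCS#11 library information") {
      const v = entry.libraryVersion || {};
      summary.libraries.push({
        library: entry.library,
        manufacturer: entry.manufacturerId,
        version: `${v.major}.${v.minor}`,
      });
    } else if (entry.message === "Crypto provider was added to the list") {
      summary.providers.push({
        id: entry.id,
        name: entry.name,
        reader: entry.reader,
        library: entry.library,
      });
    }
  }
  return summary;
}

// Render the summary as a short report for pasting into an issue.
function renderTriage(summary) {
  const lines = [];
  lines.push(`PKCS#11 libraries loaded: ${summary.libraries.length}`);
  for (const lib of summary.libraries) {
    lines.push(`  ${lib.library} (${lib.manufacturer}, v${lib.version})`);
  }
  lines.push(`Providers added: ${summary.providers.length}`);
  for (const p of summary.providers) {
    lines.push(`  ${p.name} via ${p.reader} [id ${p.id.slice(0, 8)}...]`);
  }
  lines.push(`Warnings/errors: ${summary.problems.length}`);
  for (const pr of summary.problems) {
    lines.push(`  ${pr.timestamp} ${pr.level} (${pr.source}): ${pr.message}`);
  }
  if (summary.malformed > 0) {
    lines.push(`Malformed lines skipped: ${summary.malformed}`);
  }
  return lines.join("\n");
}

// Stand-alone run over the constructed sample; pass a real file's
// contents (e.g. require("fs").readFileSync(path, "utf8")) instead.
console.log(renderTriage(triageFortifyLog(SAMPLE_LOG)));
```

If the report lists a provider that the Tools window does not, the gap is between registration and the UI rather than in loading libykcs11, which is the distinction the reply above is drawing.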
It does look like a JavaScript browser issue. I'm attaching 3 different files.
The error looks like "TypeError: cyclic object value". I don't remember seeing this error over the weekend (not sure if that's good or bad). I think this is causing the error: var provider = await event.detail.socketProvider.getCrypto(providerId); Any ideas how to debug? Secondarily, the providers still don't show up in the Tools app, which is weird because I agree it appears they should be rendering based on the logs. Thanks for helping me research these issues.
I've updated your script and uploaded it to https://codesandbox.io/s/issue-82-4d8hsf It works fine with my Yubikey token. Yubikey: 1.2.4
It occurs on
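"TypeError: cyclic object value" is the message Firefox's JSON.stringify raises when the object graph it is given contains a reference back to itself (Chrome reports the same TypeError as "Converting circular structure to JSON"). The example below is added here and is not part of the thread or of Fortify: it reproduces the error on a constructed object that stands in for a provider with a parent back-reference (an assumption about where the cycle sits, not a description of the real provider type) and shows a replacer that lets such an object be logged while tracing where the error originates.

```javascript
"use strict";

// Constructed stand-in for an object with a back-reference. It is NOT
// Fortify's provider type; it only reproduces the shape that makes
// JSON.stringify fail.
function makeCyclicProvider() {
  const provider = { id: "example-id", name: "Example token", keys: [] };
  provider.keys.push({ label: "9c", owner: provider }); // cycle: child -> parent
  return provider;
}

// Try plain JSON.stringify and report the error class, or null if it
// serialised cleanly. Both Firefox and Chrome throw a TypeError for cycles.
function stringifyError(obj) {
  try {
    JSON.stringify(obj);
    return null;
  } catch (err) {
    return err instanceof TypeError ? "TypeError" : err.name;
  }
}

// Serialise for debugging: any object reached a second time (a true cycle
// or a merely shared reference) is replaced with a marker instead of
// recursing into it, so the call cannot throw on cyclic input.
function safeStringify(obj, indent = 2) {
  const seen = new WeakSet();
  return JSON.stringify(
    obj,
    (_key, value) => {
      if (typeof value === "object" && value !== null) {
        if (seen.has(value)) return "[Circular]";
        seen.add(value);
      }
      return value;
    },
    indent
  );
}

// Stand-alone demonstration.
const sample = makeCyclicProvider();
console.log("plain JSON.stringify ->", stringifyError(sample)); // TypeError
console.log(safeStringify(sample));
```

When the error appears after a call such as getCrypto, wrapping whatever serialises its result (a console.log of JSON.stringify, a postMessage of the object, or a framework that stringifies state) with a replacer like this isolates whether the provider object itself is the cyclic value.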
I've tested with your sandbox. Now I'm even more baffled (yikes). So it works. I saw the xmldsig. I'm pretty much 99.999999% certain I had selected the 2E:F8:6A:D6:AE:A2:F2:85:2A:30:15:BE:04:C8:59:D4:8B:47:3E:AA serial certificate. So I was like "cool", let me copy down the HTML/JS and test locally. After building a new nginx container (with the sandbox code), it didn't work (huh?). I went to remove the trusted localhost site, re-trusted it and tested again. Again no bueno. So I clicked one of the other certificates that were listed. That worked! So essentially the other 3 slots now work somehow? I went back to the sandbox and tested the 2E, which no longer works. But the other 3 certs do. So largely, I'm confused lol. After that I closed down the browser again and tried again. 2E works. Long story short, I'm losing it :) Here's the screenshot of the console log. It's a real head scratcher. The other piece I need clarification on for my own understanding: I thought a Yubikey could only digitally sign based on the key in the 9C slot? I assumed that when it generates the key pair inside the Yubikey Manager, it would only give the type capability associated with the PIV slot type? Based on the Yubikey documentation it says: 9A - authentication. So how does xmldsig even work with 9A/D/E? Does Fortify verify the key type operation mode?
Key type in this context is a PIV-ism and not something that Fortify is aware of. If the device supports the operation then Fortify uses it. As for your inconsistent behavior, without logs we can't help.
I've got the same error with my test and here is my ticket You can call
@microshine thanks for the tips... yeah, that provider.logout allowed me to re-sign over and over (obviously had to refresh certs and re-enter the PIN because of the logout). Really appreciate the assistance on wrapping my head around all this. I guess my only remaining question is around the original question: why doesn't Fortify Tools list the Yubikey provider? I've tried to load that page multiple times and it's always blank (see original screenshot)... any ideas on how to debug this? I agree that the logs show Yubikey stuff, but in the UI it's empty.
but the debugging browser console
thoughts? |
@icenfrosty Have you tried to restart Fortify?
Fortify shows my Yubico token provider each time. I can't reproduce your problem.
I'm new to Fortify and Yubikey tooling, and exploring the capabilities of this application. Here's what I've done so far.
I have tested the Yubikey and it appears to work correctly. I have also run yubico-piv-tool and am able to read certificates, i.e. yubico-piv-tool -s 9(a|c|d) --action read-certificate, and it comes back with the certificates. Yubikey Manager appears to be functioning correctly.
When I launch the Fortify Tools the only providers that show up are Mac Crypto and NSS Certificate DB. The Yubikey provider does not show up. I have tested this with Firefox and Chrome with the same results.
I looked into ~/.fortify/config.json. Everything looks vanilla.
In ~/.fortify/card.json I see:
{
  "id": "993988460d8f49a2ac519a2935f00533",
  "name": "YubiKey",
  "file": {
    "osx": "/usr/local/lib/libykcs11.dylib",
    "linux": "/usr/local/lib/libykcs11.so",
    "windows": "%WINDIR/System32/libykcs11-1.dll"
  }
},
I've confirmed that the dylib is in the matching location:
$ ls -talr /usr/local/lib/libykcs11.dylib
lrwxr-xr-x 1 root wheel 17 Jul 3 17:15 /usr/local/lib/libykcs11.dylib -> libykcs11.2.dylib
Any idea on next steps to look at to try to figure out why the Yubikey provider is not showing up? I've tried to follow all the documentation and postings I could find to debug; what am I doing wrong?