age-plugin-yubikey
UX: Generic error message on Windows 11
What were you trying to do
I've been trying to set up this plugin on Windows to use with WSL, as I sadly am dependent on Windows-only VPN software for work. However, I've been completely unable to get this to work on Windows 11, on either of my computers. The main problem here is the error message, which offers no clues as to what is wrong, making it hard to find the root cause of my problem.
I'm actually not 100% sure if this is a UX issue or a bug (or both), but no one else has reported a similar problem that I've seen, so I'm assuming it's me doing something dumb.
- I've used age-plugin-yubikey on Linux to set up an age identity on my Yubikeys successfully. Everything works as expected.
- I rebooted my computer into Windows 11.
- I dropped the released, precompiled age-plugin-yubikey binary into C:\Windows\System32, as it's on my $PATH.
- I've unblocked the executable:

- Inserted a Yubikey into the computer.
- Opened up WSL and tried to list the identities on the Yubikey.
What happened
I get a generic error message, as shown in the transcript below. The Yubikey is fully functional in Windows, as I use it to log on the computer itself and as a second factor for a lot of websites (both Yubikey 2FA and FIDO).
$ age-plugin-yubikey.exe -i
Error: Error while communicating with YubiKey: generic error
[ Did this not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/age-plugin-yubikey/report ]
$ age-plugin-yubikey.exe --list
Error: Error while communicating with YubiKey: generic error
[ Did this not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/age-plugin-yubikey/report ]
$ age-plugin-yubikey.exe --list-all
Error: Error while communicating with YubiKey: generic error
[ Did this not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/age-plugin-yubikey/report ]
$ age-plugin-yubikey.exe --serial ******** --list
Error: Error while communicating with YubiKey: generic error
[ Did this not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/age-plugin-yubikey/report ]
Things I've tried:
- Running age-plugin-yubikey as Administrator
- Multiple computers
- Multiple different Yubikeys, all with an age key installed in PIV slot 10.
generic error is an error coming from the yubikey crate on which this depends, so there's no better error I can give. Even there I believe it's partly due to the YubiKey itself not being particularly verbose about error causes.
Have you confirmed that you can interact with the YubiKey itself on Windows outside of age-plugin-yubikey? Try using https://developers.yubico.com/yubikey-manager-qt/ and check that you can interact with the PIV applet.
Another thing you can try is running age-plugin-yubikey.exe directly from Windows, via e.g. PowerShell, to eliminate the WSL component as a potential cause. Try enabling trace-level log output (which the yubikey crate does have) and then running commands like:
> $env:RUST_LOG="trace"
> age-plugin-yubikey.exe --list
I encountered the same problem, and the issue for me was that it is incorrectly trying to use the Windows Hello for Business virtual smartcard instead of the YubiKey. Here is the output with $env:RUST_LOG="trace" set:
[INFO i18n_embed::requester] Current Locale: [LanguageIdentifier { language: Language(Some("en")), script: None, region: Some(Region("US")), variants: None }]
[DEBUG i18n_embed] Selecting translations for domain "age_plugin_yubikey"
[DEBUG i18n_embed] Searching for available languages, found language file: "en-US/age_plugin_yubikey.ftl"
[DEBUG i18n_embed] Requested Languages: [LanguageIdentifier { language: Language(Some("en")), script: None, region: Some(Region("US")), variants: None }]
[DEBUG i18n_embed] Available Languages: [LanguageIdentifier { language: Language(Some("en")), script: None, region: Some(Region("US")), variants: None }]
[DEBUG i18n_embed] Supported Languages: [LanguageIdentifier { language: Language(Some("en")), script: None, region: Some(Region("US")), variants: None }]
[DEBUG i18n_embed] Attempting to load language file: "en-US/age_plugin_yubikey.ftl"
[DEBUG i18n_embed::fluent] Loaded language file: "en-US/age_plugin_yubikey.ftl" for language: "en-US"
[INFO yubikey::yubikey] connected to reader: Windows Hello for Business 1
[TRACE yubikey::apdu] >>> Apdu { cla: 0, ins: SelectApplication, p1: 4, p2: 0, data: [160, 0, 0, 3, 8] }
[TRACE yubikey::transaction] >>> [0, 164, 4, 0, 5, 160, 0, 0, 3, 8]
[TRACE yubikey::apdu] <<< Response { status_words: NotFoundError, data: [] }
[ERROR yubikey::transaction] failed selecting application: 6a82
[INFO yubikey::yubikey] connected to reader: Windows Hello for Business 1
[TRACE yubikey::apdu] >>> Apdu { cla: 0, ins: SelectApplication, p1: 4, p2: 0, data: [160, 0, 0, 3, 8] }
[TRACE yubikey::transaction] >>> [0, 164, 4, 0, 5, 160, 0, 0, 3, 8]
[TRACE yubikey::apdu] <<< Response { status_words: NotFoundError, data: [] }
[ERROR yubikey::transaction] failed selecting application: 6a82
Error: Error while communicating with YubiKey: generic error
Manually specifying the serial number of the YubiKey with --serial xxxxxxx works in conjunction with --generate, but no other command works. For example, age-plugin-yubikey.exe --serial xxxxxxx --list fails with the following:
[INFO i18n_embed::requester] Current Locale: [LanguageIdentifier { language: Language(Some("en")), script: None, region: Some(Region("US")), variants: None }]
[DEBUG i18n_embed] Selecting translations for domain "age_plugin_yubikey"
[DEBUG i18n_embed] Searching for available languages, found language file: "en-US/age_plugin_yubikey.ftl"
[DEBUG i18n_embed] Requested Languages: [LanguageIdentifier { language: Language(Some("en")), script: None, region: Some(Region("US")), variants: None }]
[DEBUG i18n_embed] Available Languages: [LanguageIdentifier { language: Language(Some("en")), script: None, region: Some(Region("US")), variants: None }]
[DEBUG i18n_embed] Supported Languages: [LanguageIdentifier { language: Language(Some("en")), script: None, region: Some(Region("US")), variants: None }]
[DEBUG i18n_embed] Attempting to load language file: "en-US/age_plugin_yubikey.ftl"
[DEBUG i18n_embed::fluent] Loaded language file: "en-US/age_plugin_yubikey.ftl" for language: "en-US"
[INFO yubikey::yubikey] connected to reader: Windows Hello for Business 1
[TRACE yubikey::apdu] >>> Apdu { cla: 0, ins: SelectApplication, p1: 4, p2: 0, data: [160, 0, 0, 3, 8] }
[TRACE yubikey::transaction] >>> [0, 164, 4, 0, 5, 160, 0, 0, 3, 8]
[TRACE yubikey::apdu] <<< Response { status_words: NotFoundError, data: [] }
[ERROR yubikey::transaction] failed selecting application: 6a82
[INFO yubikey::yubikey] connected to reader: Windows Hello for Business 1
[TRACE yubikey::apdu] >>> Apdu { cla: 0, ins: SelectApplication, p1: 4, p2: 0, data: [160, 0, 0, 3, 8] }
[TRACE yubikey::transaction] >>> [0, 164, 4, 0, 5, 160, 0, 0, 3, 8]
[TRACE yubikey::apdu] <<< Response { status_words: NotFoundError, data: [] }
[ERROR yubikey::transaction] failed selecting application: 6a82
Error: Error while communicating with YubiKey: generic error
[ Did this not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/age-plugin-yubikey/report ]
Ooh, this is interesting! So there are two issues here:
- APIs like --list that aim to show everything should probably be tolerant of individual communication failures. Though in this case, the output would be partial, so we'd need to clearly indicate this to the user, as well as think about what users are likely to do in the face of partial information.
- It looks like Windows Hello for Business virtual smartcard doesn't support the PIV application, but due to being hardwired into the OS it is always present (vs e.g. the blue "Security Key by Yubico", which also doesn't support PIV but can be unplugged by the user). This suggests that the yubikey crate should expose a way to distinguish whether a smart card connection doesn't support PIV, so it can be ignored instead of treated as an error. And indeed, the current error for "PIV not supported" that is returned by yubikey is "generic error".
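The reader handling proposed in the comment above, as an added Rust sketch (not code from age-plugin-yubikey or the yubikey crate): it sends the SELECT APDU seen in the trace to each reader and treats status word 6A82 as "no PIV applet, ignore this reader" instead of a fatal error. SimReader, Probe, list_readers and the two reader names other than Windows Hello are constructed for illustration, and the readers are simulated, so no PC/SC access takes place.

```rust
// SELECT from the trace: CLA=00 INS=A4 P1=04 P2=00 Lc=05, then PIV AID A0 00 00 03 08.
const SELECT_PIV: [u8; 10] = [0x00, 0xA4, 0x04, 0x00, 0x05, 0xA0, 0x00, 0x00, 0x03, 0x08];
#[derive(Debug, PartialEq)]
enum Probe {
    Piv,         // 9000: PIV applet selected
    NoPivApplet, // 6A82: application not found, so the reader can be ignored
    Failed(u16), // any other status word is a real communication problem
}

// Hypothetical stand-in for a PC/SC reader (simulated): name + status word it answers SELECT with.
struct SimReader { name: &'static str, select_sw: u16 }
impl SimReader {
    fn transmit(&self, apdu: &[u8]) -> [u8; 2] {
        (if apdu == &SELECT_PIV[..] { self.select_sw } else { 0x6D00 }).to_be_bytes()
    }
}

fn probe(reader: &SimReader) -> Probe {
    match u16::from_be_bytes(reader.transmit(&SELECT_PIV)) {
        0x9000 => Probe::Piv,
        0x6A82 => Probe::NoPivApplet,
        sw => Probe::Failed(sw),
    }
}

// Returns (usable, ignored, errors): partial results plus what was skipped or failed.
fn list_readers(readers: &[SimReader]) -> (Vec<&str>, Vec<&str>, Vec<(&str, u16)>) {
    let (mut ok, mut skipped, mut errs) = (vec![], vec![], vec![]);
    for r in readers {
        match probe(r) {
            Probe::Piv => ok.push(r.name),
            Probe::NoPivApplet => skipped.push(r.name),
            Probe::Failed(sw) => errs.push((r.name, sw)),
        }
    }
    (ok, skipped, errs)
}

fn sample_readers() -> Vec<SimReader> {
    vec![ // constructed sample data; only the first reader name appears in the thread
        SimReader { name: "Windows Hello for Business 1", select_sw: 0x6A82 },
        SimReader { name: "Example YubiKey Reader 0", select_sw: 0x9000 },
        SimReader { name: "Example Faulty Reader 0", select_sw: 0x6F00 },
    ]
}

fn main() {
    let readers = sample_readers();
    println!("(usable, ignored, errors) = {:?}", list_readers(&readers));
}
```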
@arnefm @mlipscombe Could you test #129 and see if it resolves this particular issue for you?
For what it's worth, I had the same issue with Windows Hello and the fix in #129 resolved the issue for me. I am also no longer seeing #80 when switching from the latest release version (0.3.3) to #129. Thank You!
There are some errors logged, but otherwise the output is as expected:
cargo install --git https://github.com/str4d/age-plugin-yubikey --branch 78-ignore-readers-without-piv-applet
age-plugin-yubikey.exe -l
[ERROR yubikey::transaction] failed selecting application: 6a82
[ERROR yubikey::yubikey] Could not use reader: PIV applet not found
[WARN age_plugin_yubikey::key] Ignoring Windows Hello for Business 1: Missing PIV applet
However it may be best to confirm resolution with the original issue poster in case their issue was different than mine.