
Attestation certificate for OpenPGP ENC slot has unparsable public key

Open ya-isakov opened this issue 3 years ago • 2 comments

  • YubiKey Manager (ykman) version: 4.0.0
  • How was it installed?: Gentoo package
  • Operating system and version: Gentoo
  • YubiKey model and version: YubiKey 5 NFC, Firmware version: 5.2.4
  • Bug description summary: openssl cannot parse public key from attestation certificate for OpenPGP ENC key.

Steps to reproduce

  • Set enc slot to cv25519
  • Use ykman key attest ENC test.crt
  • Verify certificate with openssl x509 -in test.crt -text

Expected result

OpenSSL should show that everything is good :)

Actual results and logs

So, I have a key with all three slots set to use Curve25519/Ed25519:

Key attributes ...: ed25519 cv25519 ed25519

I can encrypt via gpg to my key, and on decrypting, gpg says:

gpg: encrypted with 256-bit ECDH key

But when I'm trying to attest this key via ykman key attest ENC test.crt and check this test.crt with openssl x509 -in test.crt -text, it thinks that the certificate has Signature Algorithm: sha256WithRSAEncryption, and I'm also getting this error:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:a8:12:c8:22:b7:d4:ec:52:44:c2:59:6b:d3:3b:2a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Yubikey OPGP Attestation
        Validity
            Not Before: Aug  1 00:00:00 2019 GMT
            Not After : Dec 17 00:00:00 2046 GMT
        Subject: CN = YubiKey OPGP Attestation DEC
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
            Unable to load Public Key
139714749192000:error:100D7010:elliptic curve routines:eckey_pub_decode:EC lib:crypto/ec/ec_ameth.c:168:
139714749192000:error:0B09407D:x509 certificate routines:x509_pubkey_decode:public key decode error:crypto/x509/x_pubkey.c:125:
... (skipped)

Other info

OpenSSL is of version 1.1.1k

Also, only ENC slot has this problem, other slots are fine.

ya-isakov avatar Apr 02 '21 21:04 ya-isakov

I've just generated a new key via gpg --edit-card -> addcardkey, and still the same problem.

Also, verification of the generated cert works, so it's only openssl which cannot parse the certificate.

ya-isakov avatar Apr 02 '21 21:04 ya-isakov

Thanks for reporting! I've notified our firmware team of this, it looks like an incompatibility with how the public key is encoded in the certificate which will likely be changed in a future version.

dainnilsson avatar Apr 16 '21 06:04 dainnilsson
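The OpenSSL trace in the report stops in eckey_pub_decode, so `openssl x509 -text` never shows which AlgorithmIdentifier the ENC slot's certificate actually carries. The following added example (not part of this issue or of ykman) reads the SubjectPublicKeyInfo with a minimal DER walker and reports the algorithm OID and any curve OID, so the encoding incompatibility dainnilsson mentions can be seen directly. OpenSSL 1.1.1 loads X25519 keys under the RFC 8410 id-X25519 identifier, whereas an id-ecPublicKey identifier whose named-curve OID is not in OpenSSL's curve table fails exactly in eckey_pub_decode. The two SPKI samples are constructed here; the curve OID in the second one is GnuPG's Curve25519 OID used as a stand-in, since the real OID in the YubiKey certificate is not shown on the page.

```python
# Inspect a DER SubjectPublicKeyInfo (SPKI) independently of OpenSSL's key loader,
# so the algorithm OID and curve OID are visible even when "openssl x509 -text"
# stops at "Unable to load Public Key".

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"   # RFC 5480: EC key, curve named by the parameter OID
ID_X25519 = "1.3.101.110"                # RFC 8410: X25519 key, no parameters at all

def _tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    """Yield (tag, content) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, value, pos = _tlv(content, pos)
        yield tag, value

def decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content octets to dotted notation."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                              # last octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def spki_algorithm(der_spki):
    """Return (algorithm OID, parameter OID or None) from a DER SubjectPublicKeyInfo."""
    _, spki, _ = _tlv(der_spki, 0)                    # SubjectPublicKeyInfo ::= SEQUENCE
    _, alg_id = next(_children(spki))                 # AlgorithmIdentifier ::= SEQUENCE
    parts = list(_children(alg_id))                   # [algorithm OID, optional parameters]
    params = decode_oid(parts[1][1]) if len(parts) > 1 and parts[1][0] == 0x06 else None
    return decode_oid(parts[0][1]), params

def diagnose(der_spki):
    """Classify how the key is encoded: 'rfc8410' loads in OpenSSL 1.1.1,
    'ecPublicKey:<oid>' loads only if <oid> is a curve OpenSSL knows."""
    alg, curve = spki_algorithm(der_spki)
    if alg == ID_X25519:
        return "rfc8410"
    if alg == ID_EC_PUBLIC_KEY:
        return f"ecPublicKey:{curve}"
    return f"other:{alg}"

# Constructed samples (not from a real YubiKey certificate): 32 zero bytes of key
# material wrapped as an RFC 8410 SPKI and as an id-ecPublicKey SPKI.
_KEY = bytes([0x03, 0x21, 0x00]) + bytes(32)          # BIT STRING, 0 unused bits, 32-byte key
def _seq(content): return bytes([0x30, len(content)]) + content
SPKI_RFC8410 = _seq(_seq(bytes.fromhex("06032b656e")) + _KEY)                    # id-X25519
SPKI_EC_CV25519 = _seq(_seq(bytes.fromhex("06072a8648ce3d0201")                   # id-ecPublicKey
                            + bytes.fromhex("060a2b060104019755010501")) + _KEY)  # 1.3.6.1.4.1.3029.1.5.1
```

Running diagnose() on the DER of the failing certificate's SPKI (for example cut out with `openssl asn1parse`) tells you whether the ENC key is wrapped in the RFC 8410 form or in an id-ecPublicKey form with a curve OID OpenSSL has no table entry for.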