WinCryptSSHAgent

The smart card cannot perform the requested operation or the operation requires a different smart card

Open dniasoff opened this issue 3 years ago • 11 comments

This is probably similar to https://github.com/buptczq/WinCryptSSHAgent/issues/12

But when I try to login, I typically have to click OK on a few popups containing the above message before WinCryptSSHAgent will present the correct key.

I keep deleting the invalid certs from my user certificate store but they magically reappear???

[screenshot: Screenshot 2021-12-15 115307]

dniasoff avatar Dec 15 '21 12:12 dniasoff

Incredible software by the way. I have struggled over the years with windows, ssh-agent and wsl and this is the first solution that JUST WORKS!!!!

dniasoff avatar Dec 15 '21 12:12 dniasoff

Yeah, I have the same issue here (and the same compliments as @dniasoff).

DKhalil avatar Jan 04 '22 10:01 DKhalil

Do you also get this when executing certutil.exe -scinfo? I do.

Judging from your screenshot you are on Windows 11, as am I.

[image]

GottZ avatar Jan 21 '22 19:01 GottZ

Sorry for the delay in responding.

I am trying to reproduce the issue but so far I haven't been able to.

Not using SSH much right now. Beforehand this issue bothered me 10 times a day.


dniasoff avatar Jan 25 '22 14:01 dniasoff

For some reason, the issue hasn't happened the last couple of days.

But this is what I see when I run the above command:

The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
  0: Yubico YubiKey OTP+FIDO+CCID 0
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
--- Status: The card is available for use.
---   Card: YubiKey Smart Card
---    ATR:
        3b fd 13 00 00 81 31 fe  15 80 73 c0 21 c0 57 59   ;.....1...s.!.WY
        75 62 69 4b 65 79 40                               ubiKey@


=======================================================
Analyzing card in reader: Yubico YubiKey OTP+FIDO+CCID 0
Microsoft Base Smart Card Crypto Provider: Missing stored keyset

--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
---   Card: YubiKey Smart Card
Provider = Microsoft Smart Card Key Storage Provider
Key Container = c5cebbe6-d351-5d07-1043-66af425fc105
Serial Number: 69cf2c183e230992349829ee7ecf97106f8403b9
Issuer: @._desktop
 NotBefore: 07/11/2021 15:00
 NotAfter: 20/10/2023 15:00
Subject: @._desktop
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): cea5b5882977a03c3e44a86ff420b1edac59c118

Performing public key matching test...
Public key matching test succeeded
  Key Container = c5cebbe6-d351-5d07-1043-66af425fc105
  Provider = Microsoft Smart Card Key Storage Provider
  ProviderType = 0
  Flags = 1
    0x1 (1)
  KeySpec = 0 -- XCN_AT_NONE
Private key verifies
Microsoft Smart Card Key Storage Provider: KeySpec=0
AES256+RSAES_OAEP(ECC:CNG) test skipped

Performing cert chain verification...
CertGetCertificateChain(dwErrorStatus) = 0x20
Chain on smart card is invalid
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=20
  Issuer: @._desktop
  NotBefore: 07/11/2021 15:00
  NotAfter: 20/10/2023 15:00
  Subject: @._desktop
  Serial: 69cf2c183e230992349829ee7ecf97106f8403b9
  Cert: cea5b5882977a03c3e44a86ff420b1edac59c118
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

Exclude leaf cert:
  Chain: da39a3ee5e6b4b0d3255bfef95601890afd80709
Full chain:
  Chain: cea5b5882977a03c3e44a86ff420b1edac59c118
  Issuer: @._desktop
  NotBefore: 07/11/2021 15:00
  NotAfter: 20/10/2023 15:00
  Subject: @._desktop
  Serial: 69cf2c183e230992349829ee7ecf97106f8403b9
  Cert: cea5b5882977a03c3e44a86ff420b1edac59c118
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487 CERT_E_UNTRUSTEDROOT)
Verifies against UNTRUSTED root
Displayed cert for reader: Yubico YubiKey OTP+FIDO+CCID 0

--------------===========================--------------
CertUtil: -SCInfo command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
CertUtil: Keyset does not exist

Thanks

Daniel


dniasoff avatar Jan 26 '22 01:01 dniasoff

This is my output from the above command:

C:\Users\daniel>certutil.exe -scinfo
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
  0: Yubico YubiKey OTP+FIDO+CCID 0
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
--- Status: The card is available for use.
---   Card: YubiKey Smart Card
---    ATR:
        3b fd 13 00 00 81 31 fe  15 80 73 c0 21 c0 57 59   ;.....1...s.!.WY
        75 62 69 4b 65 79 40                               ubiKey@


=======================================================
Analyzing card in reader: Yubico YubiKey OTP+FIDO+CCID 0
Microsoft Base Smart Card Crypto Provider: Missing stored keyset

--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
---   Card: YubiKey Smart Card
Provider = Microsoft Smart Card Key Storage Provider
Key Container = XXXXXXXXXXXXXXXXXXXXX
Serial Number: XXXXXXXXXXXXXXXXXXXXX
Issuer:  XXXXXXXXXXXXXXXXXXXXX
 NotBefore: 07/11/2021 15:00
 NotAfter: 20/10/2023 15:00
Subject: XXXXXXXXXXXXXXXXXXXXX
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): XXXXXXXXXXXXXXXXXXXXX

Performing  public key matching test...
Public key matching test succeeded
  Key Container = XXXXXXXXXXXXXXXXXXXXX
  Provider = Microsoft Smart Card Key Storage Provider
  ProviderType = 0
  Flags = 1
    0x1 (1)
  KeySpec = 0 -- XCN_AT_NONE
Private key verifies
Microsoft Smart Card Key Storage Provider: KeySpec=0
AES256+RSAES_OAEP(ECC:CNG) test skipped

Performing cert chain verification...
CertGetCertificateChain(dwErrorStatus) = 0x20
Chain on smart card is invalid
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=20
  Issuer: XXXXXXXXXXXXXXXXXXXXX
  NotBefore: 07/11/2021 15:00
  NotAfter: 20/10/2023 15:00
  Subject: XXXXXXXXXXXXXXXXXXXXX
  Serial: XXXXXXXXXXXXXXXXXXXXX
  Cert: XXXXXXXXXXXXXXXXXXXXX
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

Exclude leaf cert:
  Chain: XXXXXXXXXXXXXXXXXXXXX
Full chain:
  Chain: XXXXXXXXXXXXXXXXXXXXX
  Issuer: XXXXXXXXXXXXXXXXXXXXX
  NotBefore: 07/11/2021 15:00
  NotAfter: 20/10/2023 15:00
  Subject: XXXXXXXXXXXXXXXXXXXXX
  Serial: XXXXXXXXXXXXXXXXXXXXX
  Cert: XXXXXXXXXXXXXXXXXXXXX
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487 CERT_E_UNTRUSTEDROOT)
------------------------------------
Verifies against UNTRUSTED root
Displayed  cert for reader: Yubico YubiKey OTP+FIDO+CCID 0

--------------===========================--------------
CertUtil: -SCInfo command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
CertUtil: Keyset does not exist

And I am getting the issue a lot now. The command pops up a prompt to view the certificate, like below, and that's when I get the error "CertUtil: -SCInfo command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET) CertUtil: Keyset does not exist".

[image]

dniasoff avatar Feb 17 '22 15:02 dniasoff

Getting it every time I use it and would love a fix pleeeeeease

This is what I see on certinfo:

[image]

dniasoff avatar Mar 29 '22 13:03 dniasoff

Yep, annoying. I've moved to using a normal cert with a classic passphrase until this issue is resolved. My YubiKey works fine on Linux using this method.

GottZ avatar Apr 16 '22 21:04 GottZ

@buptczq Any chance you can address this? It is getting to be a real pain. Perhaps some way of selecting the card to present to Windows instead of allowing it to see all certs/cards? I would really appreciate it, and it would improve my efficiency and quality of life dramatically.

Happy to help in any way I can, but I don't write Go currently.

dniasoff avatar May 23 '22 15:05 dniasoff

I have the same issue and would also appreciate a creative solution. Would unloading certain keys be an option? WinSCP won't connect with more than one certificate available. Unfortunately it checks the incorrect ones first and stops connecting.

michaelfm avatar May 23 '22 16:05 michaelfm

I have found a workaround for my problem. Certificates are created when you RDP into a machine so that you can use a smartcard over RDP remotely, and when you disconnect, the certificate remains in the user's personal store, which confuses WinCrypt. Removing that certificate manually prevents the pop-up.

Also, Windows Hello for Business supports smart-card enumeration, which also confuses WinCrypt. Disabling Windows Hello smart card enumeration should resolve this.

[image]

Computer Configuration/Administrative Templates/Windows Components/Windows Hello for Business.

I found that in one case that wasn't enough, and I also had to disable the specific cert in the Users/Personal store (later on the cert disappeared, so it might just take time).

dniasoff avatar Jun 15 '22 20:06 dniasoff
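As an added example (not code from the issue thread or from WinCryptSSHAgent), the following PowerShell inventories the current user's Personal store and flags certificates whose chain ends in an untrusted root, the same CERT_TRUST_IS_UNTRUSTED_ROOT condition certutil reported above, so a stale RDP-created entry can be reviewed before it is removed as dniasoff describes. The function name Get-PersonalStoreReport is an assumption of this example; it only reads certificate properties and never opens a private key, so it should not itself trigger the smart card popup.

```powershell
# Added example, not from the issue thread or the WinCryptSSHAgent project.
# Lists Cert:\CurrentUser\My and flags self-signed certificates with a private
# key whose chain terminates in an untrusted root (certutil: CERT_TRUST_IS_UNTRUSTED_ROOT).
using namespace System.Security.Cryptography.X509Certificates

function Get-PersonalStoreReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $chain = [X509Chain]::new()
        # Trust-only check: skip online revocation lookups.
        $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
        $null = $chain.Build($cert)
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $chain.Dispose()
        if (-not $status) { $status = 'OK' }

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            # Reads a stored cert property only; the key itself is not opened.
            HasPrivateKey = $cert.HasPrivateKey
            ChainStatus   = $status
            UntrustedRoot = ($status -match 'UntrustedRoot')
        }
    }
}

# Full inventory first, then the entries worth a closer look.
$report = Get-PersonalStoreReport
$report | Format-Table Thumbprint, Subject, NotAfter, HasPrivateKey, ChainStatus -AutoSize

$candidates = $report | Where-Object { $_.UntrustedRoot -and $_.SelfSigned -and $_.HasPrivateKey }
foreach ($c in $candidates) {
    # Preview only: -WhatIf shows what would be deleted without touching the store.
    Remove-Item -Path "Cert:\CurrentUser\My\$($c.Thumbprint)" -WhatIf
}
```

Note that the YubiKey's own self-signed certificate satisfies the same test (certutil above shows it verifying against an untrusted root too), so compare each candidate's thumbprint against the "Cert Hash(sha1)" that certutil -scinfo prints for the card before dropping -WhatIf.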