
yubico-piv-tool should clarify circumstances of "Failed signing certificate" #185

Closed · nealmcb opened this issue Feb 24, 2019 · 4 comments

nealmcb commented Feb 24, 2019

Running this command:

```
yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9c -S '/CN=root/' --valid-days=365 -i public.pem -o cert.pem
```

can generate this error:

```
Failed signing certificate
```

First, that is a very uninformative error. No other output is seen other than Successfully verified PIN.

Second, that string shows up in two places in the code:

```c
    if(!sign_data(state, signinput, len, signature, &sig_len, algorithm, key)) {
      fprintf(stderr, "Failed signing certificate.\n");
      goto selfsign_out;
    }
    M_ASN1_BIT_STRING_set(x509->signature, signature, sig_len);
    /* setting flags to ASN1_STRING_FLAG_BITS_LEFT here marks that no bits
     * should be subtracted from the bit string, thus making sure that the
     * certificate can be validated. */
    x509->signature->flags = ASN1_STRING_FLAG_BITS_LEFT;
  }
#else
  /* With opaque structures we can not touch whatever we want, but we need
   * to embed the sign_data function in the RSA/EC key structures */
  wrap_public_key(state, algorithm, public_key, key, oid, oid_len);
  if(X509_sign(x509, public_key, md) == 0) {
    fprintf(stderr, "Failed signing certificate.\n");
    goto selfsign_out;
  }
```

The code should print distinct messages, with relevant details, for these two situations.

Finally, how do I figure out what went wrong? What information would be useful to you to help debug this?


a-dma commented Feb 25, 2019

Start by adding a -v2 flag to show more verbose output. Keep in mind that this will dump all the APDU exchanged with the YubiKey, including your PIN. Make sure to omit it if it's not the default PIN.

Also, how was the key generated?


nealmcb commented Feb 25, 2019

Thanks for the quick response. And for the record, I generated the key via

```
yubico-piv-tool -s 9c -a generate -k --pin-policy=always --touch-policy=always --algorithm=ECCP256 -o public.pem
```

The -v2 flag yielded this extra bit of info:

```
Failed sign command with code 6982.
```

It appears that that cryptic code may mean "User did not touch the yubikey within 15 seconds".

There is no message asking the user to touch the yubikey, and the documentation doesn't mention it. But now I see that it does flash for 15 seconds, so count me as being a bit oblivious. And it does make sense that the user should confirm the action via a touch.

So I think that the code should be changed to distinguish the two cases I pointed out in the code, and for this particular situation, to clarify that the yubikey was not touched.

Also, the UI and documentation should both be changed to clarify all the necessary steps, including touching the yubikey.
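The two practical points raised above, that a `-v2` trace contains the PIN and should be scrubbed before it is shared, and that the sign command's status word `6982` is what actually explains the failure, can be combined in a small trace post-processor. The code below is an added example, not yubico-piv-tool code; the `>`/`<` hex line format of the trace is an assumption and the trace itself is constructed (it uses the default PIN `123456` and an ECCP256 sign on slot `9c`).

```python
# Added example (not part of yubico-piv-tool): scrub a verbose APDU trace
# before sharing it, and explain why the sign command failed.
VERIFY_INS = 0x20    # ISO 7816-4 VERIFY: its data field carries the PIN
GEN_AUTH_INS = 0x87  # PIV GENERAL AUTHENTICATE: used for signing

# ISO 7816-4 status words that matter for a PIV sign operation.
SW_MEANING = {
    0x9000: "success",
    0x6982: "security status not satisfied (PIN not verified, or touch not given in time)",
    0x6983: "authentication method blocked (PIN retries exhausted)",
    0x63C0: "verification failed (low nibble = retries left)",
}

# Constructed trace; the "> sent" / "< received" layout is an assumed format.
TRACE = """\
> 00 20 00 80 08 31 32 33 34 35 36 FF FF
< 90 00
> 00 87 11 9C 26 7C 24 82 00 81 20 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
< 69 82
"""

def parse_line(line):
    direction, *hexbytes = line.split()
    return direction, [int(h, 16) for h in hexbytes]

def scrub_trace(trace):
    """Return the trace with every VERIFY data field (Lc bytes) replaced by XX."""
    out = []
    for line in trace.splitlines():
        direction, data = parse_line(line)
        tokens = [f"{b:02X}" for b in data]
        if direction == ">" and len(data) >= 5 and data[1] == VERIFY_INS:
            tokens = tokens[:5] + ["XX"] * data[4]  # keep CLA INS P1 P2 Lc
        out.append(" ".join([direction] + tokens))
    return out

def explain_failures(trace):
    """Pair each command with its response and describe non-9000 status words."""
    findings, last_cmd = [], None
    for line in trace.splitlines():
        direction, data = parse_line(line)
        if direction == ">":
            last_cmd = data
            continue
        sw = (data[-2] << 8) | data[-1]
        if sw == 0x9000 or last_cmd is None:
            continue
        key = sw & 0xFFF0 if (sw >> 8) == 0x63 else sw  # fold 63Cx retry counters
        meaning = SW_MEANING.get(key, "unknown status word")
        ins, slot = last_cmd[1], last_cmd[3]  # P2 is the key slot for GENERAL AUTHENTICATE
        what = f"sign on slot {slot:02X}" if ins == GEN_AUTH_INS else f"INS {ins:02X}"
        findings.append(f"{what} failed with {sw:04X}: {meaning}")
    return findings
```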


a-dma commented Feb 26, 2019

Glad you got it to work. I see your point, unfortunately it's not easy to know when the YubiKey is waiting for a touch from the application point of view (at least as far as PIV goes).
I'll leave this issue open for now so that we can discuss it internally.

Thanks.


qpernil commented Feb 7, 2020

yubico-piv-tool 2.0.0 is out and contains a major upgrade to ykcs11, and to a lesser degree libykpiv, which is used by yubico-piv-tool. Please try that version.

Information on whether touch will be required is only sometimes available with current YubiKey firmware.
(It is embedded in the attestation certificate, but that can only be created for onboard-generated keys)
A coming version will allow this information to be retrieved for imported keys as well. Future versions of yubico-piv-tool may make use of this information, but the current one doesn't.

I'm closing this issue for now.

qpernil closed this as completed Feb 7, 2020