
enrollmentstation's People

Contributors: genbox, ian-csis, lordmike, mike-csis, theflyingcorpse

enrollmentstation's Issues

Yubikey 4 error

I tried using a Yubikey 4; although the device was read fine upon enrollment, I receive a "failed to generate key pair" error message.

Feature: Choose PIN tries amount

This is a feature request to add "PIN tries amount" to configuration.

Currently if the policy is to use some other PIN try amount than the default 3, one has to manually use the PIV tool to change the PIN try amount. But after that is done, the PIN and PUK are reset to default - making the workflow very cumbersome since ES does not readily display the PUK.

Keys created with ES 0.3.5.0 do not have "sign" usage bit enabled

As reported by "pkcs15-tool --list-keys" on Linux, the keys created by ES do not have the "sign" usage flag set. For example:

# pkcs15-tool --list-keys
Using reader with a card: Yubico Yubikey 4 OTP+U2F+CCID 00 00
Private RSA Key [PIV AUTH key]
        Object Flags   : [0x1], private
        Usage          : [0x22], decrypt, unwrap

However, keys created with the YubiKey PIV Manager do:

$ pkcs15-tool --list-keys
Using reader with a card: Yubico Yubikey 4 OTP+U2F+CCID 00 00
Private RSA Key [PIV AUTH key]
        Object Flags   : [0x1], private
        Usage          : [0x26], decrypt, sign, unwrap

Most importantly, the "sign" flag is needed for PKINIT to work on Linux as discovered here: https://pagure.io/SSSD/sssd/issue/3616
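The two `pkcs15-tool --list-keys` excerpts above differ only in the usage mask (0x22 versus 0x26). The script below is an added example, not code from the EnrollmentStation project or the issue author: it parses that output, decodes the mask using the PKCS#15 KeyUsageFlags bit positions, and reports which keys lack the "sign" bit that PKINIT needs. The sample outputs are taken from the two listings in the issue; the function and constant names are the example's own.

```python
from __future__ import annotations
import re

# PKCS#15 v1.1 KeyUsageFlags bit positions, as pkcs15-tool prints them.
USAGE_FLAGS = {
    0x001: "encrypt",
    0x002: "decrypt",
    0x004: "sign",
    0x008: "signRecover",
    0x010: "wrap",
    0x020: "unwrap",
    0x040: "verify",
    0x080: "verifyRecover",
    0x100: "derive",
    0x200: "nonRepudiation",
}
SIGN_BIT = 0x004

# Sample output reproduced from the issue (key generated by Enrollment Station).
ES_OUTPUT = """Using reader with a card: Yubico Yubikey 4 OTP+U2F+CCID 00 00
Private RSA Key [PIV AUTH key]
        Object Flags   : [0x1], private
        Usage          : [0x22], decrypt, unwrap
"""

# Sample output reproduced from the issue (key generated by YubiKey PIV Manager).
PIVMAN_OUTPUT = """Using reader with a card: Yubico Yubikey 4 OTP+U2F+CCID 00 00
Private RSA Key [PIV AUTH key]
        Object Flags   : [0x1], private
        Usage          : [0x26], decrypt, sign, unwrap
"""


def decode_usage(mask: int) -> list[str]:
    """Expand a PKCS#15 usage mask into the flag names that are set."""
    return [name for bit, name in sorted(USAGE_FLAGS.items()) if mask & bit]


def parse_list_keys(output: str) -> list[dict]:
    """Parse `pkcs15-tool --list-keys` text into {type, label, usage} records."""
    keys: list[dict] = []
    current = None
    for line in output.splitlines():
        m = re.match(r"^Private (\w+) Key \[(.+)\]", line)
        if m:
            current = {"type": m.group(1), "label": m.group(2), "usage": 0}
            keys.append(current)
            continue
        m = re.match(r"^\s+Usage\s*:\s*\[0x([0-9A-Fa-f]+)\]", line)
        if m and current is not None:
            current["usage"] = int(m.group(1), 16)
    return keys


def keys_missing_sign(output: str) -> list[str]:
    """Labels of private keys whose usage mask lacks the 'sign' bit."""
    return [k["label"] for k in parse_list_keys(output) if not k["usage"] & SIGN_BIT]


if __name__ == "__main__":
    for name, text in (("Enrollment Station", ES_OUTPUT), ("PIV Manager", PIVMAN_OUTPUT)):
        for key in parse_list_keys(text):
            flags = ", ".join(decode_usage(key["usage"]))
            print(f"{name}: {key['label']} usage=0x{key['usage']:02X} ({flags})")
        print(f"{name}: keys without sign usage: {keys_missing_sign(text) or 'none'}")
```

Run it against the real tool with `pkcs15-tool --list-keys | python3 check_usage.py` after replacing the embedded samples with `sys.stdin.read()`; a non-empty result from `keys_missing_sign` is the condition under which PKINIT on Linux will reject the card.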

Feature: PIN complexity (custom)

Currently no PIN complexity check exists when enrolling a Yubikey or resetting the PIN.

Using the Yubikey Minidriver on Windows, where users can change the PIN to something like 1 character, is not secure, so we disabled the possibility to change the PIN via Windows.

Using PIV Manager there is a PIN complexity, but it follows the standard Windows complexity and integration in Windows is not so nice

Is there a way we can customize the PIN complexity using this tool?

Unable to import a certificate

On enrolling a user, the error "Unable to import a certificate" is displayed. The CA has issued the certificate correctly, which I now have to revoke.

This same error happened on the first YubiKey NEO I attempted to enroll with ES. Then, I fumbled around for a few hours with this YK, tried ES again, and enrollment magically worked with ES. I was happy and moved to the next YK - again the same "Unable to import a certificate" error.

I have checked the NEO Manager, and CCID mode is enabled (disabling + re-enabling CCID did not help). PIV Manager seems to work on it.
I do not remember exactly what I did with the first YK, but it included:

  • Renaming the reader with NEO Manager and resetting it back to default name
  • Generate certificate with PIV Manager
  • Import certificate with PIV Manager

And so on. I specifically did NOT do any "set-ccc" / "set-chuid" / resetting on it.

Enrollment Agents unable to revoke Yubikeys

We have a number of agents that can issue Yubikeys, but get the attached error when attempting to revoke. Others are able to issue, revoke and terminate on their enrollment station, so it appears to be permissions based. We have attempted revoke with the problem agents on several enrollment stations and they receive the same error.

(attached screenshot: term-revok_error)

Using YubicoLib to set the PIN retries

I am trying to use the code from the ADD-TRIESCONFIG branch and not having any luck.

Using the method
public bool ChangePinPukRetries(byte pinRetryCount, byte pukRetryCount)
This line
return code == YubicoPivReturnCode.YKPIV_OK && sw == YubikeyPivNative.SW_SUCCESS
returns false, because SW is returned as 27010, which is SW_ERR_SECURITY_STATUS and not 0x9000 (or its decimal equivalent).

Digging deeper, the SW is a Status Word, and is outlined here: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf (Section 5.6)

I am getting back 69 and 82, which according to that pdf means Security status not satisfied
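The decimal 27010 in the post is simply the two status-word bytes 0x69 0x82 packed into one integer. The helper below is an added example (not part of EnrollmentStation or YubicoLib) that splits a status word into SW1/SW2 and describes it using the ISO 7816-4 meanings that SP 800-73-4 section 5.6 reuses, including the 0x63CX "retries remaining" form returned by a failed PIN VERIFY. The function names and the description table are the example's own.

```python
SW_SUCCESS = 0x9000

# Common ISO 7816-4 status words as returned by a PIV applet.
KNOWN_SW = {
    0x9000: "success",
    0x6982: "security status not satisfied (a required PIN verification or management-key authentication has not been performed)",
    0x6983: "authentication method blocked (PIN or PUK retries exhausted)",
    0x6700: "wrong length",
    0x6A80: "incorrect parameters in the data field",
    0x6A82: "file or application not found",
    0x6D00: "instruction code not supported or invalid",
}


def sw_bytes(sw: int) -> tuple:
    """Split a 16-bit status word into (SW1, SW2)."""
    return (sw >> 8) & 0xFF, sw & 0xFF


def is_success(sw: int) -> bool:
    return sw == SW_SUCCESS


def describe_sw(sw: int) -> str:
    """Human-readable meaning of a status word, or 'unknown'."""
    if sw in KNOWN_SW:
        return KNOWN_SW[sw]
    # 0x63CX: verification failed, X retries remaining.
    if (sw & 0xFFF0) == 0x63C0:
        return f"verification failed, {sw & 0x0F} retries remaining"
    return "unknown"


def explain(sw: int) -> str:
    """One-line diagnostic suitable for a log message."""
    sw1, sw2 = sw_bytes(sw)
    return f"SW={sw} (0x{sw:04X}, SW1={sw1:02X} SW2={sw2:02X}): {describe_sw(sw)}"


if __name__ == "__main__":
    # The value reported in the issue above, plus two other cases.
    for sw in (27010, 0x9000, 0x63C2):
        print(explain(sw))
```

Logging `explain(sw)` next to the YKPIV return code whenever a wrapper method returns false turns "27010" into a message that names the missing precondition, which is the first thing to check before changing the PIN-retry count.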

Error while issuing Yubikey

This issue started this AM on all enrollment stations. We're getting the attached when enrolling a Yubikey.
(attached screenshot: enroll_error)

Touch Policy for Yubikey 4

Hi there,

One more request! Is it possible to have the option to use the touch policy on the Yubikey 4s? I only ask since this so far seems the best way to manage Yubikeys!

Thanks again in advance!

Typo in "Terminate (WILL revoke)"

There is a typo on the termination confirmation dialog:
"This will terminate the Yubikey, wiping the PIN, PUK, Management Key and Certificates. This will also revoke the certificiate. Proceed?"

Note "certificiate" and not "certificate".

It would be nice if PUK etc. could be programmed

It would be very nice if a PUK code could be defined in CSIS settings. And the amount of PIN/PUK retries.
Currently the CLI tool is needed to set these manually after programming the key with CSIS.

Ability to set and get the CCC

We are using the EnrollmentStation and YubicoLib code to help write our own Yubikey provisioning software.

We have the need to set the CCC value in order to use the Yubikeys to login to our Mac systems, but the YubikeyPivNative class does not have a method for doing that.

In an attempt to implement it myself I have mimicked the methods in YubikeyPivNative:
[DllImport("Binaries\\libykpiv-1.dll", EntryPoint = "ykpiv_util_set_cccid", CharSet = CharSet.Ansi, SetLastError = true, CallingConvention = CallingConvention.Cdecl)] internal static extern YubicoPivReturnCode YkPivSetCcc(IntPtr state, byte[] ccc);
I found the function name by using DLL Export Viewer, but I get an exception when I attempt to call it using the above code:
'Unable to find an entry point named 'ykpiv_util_set_cccid' in DLL 'Binaries\libykpiv-1.dll

I'm sure I have the method signature wrong, since I don't know what arguments ykpiv_util_set_cccid is expecting.
Is there any light you could shed on this for us?

Unable to import certificate

I'm trying to set up an enrollment station and am also getting the 'unable to import a certificate, return code YKPIV_GENERIC_ERROR' error. I've changed the template minimum key size to 1024 and still no dice. I can use the PIV Manager to generate keys, but we want to use ES with an enrollment agent.

AppCrash on initialization

When starting the application I'm getting an AppCrash report on specific systems.
I've tried to debug and got the following Error:
Unable to init device: YKNEOMGR_BACKEND_ERROR
at EnrollmentStation.Code.YubikeyNeoManager..ctor()
at EnrollmentStation.MainForm..ctor()
at EnrollmentStation.Program.Main()

EnrollmentStation crashes when more than one card reader is present

Windows Server 2012 R2 Standard x64, via RDP.

Application: EnrollmentStation.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.AccessViolationException
Stack:
at EnrollmentStation.Code.YubikeyNeoManager.YkNeoManagerDiscover(IntPtr)
at EnrollmentStation.Code.YubikeyNeoManager.RefreshDevice()
at EnrollmentStation.Code.YubikeyDetector.BackgroundWork()
at System.Threading.Tasks.Task.InnerInvoke()
at System.Threading.Tasks.Task.Execute()
at System.Threading.Tasks.Task.ExecutionContextCallback(System.Object)
at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.Tasks.Task.ExecuteWithThreadLocal(System.Threading.Tasks.Task ByRef)
at System.Threading.Tasks.Task.ExecuteEntry(Boolean)
at System.Threading.Tasks.Task.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem()
at System.Threading.ThreadPoolWorkQueue.Dispatch()
at System.Threading._ThreadPoolWaitCallback.PerformWaitCallback()

Management key with lower case letters not accepted

Some of the YubiKey tools show management keys with lower case letters. ES does not accept such management key and the letters must be changed to upper case.

The management key with lower case letters should be accepted and ES then internally convert the lower case letters to suitable case.

Enrollment Certificate stored on smart card not supported?

I believe that the best practice is to store the Enrollment Certificate on a smart card for security. It seems EnrollmentStation does not support this?

I have requested an Enrollment Certificate with the PIV Manager tool and saved it to some slot, say 9c or 9d. But when choosing the Agent certificate, "browse" button only displays the certificate on the local computer and not certificates from YubiKey.

ECC Certificate Support

Hi,

Just wondered if it is possible to use ECC certificates with the Enrollment Station? How much work would it be to add it in? I can use RSA 1024 / 2048 just fine, but would prefer to use ECC (I have the template set up and it works with the minidriver enrollment, but want to do PIV and use the Enrollment Station).

I'm looking for ECC P256 support specifically.

Thanks in advance!

Typo in "Enroll new SmartCard"

The "Enroll new SmartCard" dialog has a typo:
"YubiHSM avaliable"
It should probable be "available" with the 'i' moved. Do you guys proof-read these at all? It reflects very poorly on the quality of the program.

(attached screenshot)

System.Threading.LockRecursionException on Enroll Yubikey

I've downloaded the latest committed version and ran the compiled Enrollmentstation.exe.
First I configured all required settings such as management key, CA and agent cert.
After plugging in a Yubikey and clicking on "Enroll Yubikey", an exception appears like this:
System.Threading.LockRecursionException: Das Einrichten von rekursiven Schreibsperren ist in diesem Modus nicht zulässig.
bei System.Threading.ReaderWriterLockSlim.TryEnterWriteLockCore(TimeoutTracker timeout)
bei System.Threading.ReaderWriterLockSlim.TryEnterWriteLock(TimeoutTracker timeout)
bei EnrollmentStation.DlgEnroll.YubikeyStateChange()
bei EnrollmentStation.DlgEnroll.DlgEnroll_Load(Object sender, EventArgs e)
bei System.Windows.Forms.Form.OnLoad(EventArgs e)
bei System.Windows.Forms.Form.OnCreateControl()
bei System.Windows.Forms.Control.CreateControl(Boolean fIgnoreVisible)
bei System.Windows.Forms.Control.CreateControl()
bei System.Windows.Forms.Control.WmShowWindow(Message& m)

Support for updating expired keys

The current procedure for updating expired certificates is to terminate the Yubikey (which revokes the certificate) and enroll it again. This has 2 issues:

  1. Best practice is to keep the revocation list on a CA as small as possible. We are putting expired/soon to expire smart cards on the revocation list.
  2. The Yubikey gets reset (terminated) and the user has to re-enter the PIN code.

Clock skew considerations

  • To prevent clock skew issues and faulty clock implementations, we could implement a threshold of about 24 hours. If the certificate expired more than 24 hours ago, we simply delete it from the smart card without revocation. This could be configurable.
  • Soon to expire certificates should be revoked, as they are technically valid, even for a short amount of time.

Key renewal discussion

  • The key renewal strategy depends on a couple of factors:
    • The length of time the certificate has been valid
    • The length of the key
    • The possibility that the key was obtained by a malicious user
    • The usage of the key (authentication only, signing and/or encryption)
  • It should be configurable to renew keys or reuse keys

User's PIN

  • After termination, the user has to enter his old PIN or get assigned a new one. This depends on the PIN strategy used by the company. It could be prudent to apply the old PIN automatically to the smart card when we just renew the certificate.
  • This should be configurable.

Documentation considerations

  • We should perhaps keep track of statistics. How many smart cards have been issued? How many have been revoked? How many are expired? How many can be cleaned up?
  • Document how to prune Microsoft CA for expired certificates.
  • To encourage high security, we could show a security indicator (high/degraded) in the settings window

Feature: Set the RESET PIN to only allow maximum of 8 characters

At this time it is required for the PIN RESET to be 6 or more characters, but you can use more than 8

This is a problem for Yubikey NEO used on Windows systems with the Yubikey Mini Driver, which do not allow more than 8 characters

At a customer site (>500 Yubikeys) the users need to RESET their PIN at an enrollment facility, and are told to use between 6-8 characters, but users can and therefore will not listen and use more than 8 anyway :)

Is there a setting which can be altered to set the maximum to 8 characters for the PIN Reset?

Error: Destination array was not long enough

Hi,
we are getting the following error while trying to enroll a custom version of the default smart card user template. We only changed a few settings like the validity duration, security groups and hash algorithm.

(attached screenshot: dest_array_error)

Smart Card Minidriver vs. NIST Identity Device and ES future

Looking at https://forum.yubico.com/viewtopic.php?f=25&t=2764 there has been a massive change in how YK PIV functionality can work.

Am I mistaken in thinking that the Minidriver makes EnrollmentStation (ES) more or less redundant? Are there some functions in ES that are missing from the native Windows functionality leveraging the Minidriver?

Does this mean the ES, that has not seen a release in a year, will be getting even less development?

Pushing out the Minidriver through Windows Updates surprised us badly, and I think we cannot move to use it because we use the YK PIV functionality in macOS as well. I understood that if you go the Minidriver way and re-enroll the YK, it cannot be used under macOS/OpenSC? These non-ES-related questions I shall put to the official YK forum as well.

Edit: the aforementioned forum link totally does not even mention ES. Is this product/workflow actually still officially supported by YubiCo??

Unable to revoke certificate

Hello, we are currently evaluating the YubiKey for use by our users. I installed a new root CA and configured it with the instructions from your documentation. I have been able to use the CSIS Enrollment Station to issue my first certificate for one user and was able to successfully log into the user's workstation via the smart card. I now want to revoke the certificate to make more tests and I'm getting the following error. Please see screenshot:

https://dl.dropboxusercontent.com/u/7894017/Yubi_Error.jpg

Doing a google search, it seems to be because I'm running the Enrollment Station on a 64bit OS (Windows 10)

I'm using this version of the enrollment station https://github.com/CSIS/EnrollmentStation/releases/download/0.3.5.0/Enrollment.Station.v0.3.5.0.zip

How can I get around this issue?

Thank you

Could you please use the "releases" functionality of GitHub?

Looking at the commit frequency graph, there are clear peaks and valleys in the activity.
I do not know if it suits your development process, but could you please consider using the "releases" functionality of GitHub? This would make it much easier for end-users to get the whole thing installed. It is not very convenient to download binaries one by one.

Visual studio crash app when debug

All projects build OK, but when I try to debug the project I get this error in YubikeyNeoManager.cs:
YubicoNeoReturnCode res = YubikeyNeoNative.YkNeoManagerListDevices(deviceHandle.Device, ptr, ref len);

Error:

An unhandled exception of type 'System.AccessViolationException' occurred in YubicoLib.dll
Additional information: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.

Running Visual Studio 2015 in a Parallels VM with Windows Server 2012 R2.

Please help!!

Missing Information about Deployment Requirements

Recently I tried to get the software running. I'm currently failing hard.
Are there any specific requirements for installing and running the software?
I think it would be really great to have an install and requirements guide for that.
Is it possible to interact with 3rd party provisioned devices?
