XCA cannot properly access a YubiHSM2 (login issues maybe) #531

Open
rkuerbitz opened this issue Feb 26, 2024 · 8 comments
@rkuerbitz

I am trying to use XCA with a YubiHSM 2 to create certificates. However, XCA somehow cannot properly access the device via PKCS#11. I can successfully assign the PKCS#11 driver in the options.

Trying Token / Manage security token gives the error message
The token 'YubiHSM' did not contain any keys or certificates.
I can, however, create a private key on the device with XCA and then have it in my XCA database.

When I want to create a certificate using this PK, I get the error message
Please insert card: Yubico (www.yubico.com) YubiHSM [YubiHSM] with serial: xxxx

After clicking cancel, the following message shows:
The following error occurred: Failed to find the key on the token

The log file of the YubiHSM PKCS#11 driver shows the following error:
[P11 - ERR 11:41:59.204728] D:\a\yubihsm-shell\yubihsm-shell\yubihsm-shell-2.4.2\pkcs11\util_pkcs11.c:3856 (get_session): Session user not logged in
As XCA did not ask for my PIN, this seems to be the cause.

Could this be a bug in XCA? Any help would be appreciated.

@chris2511
Owner

Maybe related to #43 (comment)

So, the solution would be to check if the key on token is CKA_ALWAYS_AUTHENTICATE, and do C_Login(CKU_CONTEXT_SPECIFIC,...)

Maybe I will find the time to look into it, soon.

@rkuerbitz
Author

Thanks for the hints.
However, I did not succeed in either of them. Trying to create a key pair with pkcs11-tool using the --always-auth flag gives me this error:
error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

Regarding the opensc.conf options, I am unsure if the YubiHSM PKCS#11 driver even uses the pin_cache_ignore_user_consent = true; option.

So, I would really appreciate if you could look into it, as I am a bit lost right now.

@chris2511
Owner

Either the keypair hasn't been created completely (public and private key object), see: https://hohnstaedt.de/xca-doc/html/smartcard.html#key-management-on-the-token .
Did you create the keys with XCA or with another tool and then import them into XCA?
Do you see the created keys when you select "Manage Security token"?

@rkuerbitz
Author

Hi, I contacted Yubico about this, and this is what they answered:
When we are testing the XCA tool it seems like it is not able to establish a session using the yubihsm_pkcs11 module.
The reason is likely that the YubiHSM2 does not support the SO-PIN concept, as is stated in the YubiHSM2 PKCS#11 documentation, and it seems like all the interactions to sign in are using the SO PIN, rather than the regular PIN.

Could this help with addressing this issue within XCA?
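As an added illustration (not code from XCA, Yubico, or the yubihsm_pkcs11 module), the following Python models the login sequence that chris2511's suggestion (check CKA_ALWAYS_AUTHENTICATE, then C_Login with CKU_CONTEXT_SPECIFIC) and Yubico's explanation (the token has no SO PIN, so logging in as SO cannot work) together describe. It builds a simulated token session that has no SO role and hides private keys until the user is logged in, a sign routine that logs in as CKU_USER first and adds the context-specific login only for keys whose CKA_ALWAYS_AUTHENTICATE attribute is set, and the failing variant that authenticates as SO. The SimTokenSession class, its key store, the HMAC stand-in for signing, and the return value chosen for a rejected SO login are all assumptions of this example; the PKCS#11 constant values are taken from the specification.

```python
import hmac, hashlib

# PKCS#11 constants, values as defined in the PKCS#11 v2.x specification.
CKU_SO, CKU_USER, CKU_CONTEXT_SPECIFIC = 0, 1, 2
CKA_ALWAYS_AUTHENTICATE, CKF_LOGIN_REQUIRED = 0x202, 0x4
CKR_OK, CKR_OPERATION_NOT_INITIALIZED, CKR_PIN_INCORRECT = 0x00, 0x91, 0xA0
CKR_USER_ALREADY_LOGGED_IN, CKR_USER_NOT_LOGGED_IN = 0x100, 0x101
CKR_USER_TYPE_INVALID = 0x103

class Pkcs11Error(Exception):
    def __init__(self, func, rv):
        super().__init__(f"PKCS11 function {func} failed: rv = {rv:#x}")
        self.rv = rv

class SimTokenSession:
    """Constructed stand-in for a session on a token that has only a user PIN
    (no SO role) and hides private keys until the user is logged in. Keys are
    constructed HMAC secrets, not HSM objects; this is not yubihsm_pkcs11."""

    def __init__(self, user_pin, keys):
        self._pin = user_pin
        self._keys = keys        # label -> {"always_auth": bool, "secret": bytes}
        self.token_flags = CKF_LOGIN_REQUIRED
        self.user_logged_in = False
        self._active_key = None
        self._context_authenticated = False

    def C_Login(self, user_type, pin):
        if user_type == CKU_SO:
            return CKR_USER_TYPE_INVALID   # assumption: no SO role at all
        if pin != self._pin:
            return CKR_PIN_INCORRECT
        if user_type == CKU_USER:
            if self.user_logged_in:
                return CKR_USER_ALREADY_LOGGED_IN
            self.user_logged_in = True
            return CKR_OK
        if user_type == CKU_CONTEXT_SPECIFIC:
            if self._active_key is None:   # only valid during an operation
                return CKR_OPERATION_NOT_INITIALIZED
            self._context_authenticated = True
            return CKR_OK
        return CKR_USER_TYPE_INVALID

    def C_FindObjects(self, label):
        # Private keys are invisible to an unauthenticated session.
        if not self.user_logged_in:
            return []
        return [label] if label in self._keys else []

    def C_GetAttributeValue(self, handle, attr):
        if attr != CKA_ALWAYS_AUTHENTICATE:
            raise KeyError(attr)
        return self._keys[handle]["always_auth"]

    def C_SignInit(self, handle):
        if not self.user_logged_in:
            return CKR_USER_NOT_LOGGED_IN
        self._active_key, self._context_authenticated = handle, False
        return CKR_OK

    def C_Sign(self, data):
        key = self._keys[self._active_key]
        if key["always_auth"] and not self._context_authenticated:
            return CKR_USER_NOT_LOGGED_IN, None
        self._active_key = None
        return CKR_OK, hmac.new(key["secret"], data, hashlib.sha256).digest()

def _check(func, rv, ok=(CKR_OK,)):
    if rv not in ok:
        raise Pkcs11Error(func, rv)

def sign_with_token(session, pin, key_label, data):
    """User login first (tolerating an already-open login), then a
    context-specific login between C_SignInit and C_Sign only when the key
    carries CKA_ALWAYS_AUTHENTICATE."""
    if session.token_flags & CKF_LOGIN_REQUIRED and not session.user_logged_in:
        _check("C_Login", session.C_Login(CKU_USER, pin),
               ok=(CKR_OK, CKR_USER_ALREADY_LOGGED_IN))
    handles = session.C_FindObjects(key_label)
    if not handles:
        raise LookupError("Failed to find the key on the token")
    key = handles[0]
    _check("C_SignInit", session.C_SignInit(key))
    if session.C_GetAttributeValue(key, CKA_ALWAYS_AUTHENTICATE):
        _check("C_Login", session.C_Login(CKU_CONTEXT_SPECIFIC, pin))
    rv, sig = session.C_Sign(data)
    _check("C_Sign", rv)
    return sig

def sign_with_so_login(session, pin, key_label, data):
    """Failing variant Yubico described: authenticate as SO; returns the rv."""
    rv = session.C_Login(CKU_SO, pin)
    return rv if rv != CKR_OK else sign_with_token(session, pin, key_label, data)

def demo_keys():
    return {"ca-key": {"always_auth": False, "secret": b"constructed-secret-1"},
            "strict-key": {"always_auth": True, "secret": b"constructed-secret-2"}}
```

Against the simulated session the SO-login variant never authenticates, so the session stays in the state where a later key lookup would report the key as missing, which is the symptom the issue describes; the user-login path signs with both an ordinary key and an always-authenticate key, and skipping the context-specific login on the latter is what produces a "not logged in" return from C_Sign.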

@chris2511
Owner

Added login option with 3457454
Please try a build from https://github.com/chris2511/xca/actions/runs/8195398369

@rkuerbitz
Author

Dear Chris,
thanks a lot for providing the additional login option so fast! I tested the build; however, XCA just stalls and has to be force-closed after entering the PIN. I am attaching the PKCS11 log for one XCA session, so if you could have a look at it, that would be great:
yubiHSM.txt

@chris2511
Owner

Auto close with 3457454 was not correct

chris2511 reopened this Mar 11, 2024
@rkuerbitz
Author

Dear Chris,
may I kindly ask if there are any news on this issue?
