App crash when plugging in Yubikey during smart card extension configuration
delfuego opened this issue · 4 comments
When trying to use the smart card extension configuration function in Yubico Authenticator (three-dot menu at upper right > Configuration > Smart card extension), the app immediately crashes when I plug my Yubico 5Ci into my device. (Of note, I am using a FIPS device.)
I've attached the crash log from iOS here.
Device info: iPhone 13 Pro, iOS 16.3.1.
Yubico Authenticator: v1.7.1 (build 96)
YubiKey: YubiKey 5Ci FIPS, firmware 5.4.2
I was asked to provide more info about our Yubikey keys, so here that info is.
First, we have no issues using the derived PIV-D certs on the keys for system login, either on Mac or Windows; they work perfectly. The Yubikey Manager app (on macOS) can't read the PIV certs, though — when going to Applications > PIV, it reports "Failed connecting to the YubiKey. Make sure the application has the required permissions.". We've worked through all the advice on this page, but it doesn't look like it's a permissions issue per se — all the necessary permissions are granted to the app, so that must be a more generic error message that doesn't reflect the actual issue the app has in reading the certs/keys.
Second, the certs are written to the keys using a Deloitte-written application that uses Entrust's PIV-D system as its underpinnings.
Finally, I was asked about the key size of the keys; according to the macOS security/smartcard support infra (at the command line, security export-smartcard), this is the info about the first private key on the card (there are two, and they're similar):
==== private key #1
crtr : 0
esiz : 0
decr : 0
atag : ""
kcls : 1
agrp : "com.apple.token"
pdmn : "dk"
bsiz : 2,048
type : 42
klbl : <ce 20 3e 93 24 c5 bb e1 1b ae d7 66 28 0d 66 5e 25 bc 8d a5>
edat : 2001-01-01 00:00:00 +0000
sign : 1
mdat : 2023-04-13 12:45:43 +0000
drve : 0
labl : "Key For PIV Authentication (Jason E. Levine -A11)"
sync : 0
musr : <>
sha1 : <ff c7 8b b1 e3 77 c0 5b d8 7d 5b 01 cf 0a 29 70 48 db 54 86>
cdat : 2023-04-13 12:45:43 +0000
tkid : "com.apple.pivtoken:00000000000000000000000000000000"
sdat : 2001-01-01 00:00:00 +0000
tomb : 0
priv : 1
accc : constraints: {
osgn : "PIN"
}
protection: {
tkid : "com.apple.pivtoken:00000000000000000000000000000000"
}
unwp : 0
====
@jensutbult Will there be a new version of Yubico Authenticator released to the iOS App Store so that we can test whether this resolves the issue on our end?
@delfuego there's a new release coming out next week that includes this fix.
@jensutbult Excellent! If you do any app testing with TestFlight, we'd be happy to enroll and test out the new build before you release it to confirm that it resolves our issue.