Yubikey PIV "The smart card cannot perform the requested operation."

Problem description

I am trying to use a Yubikey to authenticate with Microsoft's AAD CBA, but when I plug in the Yubikey I get the error:

The smart card cannot perform the requested operation or the operation requires a different smart card

To troubleshoot, I have used the Yubico tools to make sure the certificate is on the yubikey:

and verified that the yubikey smart card minidriver is installed in the PC's Device Manager.

I did notice that when the Yubikey is connected, a Microsoft Usbccid Smartcard Reader is also added in Device Manager.

Any guidance on whether this is a driver issue or something else I should look at would be appreciated.

EDIT: Following the troubleshooting on this page https://github.com/Yubico/yubikey-piv-manager/issues/24 I changed the yubikey registry entry to use msclmd.dll instead of the yubikey minidriver, and was able to get certutil info that identifies the certificate. There:

The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
  0: Yubico YubiKey OTP+FIDO+CCID 0
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
---   Card: YubiKey Smart Card
---    ATR:
        3b fd 13 00 00 81 31 fe  15 80 73 c0 21 c0 57 59   ;.....1...s.!.WY
        75 62 69 4b 65 79 40                               ubiKey@

=======================================================
Analyzing card in reader: Yubico YubiKey OTP+FIDO+CCID 0
PS C:\Users\igalf> certutil -scinfo
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
  0: Yubico YubiKey OTP+FIDO+CCID 0
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
---   Card: YubiKey Smart Card
---    ATR:
        3b fd 13 00 00 81 31 fe  15 80 73 c0 21 c0 57 59   ;.....1...s.!.WY
        75 62 69 4b 65 79 40                               ubiKey@


=======================================================
Analyzing card in reader: Yubico YubiKey OTP+FIDO+CCID 0

--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
---   Card: YubiKey Smart Card
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = (null) [Default Container]

Cannot open the AT_SIGNATURE key for reader: Yubico YubiKey OTP+FIDO+CCID 0
PS C:\Users\igalf> certutil -scinfo
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
  0: Yubico YubiKey OTP+FIDO+CCID 0
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
---   Card: YubiKey Smart Card
---    ATR:
        3b fd 13 00 00 81 31 fe  15 80 73 c0 21 c0 57 59   ;.....1...s.!.WY
        75 62 69 4b 65 79 40                               ubiKey@


=======================================================
Analyzing card in reader: Yubico YubiKey OTP+FIDO+CCID 0

--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
---   Card: YubiKey Smart Card
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = 732e006f-1df6-434f-870d-ac7ad05fc105 [Default Container]

No AT_SIGNATURE key for reader: Yubico YubiKey OTP+FIDO+CCID 0
Serial Number: 2000000015eb9e5f830f3b8636000000000015
Issuer: CN=same-CA, DC=same, DC=domain
 NotBefore: 7/25/2022 11:47 AM
 NotAfter: 7/25/2023 11:47 AM
Subject: [email protected]
Non-root Certificate
Template: 1.3.6.1.4.1.311.21.8.12345975.15510245.10898846.1019471.8820641.108.11419149.7468723
Cert Hash(sha1): aae49e206c1fbcac5595e966bb806558317f0518

Performing AT_KEYEXCHANGE public key matching test...
Public key matching test succeeded
  Key Container = 732e006f-1df6-434f-870d-ac7ad05fc105
  Provider = Microsoft Base Smart Card Crypto Provider
  ProviderType = 1
  Flags = 1
    0x1 (1)
  KeySpec = 1 -- AT_KEYEXCHANGE
Private key verifies

Performing cert chain verification...
CertGetCertificateChain(dwErrorStatus) = 0x1000040
Chain on smart card is invalid
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=same-CA, DC=same, DC=domain
  NotBefore: 7/25/2022 11:47 AM
  NotAfter: 7/25/2023 11:47 AM
  Subject: [email protected]
  Serial: 2000000015eb9e5f830f3b8636000000000015
  SubjectAltName: Other Name:Principal [email protected]
  Template: 1.3.6.1.4.1.311.21.8.12345975.15510245.10898846.1019471.8820641.108.11419149.7468723
  Cert: aae49e206c1fbcac5595e966bb806558317f0518
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  Application[0] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=same-CA, DC=same, DC=domain
  NotBefore: 7/23/2022 10:09 PM
  NotAfter: 7/23/2027 10:19 PM
  Subject: CN=same-CA, DC=same, DC=domain
  Serial: 22186ead3636cda04a63b3d2357bc2e7
  Cert: b64f289bdf0fe3bb54638a928a5e8c37f1418931
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  Chain: aae49e206c1fbcac5595e966bb806558317f0518
Full chain:
  Chain: 4be2869ed0c351f6686e3aaf16fd4f5d8b715a50
  Issuer: CN=same-CA, DC=same, DC=domain
  NotBefore: 7/25/2022 11:47 AM
  NotAfter: 7/25/2023 11:47 AM
  Subject: [email protected]
  Serial: 2000000015eb9e5f830f3b8636000000000015
  SubjectAltName: Other Name:Principal [email protected]
  Template: 1.3.6.1.4.1.311.21.8.12345975.15510245.10898846.1019471.8820641.108.11419149.7468723
  Cert: aae49e206c1fbcac5595e966bb806558317f0518
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
------------------------------------
Revocation check skipped -- server offline
Displayed AT_KEYEXCHANGE cert for reader: Yubico YubiKey OTP+FIDO+CCID 0

--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
---   Card: YubiKey Smart Card
Provider = Microsoft Smart Card Key Storage Provider
Key Container = 36736414-a18e-4d23-add2-a9c7515fc105

Cannot open the  key for reader: Yubico YubiKey OTP+FIDO+CCID 0

--------------===========================--------------

Done.
CertUtil: -SCInfo command completed successfully.

However, as you can see, it says it cannot find the second certificate (no idea what certificate is stored in that container, since I only use 9a). I still get the same error in AAD CBA.
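The certutil output above prints the card's ATR, and the edit in the question changes the registry entry that maps that ATR to a minidriver. Windows chooses the minidriver by matching the card's ATR against the entries under HKLM\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards; each entry carries an ATR, an ATRMask, and the minidriver path in the value named 80000001 (plus the CSP and KSP names). The PowerShell below is an added example, not part of the original question or of Yubico's tooling: it takes the ATR bytes printed above and lists which Calais entries match them and which minidriver, CSP and KSP those entries point at, so you can confirm what Windows will actually load after an edit like the one described. Function names are my own; the match is modelled as a masked, equal-length byte comparison, which is how the ATRMask is applied.

```powershell
# Added example: which Calais (smart card) registry entries match a given ATR,
# and which minidriver / CSP / KSP Windows will use for it.
# The ATR below is the one certutil -scinfo printed in the question.
$CardAtr = '3b fd 13 00 00 81 31 fe 15 80 73 c0 21 c0 57 59 75 62 69 4b 65 79 40'

function ConvertTo-ByteArray([string]$Hex) {
    # Accepts "3b fd ..." or "3BFD..." and returns a [byte[]].
    $clean = $Hex -replace '[^0-9a-fA-F]', ''
    $bytes = New-Object byte[] ($clean.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($clean.Substring(2 * $i, 2), 16)
    }
    return ,$bytes
}

function Test-AtrMatch([byte[]]$Card, [byte[]]$Entry, [byte[]]$Mask) {
    # An entry matches when the lengths agree and every byte is equal after
    # applying ATRMask. An entry without ATRMask must match exactly.
    if ($Entry.Length -ne $Card.Length) { return $false }
    if (-not $Mask) { $Mask = [byte[]](,0xFF * $Card.Length) }
    for ($i = 0; $i -lt $Card.Length; $i++) {
        if (($Card[$i] -band $Mask[$i]) -ne ($Entry[$i] -band $Mask[$i])) { return $false }
    }
    return $true
}

function Get-MatchingCalaisEntry([byte[]]$Card) {
    # Both the native and the WOW6432Node hives can carry card registrations.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Calais\SmartCards'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $props = Get-ItemProperty -Path $key.PSPath
            if (-not $props.ATR) { continue }
            if (Test-AtrMatch -Card $Card -Entry ([byte[]]$props.ATR) -Mask ([byte[]]$props.ATRMask)) {
                [pscustomobject]@{
                    Name        = $key.PSChildName
                    RegistryKey = $key.Name
                    EntryAtr    = (($props.ATR | ForEach-Object { $_.ToString('x2') }) -join ' ')
                    Minidriver  = $props.'80000001'
                    CSP         = $props.'Crypto Provider'
                    KSP         = $props.'Smart Card Key Storage Provider'
                }
            }
        }
    }
}

# Usage: show every registration that claims this ATR. Two matching entries
# (for example a Yubico one and a msclmd.dll one) mean the mapping is ambiguous
# and worth cleaning up before debugging logon further.
$hits = @(Get-MatchingCalaisEntry -Card (ConvertTo-ByteArray $CardAtr))
if ($hits.Count -eq 0) {
    Write-Warning 'No Calais entry matches this ATR: Windows has no minidriver registered for the card.'
}
$hits | Format-List
```

Reading HKLM does not need elevation, so this can be run as the logging-on user to compare the mapping before and after a registry change like the one in the question.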

x509certificate smartcard yubico yubikey
2 Answers
2
votes

After contacting Yubico support, it turned out this was caused by changing the management key. The Yubico Minidriver expects the management key to be the default and protects it with the PIN. Reinstalling the minidriver and keeping the default management key solved the problem.


0
votes

I ran into the same problem today as well, and solved it like this:
a. Install the Yubikey minidriver.
b. Reset the Yubikey PIV, perform the attestation process, and then import the correct (!) .der file into the Yubikey.
c. Eject (!!!) the Yubikey.
d. Remove the code-signing certificate from "Certificate Manager":
cmd> certmgr.msc
Navigate to "Personal" > "Certificates" and delete the certificate from there if it appears. (Don't worry, you have it on your Yubikey, remember?)
e. Insert the Yubikey again.

Problem solved!!

https://stackoverflow.com/a/78255625/2992810
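The two answers point at two different things to verify: whether the PIV management key is still the default (or stored on the key behind the PIN), and whether a stale copy of the card's certificate is sitting in the user's Personal store, where the certificate propagation service normally re-creates it from the card on insertion. The PowerShell below is an added example, not code from either answer or from Yubico: it checks the management-key state with the Yubico CLI, removes a stale Personal-store copy by thumbprint (dry run by default), and parses certutil -scinfo, whose format is the one shown in the question, to report which certificate blocks the provider could open. It assumes ykman and certutil are on PATH; the phrases it looks for in ykman's output ("protected by PIN", "default management key") are my assumption about that tool's wording and may need adjusting for your ykman version. Function names are my own.

```powershell
# Added example: checks for the two causes the answers describe.

function Get-PivManagementKeyState {
    # ASSUMPTION: `ykman piv info` mentions "protected by PIN" when the
    # management key is stored on the YubiKey behind the PIN, and mentions the
    # default management key when it is still the factory default.
    $out = (& ykman piv info 2>&1) | Out-String
    [pscustomobject]@{
        PinProtected = [bool]($out -match 'protected by PIN')
        DefaultKey   = [bool]($out -match '(?i)default management key')
        RawInfo      = $out
    }
}

function Get-StaleCardCertificate([string]$Thumbprint) {
    # Copies of card certificates live in the user's Personal store (the
    # "Personal > Certificates" folder of certmgr.msc used by the second answer).
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() }
}

function Remove-StaleCardCertificate([string]$Thumbprint, [switch]$WhatIf) {
    # Deletes only the store copy; the key pair itself stays on the card and the
    # certificate is propagated again when the card is re-inserted.
    foreach ($cert in Get-StaleCardCertificate -Thumbprint $Thumbprint) {
        Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -WhatIf:$WhatIf
    }
}

function Test-SmartCardCertificateAccess {
    # Parses `certutil -scinfo` (it may prompt for the card PIN) into one record
    # per "Certificate N" block: provider, SHA-1 hash, and whether the provider
    # could open the key ("Displayed ... cert") or failed ("Cannot open the ...").
    $records = @()
    $current = $null
    foreach ($line in (& certutil -scinfo 2>&1)) {
        $text = [string]$line
        if ($text -match '^=+ Certificate (\d+) =+') {
            if ($current) { $records += $current }
            $current = [pscustomobject]@{
                Index = [int]$Matches[1]; Provider = $null; Hash = $null
                KeyOpened = $false; Error = $null
            }
        }
        elseif (-not $current) { continue }
        elseif ($text -match '^Provider = (.+)$')                 { $current.Provider = $Matches[1] }
        elseif ($text -match '^Cert Hash\(sha1\): ([0-9a-fA-F]+)') { $current.Hash = $Matches[1] }
        elseif ($text -match '^Displayed .* cert for reader')      { $current.KeyOpened = $true }
        elseif ($text -match '^Cannot open the .*key for reader')  { $current.Error = $text.Trim() }
    }
    if ($current) { $records += $current }
    return ,$records
}

# Usage (the thumbprint is the leaf certificate from the question's output):
Get-PivManagementKeyState | Select-Object PinProtected, DefaultKey
Remove-StaleCardCertificate -Thumbprint 'aae49e206c1fbcac5595e966bb806558317f0518' -WhatIf
Test-SmartCardCertificateAccess | Format-Table Index, Provider, Hash, KeyOpened, Error
```

Run the store removal without -WhatIf only after the card has been ejected, as the second answer does, and re-run Test-SmartCardCertificateAccess once the card is back in: a block with KeyOpened false and a "Cannot open the ... key" error, like the KSP block at the end of the question's output, is the condition the answers are fixing.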
