Add support to set CHUID and CCC

[jc-m]

It seems that OSX (at least on 10.14.6) will not accept smartcards without a CHUID resulting in the following error:
failed to read CHUID record (Error Domain=CryptoTokenKit Code=-6 "(null)")
and the yubikey is not showing in
security list-smartcards

The card works for pkcs11 use cases, but is not recognized.

Values for yubikey CHUID and CCC are available here:
https://github.com/Yubico/yubico-piv-tool/blob/ebee7f63b85fe4373efc4d8d44cbe5fe321c158c/lib/util.c#L44

[ericchiang]

Mind expanding on what the change would look like to this package? I'm testing on 10.15.4 and haven't had any issues :)

[jc-m]

I believe that it is an insGetData and insPutData similar to getting / storing certificates.
They would be implemented as SetCHUID/GetCHUID and SetCCC/GetCCC.

when you insert a key do you see the dialog asking to pair it ? or does it show in the list of smartcards ? This is on a vanilla install without opensc.
Also, another issue is that the key/certs are not showing in the keychain.

If you install opensc, then you cannot use your library because it requires exclusive access.

[jc-m]

you can try the following steps

$ yubico-piv-tool -a status
Version:        4.4.5
Serial Number:  xxxxxxxx
CHUID:  No data available
CCC:    No data available
Slot 9a:
        Algorithm:      RSA2048
$ security list-smartcards
No smartcards found.
$ yubico-piv-tool -k -a set-chuid
Enter management key:
Successfully set new CHUID.
$ security list-smartcards
com.apple.pivtoken:1234567890ABCDEF1234567890ABCDEF

[ericchiang]

when you insert a key do you see the dialog asking to pair it ? or does it show in the list of smartcards ? This is on a vanilla install without opensc.
Also, another issue is that the key/certs are not showing in the keychain.

Per https://github.com/go-piv/piv-go#installation I don't have anything installed that's not out of the box. I've just plugged in my YubiKey and everything's worked :)

I don't actually know what CHUID or CCC are. So more context would be helpful to understand what the request here is. Does this have something to do with the CryptoTokenKit API? Can you paste a small program using piv-go that shows what you expect to happen and what actually happens? If you're attempting to propose new APIs could you paste an example of what you'd want the new API to look like?

[jc-m]

CHUID and CCC are defined in NIST SP 800-73-4 : https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf
You can read all the details there in section 3.1 Mandatory Data Elements.
the Program would look like:

pivKey, err := piv.Open(cardName)
if err != nil {
    ....
}
defer pivKey.Close()

cardID, err := pivKey.CardId()
if err != nil {
     ...
}
if len(cardID) < piv.CardIdSize {
   if err := pivKey.SetCardId(randomNumber); err != nil {
       ....
   }
}

same model for CCC

you can see the API for in yubico-piv-tool here:
https://github.com/Yubico/yubico-piv-tool/blob/39582701465d1fadfac17e85ebe835a5864fb226/lib/ykpiv.h#L462-L522

[ericchiang]

If you'd like to send a PR with associated that adds the following API I'd be happy to take it.

func (y *YubiKey) ID() (string, error)
func (y *YubiKey) SetID(id string) error

(or []byte or [N]byte instead of string if that's more appropriate)

If not I can take a look to add it later.

[ericchiang]

I'm less clear about what CCC would be used for. Will have to read more.

[ericchiang]

Also would CHUID be better in the Metadata struct? I always imagined that would expand to hold a lot of these optional fields that aren't required to actually use the key.

[jc-m]

I'll see if i can finish these functions - see #67

[feeltheajf]

@ericchiang @jc-m

Thanks for all the great work you've done! I can't really explain why CHUID/CCC are needed, but in my case Google Chrome and Safari refuse to use a client certificate stored in any PIV slot until those fields are set. They don't even prompt for certificate choice or PIN. Current workaround is to generate them using yubikey manager CLI, but I'd really love to see this functionality implemented in this package

 ykman piv objects generate CHUID
 ykman piv objects generate CCC

Do let me know if you need a test example or any help to finalise and merge #67

[jc-m]

I have tested CHUID as implemented in #67 - I had the same problem with Apple MacOS not accepting cards without CHUID. Did you try with just the CHUID ? It was sufficient in my use case.
I've not seen any movement on this repo in a while. Maybe @ericchiang can chime in.

[ericchiang]

Sorry for ghosting #67 :( I don't have a ton of bandwidth for this project but I should have left a comment.

I'm a little lost on what CHUID/CCC are. There's signatures and unique IDs, but I'm not clear who's supposed to generate those signatures or IDs, and how you'd actually validate them (or when you need to validate them). Are they just ways to name the slot? Or would an organization actually set them to a proper signed value using a CA? If it's the later, the API probably needs to accept a CA or be named "Insecure" like our method for setting a private key.

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf#page=17
https://pkg.go.dev/github.com/go-piv/piv-go/piv?utm_source=godoc#YubiKey.SetPrivateKeyInsecure

While #67 has a pre-generated value, I don't understand how it was generated.

Is there anything someone can point me to that explains CHUID that'd be really helpful. It's hard to review and API without that context.

[feeltheajf]

Did you try with just the CHUID?

Just tried it one more time and yep, it did work with only CHUID set.

Here are some bits and pieces I was able to find

1. From https://developers.yubico.com/yubico-piv-tool/YubiKey_PIV_introduction.html

For the application to be usable in windows the object CHUID (Card Holder Unique Identifier) has to be set and unique. The card contents are also aggressively cached so the CHUID has to be changed if the card contents change.

Although, as I've already mentioned, it didn't work for me on macOS as well.

2. Yubikey manager automatically updates CHUID on each of the following operations:

import_certificate: https://github.com/Yubico/yubikey-manager/blob/257e2ace7beec672ac867700d3305c035520e174/ykman/cli/piv.py#L795

generate_certificate (self-signed): https://github.com/Yubico/yubikey-manager/blob/257e2ace7beec672ac867700d3305c035520e174/ykman/cli/piv.py#L877

delete_certificate: https://github.com/Yubico/yubikey-manager/blob/257e2ace7beec672ac867700d3305c035520e174/ykman/cli/piv.py#L946

3. There was a discussion on signed CHUIDs, which ended up with Yubikey Manager API having a method for setting arbitrary objects, so that if it's really needed, you could implement it on your own. Otherwise, the CHUID is set to semi-random value as shown in (2) and (4)

Yubico/yubico-piv-tool#48

4. Here is a reference piece of code responsible for generating CHUIDs

https://github.com/Yubico/yubikey-manager/blob/3e9fd2a4844fb90b08492b494d3304e4aace78e4/ykman/piv.py#L381

[jc-m]

While #67 has a pre-generated value, I don't understand how it was generated.

@ericchiang the explanation is in the comment in the PR. If we need to support different (like signed CHUIDs) I would recommend that we do like the yubico tool and allow to directly pass in the encoded value instead of using the template.