Troubleshooting code signing on Windows

Description

This article covers specific error messages a user might run into while code signing on Windows with SignTool and JarSigner, together with suggested solutions to each problem.

SignTool

Code Signing fails with Error: 0x8010006A

This error message can indicate that the private key's PIN policy is set to "Always". That policy does not work with the YubiKey Smart Card Minidriver and SignTool because of a restriction in the Microsoft Base Smart Card CSP.

Solutions:

Generate the private key and CSR in a PIV slot whose default PIN policy is not "Always", such as slot 9a, where the default PIN policy is "once".

Error: SignerSign() failed." (-2146435071/0x80100001)

This error message indicates that the public key in the certificate may not be compatible with the YubiKey's PIV application (sometimes accompanied by "ykpiv_sign_data failed: YKPIV_ALGORITHM_ERROR (-12)").

For instance, the private key in slot 9a could be ECCP384 while the certificate imported into the same slot carries an RSA3072 public key. In that case the public key does not correspond to the private key in the slot at all.

 

Perform the steps in the Yubico PIV Tool test-signature article to see whether this is the case. The signature verification will most likely fail with the following message:

yubico-piv-tool -a read-certificate -a verify-pin -a test-signature -s 9a -o cert.pem -i cert.pem
Enter PIN:
Successfully verified PIN.
Unusable RSA key of 3072 bits, only 1024 and 2048 are supported.
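To confirm the mismatch without a signing attempt, the following added example (not from this article or from the Yubico tools) compares the certificate imported into a slot with the slot's own public key, that is, the file written by "ykman piv keys generate" or, on newer ykman releases, exported afterwards with "ykman piv keys export". It names both key types the way ykman does and reports whether the certificate actually belongs to the slot key. The DER walker, the key-type names and the command assumptions are the example's own, not Yubico code.

```python
"""Check that a certificate's public key matches the key in a PIV slot.

Added example (not from the Yubico article). Compares the certificate that
was imported into a slot with the public key that belongs to that slot's
private key (the file written by "ykman piv keys generate", or exported later
with "ykman piv keys export"; assumption: older ykman releases lack export).
A mismatch such as "RSA3072 certificate in an ECCP384 slot" is reported
before SignTool fails. Standard library only: a minimal DER walker pulls the
SubjectPublicKeyInfo out of the certificate.
"""
import base64
import re

# DER-encoded OIDs (tag 0x06 + length + contents).
OID_RSA = bytes.fromhex("06092a864886f70d010101")       # rsaEncryption
OID_EC = bytes.fromhex("06072a8648ce3d0201")            # id-ecPublicKey
CURVES = {                                              # namedCurve -> ykman name
    bytes.fromhex("06082a8648ce3d030107"): "ECCP256",   # secp256r1
    bytes.fromhex("06052b81040022"): "ECCP384",         # secp384r1
}


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def encode_tlv(tag: int, body: bytes) -> bytes:
    """DER-encode tag, length and body (also handy for building test data)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one DER element at pos; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: N length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body: bytes):
    """Yield (tag, body) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        yield tag, inner


def cert_spki(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo TLV of an X.509 certificate."""
    _, cert_body, _ = read_tlv(cert_der)           # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert_body)                # tbsCertificate SEQUENCE
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                       # drop the optional [0] version
        fields = fields[1:]
    # serial, signatureAlg, issuer, validity, subject, subjectPublicKeyInfo
    tag, spki_body = fields[5]
    assert tag == 0x30, "unexpected tbsCertificate layout"
    return encode_tlv(0x30, spki_body)


def describe_spki(spki: bytes) -> str:
    """Name the key type the way ykman prints it: RSA2048, ECCP384, ..."""
    _, body, _ = read_tlv(spki)
    (_, alg_body), (_, bitstring) = list(children(body))[:2]
    alg = [encode_tlv(t, b) for t, b in children(alg_body)]
    if alg[0] == OID_EC:
        return CURVES.get(alg[1], "EC (unknown curve)")
    if alg[0] == OID_RSA:
        # bitstring[0] is the unused-bits count; the rest is RSAPublicKey DER
        _, rsa_body, _ = read_tlv(bitstring[1:])
        _, modulus = next(children(rsa_body))
        modulus = modulus.lstrip(b"\x00")          # drop the INTEGER sign byte
        return f"RSA{len(modulus) * 8}"
    return "unknown"


def compare_der(cert_der: bytes, slot_pubkey_der: bytes) -> dict:
    """Report both key types and whether the certificate belongs to the slot key."""
    cert_key = cert_spki(cert_der)
    return {
        "certificate": describe_spki(cert_key),
        "slot": describe_spki(slot_pubkey_der),
        "match": cert_key == slot_pubkey_der,
    }


def compare_pem(cert_pem: str, slot_pubkey_pem: str) -> dict:
    """Same check for PEM input, e.g. cert.pem and the slot's public key file."""
    return compare_der(pem_to_der(cert_pem), pem_to_der(slot_pubkey_pem))


if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as c, open(sys.argv[2]) as k:
        result = compare_pem(c.read(), k.read())
    print(result)
    sys.exit(0 if result["match"] else 1)
```

Run it as "python check_slot_key.py cert.pem slot9a-pub.pem"; a non-zero exit means the certificate was not issued for the key in that slot, which is exactly the situation the "Unusable RSA key" message above hints at.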

Solutions:

  1. Import the certificate that was generated from the CSR (Certificate Signing Request) of the Private Key in this PIV slot.
  2. Generate a new CSR and import the resulting certificate into the same PIV slot.
  3. Contact your Signing Certificate Vendor to understand what might have gone wrong.

"The smart card cannot perform the requested operation"

If this message appears when attempting a signature on Windows, the issue is most likely related to the YubiKey Smart Card Minidriver's interaction with the YubiKey.

  1. Verify the YubiKey Smart Card Minidriver installation using the command found in this article.
  2. Signing over RDP requires that the YubiKey Smart Card Minidriver was installed with INSTALL_LEGACY_NODE=1.
  3. If the YubiKey Smart Card Minidriver is installed correctly but there are still issues, enable the YubiKey Smart Card Minidriver log as described in this article.

YubiKey Smart Card Minidriver log entries

"cardid is not set, attempting to authenticate with default key"

If the YubiKey's PIV application does not have a CHUID set, the YubiKey Smart Card Minidriver will try to generate one on the YubiKey before proceeding with other interactions. It does so using the default Management Key, so if the Management Key was changed before the CHUID was set, this operation fails.

ykcontext.cpp:703 cardid is not set, attempting to authenticate with default key
ykcontext.cpp:706 ykpiv_authenticate failed: YKPIV_AUTHENTICATION_ERROR (-5)
ykcontext.cpp:707 device must be reset using an external utility

Solution:

  1. Verify whether the CHUID is set using the ykman CLI:
    ykman piv info

    Example:

    ykman piv info
    PIV version:              5.7.1
    PIN tries remaining:      3/3
    PUK tries remaining:      3/3
    Management key algorithm: AES192
    WARNING: Using default PIN!
    WARNING: Using default PUK!
    CHUID: No data available
    CCC:   No data available
    Slot 9A (AUTHENTICATION):
      Private key type: ECCP256
      Public key type:  ECCP256
      Subject DN:       O=example.com,OU=test,CN=piv_auth
      Issuer DN:        O=example.com,OU=test,CN=piv_auth
      Serial:           11877141116048607627 (0xa4d414ead143898b)
      Fingerprint:      d71ed82de0aa848f5baaaea3718297e1b801438a9f8e583c2ae24f2111f0616c
      Not before:       2025-03-14T12:53:23+00:00
      Not after:        2026-03-14T12:53:23+00:00
  2. If the CHUID is blank, generate a new CHUID with the ykman CLI:
    ykman piv objects generate CHUID

    Example:
    ykman piv objects generate CHUID
    Enter a management key [blank to use default key]:
    Object generated.
  3. Reinsert the YubiKey.
  4. Verify the CHUID status with the command:
    ykman piv info

    Example:

    ykman piv info
    PIV version:              5.7.1
    PIN tries remaining:      3/3
    PUK tries remaining:      3/3
    Management key algorithm: AES192
    WARNING: Using default PIN!
    WARNING: Using default PUK!
    CHUID: 3019d4e739da739ced39ce739d836858210842108421c84210c3eb3410167260ea66e444a2bd359dc7a8548630350832303330303130313e00fe00
    CCC:   No data available
    Slot 9A (AUTHENTICATION):
      Private key type: ECCP256
      Public key type:  ECCP256
      Subject DN:       O=example.com,OU=test,CN=piv_auth
      Issuer DN:        O=example.com,OU=test,CN=piv_auth
      Serial:           12426771478595413891 (0xac74c2d1e6a2a783)
      Fingerprint:      f934dbcf4c4efe8329abd1184a738882466730ae1e94b1c6cdf66f26e3d305b0
      Not before:       2025-03-14T12:16:55+00:00
      Not after:        2026-03-14T12:16:55+00:00

At this point the CHUID should be set, the YubiKey Smart Card Minidriver should be able to proceed with the subsequent interactions, and the certificate should appear in the user's personal certificate store, ready to be used for signing.

JarSigner

PKIX path building failed

If you receive the message "PKIX path building failed" when performing a signature with jarsigner, you likely need to make the full certificate chain available to the Java keystore, or make sure that the full certificate chain is imported onto the YubiKey. If the certificate chain is installed only on the YubiKey itself, the YubiKey must be plugged in for the PKIX path to be verified.

Invalid certificate chain: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Solutions:

Importing the certificate chain to the Java keystore:

  1. keytool -import -noprompt -cacerts -storepass changeit -alias <rootCA_Name> -file ./<RootCA.pem>
  2. keytool -import -noprompt -cacerts -storepass changeit -alias <Intermediate_Name> -file ./<Intermediate.pem>

Importing the certificate chain to the YubiKey:

  1. ykman piv certificates import 82 "PATH\TO\ROOT\CERTIFICATE.pem"
  2. ykman piv certificates import 83 "PATH\TO\INTERMEDIATE\CERTIFICATE.pem"

Full PKIX path not included in the signature

In some cases the root and intermediate certificates are stored in the PIV "Retired Key Management" slots, for example slots 82 and 83. A regular third-party PKCS#11 module might not be able to access these slots; if so, the libykcs11.dll/.so/.dylib that ships with the Yubico PIV Tool is needed.

The following example shows how to use the ykman CLI to verify which slots the certificates stored on the YubiKey occupy; here slots 82 and 83 hold the rest of the certificate chain:

> ykman piv info
PIV version:              5.2.4
PIN tries remaining:      3
Management key algorithm: TDES
PUK is blocked
Management key is stored on the YubiKey, protected by PIN.
CHUID: 3019d4e739da739ced39ce739d836858210842108421c84210c3eb3410b5d5b9e16f4b93d9a0fdbff69258add9350832303330303130313e00fe00
CCC:   No data available
Slot 82 (RETIRED1):
 Algorithm:   Unsupported
 Subject DN:  CN=Test subordinate CA,OU=Technical Support,O=Yubico,L=Stockholm,C=SE
 Issuer DN:   CN=Test root CA,OU=Technical Support,O=Yubico,L=Stockholm,C=SE
 Serial:      511651191053291511271809405270923685088546626025
 Fingerprint: 87c1c689b57282a861930f407250778824fc1eeb75b578b64cd780c42ffa7049
 Not before:  2023-07-10T06:36:00
 Not after:   2024-07-09T06:36:00

Slot 83 (RETIRED2):
 Algorithm:   Unsupported
 Subject DN:  CN=Test root CA,OU=Technical Support,O=Yubico,L=Stockholm,C=SE
 Issuer DN:   CN=Test root CA,OU=Technical Support,O=Yubico,L=Stockholm,C=SE
 Serial:      550933977875801178869348069256368183726342668431
 Fingerprint: 37f140c04d5c1f431e136ab4a084e23c646859faadf9c5e55140d3fdbbabda5f
 Not before:  2023-07-10T06:35:58
 Not after:   2033-07-07T06:35:58

Slot 9A (AUTHENTICATION):
 Algorithm:   ECCP256
 Subject DN:  CN=2ndCodeSign_9aECC
 Issuer DN:   CN=Test subordinate CA,OU=Technical Support,O=Yubico,L=Stockholm,C=SE
 Serial:      716532520625805465224678543206795883186711977292
 Fingerprint: c2b6032daf9b4c622dc843bfea7b684191530a6b241d86eba860da0dc4dc186f
 Not before:  2023-07-20T07:06:38
 Not after:   2024-07-19T07:06:38
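The same inspection can be automated. The following added example, not from this article or the Yubico tools, parses "ykman piv info" output (the sample above is embedded so it runs offline), then follows Issuer DN to Subject DN links from the signing slot to confirm that the whole chain, down to a self-signed root, is present on the YubiKey and which slots hold it. Slot 9A as the starting slot and the parsed field names are assumptions matching the sample above.

```python
"""Map PIV slots to certificates and rebuild the chain from "ykman piv info".

Added example, not from the Yubico article. Parses the text printed by
"ykman piv info" (the article's sample output is embedded so the script runs
offline) into one record per slot, then follows Issuer DN -> Subject DN links
from the signing slot to confirm that the full chain, leaf to self-signed
root, is on the YubiKey and to show which slots hold it. Slot numbers and DNs
in the sample are the article's; "9A" as the start slot is an assumption.
"""
import re
import shutil
import subprocess

SAMPLE_INFO = """\
PIV version:              5.2.4
PIN tries remaining:      3
Management key algorithm: TDES
PUK is blocked
Management key is stored on the YubiKey, protected by PIN.
CHUID: 3019d4e739da739ced39ce739d836858210842108421c84210c3eb3410b5d5b9e16f4b93d9a0fdbff69258add9350832303330303130313e00fe00
CCC:   No data available
Slot 82 (RETIRED1):
 Algorithm:   Unsupported
 Subject DN:  CN=Test subordinate CA,OU=Technical Support,O=Yubico,L=Stockholm,C=SE
 Issuer DN:   CN=Test root CA,OU=Technical Support,O=Yubico,L=Stockholm,C=SE
 Not before:  2023-07-10T06:36:00
 Not after:   2024-07-09T06:36:00

Slot 83 (RETIRED2):
 Algorithm:   Unsupported
 Subject DN:  CN=Test root CA,OU=Technical Support,O=Yubico,L=Stockholm,C=SE
 Issuer DN:   CN=Test root CA,OU=Technical Support,O=Yubico,L=Stockholm,C=SE
 Not before:  2023-07-10T06:35:58
 Not after:   2033-07-07T06:35:58

Slot 9A (AUTHENTICATION):
 Algorithm:   ECCP256
 Subject DN:  CN=2ndCodeSign_9aECC
 Issuer DN:   CN=Test subordinate CA,OU=Technical Support,O=Yubico,L=Stockholm,C=SE
 Not before:  2023-07-20T07:06:38
 Not after:   2024-07-19T07:06:38
"""

SLOT_HEADER = re.compile(r"^Slot (\w+) \((\w+)\):")
FIELD = re.compile(r"^\s+([A-Za-z ]+):\s*(.*)$")


def parse_piv_info(text: str) -> dict:
    """Return {slot_id: {"slot", "name", "algorithm", "subject_dn", ...}}."""
    slots, current = {}, None
    for line in text.splitlines():
        header = SLOT_HEADER.match(line)
        if header:
            current = {"slot": header.group(1), "name": header.group(2)}
            slots[current["slot"]] = current
            continue
        field = FIELD.match(line)
        if field and current is not None:
            key = field.group(1).strip().lower().replace(" ", "_")
            current[key] = field.group(2).strip()
        elif not line.startswith(" "):
            current = None          # a blank or top-level line ends the slot block
    return slots


def build_chain(slots: dict, start_slot: str):
    """Walk issuer links from start_slot; return (slot ids in order, complete?)."""
    by_subject = {s["subject_dn"]: s for s in slots.values() if "subject_dn" in s}
    chain, node = [], slots.get(start_slot)
    while node is not None and node["slot"] not in chain:
        chain.append(node["slot"])
        if node["subject_dn"] == node["issuer_dn"]:
            return chain, True      # reached a self-signed root
        node = by_subject.get(node["issuer_dn"])
    return chain, False             # issuer not on the YubiKey (or a loop)


def chain_report(text: str, start_slot: str = "9A") -> dict:
    """Parse ykman output and summarise the chain found for start_slot."""
    slots = parse_piv_info(text)
    chain, complete = build_chain(slots, start_slot)
    return {"chain": chain, "complete": complete,
            "subjects": [slots[s]["subject_dn"] for s in chain]}


if __name__ == "__main__":
    # Use a live YubiKey when ykman is on PATH, otherwise the embedded sample.
    if shutil.which("ykman"):
        text = subprocess.run(["ykman", "piv", "info"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_INFO
    report = chain_report(text)
    print("chain:", " -> ".join(report["chain"]), "| complete:", report["complete"])
```

An incomplete chain (the walk stops before a self-signed root) is the condition that leaves jarsigner unable to embed the full PKIX path, and the slot list tells you which retired slot still needs the missing certificate imported.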

Solutions:

Make sure that the Java PKCS#11 configuration file has "library" pointing to the libykcs11.dll file, as shown in the JarSigner Prerequisites example.

Using a non-default token slot with OpenJDK

If other smart card readers are available on your PC, there is a risk that the YubiKey will appear in a token slot other than the default token slot 0. This typically happens when the PC has a built-in smart card reader.

In that case the user needs to specify both the slot id and a "showinfo" parameter in the ykcs11.config file.

Error message:

keytool error: java.security.KeyStoreException: PKCS11 not found
java.security.KeyStoreException: PKCS11 not found
        at java.base/java.security.KeyStore.getInstance(KeyStore.java:873)
        at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:963)
        at java.base/sun.security.tools.keytool.Main.run(Main.java:419)
        at java.base/sun.security.tools.keytool.Main.main(Main.java:412)
Caused by: java.security.NoSuchAlgorithmException: PKCS11 KeyStore not available
        at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
        at java.base/java.security.Security.getImpl(Security.java:655)
        at java.base/java.security.KeyStore.getInstance(KeyStore.java:870)
        ... 3 more

Solution:

Check which slot the YubiKey occupies using the OpenSC pkcs11-tool:

pkcs11-tool --module /usr/lib/x86_64-linux-gnu/libykcs11.so --list-slots 
Available slots:
Slot 0 (0x0): Broadcom Corp 58200 [Contacted SmartCard] (0123456789ABCD) 00 00
  (empty)
Slot 1 (0x1): Broadcom Corp 58200 [Contactless SmartCard] (0123456789ABCD) 01
  (empty)
Slot 2 (0x2): Yubico YubiKey OTP+FIDO+CCID 02 00
  token label        : YubiKey PIV #12345678
  token manufacturer : Yubico (www.yubico.com)
  token model        : YubiKey YK5
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 1.0
  firmware version   : 5.43
  serial num         : 12345678
  pin min/max        : 6/64

In the example above the YubiKey is located in slot 2, which is the value to specify in the ykcs11.config file.

Example ykcs11.config:

name = ykcs11
library = "C:\\Program Files\\Yubico\\Yubico PIV Tool\\bin\\libykcs11.dll"
slot = 2
showinfo = true
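To take the guesswork out of this step, the following added example (not from this article or the Yubico PIV Tool) parses "pkcs11-tool --list-slots" output, picks the slot whose token label starts with "YubiKey PIV", and renders the ykcs11.config above with that slot number filled in. The library path, the label prefix and the doubled backslashes in the quoted path are taken from the examples above and are assumptions about a given installation.

```python
"""Find the PKCS#11 slot holding the YubiKey and render ykcs11.config.

Added example, not part of the Yubico article. Parses the output of
"pkcs11-tool --module <libykcs11> --list-slots" (the article's sample is
embedded so the script runs offline), selects the first slot whose token
label starts with "YubiKey PIV", and renders the Java SunPKCS11 config shown
in the article with that slot number. Library path, label prefix and the
doubled backslashes follow the article's examples and are assumptions.
"""
import re
import shutil
import subprocess

SAMPLE_LIST_SLOTS = """\
Available slots:
Slot 0 (0x0): Broadcom Corp 58200 [Contacted SmartCard] (0123456789ABCD) 00 00
  (empty)
Slot 1 (0x1): Broadcom Corp 58200 [Contactless SmartCard] (0123456789ABCD) 01
  (empty)
Slot 2 (0x2): Yubico YubiKey OTP+FIDO+CCID 02 00
  token label        : YubiKey PIV #12345678
  token manufacturer : Yubico (www.yubico.com)
  token model        : YubiKey YK5
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 1.0
  firmware version   : 5.43
  serial num         : 12345678
  pin min/max        : 6/64
"""

SLOT_LINE = re.compile(r"^Slot (\d+) \((0x[0-9a-fA-F]+)\): (.*)$")


def parse_slots(text: str) -> list:
    """Return [{"index", "description", "token"}]; token is None for an empty reader."""
    slots = []
    for line in text.splitlines():
        m = SLOT_LINE.match(line)
        if m:
            slots.append({"index": int(m.group(1)),
                          "description": m.group(3).strip(), "token": {}})
        elif slots and line.strip() == "(empty)":
            slots[-1]["token"] = None               # reader present, no card
        elif slots and slots[-1]["token"] is not None and line.startswith("  ") and ":" in line:
            key, _, value = line.partition(":")     # "token label : YubiKey PIV #..."
            slots[-1]["token"][key.strip()] = value.strip()
    return slots


def find_yubikey_slot(slots: list, label_prefix: str = "YubiKey PIV"):
    """Index of the first slot whose token label starts with label_prefix, else None."""
    for slot in slots:
        token = slot["token"]
        if token and token.get("token label", "").startswith(label_prefix):
            return slot["index"]
    return None


def render_ykcs11_config(slot_index: int, library_path: str) -> str:
    """ykcs11.config text: the article's example with the slot filled in."""
    escaped = library_path.replace("\\", "\\\\")   # single -> doubled, as in the article
    return "\n".join([
        "name = ykcs11",
        f'library = "{escaped}"',
        f"slot = {slot_index}",
        "showinfo = true",
        "",
    ])


if __name__ == "__main__":
    # Assumed install path (from the article); adjust to your installation.
    library = r"C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll"
    if shutil.which("pkcs11-tool"):
        text = subprocess.run(["pkcs11-tool", "--module", library, "--list-slots"],
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_LIST_SLOTS
    index = find_yubikey_slot(parse_slots(text))
    if index is None:
        raise SystemExit("no YubiKey PIV token found in any slot")
    print(render_ykcs11_config(index, library))
```

Run it once after plugging in the YubiKey and redirect the output to ykcs11.config; if the token is not found, the script exits non-zero rather than writing a config that points keytool at an empty reader.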