Description
This article will look at some specific error messages that a user might run into while code signing on Windows with SignTool and JarSigner together with some suggested solutions to these problems.
SignTool
Code Signing fails with Error: 0x8010006A
This error message could indicate that the private key's PIN policy was set to "Always", which does not work with the YubiKey Smart Card Minidriver and SignTool due to a restriction in the Microsoft Base Smart Card CSP.
Solutions:
Generate the Private Key and CSR from a PIV slot whose default PIN policy is not "Always", such as slot 9a, where the default PIN policy is "once".
Error: SignerSign() failed. (-2146435071/0x80100001)
This error message indicates that the public key in the certificate might not be compatible with the YubiKey's PIV applet (sometimes accompanied by ykpiv_sign_data failed: YKPIV_ALGORITHM_ERROR (-12)).
For instance, the private key in a particular slot, say 9a, could be ECCP384 while the certificate imported into the same slot carries an RSA3072 public key; that public key then does not belong to the private key in the slot.
Perform the steps mentioned in the test-signature Yubico-PIV-tool article to see if this might be the case. The signature verification will most likely fail with a message like the following:
yubico-piv-tool -a read-certificate -a verify-pin -a test-signature -s 9a -o cert.pem -i cert.pem
Enter PIN:
Successfully verified PIN.
Unusable RSA key of 3072 bits, only 1024 and 2048 are supported.
Solutions:
- Import the certificate that was generated from the CSR (Certificate Signing Request) of the Private Key in this PIV slot.
- Generate a new CSR and import the resulting certificate into the same PIV slot.
- Contact your Signing Certificate Vendor to understand what might have gone wrong.
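The mismatch described above can be checked offline before involving SignTool. The following script is an added example, not part of this article or of the Yubico tooling: it compares the SubjectPublicKeyInfo of a certificate (ykman piv certificates export 9a cert.pem) with the public key exported from the slot (ykman piv keys export 9a pub.pem) and names both keys the way ykman does (RSA3072, ECCP256, ...). It uses only the Python standard library, so it contains a tiny DER walker rather than a full X.509 parser. The sample certificates and keys it builds are constructed placeholders for demonstration, not real key material.

```python
import base64
import re
import sys

# --- minimal DER walking (only what the checks below need) -------------------
def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each element inside a SEQUENCE."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, pos, vs, ve
        pos = ve

def _tlv(tag, content):
    """DER-encode one element; used only to build the constructed samples below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def pem_to_der(pem):
    return base64.b64decode("".join(re.sub(r"-----[A-Z ]+-----", "", pem).split()))

# Well-known OIDs, pre-encoded as DER OBJECT IDENTIFIER elements.
OID_RSA = bytes.fromhex("06092a864886f70d010101")   # rsaEncryption
OID_EC = bytes.fromhex("06072a8648ce3d0201")        # id-ecPublicKey
OID_P256 = bytes.fromhex("06082a8648ce3d030107")    # secp256r1
OID_P384 = bytes.fromhex("06052b81040022")          # secp384r1

def spki_from_certificate(cert_der):
    """Return the SubjectPublicKeyInfo element (header included) of a DER X.509 certificate."""
    _, cert_vs, _ = _read_tlv(cert_der, 0)               # Certificate ::= SEQUENCE
    _, tbs_vs, tbs_ve = _read_tlv(cert_der, cert_vs)     # tbsCertificate ::= SEQUENCE
    fields = list(_children(cert_der, tbs_vs, tbs_ve))
    if fields[0][0] == 0xA0:                             # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, start, _, end = fields[5]
    return cert_der[start:end]

def describe_key(spki):
    """Name a key the way ykman does (RSA3072, ECCP256, ...) from its SubjectPublicKeyInfo."""
    _, vs, ve = _read_tlv(spki, 0)
    (_, _, alg_vs, alg_ve), (_, _, key_vs, key_ve) = list(_children(spki, vs, ve))
    alg = list(_children(spki, alg_vs, alg_ve))
    oid = spki[alg[0][1]:alg[0][3]]
    if oid == OID_RSA:
        rsa_key = spki[key_vs + 1:key_ve]                # skip BIT STRING unused-bits byte
        _, seq_vs, _ = _read_tlv(rsa_key, 0)             # RSAPublicKey ::= SEQUENCE
        _, mod_vs, mod_ve = _read_tlv(rsa_key, seq_vs)   # modulus INTEGER
        return f"RSA{int.from_bytes(rsa_key[mod_vs:mod_ve], 'big').bit_length()}"
    if oid == OID_EC:
        curve = spki[alg[1][1]:alg[1][3]]
        return {OID_P256: "ECCP256", OID_P384: "ECCP384"}.get(curve, "EC (unrecognised curve)")
    return "unrecognised algorithm"

def check_slot(cert_der, slot_pubkey_der):
    """Compare the certificate's public key with the public key exported from the slot."""
    cert_spki = spki_from_certificate(cert_der)
    return {"certificate_key": describe_key(cert_spki),
            "slot_key": describe_key(slot_pubkey_der),
            "match": cert_spki == slot_pubkey_der}

# --- constructed sample inputs (placeholder key material, not real keys) ------
def make_ec_spki(curve_oid, point):
    return _tlv(0x30, _tlv(0x30, OID_EC + curve_oid) + _tlv(0x03, b"\x00" + point))

def make_rsa_spki(bits):
    modulus = (1 << (bits - 1)) | 1                      # placeholder of the right size
    mod = modulus.to_bytes(bits // 8, "big")
    mod = (b"\x00" if mod[0] & 0x80 else b"") + mod      # INTEGER must stay positive
    rsa_key = _tlv(0x30, _tlv(0x02, mod) + _tlv(0x02, b"\x01\x00\x01"))
    return _tlv(0x30, _tlv(0x30, OID_RSA + _tlv(0x05, b"")) + _tlv(0x03, b"\x00" + rsa_key))

def make_fake_certificate(spki):
    """Structurally valid certificate skeleton carrying spki; signature fields are empty."""
    tbs = _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"") * 4 + spki
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))

if __name__ == "__main__":
    # Usage: python check_slot_key.py cert.pem pub.pem
    # where the files come from:  ykman piv certificates export 9a cert.pem
    #                             ykman piv keys export 9a pub.pem
    cert, pub = (pem_to_der(open(p).read()) for p in sys.argv[1:3])
    print(check_slot(cert, pub))
```

A result such as {"certificate_key": "RSA3072", "slot_key": "ECCP384", "match": False} is exactly the situation this section describes: the certificate was issued for a different key than the one in the slot, and no amount of SignTool configuration will make the signature succeed. A "match": True with a key type the PIV applet supports points the investigation elsewhere.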
"The smart card cannot perform the requested operation"
If this message is presented when trying to perform a signature in Windows, chances are that the issue is somehow related to the YubiKey Smart Card Minidriver's interaction with the YubiKey.
- Verify the YubiKey Smart Card MiniDriver installation using the command found in this article.
- Signatures via RDP require that the YubiKey Smart Card Minidriver was installed with INSTALL_LEGACY_NODE=1.
- If the YubiKey Smart Card Minidriver is installed correctly but there are still issues, activate the YubiKey Smart Card Minidriver log, according to this article.
YubiKey Smart Card Minidriver log entries
"cardid is not set, attempting to authenticate with default key"
If the YubiKey's PIV application does not have a CHUID set, the YubiKey Smart Card Minidriver will try to generate one on the YubiKey before proceeding to other interactions. The YubiKey Smart Card Minidriver will use the default Management Key to generate the CHUID, but if the Management Key has been manually changed before the CHUID has been set, this operation will fail.
ykcontext.cpp:703 cardid is not set, attempting to authenticate with default key
ykcontext.cpp:706 ykpiv_authenticate failed: YKPIV_AUTHENTICATION_ERROR (-5)
ykcontext.cpp:707 device must be reset using an external utility
Solution:
- Verify whether the CHUID is set using the ykman CLI:
ykman piv info
Example:
ykman piv info
PIV version: 5.7.1
PIN tries remaining: 3/3
PUK tries remaining: 3/3
Management key algorithm: AES192
WARNING: Using default PIN!
WARNING: Using default PUK!
CHUID: No data available
CCC: No data available
Slot 9A (AUTHENTICATION):
Private key type: ECCP256
Public key type: ECCP256
Subject DN: O=example.com,OU=test,CN=piv_auth
Issuer DN: O=example.com,OU=test,CN=piv_auth
Serial: 11877141116048607627 (0xa4d414ead143898b)
Fingerprint: d71ed82de0aa848f5baaaea3718297e1b801438a9f8e583c2ae24f2111f0616c
Not before: 2025-03-14T12:53:23+00:00
Not after: 2026-03-14T12:53:23+00:00
- If the CHUID is blank, generate a new CHUID with the ykman CLI:
ykman piv objects generate CHUID
Example:
ykman piv objects generate CHUID
Enter a management key [blank to use default key]:
Object generated.
- Reinsert the YubiKey.
- Verify the CHUID status with the command:
ykman piv info
Example:
ykman piv info
PIV version: 5.7.1
PIN tries remaining: 3/3
PUK tries remaining: 3/3
Management key algorithm: AES192
WARNING: Using default PIN!
WARNING: Using default PUK!
CHUID: 3019d4e739da739ced39ce739d836858210842108421c84210c3eb3410167260ea66e444a2bd359dc7a8548630350832303330303130313e00fe00
CCC: No data available
Slot 9A (AUTHENTICATION):
Private key type: ECCP256
Public key type: ECCP256
Subject DN: O=example.com,OU=test,CN=piv_auth
Issuer DN: O=example.com,OU=test,CN=piv_auth
Serial: 12426771478595413891 (0xac74c2d1e6a2a783)
Fingerprint: f934dbcf4c4efe8329abd1184a738882466730ae1e94b1c6cdf66f26e3d305b0
Not before: 2025-03-14T12:16:55+00:00
Not after: 2026-03-14T12:16:55+00:00
At this point the CHUID should be set, the YubiKey Smart Card Minidriver should be able to proceed with the subsequent interactions, and the certificate should appear in the user's personal certificate store, ready to be used for signing.
JarSigner
PKIX path building failed
If you are receiving the message “PKIX path failed” when performing a signature with jarsigner, you likely need to make the full certificate chain available to the Java keystore, or make sure that the full certificate chain is imported onto the YubiKey. If the certificate chain is only installed on the YubiKey itself, the YubiKey needs to be plugged in in order to verify the PKIX path.
Invalid certificate chain: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Solutions:
Importing the certificate chain to the Java keystore:
- keytool -import -noprompt -cacerts -storepass changeit -alias <rootCA_Name> -file ./<RootCA.pem>
- keytool -import -noprompt -cacerts -storepass changeit -alias <Intermediate_Name> -file ./<Intermediate.pem>
Importing the certificate chain to the YubiKey:
- ykman piv certificates import 82 "PATH\TO\ROOT\CERTIFICATE.pem"
- ykman piv certificates import 83 "PATH\TO\INTERMEDIATE\CERTIFICATE.pem"
Full PKIX path not included in the signature
In some cases the root and intermediate certificates are stored in the PIV “Retired Key Management” slots, for example slots 82 and 83. When this is the case, a regular third-party PKCS#11 module might not be able to access these slots, and the libykcs11.dll/so/dylib that comes packaged with the Yubico PIV Tool would need to be used instead.
The following example shows how to use ykman CLI to verify the slots used by the various certificates stored on the YubiKey, where slot 82 and 83 are used for storing the complete certificate chain:
> ykman piv info
PIV version: 5.2.4
PIN tries remaining: 3
Management key algorithm: TDES
PUK is blocked
Management key is stored on the YubiKey, protected by PIN.
CHUID: 3019d4e739da739ced39ce739d836858210842108421c84210c3eb3410b5d5b9e16f4b93d9a0fdbff69258add9350832303330303130313e00fe00
CCC: No data available
Slot 82 (RETIRED1):
Algorithm: Unsupported
Subject DN: CN=Test subordinate CA,OU=Technical Support,O=Yubico,L=Stockholm,C=SE
Issuer DN: CN=Test root CA,OU=Technical Support,O=Yubico,L=Stockholm,C=SE
Serial: 511651191053291511271809405270923685088546626025
Fingerprint: 87c1c689b57282a861930f407250778824fc1eeb75b578b64cd780c42ffa7049
Not before: 2023-07-10T06:36:00
Not after: 2024-07-09T06:36:00
Slot 83 (RETIRED2):
Algorithm: Unsupported
Subject DN: CN=Test root CA,OU=Technical Support,O=Yubico,L=Stockholm,C=SE
Issuer DN: CN=Test root CA,OU=Technical Support,O=Yubico,L=Stockholm,C=SE
Serial: 550933977875801178869348069256368183726342668431
Fingerprint: 37f140c04d5c1f431e136ab4a084e23c646859faadf9c5e55140d3fdbbabda5f
Not before: 2023-07-10T06:35:58
Not after: 2033-07-07T06:35:58
Slot 9A (AUTHENTICATION):
Algorithm: ECCP256
Subject DN: CN=2ndCodeSign_9aECC
Issuer DN: CN=Test subordinate CA,OU=Technical Support,O=Yubico,L=Stockholm,C=SE
Serial: 716532520625805465224678543206795883186711977292
Fingerprint: c2b6032daf9b4c622dc843bfea7b684191530a6b241d86eba860da0dc4dc186f
Not before: 2023-07-20T07:06:38
Not after: 2024-07-19T07:06:38
Solutions:
Make sure that the Java PKCS#11 configuration file has "library" configured to point to the libykcs11.dll file, as shown in the JarSigner Prerequisites example.
Using a non-default token slot with OpenJDK
If there are other smart card readers available on your PC, there is a risk that the YubiKey will be available in a token slot other than the default token slot 0. This situation typically occurs when the PC has a built-in smart card reader.
Under these circumstances the user needs to specify both the slot id and a "showinfo" parameter in the ykcs11.config file.
Error message:
keytool error: java.security.KeyStoreException: PKCS11 not found
java.security.KeyStoreException: PKCS11 not found
	at java.base/java.security.KeyStore.getInstance(KeyStore.java:873)
	at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:963)
	at java.base/sun.security.tools.keytool.Main.run(Main.java:419)
	at java.base/sun.security.tools.keytool.Main.main(Main.java:412)
Caused by: java.security.NoSuchAlgorithmException: PKCS11 KeyStore not available
	at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
	at java.base/java.security.Security.getImpl(Security.java:655)
	at java.base/java.security.KeyStore.getInstance(KeyStore.java:870)
	... 3 more
Solution:
Check which slot the YubiKey is located in using OpenSC pkcs11-tool:
pkcs11-tool --module /usr/lib/x86_64-linux-gnu/libykcs11.so --list-slots
Available slots:
Slot 0 (0x0): Broadcom Corp 58200 [Contacted SmartCard] (0123456789ABCD) 00 00
  (empty)
Slot 1 (0x1): Broadcom Corp 58200 [Contactless SmartCard] (0123456789ABCD) 01
  (empty)
Slot 2 (0x2): Yubico YubiKey OTP+FIDO+CCID 02 00
  token label        : YubiKey PIV #12345678
  token manufacturer : Yubico (www.yubico.com)
  token model        : YubiKey YK5
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 1.0
  firmware version   : 5.43
  serial num         : 12345678
  pin min/max        : 6/64
In the example above we can see that the YubiKey is located in slot 2, which is what we would then need to specify in the ykcs11.config file.
Example ykcs11.config:
name = ykcs11
library = "C:\\Program Files\\Yubico\\Yubico PIV Tool\\bin\\libykcs11.dll"
slot = 2
showinfo = true
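Reading the slot number off the pkcs11-tool listing by hand is error-prone on machines with several readers, and the wrong number produces the same "PKCS11 not found" error. The following script is an added example, not part of this article or of the Yubico tooling: it parses the output of pkcs11-tool --list-slots, picks the slot whose token manufacturer is Yubico, and renders a ykcs11.config for it, adding the slot and showinfo lines only when the YubiKey is not in slot 0. The sample listing embedded below is constructed to mirror the output shown above; the library path passed in is whatever your installation uses.

```python
import re

# Constructed sample modelled on the pkcs11-tool output above (not a real capture).
SAMPLE_LIST_SLOTS = """\
Available slots:
Slot 0 (0x0): Broadcom Corp 58200 [Contacted SmartCard] (0123456789ABCD) 00 00
  (empty)
Slot 1 (0x1): Broadcom Corp 58200 [Contactless SmartCard] (0123456789ABCD) 01
  (empty)
Slot 2 (0x2): Yubico YubiKey OTP+FIDO+CCID 02 00
  token label        : YubiKey PIV #12345678
  token manufacturer : Yubico (www.yubico.com)
  token model        : YubiKey YK5
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 1.0
  firmware version   : 5.43
  serial num         : 12345678
  pin min/max        : 6/64
"""

SLOT_LINE = re.compile(r"^Slot (\d+) \(0x[0-9a-fA-F]+\): (.+)$")

def parse_slots(text):
    """Parse `pkcs11-tool --list-slots` output.

    Returns a list of {"slot": int, "description": str, "token": dict or None};
    token is None for a reader with no card inserted.
    """
    slots = []
    for line in text.splitlines():
        m = SLOT_LINE.match(line)
        if m:
            slots.append({"slot": int(m.group(1)), "description": m.group(2).strip(), "token": {}})
        elif slots and line.strip() == "(empty)":
            slots[-1]["token"] = None
        elif slots and slots[-1]["token"] is not None and line.startswith(" ") and ":" in line:
            key, _, value = line.strip().partition(":")
            slots[-1]["token"][key.strip()] = value.strip()
    return slots

def find_yubikey_slot(text):
    """Return the slot id holding a Yubico token, or None if no YubiKey is listed."""
    for s in parse_slots(text):
        if s["token"] and s["token"].get("token manufacturer", "").startswith("Yubico"):
            return s["slot"]
    return None

def render_ykcs11_config(library, slot):
    """Build the SunPKCS11 config text; slot/showinfo are only needed off the default slot 0."""
    lines = ["name = ykcs11", f'library = "{library}"']
    if slot != 0:
        lines += [f"slot = {slot}", "showinfo = true"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Typical use: pipe the real listing in, e.g.
    #   pkcs11-tool --module <path to libykcs11> --list-slots | python find_yubikey_slot.py
    import sys
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LIST_SLOTS
    slot = find_yubikey_slot(listing)
    if slot is None:
        sys.exit("no Yubico token found in the slot listing")
    # Backslashes are doubled because the Java config file is parsed as a properties file.
    print(render_ykcs11_config(r"C:\\Program Files\\Yubico\\Yubico PIV Tool\\bin\\libykcs11.dll", slot))
```

Because the slot numbering depends on which readers the OS enumerated first, regenerate the file whenever a reader is added or removed; a stale slot id is indistinguishable from a missing module as far as keytool's error message is concerned.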