YKCS11 9c slot unusable with FW 5.7.4

[dlakatos847]

I'm using my Yubikey 5C NFC 5.4.3 /w YKCS11 for years without an issue, to sign PDF documents. As a backup, I purchased another Yubikey 5C NFC, but it has the newer firmware 5.7.4. Installed the same EC P-256 certificate and EC parameters onto both keys. While the one with FW 5.4.3 works perfectly, the newer 5.7.4 cannot be used for some reason. Tried debugging the issue by recompiling the ykcs11.so with the cmake .. -DYKCS11_DBG=2 command, but it hits some sort of YKCS11 bug unfortunately (segfault). Using Arch Linux+Okular+NSSDB.

Working key:

$ modutil -list ykcs11 -dbdir ~/.pki/nssdb/

-----------------------------------------------------------
Name: ykcs11
Library file: /usr/lib/libykcs11.so
Manufacturer: Yubico (www.yubico.com)         
Description: PKCS#11 PIV Library (SP-800-73) 
PKCS #11 Version 3.0
Library Version: 2.72
Cipher Enable Flags: None
Default Mechanism Flags: None

  Slot: Yubico YubiKey OTP+FIDO+CCID 00 00
  Slot Mechanism Flags: None
  Manufacturer: Yubico (www.yubico.com)         
  Type: Hardware
  Version Number: 1.0
  Firmware Version: 1.0
  Status: Enabled
  Token Name: YubiKey PIV #********           
  Token Manufacturer: Yubico (www.yubico.com)         
  Token Model: YubiKey YK5     
  Token Serial Number: ********        
  Token Version: 1.0
  Token Firmware Version: 5.43
  Access: NOT Write Protected
  Login Type: Login required
  User Pin: Initialized

-----------------------------------------------------------

Not working key:

[:~] $ modutil -list ykcs11 -dbdir ~/.pki/nssdb/

-----------------------------------------------------------
Name: ykcs11
Library file: /usr/lib/libykcs11.so
Manufacturer: Yubico (www.yubico.com)         
Description: PKCS#11 PIV Library (SP-800-73) 
PKCS #11 Version 3.0
Library Version: 2.72
Cipher Enable Flags: None
Default Mechanism Flags: None

  Slot: Yubico YubiKey OTP+FIDO+CCID 00 00
  Slot Mechanism Flags: None
  Manufacturer: Yubico (www.yubico.com)         
  Type: Hardware
  Version Number: 1.0
  Firmware Version: 1.0
  Status: Enabled
  Token Name: YubiKey PIV #********           
  Token Manufacturer: Yubico (www.yubico.com)         
  Token Model: YubiKey YK5     
  Token Serial Number: ********        
  Token Version: 1.0
  Token Firmware Version: 5.74
  Access: NOT Write Protected
  Login Type: Login required
  User Pin: Initialized

-----------------------------------------------------------

Okular requests the PIN twice while using the working key:

1. Reading the certificate metadata
2. Signing the document

Okular only requests the PIN once while using the non-working key:

1. Reading the certificate metadata

[aveenismail]

Just to make sure that I'm understanding this correctly, using the same libykcs11 version:

1. YubiKey with firmware version 5.4.3, PIN login succeeds
2. YubiKey with firmware version 5.7.4, PIN login fails

In both cases, there is a EC-P256 key in slot 9c. Is that correct?

Is the pin-policy and touch-policy for slot 9c the same on both keys? Is PIN complexity enforced on the The 5.7 key? See https://docs.yubico.com/hardware/yubikey/yk-tech-manual/5.7-firmware-specifics.html#pin-complexity

For the record, it is not necessary to re-compile libykcs11 to enable debugging. It is enough to set the environment variable YKCS11_DBG to a positive value before calling it