Enable support for keys obtained through PKCS#11 #38

Merged
merged 2 commits, Jun 26, 2024

Conversation

@CRKatri (Member) commented Mar 19, 2024

This allows signing using a HSM or a Smartcard (ex. Yubikey)

Sponsored by: @ZonD80

Setup

  1. Build with make SMARTCARD=1
  2. Install the OpenSSL engine for PKCS#11 (libengine-pkcs11-openssl on Debian, part of libp11)

Load Key Into Smartcard

It is recommended that you generate the key on the card itself, but you can import it if needed.

For yubikeys:

  1. Extract Cert and Key from p12
```sh
openssl pkcs12 -in Certificates.p12 -out cert.crt.pem -clcerts -nokeys -legacy
openssl pkcs12 -in Certificates.p12 -out key.pem -nocerts -nodes -legacy
```
  2. Import into Key
```sh
yubico-piv-tool -s 9c -a import-certificate -i cert.crt.pem
yubico-piv-tool -s 9c -a import-key -i key.pem
yubico-piv-tool -s 9c -a set-chuid
```
  3. You can use p11tool --list-privkeys --login to identify the URI for the slot (make sure that type is not in the URI, as separate URIs for the cert and private key are not currently supported from the command line)

Sign

  1. ldid -K'pkcs11:model=YubiKey%20YK5;id=%02' -Sents.xml ls.bin
  2. If the correct PKCS#11 module is not being loaded, try setting PKCS11_MODULE_PATH in your environment (ex. export PKCS11_MODULE_PATH="/usr/local/lib/p11-kit-proxy.so" or PKCS11_MODULE_PATH="/usr/local/lib/libykcs11.so")
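As an added example (not ldid's own code, and not from the PR author), the following Python parses the pkcs11: URIs that `-K` takes using the RFC 7512 attribute syntax (`;`-separated path attributes, `&`-separated query attributes after `?`, percent-encoded values), enforces the caveat from step 3 above that the command-line URI must not carry `type`, derives the `type=private` / `type=cert` variants from a bare URI, and cleans the URLs out of a `p11tool --list-privkeys --login` listing. The sample listing is constructed, and the assumption that p11tool prints each object's URI on a line starting with `URL:` is the only thing relied on about its layout.

```python
"""Parse and sanity-check PKCS#11 URIs (RFC 7512) of the kind passed to ldid -K.

Added example; not ldid's code. It encodes the caveat from the PR text: the
URI given on the command line must not carry a `type` attribute, because one
URI is reused for both the certificate and the private key.
"""
from urllib.parse import unquote_to_bytes

SCHEME = "pkcs11:"
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}


class Pkcs11UriError(ValueError):
    """Malformed URI, or one ldid -K would not accept."""


def parse_pkcs11_uri(uri: str) -> tuple[dict[str, bytes], dict[str, bytes]]:
    """Split a pkcs11: URI into (path attributes, query attributes).

    Path attributes are `;`-separated, query attributes (after `?`) are
    `&`-separated. Values are percent-decoded to bytes because `id` is
    binary: `id=%02` is the single byte 0x02, not the character "2".
    """
    if not uri.startswith(SCHEME):
        raise Pkcs11UriError(f"not a pkcs11: URI: {uri!r}")
    path_part, _, query_part = uri[len(SCHEME):].partition("?")

    def decode(part: str, sep: str) -> dict[str, bytes]:
        attrs: dict[str, bytes] = {}
        for item in part.split(sep):
            if not item:
                continue
            name, eq, value = item.partition("=")
            if not eq:
                raise Pkcs11UriError(f"attribute without '=': {item!r}")
            if name in attrs:  # RFC 7512: an attribute may appear at most once
                raise Pkcs11UriError(f"duplicate attribute: {name}")
            attrs[name] = unquote_to_bytes(value)
        return attrs

    return decode(path_part, ";"), decode(query_part, "&")


def strip_type(uri: str) -> str:
    """Drop any `type=` path attribute; this is what -K needs from p11tool output."""
    if not uri.startswith(SCHEME):
        raise Pkcs11UriError(f"not a pkcs11: URI: {uri!r}")
    path_part, sep, query_part = uri[len(SCHEME):].partition("?")
    kept = [a for a in path_part.split(";") if a and not a.startswith("type=")]
    return SCHEME + ";".join(kept) + sep + query_part


def with_type(uri: str, obj_type: str) -> str:
    """Derive the per-object URI (type=private or type=cert) from a bare one."""
    if obj_type not in OBJECT_TYPES:
        raise Pkcs11UriError(f"unknown object type: {obj_type}")
    path_part, sep, query_part = strip_type(uri).partition("?")
    joiner = "" if path_part == SCHEME else ";"
    return f"{path_part}{joiner}type={obj_type}{sep}{query_part}"


def check_ldid_key_uri(uri: str) -> dict[str, bytes]:
    """Validate a URI for ldid -K and return its decoded path attributes."""
    path, _query = parse_pkcs11_uri(uri)
    if not path:
        raise Pkcs11UriError("URI selects nothing; add id=, object= or a token attribute")
    if "type" in path:
        raise Pkcs11UriError("remove type=...; the cert and key variants are derived from one URI")
    return path


# Constructed sample in the shape of `p11tool --list-privkeys --login` output
# for a PIV signing slot (9c). The exact layout of p11tool's output is an
# assumption; only the "URL:" prefix is relied on below.
SAMPLE_P11TOOL_OUTPUT = """\
Object 0:
\tURL: pkcs11:model=YubiKey%20YK5;serial=12345678;token=YubiKey%20PIV;id=%02;object=Private%20key%20for%20Digital%20Signature;type=private
\tType: Private key (RSA-2048)
\tLabel: Private key for Digital Signature
\tID: 02
"""


def uris_from_p11tool(listing: str) -> list[str]:
    """Extract the URLs p11tool printed and strip their type= so -K accepts them."""
    uris = []
    for line in listing.splitlines():
        line = line.strip()
        if line.startswith("URL:"):
            uris.append(strip_type(line[len("URL:"):].strip()))
    return uris


if __name__ == "__main__":
    for key_uri in uris_from_p11tool(SAMPLE_P11TOOL_OUTPUT):
        attrs = check_ldid_key_uri(key_uri)
        print("ldid -K" + repr(key_uri), attrs)
        print("  key :", with_type(key_uri, "private"))
        print("  cert:", with_type(key_uri, "cert"))
```

Running the script prints the cleaned URI that can be passed as `-K'...'`, its decoded attributes (note that `id` comes back as the raw byte `0x02`, which is why it must stay percent-encoded on the command line), and the two typed URIs a PKCS#11 lookup would use for the private key and the certificate.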

This allows signing using a HSM or a Smartcard (ex. Yubikey)
Look at PKCS11.md for help on getting started.

Sponsored by: @ZonD80
Ex:
ldid -K'pkcs11:object=MyKey;type=private' -X'pkcs11:object=MyKey;type=cert'
ldid -KCertificates.p12 -XExtractedFromP12.cer -XAppleWWDRCAG3.cer -XAppleIncRootCertificate.cer
@CRKatri CRKatri merged commit 798f55b into master Jun 26, 2024
6 of 12 checks passed
@Sasa554 commented Aug 22, 2024

ldid -K'pkcs11:model=YubiKey%20YK5;id=%02' -Sents.xml ls.bin
If the correct PKCS#11 module is not being loaded, try setting PKCS11_MODULE_PATH in your environment (ex. export PKCS11_MODULE_PATH="/usr/local/lib/p11-kit-proxy.so" or PKCS11_MODULE_PATH="/usr/local/lib/libykcs11.so")
