after 8 hours of debugging, I successfully narrowed down the YubiKey PIV PKCS#11 libp11 openssl provider issue stopping openssl from finding the correct private key: The yubikey is (incorrectly) returning an X.509 attestation certificate without a public key entry if invoked via the libp11 openssl provider, but one with a public key (correctly) if invoked via p11-kit.

unfortunately i have zero clue how to continue debugging from here.

#aurorasprint

maybe it's wisest to pack my shit and write a bug report
nah nvm. i have a new lead and i AM going to beat the shit out of this bug
fixed it. it was caused by me erroneously just enabling the libp11 openssl provider instead of both the libp11 AND the `default` openssl provider. The `default` provider missing caused openssl to be unable to decode the DER X.509 certificate blob received from the YubiKey. Debugging was significantly complicated because the function parsing DER X.509 certificates intentionally ignored all errors coming from the public key extraction function for whatever reason.
@cyclopentane If you have a working command/setup for using a yubikey as a key source for openssl, hit me up. I have a use case I finally want to finish, a normal yubikey is enough for my use case and I don't want to spend the money for a proper HSM...

@jadyn

(using Nix/NixOS)

put the following into a file called `openssl.cnf`:
```
[openssl_init]
providers = provider_sect

[provider_sect]
pkcs11 = pkcs11_sect
default = default_sect

[default_sect]
activate = 1

[pkcs11_sect]
identity = pkcs11prov
module = pkcs11prov.so
debug_level = 7
pin = 123456
activate = 1
```

1/2

@cyclopentane can I do pin entry interactively (stdin), as a parameter in the command, or with a different file?

@jadyn yep, see openssl(1), section "Pass Phrase Arguments":

https://linux.die.net/man/1/openssl

e.g. `-passin file:/var/lib/secrets/yubikey-pin`

@jadyn

set the following env vars:
```
export OPENSSL_CONF=openssl.cnf
export OPENSSL_MODULES=${pkgs.libp11}/lib/ossl-module
export PKCS11_MODULE_PATH=${pkgs.yubico-piv-tool}/lib/libykcs11.so
```

look up the private key label of your PIV slot at https://docs.yubico.com/software/yubikey/tools/pivtool/piv-tool-ykcs11.html#key-alias-per-slot-and-object-type

for instance "Private key for Digital Signature" for slot 9c

2/3


@jadyn then, e.g. run:
```
$ openssl pkeyutl -provider default -provider pkcs11prov -sign -inkey "pkcs11:object=Private%20key%20for%20Digital%20Signature" -in test -out test.sig
```

3/3
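Added example, not code from the thread: a small POSIX shell lint for the `openssl.cnf` above that catches the exact mistake described earlier (pkcs11 provider activated without `default`), plus a writer for the same config with the PIN taken out so it can be passed with `-passin` at run time. Function names are my own; the config contents and the `/var/lib/secrets/yubikey-pin` path are the thread's.

```shell
# Added example, not from the thread. Lints an openssl.cnf for the bug above:
# pkcs11 provider on, `default` provider missing, so the DER cert cannot be decoded.

# Print every provider name the config activates, following
# [openssl_init] -> providers = <sect> -> <name> = <sect> -> activate = 1.
activated_providers() {
    awk '
        /^[ \t]*\[/ { sec = $0; gsub(/[^A-Za-z0-9_.-]/, "", sec); next }
        /^[ \t]*(#|$)/ { next }
        {
            eq = index($0, "="); k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (sec == "openssl_init" && k == "providers") provsect = v
            else if (k == "activate") act[sec] = v
            else ref[sec, k] = v
        }
        END {
            for (key in ref) {
                split(key, p, SUBSEP)
                if (p[1] == provsect && act[ref[key]] == "1") print p[2]
            }
        }' "$1" | sort
}

# Return 0 only if both the default and the pkcs11 provider are activated.
check_openssl_cnf() {
    provs=$(activated_providers "$1")
    for want in default pkcs11; do
        echo "$provs" | grep -qx "$want" ||
            { echo "$1: provider '$want' is not activated" >&2; return 1; }
    done
}

# Write the thread's config minus the PIN; supply it at run time instead,
# e.g. -passin file:/var/lib/secrets/yubikey-pin on a file readable only by you.
write_openssl_cnf() {
    cat > "$1" <<'EOF'
[openssl_init]
providers = provider_sect
[provider_sect]
pkcs11 = pkcs11_sect
default = default_sect
[default_sect]
activate = 1
[pkcs11_sect]
identity = pkcs11prov
module = pkcs11prov.so
activate = 1
EOF
}
```

Run `check_openssl_cnf openssl.cnf` before exporting `OPENSSL_CONF`; it exits non-zero and names the missing provider if the config is in the broken state.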