Question: how to use osslsigncode with yubikey PIV?
ba0f3 opened this issue · 5 comments
Has anyone had success signing code with a YubiKey 4 or 5 using osslsigncode? Can you please share your config with me?
Thank you!
Did you resolve this issue?
I ran the command below, and it didn't list the user cert.
p11tool --provider /usr/local/lib/libykcs11.so --list-all-certs
I don't know how to get the yubikey PIV pkcs11 URL, would you please share your instructions?
Here is my usage:
Install required modules:
# apt install libengine-pkcs11-openssl ykcs11
Sign code w/ this command:
# osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so -pkcs11module /usr/lib/x86_64-linux-gnu/libykcs11.so.2.2.0 -key "pkcs11:id=%02;type=private" -certs /path/to/your/certificate.crt -h sha256 -ts http://ts.ssl.com -in input.dll -out output.dll
Amazing. I changed my pkcs11 URL to "pkcs11:id=%01;type=private", and it works for me.
Seems like the YubiKey supports the old pkcs11 URL format.
Thank you @ba0f3, your reply helped me a lot :-
You are welcome!
On further investigation: if we have multiple YubiKeys on the same machine, we should indicate the YubiKey token in the pkcs11 URL.
Using pkcs11-tool to show the YubiKey token information:
demo@boat:~/Downloads$ pkcs11-tool --module /usr/local/lib/libykcs11.so -L
Available slots:
Slot 0 (0x0): Yubico YubiKey OTP+FIDO+CCID 00 00
token label : YubiKey PIV #ABCDEF9
token manufacturer : Yubico (www.yubico.com)
token model : YubiKey YK5
token flags : login required, rng, token initialized, PIN initialized
hardware version : 1.0
firmware version : 5.43
serial num : ABCDEF9
pin min/max : 6/64
demo@boat:~/Downloads$
Then we should indicate the model, manufacturer and serial in the pkcs11 URL; in my demo case, they are:
model=YubiKey YK5
manufacturer=Yubico (www.yubico.com)
serial=ABCDEF9
Then I changed my pkcs11 URL string as below, and it works too:
"pkcs11:model=YubiKey%20YK5;manufacturer=Yubico%20(www.yubico.com);serial=ABCDEF9;id=%01;type=private"
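The two pkcs11 URLs in this thread were assembled by hand, and the part that most often goes wrong is the percent-encoding (a space in `YubiKey YK5` must become `%20`, while the parentheses in the manufacturer string may stay as they are). The script below is an added example, not code from osslsigncode or from anyone in this thread: it percent-encodes attribute values per RFC 7512, builds a token-specific URL from the `pkcs11-tool -L` fields shown above (a constructed copy of that listing is embedded so the first part runs without a YubiKey), and wraps the osslsigncode sign/verify invocation. The engine and module paths, the certificate path, the timestamp server and the `sign_with_yubikey` function name are assumptions taken from the thread or chosen here; adjust them to your system.

```shell
#!/bin/sh
# Added example: build a token-specific PKCS#11 URL for osslsigncode from
# pkcs11-tool output, then sign and verify with it. Not the project's own code.

# Percent-encode one attribute value for the path part of a PKCS#11 URI (RFC 7512).
# Unreserved characters and the set RFC 7512 allows unencoded in the path
# ( : [ ] @ ! $ ' ( ) * + , = & ) pass through; everything else, notably the
# space, ';', '/' and '?', is encoded as %XX. ASCII input is assumed.
pkcs11_uri_encode() {
    s=$1
    out=
    safe='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~:[]@!$'"'"'()*+,=&'
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}          # first character of the remaining string
        s=${s#?}                 # drop it
        case "$safe" in
            *"$c"*) out="$out$c" ;;
            *)      out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s' "$out"
}

# Extract one "name : value" field from a pkcs11-tool -L listing read on stdin.
token_attr() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" | sed 's/[[:space:]]*$//' | head -n 1
}

# $1 model, $2 manufacturer, $3 serial, $4 key id already in URI form (e.g. %01).
# With ykcs11, id=%01 is PIV slot 9a (Authentication) and id=%02 is slot 9c
# (Digital Signature), which is why the two posters above used different ids.
build_pkcs11_uri() {
    printf 'pkcs11:model=%s;manufacturer=%s;serial=%s;id=%s;type=private' \
        "$(pkcs11_uri_encode "$1")" "$(pkcs11_uri_encode "$2")" \
        "$(pkcs11_uri_encode "$3")" "$4"
}

# $1 full pkcs11-tool -L output, $2 key id in URI form.
uri_from_listing() {
    model=$(printf '%s\n' "$1" | token_attr 'token model')
    manufacturer=$(printf '%s\n' "$1" | token_attr 'token manufacturer')
    serial=$(printf '%s\n' "$1" | token_attr 'serial num')
    build_pkcs11_uri "$model" "$manufacturer" "$serial" "$2"
}

# Constructed sample of `pkcs11-tool --module libykcs11.so -L`, mirroring the
# values quoted in the thread so the URL it yields can be compared directly.
SAMPLE_SLOT_LISTING='Available slots:
Slot 0 (0x0): Yubico YubiKey OTP+FIDO+CCID 00 00
  token label        : YubiKey PIV #ABCDEF9
  token manufacturer : Yubico (www.yubico.com)
  token model        : YubiKey YK5
  serial num         : ABCDEF9'

# $1 input file, $2 output file, $3 certificate chain file, $4 pkcs11 URL.
# Signs with the key on the token and verifies the result; the paths are
# assumptions (Debian/Ubuntu layout from the thread) overridable via env vars.
sign_with_yubikey() {
    osslsigncode sign \
        -pkcs11engine "${PKCS11_ENGINE:-/usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so}" \
        -pkcs11module "${PKCS11_MODULE:-/usr/lib/x86_64-linux-gnu/libykcs11.so}" \
        -key "$4" -certs "$3" -h sha256 -ts "${TS_URL:-http://ts.ssl.com}" \
        -in "$1" -out "$2" &&
    osslsigncode verify -in "$2"
}

# Stand-alone demo (no hardware needed): print the URL derived from the sample.
uri_from_listing "$SAMPLE_SLOT_LISTING" '%01'
printf '\n'
# Real use (requires the YubiKey and your certificate file), e.g.:
#   sign_with_yubikey input.dll output.dll /path/to/your/certificate.crt \
#       "$(pkcs11-tool --module /usr/lib/x86_64-linux-gnu/libykcs11.so -L | uri_from_listing /dev/stdin %01)"
```

Running `uri_from_listing` against the live `pkcs11-tool -L` output of each plugged-in key gives you one unambiguous URL per token, and the `osslsigncode verify` step at the end of `sign_with_yubikey` confirms the Authenticode signature actually validates before you ship the binary (add `-CAfile` to that verify call if your issuing CA is not in osslsigncode's default bundle).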