mtrojnar/osslsigncode

Question: how to use osslsigncode with yubikey PIV?

ba0f3 opened this issue · 5 comments

ba0f3 commented

Anyone has success sign code w/ Yubikey 4, 5 using osslsigncode? can you please share me your config?

Thank you!

Did you resolve this issue?

I ran this command below, and did'nt list the user cert.
p11tool --provider /usr/local/lib/libykcs11.so --list-all-certs

I don't know how to get the yubikey PIV pkcs11 URL, would you please share your instructions?

ba0f3 commented

Did you resolve this issue?

I ran this command below, and did'nt list the user cert. p11tool --provider /usr/local/lib/libykcs11.so --list-all-certs

I don't know how to get the yubikey PIV pkcs11 URL, would you please share your instructions?

here my usage:

Install required modules:

# apt install libengine-pkcs11-openssl ykcs11

Sign code w/ this command:

# osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so -pkcs11module /usr/lib/x86_64-linux-gnu/libykcs11.so.2.2.0 -key "pkcs11:id=%02;type=private" -certs /path/to/your/certificate.crt -h sha256 -ts http://ts.ssl.com -in input.dll output.dll

Amazing. I changed my pkcs11 URL to "pkcs11:id=%01;type=private", and it works for me.
Seams like the YubiKey support the old pkcs11 URL format.
Thank you @ba0f3 , your reply help me a lot:-

ba0f3 commented

you are welcome!

Further investigation, if we have multiple YubiKeys on the same machine, we should indicate the YubiKey token in the pkcs11 URL.

Using pkcs11-tool to show the YubiKey token infomation:

demo@boat:~/Downloads$ pkcs11-tool --module /usr/local/lib/libykcs11.so -L
Available slots:
Slot 0 (0x0): Yubico YubiKey OTP+FIDO+CCID 00 00
  token label        : YubiKey PIV #ABCDEF9
  token manufacturer : Yubico (www.yubico.com)
  token model        : YubiKey YK5
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 1.0
  firmware version   : 5.43
  serial num         : ABCDEF9
  pin min/max        : 6/64
demo@boat:~/Downloads$

Then we should indicate the model, manufacturer and serial in the pkcs11 URL, in my demo case, they are

model=YubiKey YK5
manufacturer=Yubico (www.yubico.com)
serial=ABCDEF9

Then I changed my pkcs11 URL string like below, it works too.

"pkcs11:model=YubiKey%20YK5;manufacturer=Yubico%20(www.yubico.com);serial=ABCDEF9;id=%01;type=private"