I want to sign a Certificate Signing Request using the private key & the certificate stored in the PIV Digital Signature slot.
I'm using the latest release of OpenSC for macOS (https://github.com/OpenSC/OpenSC/releases/tag/0.19.0).
I have tried the pkcs11-tool, pkcs15-tool & yubikey-piv-tool. All three tools provide a --sign API but they sign a digest generated from the data.
My requirement is to sign the Certificate Signing Request to generate a certificate.
The only option I have is to use the PKCS#11 engine for OpenSSL.
PKCS#11 engine: brew install engine_pkcs11
PKCS#11 Module: opensc-pkcs11.so
I will sign the CSR using the regular OpenSSL commands, giving the key & the cert stored on the Yubikey using the engine option (probably using the PKCS#11 URI).
Using OpenSSL 1.0.2, I tried the following command.
engine -t dynamic -pre SO_PATH:/usr/local/Cellar/engine_pkcs11/0.1.8/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/Library/OpenSC/lib/opensc-pkcs11.so
Response:
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/local/Cellar/engine_pkcs11/0.1.8/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/Library/OpenSC/lib/opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
[ available ]
To sign the CSR, I'm using this command:
req -engine pkcs11 -keyform engine -key 02 -new -x509 -in ~/Desktop/sample.csr -out cert.pem
Response:
engine "pkcs11" set.
PKCS#11 token PIN:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields, there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []: a.com
Email Address []:
4536252012:error:8000A101:PKCS11 library:PKCS11_rsa_sign:User not logged in:p11_ops.c:131:
4536252012:error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:a_sign.c:306:
Even on inputting the right PIN, I'm getting this error. The CA key/cert on the Yubikey certs have no passwords either.
Got a similar error in a PyKCS11 example: https://github.com/LudovicRousseau/PyKCS11/issues/61
With another similar OpenSSL command:
OPENSSL_CONF=engine.conf openssl x509 -req -engine pkcs11 -in ~/Desktop/sample.csr -CAkeyform engine -CAkey 02 -CA rootCA.pem -sha256 -out cert.pem
Response:
engine "pkcs11" set.
Signature ok
subject=/CN=C44F3320626D/C=IN/ST=MH/O=test
Getting CA Private Key
PKCS#11 token PIN:
4394223212:error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters:p_lib.c:137:
4394223212:error:8000A101:PKCS11 library:PKCS11_rsa_sign:User not logged in:p11_ops.c:131:
4394223212:error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:a_sign.c:306:
I'm wondering if the issue is in macOS OpenSSL, Yubikey, PKCS#11 or OpenSSL-PKCS#11 engine.
I am expecting the CSR to be signed into a certificate on macOS using the Yubikey. Please help.
Your -CAkey 02 should be -CAkey slot_0-id_2 for slot 9c / index 02 on the yubikey, everything else there looks okay (though note there is an issue with pin requirements on slot 9c which may affect you).
For a working example of yubikeys with pkcs#11 you might like to check out https://github.com/ryankurte/pki
Good luck!
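Putting the answer's key reference together with the question's engine setup, here is an added example (my own script, not code from the thread or from OpenSC/engine_pkcs11): it writes an OpenSSL config that loads engine_pkcs11 with the OpenSC module, maps PIV slots to the OpenSC object ids, and runs the x509 -req signing with -CAkey slot_0-id_2. The engine and module paths default to the ones in the question, -days 365 and -CAcreateserial are my choices, rootCA.pem is assumed to be the certificate of the key in slot 9c, and the signing function needs a YubiKey present (the engine prompts for the PIN).

```shell
# Added example, not code from the thread: sign a CSR with the key in PIV
# slot 9c (OpenSC object id 02) through the OpenSSL pkcs11 engine.
# ENGINE_SO/MODULE_SO default to the paths given in the question (assumed).
set -eu
ENGINE_SO="${ENGINE_SO:-/usr/local/Cellar/engine_pkcs11/0.1.8/lib/engines/engine_pkcs11.so}"
MODULE_SO="${MODULE_SO:-/Library/OpenSC/lib/opensc-pkcs11.so}"

# Write an OpenSSL config that loads engine_pkcs11 and points it at OpenSC,
# so "-engine pkcs11" works without the interactive "engine -t dynamic" steps.
write_pkcs11_engine_conf() {
    cat >"$1" <<EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $ENGINE_SO
MODULE_PATH = $MODULE_SO
init = 0
EOF
}

# engine_pkcs11 key reference "slot_<index>-id_<hex>": slot index 0 is the
# first token, and OpenSC exposes the PIV key slots 9a/9c/9d/9e as ids 01..04.
piv_key_ref() {
    case "$1" in
        9a) echo "slot_0-id_1" ;;
        9c) echo "slot_0-id_2" ;;
        9d) echo "slot_0-id_3" ;;
        9e) echo "slot_0-id_4" ;;
        *)  echo "unknown PIV slot: $1" >&2; return 1 ;;
    esac
}

# Sign CSR $1 with CA cert $2 and the 9c key on the token, writing cert $3.
# Needs the YubiKey present; the engine prompts for the PIN. -days and
# -CAcreateserial are assumed choices, not from the thread.
sign_csr_with_piv() {
    conf=$(mktemp)
    write_pkcs11_engine_conf "$conf"
    OPENSSL_CONF="$conf" openssl x509 -req -engine pkcs11 -in "$1" \
        -CA "$2" -CAkeyform engine -CAkey "$(piv_key_ref 9c)" \
        -CAcreateserial -sha256 -days 365 -out "$3"
    rm -f "$conf"
}
```

Run it as `sign_csr_with_piv ~/Desktop/sample.csr rootCA.pem cert.pem`; afterwards `openssl verify -CAfile rootCA.pem cert.pem` confirms the token signature chains to the CA certificate.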