mtrojnar / osslsigncode

OpenSSL based Authenticode signing for PE/MSI/Java CAB files

Question: how to use osslsigncode with yubikey PIV? #306

Closed ba0f3 closed 1 year ago

ba0f3 commented 1 year ago

Has anyone had success signing code with a YubiKey 4 or 5 using osslsigncode? Can you please share your config with me?

Thank you!

gushengyuan commented 10 months ago

Did you resolve this issue?

I ran the command below, and it didn't list the user cert: `p11tool --provider /usr/local/lib/libykcs11.so --list-all-certs`

I don't know how to get the yubikey PIV pkcs11 URL, would you please share your instructions?

ba0f3 commented 10 months ago

> Did you resolve this issue?
>
> I ran the command below, and it didn't list the user cert: `p11tool --provider /usr/local/lib/libykcs11.so --list-all-certs`
>
> I don't know how to get the yubikey PIV pkcs11 URL, would you please share your instructions?

Here is my usage:

Install required modules:

```sh
# apt install libengine-pkcs11-openssl ykcs11
```

Sign code w/ this command:

```sh
# osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so -pkcs11module /usr/lib/x86_64-linux-gnu/libykcs11.so.2.2.0 -key "pkcs11:id=%02;type=private" -certs /path/to/your/certificate.crt -h sha256 -ts http://ts.ssl.com -in input.dll output.dll
```

gushengyuan commented 10 months ago

Amazing. I changed my pkcs11 URL to "pkcs11:id=%01;type=private", and it works for me. Seems like the YubiKey supports the old pkcs11 URL format. Thank you @ba0f3, your reply helped me a lot :-)

ba0f3 commented 10 months ago

You are welcome!

gushengyuan commented 10 months ago

On further investigation: if we have multiple YubiKeys on the same machine, we should indicate the YubiKey token in the pkcs11 URL.

Using pkcs11-tool to show the YubiKey token information:

```console
demo@boat:~/Downloads$ pkcs11-tool --module /usr/local/lib/libykcs11.so -L
Available slots:
Slot 0 (0x0): Yubico YubiKey OTP+FIDO+CCID 00 00
  token label        : YubiKey PIV #ABCDEF9
  token manufacturer : Yubico (www.yubico.com)
  token model        : YubiKey YK5
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 1.0
  firmware version   : 5.43
  serial num         : ABCDEF9
  pin min/max        : 6/64
demo@boat:~/Downloads$
```

Then we should indicate the model, manufacturer and serial in the pkcs11 URL; in my demo case they are:

```text
model=YubiKey YK5
manufacturer=Yubico (www.yubico.com)
serial=ABCDEF9
```

Then I changed my pkcs11 URL string as below, and it works too.

```text
"pkcs11:model=YubiKey%20YK5;manufacturer=Yubico%20(www.yubico.com);serial=ABCDEF9;id=%01;type=private"
```
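As an added example (not code from this thread or from osslsigncode), a small Python helper that reads the token attributes out of the `pkcs11-tool -L` listing quoted above and builds the RFC 7512 PKCS#11 URI with the percent-encoding the hand-written string relies on; the embedded listing is a constructed copy of the output shown in the comment, and the field-name mapping is an assumption based on pkcs11-tool's labels.

```python
import re
from urllib.parse import quote

# Constructed sample: the `pkcs11-tool --module libykcs11.so -L` listing from this thread.
PKCS11_TOOL_OUTPUT = """\
Available slots:
Slot 0 (0x0): Yubico YubiKey OTP+FIDO+CCID 00 00
  token label        : YubiKey PIV #ABCDEF9
  token manufacturer : Yubico (www.yubico.com)
  token model        : YubiKey YK5
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 1.0
  firmware version   : 5.43
  serial num         : ABCDEF9
  pin min/max        : 6/64
"""

# Characters RFC 7512 allows unescaped in a path-attribute value, on top of the
# unreserved set quote() already keeps; anything else (space included) becomes %XX.
_PK11_SAFE = ":[]@!$'()*+,=&"

# pkcs11-tool field label -> RFC 7512 attribute name (assumed mapping).
_FIELD_TO_ATTR = {
    "token label": "token",
    "token manufacturer": "manufacturer",
    "token model": "model",
    "serial num": "serial",
}


def parse_tokens(listing: str) -> list[dict[str, str]]:
    """Return one attribute dict per token found in `pkcs11-tool -L` output."""
    tokens: list[dict[str, str]] = []
    for line in listing.splitlines():
        if re.match(r"Slot \d+", line):
            tokens.append({})                      # a new slot starts a new token record
        elif tokens:
            m = re.match(r"^\s+(.+?)\s*:\s*(.*)$", line)
            if m and m.group(1) in _FIELD_TO_ATTR:
                tokens[-1][_FIELD_TO_ATTR[m.group(1)]] = m.group(2).strip()
    return tokens


def pkcs11_uri(token: dict[str, str], key_id: bytes, obj_type: str = "private",
               attrs: tuple[str, ...] = ("model", "manufacturer", "serial")) -> str:
    """Build a PKCS#11 URI that selects an object by token attributes plus CKA_ID."""
    parts = [f"{a}={quote(token[a], safe=_PK11_SAFE)}" for a in attrs if a in token]
    parts.append("id=" + "".join(f"%{b:02X}" for b in key_id))  # id is raw bytes: escape every byte
    parts.append(f"type={obj_type}")
    return "pkcs11:" + ";".join(parts)
```

With the listing above, `pkcs11_uri(parse_tokens(PKCS11_TOOL_OUTPUT)[0], b"\x01")` yields exactly the string in the comment, and `attrs=()` gives the shorter `pkcs11:id=%01;type=private` form from earlier in the thread.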