rhboot / pesign

Linux tools for signed PE-COFF binaries
GNU General Public License v2.0

Unable to sign files with YubiHSM #93

Open CompanyXY opened 2 years ago

CompanyXY commented 2 years ago

Hello.

We're unable to utilize Yubico's YubiHSM2 FIPS for signing binaries.

pesign claims it could not find our certificate:

[pesign@hsm ~]$ pesign -t "YubiHSM" -n /etc/pki/pesign/ -c CompanyX --sign -i /grubx64.efi.empty -o /pesign-writable/grubx64.efi
Enter Password or Pin for "YubiHSM":
cms_common.c:find_certificate:470: could not find certificate in list:
Unrecognized Object Identifier.
pesign: Could not find certificate CompanyX

While the certificate is clearly present in the HSM:

[pesign@hsm ~]$ p11tool --provider /usr/lib64/pkcs11/yubihsm_pkcs11.so --login  --list-all "pkcs11:model=YubiHSM;manufacturer=Yubico%20%28www.yubico.com%29;serial=[...];token=YubiHSM"
Token 'YubiHSM' with URL 'pkcs11:model=YubiHSM;manufacturer=Yubico%20%28www.yubico.com%29;serial=[...];token=YubiHSM' requires user PIN
Enter PIN:
[...]
Object 2:
        URL: pkcs11:model=YubiHSM;manufacturer=Yubico%20%28www.yubico.com%29;serial=[...];token=YubiHSM;id=%00%05;object=CompanyX;type=private
        Type: Private key (RSA-2048)
        Label: CompanyX
        Flags: CKA_PRIVATE; CKA_EXTRACTABLE; CKA_SENSITIVE;
        ID: 00:05

Object 3:
        URL: pkcs11:model=YubiHSM;manufacturer=Yubico%20%28www.yubico.com%29;serial=[...];token=YubiHSM;id=%00%05;object=CompanyX;type=public
        Type: Public key (RSA-2048)
        Label: CompanyX
        Flags: CKA_EXTRACTABLE;
        ID: 00:05
[...]

I'll also attach its objectinfo:

yubihsm> get objectinfo 0 0x0005 asymmetric-key
id: 0x0005, type: asymmetric-key, algorithm: rsa2048, label: "CompanyX", length: 896, domains: 1, sequence: 1, origin: imported, capabilities: exportable-under-wrap:sign-pkcs

I was using a 'Master Key' with all the capabilities there are for this attempt, so capabilities should not be the problematic thing.

What could possibly be going on here?
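A check added here, not code from the thread or from pesign, that parses `p11tool --list-all` output and reports, per label, which PKCS#11 object types the token exposes; pesign looks the signing certificate up by nickname, so the listing should show a certificate object for that label, not only keys. The sample listing is constructed, modelled on the one in the report, with shortened URLs.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the report's p11tool --list-all listing: a PIN prompt,
# a certificate under another label, and a CompanyX key pair with no certificate object.
SAMPLE_P11TOOL_OUTPUT = """\
Token 'YubiHSM' with URL 'pkcs11:token=YubiHSM' requires user PIN
Enter PIN:

Object 0:
        URL: pkcs11:token=YubiHSM;id=%00%01;object=OtherCert;type=cert
        Type: X.509 Certificate (RSA-2048)
        Label: OtherCert
        ID: 00:01

Object 2:
        URL: pkcs11:token=YubiHSM;id=%00%05;object=CompanyX;type=private
        Type: Private key (RSA-2048)
        Label: CompanyX
        ID: 00:05

Object 3:
        URL: pkcs11:token=YubiHSM;id=%00%05;object=CompanyX;type=public
        Type: Public key (RSA-2048)
        Label: CompanyX
        ID: 00:05
"""

def object_types_by_label(listing):
    """Map each Label to the set of RFC 7512 'type=' values (private, public, cert, ...)
    found in the object URLs of a p11tool --list-all listing."""
    types = defaultdict(set)
    for block in re.split(r"\n\s*\n", listing.strip()):
        url = re.search(r"^\s*URL:\s*(\S+)", block, re.M)
        label = re.search(r"^\s*Label:\s*(.+?)\s*$", block, re.M)
        if not url or not label:
            continue  # token header / PIN prompt, not an object block
        typ = re.search(r"(?:^|;)type=([^;]+)", url.group(1))
        types[label.group(1)].add(typ.group(1) if typ else "unknown")
    return dict(types)

def check_signing_label(listing, label):
    """'ok' when a certificate object with this label exists; otherwise say what is there."""
    found = object_types_by_label(listing).get(label, set())
    if "cert" in found:
        return "ok"
    if not found:
        return f"no object labelled {label!r} on token"
    return f"label {label!r} has {sorted(found)} but no certificate object"
```

Feed it the real `p11tool --list-all` output for the token and the label passed to `pesign -c` to see whether a certificate object, and not just a key pair, is visible under that name.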

joostd commented 1 year ago

This is possibly due to some issues with NSS-based tools for which there is a workaround implemented in the YubiHSM2 PKCS#11 module. Can you try with the 2023.01 version of the YubiHSM2 SDK for your platform, available here?

See this gist for an example signing on an Ubuntu VM.

aronowski commented 1 year ago

While I guess @joostd's response might resolve the issue, there is something else that I believe should be said.

This report does not contain several details that might prove invaluable to resolve this issue. I can't see the system distribution name and release. I can't see any information on Yubico's utilities: their versions along with their origin. Where did they come from? Yubico's official site? EPEL? Fedora's repositories? I can, however, see a fundamental unfamiliarity with the pesign utility.

I can read between the lines and guess this case was with either Fedora or RHEL because of the $PS1 formatting, and if that's true, then the bad effects might well be caused by doing the thing that was not supposed to be done. I mean running a shell as the Unix account pesign.

I see there's been an attempt to use the system-wide NSS database /etc/pki/pesign/, but in this case the Standard Operating Procedure on RHEL is to add one's own account to the Unix group pesign and re-login. The entries in /etc/passwd hint at that.

$ grep pesign /etc/passwd
pesign:x:977:977:Group for the pesign signing daemon:/run/pesign:/sbin/nologin

I agree this might be neither intuitive nor documented enough and I'll try to do something about it in the future.