How to pass a YubiKey PIN to an openssl command in a shell script

Views: 130

Problem description

I am trying to sign the CSR using opensssl command. The certificate and root of trust goes to yubikey and yubikey act as HSM authority. Every time i execute the command it asks for the Yubikey Pin. How can i pass the PIN in command line so that i don't have to enter it manually and it can be shelled out completely.

openssl x509 -engine pkcs11 -req -days 30 -CAform PEM -CA "$subCert" -CAkeyform engine -CAkey "pkcs11:pin-value=$pin" -sha256 -CAcreateserial -in "$csr_file" -outform DER -out "$crt_file"

this command should not be asking for PIN and should be taking pin from "pkcs11:pin-value=$pin"

Solution

Some background: it is proposed in various comments that different pin methods may resolve this issue, the options for passing a pin in are:

  • specifying -passin pass:123456 as in the yubikey docs here.
  • adding PIN=123456 to your openssl configuration file in the [pkcs11_section]
  • using a PKCS#11 URI as you have (which is passed through openssl to the pkcs11 library), something like: -CAKey 'pkcs11:id=%02;type=private;pin-value=$PIN'

However, all of these seem to only impact the token pin, not the key pin (both of which are normally requested). It is unclear to me whether this is a bug or a feature.

Opensc has some discussion suggesting that you set pin_cache_ignore_user_consent = true; in the framework pkcs15 section of your opensc configuration, however, this did not change the behaviour when I tested it.

There (also? unclear if this is the same issue or not) appears to be an issue with yubikeys using slot 9c (index 02) where openssl always asserts CKA_ALWAYS_AUTHENTICATE, thus requiring pin entry for the key. This can be avoided by using slot 9a (index 01, slot0-id1 or pkcs11:id=%01;) as suggested here.

You may also be able to use OpenSC's pkcs11-tool for some functions, which does not appear to have the same problem.

Good luck!
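The question's command and the answer's third option both put the PIN into the URI on the openssl command line, where any local user can read it from ps or /proc/PID/cmdline. The script below is an added example (not code from the question, the answer, or the YubiKey, OpenSC or libp11 projects) that signs the CSR the same way but points the engine at a PIN file through the URI's pin-source attribute (RFC 7512), so the PIN itself never enters argv. It also shows the percent-encoding RFC 7512 requires if pin-value is used instead, since a ';' or '&' in the PIN would otherwise terminate the attribute. The path /run/piv/pin, the script name, and the choice of slot 9a (key id 01, as the answer recommends) are assumptions, as is that the installed libp11 engine honours pin-source.

```shell
#!/bin/sh
# Added example; not from the question or the answer above.
# Signs a CSR with a YubiKey PIV key through the libp11 "pkcs11" OpenSSL engine
# without placing the PIN in argv. The engine reads the PIN from a 0600 file
# named by a pin-source= URI attribute (RFC 7512).
# Assumptions: engine and OpenSC module configured in openssl.cnf; signing key in
# PIV slot 9a (key id 01); engine version supports pin-source.

# Percent-encode a string for use as a PKCS#11 URI attribute value such as
# pin-value. RFC 7512 leaves only the unreserved set unencoded; ';' and '&'
# in particular would otherwise be read as attribute separators.
pkcs11_pct_encode() {
    s=$1
    out=
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}        # first character of the remaining string
        s=${s#?}               # rest of the string
        case $c in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;   # "'c" yields the char code
        esac
    done
    printf '%s' "$out"
}

# Build the private-key URI: id %01 is PIV slot 9a, id %02 is slot 9c.
# The PIN file path is a pk11-qchar string, so '/' needs no encoding.
pkcs11_key_uri() {
    printf 'pkcs11:id=%%%02d;type=private;pin-source=file:%s' "$1" "$2"
}

# sign_csr CA_CERT CSR OUT_DER PIN_FILE: same openssl invocation as the
# question, with the PIN supplied via the file instead of the command line.
sign_csr() {
    ca_cert=$1 csr_file=$2 crt_file=$3 pin_file=$4
    [ -r "$pin_file" ] || { echo "PIN file $pin_file is not readable" >&2; return 1; }
    key_uri=$(pkcs11_key_uri 1 "$pin_file")
    openssl x509 -engine pkcs11 -req -days 30 \
        -CAform PEM -CA "$ca_cert" \
        -CAkeyform engine -CAkey "$key_uri" \
        -sha256 -CAcreateserial \
        -in "$csr_file" -outform DER -out "$crt_file"
}

# Runs only when given all four arguments, e.g. (constructed paths):
#   (umask 077; printf '%s' "$PIV_PIN" > /run/piv/pin)
#   sh sign_with_piv.sh ca.pem request.csr signed.der /run/piv/pin
if [ "$#" -eq 4 ]; then
    sign_csr "$1" "$2" "$3" "$4"
fi
```

Create the PIN file under umask 077 and without a trailing newline, since the engine passes the file contents to the token as-is. If the engine build in use does not honour pin-source, the answer's first option can be kept off the command line the same way with -passin file:/run/piv/pin instead of -passin pass:123456; either way the slot 9c behaviour the answer describes (CKA_ALWAYS_AUTHENTICATE forcing a second prompt) is unchanged by how the PIN is delivered.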
