how to pass yubikey pin to openssl command in shell script
Question
I am trying to sign the CSR using the openssl command. The certificate and root of trust go to the YubiKey, and the YubiKey acts as the HSM authority. Every time I execute the command it asks for the YubiKey PIN. How can I pass the PIN on the command line so that I don't have to enter it manually and it can be shelled out completely?
openssl x509 -engine pkcs11 -req -days 30 -CAform PEM -CA "$subCert" -CAkeyform engine -CAkey "pkcs11:pin-value=$pin" -sha256 -CAcreateserial -in "$csr_file" -outform DER -out "$crt_file"
This command should not be asking for the PIN and should instead take the PIN from "pkcs11:pin-value=$pin".
Some background: it is proposed in various comments that different PIN methods may resolve this issue. The options for passing a PIN in are:
- specifying -passin pass:123456 as in the yubikey docs here.
- adding PIN=123456 to your openssl configuration file in the [pkcs11_section]
- using a PKCS#11 URI as you have (which is passed through openssl to the pkcs11 library), something like: -CAKey 'pkcs11:id=%02;type=private;pin-value=$PIN'
However, all of these seem to only impact the token PIN, not the key PIN (both of which are normally requested). It is unclear to me whether this is a bug or a feature.
OpenSC has some discussion suggesting that you set pin_cache_ignore_user_consent = true; in the framework pkcs15 section of your opensc configuration; however, this did not change the behaviour when I tested it.
There (also? unclear if this is the same issue or not) appears to be an issue with yubikeys using slot 9c (index 02) where openssl always asserts CKA_ALWAYS_AUTHENTICATE, thus requiring PIN entry for the key. This can be avoided by using slot 9a (index 01, slot0-id1 or pkcs11:id=%01;) as suggested here.
You may also be able to use OpenSC's pkcs11-tool for some functions, which does not appear to have the same problem.
Good luck!
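An added example, not part of the question or the answer above: a POSIX shell script that takes the answer's PIN-in-config route so the PIN never appears in argv (where `ps` and shell history can see it), reads the PIN from a mode-0600 file, and uses the slot 9a key id %01 the answer recommends. The engine and module paths, the file names and the pin-file layout are assumptions for this example; the helper pkcs11_uri_encode is for anyone who keeps pin-value in the URI as in the question, since a PIN containing `;`, `%` or a space must be percent-encoded there.

```shell
#!/bin/sh
# Assumed locations of libp11's engine and OpenSC's PKCS#11 module; adjust to
# your system (these paths are placeholders, not from the original page).
set -eu
: "${ENGINE_SO:=/usr/lib/ssl/engines/pkcs11.so}"
: "${MODULE_SO:=/usr/lib/opensc-pkcs11.so}"
# Percent-encode an ASCII PIN for a PKCS#11 URI pin-value (RFC 7512): only
# A-Z a-z 0-9 - . _ ~ may appear raw; every other byte becomes %XX.
pkcs11_uri_encode() {
    printf '%s\n' "$1" | fold -w1 | while IFS= read -r c; do
        case "$c" in
            '') ;;
            [A-Za-z0-9._~-]) printf '%s' "$c" ;;
            *) printf '%%%02X' "'$c" ;;
        esac
    done
}
# Write an owner-readable OpenSSL config that loads the pkcs11 engine and
# supplies the PIN (the PIN= option from the answer), keeping it out of argv.
write_pkcs11_cnf() {   # $1 = config path, $2 = PIN
    ( umask 077; cat > "$1" <<EOF
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = $ENGINE_SO
MODULE_PATH = $MODULE_SO
PIN = $2
init = 0
EOF
    )
}
# Sign a CSR with the slot 9a key (id %01, which the answer reports does not
# trip CKA_ALWAYS_AUTHENTICATE); the PIN file should itself be mode 0600.
sign_csr() {   # $1 = CA cert (PEM), $2 = CSR, $3 = DER output, $4 = PIN file
    cnf=$(mktemp) && write_pkcs11_cnf "$cnf" "$(cat "$4")"
    OPENSSL_CONF="$cnf" openssl x509 -engine pkcs11 -req -days 30 \
        -CAform PEM -CA "$1" -CAkeyform engine \
        -CAkey "pkcs11:id=%01;type=private" -sha256 -CAcreateserial \
        -in "$2" -outform DER -out "$3" || { rm -f "$cnf"; return 1; }
    rm -f "$cnf"   # the config held the PIN, so remove it even on success
}
# usage: sh sign.sh subca.pem request.csr out.der /path/to/pin.txt
if [ $# -eq 4 ]; then sign_csr "$@"; fi
```

The temporary config is deleted whether or not openssl succeeds, so the PIN is on disk only for the duration of the signing call.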