OpenSSL: sign a certificate signing request with a CA stored on a Yubikey

Tags: openssl, pkcs#11, csr, yubico, openssl-engine

I want to sign a certificate signing request using the private key & certificate stored in the PIV Digital Signature slot.

I am using the latest version of OpenSC for macOS.

I have tried pkcs11-tool, pkcs15-tool and yubico-piv-tool. All three provide a --sign API, but they sign a digest computed over the data.

My requirement is to sign a certificate signing request in order to produce a certificate.

My only option is to use the PKCS#11 engine for OpenSSL.
PKCS#11 engine: brew install engine_pkcs11
PKCS#11 module: opensc-pkcs11.so

I would use the regular OpenSSL commands to sign the CSR, supplying the key and certificate stored on the Yubikey through the engine option (probably with a PKCS#11 URI).

With OpenSSL 1.0.2 I tried the following command

engine -t dynamic -pre SO_PATH:/usr/local/Cellar/engine_pkcs11/0.1.8/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/Library/OpenSC/lib/opensc-pkcs11.so
Output:

(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/local/Cellar/engine_pkcs11/0.1.8/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/Library/OpenSC/lib/opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
     [ available ]
engine "pkcs11" set.
PKCS#11 token PIN:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields, there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []: a.com
Email Address []:
4536252012:error:8000A101:PKCS11 library:PKCS11_rsa_sign:User not logged in:p11_ops.c:131:
4536252012:error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:a_sign.c:306:
engine "pkcs11" set.
Signature ok
subject=/CN=C44F3320626D/C=IN/ST=MH/O=test
Getting CA Private Key
PKCS#11 token PIN:
4394223212:error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters:p_lib.c:137:
4394223212:error:8000A101:PKCS11 library:PKCS11_rsa_sign:User not logged in:p11_ops.c:131:
4394223212:error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:a_sign.c:306:
To sign the CSR I use this command

req -engine pkcs11 -keyform engine -key 02 -new -x509 -in ~/Desktop/sample.csr -out cert.pem 
I get this error even when I enter the correct PIN. The CA key/certificate on the Yubikey also has no password.

A similar error occurs in the PyKCS#11 example:

Using another, similar OpenSSL command

OPENSSL_CONF=engine.conf openssl x509 -req -engine pkcs11 -in ~/Desktop/sample.csr -CAkeyform engine -CAkey 02 -CA rootCA.pem -sha256 -out cert.pem
I would like to know whether the problem lies in the macOS OpenSSL, the Yubikey, PKCS#11 or the OpenSSL PKCS#11 engine.


I want to be able to sign a CSR into a certificate on macOS using the Yubikey. Please help.

Your -CAkey 02 should be -CAkey slot_0-id_2 for slot 9c / index 02 on the yubikey; everything else looks fine (though note that the PIN requirement on slot 9c may affect you).

For a working example of yubikeys and pkcs#11 you might want to take a look at


Good luck
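As an added example (not code from the question or the answer above): the following shell helpers put the answer's advice into a repeatable form. They derive the libp11 key specifier for a PIV slot, both in the legacy `slot_<n>-id_<hex>` form the answer gives and as an RFC 7512 PKCS#11 URI (the form the question mentions), write the OpenSSL engine config so the `engine -t dynamic ...` incantation is not needed, and wrap the `openssl x509 -req ... -CAkeyform engine` signing step. The engine and module paths default to the ones in the question and are assumptions for that Homebrew/OpenSC install; the 9a/9d/9e CKA_ID values are OpenSC's PIV driver convention and go beyond the 9c case discussed on the page. Signing itself needs the token plugged in; the helpers that build specifiers and the config run without it.

```sh
#!/bin/sh
# Added example: sign a CSR with a CA key held in a Yubikey PIV slot via
# OpenSSL + engine_pkcs11 (libp11) + OpenSC. Paths are assumptions taken from
# the question; override ENGINE_SO / MODULE_SO for your machine.
set -eu

ENGINE_SO="${ENGINE_SO:-/usr/local/Cellar/engine_pkcs11/0.1.8/lib/engines/engine_pkcs11.so}"
MODULE_SO="${MODULE_SO:-/Library/OpenSC/lib/opensc-pkcs11.so}"

# OpenSC exposes the PIV slots as PKCS#11 objects with fixed CKA_ID values:
# 9a -> 01, 9c -> 02 (digital signature, the case in the answer), 9d -> 03, 9e -> 04.
piv_key_id() {
  case "$1" in
    9a) echo 01 ;;
    9c) echo 02 ;;
    9d) echo 03 ;;
    9e) echo 04 ;;
    *)  echo "unknown PIV slot: $1" >&2; return 1 ;;
  esac
}

# libp11 legacy specifier: slot_<token index>-id_<hex CKA_ID>, e.g. slot_0-id_2.
# Token index defaults to 0 (first token seen by the module).
legacy_key_spec() {
  id=$(( 0x$(piv_key_id "$1") ))
  echo "slot_${2:-0}-id_$(printf '%x' "$id")"
}

# RFC 7512 PKCS#11 URI: CKA_ID bytes are percent-encoded, type=private picks
# the private key object rather than the certificate with the same id.
uri_key_spec() {
  echo "pkcs11:id=%$(piv_key_id "$1");type=private"
}

# OpenSSL config that loads the pkcs11 engine and points it at the OpenSC module.
# Use it as OPENSSL_CONF=<file> openssl ... instead of typing `engine -t dynamic ...`.
write_engine_conf() {
  cat > "$1" <<EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $ENGINE_SO
MODULE_PATH = $MODULE_SO
init = 0
EOF
}

# sign_csr <csr.pem> <ca-cert.pem> <piv slot> <out-cert.pem>
# -CAkeyform engine + -CAkey <spec> is what makes the CA key come from the token;
# the engine prompts for the PIV PIN. libp11 also accepts pin-value=<PIN> in the
# URI for unattended use, but that leaves the PIN in shell history and ps output.
sign_csr() {
  csr=$1; ca_cert=$2; slot=$3; out=$4
  conf=$(mktemp)
  write_engine_conf "$conf"
  OPENSSL_CONF="$conf" openssl x509 -req -engine pkcs11 \
    -in "$csr" -CA "$ca_cert" -CAkeyform engine -CAkey "$(uri_key_spec "$slot")" \
    -CAcreateserial -sha256 -days 365 -out "$out"
  rm -f "$conf"
  # Confirm the issued cert chains to the CA cert paired with the on-token key.
  openssl verify -CAfile "$ca_cert" "$out"
}

# Usage with the token present:
#   sign_csr sample.csr rootCA.pem 9c cert.pem
```

If the engine still reports `User not logged in` after a correct PIN, check which libp11/engine_pkcs11 build `dynamic_path` actually points at before suspecting the token: the config above makes that path explicit, so `OPENSSL_CONF=engine.conf openssl engine -c pkcs11` tells you whether the engine loaded from the location you expect.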

Try using tools that work with Yubikey PIV (at least on Linux). Good luck

-CAkey 02 works on Linux. The problem is on OSX: brew install libp11 installs an outdated version of libp11. The ryankurte/pki repo was helpful.