pkcs11-provider with yubikey token

[gilweis]

Hi,
I am trying to check the library with yubikey token.

OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
latest pkcs11-provider library
pkcs11 module: /usr/lib/x86_64-linux-gnu/libykcs11.so
key-type: "rsa:2048"

The operation of reading the public key is ok:
$ openssl pkey -in "pkcs11:type=public;id=%02" -pubin -pubout -out testkey2.pub

The operation with private key fails:
$ openssl req -new -batch -key "pkcs11:type=private;id=%02" -out tmp.csr

Error making certificate request
4007D721007F0000:error:0580006F:x509 certificate routines:X509_PUBKEY_set:unsupported algorithm:../crypto/x509/x_pubkey.c:359:

[simo5]

Certificate objects are not supported yet, it is one of the next items on my list.

[gilweis]

Thanks.
I tested the private key with pkeyutl command and it's ok:
$ openssl pkeyutl -inkey "pkcs11:type=private;id=%02" -in pinfile.txt -sign -out out.sig

Why openssl req command that create CSR need something with Certificate objects from the provider?

[simo5]

It actually does not need a certificate object, but it needs an encoder to encode the public key into a SubjectPublicKeyInfo Der format.
I was not providing those encoding functions, but should be able to get them shortly and then I will add a openssl req command to the test suite, stay tuned.

[dengert]

Why openssl req command that create CSR need something with Certificate objects from the provider?

When I have used openssl req it does not need a certificate.

The CSR will contain the public key to be added in the new certificate. The CSR is signed by the matching private key.
req does have "-x509 Output a x509 structure instead of a cert request (Required by some CA's)" but this output, and not input.

A test Certificate Management System ends up calling:
req $SSLEAY_CONFIG -engine pkcs11 -sha256 -new -keyform engine -key $KEY_ID -out cards/$1.myreq.$KEYID.pem -text
with something like:

-----BEGIN CERTIFICATE REQUEST-----
MIICpTCCAY0CAQAwEzERMA8GA1UEAxMIZGVlbmdlcnQwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQCWpyfsD4k50Yfpg17jMpoXhF5TsYRe+JX/lhU1L4XD
qpBXwB4SLDoiuf6WIjTn68NUq/OaKx/Aghj2PeduQ7QVsA8dfXxIPwT4KicNT9Cu
N88hckMgFpdKzelcRs8nqribu9lGJ8KP9k2RdpNQNkHEN0l9RblnUeVmNukaCNvZ
nziwuAOF0AGrMOMF7rNwxxDmoZv9yjEbzQtWr5re4QFWM6tDwWTmMr/cHjuSTuD1
AiScxBmMBfsAtMp0CqnKXE1SLiEIKDJ61Gsjc3zXIV2FsB+vSSbjElzBe1hFdKwm
gKSHaJsHvCplk69lqlJMnsxwhme8u3m9wz9zxIxB8lF/AgMBAAGgTTBLBgkqhkiG
9w0BCQ4xPjA8MAsGA1UdDwQEAwIFoDAtBgNVHREEJjAkoCIGCisGAQQBgjcUAgOg
FAwSZGVlbmdlcnRAZ21haWwuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQCUnrkGJ+0b
qxybFQcf2LFAatniBqSOH9D1UAtfO75lrP6fXxgCqE4FP3eNG6fu7KHoW4aeY+hR
ytV2SteLGHjctC3JWwnFu/K72sVUwFfJ/bf2E0ASn6uW+tBdRMkmoatf/5hMn1PY
32dgRyWjBcf5AtmEPE+nFR5I6lMFhjbz+TioAk6S8pTZzCAetBkRh9Ra9wBBDGnw
d2BvGreQl2HazZlNliW0nsDfx6dvlThKqISsZ4xpj/7Cq9erYKrhLXRjZlGDsiK6
3BGiXDHw9N7VAF7dR9b7inGRLmLP7DopYlJa01kYLi9SMyQiCogQpoWkBgVBTTn+
DkF+HU/A5sdf
-----END CERTIFICATE REQUEST-----

[gilweis]

The openssl req command that I used generate CSR and not x509 format.
Anyway, the provider only need to sign on the hash of the request so I don't understand why "Certificate objects" relevant to the provider for this operation.

[dengert]

4007D721007F0000:error:0580006F:x509 certificate routines:X509_PUBKEY_set:unsupported algorithm:../crypto/x509/x_pubkey.c:359:

comes from OpenSSL crypto/x509/x_pubkey.c line 359. In latest version https://github.com/openssl/openssl/blob/master/crypto/x509/x_pubkey.c#L364

It it is trying to create the "SubjectPublicKeyInfo" to be inserted into the CSR from the public key. OpenSSL store info on public and private in same structure. Smartcards and PKCS11 store them separately and to determine the type and size of the key, engine or provider need to access the public key.

But it looks like your Yubikey is configured for a PIV card?

NIST PIV specifications does not directly store a public key on the card. So there is catch-22 when creating a CSR. Only time card returns a public key is when a key is created which must be saved so it can be used in a CSR to create a certificate that will have the public key which can the be read for the card.

How was the private key generated?

I am not familiar with libykcs11.so https://developers.yubico.com/yubico-piv-tool/ writes pub key to stdout during keygen. It can also created a CSR with pubkey from stdin.

I am familiar with OpenSC piv-tool. When piv-tool generates a key, it writes the public to a file. The OpenSC pkcs11 module via card-piv.c will try and read certificate to get public key. If no certificate it will look in environment for path to the pubkey stored by piv-tool, to avoid the catch-22 situation.

[gilweis]

Hi,
Yes, my Yubikey is configured for a PIV card but I know that the public key store in the card.
I can read the public from Yubikey via openssl pkey -in "pkcs11:type=public;id=%02" -pubin -pubout -out testkey2.pub (work with engine or provider).
With engine, the openssl csr command with Yubikey is working without external public key file.

From openssl x_pubkey.c code, it's look that something with OSSL_ENCODER_CTX_new_for_pkey() or d2i_X509_PUBKEY() fail.
I guess that OSSL_ENCODER_CTX_new_for_pkey need some info about the public key that the provider currently not support.

[simo5]

So I have an encoder for SubjectPublicKeyInfo now, however there is an issue.
openssl req -new -batch -key "pkcs11:type=private;id=%02" -out tmp.csr takes a private key ... but then somehow expects to be able to get the Subject Public KeyInfo and store it in the cert.
Internally I am passed a private key though.

In some cases the private key may contain the public key modulus and exponent (which are needed to generate the der SubjectPublicKeyInfo), but it is not a given in pkcs11 ...

[simo5]

In libp11 I see in pkcs11_get_ec() it will try to find the public key corresponding to the private key at hand. This will work only if the token stores the public key with the same CKA_ID as the private key. (It also tries with the certificate)

It is customary to have the same CKA_ID for pub, priv and associated cert on a token, but not reauired.

For tokens like yubikey PIV specifically I think there is no public key but only private key and cert obj.

So it will take some time to have a fully functional fallback for this kind of token because I do not have the code to pull out cert objects yet (it is planned).

[dengert]

Libp11 does expect the CKA_ID of cert, public key and private key to be the same. But as I said in some other post about PIV cards, there is a catch-22 that there is no cert until the CSR is signed by CA and returned and written to card. NIST specifically does not support a pubkey object on PIV cards as the the cert has the pubkey. (PIV cards where not designed to be writable by users, only by a CMS run by gov agencies, and how to provision the card was left up to the card vendors.)
So a driver has to read the cert to get key size or curveName for any PIV card.
Note on PIV cards the certificate is contained within a data object and may be zipped. Both OpenSC and Yubico internally can pull the certificate form the object and unzip if needed.

Yubikey as a card vendor, does allow users to provision their cards. yubico-piv-tool does says to avoid the catch-22, it internally creates a dummy cert with the public key during keygen. It has to read the cert and extract the pubkey i.e. SPKI any way, so it may also present pkcs11 pubkey.

The OpenSC pkcs11-tool can use any pkcs11 module, so try this:
pkcs11-tool --module /usr/lib/x86_64-linux-gnu/libykcs11.so -O --login It should list all objects including the certificate (real or dummy) and may present a public key object derived from the certificate. You can read other objects too.

The OpenSC piv-tool saves the pubkey to a file during keygen and the OpenSC pkcs11 module if it does not find a cert on the card, it will look in env for path to pubkey, and return pubkey from either the file or the cert. If it can not find either it does not list a private key as it does not know the size or type or if exists on the card.

[dengert]

takes a private key ... but then somehow expects to be able to get the Subject Public KeyInfo and store it in the cert.

OpenSSL expects a EVP_KEY will have both public and private parts.
PKCS11 treats these as two different objects. Smart cards go even further and may force the card driver to find the key size or curveName some other way, like the pubkey or SPKI of a certificate. So your provider will need do what libp11 does and get the public key or certificate to get key size and type and curveName.

[simo5]

@gilweis I figured all out, see #87

[simo5]

Libp11 does expect the CKA_ID of cert, public key and private key to be the same. But as I said in some other post about PIV cards, there is a catch-22 that there is no cert until the CSR is signed by CA and returned and written to card. NIST specifically does not support a pubkey object on PIV cards as the the cert has the pubkey. (PIV cards where not designed to be writable by users, only by a CMS run by gov agencies, and how to provision the card was left up to the card vendors.) So a driver has to read the cert to get key size or curveName for any PIV card. Note on PIV cards the certificate is contained within a data object and may be zipped. Both OpenSC and Yubico internally can pull the certificate form the object and unzip if needed.

Yubikey as a card vendor, does allow users to provision their cards. yubico-piv-tool does says to avoid the catch-22, it internally creates a dummy cert with the public key during keygen. It has to read the cert and extract the pubkey i.e. SPKI any way, so it may also present pkcs11 pubkey.

The OpenSC pkcs11-tool can use any pkcs11 module, so try this: pkcs11-tool --module /usr/lib/x86_64-linux-gnu/libykcs11.so -O --login It should list all objects including the certificate (real or dummy) and may present a public key object derived from the certificate. You can read other objects too.

The OpenSC piv-tool saves the pubkey to a file during keygen and the OpenSC pkcs11 module if it does not find a cert on the card, it will look in env for path to pubkey, and return pubkey from either the file or the cert. If it can not find either it does not list a private key as it does not know the size or type or if exists on the card.

Good to know,
at the moment I do not think openssl providers can successfully provision keys/certs to tokens anyway, they lack the flexibility to use login credentials at the right time. So I'll leave provisioning to tool like OpenSC's pkcs11-tool, I have no reason to provide duplicate tools like those in this project.

[simo5]

The solution to this specific question should be in #87

[gilweis]

p11prov-debug.log

[simo5]

This seem to ask for some info (unfortunately not logged what) via get_ctx_params, and then nothing.
Sounds like it got an answer it didn't like.
Unfortunately not much logging is provided when that call fails, I had an issue that gave the same symptoms with ECDSA because the get_ctx_params there was always returning an error (it was fixed in the PR).

If you are comfortable running gdb I can tell you what to look for, but I would really rather move this to its own issue.

[gilweis]

Please send me instructions how to compile the library with debug info and what to look for. I'll try with gdb.
Thanks

[simo5]

All you should need is to CFLAGS="-O0 -ggdb3" ./configure then make as usual
gdb --args
in gdb break on p11prov_rsasig_get_ctx_params()
inspect the params argument to see which params are asked let me know if there is any not currently handled by this function), then step through the function and see if any of the requested parameter causes a failure.
If not keep stepping through the openssl parent function to see if there is any clue of what openssl didn't like.

HTH,
Simo.

[simo5]

Ah one more thing, can you check if the yubikey driver returns mechanisms?

Set PKCS11_PROVIDER_DEBUG="file:p11prov-debug.log,level:2" and rerun and attahc the log, so I can see what mechanisms are advertised.
If the yubikey driver do not expose this info I will need to add a quirk specific to this token/token-family, to enable the supported algorithms.