Better prompt messages for YubiKey 5C #410

Open
karamellpelle opened this issue Jun 28, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@karamellpelle (Contributor)

Thanks for creating this necessary project! I have a YubiKey 5C, and I am able to sign using the YubiKey. These are my settings in /etc/ssl/openssl.cnf:

[provider_sect]
default = default_sect
pkcs11  = pkcs11_sect

[default_sect]
# important to activate default provider if we add additional providers! 
activate = 1

[pkcs11_sect]
activate           = 1
module             = /usr/lib64/ossl-modules/pkcs11.so
# Yubico's libykcs11.so makes it possible to get access to Retired Key data objects:
pkcs11-module-path = /usr/lib/libykcs11.so
pkcs11-module-cache-pins = cache

To sign a CSR request.csr and create certificate.crt I use for example:

openssl x509 -req -in request.csr -extfile config/piv.cnf -extensions sign -CA 'pkcs11:id=%05' -CAkey 'pkcs11:id=%05' -sha512 -days 800 -out certificate.crt

where id=%05 was found using pkcs11-tool --module /usr/lib64/libykcs11.so -O (which is my Root CA added into Slot 82 (Retired Key 1) using the ykman command) (piv.cnf is a file with my sign settings like x509v3 keys). Then I will be given the following prompt:

Enter pass phrase for PKCS#11 Token (Slot 0 - Yubico YubiKey OTP+FIDO+CCID 00 00):

If I remove the line pkcs11-module-cache-pins = cache in openssl.cnf, I get two prompts:

Enter pass phrase for PKCS#11 Token (Slot 0 - Yubico YubiKey OTP+FIDO+CCID 00 00):
Enter PIN for PKCS#11 Token (Slot 0 - Yubico YubiKey OTP+FIDO+CCID 00 00):

For each prompt, I need to type my PIN. Then the command stops, but the YubiKey starts blinking, and I have to touch the YubiKey. After that, the CSR gets signed (which is very nice!). But in the beginning I didn't know what "pass phrase" meant (but tried my PIN - correct), and found out after a while that the command stopped because it was waiting for a touch on the YubiKey.

Expected behavior

It would be an improvement if you can give better prompt messages:

  • Use the word "PIN" instead of "pass phrase"
  • Print "Touch the YubiKey" (or something similar)

Not sure if these prompt messages are given by OpenSSL or this pkcs11-provider project.

Additional context

FYI, here is my piv.cnf:

[ req ]
utf8                   = yes
distinguished_name     = req_dn
prompt                 = no

[ req_dn ]
commonName             = James Bond

# PIV.9a
[ auth ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
keyUsage               = keyAgreement, keyEncipherment, digitalSignature
#subjectAltName        = @auth_alt_name

# PIV.9c
[ sign ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = codeSigning
#subjectAltName        = @sign_alt_name
@karamellpelle karamellpelle added the enhancement New feature or request label Jun 28, 2024
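As an added example (not code from this issue or from the pkcs11-provider project), the following Python shows how a `pkcs11:id=%05` URI like the one in the signing command above is derived from a `pkcs11-tool -O` listing: the CKA_ID is a byte string, so each byte is percent-encoded per RFC 7512. The listing text is constructed to resemble OpenSC's output and its label strings are assumptions, not captured from a real YubiKey.

```python
from urllib.parse import quote

# Constructed sample of `pkcs11-tool --module libykcs11.so -O` output.
# Shape follows OpenSC's listing format; labels are assumed, not captured.
SAMPLE_LISTING = """\
Using slot 0 with a present token (0x0)
Public Key Object; RSA 2048 bits
  label:      Public key for Retired Key 1
  ID:         05
  Usage:      encrypt, verify
Private Key Object; RSA
  label:      Private key for Retired Key 1
  ID:         05
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable
Certificate Object; type = X.509 cert
  label:      X.509 Certificate for Retired Key 1
  subject:    DN: CN=James Bond
  ID:         05
"""

def parse_objects(listing):
    """Split pkcs11-tool -O output into objects with their attributes."""
    objects = []
    for line in listing.splitlines():
        if not line.startswith(" ") and " Object" in line:
            objects.append({"type": line.split(";")[0].strip()})
        elif line.startswith("  ") and ":" in line and objects:
            key, _, value = line.strip().partition(":")
            objects[-1][key.strip().lower()] = value.strip()
    return objects

def pkcs11_id_uri(listing, label, obj_type="Private Key Object"):
    """Return the pkcs11: URI for the object with the given label and type.
    CKA_ID bytes are percent-encoded (0x05 -> %05) as RFC 7512 requires."""
    for obj in parse_objects(listing):
        if obj["type"] == obj_type and obj.get("label") == label:
            id_bytes = bytes.fromhex(obj["id"])
            return "pkcs11:id=" + quote(id_bytes, safe="")
    raise KeyError(f"no {obj_type} labelled {label!r}")

def openssl_sign_cmd(listing, label, csr, out, extfile, days=800):
    """Build the `openssl x509 -req` argv that signs a CSR with the token key."""
    uri = pkcs11_id_uri(listing, label)
    return ["openssl", "x509", "-req", "-in", csr, "-extfile", extfile,
            "-extensions", "sign", "-CA", uri, "-CAkey", uri, "-sha512",
            "-days", str(days), "-out", out]
```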
@Jakuje (Contributor) commented Jul 23, 2024

Regarding the prompts, I think we do not have complete control of the prompts, as if it prompts in different contexts, the wording might be a bit different, but it is something we should double-check.

Regarding the touch requirement, this is really specific to YubiKeys. This is something that is not visible right now on the PKCS#11 level for the pkcs11-provider, so if we would like the pkcs11-provider to show this information, we would need to adjust OpenSC (or your PKCS#11 module of choice) to provide a custom attribute for a key with this property. We have a PR in progress to support this better in OpenSC/OpenSC#3071, but it is still in progress.
