
I am trying to sign an efi image with a Yubikey 4

I configured Yubikey with the following:

yubico-piv-tool -k $key -a import-key -s 9c < test-key.rsa
yubico-piv-tool -k $key -a import-certificate -s 9c < test-cert.pem

I included the certificate in a certdir:

certutil -A -n "efi-cert" -t ,,Tu -d $CERTDIR -a -i test-cert.pem

I can see the token in pkcs11-tool:

$ pkcs11-tool --module=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -L
Available slots:
Slot 0 (0xffffffffffffffff): Virtual hotplug slot
  (empty)
Slot 1 (0x1): Yubico Yubikey 4 OTP+CCID 00 00
  token label        : PIV_II (PIV Card Holder pin)
  token manufacturer : piv_II
  token model        : PKCS#15 emulated
  token flags        : rng, login required, PIN initialized, token initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 00000000

But when I try to use it with pesign, it doesn't find the token:

$ sudo pesign -i bootx64.efi --export-signature bootx64.sig --sign -d sha256 -t "PIV_II (PIV Card Holder pin)" -c "efi-cert" -n $CERTDIR
could not find token "PIV_II (PIV Card Holder pin)"
pesign: Could not find certificate efi-cert

In strace I saw that pesign doesn't read opensc-pkcs11.so, but it reads libnssckbi.so, can this be the reason? Should I configure the Yubikey differently?

Any help would be much appreciated.

Lilás

1 Answer


I just managed to get it working:

In strace I saw that pesign was looking for $CERTDIR/libnssckbi.so, but doing ln -s /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so $CERTDIR/libnssckbi.so didn't work, so to solve this I linked with opensc-pkcs11.so:

ln -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so $CERTDIR/libnssckbi.so

And now it finds the token. Please let me know if there is a better solution (as this doesn't seem ideal).

Also, my argument in pesign ... -c "efi-cert" ... was wrong, as I should use the label in the token and not the one I gave to the certificate when including it in the certdir.

Executing the following revealed that the right label was "Certificate for Digital Signature" instead of "efi-cert":

$ pkcs11-tool --module=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -O
Using slot 1 with a present token (0x1)
Public Key Object; RSA 2048 bits
  label:      SIGN pubkey
  ID:         02
  Usage:      encrypt, verify
Certificate Object, type = X.509 cert
  label:      Certificate for Digital Signature
  ID:         02
Data object 27638640
  label:          'Card Capability Container'
  application:    'Card Capability Container'
  app_id:         2.16.840.1.101.3.7.1.219.0
  flags:          <empty>

Data object 27637904
  label:          'Card Holder Unique Identifier'
  application:    'Card Holder Unique Identifier'
  app_id:         2.16.840.1.101.3.7.2.48.0
  flags:          <empty>

Data object 27638000
  label:          'Unsigned Card Holder Unique Identifier'
  application:    'Unsigned Card Holder Unique Identifier'
  app_id:         2.16.840.1.101.3.7.2.48.2
  flags:          <empty>

Data object 27638096
  label:          'X.509 Certificate for PIV Authentication'
  application:    'X.509 Certificate for PIV Authentication'
  app_id:         2.16.840.1.101.3.7.2.1.1
  flags:          <empty>

Data object 27636560
  label:          'X.509 Certificate for Digital Signature'
  application:    'X.509 Certificate for Digital Signature'
  app_id:         2.16.840.1.101.3.7.2.1.0
  flags:          <empty>

Data object 27636656
  label:          'X.509 Certificate for Key Management'
  application:    'X.509 Certificate for Key Management'
  app_id:         2.16.840.1.101.3.7.2.1.2
  flags:          <empty>

Data object 27636752
  label:          'X.509 Certificate for Card Authentication'
  application:    'X.509 Certificate for Card Authentication'
  app_id:         2.16.840.1.101.3.7.2.5.0
  flags:          <empty>

Data object 27636848
  label:          'Security Object'
  application:    'Security Object'
  app_id:         2.16.840.1.101.3.7.2.144.0
  flags:          <empty>

Data object 27636944
  label:          'Discovery Object'
  application:    'Discovery Object'
  app_id:         2.16.840.1.101.3.7.2.96.80
  flags:          <empty>

Now I can execute the following:

$ pesign -i bootx64.efi --export-signature bootx64.sig --sign -d sha256 -t "PIV_II (PIV Card Holder pin)" -c "Certificate for Digital Signature" -n $CERTDIR
Enter Password or Pin for "PIV_II (PIV Card Holder pin)":
Enter passphrase for private key:
Lilás
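The answer above fixes two separate things: making NSS load the OpenSC PKCS#11 module at all, and passing pesign the certificate label as the token exposes it rather than the nickname given to certutil. The following is an added example (not code from the question, the answer, or the pesign/OpenSC projects) that scripts both steps in a checkable way. It pulls certificate labels out of a pkcs11-tool -O listing (the sample listing is a constructed excerpt of the one in the answer), and it registers OpenSC in the NSS database with modutil instead of symlinking it over libnssckbi.so, which is NSS's built-in root-certificate module, so the symlink trick silently replaces the built-in trust roots in that certdir. The module name "OpenSC", the pkcs11.txt check, and the assumption that this pesign build honours modules registered in the -n directory are all assumptions, not something the post confirms.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for discovering the
# token's certificate label and for registering OpenSC with NSS.

# Constructed sample: an excerpt of the `pkcs11-tool -O` listing shown in
# the answer, embedded so the parser can be exercised without a Yubikey.
sample_listing() {
    cat <<'EOF'
Using slot 1 with a present token (0x1)
Public Key Object; RSA 2048 bits
  label:      SIGN pubkey
  ID:         02
  Usage:      encrypt, verify
Certificate Object, type = X.509 cert
  label:      Certificate for Digital Signature
  ID:         02
Data object 27638640
  label:          'Card Capability Container'
  application:    'Card Capability Container'
  app_id:         2.16.840.1.101.3.7.1.219.0
  flags:          <empty>
EOF
}

# Print the label of every "Certificate Object" in a pkcs11-tool -O listing
# read from stdin. Public-key and data-object labels are skipped: pesign's
# -c wants the label of the certificate object itself.
cert_labels() {
    awk '
        /^Certificate Object/ { incert = 1; next }
        /^[^ ]/               { incert = 0 }
        incert && /^ *label:/ {
            sub(/^ *label: */, "")
            print
        }
    '
}

# Live variant: query the token through OpenSC (path from the post).
token_cert_labels() {
    pkcs11-tool --module=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -O | cert_labels
}

# True when the NSS database directory already lists opensc-pkcs11 as a
# PKCS#11 module. Assumption: sqlite-format NSS databases keep module
# configuration in pkcs11.txt.
opensc_registered() {
    certdir="$1"
    [ -f "$certdir/pkcs11.txt" ] && grep -q 'opensc-pkcs11' "$certdir/pkcs11.txt"
}

# Register OpenSC through modutil rather than symlinking it over
# libnssckbi.so (the built-in root module). "OpenSC" is an arbitrary name.
register_opensc() {
    certdir="$1"
    opensc_registered "$certdir" && return 0
    modutil -force -dbdir "sql:$certdir" -add "OpenSC" \
        -libfile /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
}

# Sign with the first certificate label the token reports, so the -c value
# can never drift from what the token actually exposes.
sign_efi() {
    certdir="$1"; image="$2"; sig="$3"
    label=$(token_cert_labels | head -n 1)
    [ -n "$label" ] || { echo "no certificate object on token" >&2; return 1; }
    register_opensc "$certdir" || return 1
    pesign -i "$image" --export-signature "$sig" --sign -d sha256 \
        -t "PIV_II (PIV Card Holder pin)" -c "$label" -n "$certdir"
}

# Offline demonstration on the constructed sample.
sample_listing | cert_labels
```

Run `sign_efi "$CERTDIR" bootx64.efi bootx64.sig` with the token inserted; the offline part at the bottom only prints `Certificate for Digital Signature`, showing why `-c "efi-cert"` could not match.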