Long shot - Yubikey 5 - Anyone able to initialize PKCS#11 with OpenSC? #2937
Replies: 10 comments
-
Or log in as SO:
C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool -v -l --login-type so -t
I can log in as a user fine. Their PKCS#11 minidriver allows login but it's missing all the features of PKCS#11 3.0:
s11.dll" -l --login-type so -t
-
OpenSC cannot handle using two different applets on the same token at the same time. If you want to use the openpgp applet instead:
(Note: PIV cards were not designed to be provisioned by end users using PKCS11.)
-
C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool -l --login-type so -k --key-type EC:curve25519
Closer. I can log in as SO now. Now it won't generate an X25519 key. Hypothetically it is supported; maybe I'll try with gnupg and see if it's usable for operations like DH with pkcs11. It's able to create other key types.
Edit: Hm, maybe I need to create the key with GPG tools; OpenSC doesn't support writing.
Edit: Yup, exactly that. Thanks.
-
I am not very good with openpgp... OpenPGP has two PINs, a signature PIN and a second PIN used for authentication and key agreement.
OPENSC_DRIVER=openpgp ./pkcs11-tool --list-slots
With your
OPENSC_DRIVER=openpgp pkcs11-tool -l --login-type so -k --key-type EC:curve25519
-
It's cool y'all were able to implement pkcs#11 at all on top of an OpenPGP card.
-
I assume you got it to work with both curve25519 and X25519 keys? Can you list the commands you used, starting with initializing the token?
-
Well, it got as far as I see them in pkcs11-tool. They were generated with gpg4win. By that I mean, I think, using the PKCS#11 function CKM_ECDH1_DERIVE, with the CKD_NULL param in CK_ECDH1_DERIVE_PARAMS, which should give an SK to be used for a symmetric cipher. I should be able to do a DH handshake between libsodium and PKCS#11 over X25519 and ensure the SK is the same as a valid test. I also want to validate cross-compatibility with CKM_EDDSA\EDDSA signing. This would validate that the key generated on chip from GPG tools is usable in OpenSC. I would write a test case, likely with lib11 or pkcs11-helper. The documentation for this is barely there, but I am going to attempt it; if it works I'll document...
I have no idea if the OpenSC PKCS#11 implementation for OpenPGP cards supports all the necessities to do this. I don't think showing key objects in pkcs11-tool is useful; I want to make sure it's actually usable for something. It doesn't look like OpenPGP cards support PKCS#11 natively, so I am not sure how far the devs of OpenSC have bent over backwards, or the extent of the creativity, to actually have enough of it working to be useful?
-
Here is a test script I use with PIV cards with EC keys using p-256 or p-384 to derive a shared secret key.
-
And a test script to use CMS.
-
pkcs11-tool --module "c:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll" --init-token --label yubikey
Using slot 0 with a present token (0x0)
Please enter the new SO PIN:
Please enter the new SO PIN (again):
error: PKCS11 function C_InitToken failed: rv = CKR_DEVICE_ERROR (0x30)
Aborting.
Or with the OpenSC driver
I'm trying to use the generic pkcs#11 functionality, not through the PIV module.
I want to create keys and such, was trying to see if curve25519 is supported as I know the OpenPGP stuff works on Yubi.
I'm thinking they're not supporting PKCS#11 any more than what is needed for the PIV implementation?