yubico-piv-tool
yubico-piv-tool copied to clipboard
Yubico
ykcs11 - OpenSSL engine req discards named curve OID, returns explicit parameters
Certificate Signing Requests using ykcs11 as the OpenSSL engine returns explicit EC parameters instead of an ASN.1 OID named curve for the public key.
yubico-piv-tool, ykman, openssl, and openssl-pkcs11 were installed from Fedora 36 repositories.
$ yubico-piv-tool -aversion
Application version 5.4.3 found.
$ ykman --version
YubiKey Manager (ykman) version: 4.0.9
$ openssl version
OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
yubico-piv-tool shows version 2.3.0 from DNF, so not sure where the discrepancy is with the version command showing 5.4.3.
Using the following openssl.cnf:
[ default ]
openssl_conf = openssl_def
[ openssl_def ]
engines = engines_def
[ engines_def ]
pkcs11 = pkcs11_def
[ pkcs11_def ]
engine_id = pkcs11
MODULE_PATH = /usr/lib64/libykcs11.so.2
$ ykman piv reset -f
Resetting PIV data...
Success! All PIV data have been cleared from the YubiKey.
Your YubiKey now has the default PIN, PUK and Management Key:
PIN: 123456
PUK: 12345678
Management Key: 010203040506070801020304050607080102030405060708
$ openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-384 -pkeyopt ec_param_enc:named_curve | openssl ec -aes256 -out priv.key
read EC key
writing EC key
Enter pass phrase for PEM:
Verifying - Enter pass phrase for PEM:
$ ykman piv keys import 9a priv.key
Enter password to decrypt key:
Enter a management key [blank to use default key]:
$ ykman piv keys export 9a pub.key
$ openssl ec -text -noout -pubin -in pub.key
read EC key
Public-Key: (384 bit)
pub:
04:46:03:8d:f4:51:06:68:a3:f8:94:18:1a:bd:71:
fb:29:8c:49:c2:f4:22:a6:a4:29:79:6f:6f:46:fe:
4c:d8:ae:6f:46:a0:76:fd:99:d5:94:1e:3f:8b:eb:
29:1f:48:1d:c5:2e:07:29:3c:45:bb:8f:3f:2d:0b:
42:e8:b0:fc:75:2b:7f:8d:ae:d8:12:ca:d7:46:e8:
89:74:fa:19:11:6c:a0:0a:d3:25:40:80:9e:42:a9:
6e:96:2e:cd:fe:d5:64
ASN1 OID: secp384r1
NIST CURVE: P-384
Importing the private key using ykman or yubico-piv-tool gives the same CSR results.
Public key was exported so I could create a request using ykman and the private key stored in slot 9a in the Yubikey.
Creating the CSR with ykman results in the public key portion showing the ASN.1 OID for the P-384 curve, which is expected.
$ ykman piv certificates request -s 'CN=Test One' -P 123456 9a pub.key - | openssl req -text -noout
Certificate Request:
Data:
Version: 1 (0x0)
Subject: CN = Test One
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:c3:1a:41:37:a2:b1:c8:93:cc:d3:ae:88:ac:df:
61:e7:80:c6:e1:2a:a0:cb:c7:a3:9f:c5:56:b2:01:
f6:19:da:0d:7f:79:a7:9e:d2:a4:08:29:12:1c:b6:
83:bc:41:32:bb:ba:a3:80:cf:cc:b4:78:36:fb:ed:
1c:11:03:b7:39:f9:53:50:b3:8c:1c:52:15:92:bd:
da:51:43:12:2c:29:ea:83:ac:7a:99:e2:d1:54:34:
18:b0:46:0a:e4:ff:9b
ASN1 OID: secp384r1
NIST CURVE: P-384
Attributes:
(none)
Requested Extensions:
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:65:02:31:00:87:14:0f:bd:a0:31:bc:81:43:a0:d5:81:d6:
03:16:b3:ea:5a:ea:8b:21:46:63:a6:0a:a8:88:50:63:4e:80:
4b:6d:ec:f3:1e:02:0e:28:fe:c6:74:00:ec:89:68:d6:a3:02:
30:70:88:7f:0d:ae:fb:21:f5:0a:73:c4:39:0f:12:3a:89:e5:
a9:a5:5e:cc:ea:15:e7:b4:37:bb:d7:9e:63:82:ea:d4:30:50:
ec:f2:29:73:77:2e:c6:a5:01:92:e5:bc:2b
Creating the CSR with the OpenSSL engine, however, results in a public key with explicit parameters instead of the expected ASN.1 OID.
$ openssl req -config openssl.cnf -new -engine pkcs11 -keyform engine -key "pkcs11:id=%01;type=private" -passin pass:123456 -subj '/CN=Test Two' -text -noout
Engine "pkcs11" set.
Certificate Request:
Data:
Version: 1 (0x0)
Subject: CN = Test Two
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:c3:1a:41:37:a2:b1:c8:93:cc:d3:ae:88:ac:df:
61:e7:80:c6:e1:2a:a0:cb:c7:a3:9f:c5:56:b2:01:
f6:19:da:0d:7f:79:a7:9e:d2:a4:08:29:12:1c:b6:
83:bc:41:32:bb:ba:a3:80:cf:cc:b4:78:36:fb:ed:
1c:11:03:b7:39:f9:53:50:b3:8c:1c:52:15:92:bd:
da:51:43:12:2c:29:ea:83:ac:7a:99:e2:d1:54:34:
18:b0:46:0a:e4:ff:9b
Field Type: prime-field
Prime:
00:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:fe:ff:ff:ff:ff:00:00:00:00:00:00:00:00:
ff:ff:ff:ff
A:
00:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:fe:ff:ff:ff:ff:00:00:00:00:00:00:00:00:
ff:ff:ff:fc
B:
00:b3:31:2f:a7:e2:3e:e7:e4:98:8e:05:6b:e3:f8:
2d:19:18:1d:9c:6e:fe:81:41:12:03:14:08:8f:50:
13:87:5a:c6:56:39:8d:8a:2e:d1:9d:2a:85:c8:ed:
d3:ec:2a:ef
Generator (uncompressed):
04:aa:87:ca:22:be:8b:05:37:8e:b1:c7:1e:f3:20:
ad:74:6e:1d:3b:62:8b:a7:9b:98:59:f7:41:e0:82:
54:2a:38:55:02:f2:5d:bf:55:29:6c:3a:54:5e:38:
72:76:0a:b7:36:17:de:4a:96:26:2c:6f:5d:9e:98:
bf:92:92:dc:29:f8:f4:1d:bd:28:9a:14:7c:e9:da:
31:13:b5:f0:b8:c0:0a:60:b1:ce:1d:7e:81:9d:7a:
43:1d:7c:90:ea:0e:5f
Order:
00:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:c7:63:4d:81:f4:
37:2d:df:58:1a:0d:b2:48:b0:a7:7a:ec:ec:19:6a:
cc:c5:29:73
Cofactor: 1 (0x1)
Seed:
a3:35:92:6a:a3:19:a2:7a:1d:00:89:6a:67:73:a4:
82:7a:cd:ac:73
Attributes:
(none)
Requested Extensions:
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:65:02:30:33:bf:f4:4e:03:2f:56:13:4d:ea:c2:53:c6:32:
df:00:6a:64:7a:04:c1:a2:11:fa:a1:bb:b8:30:67:ba:a0:57:
ec:8b:ad:fa:a0:4c:53:f6:35:c9:31:06:33:17:38:09:02:31:
00:98:27:ac:85:59:3b:a2:58:3d:cf:3c:2a:bb:de:db:26:9d:
9a:f6:93:0c:2b:f4:c2:74:41:ae:f0:86:52:35:64:39:cf:46:
52:71:55:a6:2d:02:93:b1:9b:0b:e5:3f:46
This only occurs with imported keys. Keys generated on-device with ykman or yubico-piv-tool results in an ASN.1 OID in the public key.
ykman was used to generate the first CSR instead of yubico-piv-tool because the later fails to sign the request with the following error:
$ yubico-piv-tool -a request-certificate -s 9a -S '/CN=Test One/' -i pub.key
Failed signing request.
004302CF0B7F0000:error:06880006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:crypto/asn1/a_sign.c:284:
I'm not sure if this is related, but included it for completeness.
