Private keys in smart-card storage

[gdamjan]

Investigate the possibility of storing the private keys in a smart-card. sbsign doesn't support that for now.

Do we need all of the private keys in a smart-card or the PK.key is enough?

[KenMacD]

Personally I'd be most interested in storing the db.cert alone in a smart-card (yubikey). The others I can keep offline, but the db key will be needed every time I upgrade, so is at the highest risk of being stolen.

I plan to try it in slot 9c on my Yubikey, and then maybe use pesign to sign the .efi.

I suppose the other keys could go in the other slots, or separate smart-cards.

[gdamjan]

you are correct regarding db.key

about pesign, when I tried it, it wouldn't sign properly, I might revisit it.

[xdev-x]

I'm very interested by this. @KenMacD , did your plan was a success ?

[KenMacD]

@davidelbaze I didn't end up trying it after @gdamjan said it didn't work for him. If you get it working thought please let me know.

[gdamjan]

I have version 0.9.2-1 of sbsigntools (on Arch), and sbsign has a --engine option now:

       --engine <eng>
              use the specified engine to load the key

so I guess now it should support having the key in a smart-card (like) device such as a yubikey.

seems that yubico have information how to setup openssl (and other openssl based apps) to use an engine:
https://developers.yubico.com/PIV/Guides/Certificate_authority.html

someone should test this.

[xdev-x]

I'll give it a try. Le lun. 26 août 2019 à 20:12, Дамјан Георгиевски <notifications@github.com> a écrit :

…

I have version 0.9.2-1 of sbsigntools now (on Arch), and sbsign has a --engine option now: --engine <eng> use the specified engine to load the key so I guess now it should support having the key in a smart-card (like) device such as a yubikey. seems that yubico have information how to setup openssl (and other openssl based apps) to use an engine: https://developers.yubico.com/PIV/Guides/Certificate_authority.html someone should test this. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#5?email_source=notifications&email_token=AAXCZQNVTZKYSFRHBGAQSD3QGQMIRA5CNFSM4EIZBBCKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD5FF55I#issuecomment-524967669>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAXCZQOC4UOCEPKTHM4S76DQGQMIRANCNFSM4EIZBBCA> .

[osresearch]

This worked for me with a yubikey:

sbsign \
  --engine pkcs11 \
  --key 'pkcs11:manufacturer=piv_II;id=%02' \
  --cert cert.pem  \
  --output bzImage.signed.efi \
  bzImage

However, the PIN has to be input twice (once to "login" to the card and once to unlock the signing key) and there appears to be a bug in sbsign related to freeing the engine too early:

diff --git a/src/fileio.c b/src/fileio.c
index 032eb1e..1588057 100644
--- a/src/fileio.c
+++ b/src/fileio.c
@@ -90,7 +90,7 @@ EVP_PKEY *fileio_read_engine_key(const char *engine, const char *filename)
 	}
 
 	pkey = ENGINE_load_private_key(e, filename, ui, NULL);
-	ENGINE_finish(e);
+	//ENGINE_finish(e);
 
  out_free:
 	ENGINE_free(e);

[gdamjan]

great input @osresearch

what does exactly 'pkcs11:manufacturer=piv_II;id=%02' mean?

[osresearch]

It is a "PKCS#11 URI format defined in RFC7512", according to the error messages if it is not specified correctly. searching for that turned up OpenSC/libp11#104 (comment) and I remembered reading somewhere that key slot 0x9c was 0x02 according to other tools, so I tried some different things until it worked...

The full workflow for creating the key in slot 9c ("9c is for Digital Signature (PIN always checked)" according to yubico-piv-tool) and the final cert.crt x509 DER file is suitable for enrolling in the UEFI PK/KEK/DB:

yubico-piv-tool -s 9c -a generate -o pubkey.pem # will take a while and overwrite any existing private keys
yubico-piv-tool -s 9c -a verify-pin -a selfsign-certificate -S '/CN=test/OU=test/O=example.com/' -i pubkey.pem -o cert.pem
yubico-piv-tool -s 9c -a import-certificate -i cert.pem
openssl x509 -outform der -in cert.pem -out cert.crt