[Pcsclite-muscle] Directly using RSA key of a smartcard
David Woodhouse
dwmw2 at infradead.org
Fri Jun 23 04:57:08 PDT 2023
On Wed, 2023-06-21 at 13:08 -0400, Michael Conrad wrote:
>
> Thanks, and if you want some stackexchange credit I have the question at
>
> https://unix.stackexchange.com/questions/749431/is-there-a-tool-that-can-perform-direct-rsa-decryption-with-a-yubikey

I've just spotted from the preamble on your StackExchange question that
what you asked about here isn't what you want to do at all :)

> The use case I'm looking for is that I walk up to a headless server
> and "unlock" it using a hardware key, where scripts on the server
> recognize that I've plugged it in and automatically use it without a
> pin or password or additional factors.

I think you want http://opensc.github.io/pam_pkcs11/doc/pam_pkcs11.html

Make your own CA for pam_pkcs11 to trust. Generate a key on the Yubikey
and a corresponding cert signed with your CA. Configure pam_pkcs11
accordingly.

For examples of how to do some of those things, you can crib from
https://gitlab.com/openconnect/openconnect/-/blob/v9.12/tests/Makefile.am

I found it easier to generate a key in software, issue the
corresponding certificate, and import them both into the Yubikey. When
I created the key in the Yubikey and then tried to generate a CSR from
it, strange things happened.
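
The CA and certificate steps suggested in the message above, as an added example that is not part of the original post or of pam_pkcs11's documentation: it builds a private CA, generates a user key in software, issues the certificate, and checks that the pair is consistent before it is imported. The CA name, the user name `alice` and the file layout are assumptions; importing into the token and configuring pam_pkcs11 are not shown.

```bash
#!/usr/bin/env bash
# Added example. Names (Example Login CA, alice) and file layout are constructed.
set -eu

make_ca() {            # $1 = working directory
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Login CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$1/ca.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_user_cert() {    # $1 = working directory, $2 = user name
  # Key is generated in software, then certified by the private CA.
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -config "$1/ca.cnf" -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr"
  printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature' \
    'extendedKeyUsage=clientAuth' > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

check_pair() {         # $1 = working directory, $2 = user name
  # Pass only if the certificate chains to the CA and carries the key's public half.
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$1/$2.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$1/$2.key" -pubout)" ]
}

demo_dir=$(mktemp -d)
make_ca "$demo_dir"
issue_user_cert "$demo_dir" alice
check_pair "$demo_dir" alice && echo "alice.key and alice.crt are ready to import"
rm -rf "$demo_dir"
```

Running `check_pair` before the import catches a certificate issued for the wrong key or by the wrong CA while both files are still on disk.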