Note: This post was written while working through Ian’s cool tutorial: YubiKey — Code signing with a smart card
In this short hands-on session we show how to sign a file with a YubiKey smart card from Yubico.
Prerequisites
To work through this hands-on example you’ll need OpenSC installed on your computer. If you are working with OSX grab OpenSC-0.17.0.dmg from the OpenSC Wiki.
The YubiKey in Action
Let's create a digest of the plain message.txt file:
$ openssl dgst -sha256 -binary message.txt > message.txt.sha256
Instead of signing the original message.txt we sign the small digest message.txt.sha256 with the signing key from our YubiKey.
Let's check that only one YubiKey is present and that it matches our expected serial number (pipeline sh steps provided by Markus):
// Check if there is only one YubiKey plugged in
sh '[[ $(ykman list | wc -l) -eq 1 ]]'
// Check if the YubiKey serial number equals 4711
sh '[[ $(ykman list | grep "Serial: 4711" | wc -l) -eq 1 ]]'
Fine.
$ pkcs15-crypt --sign --input message.txt.sha256 --output message.txt.sha256.sig --signature-format openssl --sha-256 --pkcs1 --key 02
Using reader with a card: Yubico Yubikey 4 OTP+U2F+CCID
Enter PIN [PIV Card Holder pin]:
Note: You can use --pin <YOUR_PIN> to avoid entering the PIN manually via the keyboard.
Fine. We’ve got a signed digest. To verify the signature we use the public key of our signing key.
You can view the public key from the YubiKey certificate with pkcs15-tool --read-ssh-key 02 2> /dev/null, or save it directly in OpenSSH format with pkcs15-tool --read-ssh-key 02 > signing-key.pub.
For further processing we convert the public key to PKCS#8 PEM format:
$ ssh-keygen -f signing-key.pub -e -m pkcs8 > signing-key.pem
Once you have the public key in PEM format, it's easy to verify the signature with:
$ openssl dgst -sha256 -verify signing-key.pem -signature message.txt.sha256.sig message.txt
Verified OK
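The two checks above, the "exactly one YubiKey with the expected serial" test and the digest-sign-verify round trip, as one added shell script that is not part of the original post. The serial check is written with POSIX [ ] instead of bash-only [[ ]] (so it also works where sh is dash) and is exercised on constructed ykman list output, so no device is needed. The round trip uses a throw-away software RSA key as a stand-in for PIV slot 02 (an assumption, since no card is available offline): openssl pkeyutl -pkeyopt digest:sha256 produces the same PKCS#1 v1.5 signature over the SHA-256 DigestInfo that pkcs15-crypt --sha-256 --pkcs1 --signature-format openssl produces on the card, so openssl dgst -verify accepts either. The sample strings and file contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for the YubiKey
# signing workflow: a device/serial check and a software-key round trip.

# Constructed `ykman list` output used by the check below and by the tests.
SAMPLE_ONE_KEY='YubiKey 4 [OTP+U2F+CCID] Serial: 4711'
SAMPLE_TWO_KEYS='YubiKey 4 [OTP+U2F+CCID] Serial: 4711
YubiKey 5 NFC [OTP+FIDO+CCID] Serial: 9876543'

# Usage: check_single_yubikey EXPECTED_SERIAL [LISTING]
# Returns 0 only when the listing (default: live `ykman list`) contains exactly
# one device line and that line carries the expected serial number.
check_single_yubikey() {
  expected="$1"
  if [ $# -ge 2 ]; then
    listing="$2"
  else
    listing="$(ykman list 2>/dev/null)"
  fi
  # Count non-empty lines only, so a trailing newline is not a "device".
  count=$(printf '%s\n' "$listing" | grep -c .) || count=0
  [ "$count" -eq 1 ] || return 1
  # Anchor the serial so 4711 does not match 47110.
  printf '%s\n' "$listing" | grep -q -E "Serial: ${expected}([^0-9]|\$)"
}

# Usage: sign_and_verify_demo
# Prints the verification result for the intact file ("Verified OK") and
# returns 0 only if the intact file verifies and a tampered copy does not.
sign_and_verify_demo() {
  work=$(mktemp -d) || return 1
  printf 'hello yubikey\n' > "$work/message.txt"   # constructed message

  # Software RSA key standing in for the YubiKey PIV signing key (assumption).
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$work/signing-key.pem" 2>/dev/null || return 1
  openssl pkey -in "$work/signing-key.pem" -pubout \
    -out "$work/signing-key.pub.pem" || return 1

  # Step 1 (as in the post): hash the file, keep the raw 32-byte digest.
  openssl dgst -sha256 -binary "$work/message.txt" > "$work/message.txt.sha256"

  # Step 2: sign the digest. digest:sha256 wraps it in the SHA-256 DigestInfo
  # with PKCS#1 v1.5 padding, matching pkcs15-crypt --sha-256 --pkcs1.
  openssl pkeyutl -sign -inkey "$work/signing-key.pem" \
    -in "$work/message.txt.sha256" -out "$work/message.txt.sha256.sig" \
    -pkeyopt digest:sha256 || return 1

  # Step 3: verify against the ORIGINAL file with the public key, as in the post.
  ok=$(openssl dgst -sha256 -verify "$work/signing-key.pub.pem" \
        -signature "$work/message.txt.sha256.sig" "$work/message.txt" 2>&1) || true

  # Negative check: a single changed byte must break the signature.
  printf 'hello yubikex\n' > "$work/tampered.txt"
  bad=$(openssl dgst -sha256 -verify "$work/signing-key.pub.pem" \
        -signature "$work/message.txt.sha256.sig" "$work/tampered.txt" 2>&1) || true

  rm -rf "$work"
  printf '%s\n' "$ok"
  [ "$ok" = "Verified OK" ] && [ "$bad" != "Verified OK" ]
}

# Stand-alone run: `sh this-script.sh run` checks the constructed listing and
# then performs the software round trip.
if [ "${1:-}" = "run" ]; then
  check_single_yubikey 4711 "$SAMPLE_ONE_KEY" && echo "one YubiKey, serial 4711: ok"
  sign_and_verify_demo
fi
```

Calling check_single_yubikey 4711 without a second argument runs it against the live ykman list output, which is how it would be used in the pipeline step; the grep anchor is the one detail worth carrying over to the pipeline version, since the unanchored "Serial: 4711" also matches any longer serial that starts with those digits.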
Happy signing!