Using gpgsm+scute with p11tool

Stuart Longland stuartl at
Mon Nov 8 05:45:53 CET 2021

Hi all,

I'm trying to get 2FA HTTP client authentication working with a YubiKey
5 hardware token at my workplace.

I currently already have the YubiKey working successfully with GnuPG
2.2 in OpenPGP mode for two-factor SSH authentication and git code
signing.  Aside from a few niggles (like not being able to use two
YubiKeys simultaneously, something GnuPG 2.3 should resolve if I can
get it working right), things have been pretty smooth.

I had `curl` working via OpenSC's PKCS#11 support, but this clashes
with GnuPG, one must re-plug the YubiKey after accessing it via OpenSC,
which gets annoying.  It's been suggested I look at `scute` instead.

The HTTP request I need to perform is this one:

I tried using Firefox, it can see the certificate presented by `scute`,
but it seems Vault isn't designed to authenticate clients that way as
best I can tell.

Using OpenSC PKCS#11, I can do something like this:

$ curl -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=<snip>;token=<snip>;id=%07;object=<snip>;type=cert' --insecure --data '{"name": "me"}'

I can see what tokens exist with `p11tool`:

$ p11tool --provider=/usr/lib64/pkcs11/ --list-tokens
Token 0:
        URL: pkcs11:model=<snip>;token=PIV_II
        Label: PIV_II
        Type: Hardware token
        Flags: RNG, Requires login
        Manufacturer: piv_II
        Model: <snip>
        Serial: <snip>

If I try doing the same with `scute`, I get nothing:

$ p11tool --provider=/usr/lib64/pkcs11/ --list-tokens

Consequently, I have no idea what hardware token URI to supply to
`curl` when authenticating.

Is there some trick needed to get `scute` to tell me what tokens are
present or how to find out what the URL of my private key is?

Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...'s backed up on a tape somewhere.

More information about the Gnupg-users mailing list