Using gpgsm+scute with p11tool
Stuart Longland
stuartl at longlandclan.id.au
Mon Nov 8 05:45:53 CET 2021
Hi all,
I'm trying to get 2FA HTTP client authentication working with a YubiKey
5 hardware token at my workplace.
I currently already have the YubiKey working successfully with GnuPG
2.2 in OpenPGP mode for two-factor SSH authentication and git code
signing. Aside from a few niggles (like not being able to use two
YubiKeys simultaneously, something GnuPG 2.3 should resolve if I can
get it working right), things have been pretty smooth.
I had `curl` working via OpenSC's PKCS#11 support, but this clashes
with GnuPG: one must re-plug the YubiKey after accessing it via OpenSC,
which gets annoying. It's been suggested I look at `scute` instead.
The HTTP request I need to perform is this one:
https://www.vaultproject.io/docs/auth/cert#via-the-api
I tried using Firefox; it can see the certificate presented by `scute`,
but it seems Vault isn't designed to authenticate clients that way, as
best I can tell.
Using OpenSC PKCS#11, I can do something like this:
$ curl -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=<snip>;token=<snip>;id=%07;object=<snip>;type=cert' --insecure --data '{"name": "me"}' https://tls.server.example.com:8200/v1/auth/cert/login
I can see what tokens exist with `p11tool`:
$ p11tool --provider=/usr/lib64/pkcs11/opensc-pkcs11.so --list-tokens
Token 0:
URL: pkcs11:model=<snip>;token=PIV_II
Label: PIV_II
Type: Hardware token
Flags: RNG, Requires login
Manufacturer: piv_II
Model: <snip>
Serial: <snip>
Module:
If I try doing the same with `scute`, I get nothing:
$ p11tool --provider=/usr/lib64/pkcs11/scute.so --list-tokens
Consequently, I have no idea what hardware token URI to supply to
`curl` when authenticating.
Is there some trick needed to get `scute` to tell me what tokens are
present or how to find out what the URL of my private key is?
Regards,
--
Stuart Longland (aka Redhatter, VK4MSL)
I haven't lost my mind...
...it's backed up on a tape somewhere.
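The `pkcs11:` URI handed to `curl -E` above follows RFC 7512: `;`-separated path attributes (`model`, `manufacturer`, `serial`, `token`, `id`, `object`, `type`), an optional `?`-query for things like `pin-value` or `module-path`, and percent-encoding for anything that is not an unreserved character. The small parser and builder below is an added example, not code from the original post, from GnuTLS or from scute; the token label, serial and object name it uses are constructed placeholders, not values from any real YubiKey. It shows why `id=%07` denotes the single byte 0x07 rather than the text "7", and why `PKCS#15 emulated` has to appear as `PKCS%2315%20emulated`.

```python
"""Parse and build RFC 7512 PKCS#11 URIs of the kind passed to `curl -E`.

Added example (not from the mailing-list post or from scute/GnuTLS).
"""
from urllib.parse import quote, unquote, unquote_to_bytes

# RFC 7512 defines "id" as an octet string, so it is decoded to raw bytes;
# every other path attribute is percent-decoded to text.
BINARY_PATH_ATTRS = {"id"}


def _split_attrs(part, separator):
    """Yield (name, encoded_value) pairs from a ';' or '&' separated list."""
    for item in part.split(separator):
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep or not name:
            raise ValueError(f"malformed attribute {item!r}")
        yield name, value


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) for a pkcs11: URI.

    Duplicate path attributes are rejected, as RFC 7512 section 2.3 requires
    for the standard attribute names.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")

    path = {}
    for name, value in _split_attrs(path_part, ";"):
        if name in path:
            raise ValueError(f"duplicate path attribute {name!r}")
        if name in BINARY_PATH_ATTRS:
            path[name] = unquote_to_bytes(value)
        else:
            path[name] = unquote(value)

    query = {name: unquote(value) for name, value in _split_attrs(query_part, "&")}
    return path, query


def _encode_attr(name, value):
    """Percent-encode one attribute; bytes values become %XX per octet."""
    if isinstance(value, bytes):
        return name + "=" + "".join("%%%02X" % b for b in value)
    # safe="" over-encodes a few characters RFC 7512 would allow verbatim,
    # which is still a valid URI and keeps ';', '?', '&' and '#' escaped.
    return name + "=" + quote(value, safe="")


def build_pkcs11_uri(path, query=None):
    """Build a pkcs11: URI from path attributes and optional query attributes."""
    uri = "pkcs11:" + ";".join(_encode_attr(k, v) for k, v in path.items())
    if query:
        uri += "?" + "&".join(_encode_attr(k, v) for k, v in query.items())
    return uri


# Constructed sample in the shape of the curl argument from the post; the
# serial, token label and object name are placeholders, not real values.
SAMPLE_URI = (
    "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=0000000000;"
    "token=PIV_II;id=%07;object=Certificate%20for%20PIV%20Authentication;type=cert"
)

if __name__ == "__main__":
    path_attrs, query_attrs = parse_pkcs11_uri(SAMPLE_URI)
    for key, val in path_attrs.items():
        print(f"{key:>12}: {val!r}")
    print("round trip ok:", parse_pkcs11_uri(build_pkcs11_uri(path_attrs)) == (path_attrs, {}))
```

Because `id` is binary, the `%07` in the post's command selects the PIV slot whose CKA_ID is the byte 0x07, which is why hand-editing such URIs as if they were plain text tends to produce a "no such object" result. A `pin-value=` query attribute is also part of the syntax, but it lands in shell history and `ps` output when used on a `curl` command line, so a `pin-source=` file or an interactive prompt is the safer way to supply the PIN.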
More information about the Gnupg-users
mailing list