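#!/bin/bash
#
# Provisions a Yubikey Neo / Yubikey 4 with an authentication key (slot 9a),
# a signing key (slot 9c) and an encryption key (slot 9d). Public keys, CSRs
# and self-signed certificates land in the output directory. The encryption
# key is created on the host with openssl so that a passphrase-protected copy
# (encrypt.key) can be escrowed; it is then imported into slot 9d.
#
# Usage:  yubico-escrowed-encrypt-key.bash outdirectory /SUBJECT/LINE/HERE/
#
# Required env: ENCRYPT_PASSPHRASE  -- protects the escrowed private key
# Optional env: YUBI_PIN            -- currently set PIN for the yubikey
#               YUBI_MGMT_KEY       -- current management key for the yubikey
#               PKCS11_MODULE       -- PKCS#11 module used to export the auth
#                                      key in OpenSSH format
#                                      (default: /Library/OpenSC/lib/opensc-pkcs11.so)
#
# Exit status: 2 on usage error, 3 if the output directory is readable by
# group/other, 1 on any other failure (set -e / die).
set -e
set -u
set -o pipefail

# Prints a diagnostic to stderr and aborts.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Prints the usage text to stdout and exits 2.
usage() {
  cat <<EOF
Generates auth, sign, and encrypt keys in PIV slots 9a, 9c, and 9d
on a Yubikey Neo or Yubikey 4
Usage:
${0##*/} outdirectory /SUBJECT/LINE/HERE/
REQUIRED environment variable:
ENCRYPT_PASSPHRASE -- passphrase for protecting the encryption key
Optional environment variables:
YUBI_PIN -- currently set PIN for the yubikey
YUBI_MGMT_KEY -- current admin/management key for the yubikey
PKCS11_MODULE -- PKCS#11 module path for exporting the OpenSSH public key
Example subject line:
/C=US/ST=CA/L=Anytown/O=Company/OU=Unit/CN=Jane Doe/emailAddress=j@example.com/
WARNING: this stores a private key on your disk!
The following files are placed in the output directory:
auth.pubkey
auth.selfsign.crt
auth.ssh.pub -- OpenSSH format public key
auth.csr
sign.pubkey
sign.selfsign.crt
sign.csr
encrypt.key -- passphrase protected by env. var ENCRYPT_PASSPHRASE
encrypt.selfsign.crt -- contains public key as well
encrypt.csr
The certificates in *.selfsign.crt are onto the key. If you wish to
get your certs signed, you can use the *.csr files, and then reimport
them to the corresponding key slots.
For key escrow, save encrypt.key securely.
EOF
  exit 2
}

# Both arguments and a non-empty passphrase are mandatory.
if [[ $# != 2 ]] || [[ -z ${ENCRYPT_PASSPHRASE:+x} ]]; then
  usage
fi

readonly O=$1
readonly SUBJECT=$2
readonly PKCS11_MODULE=${PKCS11_MODULE:-/Library/OpenSC/lib/opensc-pkcs11.so}

# Credentials passed to every yubico-piv-tool call. An array (rather than a
# word-split string) keeps a PIN or management key containing whitespace
# intact. The messages deliberately name the variable, not its value.
piv_auth=()
if [[ -n ${YUBI_PIN:+x} ]]; then
  printf '%s\n' 'Using PIN from $YUBI_PIN...' >&2
  piv_auth+=(-P "$YUBI_PIN")
fi
if [[ -n ${YUBI_MGMT_KEY:+x} ]]; then
  printf '%s\n' 'Using admin key from $YUBI_MGMT_KEY...' >&2
  piv_auth+=(--key="$YUBI_MGMT_KEY")
fi

# Runs yubico-piv-tool with PIN verification plus the configured credentials.
# The ${arr[@]+"${arr[@]}"} form expands to nothing for an empty array without
# tripping 'set -u' on bash 3.2 (the macOS default shell).
# NOTE: the PIN and management key travel on argv and are therefore visible
# to other local users via ps(1) for the duration of each call.
piv() {
  yubico-piv-tool -a verify-pin ${piv_auth[@]+"${piv_auth[@]}"} "$@"
}

# Generates a key in PIV slot $1 and writes $O/$2.pubkey, $O/$2.csr and
# $O/$2.selfsign.crt, then loads the self-signed certificate into the slot.
generate_slot() {
  local slot=$1
  local name=$2
  piv -a generate -s "$slot" -o "$O/$name.pubkey"
  piv -a request-certificate -s "$slot" -o "$O/$name.csr" \
    -i "$O/$name.pubkey" -S "$SUBJECT"
  piv -a selfsign-certificate -s "$slot" -o "$O/$name.selfsign.crt" \
    -i "$O/$name.pubkey" -S "$SUBJECT"
  piv -a import-certificate -s "$slot" -i "$O/$name.selfsign.crt"
}

# Everything written below (including the escrowed private key) must be
# owner-only. umask covers new files; an already existing directory keeps its
# old mode, so its group/other bits are checked explicitly.
umask 077
mkdir -p -- "$O"
if ls -ld -- "$O" | cut -c 5-10 | grep -qe '[^-]'; then
  printf 'Directory %s has group and other permissions set\n' "$O" >&2
  exit 3
fi

printf '\nGENERATING authentication key\n'
generate_slot 9a auth
# ssh-keygen -D lists the public keys exposed by the PKCS#11 module; as in the
# original head -1 pipeline, the first line is taken as the slot 9a key
# (presumably the only key present on a freshly provisioned token). Capturing
# the output avoids a SIGPIPE from head(1) under pipefail.
ssh_keys=$(ssh-keygen -D "$PKCS11_MODULE" -e)
[[ -n $ssh_keys ]] || die "ssh-keygen -D $PKCS11_MODULE returned no public key"
printf '%s\n' "${ssh_keys%%$'\n'*}" > "$O/auth.ssh.pub"

printf '\nGENERATING signing key\n'
generate_slot 9c sign

printf '\nGENERATING encryption key\n'
# Generated off-token so encrypt.key can be escrowed. openssl reads the
# passphrase from the environment (env:), so it never appears on argv.
openssl req -out "$O/encrypt.csr" \
  -passout env:ENCRYPT_PASSPHRASE -keyout "$O/encrypt.key" \
  -new -newkey rsa:2048 -sha256 -subj "$SUBJECT" -keyform pem \
  -pubkey
# NOTE: yubico-piv-tool takes the key passphrase on the command line here,
# where it is visible via ps(1) while the import runs.
piv -a import-key -s 9d -i "$O/encrypt.key" -p "$ENCRYPT_PASSPHRASE"
piv -a selfsign-certificate -s 9d -S "$SUBJECT" -i "$O/encrypt.csr" \
  -o "$O/encrypt.selfsign.crt"
piv -a import-certificate -s 9d -i "$O/encrypt.selfsign.crt"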
### To sign these with a CA that has the key on the yubikey, do:
# brew install engine_pkcs11
# then in openssl interactive:
# engine dynamic -pre SO_PATH:/Users/cvaske/homebrew/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre NO_VCHECK:1 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/Library/OpenSC/lib/opensc-pkcs11.so -pre VERBOSE
# x509 -engine pkcs11 -CAkeyform engine -CAkey slot_1-id_2 -sha256 -CA sign.crt -req -passin pass:123456 -in encrypt.csr -out encrypt.crt -set_serial 1
# This is a weird bit here
# openssl pkcs12 -export -out encrypt.pfx -inkey encrypt.key -in encrypt.crt -certfile sign.crt
# LEARN THE GPG KEYS:
# echo providers opensc > ~/.gnupg/gnupg-pkcs11-scd.conf
# echo provider-opensc-library /Library/OpenSC/lib/opensc-pkcs11.so >> ~/.gnupg/gnupg-pkcs11-scd.conf
# echo SCD LEARN \
# | gpg-agent --server gpg-connect-agent 2>&1 \
# | grep KEY-FRIENDLY \
# | cut -f 3 -d' ' \
# | sed -e '1s/^/openpgp-auth /' -e '2s/^/openpgp-sign /' -e '3s/^/openpgp-encr /' \
# >> ~/.gnupg/gnupg-pkcs11-scd.conf
# echo emulate-openpgp >> ~/.gnupg/gnupg-pkcs11-scd.conf