Using Yubikey 5 with Cosign via PKCS#11 #4731
Hi,

```console
$ cosign pkcs11-tool list-tokens --module-path /path/to/lib/libykcs11.dylib
Listing tokens of PKCS11 module '/path/to/lib/libykcs11.dylib'
Token in slot 0
	Label: YubiKey PIV <Serial Number>
	Manufacturer: Yubico (www.yubico.com)
	Model: YubiKey YK5
```

But:

```console
$ cosign pkcs11-tool list-keys-uris --module-path /path/to/lib/libykcs11.dylib
Error: get token info: pkcs11: 0x3: CKR_SLOT_ID_INVALID
error during command execution: get token info: pkcs11: 0x3: CKR_SLOT_ID_INVALID
```

My private key is in slot

Cosign installation info:

```console
$ cosign version
  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    v3.0.5
GitCommit:     unknown
GitTreeState:  clean
BuildDate:     unknown
GoVersion:     go1.25.7
Compiler:      gc
Platform:      darwin/arm64
```

libykcs version: 2.7.3 (installed with yubico-piv-tool)
Replies: 1 comment 1 reply
Looks like the pkcs go library isn't initializing the session correctly if the slot is recalled.... (I'm not sure why that'd be the case). How I got around that is with the diff shown below, which I compiled into HEAD.

After that, I can use the cosign cli and `sign-blob` using the 9c PIV (ID=02 below):

```shell
export COSIGN_PKCS11_IGNORE_CERTIFICATE=1
export COSIGN_PKCS11_MODULE_PATH="/usr/lib/x86_64-linux-gnu/libykcs11.so"
export COSIGN_PKCS11_PIN="123456"
```

```console
$ cosign pkcs11-tool list-tokens
Listing tokens of PKCS11 module '/usr/lib/x86_64-linux-gnu/libykcs11.so'
Token in slot 0
	Label: YubiKey PIV #13981219
	Manufacturer: Yubico (www.yubico.com)
	Model: YubiKey YK5
	S/N: 13981219

$ cosign pkcs11-tool list-keys-uris --slot-id=0
Enter PIN for PKCS11 token 'YubiKey PIV #13981219':
Listing URIs of keys in slot '0' of PKCS11 module '/usr/lib/x86_64-linux-gnu/libykcs11.so'
Object 0
	Label: Private key for PIV Authentication
	ID: 01
	URI: pkcs11:token=YubiKey%20PIV%20%2313981219;slot-id=0;id=%01;object=Private%20key%20for%20PIV%20Authentication?module-path=/usr/lib/x86_64-linux-gnu/libykcs11.so&pin-value=123456
Object 1
	Label: Private key for Digital Signature
	ID: 02
	URI: pkcs11:token=YubiKey%20PIV%20%2313981219;slot-id=0;id=%02;object=Private%20key%20for%20Digital%20Signature?module-path=/usr/lib/x86_64-linux-gnu/libykcs11.so&pin-value=123456
Object 2
	Label: Private key for PIV Attestation
	ID: 19
	URI: pkcs11:token=YubiKey%20PIV%20%2313981219;slot-id=0;id=%19;object=Private%20key%20for%20PIV%20Attestation?module-path=/usr/lib/x86_64-linux-gnu/libykcs11.so&pin-value=123456
```

For me, the yubikey I had has the following:

```console
export PKCS_MODULE="/usr/lib/x86_64-linux-gnu/libykcs11.so"

$ pkcs11-tool --module $PKCS_MODULE --list-token-slots
Available slots:
Slot 0 (0x0): Yubico YubiKey OTP+FIDO+CCID 00 00
  token label        : YubiKey PIV #13981219
  token manufacturer : Yubico (www.yubico.com)
  token model        : YubiKey YK5
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 1.0
  firmware version   : 5.27
  serial num         : 13981219
  pin min/max        : 6/64
  uri                : pkcs11:model=YubiKey%20YK5;manufacturer=Yubico%20%28www.yubico.com%29;serial=13981219;token=YubiKey%20PIV%20%2313981219

$ pkcs11-tool --module $PKCS_MODULE --login --list-objects -y privkey
Using slot 0 with a present token (0x0)
Logging in to "YubiKey PIV #13981219".
Please enter User PIN:
Private Key Object; RSA
  label:      Private key for PIV Authentication
  ID:         01
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=YubiKey%20YK5;manufacturer=Yubico%20%28www.yubico.com%29;serial=13981219;token=YubiKey%20PIV%20%2313981219;id=%01;object=Private%20key%20for%20PIV%20Authentication;type=private
Private Key Object; RSA
  label:      Private key for Digital Signature
  ID:         02
  Usage:      decrypt, sign
  Access:     always authenticate, sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=YubiKey%20YK5;manufacturer=Yubico%20%28www.yubico.com%29;serial=13981219;token=YubiKey%20PIV%20%2313981219;id=%02;object=Private%20key%20for%20Digital%20Signature;type=private
Private Key Object; RSA
  label:      Private key for PIV Attestation
  ID:         19
  Usage:      none
  Access:     sensitive, always sensitive, never extractable
  uri:        pkcs11:model=YubiKey%20YK5;manufacturer=Yubico%20%28www.yubico.com%29;serial=13981219;token=YubiKey%20PIV%20%2313981219;id=%19;object=Private%20key%20for%20PIV%20Attestation;type=private
```

So to

```shell
export PKCS11_PRIVATE_KEY="pkcs11:model=YubiKey%20YK5;manufacturer=Yubico%20%28www.yubico.com%29;serial=13981219;slot-id=0;token=YubiKey%20PIV%20%2313981219;id=%02;object=Private%20key%20for%20Digital%20Signature;type=private?pin-value=123456&module-path=/usr/lib/x86_64-linux-gnu/libykcs11.so"
cosign sign-blob --key "$PKCS11_PRIVATE_KEY" --bundle /tmp/artifact.sigstore.json /tmp/message.txt
```

If you really want to debug this, you can start with the standalone sample here and work backwards to why cosign isn't working:

```go
// p is the PKCS#11 context (cosign uses github.com/miekg/pkcs11);
// enumerate the slots before touching a slot ID.
_, err = p.GetSlotList(true)
if err != nil {
	fmt.Println(err)
	return 1
}
```

```shell
export PKCS11_URI="pkcs11:model=YubiKey%20YK5;manufacturer=Yubico%20%28www.yubico.com%29;serial=13981219;slot-id=0;token=YubiKey%20PIV%20%2313981219;id=02;object=Private%20key%20for%20Digital%20Signature;type=private?pin-value=123456&module-path=/usr/lib/x86_64-linux-gnu/libykcs11.so"
go run main.go $PKCS11_URI
```

Some more references in case you want to try using

diff --git a/cmd/cosign/cli/pkcs11cli/commands.go b/cmd/cosign/cli/pkcs11cli/commands.go
index 59cd5ea8..0a69764f 100644
--- a/cmd/cosign/cli/pkcs11cli/commands.go
+++ b/cmd/cosign/cli/pkcs11cli/commands.go
@@ -98,6 +98,11 @@ func GetKeysInfo(_ context.Context, modulePath string, slotID uint, pin string)
defer ctx.Destroy()
defer ctx.Finalize()
+ _, err = ctx.GetSlotList(true)
+ if err != nil {
+ return nil, fmt.Errorf("error getting slotlist %w", err)
+ }
+
// Get token Info.
var tokenInfo pkcs11.TokenInfo
tokenInfo, err = ctx.GetTokenInfo(uint(slotID))
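Review bot: the slot list returned by `ctx.GetSlotList(true)` is discarded, so the new call only works through its side effect on the module, and nothing in the hunk says why it is there. Use the result instead: check that `slotID` is among the returned slots and fail with a message listing the available slots, which documents the reason for the call and replaces the opaque `CKR_SLOT_ID_INVALID` from `GetTokenInfo` that the reporter hit. The error string `"error getting slotlist %w"` is also missing a separator before `%w`; the file's existing style is `"get token info: ..."`, so `"get slot list: %w"` would match it.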
diff --git a/pkg/cosign/pkcs11key/pkcs11key.go b/pkg/cosign/pkcs11key/pkcs11key.go
index 50dfb1ed..c37403ad 100644
--- a/pkg/cosign/pkcs11key/pkcs11key.go
+++ b/pkg/cosign/pkcs11key/pkcs11key.go
@@ -187,6 +187,9 @@ func GetKeyWithURIConfig(config *Pkcs11UriConfig, askForPinIfNeeded bool) (*Key,
cert, _ = ctx.FindCertificate(nil, config.KeyLabel, nil)
}
}
+ if err != nil {
+ return nil, err
+ }
return &Key{ctx: ctx, signer: signer, cert: cert}, nil
}
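Review bot: the `err` tested by the added `if err != nil` block is not produced by the certificate lookup just above it, which discards its error with `cert, _ = ctx.FindCertificate(...)`; the value checked is whatever the last assignment to `err` before this hunk left behind, which is not visible here, so the block can either never fire or return a stale error after a successful lookup. Either check the `FindCertificate` error explicitly (and only when `COSIGN_PKCS11_IGNORE_CERTIFICATE` is not set) or drop the block, and if an early return stays, close `ctx` before returning so the opened session is not leaked.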
@@ -265,9 +268,10 @@ func (k *Key) SignerVerifier() (signature.SignerVerifier, error) {
}
func (k *Key) Close() {
- k.ctx.Close()
+ fmt.Println(">>>>>>> close called")
+ // k.ctx.Close()
- k.signer = nil
- k.cert = nil
- k.ctx = nil
+ // k.signer = nil
+ // k.cert = nil
+ // k.ctx = nil
}
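Review bot: commenting out `k.ctx.Close()` and the three nil assignments means the PKCS#11 context is never closed and the module never finalized, and the `fmt.Println(">>>>>>> close called")` is debug output; this disables cleanup rather than fixing whatever made `Close()` run too early. If `Close()` is being reached before the signature is produced, move the call to after signing completes and keep the body as it was; at minimum restore `k.ctx.Close()` and the nil-ing and remove the Println before this goes anywhere near a merge.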
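The URIs in this thread are assembled by hand, and the thread itself shows the two things that go wrong with them: the reply's `PKCS11_URI` export writes `id=02` while every URI the tools printed writes `id=%02` (RFC 7512 defines `id` as percent-encoded bytes, so the two are different identifiers), and each URI carries `pin-value=123456`, which puts the PIN into shell history and process listings. The Go program below is an added example, not cosign's code and not the reply's `main.go`: it builds a cosign-style PKCS#11 URI with correct percent-encoding, parses one back, and flags both mistakes. The function names and warning texts are this example's own; the token label, key IDs and module path are taken from the thread, and the environment variable names it mentions are the ones the reply uses.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// escape percent-encodes every byte except RFC 3986 unreserved characters and
// those listed in keep, the conservative form that pkcs11-tool and cosign print.
func escape(s, keep string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		if c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c >= '0' && c <= '9' || strings.IndexByte("-._~"+keep, c) >= 0 {
			b.WriteByte(c)
		} else {
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// BuildPkcs11URI assembles the form cosign's list-keys-uris prints: token,
// slot-id, CKA_ID bytes and object label in the path, module-path (and, only
// if you insist, the PIN) in the query. Example-specific name, not a cosign API.
func BuildPkcs11URI(token string, slotID int, keyID []byte, label, modulePath, pin string) string {
	p := []string{"token=" + escape(token, ""), "slot-id=" + strconv.Itoa(slotID)}
	if len(keyID) > 0 { // every ID byte is %XX-encoded, printable or not: {0x02} -> id=%02
		p = append(p, "id=%"+strings.ReplaceAll(fmt.Sprintf("% X", keyID), " ", "%"))
	}
	if label != "" {
		p = append(p, "object="+escape(label, ""))
	}
	s := "pkcs11:" + strings.Join(p, ";") + "?module-path=" + escape(modulePath, "/")
	if pin != "" {
		s += "&pin-value=" + escape(pin, "")
	}
	return s
}

// ParsePkcs11URI returns the decoded attributes of an RFC 7512 URI. Path (';')
// and query ('&') attributes land in one map; values are decoded with
// PathUnescape so a literal '+' stays '+' and id=%02 becomes the byte 0x02.
func ParsePkcs11URI(s string) (map[string]string, error) {
	if !strings.HasPrefix(s, "pkcs11:") {
		return nil, fmt.Errorf("%q is not a pkcs11: URI", s)
	}
	attrs := map[string]string{}
	path, query, _ := strings.Cut(strings.TrimPrefix(s, "pkcs11:"), "?")
	for _, kv := range append(strings.Split(path, ";"), strings.Split(query, "&")...) {
		if kv == "" {
			continue
		}
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return nil, fmt.Errorf("malformed attribute %q", kv)
		}
		dv, err := url.PathUnescape(v)
		if err != nil {
			return nil, fmt.Errorf("attribute %s: %w", k, err)
		}
		attrs[k] = dv
	}
	return attrs, nil
}

// Warnings flags the mistakes hand-written cosign URIs commonly carry.
func Warnings(attrs map[string]string) []string {
	var w []string
	isHex := func(c byte) bool { return strings.IndexByte("0123456789abcdefABCDEF", c) >= 0 }
	if id := attrs["id"]; len(id) == 2 && isHex(id[0]) && isHex(id[1]) {
		w = append(w, fmt.Sprintf("id=%s decodes to the two ASCII bytes %X, not the one-byte ID %%%s; percent-encode it", id, id, id))
	}
	if _, ok := attrs["pin-value"]; ok {
		w = append(w, "pin-value is embedded in the URI and leaks through shell history, ps and logs; use COSIGN_PKCS11_PIN or the interactive prompt")
	}
	if _, ok := attrs["module-path"]; !ok {
		w = append(w, "no module-path in the URI; cosign then needs COSIGN_PKCS11_MODULE_PATH")
	}
	return w
}

func main() {
	// Constructed input reproducing the unescaped id= form of the reply's PKCS11_URI export.
	attrs, err := ParsePkcs11URI("pkcs11:token=YubiKey%20PIV%20%2313981219;slot-id=0;id=02;object=Private%20key%20for%20Digital%20Signature?pin-value=123456&module-path=/usr/lib/x86_64-linux-gnu/libykcs11.so")
	if err != nil {
		panic(err)
	}
	for _, msg := range Warnings(attrs) {
		fmt.Println("warning:", msg)
	}
	// The same slot 9c key written correctly, with the PIN left to the prompt.
	fmt.Println(BuildPkcs11URI("YubiKey PIV #13981219", 0, []byte{0x02}, "Private key for Digital Signature", "/usr/lib/x86_64-linux-gnu/libykcs11.so", ""))
}
```

The builder deliberately percent-encodes `(`, `)`, `#` and spaces even where RFC 7512 would allow some of them bare, because that is the form `pkcs11-tool` and `cosign pkcs11-tool list-keys-uris` emit on this page, and a URI that round-trips byte for byte through both tools is the easiest one to diff against. Leave `pin` empty and let cosign prompt, or set `COSIGN_PKCS11_PIN` in the environment of the one process that signs, rather than baking it into a URI that ends up in shell history.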