clevis-encrypt-pkcs11 doesn't consider the ID in the pksc11 uri

[jeremycline]

Hi,

I'm playing around with Clevis to see if it meets my needs. In particular, I'm interested in requiring some combination of yubikeys and TPMs be available on a host to access a secret. I hit a few bumps trying out clevis-encrypt-pkcs11, however.

I'm testing with a Yubikey where I've already set up some keys in the PIV application. In the slot that corresponds to ID 1 I have an EC key, which from what I understand isn't expected to work with this, which is fine. I've got an RSA key in slot ID 19, but if I provide a URI to clevis-encrypt-pkcs11 that includes the ID I want it to use, it doesn't make use of it. It would be ideal if it parsed out the ID from the URI like it does for the module and slot.

Also, if I hardcode it to use slot 19 it encrypts fine (with a deprecation warning for rsautil from openssl 3), but passing it back to clevis decrypt fails without prompting for a PIN (I think this is #475). Is the expected workaround for this that I base64 decode the output, append pin-value=whatever to the URI, re-encode it, and then pass it on to clevis decrypt?

[sarroutbi]

Hello @jeremycline . Regarding ID detection ... please, take into account right now Clevis is using pkcs11-tool, and it seems this tool does not provide that information. I will have a look at OpenSC to check if this can be easily integrated.

For decryption, yes, you should use the pin-value=whatever until #475 is fixed. We have no PIN prompt right now integrated in the scripts (a PR is welcomed in case you need it in the short term)