piv

package v0.2.10 (not the latest version of its module)

Published: Mar 6, 2024 License: Apache-2.0 Imports: 7 Imported by: 0

Documentation

Constants

const (
	SlotAuthenticate  = Slot("9a")
	SlotSignature     = Slot("9c")
	SlotKeyManagement = Slot("9d")
	SlotKeyCardAuth   = Slot("9e")
)

Slot represents the YubiKey card slot that is covered by the attestation.

$ yubico-piv-tool -h
  9a is for PIV Authentication
  9c is for Digital Signature (PIN always checked)
  9d is for Key Management
  9e is for Card Authentication (PIN never checked)
  82-95 is for Retired Key Management
  f9 is for Attestation

Variables

This section is empty.

Functions

This section is empty.

Types

type Attestation

type Attestation struct {
	// Slot is the key slot
	Slot Slot

	// Version of the YubiKey's firmware.
	Version Version

	// Serial is the YubiKey's serial number.
	Serial uint32

	// Formfactor indicates the physical type of the YubiKey.
	//
	// Formfactor may be empty Formfactor(0) for some YubiKeys.
	Formfactor Formfactor

	// PINPolicy set on the slot.
	PINPolicy PINPolicy

	// TouchPolicy set on the slot.
	TouchPolicy TouchPolicy
}

Attestation holds the information a YubiKey PIV attestation certificate carries about the key it attests to be on the card: which slot holds it, the device's firmware version, serial number and form factor, and the PIN and touch policies set on that slot.

func ParseAttestation

func ParseAttestation(attestCert *x509.Certificate) (*Attestation, error)

ParseAttestation parses a YubiKey PIV attestation certificate and returns an Attestation.

func VerifyAttestation

func VerifyAttestation(req VerificationRequest) (*Attestation, error)

VerifyAttestation verifies the signature chain of an attestation cert (AttestCert must be signed by AttestSignerCert) and evaluates the attributes in the attestation against the rules in Policy. If the cert chain is valid and every policy rule is satisfied, the parsed Attestation and a nil error are returned. Otherwise an error is returned that may be type-asserted to VerificationErrors, an accumulator holding a slice of one or more errors, one per policy violation.

type Formfactor

type Formfactor int

Formfactor enumerates the physical forms a key can take: the connector (USB-A, USB-C, or USB-C/Lightning) and the size (Keychain vs. Nano).

const (
	FormfactorUnspecified Formfactor = iota
	FormfactorUSBAKeychain
	FormfactorUSBANano
	FormfactorUSBCKeychain
	FormfactorUSBCNano
	FormfactorUSBCLightningKeychain
)

Formfactors recognized by this package.

func (Formfactor) MarshalJSON added in v0.1.0

func (f Formfactor) MarshalJSON() ([]byte, error)

MarshalJSON encodes value into String().

func (Formfactor) String

func (f Formfactor) String() string

type PINPolicy

type PINPolicy int

PINPolicy represents PIN requirements when signing or decrypting with an asymmetric key in a given slot.

const (
	PINPolicyNever PINPolicy = iota + 1
	PINPolicyOnce
	PINPolicyAlways
)

PIN policies supported by this package.

BUG(ericchiang): Caching for PINPolicyOnce isn't supported on YubiKey versions older than 4.3.0 due to issues with verifying if a PIN is needed. If specified, a PIN will be required for every operation.

func (PINPolicy) MarshalJSON added in v0.1.0

func (p PINPolicy) MarshalJSON() ([]byte, error)

MarshalJSON encodes value into String().

func (PINPolicy) String

func (p PINPolicy) String() string

type Policy

type Policy struct {
	AllowedSlots         []Slot
	AllowedPINPolicies   []PINPolicy
	AllowedTouchPolicies []TouchPolicy
}

Policy represents a set of allowed contents of a YubiKey PIV attestation certificate.

type Slot

type Slot string

type TouchPolicy

type TouchPolicy int

TouchPolicy represents proof-of-presence requirements when signing or decrypting with an asymmetric key in a given slot.

const (
	TouchPolicyNever TouchPolicy = iota + 1
	TouchPolicyAlways
	TouchPolicyCached
)

Touch policies supported by this package.

func (TouchPolicy) MarshalJSON added in v0.1.0

func (t TouchPolicy) MarshalJSON() ([]byte, error)

MarshalJSON encodes value into String().

func (TouchPolicy) String

func (t TouchPolicy) String() string

type VerificationErrors

type VerificationErrors []error

VerificationErrors holds errors representing policy violations from a verification request.

func (VerificationErrors) Error

func (ve VerificationErrors) Error() string

Error implements the error interface for VerificationErrors and returns a summary of the error messages. To inspect the individual errors, type-assert err to VerificationErrors and iterate over the slice:

errs, ok := err.(VerificationErrors) // ok is false when err is not a policy-violation accumulator

type VerificationRequest

type VerificationRequest struct {
	AttestCert       *x509.Certificate
	AttestSignerCert *x509.Certificate
	Policy           Policy
}

VerificationRequest contains a YubiKey attestation certificate (AttestCert), the attestation signer certificate from slot f9 that signed it (AttestSignerCert), and the Policy its attributes are evaluated against.

Attestation (AttestCert) certs can be generated with the `yubico-piv-tool` utility:

# generate an attestation cert against the 9a slot:
 yubico-piv-tool --action=attest --slot=9a >piv-attest.pem

# export the signer cert:
 yubico-piv-tool --action=read-certificate --slot=f9 >piv-attestation-signer.pem
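As an added example, not the package's own code, the following self-contained Go program re-implements the two steps the page documents, ParseAttestation and VerifyAttestation, against constructed certificates so that it runs without a YubiKey. It reads the slot from the attestation cert's subject CN and the serial number and PIN/touch policies from Yubico's attestation extensions (OIDs 1.3.6.1.4.1.41482.3.7 and 1.3.6.1.4.1.41482.3.8, per Yubico's PIV attestation documentation; the firmware-version and form-factor extensions are left out), checks that the attestation cert is signed by the signer cert before trusting any of those fields, and then accumulates every violated rule into a VerificationErrors-style value instead of stopping at the first. The function and type names (parseAttestation, verifyAttestation, makeCerts, the map-based policy), the Ed25519 fixture keys and the serial 12345678 are this example's own assumptions, not the package's API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Yubico's PIV attestation extension OIDs (from Yubico's attestation documentation);
// the policy byte values use the same numbering as the package's PINPolicy*/TouchPolicy* constants.
var oidSerial = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 41482, 3, 7}   // DER INTEGER
var oidPolicies = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 41482, 3, 8} // two raw bytes: PIN policy, touch policy
const pinNever, pinOnce, pinAlways, touchNever, touchAlways, touchCached = 1, 2, 3, 1, 2, 3

type attestation struct {
	Slot                   string
	Serial                 uint32
	PINPolicy, TouchPolicy int
}

// policy keeps the allowed values as sets so each rule is a one-line lookup.
type policy struct {
	AllowedSlots         map[string]bool
	AllowedPINPolicies   map[int]bool
	AllowedTouchPolicies map[int]bool
}

// verificationErrors accumulates every violated rule; Error converts to []error so %v prints the elements instead of recursing.
type verificationErrors []error
func (ve verificationErrors) Error() string { return fmt.Sprintf("%d policy violation(s): %v", len(ve), []error(ve)) }

// parseAttestation takes the slot from the subject CN and the attributes from the extensions.
func parseAttestation(c *x509.Certificate) (*attestation, error) {
	const prefix = "YubiKey PIV Attestation "
	if !strings.HasPrefix(c.Subject.CommonName, prefix) {
		return nil, fmt.Errorf("unexpected attestation subject %q", c.Subject.CommonName)
	}
	a := &attestation{Slot: strings.TrimPrefix(c.Subject.CommonName, prefix)}
	for _, e := range c.Extensions {
		if e.Id.Equal(oidPolicies) && len(e.Value) == 2 {
			a.PINPolicy, a.TouchPolicy = int(e.Value[0]), int(e.Value[1])
		} else if e.Id.Equal(oidSerial) {
			var n int64
			if _, err := asn1.Unmarshal(e.Value, &n); err != nil {
				return nil, fmt.Errorf("serial extension: %w", err)
			}
			a.Serial = uint32(n)
		}
	}
	return a, nil
}

// verifyAttestation checks the signature chain before trusting any extension, then evaluates every rule and reports all violations together.
func verifyAttestation(attest, signer *x509.Certificate, p policy) (*attestation, error) {
	if err := attest.CheckSignatureFrom(signer); err != nil {
		return nil, fmt.Errorf("attestation cert not signed by attestation signer: %w", err)
	}
	a, err := parseAttestation(attest)
	if err != nil {
		return nil, err
	}
	var errs verificationErrors
	check := func(ok bool, what string) {
		if !ok {
			errs = append(errs, fmt.Errorf("%s not allowed by policy", what))
		}
	}
	check(p.AllowedSlots[a.Slot], "slot "+a.Slot)
	check(p.AllowedPINPolicies[a.PINPolicy], fmt.Sprint("PIN policy ", a.PINPolicy))
	check(p.AllowedTouchPolicies[a.TouchPolicy], fmt.Sprint("touch policy ", a.TouchPolicy))
	if len(errs) > 0 {
		return a, errs
	}
	return a, nil // not "return a, errs": a nil slice boxed as an error is a non-nil error
}

// makeCerts fabricates a signer cert (stand-in for the slot f9 cert) and an attestation cert for slot with the Yubico extensions; constructed fixture with Ed25519 keys, no YubiKey involved.
func makeCerts(slot string, pin, touch byte) (attest, signer *x509.Certificate) {
	signerPub, signerPriv, _ := ed25519.GenerateKey(rand.Reader)
	slotPub, _, _ := ed25519.GenerateKey(rand.Reader)
	signerTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	signerDER, _ := x509.CreateCertificate(rand.Reader, signerTmpl, signerTmpl, signerPub, signerPriv)
	signer, _ = x509.ParseCertificate(signerDER)
	serialDER, _ := asn1.Marshal(int64(12345678)) // constructed serial number
	attestTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		Subject:         pkix.Name{CommonName: "YubiKey PIV Attestation " + slot},
		ExtraExtensions: []pkix.Extension{{Id: oidSerial, Value: serialDER}, {Id: oidPolicies, Value: []byte{pin, touch}}}}
	attestDER, _ := x509.CreateCertificate(rand.Reader, attestTmpl, signer, slotPub, signerPriv)
	attest, _ = x509.ParseCertificate(attestDER)
	return attest, signer
}
```

To run it against real certificates, decode the two PEM files produced above with encoding/pem and x509.ParseCertificate and pass them to verifyAttestation in place of the fixture from makeCerts; a key in slot 9e with PINPolicyNever and TouchPolicyNever checked against a policy that allows only 9a/9c, PINPolicyOnce/Always and TouchPolicyAlways/Cached yields three violations, which are enumerated by type-asserting the error to the accumulator type, exactly as VerificationErrors is meant to be used. Note that neither this example nor VerificationRequest carries a trust anchor: confirming that the f9 signer certificate itself chains to Yubico's PIV attestation root CA is the caller's job, and without it the attributes say nothing about whether the key lives on a genuine YubiKey.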

type Version

type Version struct {
	Major int
	Minor int
	Patch int
}

Version encodes a major, minor, and patch version.
