Documentation
Index
Constants

    const (
        SlotAuthenticate  = Slot("9a")
        SlotSignature     = Slot("9c")
        SlotKeyManagement = Slot("9d")
        SlotKeyCardAuth   = Slot("9e")
    )
Slot represents the YubiKey card slot that is covered by the attestation.
    $ yubico-piv-tool -h
    9a is for PIV Authentication
    9c is for Digital Signature (PIN always checked)
    9d is for Key Management
    9e is for Card Authentication (PIN never checked)
    82-95 is for Retired Key Management
    f9 is for Attestation
Variables
This section is empty.
Functions
This section is empty.
Types
type Attestation

    type Attestation struct {
        // Slot is the key slot
        Slot Slot
        // Version of the YubiKey's firmware.
        Version Version
        // Serial is the YubiKey's serial number.
        Serial uint32
        // Formfactor indicates the physical type of the YubiKey.
        //
        // Formfactor may be empty Formfactor(0) for some YubiKeys.
        Formfactor Formfactor
        // PINPolicy set on the slot.
        PINPolicy PINPolicy
        // TouchPolicy set on the slot.
        TouchPolicy TouchPolicy
    }

Attestation carries the additional information a YubiKey attests about a key held in one of its slots.
func ParseAttestation

    func ParseAttestation(attestCert *x509.Certificate) (*Attestation, error)

ParseAttestation parses a YubiKey PIV attestation certificate and returns an Attestation. It only decodes the attributes carried in the certificate; VerifyAttestation is what checks the signature chain and applies a Policy.
func VerifyAttestation

    func VerifyAttestation(req VerificationRequest) (*Attestation, error)

VerifyAttestation verifies the signature chain of an attestation certificate and evaluates the attributes in the attestation against the rules in the request's Policy. If the certificate chain is valid and every policy rule is satisfied, the parsed Attestation is returned with a nil error. Otherwise an error is returned; for policy violations it can be type-asserted to VerificationErrors, an accumulator holding one error per violated rule, so a caller sees every violation at once rather than only the first. Use the comma-ok form of the assertion, since an error from the chain check itself need not be of that type.
type Formfactor

    type Formfactor int

Formfactor enumerates the physical forms a YubiKey can take: USB-A vs. USB-C (or USB-C with Lightning) and Keychain vs. Nano.

    const (
        FormfactorUnspecified Formfactor = iota
        FormfactorUSBAKeychain
        FormfactorUSBANano
        FormfactorUSBCKeychain
        FormfactorUSBCNano
        FormfactorUSBCLightningKeychain
    )

Formfactors recognized by this package.
func (Formfactor) MarshalJSON (added in v0.1.0)

    func (f Formfactor) MarshalJSON() ([]byte, error)

MarshalJSON encodes the value as the JSON string returned by String().

func (Formfactor) String

    func (f Formfactor) String() string
type PINPolicy

    type PINPolicy int
PINPolicy represents PIN requirements when signing or decrypting with an asymmetric key in a given slot.
PIN policies supported by this package.
BUG(ericchiang): Caching for PINPolicyOnce isn't supported on YubiKey versions older than 4.3.0 due to issues with verifying if a PIN is needed. If specified, a PIN will be required for every operation.
func (PINPolicy) MarshalJSON (added in v0.1.0)

MarshalJSON encodes the value as the JSON string returned by String().
type Policy

    type Policy struct {
        AllowedSlots         []Slot
        AllowedPINPolicies   []PINPolicy
        AllowedTouchPolicies []TouchPolicy
    }

Policy represents the set of contents a YubiKey PIV attestation certificate is allowed to have. An attestation passes only if its slot, PIN policy and touch policy each appear in the corresponding allowed list.
type TouchPolicy

    type TouchPolicy int

TouchPolicy represents proof-of-presence requirements when signing or decrypting with an asymmetric key in a given slot.

    const (
        TouchPolicyNever TouchPolicy = iota + 1
        TouchPolicyAlways
        TouchPolicyCached
    )

Touch policies supported by this package.

func (TouchPolicy) MarshalJSON (added in v0.1.0)

    func (t TouchPolicy) MarshalJSON() ([]byte, error)

MarshalJSON encodes the value as the JSON string returned by String().

func (TouchPolicy) String

    func (t TouchPolicy) String() string
type VerificationErrors

    type VerificationErrors []error

VerificationErrors holds the errors representing policy violations from a verification request.

func (VerificationErrors) Error

    func (ve VerificationErrors) Error() string

Error implements the error interface for VerificationErrors and returns a summary of the error messages. To inspect the individual errors, type-assert the err to VerificationErrors and iterate over the slice:

    errs, ok := err.(VerificationErrors) // ok is false for errors that are not policy violations
type VerificationRequest

    type VerificationRequest struct {
        AttestCert       *x509.Certificate
        AttestSignerCert *x509.Certificate
        Policy           Policy
    }

VerificationRequest contains a YubiKey attestation certificate (AttestCert, the attestation statement for one slot) together with the certificate of the attestation signer key that issued it (AttestSignerCert, read from slot f9), and the Policy to evaluate it against.

Both certificates can be exported with the `yubico-piv-tool` utility:

    # generate an attestation cert against the 9a slot:
    yubico-piv-tool --action=attest --slot=9a >piv-attest.pem

    # export the signer cert:
    yubico-piv-tool --action=read-certificate --slot=f9 >piv-attestation-signer.pem
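Worked example, added here and not part of this package (the page does not give its import path, so the types are re-declared locally with the same names and a simplified Policy whose allowed lists are sets). It forges a constructed root -> attestation signer (slot f9) -> slot attestation chain, verifies the two signatures, decodes the serial, PIN/touch policy and form-factor extensions as ParseAttestation does, and evaluates a Policy the way VerifyAttestation does, returning every violation in one VerificationErrors. Assumptions: the extension OIDs under Yubico's arc 1.3.6.1.4.1.41482.3 and their encodings follow Yubico's published attestation format; Ed25519 keys stand in for the RSA/ECDSA keys a real YubiKey uses; the firmware-version extension is left out; and the trust root is an explicit parameter, whereas the page's VerificationRequest carries only the two device certificates. That last point is the one to keep in mind when using the real package: an attestation signer that does not chain to Yubico's PIV attestation root proves nothing about where the key lives.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Yubico attestation extensions (arc 1.3.6.1.4.1.41482.3): serial is a DER INTEGER, policy 2 raw bytes (PIN, touch), form factor 1 raw byte.
var (
	oidSerial     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 41482, 3, 7}
	oidPolicy     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 41482, 3, 8}
	oidFormfactor = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 41482, 3, 9}
)

// Attestation mirrors the page's struct with the enums as ints (PIN: 1 never, 2 once, 3 always; touch: 1 never, 2 always, 3 cached).
type Attestation struct {
	Serial                             uint32
	PINPolicy, TouchPolicy, Formfactor int
}
type Policy struct{ AllowedPINPolicies, AllowedTouchPolicies map[int]bool } // the page's allowed lists, as sets
// VerificationErrors accumulates every policy violation, as on the page.
type VerificationErrors []error

func (ve VerificationErrors) Error() string { return fmt.Sprintf("policy violations: %v", []error(ve)) }

// parseAttestation decodes the extensions; an absent extension leaves its field 0 (the page notes Formfactor can be 0).
func parseAttestation(c *x509.Certificate) (*Attestation, error) {
	a := &Attestation{}
	for _, e := range c.Extensions {
		switch {
		case e.Id.Equal(oidSerial):
			var n int64
			if _, err := asn1.Unmarshal(e.Value, &n); err != nil {
				return nil, fmt.Errorf("serial extension: %w", err)
			}
			a.Serial = uint32(n)
		case e.Id.Equal(oidPolicy) && len(e.Value) == 2:
			a.PINPolicy, a.TouchPolicy = int(e.Value[0]), int(e.Value[1])
		case e.Id.Equal(oidFormfactor) && len(e.Value) == 1:
			a.Formfactor = int(e.Value[0])
		}
	}
	return a, nil
}

// verifyAttestation checks root -> signer (slot f9) -> attest by raw signature (a broken chain fails at once), then applies the policy, collecting every violation.
func verifyAttestation(attest, signer, root *x509.Certificate, p Policy) (*Attestation, error) {
	for _, l := range []struct{ parent, child *x509.Certificate }{{root, signer}, {signer, attest}} {
		if err := l.parent.CheckSignature(l.child.SignatureAlgorithm, l.child.RawTBSCertificate, l.child.Signature); err != nil {
			return nil, fmt.Errorf("%q not issued by %q: %w", l.child.Subject.CommonName, l.parent.Subject.CommonName, err)
		}
	}
	a, err := parseAttestation(attest)
	if err != nil {
		return nil, err
	}
	var errs VerificationErrors
	if !p.AllowedPINPolicies[a.PINPolicy] {
		errs = append(errs, fmt.Errorf("pin policy %d not allowed", a.PINPolicy))
	}
	if !p.AllowedTouchPolicies[a.TouchPolicy] {
		errs = append(errs, fmt.Errorf("touch policy %d not allowed", a.TouchPolicy))
	}
	if len(errs) > 0 {
		return nil, errs
	}
	return a, nil
}

// buildChain forges a throwaway root -> signer -> attestation chain carrying Yubico-style extensions: constructed test data standing in for the PEM files yubico-piv-tool exports.
func buildChain() (attest, signer, root *x509.Certificate) {
	issue := func(sn int64, cn string, ca bool, exts []pkix.Extension, parent *x509.Certificate, pub, priv any) *x509.Certificate {
		t := &x509.Certificate{SerialNumber: big.NewInt(sn), Subject: pkix.Name{CommonName: cn}, IsCA: ca, BasicConstraintsValid: ca,
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), ExtraExtensions: exts}
		if parent == nil {
			parent = t // self-signed root
		}
		der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, priv) // fixed inputs, cannot fail
		c, _ := x509.ParseCertificate(der)
		return c
	}
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	signerPub, signerKey, _ := ed25519.GenerateKey(rand.Reader)
	slotPub, _, _ := ed25519.GenerateKey(rand.Reader) // the slot's private key never leaves the YubiKey
	serialDER, _ := asn1.Marshal(int64(12345678))
	root = issue(1, "Constructed PIV Root", true, nil, nil, rootPub, rootKey)
	signer = issue(2, "Constructed Attestation Signer f9", true, nil, root, signerPub, rootKey)
	attest = issue(3, "YubiKey PIV Attestation 9a", false, []pkix.Extension{
		{Id: oidSerial, Value: serialDER},
		{Id: oidPolicy, Value: []byte{2, 2}},  // PIN once, touch always
		{Id: oidFormfactor, Value: []byte{1}}, // USB-A keychain
	}, signer, slotPub, signerKey)
	return attest, signer, root
}
```

The comma-ok assertion matters here: a chain failure comes back as a plain error, while policy failures come back as VerificationErrors with one entry per violated rule. With the constructed PIN-once/touch-always leaf, a policy that demands PIN-always and touch-cached yields two entries, and handing verifyAttestation the signer and root in swapped positions fails on the first signature check before any policy is evaluated.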