README
¶
go-openpgp-card: A Go Implementation of the OpenPGP Smart Card application
go-openpgp-card is a Go package providing an interface to the OpenPGP application on ISO Smart Card Operating Systems.
Features
go-openpgp-card implements the Functional Specification of the OpenPGP application in Version v3.4.1.
-
Supported commands:
- 7.2.1
SELECT - 7.2.2
VERIFY - 7.2.3
CHANGE REFERENCE DATA - 7.2.4
RESET RETRY COUNTER - 7.2.5
SELECT DATA - 7.2.6
GET DATA- Application related
- Security Support Template
- Private data
- Cardholder related
- Password status
- Login data
- Public key URL
- Cardholder certificates
- User interaction flag
- 7.2.7
GET NEXT DATA - 7.2.8
PUT DATA- Resetting Code
- Name
- Language
- Sex
- Public Key URL
- Login data
- Private data
- User interaction flag
- Key Import
- RSA
- EC
- 7.2.9
GET RESPONSE - 7.2.10
PSO: COMPUTE DIGITAL SIGNATURE- RSA
- ECDSA
- Attestation
- 7.2.11
PSO: DECIPHER- AES
- RSA
- ECDH
- 7.2.12
PSO: ENCIPHER- AES Key
- 7.2.13
INTERNAL AUTHENTICATE - 7.2.14
GENERATE ASYMMETRIC KEY PAIR- RSA
- Elliptic Curves
- 7.2.15
GET CHALLENGE - 7.2.16
TERMINATE DF - 7.2.17
ACTIVATE FILE - 7.2.18
MANAGE SECURITY ENVIRONMENT
- 7.2.1
-
Key Derivation Function (KDF) for
VERIFY
YubiKey extensions
- Set PIN Retry counters
Tested implementations
- Yubikey
- FW version 5.4.3
Install
When build with CGO_ENABLED, go-openpgp-card requires the following external dependencies.
apt-get install \
libpcsclite-dev
Authors
- Steffen Vogel (@stv0g)
License
go-openpgp-card is licensed under the Apache 2.0 license.
Documentation
¶
Overview ¶
Package openpgp implements the interface to the OpenPGP application on ISO Smart Card Operating Systems v3.4.1 See: https://gnupg.org/ftp/specs/OpenPGP-smart-card-application-3.4.1.pdf
Index ¶
- Constants
- Variables
- type AlgHash
- type AlgKDF
- type AlgPubkey
- type AlgSymmetric
- type AlgorithmAttributes
- type ApplicationIdentifier
- type ApplicationRelated
- type AuthError
- type Card
- func (c *Card) AlgorithmAttributes(slot Slot) (attrs AlgorithmAttributes, err error)
- func (c *Card) Challenge(cnt int) ([]byte, error)
- func (c *Card) ChangePassword(pwType byte, pwCurrent, pwNew string) error
- func (c *Card) ChangeResettingCode(rc string) error
- func (c *Card) ClearPasswordState(pwType byte) error
- func (c *Card) ClearResettingCode() error
- func (c *Card) Close() error
- func (c *Card) DecryptAES(pt []byte) (ct []byte, err error)
- func (c *Card) EncryptAES(pt []byte) (ct []byte, err error)
- func (c *Card) FactoryReset() error
- func (c *Card) GenerateKey(slot Slot, attrs AlgorithmAttributes) (crypto.PrivateKey, error)
- func (c *Card) GetApplicationRelatedData() (ar *ApplicationRelated, err error)
- func (c *Card) GetCardholder() (ch *Cardholder, err error)
- func (c *Card) GetCardholderCertificate(slot Slot) ([]byte, error)
- func (c *Card) GetCardholderCertificates() ([][]byte, error)
- func (c *Card) GetKDF() (k *KDF, err error)
- func (c *Card) GetLoginData() (string, error)
- func (c *Card) GetPasswordStatus() (*PasswordStatus, error)
- func (c *Card) GetPublicKeyURL() (*url.URL, error)
- func (c *Card) GetSecuritySupportTemplate() (sst *SecuritySupportTemplate, err error)
- func (c *Card) GetSignatureCounter() (int, error)
- func (c *Card) ImportKey(_ Slot, _ crypto.PrivateKey) error
- func (c *Card) ManageSecurityEnvironment(op SecurityOperation, slot Slot) error
- func (c *Card) PasswordState(pwType byte) (bool, error)
- func (c *Card) PrivateData(index int) ([]byte, error)
- func (c *Card) PrivateKey(slot Slot) (crypto.PrivateKey, error)
- func (c *Card) ResetRetryCounter(newPw string) error
- func (c *Card) ResetRetryCounterWithResettingCode(rc, newPw string) error
- func (c *Card) Select() error
- func (c *Card) SetCardholder(ch Cardholder) error
- func (c *Card) SetLanguage(lang string) error
- func (c *Card) SetLoginData(login string) error
- func (c *Card) SetName(name string) error
- func (c *Card) SetPrivateData(index int, b []byte) error
- func (c *Card) SetPublicKeyURL(url *url.URL) error
- func (c *Card) SetRetryCounters(pw1, rc, pw3 byte) error
- func (c *Card) SetSex(sex Sex) error
- func (c *Card) SetupKDF(alg AlgKDF, iterations int, pw1, pw3 string) (err error)
- func (c *Card) SupportedAlgorithms() (map[Slot][]AlgorithmAttributes, error)
- func (c *Card) VerifyPassword(pwType byte, pw string) (err error)
- type Cardholder
- type Curve
- type ECDHKey
- type ECPublicKey
- type ExtendedCapabilities
- type ExtendedCapabilitiesFlag
- type ExtendedLengthInfo
- type Fingerprint
- type GeneralFeatures
- type ImportFormat
- type KDF
- type KeyInfo
- type LifeCycleStatus
- type Manufacturer
- type PasswordStatus
- type SecurityOperation
- type SecuritySupportTemplate
- type Sex
- type Slot
- type Status
- type UserInteractionFlag
- type UserInteractionMode
Constants ¶
const ( PW1 byte = 0x81 // User PIN (PSO:CDS command only) RC byte = 0x82 // Resetting code PW3 byte = 0x83 // Admin PIN )
const ( GeneralFeatureTouchscreen byte = (1 << iota) GeneralFeatureMicrophone GeneralFeatureSpeaker GeneralFeatureLED GeneralFeatureKeyPad GeneralFeatureButton GeneralFeatureBiometric GeneralFeatureDisplay )
Variables ¶
var ( DefaultPW = map[byte]string{ RC: DefaultPW1, PW3: DefaultPW3, } DefaultPW1 = "123456" DefaultPW3 = "12345678" )
var (
ErrInvalidLength = errors.New("invalid length")
)
Functions ¶
This section is empty.
Types ¶
type AlgPubkey ¶
type AlgPubkey byte
const ( AlgPubkeyRSA AlgPubkey = 1 // RSA (Encrypt or Sign) AlgPubkeyRSAEncOnly AlgPubkey = 2 // RSA Encrypt-Only (legacy) AlgPubkeyRSASignOnly AlgPubkey = 3 // RSA Sign-Only (legacy) AlgPubkeyElgamalEncOnly AlgPubkey = 16 // Elgamal (Encrypt-Only) AlgPubkeyDSA AlgPubkey = 17 // DSA (Digital Signature Algorithm) AlgPubkeyECDH AlgPubkey = 18 // RFC-6637 AlgPubkeyECDSA AlgPubkey = 19 // RFC-6637 AlgPubkeyElgamalEncSignOnly AlgPubkey = 20 // Elgamal encrypt+sign, reserved by OpenPGP (legacy) AlgPubkeyEdDSA AlgPubkey = 22 // EdDSA AlgPubkeyKy768_25519 AlgPubkey = 29 // Kyber768 + X25519 AlgPubkeyKy1024_448 AlgPubkey = 30 // Kyber1024 + X448 AlgPubkeyDil3_25519 AlgPubkey = 35 // Dilithium3 + Ed25519 AlgPubkeyDil5_448 AlgPubkey = 36 // Dilithium5 + Ed448 AlgPubkeySPHINXSHA2 AlgPubkey = 41 // SPHINX+-simple-SHA2 )
type AlgSymmetric ¶
type AlgSymmetric byte
const ( AlgSymPlaintext AlgSymmetric = iota // Plaintext or unencrypted data AlgSymIDEA // IDEA AlgSymTripleDES // TripleDES (DES-EDE, - 168 bit key derived from 192) AlgSymCAST5 // CAST5 (128 bit key, as per RFC2144) AlgSymBlowfish // Blowfish (128 bit key, 16 rounds) AlgSymAES128 // AES with 128-bit key AlgSymAES192 // AES with 192-bit key AlgSymAES256 // AES with 256-bit key AlgSymTwofish // Twofish with 256-bit key )
type AlgorithmAttributes ¶
type AlgorithmAttributes struct {
Algorithm AlgPubkey
// Relevant for RSA
LengthModulus uint16
LengthExponent uint16
// Relevant for ECDSA/ECDH
OID []byte
ImportFormat ImportFormat
}
func EC ¶
func EC(curve Curve) AlgorithmAttributes
func RSA ¶
func RSA(bits int) AlgorithmAttributes
func (AlgorithmAttributes) Curve ¶
func (a AlgorithmAttributes) Curve() Curve
func (*AlgorithmAttributes) Decode ¶
func (a *AlgorithmAttributes) Decode(b []byte) error
func (AlgorithmAttributes) Encode ¶
func (a AlgorithmAttributes) Encode() (b []byte)
func (AlgorithmAttributes) Equal ¶
func (a AlgorithmAttributes) Equal(ab AlgorithmAttributes) bool
func (AlgorithmAttributes) String ¶
func (a AlgorithmAttributes) String() string
type ApplicationIdentifier ¶
type ApplicationIdentifier struct {
RID iso.RID
Application byte
Version iso.Version
Serial [4]byte
Manufacturer Manufacturer
}
func (*ApplicationIdentifier) Decode ¶
func (aid *ApplicationIdentifier) Decode(b []byte) error
type ApplicationRelated ¶
type ApplicationRelated struct {
AID ApplicationIdentifier
HistoricalBytes iso.HistoricalBytes
LengthInfo ExtendedLengthInfo
Capabilities ExtendedCapabilities
Features GeneralFeatures
PasswordStatus PasswordStatus
Keys [4]KeyInfo
}
func (*ApplicationRelated) Decode ¶
func (ar *ApplicationRelated) Decode(b []byte) (err error)
type AuthError ¶
type AuthError struct {
// Retries is the number of retries remaining if this error resulted from a retry-able
// authentication attempt. If the authentication method is blocked or does not support
// retries, this will be 0.
Retries int
}
AuthError is an error indicating an authentication error occurred (wrong PIN or blocked).
type Card ¶
type Card struct {
Rand io.Reader
Clock func() time.Time
*ApplicationRelated
*Cardholder
*SecuritySupportTemplate
// contains filtered or unexported fields
}
func (*Card) AlgorithmAttributes ¶
func (c *Card) AlgorithmAttributes(slot Slot) (attrs AlgorithmAttributes, err error)
func (*Card) Challenge ¶
Challenge generates a random number of cnt bytes.
See: OpenPGP Smart Card Application - Section 7.2.15 GET CHALLENGE
func (*Card) ChangePassword ¶
ChangePassword changes the user or admin password.
Access condition: Always Access level: None (current password must be provided) See: OpenPGP Smart Card Application - Section 7.2.3 CHANGE REFERENCE DATA
func (*Card) ChangeResettingCode ¶
ChangeResettingCode sets the resetting code of the cards.
Access condition: Admin/PW3 See: OpenPGP Smart Card Application - Section 4.3.4 Resetting Code
func (*Card) ClearPasswordState ¶
ClearPasswordState clears the passwort unlock state from the card.
Access condition: Always Note: Appears to be broken on YubiKey 5 See: OpenPGP Smart Card Application - Section 7.2.2 VERIFY
func (*Card) ClearResettingCode ¶
func (*Card) DecryptAES ¶
DecryptAES encrypts a plain text with an AES-key stored in a special DO (D5).
See: OpenPGP Smart Card Application - Section 7.2.12 PSO: ENCIPHER
func (*Card) EncryptAES ¶
EncryptAES encrypts a plain text with an AES-key stored in a special DO (D5).
See: OpenPGP Smart Card Application - Section 7.2.12 PSO: ENCIPHER
func (*Card) FactoryReset ¶
FactoryReset resets the applet to its original state
Access condition: Admin/PW3
Alternatively, we will try to block the Admin PIN by repeatedly calling VerifyPassword() with a wrong password to enable TERMINATE DF without Admin PIN.
See: OpenPGP Smart Card Application - Section 7.2.16 TERMINATE DF & 7.2.17 ACTIVATE FILE
func (*Card) GenerateKey ¶
func (c *Card) GenerateKey(slot Slot, attrs AlgorithmAttributes) (crypto.PrivateKey, error)
func (*Card) GetApplicationRelatedData ¶
func (c *Card) GetApplicationRelatedData() (ar *ApplicationRelated, err error)
GetApplicationRelatedData fetches the application related data from the card.
func (*Card) GetCardholder ¶
func (c *Card) GetCardholder() (ch *Cardholder, err error)
GetCardholder fetches the card holder information from the card.
func (*Card) GetCardholderCertificate ¶
func (*Card) GetCardholderCertificates ¶
func (*Card) GetLoginData ¶
func (*Card) GetPasswordStatus ¶
func (c *Card) GetPasswordStatus() (*PasswordStatus, error)
func (*Card) GetSecuritySupportTemplate ¶
func (c *Card) GetSecuritySupportTemplate() (sst *SecuritySupportTemplate, err error)
GetSecuritySupportTemplate fetches the the security template from the card.
func (*Card) GetSignatureCounter ¶
func (*Card) ManageSecurityEnvironment ¶
func (c *Card) ManageSecurityEnvironment(op SecurityOperation, slot Slot) error
See: OpenPGP Smart Card Application - Section 7.2.18 MANAGE SECURITY ENVIRONMENT
func (*Card) PasswordState ¶
PasswordState returns true if the given password is unlocked.
Access condition: Always Note: Appears to be broken on YubiKey 5 See: OpenPGP Smart Card Application - Section 7.2.2 VERIFY
func (*Card) PrivateKey ¶
func (c *Card) PrivateKey(slot Slot) (crypto.PrivateKey, error)
func (*Card) ResetRetryCounter ¶
ResetRetryCounter reset the PIN retry counter and a new password.
Access condition: Admin/PW3 See: OpenPGP Smart Card Application - Section 7.2.4 RESET RETRY COUNTER
func (*Card) ResetRetryCounterWithResettingCode ¶
ResetRetryCounterWithResettingCode resets the PIN retry counter using a reset code.
Access condition: None (reset code is required) See: OpenPGP Smart Card Application - Section 7.2.4 RESET RETRY COUNTER
func (*Card) Select ¶
Select selects the OpenPGP applet.
See: OpenPGP Smart Card Application - Section 7.2.1 SELECT
func (*Card) SetCardholder ¶
func (c *Card) SetCardholder(ch Cardholder) error
func (*Card) SetLanguage ¶
func (*Card) SetLoginData ¶
func (*Card) SetRetryCounters ¶
SetRetryCounters sets the number of PIN attempts to allow before blocking.
Access condition: Admin/PW3 Note: This is a YubiKey extensions Warning: On YubiKey NEO this will reset the PINs to their default values.
func (*Card) SetupKDF ¶
SetupKDF initialize the KDF data object and updates passwords to work with it.
Resetting code must be set again. User/PW1 and Admin/PW3 are unchanged.
Access condition: Admin/PW3 (User/PW1 and AdminPW3 must be passed as arguments) See: OpenPGP Smart Card Application - Section 4.3.2 Key derived format
func (*Card) SupportedAlgorithms ¶
func (c *Card) SupportedAlgorithms() (map[Slot][]AlgorithmAttributes, error)
type Cardholder ¶
func (*Cardholder) Decode ¶
func (ch *Cardholder) Decode(b []byte) (err error)
type ECPublicKey ¶
type ExtendedCapabilities ¶
type ExtendedCapabilities struct {
Flags ExtendedCapabilitiesFlag
AlgSM byte
MaxLenChallenge uint16
MaxLenCardholderCert uint16
MaxLenSpecialDO uint16
Pin2BlockFormat byte
CommandMSE byte
}
func (*ExtendedCapabilities) Decode ¶
func (ec *ExtendedCapabilities) Decode(b []byte) error
type ExtendedCapabilitiesFlag ¶
type ExtendedCapabilitiesFlag byte
const ( CapKDF ExtendedCapabilitiesFlag = (1 << iota) CapAES CapAlgAttrsChangeable CapPrivateDO CapPasswordStatusChangeable CapKeyImport CapGetChallenge CapSecureMessaging )
type ExtendedLengthInfo ¶
func (*ExtendedLengthInfo) Decode ¶
func (li *ExtendedLengthInfo) Decode(b []byte) error
type Fingerprint ¶
type Fingerprint [20]byte
type GeneralFeatures ¶
type GeneralFeatures byte
func (*GeneralFeatures) Decode ¶
func (gf *GeneralFeatures) Decode(b []byte) error
type ImportFormat ¶
type ImportFormat byte
const ( ImportFormatRSAStd ImportFormat = iota ImportFormatRSAStdWithModulus ImportFormatRSACRT ImportFormatRSACRTWithModulus ImportFormatECDSAStdWithPublicKey ImportFormat = 0xff )
type KDF ¶
type KeyInfo ¶
type KeyInfo struct {
Reference byte
Status Status
AlgAttrs AlgorithmAttributes
Fingerprint []byte
FingerprintCA []byte
GenerationTime time.Time
UIF UserInteractionFlag
}
type LifeCycleStatus ¶
type LifeCycleStatus byte
See: OpenPGP Smart Card Application - Section 6 Historical Bytes
const ( LifeCycleStatusNoInfo LifeCycleStatus = 0x00 LifeCycleStatusInitialized LifeCycleStatus = 0x03 LifeCycleStatusOperational LifeCycleStatus = 0x05 )
type Manufacturer ¶
type Manufacturer uint16
const (
ManufacturerYubico Manufacturer = 0x0006
)
From: https://github.com/gpg/gnupg/blob/9e4d52223945d677c1ffcb0e20dae48299e9aae1/scd/app-openpgp.c#L293
func (Manufacturer) String ¶
func (m Manufacturer) String() string
type PasswordStatus ¶
type PasswordStatus struct {
ValidityPW1 uint8
LengthPW1 uint8
LengthRC uint8
LengthPW3 uint8
AttemptsPW1 uint8
AttemptsRC uint8
AttemptsPW3 uint8
}
func (*PasswordStatus) Decode ¶
func (ps *PasswordStatus) Decode(b []byte) error
type SecurityOperation ¶
type SecurityOperation byte
const ( SecurityOperationSign SecurityOperation = iota SecurityOperationAuthenticate // Authentication SecurityOperationDecrypt // Confidentiality )
type SecuritySupportTemplate ¶
func (*SecuritySupportTemplate) Decode ¶
func (sst *SecuritySupportTemplate) Decode(b []byte) (err error)
type UserInteractionFlag ¶
type UserInteractionFlag struct {
Mode UserInteractionMode
Feature byte
}
func (*UserInteractionFlag) Decode ¶
func (uif *UserInteractionFlag) Decode(b []byte) error
type UserInteractionMode ¶
type UserInteractionMode byte
const ( UserInteractionDisabled UserInteractionMode = 0x00 UserInteractionEnabled UserInteractionMode = 0x01 UserInteractionEnabledFixed UserInteractionMode = 0x02 UserInteractionCached UserInteractionMode = 0x03 UserInteractionCachedFixed UserInteractionMode = 0x04 )
Source Files
Directories