Add dynamic support for AES128/192/256 management keys, including set…

…ting them. Prefer AES192 over 3DES when possible. Update supportsVersion to use *version and bytes instead of Version and ints to eliminate a lot of unnecessary calls to .Version()
go-piv · Jul 9, 2024 · 6b1bedd · 6b1bedd
1 parent df01a03
commit 6b1bedd
Show file tree

Hide file tree

Showing 5 changed files with 142 additions and 80 deletions.
diff --git a/README.md b/README.md
@@ -75,6 +75,7 @@ if err != nil {
 The PIV applet has three unique credentials:
 
 * Management key (3DES key) used to generate new keys on the YubiKey.
+  * YubiKey firmware 5.4.0+ adds support for AES128/192/256 keys
 * PIN (up to 8 digits, usually 6) used to access signing operations.
 * PUK (up to 8 digits) used to unblock the PIN. Usually set once and thrown
   away or managed by an administrator.
@@ -103,7 +104,7 @@ newPIN := fmt.Sprintf("%06d", newPINInt)
 newPUK := fmt.Sprintf("%08d", newPUKInt)
 
 // Set all values to a new value.
-if err := yk.SetManagementKey(piv.DefaultManagementKey, newKey); err != nil {
+if err := yk.SetManagementKey(piv.DefaultManagementKey, newKey[:]); err != nil {
 	// ...
 }
 if err := yk.SetPUK(piv.DefaultPUK, newPUK); err != nil {
@@ -113,8 +114,8 @@ if err := yk.SetPIN(piv.DefaultPIN, newPIN); err != nil {
 	// ...
 }
 // Store management key on the YubiKey.
-m := piv.Metadata{ManagementKey: &newKey}
-if err := yk.SetMetadata(newKey, m); err != nil {
+m := piv.Metadata{ManagementKey: &newKey[:]}
+if err := yk.SetMetadata(newKey[:], m); err != nil {
 	// ...
 }
 

diff --git a/v2/piv/key.go b/v2/piv/key.go
@@ -743,8 +743,8 @@ func marshalASN1(tag byte, data []byte) []byte {
 // SetCertificate stores a certificate object in the provided slot. Setting a
 // certificate isn't required to use the associated key for signing or
 // decryption.
-func (yk *YubiKey) SetCertificate(key [24]byte, slot Slot, cert *x509.Certificate) error {
-	if err := ykAuthenticate(yk.tx, key, yk.rand); err != nil {
+func (yk *YubiKey) SetCertificate(key []byte, slot Slot, cert *x509.Certificate) error {
+	if err := ykAuthenticate(yk.tx, key, yk.rand, yk.version); err != nil {
 		return fmt.Errorf("authenticating with management key: %w", err)
 	}
 	return ykStoreCertificate(yk.tx, slot, cert)
@@ -797,8 +797,8 @@ type Key struct {
 
 // GenerateKey generates an asymmetric key on the card, returning the key's
 // public key.
-func (yk *YubiKey) GenerateKey(key [24]byte, slot Slot, opts Key) (crypto.PublicKey, error) {
-	if err := ykAuthenticate(yk.tx, key, yk.rand); err != nil {
+func (yk *YubiKey) GenerateKey(key []byte, slot Slot, opts Key) (crypto.PublicKey, error) {
+	if err := ykAuthenticate(yk.tx, key, yk.rand, yk.version); err != nil {
 		return nil, fmt.Errorf("authenticating with management key: %w", err)
 	}
 	return ykGenerateKey(yk.tx, slot, opts)
@@ -926,7 +926,7 @@ func (k KeyAuth) do(yk *YubiKey, pp PINPolicy, f func(tx *scTx) ([]byte, error))
 }
 
 func pinPolicy(yk *YubiKey, slot Slot) (PINPolicy, error) {
-	if supportsVersion(yk.Version(), 5, 3, 0) {
+	if supportsVersion(yk.version, 5, 3, 0) {
 		info, err := yk.KeyInfo(slot)
 		if err != nil {
 			return 0, fmt.Errorf("get key info: %v", err)
@@ -1005,7 +1005,7 @@ func (yk *YubiKey) PrivateKey(slot Slot, public crypto.PublicKey, auth KeyAuth)
 // Keys generated outside of the YubiKey should not be considered hardware-backed,
 // as there's no way to prove the key wasn't copied, exfiltrated, or replaced with malicious
 // material before being imported.
-func (yk *YubiKey) SetPrivateKeyInsecure(key [24]byte, slot Slot, private crypto.PrivateKey, policy Key) error {
+func (yk *YubiKey) SetPrivateKeyInsecure(key []byte, slot Slot, private crypto.PrivateKey, policy Key) error {
 	// Reference implementation
 	// https://github.com/Yubico/yubico-piv-tool/blob/671a5740ef09d6c5d9d33f6e5575450750b58bde/lib/ykpiv.c#L1812
 
@@ -1073,7 +1073,7 @@ func (yk *YubiKey) SetPrivateKeyInsecure(key [24]byte, slot Slot, private crypto
 		tags = append(tags, param...)
 	}
 
-	if err := ykAuthenticate(yk.tx, key, yk.rand); err != nil {
+	if err := ykAuthenticate(yk.tx, key, yk.rand, yk.version); err != nil {
 		return fmt.Errorf("authenticating with management key: %w", err)
 	}
 

diff --git a/v2/piv/key_test.go b/v2/piv/key_test.go
@@ -202,7 +202,7 @@ func TestPINPrompt(t *testing.T) {
 }
 
 func supportsAttestation(yk *YubiKey) bool {
-	return supportsVersion(yk.Version(), 4, 3, 0)
+	return supportsVersion(yk.version, 4, 3, 0)
 }
 
 func TestSlots(t *testing.T) {