
Support GET METADATA command and use it to derive default PIN policy #129

Closed
Merovius opened this issue Aug 30, 2023 · 1 comment · Fixed by #130

Comments

@Merovius
Contributor

(*Yubikey).PrivateKey requires you to give the PIN policy for the used slot, otherwise it derives a default from the attestation certificate. This fails if the key has not been generated on the hardware, as the Yubikey won't provide an attestation certificate in that case. So there is no robust way, currently, to set the correct PIN policy for such keys.

YubiKeys after 5.3 support a vendor-specific command to get metadata about a given key slot. In particular, that metadata contains the PIN/Touch policy for the given key slot. There is reference code to retrieve and parse the metadata.

I would like to add support to a) retrieve that metadata, and b) use that to derive the default PIN policy in PrivateKey, if it is available. My proposal is to add some public API:

// KeyInfo holds unprotected metadata about a key slot.
type KeyInfo struct {
	Algorithm   Algorithm
	PINPolicy   PINPolicy
	TouchPolicy TouchPolicy
	Origin      Origin
	PublicKey   crypto.PublicKey
}

func (yk *YubiKey) KeyInfo(slot Slot) (KeyInfo, error)

// Origin represents whether a key was generated on the hardware, or has been
// imported into it.
type Origin int

const (
	OriginGenerated Origin = iota + 1
	OriginImported
)

I chose the name KeyInfo, because Metadata (which seems a more canonical name, based on the command) is already taken for "PIN protected Metadata" (currently only the management key).

I have a PoC implemented and verified with my own YubiKey that it works. If this is wanted, I could clean it up, add some tests and send it as a PR.
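As an added illustration of the proposal above (editor's example, not piv-go's code and not Merovius's PoC), the block below parses a GET METADATA response body into the KeyInfo shape from the issue and then applies the selection order the issue asks for: take the PIN policy from metadata when the firmware has it, fall back to the attestation-derived policy only when the command is unsupported, and surface any other error rather than guessing. The tag layout (0x01 algorithm, 0x02 two policy bytes, 0x03 origin, 0x04 public key) and the numeric policy values are assumptions taken from Yubico's published PIV extension documentation and should be checked against the current spec; the APDU exchange itself, the status-word handling and the ErrUnsupported sentinel are stand-ins, and the sample response bytes are constructed, including a stub public-key element that is not a real key.

```go
package main

import "errors"
import "fmt"

// Enumerations follow the issue's proposal; the numeric values are the ones the
// metadata bytes carry, as assumed from Yubico's PIV extension documentation.
type PINPolicy int
type TouchPolicy int
type Origin int
const (
	PINPolicyNever, PINPolicyOnce, PINPolicyAlways         PINPolicy   = 1, 2, 3
	TouchPolicyNever, TouchPolicyAlways, TouchPolicyCached TouchPolicy = 1, 2, 3
	OriginGenerated, OriginImported                        Origin      = 1, 2
)

// KeyInfo mirrors the issue's struct; PublicKey keeps the raw nested TLV because decoding it is algorithm-specific.
type KeyInfo struct {
	Algorithm   byte
	PINPolicy   PINPolicy
	TouchPolicy TouchPolicy
	Origin      Origin
	PublicKey   []byte
}

// ErrUnsupported stands in for the status word a pre-5.3 firmware returns for an unknown instruction (assumption).
var ErrUnsupported = errors.New("GET METADATA not supported by this firmware")

// berLength decodes a short-form or 1-2 byte long-form BER length and reports the header bytes consumed.
func berLength(b []byte) (n, hdr int, err error) {
	if len(b) == 0 {
		return 0, 0, errors.New("missing length")
	}
	if b[0] < 0x80 {
		return int(b[0]), 1, nil
	}
	extra := int(b[0] & 0x7f) // long form 0x81/0x82: that many length bytes follow
	if extra < 1 || extra > 2 || len(b) < 1+extra {
		return 0, 0, fmt.Errorf("unsupported BER length byte 0x%02x", b[0])
	}
	for _, x := range b[1 : 1+extra] {
		n = n<<8 | int(x)
	}
	return n, 1 + extra, nil
}

// parseTLV splits a flat sequence of single-byte-tag TLVs, rejecting any element that overruns the buffer.
func parseTLV(b []byte) (map[byte][]byte, error) {
	out := map[byte][]byte{}
	for len(b) > 0 {
		n, hdr, err := berLength(b[1:])
		if err != nil || 1+hdr+n > len(b) {
			return nil, fmt.Errorf("tag 0x%02x: bad or overrunning length (%v)", b[0], err)
		}
		out[b[0]] = b[1+hdr : 1+hdr+n]
		b = b[1+hdr+n:]
	}
	return out, nil
}

// ParseKeyInfo maps a GET METADATA response body (status word already stripped) onto KeyInfo,
// rejecting policy or origin bytes outside their defined range instead of passing them through.
func ParseKeyInfo(resp []byte) (KeyInfo, error) {
	tlv, err := parseTLV(resp)
	if err != nil {
		return KeyInfo{}, err
	}
	alg, pol, org := tlv[0x01], tlv[0x02], tlv[0x03]
	if len(alg) != 1 || len(pol) != 2 || len(org) != 1 {
		return KeyInfo{}, errors.New("metadata: missing or malformed algorithm/policy/origin")
	}
	ki := KeyInfo{alg[0], PINPolicy(pol[0]), TouchPolicy(pol[1]), Origin(org[0]), tlv[0x04]}
	if ki.PINPolicy < 1 || ki.PINPolicy > 3 || ki.TouchPolicy < 1 || ki.TouchPolicy > 3 || ki.Origin < 1 || ki.Origin > 2 {
		return KeyInfo{}, fmt.Errorf("metadata: out-of-range policy %v or origin %v", pol, org)
	}
	return ki, nil
}

// DefaultPINPolicy follows the order the issue proposes: metadata first, attestation only when the
// firmware lacks the command, and any other failure is surfaced rather than turned into a guess.
func DefaultPINPolicy(metadata func() (KeyInfo, error), attest func() (PINPolicy, error)) (PINPolicy, error) {
	ki, err := metadata()
	if err == nil {
		return ki.PINPolicy, nil
	}
	if !errors.Is(err, ErrUnsupported) {
		return 0, err
	}
	return attest()
}

// sampleResponse is a constructed body: ECC P-256 (0x11), PIN once, touch never, origin imported, stub public-key TLV.
var sampleResponse = []byte{0x01, 0x01, 0x11, 0x02, 0x02, 0x02, 0x01, 0x03, 0x01, 0x02, 0x04, 0x04, 0x86, 0x02, 0xAA, 0xBB}
func main() {
	ki, err := ParseKeyInfo(sampleResponse)
	fmt.Printf("%+v err=%v\n", ki, err)
}
```

The long-form BER length matters in practice because an RSA 2048 public-key element is well over 127 bytes; a parser that only reads a single length byte would misalign on exactly the keys this issue is about. The range check on the policy bytes is there so that a firmware quirk or a corrupted response cannot silently become PINPolicyNever.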

@ericchiang
Collaborator

Yep, this API seems great. I don't know if I actually have a key that supports this myself, but feel free to add a test regardless.

Merovius added a commit to Merovius/piv-go that referenced this issue Aug 31, 2023
Add support for a YubiKey vendor extension to retrieve public metadata
(including the public key, PIN/Touch policies and whether or not the key
was hardware generated) for a given key slot.

Also use this new method to determine the pin policy, for YubiKeys that
support it. This is more general than using the attestation certificate,
as it also works for keys that have been generated offline and imported
into the hardware token.

Fixes go-piv#129
ericchiang pushed a commit that referenced this issue Aug 31, 2023
Add support for a YubiKey vendor extension to retrieve public metadata
(including the public key, PIN/Touch policies and whether or not the key
was hardware generated) for a given key slot.

Also use this new method to determine the pin policy, for YubiKeys that
support it. This is more general than using the attestation certificate,
as it also works for keys that have been generated offline and imported
into the hardware token.

Fixes #129