Closed kmille closed 1 year ago
Exporting a public key from the YubiKey itself is only supported on YubiKey 5.3 and later. Since you have the RSA private key in pem format you can probably use that to export the public key: `openssl rsa -in privkey.pem -pubout > pubkey.pem`
Why can't we tell this to the user instead of just saying "Unable to export public key"? In addition, exporting a public key from the Yubikey works if I generated the private key on the Yubikey previously:

```
kmille@linbox:~ ykman piv keys generate 9a pubkey.pem
Enter a management key [blank to use default key]:
kmille@linbox:~ ykman piv keys export 9a pubkey.pem
kmille@linbox:~ head -n 1 pubkey.pem
-----BEGIN PUBLIC KEY-----
```
Sorry to say but the tooling around the Yubikey is really annoying sometimes. Even if an operation works, it would be nice to tell the user.
When generating a private key on the YubiKey the public key is always returned/exported, but you cannot export it from the YubiKey after that, unless you have firmware 5.3 or later. The export command will attempt to use several different mechanisms to export the public key. On >= 5.3 it will simply export the key. Otherwise it can export the certificate and pull the public key from that (requires a certificate with the correct public key to be stored on the corresponding slot of the YubiKey). This is explained in the `--help` output of the command:

```
Usage: ykman.exe piv keys export [OPTIONS] SLOT PUBLIC-KEY

  Export a public key corresponding to a stored private key.

  This command uses several different mechanisms for exporting the public key corresponding to a stored private key,
  which may fail. If a certificate is stored in the slot it is assumed to contain the correct public key. If this is
  not the case, the wrong public key will be returned.

  The --verify flag can be used to verify that the public key being returned matches the private key, by using the
  slot to create and verify a signature. This may require the PIN to be provided.

  SLOT        PIV slot of the private key
  PUBLIC-KEY  file to write the public key to (use '-' to use stdout)

Options:
  -F, --format [PEM|DER]  encoding format [default: PEM]
  -v, --verify            verify that the public key matches the private key in the slot
  -P, --pin TEXT          PIN code (used for --verify)
  -h, --help              show this message and exit
```
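The two mechanisms described above, the certificate-based export and the sign/verify check behind `--verify`, reproduced in software as an added example (not part of yubikey-manager or this thread). It assumes `openssl` is on PATH and stands in software-generated keys for the slot's private key, since the YubiKey cannot be exercised here; all file names are constructed.

```shell
#!/bin/sh
# Added example, not yubikey-manager code. Mirrors what `ykman piv keys export`
# does on firmware < 5.3 (public key pulled from the slot's certificate) and
# what `--verify` adds (sign with the private key, verify with that public key).
# Assumes openssl is available; keys and certificate are generated locally.
set -eu

# Extract the public key (PEM) from an X.509 certificate, as the export
# command does when it cannot read the key directly from the YubiKey.
pubkey_from_cert() {
  # $1 = certificate PEM, $2 = output public key PEM
  openssl x509 -in "$1" -pubkey -noout > "$2"
}

# Return 0 if the private key in $1 matches the public key in $2, else 1.
# A sign/verify round trip over a constructed message is used rather than a
# byte comparison, which is the same idea as ykman's --verify flag.
key_matches_pubkey() {
  tmp=$(mktemp -d)
  printf 'constructed message for the --verify analogue\n' > "$tmp/msg"
  openssl dgst -sha256 -sign "$1" -out "$tmp/sig" "$tmp/msg"
  if openssl dgst -sha256 -verify "$2" -signature "$tmp/sig" "$tmp/msg" >/dev/null 2>&1; then
    rm -rf "$tmp"
    return 0
  fi
  rm -rf "$tmp"
  return 1
}

# Constructed demo material in directory $1: "slot9a.pem" plays the private
# key stored in slot 9a, "slot9a.crt" its self-signed certificate, and
# "other.pem" an unrelated key that a wrong certificate would correspond to.
make_demo_material() {
  openssl genrsa -out "$1/slot9a.pem" 2048 2>/dev/null
  openssl genrsa -out "$1/other.pem" 2048 2>/dev/null
  openssl req -x509 -new -key "$1/slot9a.pem" -subj "/CN=yubico" -days 1 \
    -out "$1/slot9a.crt" 2>/dev/null
  pubkey_from_cert "$1/slot9a.crt" "$1/slot9a.pub"
}

# Stand-alone run: the matching key verifies, the unrelated one does not.
demo=$(mktemp -d)
make_demo_material "$demo"
key_matches_pubkey "$demo/slot9a.pem" "$demo/slot9a.pub" && echo "slot9a.pem matches the certificate's public key"
key_matches_pubkey "$demo/other.pem" "$demo/slot9a.pub" || echo "other.pem does NOT match (wrong certificate in slot)"
rm -rf "$demo"
```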
Finally, it worked with these commands:

```
kmille@linbox:~ ssh-keygen -f test -b 2048 -P ''
Generating public/private rsa key pair.
Your identification has been saved in test
Your public key has been saved in test.pub
The key fingerprint is:
SHA256:Al3v269+p7kW3JsGO/ZGmKuUDjRQK6H/A9tHRsrvuus kmille@linbox
The key's randomart image is:
+---[RSA 2048]----+
|       ...       |
|       ...o..    |
|      ...o ...   |
|     .. +.o      |
|    .oS=.o .o.   |
|    .* =o.+o..   |
|   . =.=. =.o    |
|      B *o*.     |
|    .E+==+X=     |
+----[SHA256]-----+
kmille@linbox:~ ssh-keygen -p -m pem -f test
Key has comment 'kmille@linbox'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
kmille@linbox:~ ykman piv keys import 9a test
Enter a management key [blank to use default key]:
kmille@linbox:~ openssl rsa -in test -pubout | tee testpub.pem
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApd42z1KA+tQW8C+CaLeh
YRFRjuZRJ+Wuh5vA0cV7iMyWFWcGzAQXh3nYooSqBoh/hke4V+TaSr60afaxb5Bk
1NXYTVfn1a1XlqIDlB/y4qDVr6qEymW7S5ZF6T8YmF+kdtTjbl8U7W/SnFzZcel5
yTd0ba+IliPA+3OWQZi/gZ7BEdySYxcd+Cv5fHdXnkJrt4BLgM+9MgV1bNfoN2YT
6nyCOvejFBdUkemkD+7IuePZuuEw/cUruQOTCuwEe+dTw736JPjUcCj33xXjvgqK
/gVjDLkVlRcUU3m52DgEvociOrIAEjonBCT1LTXFCkivp2DOY9cN8vP+XO4hCc9I
4QIDAQAB
-----END PUBLIC KEY-----
kmille@linbox:~ ykman piv certificates generate --subject "CN=yubico" 9a testpub.pem
Enter a management key [blank to use default key]:
Enter PIN:
kmille@linbox:~
```
Steps to reproduce

I really have trouble importing and using an existing rsa-2048-ssh-key (used as PIV): I need `pubkey.pem` for doing `ykman piv certificates generate --subject "CN=demo" 9a pubkey.pem`.