Yubico / yubikit-android

Yubico Mobile Android SDK - YubiKit
Apache License 2.0
115 stars 42 forks source link

PivSession::generateKey do not store private key in Yubikey #81

Closed Chralu closed 1 year ago

Chralu commented 1 year ago

Hello,

PIV key generation behavior seems odd to me.

When generating a PIV key in a given slot, I would expect the private key to be securely stored in the Yubikey. But if I try to retrieve the generated key certificate (through PivSession::getCertificate or using YubikitManager), PIV key slot is empty.

Is it the intended behavior ? In such case, what is the purpose of the PivSession::generateKey method ?

Thanks for your help 🙏

Key generation code example : ```kotlin yubikitManager.startNfcDiscovery(NfcConfiguration(), activity) { device -> device.requestConnection(SmartCardConnection::class.java) { connectionResult -> val connection = connectionResult.getValue() val piv = PivSession(connection) piv.authenticate( managementKeyType, managementKey, ) piv.verifyPin( pin.toCharArray() ) val publicKey = piv.generateKey( Slot.SIGNATURE, KeyType.ECCP256, PinPolicy.DEFAULT, TouchPolicy.DEFAULT, ) } } ```
Certificate retrieval code example : ```kotlin yubikitManager.startNfcDiscovery(NfcConfiguration(), activity) { device -> device.requestConnection(SmartCardConnection::class.java) { connectionResult -> val connection = connectionResult.getValue() val piv = PivSession(connection) piv.verifyPin( pin.toCharArray() ) val certificate = piv.getCertificate(Slot.SIGNATURE) } } ```
dainnilsson commented 1 year ago

Keys and certificates are separate objects, independent of each other. If you want to be able to get a certificate, you will first need to store a certificate.

Chralu commented 1 year ago

Thanks for the explaination.