search

go-piv / piv-go

Keys and certificates for YubiKeys, written in Go
Apache License 2.0
354 stars 64 forks source link

Support AES Management keys #109

Open scj643 opened 1 year ago

scj643 commented 1 year ago

https://github.com/smallstep/crypto/issues/114

Currently this library doesn't support AES management keys as described in https://docs.yubico.com/hardware/yubikey/yk-5/tech-manual/yk5-piv-tech-desc.html#piv-aes-management-key

ericchiang commented 1 year ago

Thanks for opening!

The main issue looks like this package's signatures expect a 24 byte key:

func (yk *YubiKey) GenerateKey(key [24]byte, slot Slot, opts Key) (crypto.PublicKey, error)

Where as AES-128, AES-192, or AES-256 are 16, 24, and 32 bytes respectively.

Out of curiosity, is there a reason DES doesn't work for you? In most threat models I've worked in, the ability to generate a new key isn't as important, since it would have to be attested to be unexportable anyway.

udf2457 commented 1 year ago

@ericchiang

Per Yubico tech :

PIV management key in AES format renders the YubiKey compatible with current or future FIPS-compliant CMS services.

84adam commented 1 month ago

Any updates on or progress on adding this?

EDIT: Just saw https://github.com/go-piv/piv-go/issues/146#issuecomment-2220738079