go-piv / piv-go

Keys and certificates for YubiKeys, written in Go
Apache License 2.0

Support new key types in Yubikey 5.7 firmware #143

Open smlx opened 4 months ago

smlx commented 4 months ago

Yubico have announced new firmware with expanded key type support. They've also added support to their tooling.

Would you accept PRs to add these new non-standard key types once hardware is available to test them?

ericchiang commented 4 months ago

Happy to add them! One note is that I don't have test hardware. If it's possible, it might be nice if Yubikey would consider contributing a device to development.

phiekl commented 1 month ago

https://github.com/go-piv/piv-go/blob/43b5a932f1b431f05e7bbf4a4f0ee02ac850db33/v2/piv/piv.go#L73 By changing 0x22 into 0xe0 (as found in the link above), I got piv-go to work with ed25519 keys on a YubiKey 5.7.3.

Of course, the final patch won't be as simple as just changing the value, but just wanted to let you know. :smile:

ericchiang commented 1 month ago

This sounds like a slightly different issue, but I would be happy to switch some of the ed25519 support over to whatever YubiKeys use, particularly if that's spec supported. That feature was initially added for non-standard hardware.

smlx commented 1 month ago

FYI Solo keys never actually implemented PIV and the project now seems to be abandoned. So that hardware never got beyond vapourware stage.

https://github.com/solokeys/solo2/discussions/88

hslatman commented 5 days ago

My colleague @maraino opened a PR: https://github.com/go-piv/piv-go/pull/157.

maraino commented 4 days ago

@smlx @ericchiang on #157, I've added support for the new algorithms included in 5.7.x: RSA-3072, RSA-4096, Ed25519, and X25519. This last one is only implemented if the Go version is 1.20 or newer, and it will return an error if not.

I'm implementing X25519 only in Go 1.20+ because I'm using the crypto/ecdh package to return the public key (or import a private key). It would be possible to support lower versions, but it will imply using a new type in the piv-go/piv package or using []byte. But for example, let's say you want to import a key using a type piv.X25519; generating the key is easy, but you probably also want to be able to get the public key or even do ECDH, then we will have to implement scalar multiplications, and I don't think this is something this package will need to support.
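The thread raises three practical points: the Ed25519 algorithm identifier that worked on a 5.7.3 device (0xe0, rather than the 0x22 piv-go had been sending), the fact that the new key types exist only from firmware 5.7 onward, and the reason X25519 is gated on Go 1.20 (crypto/ecdh). The following is an added example, not code from this thread, from piv-go, or from PR #157. The `firmwareVersion` type, the function names and the 0xe0 constant being the only algorithm identifier listed are all assumptions made here; the key material is generated in software as a constructed stand-in for what a card would return, so it runs without any hardware.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// firmwareVersion is a hypothetical type (not from piv-go) used here to gate
// the key types that exist only on the 5.7 firmware discussed in the thread.
type firmwareVersion struct{ Major, Minor, Patch int }

// atLeast reports whether v is >= the given version.
func (v firmwareVersion) atLeast(major, minor, patch int) bool {
	if v.Major != major {
		return v.Major > major
	}
	if v.Minor != minor {
		return v.Minor > minor
	}
	return v.Patch >= patch
}

// supportsNewKeyTypes reports whether the firmware is 5.7.0 or newer, the
// version at which RSA-3072, RSA-4096, Ed25519 and X25519 were introduced.
func supportsNewKeyTypes(v firmwareVersion) bool { return v.atLeast(5, 7, 0) }

// algEd25519 is the algorithm identifier that the thread reports working for
// Ed25519 on a YubiKey 5.7.3 (0xe0), as opposed to piv-go's earlier 0x22.
const algEd25519 byte = 0xe0

// ed25519AlgorithmFor returns the identifier to send for Ed25519 key
// generation, or an error when the firmware predates the algorithm. Sending an
// unknown identifier simply fails on the card; checking first gives callers a
// clear error instead of an opaque APDU status word.
func ed25519AlgorithmFor(v firmwareVersion) (byte, error) {
	if !supportsNewKeyTypes(v) {
		return 0, fmt.Errorf("ed25519 needs firmware 5.7.0 or newer, have %d.%d.%d",
			v.Major, v.Minor, v.Patch)
	}
	return algEd25519, nil
}

// parseEd25519Public converts the raw 32-byte point a card returns into a Go
// ed25519.PublicKey, rejecting anything of the wrong length.
func parseEd25519Public(raw []byte) (ed25519.PublicKey, error) {
	if len(raw) != ed25519.PublicKeySize {
		return nil, fmt.Errorf("ed25519 public key: want %d bytes, got %d",
			ed25519.PublicKeySize, len(raw))
	}
	// Copy so the caller's buffer (e.g. an APDU response) can be reused safely.
	pub := make(ed25519.PublicKey, ed25519.PublicKeySize)
	copy(pub, raw)
	return pub, nil
}

// parseX25519Public converts a raw 32-byte u-coordinate into a crypto/ecdh
// public key. crypto/ecdh exists only since Go 1.20, which is exactly why the
// thread gates X25519 support on that Go version.
func parseX25519Public(raw []byte) (*ecdh.PublicKey, error) {
	if len(raw) != 32 {
		return nil, errors.New("x25519 public key: want 32 bytes")
	}
	return ecdh.X25519().NewPublicKey(raw)
}

func main() {
	// Constructed sample: keys generated in software stand in for what a
	// card would return; no hardware is involved.
	fw := firmwareVersion{5, 7, 3}
	alg, err := ed25519AlgorithmFor(fw)
	fmt.Printf("firmware %v ed25519 alg=0x%02x err=%v\n", fw, alg, err)

	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	parsed, _ := parseEd25519Public(pub)
	msg := []byte("constructed message")
	fmt.Println("ed25519 verify:", ed25519.Verify(parsed, msg, ed25519.Sign(priv, msg)))

	a, _ := ecdh.X25519().GenerateKey(rand.Reader)
	b, _ := ecdh.X25519().GenerateKey(rand.Reader)
	bPub, _ := parseX25519Public(b.PublicKey().Bytes())
	s1, _ := a.ECDH(bPub)
	s2, _ := b.ECDH(a.PublicKey())
	fmt.Println("x25519 shared secrets match:", string(s1) == string(s2))
}
```

The version gate is the part worth keeping in mind when adopting the new key types: a library that picks the identifier from the requested algorithm alone will produce confusing failures on older devices, whereas checking the firmware version first turns that into an actionable error. Returning `*ecdh.PublicKey` for X25519 is what ties the feature to Go 1.20, as the comment above explains; anything older would need a package-local type or a bare `[]byte`.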