iqlusioninc / yubikey.rs

Pure Rust YubiKey host-side driver for PIV-based RSA/ECC key storage + signing/encryption support
BSD 2-Clause "Simplified" License

Generating CSR #349

Open Scarjit opened 2 years ago

Scarjit commented 2 years ago

I currently need to generate CSRs programmatically, but I can't find out how to do it with yubikey.rs.

The "normal" workflow would be (according to the Yubico docs):

yubico-piv-tool -a generate -s 9c -A RSA2048 -o pub.key
Successfully generated a new private key.
yubico-piv-tool -a verify-pin -a request-certificate -s 9c -S '/CN=digi_sign/OU=test/O=example.com/' -i pub.key -o csr.pem
Enter PIN:
Successfully verified PIN.
Successfully generated a certificate request.

After sending the certificate request to the CA and getting a signed certificate:

yubico-piv-tool -a import-certificate -s 9c -i cert.pem
Successfully imported a new certificate.

I was able to reproduce the first step, using:

    use std::str::FromStr;
    use yubikey::{piv, piv::{AlgorithmId, RetiredSlotId, SlotId}, MgmKey, PinPolicy, Serial, TouchPolicy, YubiKey};

    fn main() -> yubikey::Result<()> {
        let mut ykey = YubiKey::open_by_serial(Serial::from_str("17040128").unwrap())?;
        // Key generation needs management-key authentication; the default key
        // only works on a device whose management key was never changed.
        ykey.authenticate(MgmKey::default())?;
        // Not required for generate(), but needed before signing with the key.
        ykey.verify_pin(b"123456")?;

        // Errors are propagated with `?` instead of being silently dropped.
        let _generated_key = piv::generate(
            &mut ykey,
            SlotId::Retired(RetiredSlotId::R1),
            AlgorithmId::Rsa2048,
            PinPolicy::Default,
            TouchPolicy::Default,
        )?;
        Ok(())
    }

However, the library only seems to expose a function to generate a self-signed certificate instead of a CSR.

Is there any function I'm missing, or is it not implemented?

tony-iqlusion commented 2 years ago

FYI, we have a work-in-progress implementation of PKCS#10 (CSRs) going here:

https://github.com/RustCrypto/formats/tree/master/pkcs10

However to use that, we'll also need to switch over to the RustCrypto X.509 crate: #348

npmccallum commented 2 years ago

@Scarjit I'm working very hard to make it possible to publish a polished x509 crate right now because we need it too. Please come help with reviews because we have lots of open PRs. :)

Scarjit commented 2 years ago

@npmccallum I will definitely do that!

tony-iqlusion commented 1 year ago

FYI, we've migrated to x509-cert as of #495

baloo commented 7 months ago

I think that should be doable with https://docs.rs/x509-cert/latest/x509_cert/builder/struct.RequestBuilder.html and https://docs.rs/yubikey/latest/yubikey/certificate/yubikey_signer/struct.Signer.html
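The `-S '/CN=digi_sign/OU=test/O=example.com/'` argument from the yubico-piv-tool workflow earlier in the thread uses the slash-separated subject syntax, while a `Name` for x509-cert's `RequestBuilder` is normally written in RFC 4514 form (`CN=...,OU=...,O=...`). The following is an added example, not code from yubikey.rs or x509-cert: a std-only Rust helper that parses the slash form (including `\/` escapes) and re-emits it as an RFC 4514 string, reversing the component order as RFC 4514 §2.1 requires. The subject strings are constructed for the example; whether the x509-cert version you use expects exactly that reversed order in its `FromStr` impl is an assumption to confirm against its docs. No YubiKey is needed to run it.

```rust
/// One type/value pair of a relative distinguished name, e.g. ("CN", "digi_sign").
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Rdn {
    pub attr: String,
    pub value: String,
}

#[derive(Debug, PartialEq, Eq)]
pub enum SubjectError {
    /// The string did not start with '/'.
    MissingLeadingSlash,
    /// A component lacked '=', had an empty type or value, or ended mid-escape.
    MalformedComponent(String),
    /// No components at all, e.g. "/".
    Empty,
}

/// Parse the slash-separated subject syntax used by `yubico-piv-tool -S`
/// (and OpenSSL's `-subj`), e.g. "/CN=digi_sign/OU=test/O=example.com/".
/// Components come back in the order written, i.e. the order they would be
/// placed in the ASN.1 RDNSequence. A backslash escapes the next character,
/// so "/O=Example\/Inc/" keeps its slash.
pub fn parse_slash_subject(s: &str) -> Result<Vec<Rdn>, SubjectError> {
    let mut chars = s.chars();
    if chars.next() != Some('/') {
        return Err(SubjectError::MissingLeadingSlash);
    }
    let mut components = Vec::new();
    let mut current = String::new();
    let mut escaped = false;
    for c in chars {
        match (escaped, c) {
            (true, c) => {
                current.push(c);
                escaped = false;
            }
            (false, '\\') => escaped = true,
            (false, '/') => push_component(&mut components, &mut current)?,
            (false, c) => current.push(c),
        }
    }
    if escaped {
        // Dangling backslash at end of input.
        return Err(SubjectError::MalformedComponent(current));
    }
    push_component(&mut components, &mut current)?;
    if components.is_empty() {
        return Err(SubjectError::Empty);
    }
    Ok(components)
}

/// Split one "TYPE=value" buffer into an Rdn; an empty buffer (from the trailing
/// '/' in the Yubico docs' example) is skipped rather than rejected.
fn push_component(out: &mut Vec<Rdn>, buf: &mut String) -> Result<(), SubjectError> {
    if buf.is_empty() {
        return Ok(());
    }
    let text = std::mem::take(buf);
    match text.split_once('=') {
        Some((attr, value)) if !attr.trim().is_empty() && !value.is_empty() => {
            out.push(Rdn { attr: attr.trim().to_string(), value: value.to_string() });
            Ok(())
        }
        _ => Err(SubjectError::MalformedComponent(text)),
    }
}

/// Escape an attribute value per RFC 4514 §2.4: the special characters get a
/// backslash, as do a leading '#' or space and a trailing space; NUL becomes "\00".
fn escape_rfc4514(value: &str) -> String {
    let n = value.chars().count();
    let mut out = String::with_capacity(value.len() + 4);
    for (i, c) in value.chars().enumerate() {
        if c == '\0' {
            out.push_str("\\00");
            continue;
        }
        let special = matches!(c, '"' | '+' | ',' | ';' | '<' | '>' | '\\')
            || (i == 0 && (c == '#' || c == ' '))
            || (i == n.saturating_sub(1) && c == ' ');
        if special {
            out.push('\\');
        }
        out.push(c);
    }
    out
}

/// Render parsed components as an RFC 4514 string. RFC 4514 §2.1 lists RDNs in
/// reverse order of the ASN.1 sequence, so the root-most component written
/// first in the slash form ends up last here.
pub fn to_rfc4514(rdns: &[Rdn]) -> String {
    rdns.iter()
        .rev()
        .map(|r| format!("{}={}", r.attr, escape_rfc4514(&r.value)))
        .collect::<Vec<_>>()
        .join(",")
}

fn main() {
    // Constructed inputs: the subject from the Yubico docs, and one with an
    // escaped slash and a comma that must survive the round trip.
    let docs = parse_slash_subject("/CN=digi_sign/OU=test/O=example.com/").expect("valid subject");
    println!("{}", to_rfc4514(&docs));
    let tricky = parse_slash_subject(r"/O=Example\/Inc, Ltd/CN=svc").expect("valid subject");
    println!("{}", to_rfc4514(&tricky));
}
```

The resulting string is what you would hand to x509-cert's `Name` parser before calling `RequestBuilder::new`; the hardware-backed signing step itself still goes through the `yubikey_signer::Signer` type linked above and is not shown here.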