Closed phiekl closed 3 years ago
@phiekl thanks for reporting this! I suppose I'm not entirely surprised. During initial implementation I was a bit surprised about how different and loosely defined the specs were from Yubi between the two attestation formats, as well as differences between firmware versions. And even with about 6 different yubikeys from different vintages there were interesting differences between versions.
I'm interested in understanding and fixing this issue.
It looks like this PIV attestation was generated from v5.2.7 firmware. The closest I have is a 5C-Nano w/ v5.2.4, so I wonder if that matters somehow.
Yes, if you wouldn't mind sending me the attestation .pem's that would be great. I'm not sure the best way to send them. Any suggestions? My GPG keys are available on keybase if that helps - https://keybase.io/joemiller and email joe <at> joemiller.me
Also - What form factor was the attestation generated from? Perhaps there is a newer yubikey we need to account for in the switch statement. (EDIT: although I don't see any new formfactors in the docs 🤔 )
https://github.com/joemiller/yk-attest-verify/blob/master/pkg/piv/attestation.go#L247-L257
@joemiller Thanks for your reply! I've emailed you the pem files.
I'm using the YubiKey 5C NFC. While using the pgp part of yk-attest-verify it's identified like:
- Formfactor : USB-C Keychain
@phiekl great, thank you. I will take a look this week.
My initial read on the situation:
Your attestation cert parses correctly after I make a similar change:
YubiKey PIV Attestation:
- Key slot : 9a
- YubiKey Version: v5.2.7
- Serial # : <redacted>
- Formfactor : USB-C Keychain
- PIN Policy : Once
- Touch Policy : Cached
I'm going to keep poking at it but it feels like the fix here is to assume the form-factor extension is encoded as a raw byte instead of ASN.1 encoded. So instead of trying to do `formfactor := asn1.Unmarshal(e.Value)` we will need to do `formfactor := e.Value`.
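A decoder for the form-factor extension along the lines of the fix described above, written here as an added example rather than yk-attest-verify's own code. The extension OID and the form-factor code table are assumptions taken from Yubico's PIV attestation documentation, not from this thread; the thread only shows that this key reports "USB-C Keychain".

```go
package main

import (
	"encoding/asn1"
	"fmt"
)

// OID of the YubiKey PIV attestation form-factor extension (assumed from
// Yubico's attestation documentation, not from this thread).
var OIDFormFactor = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 41482, 3, 9}

// Form-factor codes (assumed per Yubico's documentation; the thread only
// shows that this particular key reports "USB-C Keychain").
var formFactorNames = map[byte]string{
	0x01: "USB-A Keychain",
	0x02: "USB-A Nano",
	0x03: "USB-C Keychain",
	0x04: "USB-C Nano",
	0x05: "Lightning/USB-C",
}

// FormFactor decodes the extension value. Firmware 5.2.7 in the thread writes
// the code as a single raw byte, which asn1.Unmarshal rejects as a truncated
// tag/length; the original code expected an ASN.1 wrapper. Accept both: a
// lone byte, or a DER OCTET STRING / INTEGER with one content byte.
func FormFactor(value []byte) (string, error) {
	var code byte
	if len(value) == 1 {
		code = value[0]
	} else {
		var rv asn1.RawValue
		rest, err := asn1.Unmarshal(value, &rv)
		if err != nil {
			return "", fmt.Errorf("form factor: %w", err)
		}
		wrapped := rv.Class == asn1.ClassUniversal && !rv.IsCompound &&
			(rv.Tag == asn1.TagOctetString || rv.Tag == asn1.TagInteger)
		if len(rest) != 0 || !wrapped || len(rv.Bytes) != 1 {
			return "", fmt.Errorf("form factor: unexpected encoding % x", value)
		}
		code = rv.Bytes[0]
	}
	name, ok := formFactorNames[code]
	if !ok {
		// A newer model lands here: extend the table instead of failing silently.
		return "", fmt.Errorf("form factor: unknown code 0x%02x", code)
	}
	return name, nil
}
```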
@phiekl Should be fixed in v0.0.3 https://github.com/joemiller/yk-attest-verify/releases
I've encountered the following issue, using the current master (d77c47bf):
I've tried exporting the attestation certificate using both ykman 4.0.1 and yubico-piv-tool, tried with RSA2048 and ECCP256 keys, and compiled the program with golang 1.14 (debian buster backports) and 1.15 (debian bullseye), but it just ends up like this.
By removing the whole `case e.Id.Equal(extIDFormFactor)` block from pkg/piv/attestation.go, it executes successfully.
If you'd like to see the .pem files I can send them privately.
This is a very nice project btw, and the openpgp part works great, thanks!