Open awnumar opened 2 weeks ago
`age` is not `exec`ing to `age-plugin-yubikey` just to parse the recipient; it is calling out to `age-plugin-yubikey` to produce the `piv-p256` stanzas that will go into the file header. This is the normal age plugin protocol.
What you are actually asking for is a Go implementation of the recipient wrapping code for `piv-p256` stanzas, which involves:
- `age1yubikey1` recipient string to obtain a P-256 public key.
- `piv-p256` stanza.
This is indeed logic that can be factored out for use in a library context (and I probably will at some point for #171). But the code in this repo would only be usable in a Rust library context (i.e. with the `age` Rust crate). What you need is a Go reimplementation, and I'm a Rust developer, so I can't help you do that. I can point you to the relevant Rust code however:
https://github.com/str4d/age-plugin-yubikey/blob/36290c74ebd2723832aae684d43b927c9104f744/src/p256.rs#L36-L45
https://github.com/str4d/age-plugin-yubikey/blob/36290c74ebd2723832aae684d43b927c9104f744/src/p256.rs#L58-L64
https://github.com/str4d/age-plugin-yubikey/blob/36290c74ebd2723832aae684d43b927c9104f744/src/p256.rs#L71-L79
https://github.com/str4d/age-plugin-yubikey/blob/36290c74ebd2723832aae684d43b927c9104f744/src/format.rs#L113-L144
https://github.com/str4d/age-plugin-yubikey/blob/36290c74ebd2723832aae684d43b927c9104f744/src/format.rs#L64-L75
What were you trying to do
I'm trying to encrypt to an age1yubikey recipient inside a restricted environment, using a Go program that is using the official age Go library.
What happened
Unfortunately, the Go library needs to `exec` out to `age-plugin-yubikey` in order to parse a public key recipient string. This is complicated for us to support because `age-plugin-yubikey` is not a static binary and instead depends on `pcscd` and specific versions of GLIBC.
Often the generation of sensitive data happens in a restricted environment which rarely has dynamic libraries available.
We don't need the Yubikey integration or any support for talking to a Yubikey. All we need is a small piece of code that can translate an age1yubikey public key recipient into something that the `age` library understands natively.
Would you be able to provide a small Go function or static binary that can translate a public key recipient from this package's custom format into a normal `age` Recipient?
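
The recipient-parsing step from the maintainer's reply, as an added Go example using only the standard library; it is not code from this thread, from age-plugin-yubikey or from the age library, and it does not produce the `piv-p256` stanza. It assumes the recipient is Bech32 with the human-readable part `age1yubikey` and a 33-byte compressed SEC1 P-256 point as payload; `ParseYubikeyRecipient` and `polymod` are names chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"fmt"
	"math/big"
	"os"
	"slices"
	"strings"
)
const hrp, charset = "age1yubikey", "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
// polymod is the Bech32 (BIP 173) checksum over 5-bit symbols; valid input yields 1.
func polymod(syms []byte) uint32 {
	chk := uint32(1)
	for _, v := range syms {
		top := chk >> 25
		chk = (chk&0x1ffffff)<<5 ^ uint32(v)
		for i, g := range [5]uint32{0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3} {
			chk ^= g * (top >> i & 1)
		}
	}
	return chk
}
// ParseYubikeyRecipient assumes Bech32, HRP "age1yubikey", payload = 33-byte compressed SEC1 point.
func ParseYubikeyRecipient(s string) (*ecdsa.PublicKey, error) {
	if !strings.HasPrefix(s, hrp+"1") || len(s) != len(hrp)+1+53+6 {
		return nil, fmt.Errorf("not an age1yubikey1 recipient: %q", s)
	}
	syms := make([]byte, 2*len(hrp)+1) // HRP expansion: high bits, 0, low 5 bits
	for i := range hrp {
		syms[i], syms[len(hrp)+1+i] = hrp[i]>>5, hrp[i]&31
	}
	for _, c := range s[len(hrp)+1:] {
		syms = append(syms, byte(strings.IndexRune(charset, c))) // not in charset: 255
	}
	if slices.Max(syms) > 31 || polymod(syms) != 1 {
		return nil, fmt.Errorf("invalid Bech32 character or checksum in %q", s)
	}
	n := new(big.Int) // 53 symbols = 265 bits: the 33-byte point plus one zero pad bit
	for _, v := range syms[2*len(hrp)+1 : len(syms)-6] {
		n.Lsh(n, 5).Or(n, big.NewInt(int64(v)))
	}
	x, y := elliptic.UnmarshalCompressed(elliptic.P256(), new(big.Int).Rsh(n, 1).Bytes())
	if x == nil || n.Bit(0) != 0 {
		return nil, fmt.Errorf("payload of %q is not a compressed P-256 point", s)
	}
	return &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, nil
}
func main() { fmt.Println(ParseYubikeyRecipient(strings.Join(os.Args[1:], ""))) }
```

`elliptic.UnmarshalCompressed` rejects points that are not on the curve, so a string with a valid checksum but an invalid key is still refused.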