piv

package
v0.0.0-...-15d4781 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 24, 2019 License: ISC Imports: 16 Imported by: 0

Documentation

Overview

package piv provides an interface to FIPS-201 PIV smartcards

Index

Constants

View Source 
const (
	ObjectTagTag             = 0x5C
	ObjectDataTag            = 0x53
	KeyAlgorithmTag          = 0x80
	GenerateKeyControlTag    = 0xAC
	PublicKeyTag             = 0x7F49
	DynamicAuthenticationTag = 0x7C
)

Variables

View Source 
var AID = []byte{0xA0, 0x00, 0x00, 0x03, 0x08, 0x00, 0x00, 0x10, 0x00}

AID is the PIV Application ID

View Source 
var Keys = []KeyInfo{
	KeyInfo{AuthenticationKey, "auth", "Authentication", 0x5FC105},
	KeyInfo{SigningKey, "sign", "Signing", 0x5FC10A},
	KeyInfo{KeyManagementKey, "encryption", "Encryption (Key Management Key)", 0x5FC10B},
	KeyInfo{CardAuthenticationKey, "cardauth", "Card Authentication", 0x5FC101},
	KeyInfo{YubicoAttestationKey, "yk-attestation", "Certificate Attestation", 0x5FFF01},
}

Functions

func GenerateKey 

func GenerateKey(c *card.Card, key KeyID, alg AlgorithmID) (crypto.PublicKey, error)

GenerateKey generates a new key on the card, returning the new publc key. The returned public key is not stored anywhere - you must store it somewhere (e.g. by using the card to self sign a certificate and storing that!)

func GetObject 

func GetObject(c *card.Card, tag uint32) ([]byte, error)

GetObject retrieves the object with the specified tag from the card

func Login 

func Login(c *card.Card, pinId PinID, pin []byte) error

Login attempts a card login. If pin is empty, will return an error indicating the number of PIN attempts remaining

func Logout 

func Logout(c *card.Card) error

Logout signs the user out of the card

func Manage 

func Manage(c *card.Card, key []byte) error

Manage logs in using the card admin PIN

func NewSigner 

func NewSigner(
	card *card.Card,
	pubKey crypto.PublicKey,
	key KeyID,
	prompt func(c *card.Card) error,
) (crypto.Signer, error)

NewSigner creates a signer which is backed by the card

pubKey is the public key of the key that will be used for signing key is the key slot of said key prompt will be called if an authentication required error is returned and may be used to prompt the cardholder for a PIN

func SelectApp 

func SelectApp(c *card.Card) error

SelectApp selects the PIV application

func SetCertificate 

func SetCertificate(c *card.Card, key KeyID, cert Certificate) error

SetCertificate stores the specified certificate on the card

func SetObject 

func SetObject(c *card.Card, tag uint32, data []byte) error

SetObject stores the object with the specified tag on the card

func Sign 

func Sign(c *card.Card, key KeyID, alg AlgorithmID, challenge []byte) ([]byte, error)

Sign signs the specified challenge

func YubicoAttest 

func YubicoAttest(c *card.Card, key KeyID) ([]byte, error)

YubicoAttest asks the card to return the attestation certificate for the specified key (YubiKey 4 specific)

Types

type AlgorithmID 

type AlgorithmID byte

Algorithm encodes a PIV cryptographic algorithm 

const (
	TripleDES   AlgorithmID = 0x00
	TripleDES_B AlgorithmID = 0x03
	RSA_1024    AlgorithmID = 0x06
	RSA_2048    AlgorithmID = 0x07
	AES_128     AlgorithmID = 0x08
	AES_192     AlgorithmID = 0x0A
	AES_256     AlgorithmID = 0x0C
	ECC_P256    AlgorithmID = 0x11
	ECC_P384    AlgorithmID = 0x14
	SM_CS2      AlgorithmID = 0x27
	SM_CS7      AlgorithmID = 0x2E
)

func AlgorithmFromPublicKey 

func AlgorithmFromPublicKey(k crypto.PublicKey) (AlgorithmID, error)

AlgorithmFromPublicKey returns a card algorithm for a public key

func GetAlgorithmID 

func GetAlgorithmID(name string) (AlgorithmID, error)

GetAlgorithmID returns the ID of a named algorihm

func (AlgorithmID) GetInfo 

func (a AlgorithmID) GetInfo() AlgorithmInfo

GetInfo returns the info on this algorithm

func (AlgorithmID) ParsePublicKey 

func (a AlgorithmID) ParsePublicKey(buf []byte) (crypto.PublicKey, error)

ParsePublicKey parses a buffer into a public key for this algorithm

type AlgorithmInfo 

type AlgorithmInfo struct {
	// ID is the PIV algorithm identifier
	ID AlgorithmID
	// Name is a human readable name of the algorithm
	Name string
	// Asymmetric is whether this is an asymemetric algorithm
	Asymmetric bool
	// For asymmetric keys, x509 Public Key Algorithm
	PublicKeyAlgorithm x509.PublicKeyAlgorithm
}

AlgorithmInfo is information about an Algorithm

func GetAlgorithmInfo 

func GetAlgorithmInfo(name string) (AlgorithmInfo, error)

GetAlgorithmInfo returns the information for a named algorithm

type Certificate 

type Certificate struct {
	// Certificate contains the X.509 certificate
	Certificate []byte `ber:"70"`
	// CertInfo contains the certificate info byte
	CertInfo []byte `ber:"71"`
	// MSCUID returns the MSCUUD
	MSCUID []byte `ber:"72"`
	// EDC contains the error detection code (should be 0 on PIV cards)
	EDC []byte `ber:"FE"`
}

Certificate represents a PIV certificate structure

func GetCertificate 

func GetCertificate(card *card.Card, key KeyID) (*Certificate, error)

GetCertificate retrieves the certificate associated with the specified key ID from the card

func (Certificate) MarshalBinary 

func (c Certificate) MarshalBinary() ([]byte, error)

func (Certificate) ParseX509Certificate 

func (c Certificate) ParseX509Certificate() (*x509.Certificate, error)

ParseX509Certificate parses the certificate blob as an X.509 certificate

func (*Certificate) UnmarshalBinary 

func (c *Certificate) UnmarshalBinary(buf []byte) error

type DynamicAuthentication 

type DynamicAuthentication struct {
	Witness        *[]byte `ber:"80"`
	Response       *[]byte `ber:"82"`
	Challenge      *[]byte `ber:"81"`
	Exponentiation *[]byte `ber:"85"`
}

Witness '80' C Demonstration of knowledge of a fact without revealing the fact. An empty witness is a request for a witness. Challenge '81' C One or more random numbers or byte sequences to be used in the authentication protocol. Response '82' C A sequence of bytes encoding a response step in an authentication protocol. Exponentiation '85' C A parameter used in ECDH key agreement protocol

func GeneralAuthenticate 

func GeneralAuthenticate(c *card.Card, alg AlgorithmID, key KeyID, req DynamicAuthentication) (*DynamicAuthentication, error)

func (*DynamicAuthentication) Pack 

func (r *DynamicAuthentication) Pack() ([]byte, error)

func (*DynamicAuthentication) Unpack 

func (r *DynamicAuthentication) Unpack(buf []byte) error

type KeyID 

type KeyID byte

KeyID represents a key identifier 

const (
	// User authentication key (For signing challenges, login required)
	AuthenticationKey KeyID = 0x9A
	// Signing key (For signing documents, PIN required)
	SigningKey KeyID = 0x9C
	// Encryption key
	KeyManagementKey KeyID = 0x9D
	// Card holder authentication key (login *not* required)
	CardAuthenticationKey KeyID = 0x9E
	// Yubico attestation key slot
	// For YubiKey 4s, this slot contains the key which will be used to
	// sign card generated keys.
	YubicoAttestationKey KeyID = 0xF9

	ManagementKey KeyID = 0x9B
)

func GetKeyID 

func GetKeyID(name string) (KeyID, error)

GetKeyID gets a key ID from a name

func RetiredKeyManagementKey 

func RetiredKeyManagementKey(num int) (KeyID, error)

RetiredKeyManagementKey returns the ID of one of the 20 retired key management keys

func (KeyID) GetInfo 

func (k KeyID) GetInfo() KeyInfo

GetInfo gets information about this key ID

type KeyInfo 

type KeyInfo struct {
	ID    KeyID
	Short string
	Name  string
	Tag   uint32
}

KeyInfo represents information about a key

func GetKeyInfo 

func GetKeyInfo(name string) (KeyInfo, error)

GetKeyInfo gets information about the named key

type PinID 

type PinID byte

PinID represents a PIN identifier 

const (
	GlobalPIN      PinID = 0x00
	ApplicationPIN PinID = 0x80
)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.