Documentation ¶
Overview ¶
package piv provides an interface to FIPS-201 PIV smartcards
Index ¶
- Constants
- Variables
- func GenerateKey(c *card.Card, key KeyID, alg AlgorithmID) (crypto.PublicKey, error)
- func GetObject(c *card.Card, tag uint32) ([]byte, error)
- func Login(c *card.Card, pinId PinID, pin []byte) error
- func Logout(c *card.Card) error
- func Manage(c *card.Card, key []byte) error
- func NewSigner(card *card.Card, pubKey crypto.PublicKey, key KeyID, ...) (crypto.Signer, error)
- func SelectApp(c *card.Card) error
- func SetCertificate(c *card.Card, key KeyID, cert Certificate) error
- func SetObject(c *card.Card, tag uint32, data []byte) error
- func Sign(c *card.Card, key KeyID, alg AlgorithmID, challenge []byte) ([]byte, error)
- func YubicoAttest(c *card.Card, key KeyID) ([]byte, error)
- type AlgorithmID
- type AlgorithmInfo
- type Certificate
- type DynamicAuthentication
- type KeyID
- type KeyInfo
- type PinID
Constants ¶
const ( ObjectTagTag = 0x5C ObjectDataTag = 0x53 KeyAlgorithmTag = 0x80 GenerateKeyControlTag = 0xAC PublicKeyTag = 0x7F49 DynamicAuthenticationTag = 0x7C )
Variables ¶
var AID = []byte{0xA0, 0x00, 0x00, 0x03, 0x08, 0x00, 0x00, 0x10, 0x00}
AID is the PIV Application ID
var Keys = []KeyInfo{ KeyInfo{AuthenticationKey, "auth", "Authentication", 0x5FC105}, KeyInfo{SigningKey, "sign", "Signing", 0x5FC10A}, KeyInfo{KeyManagementKey, "encryption", "Encryption (Key Management Key)", 0x5FC10B}, KeyInfo{CardAuthenticationKey, "cardauth", "Card Authentication", 0x5FC101}, KeyInfo{YubicoAttestationKey, "yk-attestation", "Certificate Attestation", 0x5FFF01}, }
Functions ¶
func GenerateKey ¶
GenerateKey generates a new key on the card, returning the new publc key. The returned public key is not stored anywhere - you must store it somewhere (e.g. by using the card to self sign a certificate and storing that!)
func Login ¶
Login attempts a card login. If pin is empty, will return an error indicating the number of PIN attempts remaining
func NewSigner ¶
func NewSigner( card *card.Card, pubKey crypto.PublicKey, key KeyID, prompt func(c *card.Card) error, ) (crypto.Signer, error)
NewSigner creates a signer which is backed by the card
pubKey is the public key of the key that will be used for signing key is the key slot of said key prompt will be called if an authentication required error is returned and may be used to prompt the cardholder for a PIN
func SetCertificate ¶
func SetCertificate(c *card.Card, key KeyID, cert Certificate) error
SetCertificate stores the specified certificate on the card
Types ¶
type AlgorithmID ¶
type AlgorithmID byte
Algorithm encodes a PIV cryptographic algorithm
const ( TripleDES AlgorithmID = 0x00 TripleDES_B AlgorithmID = 0x03 RSA_1024 AlgorithmID = 0x06 RSA_2048 AlgorithmID = 0x07 AES_128 AlgorithmID = 0x08 AES_192 AlgorithmID = 0x0A AES_256 AlgorithmID = 0x0C ECC_P256 AlgorithmID = 0x11 ECC_P384 AlgorithmID = 0x14 SM_CS2 AlgorithmID = 0x27 SM_CS7 AlgorithmID = 0x2E )
func AlgorithmFromPublicKey ¶
func AlgorithmFromPublicKey(k crypto.PublicKey) (AlgorithmID, error)
AlgorithmFromPublicKey returns a card algorithm for a public key
func GetAlgorithmID ¶
func GetAlgorithmID(name string) (AlgorithmID, error)
GetAlgorithmID returns the ID of a named algorihm
func (AlgorithmID) GetInfo ¶
func (a AlgorithmID) GetInfo() AlgorithmInfo
GetInfo returns the info on this algorithm
func (AlgorithmID) ParsePublicKey ¶
func (a AlgorithmID) ParsePublicKey(buf []byte) (crypto.PublicKey, error)
ParsePublicKey parses a buffer into a public key for this algorithm
type AlgorithmInfo ¶
type AlgorithmInfo struct { // ID is the PIV algorithm identifier ID AlgorithmID // Name is a human readable name of the algorithm Name string // Asymmetric is whether this is an asymemetric algorithm Asymmetric bool // For asymmetric keys, x509 Public Key Algorithm PublicKeyAlgorithm x509.PublicKeyAlgorithm }
AlgorithmInfo is information about an Algorithm
func GetAlgorithmInfo ¶
func GetAlgorithmInfo(name string) (AlgorithmInfo, error)
GetAlgorithmInfo returns the information for a named algorithm
type Certificate ¶
type Certificate struct { // Certificate contains the X.509 certificate Certificate []byte `ber:"70"` // CertInfo contains the certificate info byte CertInfo []byte `ber:"71"` // MSCUID returns the MSCUUD MSCUID []byte `ber:"72"` // EDC contains the error detection code (should be 0 on PIV cards) EDC []byte `ber:"FE"` }
Certificate represents a PIV certificate structure
func GetCertificate ¶
func GetCertificate(card *card.Card, key KeyID) (*Certificate, error)
GetCertificate retrieves the certificate associated with the specified key ID from the card
func (Certificate) MarshalBinary ¶
func (c Certificate) MarshalBinary() ([]byte, error)
func (Certificate) ParseX509Certificate ¶
func (c Certificate) ParseX509Certificate() (*x509.Certificate, error)
ParseX509Certificate parses the certificate blob as an X.509 certificate
func (*Certificate) UnmarshalBinary ¶
func (c *Certificate) UnmarshalBinary(buf []byte) error
type DynamicAuthentication ¶
type DynamicAuthentication struct { Witness *[]byte `ber:"80"` Response *[]byte `ber:"82"` Challenge *[]byte `ber:"81"` Exponentiation *[]byte `ber:"85"` }
Witness '80' C Demonstration of knowledge of a fact without revealing the fact. An empty witness is a request for a witness. Challenge '81' C One or more random numbers or byte sequences to be used in the authentication protocol. Response '82' C A sequence of bytes encoding a response step in an authentication protocol. Exponentiation '85' C A parameter used in ECDH key agreement protocol
func GeneralAuthenticate ¶
func GeneralAuthenticate(c *card.Card, alg AlgorithmID, key KeyID, req DynamicAuthentication) (*DynamicAuthentication, error)
func (*DynamicAuthentication) Pack ¶
func (r *DynamicAuthentication) Pack() ([]byte, error)
func (*DynamicAuthentication) Unpack ¶
func (r *DynamicAuthentication) Unpack(buf []byte) error
type KeyID ¶
type KeyID byte
KeyID represents a key identifier
const ( // User authentication key (For signing challenges, login required) AuthenticationKey KeyID = 0x9A // Signing key (For signing documents, PIN required) SigningKey KeyID = 0x9C // Encryption key KeyManagementKey KeyID = 0x9D // Card holder authentication key (login *not* required) CardAuthenticationKey KeyID = 0x9E // Yubico attestation key slot // For YubiKey 4s, this slot contains the key which will be used to // sign card generated keys. YubicoAttestationKey KeyID = 0xF9 ManagementKey KeyID = 0x9B )
func RetiredKeyManagementKey ¶
RetiredKeyManagementKey returns the ID of one of the 20 retired key management keys
type KeyInfo ¶
KeyInfo represents information about a key
func GetKeyInfo ¶
GetKeyInfo gets information about the named key