go-piv / go-ykpiv
Golang interface to manage Yubikeys, including a crypto.Signer & crypto.Decrypter interface
License: MIT License
The following occurs if I run ykls while my laptop's ExpressCard smartcard reader is in:
$ dpkg -x /opt/deb/buildarea/golang-pault-go-ykpiv-dev_1.3.2-1_amd64.deb .
$ ./usr/bin/ykls --help
Reader: Gemalto GemPC Express 00 00
panic: ykpiv ykpiv_connect: PKCS Error (-2) - Error in PCSC call
goroutine 1 [running]:
main.ohshit(...)
pault.ag/go/ykpiv/cmd/ykls/ykls.go:31
main.main()
pault.ag/go/ykpiv/cmd/ykls/ykls.go:44 +0x7cd
After removing the reader:
$ ./usr/bin/ykls
Reader: Yubico YubiKey FIDO+CCID 00 00
Version: 4.3.7
Serial: 6447364
Slot Authentication (9a): [email protected]
Hi @paultag, thanks a lot for this nice library!
In our current project, we sometimes use your package in an automated fashion and inject PIN/Management Key through the Options struct and that works perfectly.
However we also have a CLI/interactive tool where we prompt users for PIN entry. We only want to prompt when the PIN is required, so we can't set all the PIN, PUK, Management Key at start up. In such case it's a bit more difficult to integrate; we currently Close and New the card every time so we can pass new options with new PINs, messy.
I am fine implementing a way to allow to request PIN entry more dynamically, but I'd like your opinion first on what this should look like.
I see several options:
* New so we can replace GetPIN, GetPUK, etc. and do all our PIN entry logic there; most people could still use the normal Options as before so it is fully backward compatible
* Options to New so we can change PIN, PUK, etc. without having to recreate the whole key (not backward compatible and still fairly messy as we have to guess when you need the PIN, etc.)
Looking forward to your feedback!
I wanted to make libykpiv spit out the bytes it transmit to the yubikey, which it does at verbose >= 2. The Go wrapper's Options.Verbose should have let me do that.
I have a YubiKey NEO, and I'm trying to make software authorization with this YubiKey (if a verified YubiKey is plugged in, there is some conditional from go-ykpiv), and I have no idea where to start: I have no idea how to verify if the Yubico is plugged in, and so on.
I'm trying to build executable for Win10 platform, and get errors like:
► iMac@ykpiv$ GOOS=windows GOARCH=amd64 go build -o ykls.exe ykls.go
# pault.ag/go/ykpiv
src/pault.ag/go/ykpiv/tls.go:29:12: undefined: Slot
Everything is ok when building for darwin:
► iMac@ykpiv$ GOOS=darwin GOARCH=amd64 go build -o ykls.osx ykls.go
and it works like a charm (standalone). Same when running go run .....
But my main target is the Windows platform, and cross-compiling for Windows (within OS X) is best for developing my project. So I need some newbie help!
Maybe I'm missing something: can you help me figure out my toolchain for this cross-compile?
Otherwise cross-compiling (osx -> win) is working very well (at least with std.libs).
But cgo or cross-compiling is new to me :(
The documentation is a little sparse on how to use slot.Decrypt to perform ECDH. I've got it "working" in that the correct value exists along the way, but the Decrypt function is failing because it is trying to run the output through pkcs1v15.Unpad. If I put a print in the Decrypt function that prints out the results of the C.GoBytes call, I can confirm it is generating the correct shared secret.
My program is something like this:
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"fmt"

	"github.com/aead/ecdh"
	"pault.ag/go/ykpiv"
)

func main() {
	pin := "123456"
	yubikey, err := ykpiv.New(ykpiv.Options{
		Reader: "Yubikey",
		PIN:    &pin,
	})
	if err != nil {
		panic(err)
	}
	defer yubikey.Close()
	if err := yubikey.Login(); err != nil {
		panic(err)
	}
	// The private EC P-256 key has been generated in this slot before.
	slt, err := yubikey.Slot(ykpiv.KeyManagement)
	if err != nil {
		panic(err)
	}
	// Create the other side (Alice) for testing.
	p256 := ecdh.Generic(elliptic.P256())
	privateAlice, publicAlice, err := p256.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	yubiPublic := slt.Public().(*ecdsa.PublicKey)
	yubiPublicAsPoint := ecdh.Point{X: yubiPublic.X, Y: yubiPublic.Y}
	// Get the secret as computed by Alice.
	expectedSecret := p256.ComputeSecret(privateAlice, yubiPublicAsPoint)
	// Convert Alice's public key into the uncompressed point format (0x04||X||Y) required by ykpiv.
	pt := publicAlice.(ecdh.Point)
	alicePubkeyOctet := elliptic.Marshal(elliptic.P256(), pt.X, pt.Y)
	// The card returns the raw ECDH shared secret here, but Decrypt then tries to
	// strip PKCS#1 v1.5 padding from it, which is where the error below comes from.
	computedSecret, err := slt.Decrypt(rand.Reader, alicePubkeyOctet, nil)
	if err != nil {
		panic(err)
	}
	if bytes.Equal(expectedSecret, computedSecret) {
		fmt.Printf("the secrets matched!!!!\n")
	} else {
		fmt.Printf("failed to get the right ECDH answer\n")
	}
}
When I run it, I get the error "ykpiv: pkcs1v15: Input does not appear to be in PKCS#1 v 1.5 padded format" but as I say, the bytes returned by libykpiv are actually correct, just not in PKCS#1
Perhaps we need a function that looks like Decrypt but doesn't treat the result as PKCS#1 ?
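As an added illustration (not code from this issue or from go-ykpiv), the following pure-Go model of the two operations involved assumes the card's ECDH response is the raw x-coordinate of the shared point, as the issue's C.GoBytes observation suggests. It shows why that value is a correct shared secret and why feeding it through a PKCS#1 v1.5 unpad check, as Decrypt does, can only fail; the function names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/elliptic"
	"crypto/rand"
	"errors"
)

// ecdhRawSecret models what the PIV ECDH operation returns for an EC key in
// the key management slot: the x-coordinate of d*Qpeer, left-padded to the
// field size (32 bytes for P-256). It is key-agreement output, not a message.
func ecdhRawSecret(curve elliptic.Curve, priv, peerUncompressed []byte) ([]byte, error) {
	px, py := elliptic.Unmarshal(curve, peerUncompressed) // expects 0x04||X||Y
	if px == nil {
		return nil, errors.New("peer key is not a valid uncompressed point on the curve")
	}
	x, _ := curve.ScalarMult(px, py, priv)
	return x.FillBytes(make([]byte, (curve.Params().BitSize+7)/8)), nil
}

// pkcs1v15Unpad is the check Decrypt applies to every result:
// EME-PKCS1-v1_5 is 0x00 || 0x02 || PS (>= 8 non-zero bytes) || 0x00 || M.
func pkcs1v15Unpad(em []byte) ([]byte, error) {
	sep := -1
	if len(em) >= 11 && em[0] == 0x00 && em[1] == 0x02 {
		sep = bytes.IndexByte(em[2:], 0x00)
	}
	if sep < 8 {
		return nil, errors.New("input does not appear to be in PKCS#1 v1.5 padded format")
	}
	return em[2+sep+1:], nil
}

// agree runs the exchange with two software keys (constructed for the demo):
// "token" stands in for the YubiKey's slot key, "alice" for the caller.
func agree(curve elliptic.Curve) (tokenSecret, aliceSecret []byte, err error) {
	tokenPriv, tx, ty, err := elliptic.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	alicePriv, ax, ay, err := elliptic.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Each side receives the other's uncompressed point, as the issue builds with elliptic.Marshal.
	tokenSecret, err = ecdhRawSecret(curve, tokenPriv, elliptic.Marshal(curve, ax, ay))
	if err == nil {
		aliceSecret, err = ecdhRawSecret(curve, alicePriv, elliptic.Marshal(curve, tx, ty))
	}
	return tokenSecret, aliceSecret, err
}
```

Both sides derive the same 32-byte value, and pkcs1v15Unpad rejects it because a field element has no reason to start with 0x00 0x02, which is the failure the issue reports.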
It looks like the SSL certificate has expired for https://pault.ag.
This means a go get fails a la:
package pault.ag/go/ykpiv: unrecognized import path "pault.ag/go/ykpiv" (https fetch: Get https://pault.ag/go/ykpiv?go-get=1: x509: certificate has expired or is not yet valid)
I think this may be a compatibility problem between libykpiv-dev and this package? I'm using version 1.4.2-2 on Ubuntu 18.04.
vendor/pault.ag/go/ykpiv/ykpiv.go:336:21: could not determine kind of name for C.ykpiv_attest
Simple tool to set up a token:
Sorry, but I don't know how else to get in contact with you. :O
Basically: hylang/hy#1198
You're the one who has admin access...
Is there a properly defined use on CentOS systems? I see the package "yubico-piv-tool" (https://centos.pkgs.org/7/epel-x86_64/yubico-piv-tool-devel-2.0.0-1.el7.x86_64.rpm.html) is available on CentOS but I can't get it to work with go-ykpiv.
Any advice?
Right now it's not possible to use go-ykpiv to set the Management key to the derived key, since there's no helper to write and store the pivman tokens. The interface is fairly low-level; maybe a simple "Config" or "Set management key" function.
Go modules are all cool now :) https://github.com/golang/go/wiki/Modules