go-piv / go-ykpiv

Golang interface to manage Yubikeys, including a crypto.Signer & crypto.Decrypter interface

License: MIT License

Go 99.43% Dockerfile 0.57%
cryptography golang library ykpiv yubikey

go-ykpiv's People

Contributors: bluestealth, edwardbetts, ericchiang, immesys, jackofmosttrades, jtakkala, louisbrunner, luc-lynx, mgurevin, nbraud, paultag, ryandeivert, tianon


go-ykpiv's Issues

ykls panics when a non-YubiKey smartcard reader is present

The following occurs if I run ykls while my laptop's ExpressCard smartcard reader is in:

$ dpkg -x /opt/deb/buildarea/golang-pault-go-ykpiv-dev_1.3.2-1_amd64.deb .
$ ./usr/bin/ykls --help
Reader:  Gemalto GemPC Express 00 00
panic: ykpiv ykpiv_connect: PKCS Error (-2) - Error in PCSC call

goroutine 1 [running]:
main.ohshit(...)
	pault.ag/go/ykpiv/cmd/ykls/ykls.go:31
main.main()
	pault.ag/go/ykpiv/cmd/ykls/ykls.go:44 +0x7cd

After removing the reader:

$ ./usr/bin/ykls 
Reader:  Yubico YubiKey FIDO+CCID 00 00
Version: 4.3.7
Serial:  6447364
Slot Authentication (9a): [email protected]

More flexible PIN entry

Hi @paultag, thanks a lot for this nice library!

In our current project, we sometimes use your package in an automated fashion and inject PIN/Management Key through the Options struct and that works perfectly.

However, we also have a CLI/interactive tool where we prompt users for PIN entry. We only want to prompt when the PIN is required, so we can't set the PIN, PUK and Management Key all at start-up. In such a case it's a bit more difficult to integrate; we currently Close and New the card every time so we can pass new options with new PINs, which is messy.

I am fine implementing a way to request PIN entry more dynamically, but I'd like your opinion first on what this should look like.

I see several options:

  • Take an interface as argument in New so we can replace GetPIN, GetPUK, etc and do all our PIN entry logic there, most people could still use the normal Options as before so it is fully backward compatible
  • Ability to pass a *Options to New so we can change PIN, PUK, etc without having to recreate the whole key (not backward compatible and still fairly messy as we have to guess when you need the PIN, etc)
  • Some other options I have missed?

Looking forward to your feedback!

How to use

I have a YubiKey NEO, and I'm trying to make software authorization with this YubiKey (if a verified YubiKey is plugged in, there is some conditional from go-ykpiv).

And I have no idea where to start; I have no idea how to verify whether the YubiKey is plugged in, and so on.

Cross-compile error for Windows

I'm trying to build an executable for the Win10 platform, and get errors like:

► iMac@ykpiv$ GOOS=windows GOARCH=amd64 go build -o ykls.exe ykls.go
# pault.ag/go/ykpiv
src/pault.ag/go/ykpiv/tls.go:29:12: undefined: Slot

Everything is ok when building for darwin:

► iMac@ykpiv$ GOOS=darwin GOARCH=amd64 go build -o ykls.osx  ykls.go

and it works like a charm (standalone). Same when running go run ......

But my main target is the Windows platform, and cross-compiling for Windows (within OS X) is best for developing my project. So I need some newbie help!

Maybe I'm missing something:

  • header files (#include <ykpiv.h>)?
  • DLLs? I have the OS X libykcs11.dylib in my project root
  • some cgo flags?

Can you help me figure out my toolchain for this cross-compile?
Otherwise cross-compiling (OS X -> Windows) is working very well (at least with the standard libraries).

But cgo and cross-compiling are new to me :(

Doing ECDH using Decrypt

The documentation is a little sparse on how to use slot.Decrypt to perform ECDH. I've got it "working" in that the correct value exists along the way, but the Decrypt function is failing because it is trying to run the output through pkcs1v15.Unpad. If I put a print in the Decrypt function that prints out the results of the C.GoBytes call, I can confirm it is generating the correct shared secret.

My program is something like this:

package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"fmt"

	"github.com/aead/ecdh"
	"pault.ag/go/ykpiv"
)

func main() {
	pin := "123456"
	yubikey, err := ykpiv.New(ykpiv.Options{
		Reader: "Yubikey",
		PIN:    &pin,
	})
	if err != nil {
		panic(err)
	}
	defer yubikey.Close()
	if err := yubikey.Login(); err != nil {
		panic(err)
	}
	// The private EC P-256 key has been generated in this slot before
	slt, err := yubikey.Slot(ykpiv.KeyManagement)
	if err != nil {
		panic(err)
	}

	// Create the other side for testing
	p256 := ecdh.Generic(elliptic.P256())
	privateAlice, publicAlice, err := p256.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	yubiPublic := slt.Public().(*ecdsa.PublicKey)
	yubiPublicAsPoint := ecdh.Point{X: yubiPublic.X, Y: yubiPublic.Y}

	// Get secret as computed by Alice
	expectedSecret := p256.ComputeSecret(privateAlice, yubiPublicAsPoint)

	// Convert Alice's public key into the uncompressed point format (0x04||X||Y) required by ykpiv
	pt := publicAlice.(ecdh.Point)
	alicePubkeyOctet := elliptic.Marshal(elliptic.P256(), pt.X, pt.Y)

	// On an EC slot, Decrypt performs ECDH with the supplied point; this is the call
	// that fails with the PKCS#1 v1.5 unpadding error
	computedSecret, err := slt.Decrypt(rand.Reader, alicePubkeyOctet, nil)
	if err != nil {
		panic(err)
	}
	if bytes.Equal(expectedSecret, computedSecret) {
		fmt.Printf("the secrets matched!!!!\n")
	} else {
		fmt.Printf("failed to get the right ECDH answer\n")
	}
}

When I run it, I get the error "ykpiv: pkcs1v15: Input does not appear to be in PKCS#1 v 1.5 padded format", but as I say, the bytes returned by libykpiv are actually correct, just not in PKCS#1.

Perhaps we need a function that looks like Decrypt but doesn't treat the result as PKCS#1?
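The mismatch described in this issue, reproduced in pure Go as an added example (not code from the issue or from go-ykpiv): a software P-256 key stands in for the Key Management slot, unpadPKCS1v15 is a constructed stand-in for the library's unpad step, and decryptForKey is a hypothetical version of the key-type dispatch the issue asks for (raw ECDH output for EC slots, unpadding only for RSA).

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/rsa"
	"errors"
)

// unpadPKCS1v15 stands in for Decrypt's pkcs1v15.Unpad step: 0x00 0x02, >= 8 non-zero bytes, 0x00, message.
func unpadPKCS1v15(em []byte) ([]byte, error) {
	if len(em) >= 11 && em[0] == 0x00 && em[1] == 0x02 {
		if sep := bytes.IndexByte(em[2:], 0x00); sep >= 8 {
			return em[2+sep+1:], nil
		}
	}
	return nil, errors.New("input does not appear to be in PKCS#1 v1.5 padded format")
}

// decryptForKey (hypothetical): unpad RSA results, return EC results (the raw ECDH secret) as-is.
func decryptForKey(slotPub any, raw []byte) ([]byte, error) {
	switch slotPub.(type) {
	case *rsa.PublicKey:
		return unpadPKCS1v15(raw)
	case *ecdsa.PublicKey, *ecdh.PublicKey: // a real slot.Public() is *ecdsa.PublicKey
		return raw, nil
	}
	return nil, errors.New("unsupported slot key type")
}

// must keeps the fixture short: rand.Reader only fails if the system RNG does.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// runExample simulates both sides in software (a P-256 key stands in for the slot).
func runExample() (bool, error) {
	slot := must(ecdh.P256().GenerateKey(rand.Reader))
	alice := must(ecdh.P256().GenerateKey(rand.Reader))
	expected := must(alice.ECDH(slot.PublicKey())) // Alice's view of the secret
	peer := must(ecdh.P256().NewPublicKey(alice.PublicKey().Bytes())) // 0x04||X||Y, as elliptic.Marshal emits
	raw := must(slot.ECDH(peer)) // what libykpiv hands back: the raw secret
	got, err := decryptForKey(slot.PublicKey(), raw)
	return err == nil && bytes.Equal(expected, got), err
}
```

A 32-byte P-256 shared secret almost never starts with 0x00 0x02 followed by eight non-zero bytes and a separator, which is why the unconditional unpad step rejects a correct ECDH result.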

SSL cert expired

It looks like the SSL certificate has expired for https://pault.ag.

This means a go get fails, à la:

package pault.ag/go/ykpiv: unrecognized import path "pault.ag/go/ykpiv" (https fetch: Get https://pault.ag/go/ykpiv?go-get=1: x509: certificate has expired or is not yet valid)

Add a helper to initialize the token

Simple tool to set up a token:

  • Reset the applet if the PIN isn't known or stock
  • Set the PIN, PUK and Management Key (including derived management key)
  • Write back a self-signed Certificate or output a CSR for a given slot.
