Comments (14)
Mind expanding on what the change would look like to this package? I'm testing on 10.15.4 and haven't had any issues :)
from piv-go.
I believe that it is an insGetData and insPutData similar to getting / storing certificates.
They would be implemented as SetCHUID/GetCHUID and SetCCC/GetCCC.
when you insert a key do you see the dialog asking to pair it ? or does it show in the list of smartcards ? This is on a vanilla install without opensc.
Also, another issue is that the key/certs are not showing in the keychain.
If you install opensc, then you cannot use your library because it requires exclusive access.
from piv-go.
you can try the following steps
$ yubico-piv-tool -a status
Version: 4.4.5
Serial Number: xxxxxxxx
CHUID: No data available
CCC: No data available
Slot 9a:
Algorithm: RSA2048
$ security list-smartcards
No smartcards found.
$ yubico-piv-tool -k -a set-chuid
Enter management key:
Successfully set new CHUID.
$ security list-smartcards
com.apple.pivtoken:1234567890ABCDEF1234567890ABCDEF
from piv-go.
when you insert a key do you see the dialog asking to pair it ? or does it show in the list of smartcards ? This is on a vanilla install without opensc.
Also, another issue is that the key/certs are not showing in the keychain.
Per https://github.com/go-piv/piv-go#installation I don't have anything installed that's not out of the box. I've just plugged in my YubiKey and everything's worked :)
I don't actually know what CHUID or CCC are. So more context would be helpful to understand what the request here is. Does this have something to do with the CryptoTokenKit API? Can you paste a small program using piv-go that shows what you expect to happen and what actually happens? If you're attempting to propose new APIs could you paste an example of what you'd want the new API to look like?
from piv-go.
CHUID and CCC are defined in NIST SP 800-73-4 : https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf
You can read all the details there in section 3.1 Mandatory Data Elements.
the Program would look like:
pivKey, err := piv.Open(cardName)
if err != nil {
....
}
defer pivKey.Close()
cardID, err := pivKey.CardId()
if err != nil {
...
}
if len(cardID) < piv.CardIdSize {
if err := pivKey.SetCardId(randomNumber); err != nil {
....
}
}
same model for CCC
you can see the API for in yubico-piv-tool here:
https://github.com/Yubico/yubico-piv-tool/blob/39582701465d1fadfac17e85ebe835a5864fb226/lib/ykpiv.h#L462-L522
from piv-go.
If you'd like to send a PR with associated that adds the following API I'd be happy to take it.
func (y *YubiKey) ID() (string, error)
func (y *YubiKey) SetID(id string) error
(or []byte or [N]byte instead of string if that's more appropriate)
If not I can take a look to add it later.
from piv-go.
I'm less clear about what CCC would be used for. Will have to read more.
from piv-go.
Also would CHUID be better in the Metadata struct? I always imagined that would expand to hold a lot of these optional fields that aren't required to actually use the key.
from piv-go.
I'll see if i can finish these functions - see #67
from piv-go.
Thanks for all the great work you've done! I can't really explain why CHUID/CCC are needed, but in my case Google Chrome and Safari refuse to use a client certificate stored in any PIV slot until those fields are set. They don't even prompt for certificate choice or PIN. Current workaround is to generate them using yubikey manager CLI, but I'd really love to see this functionality implemented in this package
ykman piv objects generate CHUID
ykman piv objects generate CCC
Do let me know if you need a test example or any help to finalise and merge #67
from piv-go.
I have tested CHUID as implemented in #67 - I had the same problem with Apple MacOS not accepting cards without CHUID. Did you try with just the CHUID ? It was sufficient in my use case.
I've not seen any movement on this repo in a while. Maybe @ericchiang can chime in.
from piv-go.
Sorry for ghosting #67 :( I don't have a ton of bandwidth for this project but I should have left a comment.
I'm a little lost on what CHUID/CCC are. There's signatures and unique IDs, but I'm not clear who's supposed to generate those signatures or IDs, and how you'd actually validate them (or when you need to validate them). Are they just ways to name the slot? Or would an organization actually set them to a proper signed value using a CA? If it's the later, the API probably needs to accept a CA or be named "Insecure" like our method for setting a private key.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf#page=17
https://pkg.go.dev/github.com/go-piv/piv-go/piv?utm_source=godoc#YubiKey.SetPrivateKeyInsecure
While #67 has a pre-generated value, I don't understand how it was generated.
Is there anything someone can point me to that explains CHUID that'd be really helpful. It's hard to review and API without that context.
from piv-go.
Did you try with just the CHUID?
Just tried it one more time and yep, it did work with only CHUID set.
Here are some bits and pieces I was able to find
For the application to be usable in windows the object CHUID (Card Holder Unique Identifier) has to be set and unique. The card contents are also aggressively cached so the CHUID has to be changed if the card contents change.
Although, as I've already mentioned, it didn't work for me on macOS as well.
- Yubikey manager automatically updates CHUID on each of the following operations:
import_certificate: https://github.com/Yubico/yubikey-manager/blob/257e2ace7beec672ac867700d3305c035520e174/ykman/cli/piv.py#L795
generate_certificate (self-signed): https://github.com/Yubico/yubikey-manager/blob/257e2ace7beec672ac867700d3305c035520e174/ykman/cli/piv.py#L877
delete_certificate: https://github.com/Yubico/yubikey-manager/blob/257e2ace7beec672ac867700d3305c035520e174/ykman/cli/piv.py#L946
- There was a discussion on signed CHUIDs, which ended up with Yubikey Manager API having a method for setting arbitrary objects, so that if it's really needed, you could implement it on your own. Otherwise, the CHUID is set to semi-random value as shown in (2) and (4)
- Here is a reference piece of code responsible for generating CHUIDs
from piv-go.
While #67 has a pre-generated value, I don't understand how it was generated.
@ericchiang the explanation is in the comment in the PR. If we need to support different (like signed CHUIDs) I would recommend that we do like the yubico tool and allow to directly pass in the encoded value instead of using the template.
from piv-go.
Related Issues (20)
- Reordering the TouchPolicy in #74 makes the strictness order wrong HOT 2
- Build failure on arm FreeBSD HOT 2
- Possibility of cutting a new release to include OpenBSD support? HOT 3
- Support AES Management keys HOT 2
- NFC and ISO 7816 support HOT 3
- Expose keyRSA and keyEd25519 type HOT 2
- Incompatibility with Go 1.20rc1 HOT 3
- Support for linux armv7 HOT 3
- Pivot
- Error: Unable to open the Yubikey card: connecting to smart card: the smart card cannot be accessed because of other connections outstanding HOT 1
- rsassa-pss signatures not supported HOT 3
- Bump go.mod version HOT 1
- Unable to build on macOS HOT 6
- Cross compile linux amd64 -> darwin amd64 issues with CGO (`<angled> include; use "quotes" instead`) HOT 2
- PIV Emulation? HOT 2
- Private key decryption on Yubikey by ECDSA HOT 2
- Support GET METADATA command and use it to derive default PIN policy HOT 1
- Cross-compiling requirements HOT 2
- Windows: the Smart card resource manager is not running HOT 4
- Go PIV do not give Shared access to multiple processes HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from piv-go.