libyubi

package
v0.1.4 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Sep 17, 2025 License: MIT Imports: 20 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

// SlotMax is the upper end of the slot range SlotMin..SlotMax (0x82..0x95).
// Those values coincide with the PIV "retired key management" slots.
// NOTE(review): presumably the highest slot callers may request; confirm
// against the code that validates proto.YubiSlot values. It is declared with
// var, not const, so it is mutable package state.
var SlotMax = proto.YubiSlot(0x95)
// SlotMin is the lower end of the slot range SlotMin..SlotMax (0x82..0x95).
// Those values coincide with the PIV "retired key management" slots.
// NOTE(review): presumably the lowest slot callers may request; confirm
// against the code that validates proto.YubiSlot values. It is declared with
// var, not const, so it is mutable package state.
var SlotMin = proto.YubiSlot(0x82)

Functions

func GetRealForce

func GetRealForce() bool

func ImportManagementKey

func ImportManagementKey(b []byte) (*proto.YubiManagementKey, error)

func IsDefaultPIN

func IsDefaultPIN(pin proto.YubiPIN) bool

func SenseCard

func SenseCard() bool

Types

type Bus

// Bus abstracts where cards come from. This page lists two types with these
// methods: RealBus and MockBus.
type Bus interface {
	// Cards returns the names of the cards on the bus.
	// NOTE(review): the meaning of filter is not visible on this page; confirm.
	Cards(ctx context.Context, filter bool) ([]proto.YubiCardName, error)
	// Handle returns the Handle for the card with name n.
	Handle(ctx context.Context, n proto.YubiCardName) (*Handle, error)
	// Slot maps a proto.YubiSlot to a piv.Slot, or returns an error.
	Slot(proto.YubiSlot) (piv.Slot, error)
	// Type reports which BusType this bus is.
	Type() BusType
	// ClearSecrets takes no arguments and returns nothing.
	// NOTE(review): presumably drops secrets cached on the bus's handles
	// (Handle exposes SetPIN and SetManagementKey); confirm what is cleared
	// and whether the memory is zeroed or only dereferenced.
	ClearSecrets()
	// contains filtered or unexported methods
}

type BusBase

type BusBase struct {
	sync.Mutex
	// contains filtered or unexported fields
}

func (*BusBase) ClearSecrets

func (b *BusBase) ClearSecrets()

type BusType

// BusType is the value returned by Bus.Type and Dispatch.GetBusType.
type BusType int

// The numeric values are fixed at None=0, Real=1, Mock=2.
//
// NOTE(review): the RealCard.SharedKey note on this page says a mock yubikey
// runs raw crypto.ECDSA, so keys behind BusTypeMock are presumably held in
// process memory rather than on hardware. Callers that require a hardware
// token should check for BusTypeReal; confirm.
const (
	BusTypeNone BusType = iota // 0
	BusTypeReal                // 1
	BusTypeMock                // 2
)

type Card

// Card is the set of operations this package performs on one card. RealCard
// and MockCard on this page both declare methods with these names.
type Card interface {
	// Serial returns the card's serial number.
	Serial() (proto.YubiSerial, error)
	// PrivateKey returns a crypto.PrivateKey for the given slot and public key.
	// NOTE(review): on a real card this is presumably a handle that performs
	// operations on the device, not exportable key material; confirm.
	PrivateKey(piv.Slot, crypto.PublicKey, piv.KeyAuth) (crypto.PrivateKey, error)
	// Attest returns an X.509 certificate for the slot.
	// NOTE(review): only the certificate is returned; verifying it against a
	// trusted root is presumably left to the caller. Confirm.
	Attest(piv.Slot) (*x509.Certificate, error)
	// Close releases the card.
	Close() error
	// GenerateKey creates a key in the slot and returns its public key. The
	// []byte argument is the management key (RealCard names it mgmtKey).
	GenerateKey([]byte, piv.Slot, piv.Key) (crypto.PublicKey, error)
	// SharedKey derives shared-secret bytes from priv and the peer's ECDSA
	// public key. It is on the interface because the real and mock cards
	// compute it differently (see the note on RealCard.SharedKey).
	SharedKey(priv crypto.PrivateKey, pub *ecdsa.PublicKey) ([]byte, error)

	// PIN/PUK etc:
	// NOTE(review): on real PIV hardware a failed PIN or PUK check normally
	// consumes one retry; confirm how these methods surface the remaining count.
	ValidatePIN(pin proto.YubiPIN) error
	ValidatePUK(puk proto.YubiPUK) error
	// SetPIN and SetPUK change the credential from old to new.
	SetPIN(old, new proto.YubiPIN) error
	SetPUK(old, new proto.YubiPUK) error

	// HasDefaultManagementKey, per its name, reports whether the card still uses
	// the default management key.
	HasDefaultManagementKey() (bool, error)
	// GetManagementKey returns the management key; the caller must supply the PIN.
	GetManagementKey(pin proto.YubiPIN) (*proto.YubiManagementKey, error)
	// SetManagementKey replaces the management key old with new. old is a
	// pointer. NOTE(review): nil presumably means "use the default key"; confirm.
	SetManagementKey(old *proto.YubiManagementKey, new proto.YubiManagementKey) error

	// SetOrGetManagementKey is a mix of both Get and Set above, but keeps a lock
	// between the two operations. It returns true if it made a new key, and
	// false if it is just returning the existing key.
	SetOrGetManagementKey(pin proto.YubiPIN) (*proto.YubiManagementKey, bool, error)

	// SetRetries resets the PIN and PUK. The two ints are the PIN and PUK retry
	// counts, in that order (RealCard.SetRetries names them pinRetries and
	// pukRetries). The management key is required.
	SetRetries(proto.YubiManagementKey, int, int) error
}

type Dispatch

type Dispatch struct {
	// contains filtered or unexported fields
}

func AllocDispatch

func AllocDispatch(
	seed MockYubiSeed,
) (
	*Dispatch,
	error,
)

func AllocDispatchTest

func AllocDispatchTest() (*Dispatch, error)

func (*Dispatch) AccessPQKey

func (d *Dispatch) AccessPQKey(
	ctx context.Context,
	i proto.YubiKeyInfo,
) (
	*KeySuitePQ,
	error,
)

AccessPQKey uses a preexisting ECDSA key as a PQ KEM seed slot. It should not be used to create new keys, since that would imply reusing an ECDSA key as a PQKey, which is dangerous. However, it can be used safely in "yubi provision", which accesses a previously allocated PQKey.

func (*Dispatch) ClearSecrets

func (d *Dispatch) ClearSecrets()

func (*Dispatch) Explore

func (d *Dispatch) Explore(
	ctx context.Context,
	i proto.YubiCardID,
) (*proto.YubiCardInfo, error)

func (*Dispatch) FindCardBySerial

func (d *Dispatch) FindCardBySerial(
	ctx context.Context,
	serial proto.YubiSerial,
) (*proto.YubiCardInfo, error)

func (*Dispatch) FindCardIDBySerial

func (d *Dispatch) FindCardIDBySerial(
	ctx context.Context,
	serial proto.YubiSerial,
) (*proto.YubiCardID, error)

func (*Dispatch) GenerateKey

func (d *Dispatch) GenerateKey(
	ctx context.Context,
	i proto.YubiCardID,
	slot proto.YubiSlot,
	r proto.Role,
	h proto.HostID,
	opts *GenerateKeyOpts,
) (
	*KeySuite,
	error,
)

func (*Dispatch) GenerateKeyHybrid

func (d *Dispatch) GenerateKeyHybrid(
	ctx context.Context,
	i proto.YubiCardID,
	slot proto.YubiSlot,
	kemSlot proto.YubiSlot,
	r proto.Role,
	h proto.HostID,
	opts *GenerateKeyOpts,
) (
	*KeySuiteHybrid,
	error,
)

func (*Dispatch) GenerateKeyPQ

func (d *Dispatch) GenerateKeyPQ(
	ctx context.Context,
	i proto.YubiCardID,
	slot proto.YubiSlot,
	opts *GenerateKeyOpts,
) (
	*KeySuitePQ,
	error,
)

func (*Dispatch) GetBusType

func (d *Dispatch) GetBusType() BusType

func (*Dispatch) GetManagementKey

func (d *Dispatch) GetManagementKey(
	ctx context.Context,
	i proto.YubiCardID,
) (
	*proto.YubiManagementKey,
	error,
)

func (*Dispatch) HasDefaultManagementKey

func (d *Dispatch) HasDefaultManagementKey(
	ctx context.Context,
	id proto.YubiCardID,
) (bool, error)

func (*Dispatch) InputPIN

func (d *Dispatch) InputPIN(
	ctx context.Context,
	id proto.YubiCardID,
	pin proto.YubiPIN,
) (
	proto.ManagementKeyState,
	error,
)

func (*Dispatch) ListCards

func (d *Dispatch) ListCards(
	ctx context.Context,
) ([]proto.YubiCardID, error)

func (*Dispatch) Load

func (d *Dispatch) Load(
	ctx context.Context,
	i proto.YubiKeyInfo,
	r proto.Role,
	h proto.HostID,
) (
	*KeySuite,
	error,
)

func (*Dispatch) LoadHybrid

func (d *Dispatch) LoadHybrid(
	ctx context.Context,
	i proto.YubiKeyInfoHybrid,
	r proto.Role,
	h proto.HostID,
) (
	*KeySuiteHybrid,
	error,
)

func (*Dispatch) LoadPQ

func (d *Dispatch) LoadPQ(
	ctx context.Context,
	i proto.YubiKeyInfoHybrid,
) (
	*KeySuitePQ,
	error,
)

func (*Dispatch) NextTestKey

func (d *Dispatch) NextTestKey(
	ctx context.Context,
	t *testing.T,
	role proto.Role,
	h proto.HostID,
) *KeySuiteHybrid

func (*Dispatch) ResetPINandPUK

func (d *Dispatch) ResetPINandPUK(
	ctx context.Context,
	id proto.YubiCardID,
	mk proto.YubiManagementKey,
	pin proto.YubiPIN,
	puk proto.YubiPUK,
) error

func (*Dispatch) SenseCard

func (d *Dispatch) SenseCard() bool

func (*Dispatch) SetManagementKey

func (d *Dispatch) SetManagementKey(
	ctx context.Context,
	id proto.YubiCardID,
	old *proto.YubiManagementKey,
	new proto.YubiManagementKey,
) error

func (*Dispatch) SetOrGetManagementKey

func (d *Dispatch) SetOrGetManagementKey(
	ctx context.Context,
	id proto.YubiCardID,
	pin proto.YubiPIN,
) (
	*proto.YubiManagementKey,
	bool,
	error,
)

func (*Dispatch) SetPIN

func (d *Dispatch) SetPIN(
	ctx context.Context,
	id proto.YubiCardID,
	old proto.YubiPIN,
	new proto.YubiPIN,
) error

func (*Dispatch) SetPUK

func (d *Dispatch) SetPUK(
	ctx context.Context,
	id proto.YubiCardID,
	old proto.YubiPUK,
	new proto.YubiPUK,
) error

func (*Dispatch) ValidatePIN

func (d *Dispatch) ValidatePIN(
	ctx context.Context,
	id proto.YubiCardID,
	pin proto.YubiPIN,
	doUnlock bool,
) error

func (*Dispatch) ValidatePUK

func (d *Dispatch) ValidatePUK(
	ctx context.Context,
	id proto.YubiCardID,
	puk proto.YubiPUK,
) error

type ECDSAKeypair

type ECDSAKeypair struct {
	// contains filtered or unexported fields
}

func NewECDSAKeyPair

func NewECDSAKeyPair(pp piv.PINPolicy) (*ECDSAKeypair, error)

type GenerateKeyOpts

// GenerateKeyOpts is the options argument taken by Dispatch.GenerateKey,
// Dispatch.GenerateKeyHybrid and Dispatch.GenerateKeyPQ.
type GenerateKeyOpts struct {
	// NOTE(review): presumably selects the piv.PINPolicy returned by the
	// PINPolicy method, i.e. whether using the generated key requires the
	// card PIN. Confirm which policy false maps to.
	LockWithPIN bool
}

func (*GenerateKeyOpts) PINPolicy

func (o *GenerateKeyOpts) PINPolicy() piv.PINPolicy

type Handle

// Handle is what Bus.Handle returns for a named card. Its methods on this
// page accept a PIN (SetPIN) and accept and return a management key
// (SetManagementKey, ManagementKey).
// NOTE(review): it therefore presumably caches those secrets in its
// unexported fields; confirm how long they live and what clears them.
type Handle struct {
	// Embedded, so Lock and Unlock are promoted into Handle's exported method
	// set and external callers can take this lock.
	sync.Mutex
	// contains filtered or unexported fields
}

func (*Handle) Bus

func (h *Handle) Bus() Bus

func (*Handle) Card

func (h *Handle) Card(ctx context.Context) (Card, func(), error)

func (*Handle) ManagementKey

func (h *Handle) ManagementKey() *proto.YubiManagementKey

func (*Handle) SetManagementKey

func (h *Handle) SetManagementKey(mk *proto.YubiManagementKey)

func (*Handle) SetPIN

func (h *Handle) SetPIN(pin proto.YubiPIN)

type KeyLoc

// KeyLoc names a key location as a card serial number plus a slot.
type KeyLoc struct {
	// Serial is the serial number of the card.
	Serial proto.YubiSerial
	// Slot is the slot on that card.
	Slot   proto.YubiSlot
}

type KeySuite

type KeySuite struct {
	KeySuiteCore
	// contains filtered or unexported fields
}

func NewKeySuite

func NewKeySuite(ksc *KeySuiteCore, h proto.HostID, r proto.Role) *KeySuite

func (*KeySuite) BoxFor

func (k *KeySuite) BoxFor(o core.CryptoPayloader, r core.PublicBoxer, opts core.BoxOpts) (*proto.Box, error)

func (*KeySuite) CertSigner

func (k *KeySuite) CertSigner() (core.EntityPrivate, error)

func (*KeySuite) DHType

func (k *KeySuite) DHType() proto.DHType

func (*KeySuite) EntityID

func (k *KeySuite) EntityID() (proto.EntityID, error)

func (*KeySuite) EntityPublic

func (k *KeySuite) EntityPublic() (core.EntityPublic, error)

func (*KeySuite) ExportDHPublicKey

func (k *KeySuite) ExportDHPublicKey(inContextOfSigKey bool) proto.DHPublicKey

func (*KeySuite) ExportHEPK

func (k *KeySuite) ExportHEPK() (*proto.HEPK, error)

func (*KeySuite) ExportKeySuite

func (k *KeySuite) ExportKeySuite() (*proto.KeySuite, error)

func (*KeySuite) ExportToMember

func (k *KeySuite) ExportToMember(h proto.HostID) (*proto.Member, error)

func (*KeySuite) Fuse

func (k *KeySuite) Fuse(kks *KeySuitePQ) *KeySuiteHybrid

func (*KeySuite) GetRole

func (k *KeySuite) GetRole() proto.Role

func (*KeySuite) HasSubkey

func (k *KeySuite) HasSubkey() bool

func (*KeySuite) HostID

func (k *KeySuite) HostID() proto.HostID

func (*KeySuite) ID

func (k *KeySuite) ID() proto.YubiID

func (*KeySuite) PrivateKeyForCert

func (k *KeySuite) PrivateKeyForCert() (crypto.PrivateKey, error)

func (*KeySuite) Publicize

func (k *KeySuite) Publicize(hostID *proto.HostID) (core.PublicSuiter, error)

func (*KeySuite) PublicizeToBoxer

func (k *KeySuite) PublicizeToBoxer() (core.PublicBoxer, error)

func (*KeySuite) Role

func (k *KeySuite) Role() proto.Role

func (*KeySuite) RollingEntityID

func (k *KeySuite) RollingEntityID() (proto.EntityID, error)

func (*KeySuite) Sign

func (k *KeySuite) Sign(obj core.Verifiable) (*proto.Signature, error)

func (*KeySuite) UnboxFor

func (k *KeySuite) UnboxFor(
	o core.CryptoPayloader,
	box proto.Box,
	sender core.PublicBoxer,
) (
	core.DHPublicKey,
	error,
)

func (*KeySuite) UnboxForEphemeral

func (k *KeySuite) UnboxForEphemeral(
	o core.CryptoPayloader,
	box proto.Box,
	sender proto.DHPublicKey,
) error

func (*KeySuite) UnboxForIncludedEphemeral

func (k *KeySuite) UnboxForIncludedEphemeral(
	o core.CryptoPayloader,
	box proto.Box,
) error

func (*KeySuite) Verify

func (k *KeySuite) Verify(s proto.Signature, obj core.Verifiable) error

type KeySuiteCore

type KeySuiteCore struct {
	// contains filtered or unexported fields
}

func (*KeySuiteCore) ExportToYubiKeyInfo

func (k *KeySuiteCore) ExportToYubiKeyInfo(ctx context.Context) (*proto.YubiKeyInfoHybrid, error)

func (*KeySuiteCore) GenerateSelfSecret

func (k *KeySuiteCore) GenerateSelfSecret(ctx context.Context) (*proto.SecretSeed32, error)

Outputs g^(x^2), which is roughly as secret as x if g^x isn't used anywhere else. We can in turn use this 32-byte secret as a seed for a PQ key. I wish there were a better way to store a secret on a yubikey and read it back, but so far, this is the best bet. The issue here is that this key might be used down the line somewhere else, opening existing FOKS data to quantum attacks. But the hope here is that all necessary FOKS information is contained on the yubikey, and never written down to storage locally, so this is a reasonable compromise, for now. Once yubikeys support PQ algorithms, we can do way better.

type KeySuiteHybrid

// KeySuiteHybrid pairs a KeySuite with a KeySuitePQ. KeySuite.Fuse returns a
// *KeySuiteHybrid from a KeySuite and a *KeySuitePQ.
type KeySuiteHybrid struct {
	// Embedded: KeySuite's methods are promoted except where KeySuiteHybrid
	// declares its own (e.g. BoxFor, UnboxFor, Publicize).
	KeySuite
	// Pq is held by value, so copying a KeySuiteHybrid copies it too.
	// NOTE(review): NewKeySuitePQ takes a *proto.SecretSeed32, so this field
	// presumably carries seed-derived secret material; confirm before
	// copying or logging values of this type.
	Pq KeySuitePQ
}

func (*KeySuiteHybrid) BoxFor

func (*KeySuiteHybrid) ExportHEPK

func (k *KeySuiteHybrid) ExportHEPK() (*proto.HEPK, error)

func (*KeySuiteHybrid) ExportKeySuite

func (k *KeySuiteHybrid) ExportKeySuite() (*proto.KeySuite, error)

func (*KeySuiteHybrid) ExportToMember

func (k *KeySuiteHybrid) ExportToMember(h proto.HostID) (*proto.Member, error)

func (*KeySuiteHybrid) ExportToYubiKeyInfo

func (k *KeySuiteHybrid) ExportToYubiKeyInfo(ctx context.Context) (*proto.YubiKeyInfoHybrid, error)

func (*KeySuiteHybrid) KemDecap

func (k *KeySuiteHybrid) KemDecap() proto.KemDecapKey

func (*KeySuiteHybrid) Publicize

func (k *KeySuiteHybrid) Publicize(hostID *proto.HostID) (core.PublicSuiter, error)

func (*KeySuiteHybrid) PublicizeToBoxer

func (k *KeySuiteHybrid) PublicizeToBoxer() (core.PublicBoxer, error)

func (*KeySuiteHybrid) UnboxFor

func (k *KeySuiteHybrid) UnboxFor(
	o core.CryptoPayloader,
	box proto.Box,
	sender core.PublicBoxer,
) (
	core.DHPublicKey,
	error,
)

func (*KeySuiteHybrid) UnboxForEphemeral

func (k *KeySuiteHybrid) UnboxForEphemeral(
	o core.CryptoPayloader,
	box proto.Box,
	sender proto.DHPublicKey,
) error

type KeySuitePQ

type KeySuitePQ struct {
	KeySuiteCore
	// contains filtered or unexported fields
}

func NewKeySuitePQ

func NewKeySuitePQ(ksc *KeySuiteCore, ss *proto.SecretSeed32) (*KeySuitePQ, error)

func (*KeySuitePQ) ExportToYubiSlotAndPQKey

func (k *KeySuitePQ) ExportToYubiSlotAndPQKey() (*proto.YubiSlotAndPQKeyID, error)

func (*KeySuitePQ) PQKeyID

func (k *KeySuitePQ) PQKeyID() (*proto.YubiPQKeyID, error)

type MockBus

type MockBus struct {
	*BusBase
	// contains filtered or unexported fields
}

func NewMockBus

func NewMockBus() (*MockBus, error)

func NewMockBusWithSeed

func NewMockBusWithSeed(seed MockYubiSeed, cardCount int) (*MockBus, error)

func (*MockBus) Cards

func (m *MockBus) Cards(ctx context.Context, filter bool) ([]proto.YubiCardName, error)

func (*MockBus) Handle

func (m *MockBus) Handle(ctx context.Context, nm proto.YubiCardName) (*Handle, error)

func (*MockBus) Slot

func (m *MockBus) Slot(s proto.YubiSlot) (piv.Slot, error)

func (*MockBus) Type

func (b *MockBus) Type() BusType

type MockCard

type MockCard struct {
	sync.Mutex
	// contains filtered or unexported fields
}

func (*MockCard) Attest

func (m *MockCard) Attest(slot piv.Slot) (*x509.Certificate, error)

func (*MockCard) ClearPIN

func (c *MockCard) ClearPIN()

func (*MockCard) Close

func (m *MockCard) Close() error

func (*MockCard) GenerateKey

func (m *MockCard) GenerateKey(mks []byte, slot piv.Slot, desc piv.Key) (crypto.PublicKey, error)

func (*MockCard) GetManagementKey

func (c *MockCard) GetManagementKey(pin proto.YubiPIN) (*proto.YubiManagementKey, error)

func (*MockCard) HasDefaultManagementKey

func (c *MockCard) HasDefaultManagementKey() (bool, error)

func (*MockCard) Name

func (k *MockCard) Name() string

func (*MockCard) PrivateKey

func (m *MockCard) PrivateKey(slot piv.Slot, pub crypto.PublicKey, auth piv.KeyAuth) (crypto.PrivateKey, error)

func (*MockCard) Serial

func (m *MockCard) Serial() (proto.YubiSerial, error)

func (*MockCard) SetManagementKey

func (c *MockCard) SetManagementKey(old *proto.YubiManagementKey, key proto.YubiManagementKey) error

func (*MockCard) SetOrGetManagementKey

func (c *MockCard) SetOrGetManagementKey(pin proto.YubiPIN) (*proto.YubiManagementKey, bool, error)

func (*MockCard) SetPIN

func (c *MockCard) SetPIN(old, new proto.YubiPIN) error

func (*MockCard) SetPUK

func (c *MockCard) SetPUK(old, new proto.YubiPUK) error

func (*MockCard) SetRetries

func (c *MockCard) SetRetries(
	mk proto.YubiManagementKey,
	pin int,
	puk int,
) error

func (*MockCard) SharedKey

func (m *MockCard) SharedKey(priv crypto.PrivateKey, pub *ecdsa.PublicKey) ([]byte, error)

func (*MockCard) ValidatePIN

func (c *MockCard) ValidatePIN(p proto.YubiPIN) error

func (*MockCard) ValidatePUK

func (c *MockCard) ValidatePUK(puk proto.YubiPUK) error

type MockYubiSeed

type MockYubiSeed []byte

func NewMockYubiSeed

func NewMockYubiSeed() (MockYubiSeed, error)

func (MockYubiSeed) String

func (s MockYubiSeed) String() string

type Prepper

// Prepper bundles the inputs for Run, which returns a *KeySuiteHybrid.
// NOTE(review): Slot and PQSlot presumably correspond to the slot and kemSlot
// arguments of Dispatch.GenerateKeyHybrid; confirm.
type Prepper struct {
	// input
	Host        proto.HostID
	Role        proto.Role
	Serial      proto.YubiSerial
	Slot        proto.YubiSlot
	PQSlot      proto.YubiSlot
	Disp        *Dispatch
	// Pin is the card PIN, kept as an ordinary field for as long as the
	// Prepper is alive. NOTE(review): nothing on this page shows it being
	// cleared after Run; confirm whether callers should reset it and call
	// Disp.ClearSecrets.
	Pin         proto.YubiPIN
	// NOTE(review): presumably forwarded as GenerateKeyOpts.LockWithPIN; confirm.
	LockWithPIN bool
	// contains filtered or unexported fields
}

func (*Prepper) Run

func (y *Prepper) Run(ctx context.Context) (*KeySuiteHybrid, error)

type RealBus

type RealBus struct {
	*BusBase
}

func NewRealBus

func NewRealBus() *RealBus

func (*RealBus) Cards

func (b *RealBus) Cards(ctx context.Context, filter bool) ([]proto.YubiCardName, error)

func (*RealBus) Handle

func (r *RealBus) Handle(ctx context.Context, nm proto.YubiCardName) (*Handle, error)

func (*RealBus) Slot

func (b *RealBus) Slot(s proto.YubiSlot) (piv.Slot, error)

func (*RealBus) Type

func (r *RealBus) Type() BusType

type RealCard

type RealCard struct {
	sync.Mutex
	// contains filtered or unexported fields
}

func (*RealCard) Attest

func (c *RealCard) Attest(slot piv.Slot) (*x509.Certificate, error)

func (*RealCard) Close

func (c *RealCard) Close() error

func (*RealCard) GenerateKey

func (c *RealCard) GenerateKey(mgmtKey []byte, slot piv.Slot, key piv.Key) (crypto.PublicKey, error)

func (*RealCard) GetManagementKey

func (c *RealCard) GetManagementKey(pin proto.YubiPIN) (*proto.YubiManagementKey, error)

func (*RealCard) HasDefaultManagementKey

func (c *RealCard) HasDefaultManagementKey() (bool, error)

func (*RealCard) PrivateKey

func (c *RealCard) PrivateKey(slot piv.Slot, pk crypto.PublicKey, auth piv.KeyAuth) (crypto.PrivateKey, error)

func (*RealCard) Serial

func (c *RealCard) Serial() (proto.YubiSerial, error)

func (*RealCard) SetManagementKey

func (c *RealCard) SetManagementKey(
	oldp *proto.YubiManagementKey,
	new proto.YubiManagementKey,
) error

func (*RealCard) SetOrGetManagementKey

func (c *RealCard) SetOrGetManagementKey(
	pin proto.YubiPIN,
) (*proto.YubiManagementKey, bool, error)

func (*RealCard) SetPIN

func (c *RealCard) SetPIN(old, new proto.YubiPIN) error

func (*RealCard) SetPUK

func (c *RealCard) SetPUK(old, new proto.YubiPUK) error

func (*RealCard) SetRetries

func (c *RealCard) SetRetries(
	mk proto.YubiManagementKey,
	pinRetries,
	pukRetries int,
) error

func (*RealCard) SharedKey

func (c *RealCard) SharedKey(priv crypto.PrivateKey, receiver *ecdsa.PublicKey) ([]byte, error)

Abstract this out since it's different for a mock yubikey that's running raw crypto.ECDSA. Note that we don't access piv.YubiKey here.

func (*RealCard) ValidatePIN

func (c *RealCard) ValidatePIN(pin proto.YubiPIN) error

func (*RealCard) ValidatePUK

func (c *RealCard) ValidatePUK(puk proto.YubiPUK) error
