Skip to content

Commit

Permalink
yubikey-agent: add support for Ed25519 keys
Browse files Browse the repository at this point in the history
  • Loading branch information
e-nomem committed Dec 5, 2024
1 parent 2e5376c commit d17275a
Show file tree
Hide file tree
Showing 4 changed files with 35 additions and 7 deletions.
2 changes: 1 addition & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ module filippo.io/yubikey-agent
go 1.19

require (
github.com/go-piv/piv-go v1.10.0
github.com/go-piv/piv-go/v2 v2.3.0
github.com/twpayne/go-pinentry-minimal v0.0.0-20220113210447-2a5dc4396c2a
golang.org/x/crypto v0.4.0
golang.org/x/term v0.3.0
Expand Down
4 changes: 2 additions & 2 deletions go.sum
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
github.com/go-piv/piv-go v1.10.0 h1:P1Y1VjBI5DnXW0+YkKmTuh5opWnMIrKriUaIOblee9Q=
github.com/go-piv/piv-go v1.10.0/go.mod h1:NZ2zmjVkfFaL/CF8cVQ/pXdXtuj110zEKGdJM6fJZZM=
github.com/go-piv/piv-go/v2 v2.3.0 h1:kKkrYlgLQTMPA6BiSL25A7/x4CEh2YCG7rtb/aTkx+g=
github.com/go-piv/piv-go/v2 v2.3.0/go.mod h1:ShZi74nnrWNQEdWzRUd/3cSig3uNOcEZp+EWl0oewnI=
github.com/twpayne/go-pinentry-minimal v0.0.0-20220113210447-2a5dc4396c2a h1:a1bRrtgkiv0tytmDVXU5Dqse/WOTws7JvsY2WxPMZ6M=
github.com/twpayne/go-pinentry-minimal v0.0.0-20220113210447-2a5dc4396c2a/go.mod h1:ARJJXqNuaxVS84jX6ST52hQh0TtuQZWABhTe95a6BI4=
golang.org/x/crypto v0.4.0 h1:UVQgzMY87xqpKNgb+kDsll2Igd33HszWHFLmpaRMq/8=
Expand Down
4 changes: 3 additions & 1 deletion main.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ import (
"bytes"
"context"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/rand"
"crypto/rsa"
"errors"
Expand All @@ -28,7 +29,7 @@ import (
"syscall"
"time"

"github.com/go-piv/piv-go/piv"
"github.com/go-piv/piv-go/v2/piv"
"golang.org/x/crypto/ssh"
"golang.org/x/crypto/ssh/agent"
"golang.org/x/crypto/ssh/terminal"
Expand Down Expand Up @@ -249,6 +250,7 @@ func getPublicKey(yk *piv.YubiKey, slot piv.Slot) (ssh.PublicKey, error) {
}
switch cert.PublicKey.(type) {
case *ecdsa.PublicKey:
case ed25519.PublicKey:
case *rsa.PublicKey:
default:
return nil, fmt.Errorf("unexpected public key type: %T", cert.PublicKey)
Expand Down
32 changes: 29 additions & 3 deletions setup.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ import (
"runtime/debug"
"time"

"github.com/go-piv/piv-go/piv"
"github.com/go-piv/piv-go/v2/piv"
"golang.org/x/crypto/ssh"
"golang.org/x/term"
)
Expand Down Expand Up @@ -100,7 +100,15 @@ func runSetup(yk *piv.YubiKey) {
fmt.Println("")
fmt.Println("🧪 Reticulating splines...")

var key [24]byte
var version = yk.Version()
var key []byte
if supportsVersion(&version, 5, 4, 0) {
// Yubikey Firmware >=5.4.0 supports AES256 management keys
key = make([]byte, 32)
} else {
key = make([]byte, 24)
}

if _, err := rand.Read(key[:]); err != nil {
log.Fatal(err)
}
Expand Down Expand Up @@ -137,8 +145,16 @@ func runSetup(yk *piv.YubiKey) {
log.Fatalln("use --really-delete-all-piv-keys ⚠️")
}

var alg piv.Algorithm
if supportsVersion(&version, 5, 7, 0) {
// For newer Yubikeys, upgrade the key automatically to Ed25519
alg = piv.AlgorithmEd25519
} else {
alg = piv.AlgorithmEC256
}

pub, err := yk.GenerateKey(key, piv.SlotAuthentication, piv.Key{
Algorithm: piv.AlgorithmEC256,
Algorithm: alg,
PINPolicy: piv.PINPolicyOnce,
TouchPolicy: piv.TouchPolicyAlways,
})
Expand Down Expand Up @@ -196,6 +212,16 @@ func runSetup(yk *piv.YubiKey) {
fmt.Println("💭 Remember: everything breaks, have a backup plan for when this YubiKey does.")
}

func supportsVersion(v *piv.Version, major, minor, patch int) bool {
if v.Major != major {
return v.Major > major
}
if v.Minor != minor {
return v.Minor > minor
}
return v.Patch >= patch
}

func randomSerialNumber() *big.Int {
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
Expand Down

0 comments on commit d17275a

Please sign in to comment.