
Yubikey enhancement: adds feature set to support multiple slots

Open bsingh-kpt opened this issue 1 month ago • 3 comments

The following features are implemented:

  1. Multiple slots of the yubikey can be used
  2. Algorithm support includes: RSA2048 and RSA3072 for the yubikey type only
  3. --keytype option enhancement. For yubikey, and for each SB hierarchy key type, the algorithm and slot can be specified. For example, to create an RSA3072 key in slot 9a, --keytype yubikey:RSA3072:9a can be used. A different algorithm and slot can be chosen for each SB key type
  4. A subject DN in openssl style can also be specified for certificate generation for each key type
  5. KeyConfig is enhanced to support algorithm and slot for the yubikey type only
  6. Added a key file existence check so that only missing keys are created by the create-keys command, avoiding unintentional key overwrites
  7. Checks the key certificate in the yubikey first and falls back to its attestation cert if the key cert is missing
  8. Also supports yubikey retired key slots
  9. Adds a --prompt option to enable the PIN prompt for yubikey
  10. Adds custom management key support for when the default has been replaced

bsingh-kpt, Nov 01 '25 02:11
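As an added illustration of the --keytype syntax described in item 3 (this is not sbctl's code and not part of the PR), the parser below accepts "type[:algorithm[:slot]]", restricts algorithm and slot to the yubikey type, and validates the slot against the standard PIV slot ids including the retired ones; the RSA2048/9a defaults for an omitted algorithm or slot are an assumption.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// KeySpec is the parsed form of a --keytype argument such as "yubikey:RSA3072:9a".
type KeySpec struct {
	Type      string // "yubikey" or another backend such as "file"
	Algorithm string // "RSA2048" or "RSA3072"; empty for non-yubikey types
	Slot      byte   // PIV slot id; 0 for non-yubikey types
}
// validSlot accepts the standard PIV slots 9a, 9c, 9d, 9e and the retired
// key-management slots 82-95 (standard PIV slot ids, not taken from the PR).
func validSlot(s byte) bool {
	return s == 0x9a || s == 0x9c || s == 0x9d || s == 0x9e || (s >= 0x82 && s <= 0x95)
}
// ParseKeySpec parses "type[:algorithm[:slot]]". Algorithm and slot are only accepted
// for the yubikey type; when omitted they default to RSA2048 in slot 9a (assumed defaults).
func ParseKeySpec(arg string) (KeySpec, error) {
	parts := strings.SplitN(arg, ":", 3) // a 4th field stays glued to the slot and fails below
	spec := KeySpec{Type: strings.ToLower(parts[0])}
	switch {
	case spec.Type == "":
		return spec, fmt.Errorf("empty key type in %q", arg)
	case spec.Type != "yubikey" && len(parts) > 1:
		return spec, fmt.Errorf("algorithm/slot only valid for yubikey: %q", arg)
	case spec.Type != "yubikey":
		return spec, nil
	}
	spec.Algorithm, spec.Slot = "RSA2048", 0x9a
	if len(parts) >= 2 && parts[1] != "" {
		alg := strings.ToUpper(parts[1])
		if alg != "RSA2048" && alg != "RSA3072" {
			return spec, fmt.Errorf("unsupported yubikey algorithm %q", parts[1])
		}
		spec.Algorithm = alg
	}
	if len(parts) == 3 {
		n, err := strconv.ParseUint(parts[2], 16, 8)
		if err != nil || !validSlot(byte(n)) {
			return spec, fmt.Errorf("invalid PIV slot %q", parts[2])
		}
		spec.Slot = byte(n)
	}
	return spec, nil
}
```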

Generally, this is one large PR to support multiple features. Splitting things would be much easier to review.

Foxboron, Nov 01 '25 13:11

@Foxboron Did you have the time to test the changes?

bsingh-kpt, Nov 15 '25 08:11

I haven't had time. Sorry.

The PR is not super high on my list as the code is a bit hard to review and the commit is doing several things. The description is also a point list, which is not great.

It would be nicer if there were multiple commits describing each atomic change.

Foxboron, Nov 30 '25 20:11