piv-go icon indicating copy to clipboard operation
piv-go copied to clipboard

Published 20 hours ago verified publisher icon go-piv

Support AES Management keys

Open scj643 opened this issue 2 years ago • 2 comments

https://github.com/smallstep/crypto/issues/114

Currently this library doesn't support AES management keys as described in https://docs.yubico.com/hardware/yubikey/yk-5/tech-manual/yk5-piv-tech-desc.html#piv-aes-management-key

scj643 avatar Nov 01 '22 19:11 scj643

Thanks for opening!

The main issue looks like this package's signatures expect a 24 byte key:

func (yk *YubiKey) GenerateKey(key [24]byte, slot Slot, opts Key) (crypto.PublicKey, error)

Where as AES-128, AES-192, or AES-256 are 16, 24, and 32 bytes respectively.

Out of curiosity, is there a reason DES doesn't work for you? In most threat models I've worked in, the ability to generate a new key isn't as important, since it would have to be attested to be unexportable anyway.

ericchiang avatar Nov 02 '22 17:11 ericchiang

@ericchiang

Per Yubico tech :

PIV management key in AES format renders the YubiKey compatible with current or future FIPS-compliant CMS services.

udf2457 avatar Mar 31 '23 14:03 udf2457

Any updates on or progress on adding this?

EDIT: Just saw https://github.com/go-piv/piv-go/issues/146#issuecomment-2220738079

84adam avatar Jul 25 '24 19:07 84adam