
YubiKey 5.7.4+ versions not supported - new Yubico Root CA

Open Joerger opened this issue 5 months ago • 4 comments

From https://developers.yubico.com/PIV/Introduction/PIV_attestation.html:

Yubico Root CA Update: Yubico is updating the root CA in 2025, and YubiKeys with firmware version 5.7.4 and later will be signed by our new root CA. These certificates are linked to the Root Certificate Authority (Root CA) through intermediate certificates, ensuring the integrity and trustworthiness of the YubiKey.

Error on YubiKey 5.7.4 from piv.Verify:

error verifying attestation certificate: x509: certificate signed by unknown authority

Note: simply adding the new Root CA to the cert pool for verification did not resolve the issue.

Joerger avatar Jun 20 '25 16:06 Joerger

Thanks for the note! So you're saying that adding that CA to the function here didn't work? Do you get the same error?

https://github.com/go-piv/piv-go/blob/0383b0aa884b2b642e9e3446ea01ba22ccadc83a/v2/piv/key.go#L347

I have a 5.7.1 and attestation appears to work with the existing codebase:

% go test -test.v -test.run=TestYubiKeyAttestation --wipe-yubikey
=== RUN   TestYubiKeyAttestation
--- PASS: TestYubiKeyAttestation (0.61s)
PASS
ok  	github.com/go-piv/piv-go/v2/piv	0.778s

We do support passing in custom root CAs. Is there a different CA that we'd need?

https://pkg.go.dev/github.com/go-piv/piv-go/v2/piv#Verifier

I'll probably send a change to add that Root CA anyway.

ericchiang avatar Jun 20 '25 19:06 ericchiang

Would it be possible to try https://github.com/go-piv/piv-go/pull/176 ?

ericchiang avatar Jun 20 '25 19:06 ericchiang

Hey @ericchiang 👋 The error @Joerger reported actually came from my environment. I just tried with #176 and it's still the same behavior:

error verifying attestation certificate: x509: certificate signed by unknown authority

We had also tried passing in custom root CAs using the Verifier and similarly had no luck, same error message.

eriktate avatar Jun 20 '25 22:06 eriktate

Would you be able to provide the certificate that's not validating? Without that, it's hard to debug what's happening.

ericchiang avatar Jun 21 '25 04:06 ericchiang

Here's an example slot cert and its attestation cert: yubi_slot.txt yubi_attestation.txt

eriktate avatar Jul 08 '25 16:07 eriktate

Hey @ericchiang! I just confirmed #176 does seem to fix the issue. Sorry for the confusion, I must have had something else wrong with my environment when I tested this before. After getting a minimal repro working I was also able to confirm with our actual integration.

eriktate avatar Jul 22 '25 17:07 eriktate

Perfect! I went ahead and merged that one. Will cut a release when I get a sec.

ericchiang avatar Jul 22 '25 17:07 ericchiang

Any idea when this might land in a release @ericchiang? We've had a couple of customers report running into this now, and I assume this will probably start showing up more often as more folks start getting new YubiKeys.

eriktate avatar Jul 23 '25 19:07 eriktate

Tagged https://github.com/go-piv/piv-go/releases/tag/v2.4.0

ericchiang avatar Jul 25 '25 20:07 ericchiang