Skip to content

Commit

Permalink
PIV: Support AES management keys
Browse files Browse the repository at this point in the history 
This commit adds support for setting and getting the AES management
keys, these are available in firmwars 5.4 and later, and are now
the default in firmwares 5.7.

The key is handled via being generic on a limit number of allowed alogrithms,
using implementations of those from rust-crypto crates.

Right now support in PIV MGM keys is for:

* TripleDes (`0x03`) - The key type originally used
* AES128 (`0x08`) - The new key type using a 128 bit key
* AES192 (`0x0A`) - The new key type using a 192 bit key, this
    also doubles as the algorithm for firmwares 5.7 and later,
    where the default key is the same as the original TripleDes key.
* AES256 (`0x0C`) - The new key type using a 256 bit key

Suitable type aliases are provided for each of these key types.

The rationale here for exposing the key as a generic type parameter is
to largely use the original logic, but avoid scattered enums and provide
the end user with some degree of control over the key types at compile
time (it should, for instance be relatively easy make 3Des keys
uncompileable).

See: https://docs.yubico.com/yesdk/users-manual/application-piv/apdu/auth-mgmt.html
  • Loading branch information
@GregBowyer
GregBowyer committed Aug 6, 2024
1 parent 0a90dc3 commit 48305cc
Show file tree
Hide file tree
Showing 8 changed files with 334 additions and 174 deletions.
16 changes: 16 additions & 0 deletions Cargo.lock
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions Cargo.toml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ x509-cert = { version = "0.2.5", features = [ "builder", "hazmat" ] }
[dependencies]
der = "0.7.1"
des = "0.8"
aes = { version = "0.8.4", features = ["zeroize"] }
elliptic-curve = "0.13"
hex = { package = "base16ct", version = "0.2", features = ["alloc"] }
hmac = "0.12"
Expand All @@ -48,6 +49,8 @@ subtle = "2"
uuid = { version = "1.2", features = ["v4"] }
x509-cert.workspace = true
zeroize = "1"
cipher = "0.4.4"
crypto-common = { version = "0.1.6", features = ["rand_core"] }

[dev-dependencies]
env_logger = "0.10"
Expand Down
2 changes: 1 addition & 1 deletion src/lib.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -71,7 +71,7 @@ pub use crate::{
chuid::ChuId,
config::Config,
error::{Error, Result},
mgm::{MgmKey, MgmType},
mgm::{MgmKey, MgmType, MgmKeyAlgorithm, MgmKey3Des, MgmKeyAes128, MgmKeyAes192, MgmKeyAes256},
piv::Key,
policy::{PinPolicy, TouchPolicy},
reader::Context,
Expand Down
Loading

0 comments on commit 48305cc

Please sign in to comment.