Documentation
Overview
Package yubiattest contains the functions to do PIV attestation. It has some temporary workarounds for YubiKeys with firmware older than 4.3.3.
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
func ModHex
func ModHex(cert *x509.Certificate) (modhex string, err error)
ModHex extracts the serial number from an attestation certificate and converts it to ModHex format. Ref: https://developers.yubico.com/PIV/Introduction/PIV_attestation.html
func ParseCertificate
func ParseCertificate(asn1Data []byte) (*x509.Certificate, error)
ParseCertificate parses a single certificate from the given ASN.1 DER data. This function fills in a NULL parameter in the certificate, so it works with Go 1.8, which enforces the RFC 3279 2.3.1 standard. More details can be found in
RFC 3279 2.3.1 RSA Keys: https://tools.ietf.org/html/rfc3279#section-2.3.1 and the related Go commit: https://github.com/golang/go/commit/59aeac20c0412442848982a9287b4bab66c25682
Types
type Attestor
type Attestor struct {
// contains filtered or unexported fields
}
Attestor is the struct that performs attestation on a Yubikey.
func NewAttestor
NewAttestor returns a new Attestor struct.
func NewAttestorWithCAPool
NewAttestorWithCAPool returns a new Attestor struct.
func (*Attestor) Attest
func (a *Attestor) Attest(f9Cert *x509.Certificate, attestCert *x509.Certificate) error
Attest performs attestation on a YubiKey. It requires the attestation certificate (attestCert) from the attested slot and the certificate from the attestation key slot (f9Cert). Attestation verifies the following certificate chain: YubicoPIVCA or YubicoU2FCA signs the f9 (attestation slot) certificate, and the f9 certificate signs attestCert. Note: the private key of attestCert is backed by the 9a or 9e key slot. Ref: https://developers.yubico.com/PIV/Introduction/Certificate_slots.html
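The chain that Attest checks, as an added Go example that is not part of the yubiattest package: it verifies root -> f9 -> slot certificate with crypto/x509, offering only the f9 certificate as an intermediate, and shows that a slot certificate under a self-signed f9 look-alike is rejected. All certificates are mock fixtures generated in memory (constructed for this example), not real Yubico CA or device certificates.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// VerifyAttestationChain checks the chain Attest describes: a trusted root (the Yubico
// PIV CA) signs the f9 slot cert, which signs attestCert. Only f9Cert is offered as an
// intermediate, and ExtKeyUsageAny stops TLS server-auth EKU rules from being applied.
func VerifyAttestationChain(roots *x509.CertPool, f9Cert, attestCert *x509.Certificate) error {
	inter := x509.NewCertPool()
	inter.AddCert(f9Cert)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	_, err := attestCert.Verify(opts)
	return err
}
// must panics on err; it keeps the constructed fixtures below short.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// issue is a constructed helper (not part of yubiattest): it generates a P-256 key and
// a cert for it signed by parent/parentKey, or self-signed when parent is nil.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
// Demo builds a mock chain (root -> f9 -> 9a cert) plus a look-alike whose f9 cert is
// self-signed and never reaches the trusted root; it returns both verification results.
func Demo() (genuine, rogue error) {
	root, rootKey := issue("Mock Yubico PIV CA", true, nil, nil)
	f9, f9Key := issue("Mock f9 attestation cert", true, root, rootKey)
	attest, _ := issue("Mock 9a slot cert", false, f9, f9Key)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	badF9, badKey := issue("Rogue self-signed f9", true, nil, nil)
	badAttest, _ := issue("Rogue 9a slot cert", false, badF9, badKey)
	return VerifyAttestationChain(roots, f9, attest), VerifyAttestationChain(roots, badF9, badAttest)
}
```

A real deployment would load the Yubico PIV CA into roots (as NewAttestorWithCAPool suggests) rather than a generated mock root.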