
Import RSA public key #521

Open
yota9 opened this issue Dec 16, 2024 · 3 comments

Comments

@yota9
Contributor

yota9 commented Dec 16, 2024

Hello!
As I understand it, yubico can only import private keys and certificates. May I ask why public keys are left out in this case? I'm not even talking about CKO_DATA; it would be cool if these tokens had the ability to store some data securely.
Thank you!

@qpernil
Contributor

qpernil commented Dec 16, 2024

The PIV standard specifies that data slots shall contain certificates. One way to represent 'just a public key' is to create a self-signed certificate, something that you can do in YubiKey Authenticator or yubico-piv-tool. That said, the YubiKey doesn't care what data you store in data slots so you could store just a public key if you wanted to, but other PIV applications would expect to find certificates. Regarding secure storage the YubiKey PIV application is designed to work with clients that follow the PIV specification, which specifies how the data slots are to be accessed.

@yota9
Contributor Author

yota9 commented Dec 30, 2024

Hello! Thank you for your reply @qpernil!
It is a bit of a pity. Storing it as a self-signed certificate is possible, but you would lack the encryption/verify functionality :(
It would be great if yubico had a pkcs11 standard library with key storage, data objects, managing objects by USER, etc. But anyway, thank you for your answer, I appreciate it!

@qpernil
Contributor

qpernil commented Dec 30, 2024

Let me clarify: the above was about what the YubiKey actually stores, a private key and a data slot, which should contain a DER-encoded X.509 certificate. But when you enumerate all objects through libykcs11 it will actually use attestation, metadata or the stored certificates (in that order) to find public keys corresponding to the private keys in the yubikey, and expose them as CKO_PUBLIC_KEY objects that you can use to perform encryption or signature verification. The corresponding CKO_PRIVATE_KEY objects will call into the yubikey to perform decryption or signature creation. For each key there will also be an extra CKO_CERTIFICATE object holding the attestation for that key. The attestations are created when the first pkcs11 session is opened to the yubikey. Since these certificates are not actually stored they present as session objects, and you can filter them out by specifying CKA_TOKEN = CK_TRUE when searching for objects. According to the pkcs11 spec related objects have a common CKA_ID. Those IDs have been chosen to match what the pkcs11-tools pkcs11 module uses, for compatibility.
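The object layout described in the reply above, as an added example that is not part of this issue or of libykcs11: it pairs the CKO_PRIVATE_KEY, CKO_PUBLIC_KEY and CKO_CERTIFICATE objects by their shared CKA_ID, separates the token-resident certificate from the session-only attestation using CKA_TOKEN, and shows how to pull the same view from a real token through python-pkcs11 (assumed installed; the module path and CKA_ID value are placeholders, and the sample object list is constructed).

```python
from collections import defaultdict

# Constructed stand-in (not real token output) for what libykcs11 would
# enumerate for one PIV slot: the private key, the derived public key, the
# stored certificate, and the session-only attestation certificate.  Class
# names follow python-pkcs11's ObjectClass enum (no CKO_ prefix) and the
# CKA_ID value is a placeholder, not a value taken from a real YubiKey.
SAMPLE_OBJECTS = [
    {"class": "PRIVATE_KEY", "id": b"\x01", "token": True},
    {"class": "PUBLIC_KEY", "id": b"\x01", "token": True},
    {"class": "CERTIFICATE", "id": b"\x01", "token": True},
    {"class": "CERTIFICATE", "id": b"\x01", "token": False},  # attestation
]


def token_resident(objects):
    """Keep only CKA_TOKEN = CK_TRUE objects; this drops the attestation certs."""
    return [o for o in objects if o["token"]]


def summarize(objects):
    """Group related objects by their shared CKA_ID and count each kind."""
    groups = defaultdict(lambda: {"private": 0, "public": 0,
                                  "certificates": 0, "attestations": 0})
    for o in objects:
        g = groups[o["id"]]
        if o["class"] == "PRIVATE_KEY":
            g["private"] += 1
        elif o["class"] == "PUBLIC_KEY":
            g["public"] += 1
        elif o["class"] == "CERTIFICATE":
            # A certificate that is not token-resident is an attestation
            # generated when the session was opened, not stored data.
            g["attestations" if not o["token"] else "certificates"] += 1
    return dict(groups)


def read_yubikey(module_path, pin=None):
    """Build the same dicts from a real token via python-pkcs11 (assumed
    installed); module_path is wherever libykcs11 lives on your system."""
    import pkcs11
    from pkcs11.constants import Attribute

    lib = pkcs11.lib(module_path)
    token = next(iter(lib.get_tokens()))
    with token.open(user_pin=pin) as session:  # PIN needed to see private keys
        return [{"class": obj[Attribute.CLASS].name,
                 "id": obj[Attribute.ID],
                 "token": bool(obj[Attribute.TOKEN])}
                for obj in session.get_objects()]
```

`summarize(read_yubikey("/path/to/libykcs11.so", pin))` gives one entry per occupied slot; passing the list through `token_resident` first is the CKA_TOKEN = CK_TRUE filter the reply mentions.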
