Import RSA public key #521
Comments
The PIV standard specifies that data slots shall contain certificates. One way to represent 'just a public key' is to create a self-signed certificate, something that you can do in YubiKey Authenticator or yubico-piv-tool. That said, the YubiKey doesn't care what data you store in data slots, so you could store just a public key if you wanted to, but other PIV applications would expect to find certificates. Regarding secure storage, the YubiKey PIV application is designed to work with clients that follow the PIV specification, which specifies how the data slots are to be accessed.
Hello! Thank you for your reply @qpernil!
Let me clarify. The above was about what the YubiKey actually stores: a private key and a data slot, which should contain a DER-encoded X.509 certificate. But when you enumerate all objects through libykcs11 it will actually use attestation, metadata or the stored certificates (in that order) to find public keys corresponding to the private keys in the YubiKey, and expose them as CKO_PUBLIC_KEY objects that you can use to perform encryption or signature verification. The corresponding CKO_PRIVATE_KEY objects will call into the YubiKey to perform decryption or signature creation. For each key there will also be an extra CKO_CERTIFICATE object holding the attestation for that key. The attestations are created when the first PKCS#11 session is opened to the YubiKey. Since these certificates are not actually stored, they present as session objects, and you can filter them out by specifying CKA_TOKEN = CK_TRUE when searching for objects. According to the PKCS#11 spec, related objects have a common CKA_ID. Those IDs have been chosen to match what the pkcs11-tools PKCS#11 module uses, for compatibility.
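The two replies above describe the workflow end to end: wrap the public key in a self-signed X.509 certificate (the form a PIV data slot expects), import it into a slot, and then see what libykcs11 exposes for it over PKCS#11. The script below is an added example, not code from the yubico-piv-tool project or from anyone in this thread. It uses openssl to build the certificate and checks, before anything touches the token, that the certificate really carries the intended public key and how large its DER encoding is. The YubiKey steps only run when the tools are present. Slot 9a, the subject name, the path /usr/lib/libykcs11.so and the working directory are assumptions for illustration. One caveat the replies do not spell out: a self-signed certificate is signed by the matching private key, so this works for a key pair you hold; a bare public key with no private key would need a certificate issued by some other signing key instead.

```shell
#!/bin/sh
# Added example; not part of yubico-piv-tool or of this issue's replies.
# Assumed values (not from the issue): slot 9a, subject /CN=pubkey-wrapper,
# libykcs11 at /usr/lib/libykcs11.so, working directory from mktemp.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate an RSA-2048 key pair and a self-signed certificate around its
# public half in directory $1. Prints the certificate path.
make_selfsigned_cert() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=pubkey-wrapper" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    printf '%s\n' "$dir/cert.pem"
}

# Return 0 when the SubjectPublicKeyInfo in certificate $1 is the same key
# as the public half of private key $2 (compared as DER digests), else 1.
cert_matches_key() {
    cert="$1"
    key="$2"
    a=$(openssl x509 -in "$cert" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    b=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ "$a" = "$b" ]
}

# Print the size in bytes of the DER-encoded certificate; PIV data slots
# are small, so this is worth knowing before an import.
cert_der_size() {
    openssl x509 -in "$1" -outform DER | wc -c | tr -d ' '
}

# Token-side steps, skipped when the tools are not installed.
# import-certificate uses the PIV management key; pass -k if it is not the default.
import_and_list() {
    cert="$1"
    if command -v yubico-piv-tool >/dev/null 2>&1; then
        yubico-piv-tool -s 9a -a import-certificate -i "$cert"
    else
        echo "yubico-piv-tool not installed; skipping import" >&2
    fi
    if command -v pkcs11-tool >/dev/null 2>&1 && [ -f /usr/lib/libykcs11.so ]; then
        # Shows the CKO_PRIVATE_KEY, CKO_PUBLIC_KEY and CKO_CERTIFICATE objects
        # libykcs11 derives per slot, attestation session certificates included.
        pkcs11-tool --module /usr/lib/libykcs11.so --list-objects
    else
        echo "pkcs11-tool or libykcs11 not found; skipping object listing" >&2
    fi
}

main() {
    cert=$(make_selfsigned_cert "$WORKDIR")
    if cert_matches_key "$cert" "$WORKDIR/key.pem"; then
        echo "certificate carries the generated public key: $cert"
    else
        echo "public key mismatch, refusing to import" >&2
        return 1
    fi
    echo "DER certificate size: $(cert_der_size "$cert") bytes"
    import_and_list "$cert"
}

main
```

Run it on a machine with openssl; the certificate and key land in the temporary directory it prints. Attestation certificates will show up in the object listing as well, and a client that wants only the stored objects filters on CKA_TOKEN = CK_TRUE, as the reply above says.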
Hello!
As I understand it, YubiKeys can only import private keys and certificates. May I ask why public keys are left out in this case? I am not even talking about CKO_DATA; it would be cool if these tokens had the ability to store some data securely.
Thank you!