Initial Yubikey support#5
Open
tomberek wants to merge 13 commits intocgzones:developfrom
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Provides the prompts and backend to use Yubikeys and other PKCS11 devices. The core functionality uses only the pkcs11 engine in openssl, but initializing the keys are vendor specific. That is located in
./functionsand can be rewritten for non-yubikey (WIP).The most complicated part is using a Yubikey for the root CA and creating a sub-CA on a Yubikey as well. Restrictions on the use of various slots requires the CA's to be in slot 9c and on DIFFERENT keys. This makes the creation of a sub-CA a juggling act of plugging and switching physical keys error-prone. Follow the in-terminal warnings carefully. I also added checks to confirm anything changing a Yubikey is confirmed at least twice by the user and takes a management key.
Creating client or server certs in PIV mode (slot 9a) is possible, but not recommended for servers.