Skip to content

Commit 38bbcae

Browse files
GregBowyerGregBowyer
committed
PIV: Support AES management keys
This commit adds support for setting and getting the AES management keys, these are available in firmwars 5.4 and later, and are now the default in firmwares 5.7. The key is handled via being generic on a limit number of allowed alogrithms, using implementations of those from rust-crypto crates. Right now support in PIV MGM keys is for: * TripleDes (`0x03`) - The key type originally used * AES128 (`0x08`) - The new key type using a 128 bit key * AES192 (`0x0A`) - The new key type using a 192 bit key, this also doubles as the algorithm for firmwares 5.7 and later, where the default key is the same as the original TripleDes key. * AES256 (`0x0C`) - The new key type using a 256 bit key Suitable type aliases are provided for each of these key types. The rationale here for exposing the key as a generic type parameter is to largely use the original logic, but avoid scattered enums and provide the end user with some degree of control over the key types at compile time (it should, for instance be relatively easy make 3Des keys uncompileable). See: https://docs.yubico.com/yesdk/users-manual/application-piv/apdu/auth-mgmt.html
1 parent 0a90dc3 commit 38bbcae

File tree

8 files changed

+334
-173
lines changed

8 files changed

+334
-173
lines changed

Cargo.lock

Lines changed: 16 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

Cargo.toml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,7 @@ x509-cert = { version = "0.2.5", features = [ "builder", "hazmat" ] }
2525
[dependencies]
2626
der = "0.7.1"
2727
des = "0.8"
28+
aes = { version = "0.8.4", features = ["zeroize"] }
2829
elliptic-curve = "0.13"
2930
hex = { package = "base16ct", version = "0.2", features = ["alloc"] }
3031
hmac = "0.12"
@@ -48,6 +49,8 @@ subtle = "2"
4849
uuid = { version = "1.2", features = ["v4"] }
4950
x509-cert.workspace = true
5051
zeroize = "1"
52+
cipher = "0.4.4"
53+
crypto-common = { version = "0.1.6", features = ["rand_core"] }
5154

5255
[dev-dependencies]
5356
env_logger = "0.10"

src/lib.rs

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -71,7 +71,7 @@ pub use crate::{
7171
chuid::ChuId,
7272
config::Config,
7373
error::{Error, Result},
74-
mgm::{MgmKey, MgmType},
74+
mgm::{MgmKey, MgmType, MgmKeyAlgorithm, MgmKey3Des, MgmKeyAes128, MgmKeyAes192, MgmKeyAes256},
7575
piv::Key,
7676
policy::{PinPolicy, TouchPolicy},
7777
reader::Context,

0 commit comments

Comments
 (0)