Add new algorithms supported in firmware 5.7.x

This commit supports the new algorithms supported on YubiKeys with a 5.7.x firmware. It adds support for RSA-3072, RSA-4096, Ed25519, and X25519. Generating or importing X25519 keys is only supported with Go 1.20+, which adds support for the crypto/ecdh package.
go-piv · Oct 3, 2024 · 33d0d46 · 33d0d46
1 parent 7988525
commit 33d0d46
Show file tree

Hide file tree

Showing 8 changed files with 565 additions and 48 deletions.
diff --git a/v2/piv/key.go b/v2/piv/key.go
@@ -449,6 +449,9 @@ const (
 	AlgorithmEd25519
 	AlgorithmRSA1024
 	AlgorithmRSA2048
+	AlgorithmRSA3072
+	AlgorithmRSA4096
+	AlgorithmX25519
 )
 
 // PINPolicy represents PIN requirements when signing or decrypting with an
@@ -532,6 +535,9 @@ var algorithmsMap = map[Algorithm]byte{
 	AlgorithmEd25519: algEd25519,
 	AlgorithmRSA1024: algRSA1024,
 	AlgorithmRSA2048: algRSA2048,
+	AlgorithmRSA3072: algRSA3072,
+	AlgorithmRSA4096: algRSA4096,
+	AlgorithmX25519:  algX25519,
 }
 
 var algorithmsMapInv = map[byte]Algorithm{
@@ -540,6 +546,9 @@ var algorithmsMapInv = map[byte]Algorithm{
 	algEd25519: AlgorithmEd25519,
 	algRSA1024: AlgorithmRSA1024,
 	algRSA2048: AlgorithmRSA2048,
+	algRSA3072: AlgorithmRSA3072,
+	algRSA4096: AlgorithmRSA4096,
+	algX25519:  AlgorithmX25519,
 }
 
 // AttestationCertificate returns the YubiKey's attestation certificate, which
@@ -847,7 +856,7 @@ func ykGenerateKey(tx *scTx, slot Slot, o Key) (crypto.PublicKey, error) {
 func decodePublic(b []byte, alg Algorithm) (crypto.PublicKey, error) {
 	var curve elliptic.Curve
 	switch alg {
-	case AlgorithmRSA1024, AlgorithmRSA2048:
+	case AlgorithmRSA1024, AlgorithmRSA2048, AlgorithmRSA3072, AlgorithmRSA4096:
 		pub, err := decodeRSAPublic(b)
 		if err != nil {
 			return nil, fmt.Errorf("decoding rsa public key: %v", err)
@@ -863,6 +872,12 @@ func decodePublic(b []byte, alg Algorithm) (crypto.PublicKey, error) {
 			return nil, fmt.Errorf("decoding ed25519 public key: %v", err)
 		}
 		return pub, nil
+	case AlgorithmX25519:
+		pub, err := decodeX25519Public(b)
+		if err != nil {
+			return nil, fmt.Errorf("decoding X25519 public key: %v", err)
+		}
+		return pub, nil
 	default:
 		return nil, fmt.Errorf("unsupported algorithm")
 	}
@@ -992,7 +1007,7 @@ func (yk *YubiKey) PrivateKey(slot Slot, public crypto.PublicKey, auth KeyAuth)
 	case *rsa.PublicKey:
 		return &keyRSA{yk, slot, pub, auth, pp}, nil
 	default:
-		return nil, fmt.Errorf("unsupported public key type: %T", public)
+		return yk.privateKey(slot, public, auth, pp)
 	}
 }
 
@@ -1025,6 +1040,12 @@ func (yk *YubiKey) SetPrivateKeyInsecure(key []byte, slot Slot, private crypto.P
 		case 2048:
 			policy.Algorithm = AlgorithmRSA2048
 			elemLen = 128
+		case 3072:
+			policy.Algorithm = AlgorithmRSA3072
+			elemLen = 192
+		case 4096:
+			policy.Algorithm = AlgorithmRSA4096
+			elemLen = 256
 		default:
 			return errUnsupportedKeySize
 		}
@@ -1056,9 +1077,22 @@ func (yk *YubiKey) SetPrivateKeyInsecure(key []byte, slot Slot, private crypto.P
 		padding := len(privateKey) - len(valueBytes)
 		copy(privateKey[padding:], valueBytes)
 
+		params = append(params, privateKey)
+	case ed25519.PrivateKey:
+		paramTag = 0x07
+		elemLen = ed25519.SeedSize
+
+		// seed
+		privateKey := make([]byte, elemLen)
+		copy(privateKey, priv[:32])
 		params = append(params, privateKey)
 	default:
-		return errors.New("unsupported private key type")
+		// Add support for ecdh.PrivateKey using build tags
+		var err error
+		params, paramTag, elemLen, err = yk.setPrivateKeyInsecure(private)
+		if err != nil {
+			return err
+		}
 	}
 
 	elemLenASN1 := marshalASN1Length(uint64(elemLen))
@@ -1404,6 +1438,10 @@ func rsaAlg(pub *rsa.PublicKey) (byte, error) {
 		return algRSA1024, nil
 	case 2048:
 		return algRSA2048, nil
+	case 3072:
+		return algRSA3072, nil
+	case 4096:
+		return algRSA4096, nil
 	default:
 		return 0, fmt.Errorf("unsupported rsa key size: %d", size)
 	}

diff --git a/v2/piv/key_go120.go b/v2/piv/key_go120.go
@@ -0,0 +1,116 @@
+//go:build go1.20
+// +build go1.20
+
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package piv
+
+import (
+	"crypto"
+	"crypto/ecdh"
+	"errors"
+	"fmt"
+)
+
+type X25519PrivateKey struct {
+	yk   *YubiKey
+	slot Slot
+	pub  *ecdh.PublicKey
+	auth KeyAuth
+	pp   PINPolicy
+}
+
+func (k *X25519PrivateKey) Public() crypto.PublicKey {
+	return k.pub
+}
+
+// SharedKey performs an ECDH exchange and returns the shared secret.
+//
+// Peer's public key must use the same algorithm as the key in this slot, or an
+// error will be returned.
+func (k *X25519PrivateKey) SharedKey(peer *ecdh.PublicKey) ([]byte, error) {
+	return k.auth.do(k.yk, k.pp, func(tx *scTx) ([]byte, error) {
+		return ykECDHX25519(tx, k.slot, k.pub, peer)
+	})
+}
+
+func (yk *YubiKey) privateKey(slot Slot, public crypto.PublicKey, auth KeyAuth, pp PINPolicy) (crypto.PrivateKey, error) {
+	switch pub := public.(type) {
+	case *ecdh.PublicKey:
+		if crv := pub.Curve(); crv != ecdh.X25519() {
+			return nil, fmt.Errorf("unsupported ecdh curve: %v", crv)
+		}
+		return &X25519PrivateKey{yk, slot, pub, auth, pp}, nil
+	default:
+		return nil, fmt.Errorf("unsupported public key type: %T", public)
+	}
+}
+
+func (yk *YubiKey) setPrivateKeyInsecure(private crypto.PrivateKey) ([][]byte, byte, int, error) {
+	switch priv := private.(type) {
+	case *ecdh.PrivateKey:
+		if priv.Curve() != ecdh.X25519() {
+			return nil, 0, 0, errors.New("unsupported private key type")
+		}
+		// seed
+		params := make([][]byte, 0)
+		params = append(params, priv.Bytes())
+		return params, 0x08, 32, nil
+	default:
+		return nil, 0, 0, errors.New("unsupported private key type")
+	}
+}
+
+func decodeX25519Public(b []byte) (*ecdh.PublicKey, error) {
+	// Adaptation of
+	// https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf#page=95
+	p, _, err := unmarshalASN1(b, 2, 0x06)
+	if err != nil {
+		return nil, fmt.Errorf("unmarshal points: %v", err)
+	}
+	return ecdh.X25519().NewPublicKey(p)
+}
+
+func ykECDHX25519(tx *scTx, slot Slot, pub *ecdh.PublicKey, peer *ecdh.PublicKey) ([]byte, error) {
+	if crv := pub.Curve(); crv != ecdh.X25519() {
+		return nil, fmt.Errorf("unsupported ecdh curve: %v", crv)
+	}
+	if pub.Curve() != peer.Curve() {
+		return nil, errMismatchingAlgorithms
+	}
+	cmd := apdu{
+		instruction: insAuthenticate,
+		param1:      algX25519,
+		param2:      byte(slot.Key),
+		data: marshalASN1(0x7c,
+			append([]byte{0x82, 0x00},
+				marshalASN1(0x85, peer.Bytes())...)),
+	}
+	resp, err := tx.Transmit(cmd)
+	if err != nil {
+		return nil, fmt.Errorf("command failed: %w", err)
+	}
+
+	sig, _, err := unmarshalASN1(resp, 1, 0x1c) // 0x7c
+	if err != nil {
+		return nil, fmt.Errorf("unmarshal response: %v", err)
+	}
+	sharedSecret, _, err := unmarshalASN1(sig, 2, 0x02) // 0x82
+	if err != nil {
+		return nil, fmt.Errorf("unmarshal response signature: %v", err)
+	}
+
+	return sharedSecret, nil
+}
diff --git a/v2/piv/key_go120_test.go b/v2/piv/key_go120_test.go
@@ -0,0 +1,120 @@
+//go:build go1.20
+// +build go1.20
+
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package piv
+
+import (
+	"bytes"
+	"crypto/ecdh"
+	"crypto/rand"
+	"errors"
+	"reflect"
+	"testing"
+)
+
+func TestYubiKeyX25519ImportKey(t *testing.T) {
+	importKey, err := ecdh.X25519().GenerateKey(rand.Reader)
+	if err != nil {
+		t.Fatalf("error geneating X25519 key: %v", err)
+	}
+
+	yk, close := newTestYubiKey(t)
+	defer close()
+
+	slot := SlotAuthentication
+
+	err = yk.SetPrivateKeyInsecure(DefaultManagementKey, slot, importKey, Key{AlgorithmX25519, PINPolicyNever, TouchPolicyNever})
+	if err != nil {
+		t.Fatalf("error importing key: %v", err)
+	}
+	want := KeyInfo{
+		Algorithm:   AlgorithmX25519,
+		PINPolicy:   PINPolicyNever,
+		TouchPolicy: TouchPolicyNever,
+		Origin:      OriginImported,
+		PublicKey:   importKey.Public(),
+	}
+
+	got, err := yk.KeyInfo(slot)
+	if err != nil {
+		t.Fatalf("KeyInfo() = _, %v", err)
+	}
+	if !reflect.DeepEqual(got, want) {
+		t.Errorf("KeyInfo() = %#v, want %#v", got, want)
+	}
+}
+
+func TestYubiKeyX25519SharedKey(t *testing.T) {
+	yk, close := newTestYubiKey(t)
+	defer close()
+
+	slot := SlotAuthentication
+
+	key := Key{
+		Algorithm:   AlgorithmX25519,
+		TouchPolicy: TouchPolicyNever,
+		PINPolicy:   PINPolicyNever,
+	}
+	pubKey, err := yk.GenerateKey(DefaultManagementKey, slot, key)
+	if err != nil {
+		t.Fatalf("generating key: %v", err)
+	}
+	pub, ok := pubKey.(*ecdh.PublicKey)
+	if !ok {
+		t.Fatalf("public key is not an ecdh key")
+	}
+	priv, err := yk.PrivateKey(slot, pub, KeyAuth{})
+	if err != nil {
+		t.Fatalf("getting private key: %v", err)
+	}
+	privX25519, ok := priv.(*X25519PrivateKey)
+	if !ok {
+		t.Fatalf("expected private key to be X25519 private key")
+	}
+
+	t.Run("good", func(t *testing.T) {
+		peer, err := ecdh.X25519().GenerateKey(rand.Reader)
+		if err != nil {
+			t.Fatalf("cannot generate key: %v", err)
+		}
+
+		secret1, err := privX25519.SharedKey(peer.PublicKey())
+		if err != nil {
+			t.Fatalf("key agreement failed: %v", err)
+		}
+		secret2, err := peer.ECDH(pub)
+		if err != nil {
+			t.Fatalf("key agreement failed: %v", err)
+		}
+		if !bytes.Equal(secret1, secret2) {
+			t.Errorf("key agreement didn't match")
+		}
+	})
+
+	t.Run("bad", func(t *testing.T) {
+		t.Run("curve", func(t *testing.T) {
+			peer, err := ecdh.P256().GenerateKey(rand.Reader)
+			if err != nil {
+				t.Fatalf("cannot generate key: %v", err)
+			}
+			_, err = privX25519.SharedKey(peer.PublicKey())
+			if !errors.Is(err, errMismatchingAlgorithms) {
+				t.Fatalf("unexpected error value: wanted errMismatchingAlgorithms: %v", err)
+			}
+		})
+	})
+}
diff --git a/v2/piv/key_legacy.go b/v2/piv/key_legacy.go
@@ -0,0 +1,36 @@
+//go:build !go1.20
+// +build !go1.20
+
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package piv
+
+import (
+	"crypto"
+	"errors"
+	"fmt"
+)
+
+func (yk *YubiKey) privateKey(slot Slot, public crypto.PublicKey, auth KeyAuth, pp PINPolicy) (crypto.PrivateKey, error) {
+	return nil, fmt.Errorf("unsupported public key type: %T", public)
+}
+
+func (yk *YubiKey) setPrivateKeyInsecure(private crypto.PrivateKey) ([][]byte, byte, int, error) {
+	return nil, 0, 0, errors.New("unsupported private key type")
+}
+
+func decodeX25519Public(b []byte) (crypto.PublicKey, error) {
+	return nil, fmt.Errorf("unsupported algorithm")
+}