
Support new key types in Yubikey 5.7 firmware #143

Closed
smlx opened this issue May 7, 2024 · 6 comments · Fixed by #157

Comments

@smlx

smlx commented May 7, 2024

Yubico have announced new firmware with expanded key type support. They've also added support to their tooling.

Would you accept PRs to add these new non-standard key types once hardware is available to test them?

@ericchiang
Collaborator

Happy to add them! One note is that I don't have test hardware. If it's possible, it might be nice if Yubikey would consider contributing a device to development.

@phiekl

phiekl commented Aug 22, 2024

algEd25519 = 0x22

By changing 0x22 into 0xe0 (as found in the link above), I got piv-go to work with ed25519 keys on a YubiKey 5.7.3.

Of course, the final patch won't be as simple as just changing the value, but just wanted to let you know. 😄

@ericchiang
Collaborator

This sounds like a slightly different issue, but would be happy to switch some of the ed25519 support over to whatever yubikeys use, particularly if that's spec supported. That feature was initially added for non-standard hardware.

@smlx
Author

smlx commented Aug 23, 2024

FYI Solo keys never actually implemented PIV and the project now seems to be abandoned. So that hardware never got beyond vapourware stage.

solokeys/solo2#88

@hslatman
Contributor

My colleague @maraino opened a PR: #157.

@maraino
Contributor

maraino commented Sep 25, 2024

@smlx @ericchiang on #157, I've added support for the new algorithms included in 5.7.x: RSA-3072, RSA-4096, Ed25519, and X25519. This last one is only implemented if the Go version is 1.20 or newer, and it will return an error if not.

I'm implementing X25519 only in Go 1.20+ because I'm using the crypto/ecdh package to return the public key (or import a private key). It would be possible to support lower versions, but it will imply using a new type in the piv-go/piv package or using []byte. But for example, let's say you want to import a key using a type piv.X25519; generating the key is easy, but you probably also want to be able to get the public key or even do ECDH, then we will have to implement scalar multiplications, and I don't think this is something this package will need to support.
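The trade-off maraino describes above (using crypto/ecdh rather than implementing scalar multiplication in piv-go) can be seen in a small added example. This is not code from #157 or from piv-go; it assumes the raw 32-byte X25519 values have already been extracted from the token's PIV response templates, and the helper names are made up for illustration. It shows the two directions the comment mentions: turning a raw public point returned by the token into an *ecdh.PublicKey, and taking a 32-byte scalar a caller wants to import and deriving the public key bytes to compare against what the token reports, plus the host side of an ECDH agreement. All of it is done by crypto/ecdh (Go 1.20+), which is the point of the design choice.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Added example, not piv-go code. It shows how a PIV client can hand the raw
// 32-byte X25519 values exchanged with a token to crypto/ecdh (Go 1.20+)
// instead of carrying its own scalar-multiplication code.

// x25519PublicKeyFromCard (hypothetical helper) converts the raw 32-byte
// public point a token returns after key generation into an *ecdh.PublicKey.
// TLV parsing of the PIV response is assumed to have happened already.
func x25519PublicKeyFromCard(raw []byte) (*ecdh.PublicKey, error) {
	if len(raw) != 32 {
		return nil, fmt.Errorf("x25519: expected 32-byte public key, got %d", len(raw))
	}
	return ecdh.X25519().NewPublicKey(raw)
}

// x25519PrivateKeyForImport (hypothetical helper) validates the scalar a
// caller wants to import into a slot and returns the *ecdh.PrivateKey plus
// the public key bytes, so the caller can check them against the public key
// the token reports for the slot after import.
func x25519PrivateKeyForImport(scalar []byte) (*ecdh.PrivateKey, []byte, error) {
	if len(scalar) != 32 {
		return nil, nil, errors.New("x25519: private key must be 32 bytes")
	}
	priv, err := ecdh.X25519().NewPrivateKey(scalar)
	if err != nil {
		return nil, nil, err
	}
	return priv, priv.PublicKey().Bytes(), nil
}

// sharedSecret performs the host side of an ECDH agreement with a peer's raw
// public key. crypto/ecdh clamps the scalar and rejects an all-zero result
// (low-order peer points), so none of that has to be reimplemented here.
func sharedSecret(priv *ecdh.PrivateKey, peerRaw []byte) ([]byte, error) {
	peer, err := x25519PublicKeyFromCard(peerRaw)
	if err != nil {
		return nil, err
	}
	return priv.ECDH(peer)
}

func main() {
	// Constructed sample: two freshly generated keys stand in for the token's
	// slot key and the host's ephemeral key; no hardware is involved.
	tokenPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	hostPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	hostSide, err := sharedSecret(hostPriv, tokenPriv.PublicKey().Bytes())
	if err != nil {
		panic(err)
	}
	tokenSide, err := sharedSecret(tokenPriv, hostPriv.PublicKey().Bytes())
	if err != nil {
		panic(err)
	}
	fmt.Println("shared secrets match:", hex.EncodeToString(hostSide) == hex.EncodeToString(tokenSide))
}
```

On a build older than Go 1.20 this file does not compile because crypto/ecdh is absent, which is why the PR gates the feature on the Go version and returns an error otherwise; supporting older toolchains would mean either a bare []byte API with no way to derive the public key, or shipping an X25519 implementation inside the package.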
