-
Notifications
You must be signed in to change notification settings - Fork 65
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add new algorithms supported in firmware 5.7.x #157
Conversation
This commit supports the new algorithms supported on YubiKeys with a 5.7.x firmware. It adds support for RSA-3072, RSA-4096, Ed25519, and X25519. Generating or importing X25519 keys is only supported with Go 1.20+, which adds support for the crypto/ecdh package.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks great! A couple of comments, but otherwise lgtm
v2/piv/key_legacy_test.go
Outdated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto: let's remove this and drop support for earlier versions of Go
Instead of adding a new exported type
type ECDHer interface {
ECDH(*ecdh.PublicKey) ([]byte, error)
}
|
@ericchiang what do you think about @AGWA proposal? My initial implementation was like that, but I noticed that ECDSA was using SharedKey, so I changed it. @AGWA I'm open to renaming SharedKey to ECDH if @ericchiang is ok with it. But it isn't necessary to add the interface here. The software using this package can create its own. |
I agree that we shouldn't create new interfaces here. At the point where you use the interface, you have to be aware of piv-go anyway. If this is going to be a common definition, it probably belongs in https://pkg.go.dev/crypto, similar to crypto.Signer. I'd prefer keeping "SharedKey" to be consistent within this package with ECDSAPrivateKey. Not thrilled with deprecating things for deprecation sake |
I agree that the interface doesn't need to be defined here, but I'm still hoping we can call the function ECDH for consistency with I suggested deprecating |
Thanks #158 is helpful! I didn't realize the proposal is to change the signature, not just the name. I'm fine with supporting the newer The parts of I'll merge #158. @maraino sorry for the flip flop, but the name "ECDH" does seem reasonable if we're accepting |
This commit removes the code to support Go 1.16 to 1.19, requiring now Go 1.20. With this requirement we can remove the build tags. It also renames the X25519 SharedKey to ECDH.
@ericchiang, I've fixed the issues with my latest commit cfec690. I didn't implement the |
@maraino no need to implement |
Thanks everyone for the feedback here! I've gone ahead and tagged v2.2.0 including these changes https://github.com/go-piv/piv-go/releases/tag/v2.2.0 |
This commit supports the new algorithms supported on YubiKeys with a 5.7.x firmware. It adds support for RSA-3072, RSA-4096, Ed25519, and X25519.
Generating X25519 keys is only supported with Go 1.20+, which adds support for the
crypto/ecdh
package.Note that this commit removes the support for Ed25519 on SoloKeys if the algorithm identifier is set to 0x22.
Fixes #143