From 6bd6e19ef61556f75f238e05e88502167df2c26c Mon Sep 17 00:00:00 2001
From: Nicolas Stalder
Date: Mon, 18 May 2020 00:16:11 +0200
Subject: [PATCH] Support Ed25519 keys in setup
---
 go.mod | 2 ++
 go.sum | 2 ++
 main.go | 5 ++++-
 setup.go | 9 +++++++--
 4 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 5c54a2d..d7f0dc8 100644
--- a/go.mod
+++ b/go.mod
@@ -7,3 +7,5 @@ require (
 github.com/gopasspw/gopass v1.9.1
 golang.org/x/crypto v0.0.0-20200429183012-4b2356b1ed79
 )
+
+replace github.com/go-piv/piv-go => github.com/go-piv/piv-go v1.5.1-0.20200518213843-e6548dd11f02
diff --git a/go.sum b/go.sum
index b2eb04e..06d24fa 100644
--- a/go.sum
+++ b/go.sum
@@ -28,6 +28,8 @@ github.com/gdamore/tcell v1.3.0 h1:r35w0JBADPZCVQijYebl6YMWWtHRqVEGt7kL2eBADRM=
 github.com/gdamore/tcell v1.3.0/go.mod h1:Hjvr+Ofd+gLglo7RYKxxnzCBmev3BzsS67MebKS4zMM=
 github.com/go-piv/piv-go v1.5.0 h1:UtHPfrJsZKY+Z3UIjmJLh6DY+KtmNOl/9b/zt4N81pM=
 github.com/go-piv/piv-go v1.5.0/go.mod h1:ON2WvQncm7dIkCQ7kYJs+nc3V4jHGfrrJnSF8HKy7Gk=
+github.com/go-piv/piv-go v1.5.1-0.20200518213843-e6548dd11f02 h1:gPojWOKTZxwWuNoQw/004S5U+/ECewLZAwJqZQocRYI=
+github.com/go-piv/piv-go v1.5.1-0.20200518213843-e6548dd11f02/go.mod h1:ON2WvQncm7dIkCQ7kYJs+nc3V4jHGfrrJnSF8HKy7Gk=
 github.com/godbus/dbus v0.0.0-20190623212516-8a1682060722 h1:NNKZiuNXd6lpZRyoFM/uhssj5W9Ps1DbhGHxT49Pm9I=
 github.com/godbus/dbus v0.0.0-20190623212516-8a1682060722/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4=
 github.com/gokyle/twofactor v1.0.1 h1:uRhvx0S4Hb82RPIDALnf7QxbmPL49LyyaCkJDpWx+Ek=
diff --git a/main.go b/main.go
index 717b7f0..b4486af 100644
--- a/main.go
+++ b/main.go
@@ -9,6 +9,7 @@ package main
 import (
 "bytes"
 "crypto/ecdsa"
+ "crypto/ed25519"
 "crypto/rand"
 "crypto/rsa"
 "errors"
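Review bot: The added `replace` line pins piv-go to an unreleased pseudo-version while the `require` block above it still names v1.5.0, so anything that reads only the requirement (dependency scanners, a casual reader of go.mod) sees a version that is not what gets built. Because the replacement is the same module path at a newer commit, bumping the requirement directly (`go get github.com/go-piv/piv-go@e6548dd11f02`) expresses the same pin without an override, and the go.sum entries added in the next hunk already cover that pseudo-version. If the replace is deliberately kept until upstream tags a release, a comment above it saying what it is waiting for, `// pending upstream release of Ed25519 support in GenerateKey`, tells the next maintainer when it can be dropped.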
@@ -47,6 +48,7 @@ func main() {
 }
 socketPath := flag.String("l", "", "agent: path of the UNIX socket to listen on")
+ ed25519Flag := flag.Bool("ed25519", false, "setup: generate Ed25519 key")
 resetFlag := flag.Bool("really-delete-all-piv-keys", false, "setup: reset the PIV applet")
 setupFlag := flag.Bool("setup", false, "setup: configure a new YubiKey")
 flag.Parse()
@@ -61,7 +63,7 @@ func main() {
 if *resetFlag {
 runReset(yk)
 }
- runSetup(yk)
+ runSetup(yk, *ed25519Flag)
 } else {
 if *socketPath == "" {
 flag.Usage()
@@ -226,6 +228,7 @@ func getPublicKey(yk *piv.YubiKey, slot piv.Slot) (ssh.PublicKey, error) {
 }
 switch cert.PublicKey.(type) {
 case *ecdsa.PublicKey:
+ case ed25519.PublicKey:
 case *rsa.PublicKey:
 default:
 return nil, fmt.Errorf("unexpected public key type: %T", cert.PublicKey)
diff --git a/setup.go b/setup.go
index 7cba085..2b508fd 100644
--- a/setup.go
+++ b/setup.go
@@ -65,7 +65,7 @@ func runReset(yk *piv.YubiKey) {
 }
 }
-func runSetup(yk *piv.YubiKey) {
+func runSetup(yk *piv.YubiKey, ed25519 bool) {
 if _, err := yk.Certificate(piv.SlotAuthentication); err == nil {
 log.Println("‼️ This YubiKey looks already setup")
 log.Println("")
@@ -136,8 +136,13 @@ func runSetup(yk *piv.YubiKey) {
 log.Fatalln("use --really-delete-all-piv-keys ⚠️")
 }
+ alg := piv.AlgorithmEC256
+ if ed25519 {
+ // hack it in, this relies on the piv-go patch
+ alg = piv.AlgorithmEd25519
+ }
 pub, err := yk.GenerateKey(key, piv.SlotAuthentication, piv.Key{
- Algorithm: piv.AlgorithmEC256,
+ Algorithm: alg,
 PINPolicy: piv.PINPolicyOnce,
 TouchPolicy: piv.TouchPolicyAlways,
 })
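Review bot: `-ed25519` is described as a setup-only option, but nothing after `flag.Parse()` in this hunk rejects it when `-setup` is absent, so passing it to an agent invocation is a silent no-op rather than an error. A guard right after parsing, `if *ed25519Flag && !*setupFlag { flag.Usage(); os.Exit(2) }` (or the file's usual `log.Fatalln`), makes the dependency explicit; the `-setup` branch itself begins outside this hunk, so it may already do something similar. The help text could also name the alternative it replaces, e.g. `"setup: generate an Ed25519 key instead of the default ECDSA P-256 key"`, since the default algorithm is only visible in setup.go. The enclosing main continues outside this hunk.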
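Review bot: The new `case ed25519.PublicKey:` matches a value type where the neighbouring cases match pointers; that is correct (crypto/ed25519.PublicKey is a byte-slice type), but it invites a later "fix" to `*ed25519.PublicKey` that would quietly route Ed25519 certificates to the `unexpected public key type` branch, so a one-line comment is worth it: `// ed25519.PublicKey is a slice type, not a pointer like the ECDSA/RSA keys`. The switch only admits the type; what getPublicKey does with cert.PublicKey afterwards and the agent's signing path for this slot are outside the hunk, and it is worth confirming there that an Ed25519 slot signer is invoked with an unhashed message (crypto.Hash(0), which is what ssh-ed25519 signatures require) rather than a prehashed digest, since that is the contract the patched piv-go must honour. getPublicKey continues outside this hunk.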
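Review bot: The new parameter is named `ed25519`, which is also the name of the crypto/ed25519 package; setup.go does not import it in the visible hunks, but if it ever does the parameter shadows the package inside runSetup, and a bare bool at the call site (`runSetup(yk, *ed25519Flag)`) does not say what it selects. Either a clearer name, `useEd25519`, or passing the algorithm itself, `func runSetup(yk *piv.YubiKey, alg piv.Algorithm)`, so the caller states the choice and runSetup stops branching on a flag, reads better and extends to further algorithms without more booleans. runSetup's body continues outside this hunk.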
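Review bot: The comment `// hack it in, this relies on the piv-go patch` on the added branch does not tell a reader which patch, or what happens on a device that cannot honour the choice; `piv.AlgorithmEd25519` only resolves against the piv-go commit pinned by the replace directive in go.mod, so the comment should say that: `// piv.AlgorithmEd25519 exists only in the piv-go commit pinned in go.mod (replace directive); remove once upstream releases it`. How the device reacts to an unsupported algorithm is not visible here — the handling of `pub, err := yk.GenerateKey(...)` sits outside this hunk, and whether a YubiKey without Ed25519 PIV support fails there or only later (presumably when a certificate is written to the slot, given the `yk.Certificate` check earlier in runSetup) should be verified and the resulting error message checked to be understandable to a user. Keeping `PINPolicyOnce` and `TouchPolicyAlways` unchanged for the new key type is the right call. runSetup continues outside this hunk.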