Skip to content

Yk9#32

Merged
obelisk merged 15 commits into
mainfrom
yk9
Apr 30, 2026
Merged

Yk9#32
obelisk merged 15 commits into
mainfrom
yk9

Conversation

@timweri
Copy link
Copy Markdown
Collaborator

@timweri timweri commented Apr 30, 2026
edited
Loading

Building on top of #27.

The bump to 8 was blocked due to conflicting RustCrypto crates. That issue is gone in Yk8 so we are skipping Yk8.

By default, Yubikey unlock will read the firmware to derive the default management key algorithm. But we will also expose unlock_with_management_key_algorithm to allow caller to specify a custom key algorithm if the default doesn't work.

TLDR: If your management key algorithm is not the factory default, you need to specify it.

Tests

Firmware 5.4.3 using TDES (default)

Pass

cargo run --example yk-provision --features yubikey-support -- \
  --slot R3 --subject "my-test-key" --type p384
cargo run --example yk-generate-csr --features yubikey-support -- -s R3
cargo run --example yk-provision --features yubikey-support -- \
  --slot R3 --subject "my-test-key" --type p256
cargo run --example yk-generate-csr --features yubikey-support -- -s R3

Firmware 5.7.1 using AES192 (default)

Pass

cargo run --example yk-provision --features yubikey-support -- \
  --slot R3 --subject "my-test-key" --type p384
cargo run --example yk-generate-csr --features yubikey-support -- -s R3
cargo run --example yk-provision --features yubikey-support -- \
  --slot R3 --subject "my-test-key" --type p256
cargo run --example yk-generate-csr --features yubikey-support -- -s R3

Firmware 5.7.1 using TDES (non-default)

Pass

cargo run --example yk-provision --features yubikey-support -- --mgmkey-alg 3des \
  --slot R3 --subject "my-test-key" --type p384
cargo run --example yk-generate-csr --features yubikey-support -- --mgmkey-alg 3des -s R3
cargo run --example yk-provision --features yubikey-support -- --mgmkey-alg 3des \
  --slot R3 --subject "my-test-key" --type p256
cargo run --example yk-generate-csr --features yubikey-support -- --mgmkey-alg 3des -s R3

obelisk and others added 12 commits April 15, 2025 18:57
@obelisk
builds
a5611ca
@obelisk
Works but not good
f532486
@obelisk
More tested
5809ba5
@obelisk
Bump authentictor-rs
4feae31
@obelisk
Remove x509-parser from piv management module
92e3c4f
@obelisk
Clean up test
3382bf5
@timweri
Merge branch 'main' into yk8
83857d6
@timweri
Clean up yk8 branch (#28)
d84039b 
* Port x509/mod.rs

* WIP PIV verification

* Revert x509-parser -> x509-cert migration

* Create nongeneric yk::provision variants

* Add generate csr example

* Resolve conflict

* cargo

* undo

* Update API

* First attempt at keytype

* fmt

* Remove macro

* Fix test

* Fix generate csr test fail

* Minimize diff

* Remove debug

* New CTAP2 API

* Check all PRs

* Support AES

* Use API to fetch mgm key algorithm

* breaking yk.unlock

* unbreak

* unbreak
@obelisk
Merge branch 'main' into yk8
7553679
@timweri
bump to 0.15.0
1d7d335
@timweri
Bump to yk9
45730a6
@timweri
Merge branch 'main' into yk9
f3e90c6
@timweri timweri marked this pull request as ready for review April 30, 2026 20:42
@timweri timweri requested review from Copilot and obelisk April 30, 2026 20:42
Copilot AI reviewed Apr 30, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR upgrades the crate’s YubiKey PIV integration to newer YubiKey library APIs (skipping the prior “Yk8” step) and adds support for selecting the management key algorithm explicitly, which is needed for newer YubiKeys that default to AES management keys.

Changes:

  • Bump YubiKey-related dependencies and adjust PIV code to the new certificate/SPKI APIs.
  • Add ManagementKeyAlgorithm plus unlock_with_management_key_algorithm, and expose default management key algorithm detection.
  • Add a new KeyType implementation layer (keytype.rs) and update examples/bench to the new APIs (including a new CSR example).

Reviewed changes

Copilot reviewed 10 out of 12 changed files in this pull request and generated 7 comments.

Show a summary per file
File Description
src/yubikey/piv/mod.rs Exposes new keytype module and re-exports types/enums for callers.
src/yubikey/piv/management.rs Updates PIV management/signing/provisioning logic to new yubikey/x509-cert APIs; adds management key algorithm support.
src/yubikey/piv/keytype.rs Introduces KeyType impls and supporting signature/key wrappers for P-256/P-384.
src/fido/generate/ctap2_hid.rs Adapts to updated attestation flag field layout.
examples/yk-provision.rs Adds CLI support for explicit management key algorithm and updated provisioning methods.
examples/yk-generate-csr.rs New example for CSR generation and signature verification.
examples/sign-cert-with-yubikey.rs Adds PIN/mgmt key CLI options and unlock path before signing.
benches/certs_per_second.rs Updates imports to match the new yubikey APIs.
Cargo.toml Version bump + dependency/feature updates for yubikey 0.9 pre and related crates.
Cargo.lock Adds lockfile content corresponding to the dependency updates.
.gitignore Stops ignoring Cargo.lock.
.github/workflows/rust.yml Adjusts PR workflow trigger scope/formatting.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/rust.yml
Comment thread src/yubikey/piv/management.rs Outdated
Comment thread src/yubikey/piv/management.rs
Comment thread src/yubikey/piv/management.rs Outdated
Comment thread src/yubikey/piv/management.rs
Comment thread src/yubikey/piv/management.rs
Comment thread src/yubikey/piv/management.rs
@timweri timweri requested a review from Copilot April 30, 2026 21:12
@obelisk obelisk merged commit bc18692 into main Apr 30, 2026
8 checks passed
Copilot AI reviewed Apr 30, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the YubiKey PIV integration to support newer YubiKey firmware defaults (AES management keys) by detecting/overriding the management key algorithm, and adapts the code to newer yubikey crate APIs.

Changes:

  • Bump YubiKey/RustCrypto-related dependencies and wire in new PIV certificate/key handling (yubikey 0.9 pre).
  • Add ManagementKeyAlgorithm + unlock_with_management_key_algorithm and update examples to accept --mgmkey-alg.
  • Introduce a KeyType implementation module and adjust provisioning/CSR generation accordingly.

Reviewed changes

Copilot reviewed 10 out of 12 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
src/yubikey/piv/mod.rs Exposes new keytype module and additional error variants / re-exports.
src/yubikey/piv/management.rs Core PIV API changes: management key algorithm handling, CSR generation updates, provisioning refactor.
src/yubikey/piv/keytype.rs New KeyType implementations for P-256/P-384 to support YubiKey certificate signing integration.
src/fido/generate/ctap2_hid.rs Updates to new CTAP2 attestation flag field layout.
examples/yk-provision.rs Adds CLI option for management key algorithm and switches provisioning calls to curve-specific helpers.
examples/yk-generate-csr.rs New example for generating/verifying a CSR using a YubiKey-backed key.
examples/sign-cert-with-yubikey.rs Adds PIN/mgmt key CLI args and optional management key algorithm selection for signing flow.
benches/certs_per_second.rs Adjusts imports for updated YubiKey module layout.
Cargo.toml Dependency/feature updates for new YubiKey + RustCrypto ecosystem crates.
Cargo.lock New lockfile committed to repo.
.gitignore Stops ignoring Cargo.lock so it can be checked in.
.github/workflows/rust.yml Small workflow trigger/formatting adjustment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/yubikey/piv/management.rs
Comment on lines +54 to +55
let mut yk = super::Yubikey::open(serial)
.map_err(|e| Error::InternalYubiKeyError(e.to_string()))?;
Comment thread src/yubikey/piv/management.rs
Comment on lines +294 to +296
SerialNumber::new(&[0; 20]).unwrap(),
Validity::from_now(std::time::Duration::new(3600 * 24 * 3650, 0)).unwrap(),
Name::from_str(&format!("CN={}", common_name)).unwrap(),
Comment thread src/yubikey/piv/management.rs
Ok(_) => (AlgorithmId::Rsa2048, &digest::SHA256), // RSAish
Err(_) => return Err(Error::Unprovisioned),
let cert = self.configured(&slot)
.map_err(|e| Error::InternalYubiKeyError(format!("failed to read certificate for CSR generation: {}", e)))?;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@obelisk obelisk obelisk approved these changes

Assignees

No one assigned

Labels

breaking

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@timweri @obelisk