From 5ddfedf24adbfa677454bee87e4d60207d368a73 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Wed, 6 Aug 2025 19:49:28 +0200 Subject: scd:openpgp: Support Yubikey attestion generation. * scd/app-openpgp.c (data_objects): Add more v3 DOs. (do_setattr): New name GEN-ATTST as pseudo attribute to generate a Yubikey attestation certificate. -- Alhough this command seems to work, I am only able to get the OPENPGP.3 cert back. This might be related to the bug described in the commit 37b1c5c2004c1147a13b388863aaa8f0caf7d71f which implemented the select data functionality and showed that it did not work on a Yubikey. This time the test target was a Yubikey 5.4.3. --- scd/app-openpgp.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 48 insertions(+), 1 deletion(-) (limited to 'scd') diff --git a/scd/app-openpgp.c b/scd/app-openpgp.c index 888e23739..4df88694f 100644 --- a/scd/app-openpgp.c +++ b/scd/app-openpgp.c @@ -40,6 +40,19 @@ that error counter is set to 0. After setting the RC the error counter will be initialized to 3. + OPGP Attestation on Yubikeys: + @@ -119,8 +132,16 @@ static struct { { 0x00D6, 0, 0x6E, 1, 0, 0, 0, 0, "UIF for Signature"}, { 0x00D7, 0, 0x6E, 1, 0, 0, 0, 0, "UIF for Decryption"}, { 0x00D8, 0, 0x6E, 1, 0, 0, 0, 0, "UIF for Authentication"}, + { 0x00D9, 0, 0x6E, 1, 0, 0, 0, 0, "UIF for Attestation"}, + { 0x00DA, 0, 0x6E, 1, 0, 0, 0, 0, "Algorithm Attributes Attestation"}, + { 0x00DB, 0, 0x6E, 1, 0, 0, 0, 0, "Key Fingerprint Attestation"}, + { 0x00DC, 0, 0x6E, 1, 0, 0, 0, 0, "CA Fingerprint Attestation"}, + { 0x00DA, 0, 0x6E, 1, 0, 0, 0, 0, "Key Generation Date Attestation"}, + { 0x00DE, 1, 0, 1, 0, 0, 0, 0, "Key information" }, { 0x00F9, 1, 0, 1, 0, 0, 0, 0, "KDF data object"}, { 0x00FA, 1, 0, 1, 0, 0, 0, 2, "Algorithm Information"}, + { 0x00FB, 1, 0, 1, 0, 0, 0, 2, "Secure Messaging Certificate"}, + { 0x00FC, 1, 0, 1, 0, 0, 0, 2, "Attestation Certificate"}, { 0 } }; @@ -3077,6 +3098,7 @@ do_setattr (app_t app, ctrl_t ctrl, const char *name, { "UIF-2", 0x00D7, 0, 3, 5, 1 }, { "UIF-3", 0x00D8, 0, 3, 5, 1 }, { "KDF", 0x00F9, 0, 0, 4, 1 }, + { "GEN-ATTST", 0, 0, 3,21, 1 }, /* Yubikey specific */ { NULL, 0 } }; int exmode; @@ -3125,7 +3147,7 @@ do_setattr (app_t app, ctrl_t ctrl, const char *name, else exmode = 0; - if (table[idx].special == 4) + if (table[idx].special == 4) /* KDF */ { if (APP_CARD(app)->cardtype == CARDTYPE_YUBIKEY || APP_CARD(app)->cardtype == CARDTYPE_GNUK) @@ -3227,6 +3249,31 @@ do_setattr (app_t app, ctrl_t ctrl, const char *name, iso7816_select_data (app_get_slot (app), 0, table[idx].tag); } } + else if (table[idx].special == 21) + { + /* Generate attestation. This will write the attestation to the + * respective cert slot and thus delete an existsing certificate + * stored there. The expected value is "OPENPGP.". The APDU + * is: CLA=0x80, INS=0xFB, P1=1 (SIG) or 2 (DEC) or 3 (AUT), + * P2=0x00, Lc=0x00, Data=None, Le=0x00 + */ + unsigned char apdu[5]; + + apdu[0] = 0x80; + apdu[1] = 0xfb; + if (!ascii_strncasecmp (value, "OPENPGP.1", valuelen)) + apdu[2] = 0x01; + else if (!ascii_strncasecmp (value, "OPENPGP.2", valuelen)) + apdu[2] = 0x02; + else if (!ascii_strncasecmp (value, "OPENPGP.3", valuelen)) + apdu[2] = 0x03; + else + return gpg_error (GPG_ERR_INV_ID); + apdu[3] = 0; + + rc = iso7816_apdu_direct (app_get_slot (app), apdu, 4, 0, + NULL, NULL, NULL); + } else /* Standard. */ rc = iso7816_put_data (app_get_slot (app), exmode, table[idx].tag, value, valuelen); -- cgit v1.2.3