Joost van Dijk joostd

  • Utrecht, the Netherlands
@joostd
joostd / register.py
Last active January 23, 2026 12:09
Tap and go with a FIDO security key
"""
Register a resident FIDO credential, using USB
Insert a FIDO2 security key in a USB port, and run with:
ykman script register.py
"""
from fido2.hid import CtapHidDevice
from fido2.ctap2 import Ctap2, ClientPin
from fido2.utils import sha256, hmac_sha256
from secrets import token_bytes
@joostd
joostd / Dockerfile
Created June 26, 2025 14:06
Use OpenSSL with YubiHSM2 via pkcs11-provider
FROM ubuntu:24.04
USER root
ENV YUBIHSM_PKCS11_CONF="/opt/yubihsm.conf"
WORKDIR /opt
COPY <<EOF yubihsm.conf
connector=http://host.docker.internal:12345
EOF
COPY <<EOF openssl.conf
HOME = .
openssl_conf = openssl_init
@joostd
joostd / YubiHSM2-pesign.md
Created March 7, 2023 18:04
Signing EFI images with keys generated on a YubiHSM 2 device

Using an Ubuntu VM, with the YubiHSM connector running on the SSH client and reverse-tunneled into the VM over SSH (inside the VM the connector is then reachable at http://localhost:12345):

$ ssh -i key.pem ubuntu@jammy -R 12345:localhost:12345
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-1031-aws x86_64)
...
@joostd
joostd / yubikey-sign-jwt.sh
Last active May 26, 2025 10:39
Sign a JWT using a key generated on a YubiKey
#!/bin/bash
# step 1 - generate a new key pair on a YubiKey
yubico-piv-tool -a generate -s 9c -A ECCP256 -o pub.pem
# step 2 - generate data to be signed
jo iss=issuer aud=audience > payload.json
jo alg=ES256 typ=JWT > header.json
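The rest of that script is not shown on this page. As an added example (my code, not the gist's continuation), the stdlib-only Python below covers the two parts of an ES256 JWT that the YubiKey does not do for you: producing the exact bytes the token must sign (SHA-256 of the base64url header, a dot, and the base64url payload), and converting the DER-encoded ECDSA signature the key returns (through its PKCS#11 module or OpenSSL) into the fixed-width r||s form that JWS requires. The sample DER signature is constructed to exercise the two encoding traps (a leading 0x00 sign byte on r, a short s) and does not come from a real key.

```python
"""
Build the JWS signing input for an ES256 JWT and convert a DER ECDSA
signature (as returned by a YubiKey via PKCS#11/OpenSSL) to JOSE r||s.
Added example; assumes the caller obtains the signature from the token.
"""
import base64
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWS requires (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def signing_input(header: dict, payload: dict) -> bytes:
    """ASCII(BASE64URL(header) || '.' || BASE64URL(payload)).

    The token signs SHA-256 of exactly these bytes. Compact JSON keeps the
    encoding stable: any whitespace change changes the signing input.
    """
    h = b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    p = b64url(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    return f"{h}.{p}".encode("ascii")


def _read_tlv(buf: bytes, offset: int, tag: int):
    """Read one DER TLV with the expected tag; return (value, next_offset)."""
    if offset + 1 >= len(buf) or buf[offset] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {offset}")
    offset += 1
    length = buf[offset]
    offset += 1
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[offset:offset + n], "big")
        offset += n
    end = offset + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return buf[offset:end], end


def der_to_jose(der: bytes, coord_len: int = 32) -> bytes:
    """ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER } -> r || s.

    JWS ES256 wants each of r and s as exactly 32 big-endian bytes
    (RFC 7518 section 3.4); use coord_len=48 for ES384. DER INTEGERs are
    minimal two's complement, so they may carry an extra 0x00 sign byte
    (top bit set) or be shorter than the curve size (leading zero bytes
    dropped). Both must be undone here.
    """
    body, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    r, pos = _read_tlv(body, 0, 0x02)
    s, pos = _read_tlv(body, pos, 0x02)
    if pos != len(body):
        raise ValueError("unexpected data after s")
    out = b""
    for v in (r, s):
        v = v.lstrip(b"\x00")          # drop DER's sign byte
        if len(v) > coord_len:
            raise ValueError("integer wider than the curve order")
        out += v.rjust(coord_len, b"\x00")  # restore fixed width
    return out


def compact_jws(header: dict, payload: dict, der_signature: bytes) -> str:
    """Assemble header.payload.signature from the token's DER signature."""
    inp = signing_input(header, payload)
    return inp.decode("ascii") + "." + b64url(der_to_jose(der_signature))


# Constructed sample (not from a real key): r carries DER's 0x00 sign byte
# because its top bit is set; s is only 31 bytes because its leading byte
# happened to be zero. Naive "take the bytes as they are" code fails both.
SAMPLE_R = b"\x00" + b"\xff" * 32
SAMPLE_S = b"\x01" * 31
SAMPLE_DER = b"\x30\x44" + b"\x02\x21" + SAMPLE_R + b"\x02\x1f" + SAMPLE_S

if __name__ == "__main__":
    hdr = {"alg": "ES256", "typ": "JWT"}
    pl = {"iss": "issuer", "aud": "audience"}
    print("have the YubiKey sign SHA-256 of:", signing_input(hdr, pl).decode())
    print("JWT:", compact_jws(hdr, pl, SAMPLE_DER))
```

Feed `signing_input(...)` to the token's signing operation with SHA-256 and pass the DER result to `compact_jws`; if a verifier rejects the token with a signature-length error, the DER-to-r||s step is almost always what was skipped.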
@joostd
joostd / Dockerfile
Last active March 1, 2025 23:07
Demo for using a FIDO security key and ssh-agent to provide a form of SSH single sign-on (SSO), but require the security key to be inserted when signing in.
FROM ubuntu:22.04
ARG user
RUN apt-get update && apt-get install -y openssh-server
RUN mkdir /var/run/sshd
EXPOSE 22
RUN useradd -ms /bin/bash "$user"
COPY id_userca.pub /etc/ssh/user_ca.pub
RUN echo "TrustedUserCAKeys /etc/ssh/user_ca.pub" >> /etc/ssh/sshd_config
CMD ["/usr/sbin/sshd", "-D"]
@joostd
joostd / check-yhsm-csr-attestation.sh
Last active January 29, 2025 12:25
Check if a YubiHSM 2 FIPS key attestation and CSR meet CA/B forum requirements for code signing
#!/bin/bash
# extend PATH with location of yubihsm-parse-attestation tool
PATH=$PATH:~/go/bin
# check for installed tools
command -v curl >/dev/null 2>&1 \
|| { echo >&2 "please install curl - see https://github.com/curl/curl"; exit 1; }
command -v openssl >/dev/null 2>&1 \
|| { echo >&2 "please install openssl - see https://github.com/openssl/openssl"; exit 1; }
@joostd
joostd / gencsr.sh
Created January 16, 2025 13:33
Generate a CSR for an asymmetric key stored in a YubiHSM 2 with OpenSSL and yubihsm-shell
#!/bin/bash
# Generate a Certificate Signing Request (CSR) for an asymmetric key stored in a YubiHSM 2
# Usage:
# ./gencsr.sh <id> <cn>
#
# where <id> is the object ID of the asymmetric key,
# and <cn> is the Common Name of the subject DN in the generated CSR.
@joostd
joostd / ykcs11_generate_rsa.c
Last active November 13, 2024 21:28
Generate an RSA key in slot 9a of a YubiKey using YKCS11
#include <assert.h>
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pkcs11y.h>
/*
* Generate an RSA key in slot 9a of a YubiKey
@joostd
joostd / check_yubihsm_attestation.py
Last active November 12, 2024 08:43
Python 3.10+ script that shows attributes from a YubiHSM2 attestation certificate
#!/usr/bin/env python3
# NOTE:
# requires cryptography (pip install cryptography)
from cryptography import x509
from cryptography.hazmat.backends import default_backend
import sys
# NOTE: uses PEP 634: Structural Pattern Matching
@joostd
joostd / recoverRSA.py
Last active September 6, 2024 10:04
Recover RSA key from modulus and private exponent
# recover RSA private key file using public key (n,e) and private exponent d
# python recover.py | openssl asn1parse -genconf - -out key.der
from math import gcd
# example Private-Key (512 bit, 2 primes)
modulus=0x00bacb716af4a701ea525c1fc45c7798598a966432a44a347d53054c691bd5a7c60fe717b5f55de46ea8afd1525a4b08b098b7eb0f51d58daf690ae85fcb9254b9
publicExponent=0x10001
privateExponent=0x217051f9679a8e09387d2d62a57af356f42c3ffba0d577d80788a74919a681c5f02b3e8422e79737fd9aff15046a91509788023aad60c39492ceddb301f0bcd1
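As an added worked example (my code, not the gist's continuation), the Python below carries the recovery through end to end: factor n from (n, e, d), derive the CRT parameters, check them by a CRT round trip, and emit the `asn1parse -genconf` input that the usage line above pipes into OpenSSL. The 512-bit constants are the gist's own values; the small primes in the self-check are constructed for the test.

```python
"""
Recover a full PKCS#1 RSAPrivateKey from (n, e, d) alone. Added example;
the 512-bit values are the ones shown on the page, everything else is
derived here.
"""
from math import gcd

# From the page's recoverRSA.py. int() ignores the DER sign byte 0x00.
PAGE_N = 0x00bacb716af4a701ea525c1fc45c7798598a966432a44a347d53054c691bd5a7c60fe717b5f55de46ea8afd1525a4b08b098b7eb0f51d58daf690ae85fcb9254b9
PAGE_E = 0x10001
PAGE_D = 0x217051f9679a8e09387d2d62a57af356f42c3ffba0d577d80788a74919a681c5f02b3e8422e79737fd9aff15046a91509788023aad60c39492ceddb301f0bcd1


def factor_from_private_exponent(n: int, e: int, d: int):
    """Return (p, q), p < q, with p*q == n, given a valid private exponent.

    e*d - 1 is a multiple of lambda(n), so g^(e*d-1) == 1 (mod n) for any g
    coprime to n. Write e*d - 1 = 2^t * r and walk g^r, g^(2r), g^(4r), ...
    The first element whose square is 1 but which is not +-1 is a
    non-trivial square root of 1 mod n, and gcd(x - 1, n) splits n.
    At least half of all g succeed, so a short deterministic sweep is enough.
    """
    k = e * d - 1
    if k <= 0 or k % 2:
        raise ValueError("e*d - 1 must be a positive even number")
    t = 0
    while k % 2 == 0:
        k //= 2
        t += 1
    r = k
    for g in range(2, 2000):
        p = gcd(g, n)
        if 1 < p < n:                 # g itself shares a factor with n
            return min(p, n // p), max(p, n // p)
        x = pow(g, r, n)
        if x in (1, n - 1):
            continue
        for _ in range(t):
            y = pow(x, 2, n)
            if y == 1:                # x^2 == 1 and x != +-1
                p = gcd(x - 1, n)
                return min(p, n // p), max(p, n // p)
            if y == n - 1:            # chain reached -1: this g is useless
                break
            x = y
    raise ValueError("failed to factor n: (n, e, d) are probably not one key")


def crt_parameters(n: int, e: int, d: int, p: int, q: int) -> dict:
    """All RSAPrivateKey fields (RFC 8017 A.1.2), with consistency checks."""
    if p * q != n:
        raise ValueError("p*q != n")
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if (e * d - 1) % lam != 0:
        raise ValueError("d is not the inverse of e modulo lambda(n)")
    return {"n": n, "e": e, "d": d, "p": p, "q": q,
            "exp1": d % (p - 1), "exp2": d % (q - 1), "coeff": pow(q, -1, p)}


def crt_decrypt(key: dict, c: int) -> int:
    """Garner's recombination; used here to prove the CRT fields are right."""
    m1 = pow(c, key["exp1"], key["p"])
    m2 = pow(c, key["exp2"], key["q"])
    h = (key["coeff"] * (m1 - m2)) % key["p"]
    return m2 + h * key["q"]


def asn1_genconf(key: dict) -> str:
    """Input for `openssl asn1parse -genconf - -out key.der`.

    Afterwards `openssl rsa -inform DER -in key.der -check` validates the
    result. OpenSSL accepts 0x-prefixed hex for INTEGER values.
    """
    lines = ["asn1=SEQUENCE:rsa_private_key", "", "[rsa_private_key]",
             "version=INTEGER:0"]
    for name in ("n", "e", "d", "p", "q", "exp1", "exp2", "coeff"):
        lines.append(f"{name}=INTEGER:0x{key[name]:x}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    p, q = factor_from_private_exponent(PAGE_N, PAGE_E, PAGE_D)
    key = crt_parameters(PAGE_N, PAGE_E, PAGE_D, p, q)
    assert crt_decrypt(key, pow(42, PAGE_E, PAGE_N)) == 42
    print(asn1_genconf(key), end="")
```

Run it as `python recover.py | openssl asn1parse -genconf - -out key.der`, exactly as the gist's usage line says; the only difference from the gist is that the factoring step is spelled out rather than elided.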