Add initial gpg support #140
Conversation
This is very useful to see what APDUs are being sent to a card.
This allows the card to be used in PIV mode or in PGP mode. The Yubico cards can store PGP private keys and use them to sign/encrypt/decrypt data. These changes add support for the OpenPGP specification APDU APIs for PGP support.
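The description above is about driving the card at the APDU level and selecting either the PIV or the OpenPGP applet. The following is an added example written for this page, not code from piv-go or from this PR: it encodes short-form ISO 7816-4 command APDUs (SELECT by AID and GET DATA), splits a response into body and status word, and maps the status words a caller has to branch on (PIN required, blocked, applet absent, `63 Cx` retry counters). The PIV AID is the one from NIST SP 800-73-4 and the OpenPGP AID prefix is from the OpenPGP card specification; the choice to send `Le = 00` on SELECT and GET DATA, and the response bytes used in `main`, are assumptions made for the example.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
)

// APDU is a short-form ISO 7816-4 command APDU: CLA INS P1 P2 [Lc Data] [Le].
type APDU struct {
	CLA, INS, P1, P2 byte
	Data             []byte
	Le               *byte // nil: no Le field; 0x00: expect up to 256 bytes back
}

// Encode serialises the command; the short form limits Lc to 255 bytes.
func (a APDU) Encode() ([]byte, error) {
	if len(a.Data) > 255 {
		return nil, errors.New("short APDU: data exceeds 255 bytes")
	}
	out := []byte{a.CLA, a.INS, a.P1, a.P2}
	if len(a.Data) > 0 {
		out = append(out, byte(len(a.Data)))
		out = append(out, a.Data...)
	}
	if a.Le != nil {
		out = append(out, *a.Le)
	}
	return out, nil
}

// Application identifiers sent in SELECT. AIDPIV is from NIST SP 800-73-4;
// AIDOpenPGP is the RID+PIX prefix from the OpenPGP card specification.
var (
	AIDPIV     = []byte{0xA0, 0x00, 0x00, 0x03, 0x08}
	AIDOpenPGP = []byte{0xD2, 0x76, 0x00, 0x01, 0x24, 0x01}
)

// SelectApplet builds SELECT (INS A4, P1 04 = select by DF name).
// Le = 00 is an assumption: it asks the card to return any FCI it has.
func SelectApplet(aid []byte) APDU {
	le := byte(0x00)
	return APDU{CLA: 0x00, INS: 0xA4, P1: 0x04, P2: 0x00, Data: aid, Le: &le}
}

// GetData builds GET DATA (INS CA) for a two-byte tag; tag 0x004F is the
// application identifier data object on an OpenPGP card.
func GetData(tag uint16) APDU {
	le := byte(0x00)
	return APDU{CLA: 0x00, INS: 0xCA, P1: byte(tag >> 8), P2: byte(tag), Le: &le}
}

// Response is a response APDU split into body and status word SW1 SW2.
type Response struct {
	Data     []byte
	SW1, SW2 byte
}

// ParseResponse rejects anything shorter than the two status bytes.
func ParseResponse(b []byte) (Response, error) {
	if len(b) < 2 {
		return Response{}, errors.New("response shorter than status word")
	}
	n := len(b) - 2
	return Response{Data: b[:n], SW1: b[n], SW2: b[n+1]}, nil
}

// OK reports success (SW 9000).
func (r Response) OK() bool { return r.SW1 == 0x90 && r.SW2 == 0x00 }

// Describe translates the status words a caller most often has to branch on.
func (r Response) Describe() string {
	if r.SW1 == 0x63 && r.SW2&0xF0 == 0xC0 {
		return fmt.Sprintf("%d retries remaining", r.SW2&0x0F)
	}
	switch uint16(r.SW1)<<8 | uint16(r.SW2) {
	case 0x9000:
		return "ok"
	case 0x6982:
		return "security status not satisfied (verify PIN first)"
	case 0x6983:
		return "authentication method blocked"
	case 0x6A82:
		return "application or file not found"
	case 0x6A86:
		return "incorrect P1/P2"
	}
	return fmt.Sprintf("unknown status %02X%02X", r.SW1, r.SW2)
}

func main() {
	for name, aid := range map[string][]byte{"PIV": AIDPIV, "OpenPGP": AIDOpenPGP} {
		b, _ := SelectApplet(aid).Encode()
		fmt.Printf("SELECT %-7s -> %s\n", name, hex.EncodeToString(b))
	}
	// Constructed response: a card without the OpenPGP applet answers 6A82.
	r, _ := ParseResponse([]byte{0x6A, 0x82})
	fmt.Println("status:", r.Describe(), "ok:", r.OK())
}
```

The `Describe` mapping is where a PIV-or-OpenPGP client diverges in practice: a `6982` after a signing or decrypt command means the PIN has not been verified for that operation, a `63 Cx` after VERIFY tells you how many attempts remain before the slot locks, and a `6A82` on SELECT is how you detect that the applet you want is simply not present on the card.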
… understanding what the code is doing
Update with documentation and links to the OpenPGP and NIST Standards. Add the ability to get the OpenPGP attestation cert from the yubikey
Add clean target to Makefile
go build ./... | ||
|
||
.PHONY: clean | ||
clean: | ||
go clean ./... |
These are in #139, and should be dropped from this PR in cleanup
module github.com/go-piv/piv-go | ||
|
||
go 1.16 |
These are in #139, and should be dropped from this PR in cleanup
docs/NIST.SP.800-73-4.pdf
@ericchiang let me know how you feel about storing the PDFs with the code.
I can remove them if you would prefer; I found it easier to store them with the code.
Needs some cleanup and need to check on the whole pcsc interface
Thanks, but I'm going to preemptively say there's no way this package will ever support GPG/PGP. A large motivating factor for this project was leveraging more reasonable signing primitives on Yubikeys. See: https://blog.gtank.cc/modern-alternatives-to-pgp/. I definitely do not want to carry any code for the PGP app, and that's beyond the scope of piv-go. In the future, it may be better to reach out to a maintainer before sending a large PR like this? Closing, since yeah... I don't see this as compatible with this project. You may want to fork if this is something you're looking to publish.
That’s fine, I’ll separate out all the parts that allow me to use PGP support without rewriting the entire library to talk to the cards. piv-go has all of the APDU primitives. My issue is key size: I have constraints that require a 4096-bit key that the cards only support via PGP.
I need 4096-bit hardware-backed keys. I use S/MIME for email, and something else for signing commits (except on GitHub because reasons).
Sure, I just want to make clear that "I definitely do not want to carry any code for the PGP app" also applies to internal refactors for this kind of thing (I don't have unlimited review time for OSS). If you need to use or modify the smartcard code, please fork it.
That’s perfectly reasonable. I’ll make this into a fork; I already have one.
This PR adds support to use a Yubikey for GPG encryption and decryption.
There are still some large changes to be made based on the feedback in #138 and #137.
Once those are resolved, this code will be updated to reflect those.