diff --git a/v2/piv/certs/gen.sh b/v2/piv/certs/gen.sh
new file mode 100755
index 0000000..04bc2c3
--- /dev/null
+++ b/v2/piv/certs/gen.sh
@@ -0,0 +1,7 @@
+#!/bin/bash -e
+
+rm -f *.pem
+curl -O https://developers.yubico.com/PKI/yubico-ca-certs.txt
+curl -O https://developers.yubico.com/PKI/yubico-ca-1.pem
+curl -O https://developers.yubico.com/PKI/yubico-intermediate.pem
+echo "Timestamp: $( date -u )" > metadata.txt
diff --git a/v2/piv/certs/metadata.txt b/v2/piv/certs/metadata.txt
new file mode 100644
index 0000000..3286699
--- /dev/null
+++ b/v2/piv/certs/metadata.txt
@@ -0,0 +1 @@
+Timestamp: Fri Jun 20 19:56:19 UTC 2025
diff --git a/v2/piv/certs/yubico-ca-1.pem b/v2/piv/certs/yubico-ca-1.pem
new file mode 100644
index 0000000..2a54d51
--- /dev/null
+++ b/v2/piv/certs/yubico-ca-1.pem
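Review bot: gen.sh fetches the trust anchors that key.go later embeds (`certs/yubico-ca-1.pem`, `certs/yubico-intermediate.pem`) with plain `curl -O` and no integrity check, although the bundle it downloads alongside them, yubico-ca-certs.txt, states that it is OpenPGP-signed and that the signature at `yubico-ca-certs.txt.sig` should be verified before the content is trusted. A transient HTTP error is not caught either: without `-f`/`--fail`, curl writes the error body into the .pem file and exits 0, so `bash -e` does not stop the script and a non-PEM file gets committed as a root. Suggested: `curl -fO https://developers.yubico.com/PKI/yubico-ca-certs.txt.sig` after the bundle download, `gpg --verify yubico-ca-certs.txt.sig yubico-ca-certs.txt` with a signing key obtained per the Software_Signing page the bundle references, and `-f` on every curl call. Since the two .pem files carry no signature of their own, the script should at least check that the certificate in yubico-ca-1.pem appears verbatim in the verified bundle (on this page it matches the bundle's last entry) before the files are committed.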
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDPjCCAiagAwIBAgIUXzeiEDJEOTt14F5n0o6Zf/bBwiUwDQYJKoZIhvcNAQEN +BQAwJDEiMCAGA1UEAwwZWXViaWNvIEF0dGVzdGF0aW9uIFJvb3QgMTAgFw0yNDEy +MDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowJDEiMCAGA1UEAwwZWXViaWNvIEF0 +dGVzdGF0aW9uIFJvb3QgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AMZ6/TxM8rIT+EaoPvG81ontMOo/2mQ2RBwJHS0QZcxVaNXvl12LUhBZ5LmiBScI +Zd1Rnx1od585h+/dhK7hEm7JAALkKKts1fO53KGNLZujz5h3wGncr4hyKF0G74b/ +U3K9hE5mGND6zqYchCRAHfrYMYRDF4YL0X4D5nGdxvppAy6nkEmtWmMnwO3i0TAu +csrbE485HvGM4r0VpgVdJpvgQjiTJCTIq+D35hwtT8QDIv+nGvpcyi5wcIfCkzyC +imJukhYy6KoqNMKQEdpNiSOvWyDMTMt1bwCvEzpw91u+msUt4rj0efnO9s0ZOwdw +MRDnH4xgUl5ZLwrrPkfC1/0CAwEAAaNmMGQwHQYDVR0OBBYEFNLu71oijTptXCOX +PfKF1SbxJXuSMB8GA1UdIwQYMBaAFNLu71oijTptXCOXPfKF1SbxJXuSMBIGA1Ud +EwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBDQUAA4IB +AQC3IW/sgB9pZ8apJNjxuGoX+FkILks0wMNrdXL/coUvsrhzsvl6mePMrbGJByJ1 +XnquB5sgcRENFxdQFma3mio8Upf1owM1ZreXrJ0mADG2BplqbJnxiyYa+R11reIF +TWeIhMNcZKsDZrFAyPuFjCWSQvJmNWe9mFRYFgNhXJKkXIb5H1XgEDlwiedYRM7V +olBNlld6pRFKlX8ust6OTMOeADl2xNF0m1LThSdeuXvDyC1g9+ILfz3S6OIYgc3i +roRcFD354g7rKfu67qFAw9gC4yi0xBTPrY95rh4/HqaUYCA/L8ldRk6H7Xk35D+W +Vpmq2Sh/xT5HiFuhf4wJb0bK +-----END CERTIFICATE----- diff --git a/v2/piv/certs/yubico-ca-certs.txt b/v2/piv/certs/yubico-ca-certs.txt new file mode 100644 index 0000000..654e73c --- /dev/null +++ b/v2/piv/certs/yubico-ca-certs.txt 
@@ -0,0 +1,189 @@ +Yubico Device Attestation CA +============================ + +Last Update: 2025-02-03 + +Yubico manufactures security keys that contain device attestation +certificates signed by a Yubico CA. This file contains the CA +certificates that Relying Parties (RP) need to configure their software +with in order to verify FIDO2, U2F, OpenPGP, PIV and Secure Domain +attestation certificates of Yubico devices. + +This file has been signed with OpenPGP and you should verify the +signature and the authenticity of the public key before trusting the +content. The signature is located next to the file: + + https://developers.yubico.com/PKI/yubico-ca-certs.txt + https://developers.yubico.com/PKI/yubico-ca-certs.txt.sig + +Signing keys and verification instructions are listed here: + + https://developers.yubico.com/Software_Projects/Software_Signing.html + +Each CA certificate in this file should, as required, be imported as a +trusted certificate into your certificate path verification routine. +Only one trusted certificate is needed for any one verification, but you +may safely import them all to cover all cases. + +Intermediate CA certificates are available in a separate file, with all +certificates concatenated. It does not have an OpenPGP signature since +each certificate is already signed by the issuing CA. 
The file should be +imported as an untrusted certificate store into your certificate path +verification routine: + + https://developers.yubico.com/PKI/yubico-intermediate.pem + +For example, use a command like the following to verify a YubiKey +attestation certificate in the file "yubikey-attestation.pem" using +OpenSSL: + + openssl verify -trusted yubico-fido-ca-1.pem + -trusted yubico-piv-ca-1.pem + -trusted yubico-opgp-ca-1.pem + -trusted yubico-fido-ca-2.pem + -trusted yubico-ca-1.pem + -untrusted 'https://developers.yubico.com/PKI/yubico-intermediate.pem' + yubikey-attestation.pem + +With OpenSSL you may also use this file directly as a source of trusted +certificates: + + openssl verify -trusted yubico-ca-certs.txt + -untrusted 'https://developers.yubico.com/PKI/yubico-intermediate.pem' + yubikey-attestation.pem + +We will update this file and the intermediate CAs file from time to time +when we publish more CA certificates. + + +Name: Yubico U2F Root CA Serial 457200631 +Issued: 2014-08-01 +Address: https://developers.yubico.com/PKI/yubico-fido-ca-1.pem + https://developers.yubico.com/PKI/yubico-fido-ca-1.pem.sig + +-----BEGIN CERTIFICATE----- +MIIDHjCCAgagAwIBAgIEG0BT9zANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNZ +dWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAw +MDBaGA8yMDUwMDkwNDAwMDAwMFowLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290 +IENBIFNlcmlhbCA0NTcyMDA2MzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC/jwYuhBVlqaiYWEMsrWFisgJ+PtM91eSrpI4TK7U53mwCIawSDHy8vUmk +5N2KAj9abvT9NP5SMS1hQi3usxoYGonXQgfO6ZXyUA9a+KAkqdFnBnlyugSeCOep +8EdZFfsaRFtMjkwz5Gcz2Py4vIYvCdMHPtwaz0bVuzneueIEz6TnQjE63Rdt2zbw +nebwTG5ZybeWSwbzy+BJ34ZHcUhPAY89yJQXuE0IzMZFcEBbPNRbWECRKgjq//qT +9nmDOFVlSRCt2wiqPSzluwn+v+suQEBsUjTGMEd25tKXXTkNW21wIWbxeSyUoTXw +LvGS6xlwQSgNpk2qXYwf8iXg7VWZAgMBAAGjQjBAMB0GA1UdDgQWBBQgIvz0bNGJ +hjgpToksyKpP9xv9oDAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAN +BgkqhkiG9w0BAQsFAAOCAQEAjvjuOMDSa+JXFCLyBKsycXtBVZsJ4Ue3LbaEsPY4 
+MYN/hIQ5ZM5p7EjfcnMG4CtYkNsfNHc0AhBLdq45rnT87q/6O3vUEtNMafbhU6kt +hX7Y+9XFN9NpmYxr+ekVY5xOxi8h9JDIgoMP4VB1uS0aunL1IGqrNooL9mmFnL2k +LVVee6/VR6C5+KSTCMCWppMuJIZII2v9o4dkoZ8Y7QRjQlLfYzd3qGtKbw7xaF1U +sG/5xUb/Btwb2X2g4InpiB/yt/3CpQXpiWX/K4mBvUKiGn05ZsqeY1gx4g0xLBqc +U9psmyPzK+Vsgw2jeRQ5JlKDyqE0hebfC1tvFu0CCrJFcw== +-----END CERTIFICATE----- + + +Name: Yubico PIV Root CA Serial 263751 +Issued: 2016-03-14 +Address: https://developers.yubico.com/PKI/yubico-piv-ca-1.pem + https://developers.yubico.com/PKI/yubico-piv-ca-1.pem.sig + +-----BEGIN CERTIFICATE----- +MIIDFzCCAf+gAwIBAgIDBAZHMA0GCSqGSIb3DQEBCwUAMCsxKTAnBgNVBAMMIFl1 +YmljbyBQSVYgUm9vdCBDQSBTZXJpYWwgMjYzNzUxMCAXDTE2MDMxNDAwMDAwMFoY +DzIwNTIwNDE3MDAwMDAwWjArMSkwJwYDVQQDDCBZdWJpY28gUElWIFJvb3QgQ0Eg +U2VyaWFsIDI2Mzc1MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMN2 +cMTNR6YCdcTFRxuPy31PabRn5m6pJ+nSE0HRWpoaM8fc8wHC+Tmb98jmNvhWNE2E +ilU85uYKfEFP9d6Q2GmytqBnxZsAa3KqZiCCx2LwQ4iYEOb1llgotVr/whEpdVOq +joU0P5e1j1y7OfwOvky/+AXIN/9Xp0VFlYRk2tQ9GcdYKDmqU+db9iKwpAzid4oH +BVLIhmD3pvkWaRA2H3DA9t7H/HNq5v3OiO1jyLZeKqZoMbPObrxqDg+9fOdShzgf +wCqgT3XVmTeiwvBSTctyi9mHQfYd2DwkaqxRnLbNVyK9zl+DzjSGp9IhVPiVtGet +X02dxhQnGS7K6BO0Qe8CAwEAAaNCMEAwHQYDVR0OBBYEFMpfyvLEojGc6SJf8ez0 +1d8Cv4O/MA8GA1UdEwQIMAYBAf8CAQEwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3 +DQEBCwUAA4IBAQBc7Ih8Bc1fkC+FyN1fhjWioBCMr3vjneh7MLbA6kSoyWF70N3s +XhbXvT4eRh0hvxqvMZNjPU/VlRn6gLVtoEikDLrYFXN6Hh6Wmyy1GTnspnOvMvz2 +lLKuym9KYdYLDgnj3BeAvzIhVzzYSeU77/Cupofj093OuAswW0jYvXsGTyix6B3d +bW5yWvyS9zNXaqGaUmP3U9/b6DlHdDogMLu3VLpBB9bm5bjaKWWJYgWltCVgUbFq +Fqyi4+JE014cSgR57Jcu3dZiehB6UtAPgad9L5cNvua/IWRmm+ANy3O2LH++Pyl8 +SREzU8onbBsjMg9QDiSf5oJLKvd/Ren+zGY7 +-----END CERTIFICATE----- + + +Name: Yubico OpenPGP Attestation CA +Issued: 2019-08-01 +Address: https://developers.yubico.com/PKI/yubico-opgp-ca-1.pem + https://developers.yubico.com/PKI/yubico-opgp-ca-1.pem.sig + +-----BEGIN CERTIFICATE----- +MIIDOTCCAiGgAwIBAgIJAN0XtOvBoi4ZMA0GCSqGSIb3DQEBCwUAMCgxJjAkBgNV 
+BAMMHVl1YmljbyBPcGVuUEdQIEF0dGVzdGF0aW9uIENBMB4XDTE5MDgwMTAwMDAw +MFoXDTQ2MTIxNzAwMDAwMFowKDEmMCQGA1UEAwwdWXViaWNvIE9wZW5QR1AgQXR0 +ZXN0YXRpb24gQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQClkKck ++NEH+iSVLjbOvvreMlvkK4DZ7aETLusDfkEDy5+cv8SHtKSVcYfKhkST1l/5kbyx +WAnxLRr+aYP52830qkDfYY1OE/IQG76BdWaGZJuMU4cdUPQR21Y7JB+ELHNMQHav +3CmregKVqIRB6vgwWq/6AM37VKqKNTsBUmrAyihX/vY/kS3L1cP/NCPhUC9Gqab2 +zohxXansjz92+4/dbN1cKDSGI8kVmoLpLbCf/CqGE4lWen0HxMCo/zIZo0nlGS7G +rEAqN+PRRwiemBZhwBzeYiCLkh7qaqO4O1eWCNLjkJeLwIZ/uyRTESbaFoXOxqFp +FjIyEjMYIdRXfaHVAgMBAAGjZjBkMB0GA1UdDgQWBBT7/MlvyfSnaal2RJH3cc8m +ZS4SSjAfBgNVHSMEGDAWgBT7/MlvyfSnaal2RJH3cc8mZS4SSjASBgNVHRMBAf8E +CDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAK+TP +HgYNIFTy+2PXpxmPVnNOcJRcVykAxaLJAAxey2BXy9xmU7lzHbl2x23Lw3kH7Crr +RqG67WGcwSZzvWWEcbq4zmX3vnu3FOFlqKFhU164tod4cXz1JGsTgfXaPRvoKJAo +XMotYH/u2UY/K8jmqycgEyHAFc9wx1v/q0H6p4WgbXLu2oBzRodHokgK/6EbIbR+ +Jok3xJ+5haGcMCCz2A8RBah4dxPDNeaz3tSkAjrtwLANV79hAZv2g9CZX6z0H2Zy +HhK6CLTg2MfwT0NxS3Am76k2opXSqbk8k5nnNFSYFuvgxunQxUOB+3M+gWHmVTh8 +7yaamyNndwmhhIAgeA== +-----END CERTIFICATE----- + + +Name: Yubico FIDO Root CA Serial 450203556 +Issued: 2024-05-01 +Address: https://developers.yubico.com/PKI/yubico-fido-ca-2.pem + https://developers.yubico.com/PKI/yubico-fido-ca-2.pem.sig + +-----BEGIN CERTIFICATE----- +MIIDMzCCAhugAwIBAgIUSOEjTf//yqRfPW7Qq8qtIyCrAg8wDQYJKoZIhvcNAQEL +BQAwLzEtMCsGA1UEAwwkWXViaWNvIEZJRE8gUm9vdCBDQSBTZXJpYWwgNDUwMjAz +NTU2MCAXDTI0MDUwMTAwMDAwMFoYDzIwNjAwNDMwMDAwMDAwWjAvMS0wKwYDVQQD +DCRZdWJpY28gRklETyBSb290IENBIFNlcmlhbCA0NTAyMDM1NTYwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCdvl27w2gu1fPXeEFbIdqx0BalvVDVWrQP +J7HqviuEtZHlxSLxSFtcXpTolvLvof8f4tMerQTkVGzcmYzm1EBT4IJuMmoEqfkE +EhWpsADMFrjZkqlZY9EqxQzLoVEEonE5oGxSdVCxCcLIackpyR/CCXvj1Bt/hTgE +9hTlF4pRqxMkx3plF7y8dDZlRHWs7vbnhmBCGeI0ZPEQ6nl2mCg2r74adF2u6K9r +rLfhBC3QLE8EPrgqUsI+hkuq2tK4M2SMOp8uUVVkqUeu3h0kr3WVI0W02pkgrOgi +FKLFNkSrbYhdjMBDj5izmqfc9xJRKoDX612qd8ZGVHpT5AYFX+1hAgMBAAGjRTBD 
+MB0GA1UdDgQWBBTZyU5DiQ/a2UEgE7qBK0zhIsRNRjASBgNVHRMBAf8ECDAGAQH/ +AgEAMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAXvnB4SLuUJfY +MSVGAhssL/SmWli3FSccgxydvKlACcidIIWKQqa3q/QSUEQzC9DgEfMgr7iC1BkT +ZbILboV6UZ5knNsvjEZWuMeogJ8tgZs1hVvKwZizwJ+mEcmsjhIrBYuoL1T6yrOJ +vKFg1jv+Cy4ZwA9Bpk/V3UOir1VyK8dCtyHu6vfosotAdYx8FAuR243gRTMV6Jx8 +Jdig2JDIAQMlzVeDpSUHX/K2HXRHxHwfgjbgUjjBu/72r8OfehyhzHXI3K8CFFdf +lO+8nEOJK3y8F1ivgS5uN/8SmcYw/STQYwhrxPuwz3nP8baMum4BB2nnYmpB60sX +3bl5k8QUSw== +-----END CERTIFICATE----- + + +Name: Yubico Attestation Root 1 +Issued: 2024-12-01 +Address: https://developers.yubico.com/PKI/yubico-ca-1.pem + https://developers.yubico.com/PKI/yubico-ca-1.pem.sig + +-----BEGIN CERTIFICATE----- +MIIDPjCCAiagAwIBAgIUXzeiEDJEOTt14F5n0o6Zf/bBwiUwDQYJKoZIhvcNAQEN +BQAwJDEiMCAGA1UEAwwZWXViaWNvIEF0dGVzdGF0aW9uIFJvb3QgMTAgFw0yNDEy +MDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowJDEiMCAGA1UEAwwZWXViaWNvIEF0 +dGVzdGF0aW9uIFJvb3QgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AMZ6/TxM8rIT+EaoPvG81ontMOo/2mQ2RBwJHS0QZcxVaNXvl12LUhBZ5LmiBScI +Zd1Rnx1od585h+/dhK7hEm7JAALkKKts1fO53KGNLZujz5h3wGncr4hyKF0G74b/ +U3K9hE5mGND6zqYchCRAHfrYMYRDF4YL0X4D5nGdxvppAy6nkEmtWmMnwO3i0TAu +csrbE485HvGM4r0VpgVdJpvgQjiTJCTIq+D35hwtT8QDIv+nGvpcyi5wcIfCkzyC +imJukhYy6KoqNMKQEdpNiSOvWyDMTMt1bwCvEzpw91u+msUt4rj0efnO9s0ZOwdw +MRDnH4xgUl5ZLwrrPkfC1/0CAwEAAaNmMGQwHQYDVR0OBBYEFNLu71oijTptXCOX +PfKF1SbxJXuSMB8GA1UdIwQYMBaAFNLu71oijTptXCOXPfKF1SbxJXuSMBIGA1Ud +EwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBDQUAA4IB +AQC3IW/sgB9pZ8apJNjxuGoX+FkILks0wMNrdXL/coUvsrhzsvl6mePMrbGJByJ1 +XnquB5sgcRENFxdQFma3mio8Upf1owM1ZreXrJ0mADG2BplqbJnxiyYa+R11reIF +TWeIhMNcZKsDZrFAyPuFjCWSQvJmNWe9mFRYFgNhXJKkXIb5H1XgEDlwiedYRM7V +olBNlld6pRFKlX8ust6OTMOeADl2xNF0m1LThSdeuXvDyC1g9+ILfz3S6OIYgc3i +roRcFD354g7rKfu67qFAw9gC4yi0xBTPrY95rh4/HqaUYCA/L8ldRk6H7Xk35D+W +Vpmq2Sh/xT5HiFuhf4wJb0bK +-----END CERTIFICATE----- 
diff --git a/v2/piv/certs/yubico-intermediate.pem b/v2/piv/certs/yubico-intermediate.pem
new file mode 100644
index 0000000..69d8a07
--- /dev/null
+++ b/v2/piv/certs/yubico-intermediate.pem
@@ -0,0 +1,202 @@ +-----BEGIN CERTIFICATE----- +MIIDSDCCAjCgAwIBAgIUUcmMXzRIFOgGTK0Tb3gEuZYZkBIwDQYJKoZIhvcNAQEL +BQAwJDEiMCAGA1UEAwwZWXViaWNvIEF0dGVzdGF0aW9uIFJvb3QgMTAgFw0yNDEy +MDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowLjEsMCoGA1UEAwwjWXViaWNvIEF0 +dGVzdGF0aW9uIEludGVybWVkaWF0ZSBBIDEwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQDm555bWY9WW+tOY0rIWHldh+aNanoCZCFh7Gk3YZrQmPUw0hkS +G6qYHQtP+fZyS33VErvg+BQqnmumgNhfxFrkwEZELeidBcC8C4Ag4nqqiPWpzsvI +17NcxYlInLNLFcZY/+gOiN6ZOTihO5/vBZMbj9riaAcqliYmNGJPgTcMGaEAyMzE +MNy2nm6Ep+pjP5aF6gi21t/UQFsuJ1j2Rj/ynM/SdRt+ecal5OYotxHkFbL9vvv2 +A2Ov5ITZClw4bOS9npypQimOZ5QAYytmYaQpWl/pMYz6zSj8RqkVDNEJGqNfTKA2 +ivLYwX6lSttMPapg0J84l9X0voVN/FpS4VCVAgMBAAGjZjBkMB0GA1UdDgQWBBQg +KFAhG6RaW+hTy52dxeT8bC96HzAfBgNVHSMEGDAWgBTS7u9aIo06bVwjlz3yhdUm +8SV7kjASBgNVHRMBAf8ECDAGAQH/AgECMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG +9w0BAQsFAAOCAQEAYMzgLrJLIr0OovQnAZrRIGuabiHSUKSmbLRWpRkWeAtsChDE +HpXcJ/bgDNKYWoHqQ8xRUjB4CyepYevc3YlrG8o7zHxpfVcaoL5SeuJkzHxKn4bT +aSp9+Mvwamnp64kZMiNbFLknfP9kYKoRHkMWheRJ1UsP1z4ScmkCeILfsMs6vqov +qjWClFsJpBcsluYHWF7bBJ1n4Rwg+ATEopY4IgGv6Zvwc+A9r+AT2hqpoSkYoAl+ +ANYwgslOf9sJe0V+TA9YY/UlaBmPPTd0//r9wvcePWZkPjKoAC/zUNhfDbh4LV8G +Hs3lyX2XomL/LNc8JYzyIaDEhGQveoPhh/tr1g== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDSDCCAjCgAwIBAgIUDqERw+4RnGSggxgUewJFEPDRZ3YwDQYJKoZIhvcNAQEL +BQAwJDEiMCAGA1UEAwwZWXViaWNvIEF0dGVzdGF0aW9uIFJvb3QgMTAgFw0yNDEy +MDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowLjEsMCoGA1UEAwwjWXViaWNvIEF0 +dGVzdGF0aW9uIEludGVybWVkaWF0ZSBCIDEwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQDI7XnH+ZvDwMCQU8M8ZeV5qscublvVYaaRt3Ybaxn9godLx5sw +H0lXrdgjh5h7FpVgCgYYX7E4bl1vbzULemrMWT8N3WMGUe8QAJbBeioV7W/E+hTZ +P/0SKJVa3ewKBo6ULeMnfQZDrVORAk8wTLq2v5Llj5vMj7JtOotKa9J7nHS8kLmz +XXSaj0SwEPh5OAZUTNV4zs1bvoTAQQWrL4/J9QuKt6WCFE5nUNiRQcEbVF8mlqK2 +bx2z6okVltyDVLCxYbpUTELvY1usR3DTGPUoIClOm4crpwnDRLVHvjYePGBB//pE +yzxA/gcScxjwaH1ZUw9bnSbHyurKqbTa1KvjAgMBAAGjZjBkMB0GA1UdDgQWBBTq +t0KQngx7ZHrbVHwDunxOn9ihYTAfBgNVHSMEGDAWgBTS7u9aIo06bVwjlz3yhdUm 
+8SV7kjASBgNVHRMBAf8ECDAGAQH/AgECMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG +9w0BAQsFAAOCAQEAqQaCWMxTGqVVX7Sk7kkJmUueTSYKuU6+KBBSgwIRnlw9K7He +1IpxZ0hdwpPNikKjmcyFgFPzhImwHJgxxuT90Pw3vYOdcJJNktDg35PXOfzSn15c +FAx1RO0mPTmIb8dXiEWOpzoXvdwXDM41ZaCDYMT7w4IQtMyvE7xUBZq2bjtAnq/N +DUA7be4H8H3ipC+/+NKlUrcUh+j48K67WI0u1m6FeQueBA7n06j825rqDqsaLs9T +b7KAHAw8PmrWaNPG2kjKerxPEfecivlFawp2RWZvxrVtn3TV2SBxyCJCkXsND05d +CErVHSJIs+BdtTVNY9AwtyPmnyb0v4mSTzvWdw== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDSjCCAjKgAwIBAgIUTnbbGIR2NHvzqIKFAeQwG1XBis0wDQYJKoZIhvcNAQEL +BQAwLjEsMCoGA1UEAwwjWXViaWNvIEF0dGVzdGF0aW9uIEludGVybWVkaWF0ZSBB +IDEwIBcNMjQxMjAxMDAwMDAwWhgPOTk5OTEyMzEyMzU5NTlaMCYxJDAiBgNVBAMM +G1l1YmljbyBGSURPIEF0dGVzdGF0aW9uIEEgMTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAOsXj3k04Ban4TYdtZKqD/OPJxyDyaPmCBUFUiaZIgTteZnj +3X25DhgpZZXsC4D0ydIcrlA6wNUInORL/L9zBbTEIMAVMGo6g7UKAmb2MF6AHbnh +YJd9eikupVNWShHNYNc4GBdO1YN6AfUqvJhHbe3V4SNMPmBREKJPVz7ThwgmggTe +8Ws2K0/wsqv2wSE7pbCBsUZhIX51bZM3pqDwJPTmRFEvt0/6tG5eO8F3j14OXqfE +hmjn1VvxKDYQOLZAxCwwgC0P4CdfWv3y8PSR8I354hO1Y+GzNjvIqX38NKLywuIY +HFerOxNlxEMBvFhYBuRuYAkkgUaPqN6UBhsILrsCAwEAAaNmMGQwHQYDVR0OBBYE +FCCoRHhiyNnbnXRWIL6ZBXoBX9YTMB8GA1UdIwQYMBaAFCAoUCEbpFpb6FPLnZ3F +5PxsL3ofMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMA0GCSqG +SIb3DQEBCwUAA4IBAQCQFafJI1/5Wg9CEEimE1RP54RgQwTNTOOQsLACTe+rItlF +QzC9ZDhrV828yX7jzy+AAsp3izK7T1th2dl7m+tu0sw2Pa/olc02nt6PyIw348ga +HzhI1+0KE45qxvFDeL2lMxbPfCYvyEEaYzjiQELU5951pXGWyKMa/4fLtO+ZKOXh +MuVeq4rXDPI54W6JHOiAaiKdiw+5e3c2kt/jFIQtM6vMXg9LNFzdjETNt20VX9Qe +vRpFZfucMG9wCaQDoFlPzpTMJKhPev/imJmZYhKfr0lLcemtqjIxLAoqZdOYfHBg +6+vAcdPI/iauGpUAv7X+UKNmDwjZ2BaH4sLwhB2m +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDSjCCAjKgAwIBAgIUR38mq26Sf2szVV2BdG6WEN7kuWUwDQYJKoZIhvcNAQEL +BQAwLjEsMCoGA1UEAwwjWXViaWNvIEF0dGVzdGF0aW9uIEludGVybWVkaWF0ZSBC +IDEwIBcNMjQxMjAxMDAwMDAwWhgPOTk5OTEyMzEyMzU5NTlaMCYxJDAiBgNVBAMM +G1l1YmljbyBGSURPIEF0dGVzdGF0aW9uIEIgMTCCASIwDQYJKoZIhvcNAQEBBQAD 
+ggEPADCCAQoCggEBANY0Wb9oPoRoKoQyWPaJpz11vrWTg6zTtmNj2VoKRnyvKGRq +pzb83w5l6YA96UYkYBDQP0ilO2DPe6wWqVR5zDfRzdcH8bh+L7dGGvae6hRTZhkF +kCpXDs4HccknrDf8FClJ7He39Jf42/G1Qm2zz9WWmrPXtgiK/x05GjsQfGuDG1zf +5QTUUie8lwymK3TfdOvNeeJAAPe2pn7ItfRb+rVrNWiDzlRn2vNnZ2wPo4wH/WJ6 +dhXZG+rMWT+a6Bocg1UfIw6kdunG4bTpZzsvacFYyR0mpf+DeOnpSWAmywJWHvTl +f2YXxFyeXcTACdQlcMNGJ2VhZQ48xtP5/RBP/8kCAwEAAaNmMGQwHQYDVR0OBBYE +FChy42okiqcTS1iqa/HRWjkBn4H/MB8GA1UdIwQYMBaAFOq3QpCeDHtkettUfAO6 +fE6f2KFhMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMA0GCSqG +SIb3DQEBCwUAA4IBAQAn+RHIPbtMEDNdT1g8H/RitAkUdLgAt1tWGWnlj9knbv4/ +4GlX7C9p45efPO9/aZL6OV1XRKBi6KmtBW5K7nuYEnMx/5BqBSbLT7rhduC49TBe +Mb9PHdXsTlSVNYefr1dGidr4j0xVBQLb1rknDAbdWDzKfvnayKO8Frwe7Hx843MG +/rJ+c0XruUvbfVTCHLiIWhM7oNDhL8xob6xUo9KLKcSL+ItYsO3/9Wb8Q9GjsqL4 +FXsDcG1SaYh7KpfuMmOixqzJZO2nIicPYRg1I2SuiUfYO70tmdHcbl+kSQmSYt7r +q4viILg2Gx3j9rITuWTjbaUaSSQxgOmMSHuyzMAC +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDSjCCAjKgAwIBAgIUeiO2o/ZVU5W/LKq1cbiQkK8vg3cwDQYJKoZIhvcNAQEL +BQAwLjEsMCoGA1UEAwwjWXViaWNvIEF0dGVzdGF0aW9uIEludGVybWVkaWF0ZSBB +IDEwIBcNMjQxMjAxMDAwMDAwWhgPOTk5OTEyMzEyMzU5NTlaMCYxJDAiBgNVBAMM +G1l1YmljbyBPUEdQIEF0dGVzdGF0aW9uIEEgMTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALIepVHpsV1pQrtCcvRHY/lrQZXfScwEloSdFoC+Qxrm4Qmb +S8M/DhPUplhRXwdy2X8jNCHWQDjlPgWcpdt0Zh+VXzinOq9sNLOKCCXRZiTeydVG +Mraid8Vdexu/oOTFPw2wYpAwpWr1UgdFiqC7BOkFi2PWGVx2PLGVL5yr8gzfrtkU +/wPJzvUyL8AKO5lAlCJxqzh8oRs7y/jxX0UGs1dwokS3x0pznEfuAO4SjY6aEhZr +Gx2Lz9OEx282Kx4Op9uHe2Ywb3EUlkoP3eW+JHNeuqeH9XrZ72ddqLD7Vv4VnXDG +FIugUmYF2DTHN3l/xV10Lv8PYc0cBbMWpcgqjGMCAwEAAaNmMGQwHQYDVR0OBBYE +FEv7sTbdJXWBUhNYqN30ncMms8RoMB8GA1UdIwQYMBaAFCAoUCEbpFpb6FPLnZ3F +5PxsL3ofMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/BAQDAgGGMA0GCSqG +SIb3DQEBCwUAA4IBAQAfLwUhIzy2Mp7JNKvD7eQmAUUIDYe616qbNlqrrJ7/H8s2 +ab4eRR0G7BiJfVrbkEXj24g7SJhV5HoD+LO0Gjdu88yKNXlWD4qTWZiZhaU9dhBC +FFClaWlST5pUhHdhBhJbz6ob7hW5VifVW8iA1cZl8zZN2oH/84u+NiTXc1ubyuR5 
+Fx4AX2vkTX8aRXDiYjZvX5zesQoMW4JX5XAOyhX0T98jLXkBZHfNZYmxWIQUPG/M +DsMcMP+q28J/BzePOqTxGC5V7/96Q8pg1pF0I6CHIxW5lMLk+NEoDiTVFecZo0+y +zCkkSyBMkPlR3asYKUOsKBOcH929zAdYeU4vxyIz +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDSjCCAjKgAwIBAgIUbeEhxjsv7XjQwdAQIi5G5i+4qhIwDQYJKoZIhvcNAQEL +BQAwLjEsMCoGA1UEAwwjWXViaWNvIEF0dGVzdGF0aW9uIEludGVybWVkaWF0ZSBC +IDEwIBcNMjQxMjAxMDAwMDAwWhgPOTk5OTEyMzEyMzU5NTlaMCYxJDAiBgNVBAMM +G1l1YmljbyBPUEdQIEF0dGVzdGF0aW9uIEIgMTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAMe9oJ6kuLQOlnUoyWzDaum4m23s3cR5jn0gVQSV6VPsQP8Q +d7wYiW/GiDUPAT4N/NqKdhcqX/5hazrbsKA+gCDU1E+zWunl0J0Fo5B0OCXQfxtA +0LhFHORvpJ1yz7HsRgEYScO7/rO2ip0bPbaKy4MG4UhyzKgzwmujOO7nmf6BcMil +8ZZRJbQOuEWsignM5EKuCrymyK3+R9Y+8NGjh/zb14Not9+JvwDgUYnHW+hip9si +UOzC2X8QYA/yBUCqTYGUePfC4ZOB0ZSi/HYtxhSnOTcDY6C+AcFnOCvCKD8t4Rdd +z6dFJINQgsATnfHycB22cUamIB9hBb9xXZYg36sCAwEAAaNmMGQwHQYDVR0OBBYE +FI1QCVLy1KcdxIkdZMMkn+wzyN0XMB8GA1UdIwQYMBaAFOq3QpCeDHtkettUfAO6 +fE6f2KFhMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/BAQDAgGGMA0GCSqG +SIb3DQEBCwUAA4IBAQCRtalpNipOThRLO8o0/4WVLIjlC8yiPBLsVMuXHuXhTdhW +ubRUSazhHr7tTRShPJ/OeWiiap9aZtZe7FUgTIOdaR0oI4Tp5Cu4TUJTLQEUqtA9 +HSU6bP485aRJi26hDD+h2AYplmEeVNEWj8PUIAp3N8mKMMqIkjB7d0QN14fze/Nb +REzHU6SVvuJo11jfHpJTfpbpCqvcVl8bMPUbdtOvqc1ibkj7O7OmTDACqTT1f3yQ +Zj0PbreP1qN9jv7kDAxT9O2yVSgXNXbz/Ygl121TkGWjXRQ8B3PW2Z3+n7B8ETAd +8fJ0/5guPgvO2VQHQv8H9U3tsqSq/siosMJ8KtS5 +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDSTCCAjGgAwIBAgIUSiefkiKiicP9B63XwO7fKqevCkQwDQYJKoZIhvcNAQEL +BQAwLjEsMCoGA1UEAwwjWXViaWNvIEF0dGVzdGF0aW9uIEludGVybWVkaWF0ZSBB +IDEwIBcNMjQxMjAxMDAwMDAwWhgPOTk5OTEyMzEyMzU5NTlaMCUxIzAhBgNVBAMM +Gll1YmljbyBQSVYgQXR0ZXN0YXRpb24gQSAxMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAyGCyrZjNrdPfChdDe4JWd+4TMLr8nbugcKJz12egglWi7oy5 +L9GT99/if9i1OrONdpEt0YrCa+qMb+dJJ0WUa8M5zXYnUDpn72vhFjH+Anb9P9+v ++ZrRqaj/jnR/MYP7NpVpeLHiH2dRCe/PX/NH1XE41GvdUEncDtqUUGaXUea0DfDY +McRDpPT2Qn5e8rn9FjzDA37SbOVuws5VlFTDzDdqR0FnqeWeIW0DFu17rzCqXcaB 
+VRDnQLTc5EEPDTpiRrQE/Ag+7Wg9ieLrueos75YMQ1EIkfjL49OBVogU1A7kwRGv +OnG8l7sYaY8LZ2b5FROe2hKqmsIy600qjn6b/QIDAQABo2YwZDAdBgNVHQ4EFgQU +hAuLXXtpQVBkcsbqyFlj6LVAadgwHwYDVR0jBBgwFoAUIChQIRukWlvoU8udncXk +/Gwveh8wEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZI +hvcNAQELBQADggEBAFxL/2oFjxkLh2KVnFKdhy7Nf7MmEfYXDDFSx1rFDn445jHO +UP5kxQPbZc9r53jdvL5W0SQBqBjqA95PYh0r1CPMFsFJdiFXli8Hf3NQ0bTkeFSN +G3LsQCOKMb+o2WjYU3vHkRVjKgKGLxysxxKxGfMUcXdJ0qM6ZVeRHehC2zy7XuI6 +TQn7/V0ZHXjk7So7dUV55xQde094/3cCTnh9Q3j2aqMjkGx6tDboCsz/+W+tne7W +nMHG92ZiAAmOkP2bABjan461Qty/qBXPHomkfjqNbjUTluPXiMLYKCXHIyKwdkX6 +cphouSMU3QOTsb35Y2PeWNk54xu+Eds/3nhRMso= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDSTCCAjGgAwIBAgIUWVf2oJG+t1qP8t8TicWgJ2KYan4wDQYJKoZIhvcNAQEL +BQAwLjEsMCoGA1UEAwwjWXViaWNvIEF0dGVzdGF0aW9uIEludGVybWVkaWF0ZSBC +IDEwIBcNMjQxMjAxMDAwMDAwWhgPOTk5OTEyMzEyMzU5NTlaMCUxIzAhBgNVBAMM +Gll1YmljbyBQSVYgQXR0ZXN0YXRpb24gQiAxMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAv7WBL9/5AKxSpCMoL63183WqRtFrOHY7tdyuGtoidoYWQrxV +aV9S+ZwH0aynh0IzD5A/PvCtuxdtL5w2cAI3tgsborOlEert4IZ904CZQfq3ooar +1an/wssbtMpPOQkC3MQiqrUyHlFS2BTbuwbBXY66lSVX/tGRuUgnBdfBJtcQKS6M +O4bU5ndPQqhGPyzcyY1LvlfzK7KJ1r/bixCRFqjhJRnPs0Czpg6rkRrFgC6cd5bK +1UgTsJy+3wrIqkv4CeV3EhSVnhnQjZgIrdIcI5WZ8T1Oq3OhMlWmY0K0dy/oZdP/ +bpbG2qbyHLa6gprLT/qChQWLmffxn6D2DAB1zQIDAQABo2YwZDAdBgNVHQ4EFgQU +M0Nt3QHo7eGzaKMZn2SmXT74vpcwHwYDVR0jBBgwFoAU6rdCkJ4Me2R621R8A7p8 +Tp/YoWEwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZI +hvcNAQELBQADggEBAI0HwoS84fKMUyIof1LdUXvyeAMmEwW7+nVETvxNNlTMuwv7 +zPJ4XZAm9Fv95tz9CqZBj6l1PAPQn6Zht9LQA92OF7W7buuXuxuusBTgLM0C1iX2 +CGXqY/k/uSNvi3ZYfrpd44TIrfrr8bCG9ux7B5ZCRqb8adDUm92Yz3lK1aX2M6Cw +jC9IZVTXQWhLyP8Ys3p7rb20CO2jJzV94deJ/+AsEb+bnCQImPat1GDKwrBosar+ +BxtU7k6kgkxZ0G384O59GFXqnwkbw2b5HhORvOsX7nhOUhePFufzi1vT1g8Tzbwr ++TUfTwo2biKHHcI762KGtp8o6Bcv5y8WgExFuWY= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDiDCCAnCgAwIBAgIUctm9Z8Xoe5SV7zFyLdXA5uQkTGQwDQYJKoZIhvcNAQEL 
+BQAwLjEsMCoGA1UEAwwjWXViaWNvIEF0dGVzdGF0aW9uIEludGVybWVkaWF0ZSBB +IDEwIBcNMjQxMjAxMDAwMDAwWhgPOTk5OTEyMzEyMzU5NTlaMCQxIjAgBgNVBAMM +GVl1YmljbyBTRCBBdHRlc3RhdGlvbiBBIDEwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQCxuLwF/2S7Kjj5HheMgUV0dZn+5eBSXuyYaXp3vGpvqKi8zbD3 +qkKIB/E8OZC2ZDbd481EfoX3sLryaNkZi32zoieMSyRsZxJNr88VpFh5nqpJTSsg +uSMkmuB5u42x7Ju3mvewffXVN+gWkZzrDPF+AqwHgLDgXfPcYcFJY12IifdHCqsV +aOdVIcggCJxk8F+Ke+RSA4ac1xy7/k9PXHGXmGccN1ZIkV0c7A32lO9fdgVxH6NU +i3YgoB9lBCI7lpzNEPEwj+vXOTBazZkFQ0qWr9AZrm5O3b2axAFND5yxtrcSljDd +7EJMhDjLvw4A8u92KFB6fFnoPlMDf2iTnZ7JAgMBAAGjgaUwgaIwHQYDVR0OBBYE +FFNCDtoWikRUfP2+7fCfZsme5BcyMBIGA1UdEwEB/wQIMAYBAf8CAQEwPAYDVR0g +AQH/BDIwMDAOBgwqhkiG/GtkAAoCAR4wDgYMKoZIhvxrZAAKAgEyMA4GDCqGSIb8 +a2QACgIBCjAOBgNVHQ8BAf8EBAMCAQYwHwYDVR0jBBgwFoAUIChQIRukWlvoU8ud +ncXk/Gwveh8wDQYJKoZIhvcNAQELBQADggEBABK4n+QsjaOW7P2kCyuajGxVz5ea +EgL3ywGY43CKi0m0WzS+UR7EQrH4YMUvaGy3vWdUMgMPyEYJtgDg24WadtKR4F+G +kXSH/XZ5H8hhDF82UkitQWzXWUKi5zh31Amiftbp2wxTDSNtz2aCwGXcuttuJmq/ +9po/JwKoQg/YvqmoYpQDIpFhhq3icfhWxBXz2/c1TCHFXtqhJCVlg4vU4ynZYq5g +ek87LEme7c8u8oTibpQ7UcRFLhnof2FCXtuL86RDctiIlEeEFk95b92yj9hmzpE5 +M8AX+S2QRCxlFxCPlRYmJWnBIi0/nJzMsvIP/U1BK5XcI+ULWb7TbdWZwsw= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDiDCCAnCgAwIBAgIUNMnXoUJn5ZzmbP5XTm5QMlSYunMwDQYJKoZIhvcNAQEL +BQAwLjEsMCoGA1UEAwwjWXViaWNvIEF0dGVzdGF0aW9uIEludGVybWVkaWF0ZSBC +IDEwIBcNMjQxMjAxMDAwMDAwWhgPOTk5OTEyMzEyMzU5NTlaMCQxIjAgBgNVBAMM +GVl1YmljbyBTRCBBdHRlc3RhdGlvbiBCIDEwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQDPplSmdu7IGPUL3x5BqXa1T2X/Ldrp72xovlExLQ1EclTPzJse +7KX6+18eKbhVZZ6H06iaOYtHDnV/a/nI0YIhkxVKu+C9tJVoLsElCbvKEqGzuEkV +45TH28cKXNItAZ0toEpCFYmM0TR7ZqQFIsZQclw3jMY5ot00JkLLG5m1qNSftJwe +jlcO3XRwmiCBD1TAf1C0uBpQSQI+RmruaMJr2F0143ramCLPmRvqN6UvCUcCZ8un +U0w7tVLXRz5Zj6sJOuoHsYAlxftZr2fcz5F7bHJXlBhRTuKgpkP0LA81Iaz1fF9I +CyI70YP9AmIeYqf/KvME1AwPl+mcSkSHvmIvAgMBAAGjgaUwgaIwHQYDVR0OBBYE +FM5bfqu8aCjdFhM6WwCMOj8YX4riMBIGA1UdEwEB/wQIMAYBAf8CAQEwPAYDVR0g 
+AQH/BDIwMDAOBgwqhkiG/GtkAAoCAR4wDgYMKoZIhvxrZAAKAgEyMA4GDCqGSIb8
+a2QACgIBCjAOBgNVHQ8BAf8EBAMCAQYwHwYDVR0jBBgwFoAU6rdCkJ4Me2R621R8
+A7p8Tp/YoWEwDQYJKoZIhvcNAQELBQADggEBAI3BS49G+1CoO7DaqdGQkCPkrpBA
+SmPM6fT0B1kpDD+nFqt1CdmEWJ9rq1ms7CP1XiQeSWAkkbZN5RSifZvj5Wlj9cCM
+ek4Vx6a/4bNS5IqYdZliBWFVT5a3TWr/G9+kBaJ+xIzYkFY9/WJVnHLqIC/R4/9J
+9cIl+w5L5CeGd5WfJFsvYmrhggSvU9uX5I5RnKdK5lvnXNQXHYOZaGDeRb7StB55
+7MXa9HtCnMSPEEy6p4U3dBBfHAsEXkf4O5xxKg1XyI1EM4kx8GSoolTHf2WDE4K4
+CV2c5zRbvbtqF32mMnOVmA+7wzzBOLrt2FN5JBMNMXW+akbCO4b1Fx6bkNM=
+-----END CERTIFICATE-----
diff --git a/v2/piv/key.go b/v2/piv/key.go
index 177d6ae..4cb55b9 100644
--- a/v2/piv/key.go
+++ b/v2/piv/key.go
@@ -34,6 +34,8 @@ import (
 "strings"
 rsafork "github.com/go-piv/piv-go/v2/third_party/rsa"
+
+ _ "embed"
 )
 // errMismatchingAlgorithms is returned when a cryptographic operation
@@ -228,15 +230,20 @@ type Verifier struct {
 func (v *Verifier) Verify(attestationCert, slotCert *x509.Certificate) (*Attestation, error) {
 o := x509.VerifyOptions{KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
 o.Roots = v.Roots
+ var intermediates *x509.CertPool
 if o.Roots == nil {
- cas, err := yubicoCAs()
+ cas, in, err := yubicoCAs()
 if err != nil {
 return nil, fmt.Errorf("failed to load yubico CAs: %v", err)
 }
 o.Roots = cas
+ intermediates = in
 }
- o.Intermediates = x509.NewCertPool()
+ if intermediates == nil {
+ intermediates = x509.NewCertPool()
+ }
+ o.Intermediates = intermediates
 // The attestation cert in some yubikey 4 does not encode X509v3 Basic Constraints.
 // This isn't valid as per https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9
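Review bot: When a caller sets `v.Roots`, `intermediates` stays nil and the new branch installs an empty pool, so the embedded Yubico intermediates are never consulted for custom roots; chains issued under the new Yubico Attestation Root 1 (root → intermediate → attestation cert) will then only verify if the caller also supplies the intermediates, and nothing in the hunk shows a field on `Verifier` for that (the struct definition is outside the hunk). If this is intended it should be stated in `Verify`'s doc comment, e.g. `// Roots replaces the built-in Yubico roots; when it is set, the built-in Yubico intermediates are not used and the caller must supply any intermediates in Roots.`; if not, the intermediates should be loaded from yubicoCAs regardless of `o.Roots`. The `var intermediates *x509.CertPool` / `if intermediates == nil { intermediates = x509.NewCertPool() }` pair can also be collapsed by initialising `intermediates := x509.NewCertPool()` up front and overwriting it inside the `if o.Roots == nil` block. Verify's body continues outside the hunk.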
@@ -344,21 +351,28 @@ sG/5xUb/Btwb2X2g4InpiB/yt/3CpQXpiWX/K4mBvUKiGn05ZsqeY1gx4g0xLBqc
 U9psmyPzK+Vsgw2jeRQ5JlKDyqE0hebfC1tvFu0CCrJFcw==
 -----END CERTIFICATE-----`
-func yubicoCAs() (*x509.CertPool, error) {
+//go:embed certs/yubico-ca-1.pem
+var yubicoAttestationCA2024 []byte
+
+//go:embed certs/yubico-intermediate.pem
+var yubicoIntermediates []byte
+
+func yubicoCAs() (roots, intermediates *x509.CertPool, err error) {
 certPool := x509.NewCertPool()
+ intermediates = x509.NewCertPool()
 if !certPool.AppendCertsFromPEM([]byte(yubicoPIVCAPEMAfter2018)) {
- return nil, fmt.Errorf("failed to parse yubico cert")
+ return nil, nil, fmt.Errorf("failed to parse yubico cert")
 }
 bU2F, _ := pem.Decode([]byte(yubicoPIVCAPEMU2F))
 if bU2F == nil {
- return nil, fmt.Errorf("failed to decode yubico pem data")
+ return nil, nil, fmt.Errorf("failed to decode yubico pem data")
 }
 certU2F, err := x509.ParseCertificate(bU2F.Bytes)
 if err != nil {
- return nil, fmt.Errorf("failed to parse yubico cert: %v", err)
+ return nil, nil, fmt.Errorf("failed to parse yubico cert: %v", err)
 }
 // The U2F root cert has pathlen x509 basic constraint set to 0.
@@ -371,7 +385,13 @@ func yubicoCAs() (*x509.CertPool, error) {
 certU2F.MaxPathLen = 1
 certPool.AddCert(certU2F)
- return certPool, nil
+ if !certPool.AppendCertsFromPEM(yubicoAttestationCA2024) {
+ return nil, nil, fmt.Errorf("failed to parse yubico attestation certificate")
+ }
+ if !intermediates.AppendCertsFromPEM(yubicoIntermediates) {
+ return nil, nil, fmt.Errorf("failed to parse yubico intermediates certificates")
+ }
+ return certPool, intermediates, nil
 }
 // Slot combinations pre-defined by this package.
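Review bot: The new signature names its results `roots, intermediates`, but the body keeps building the root pool in the local `certPool` and returns it explicitly, so `roots` is never assigned and the named result documents nothing. Either drop the local and use `roots = x509.NewCertPool()` throughout, or return to unnamed results `(*x509.CertPool, *x509.CertPool, error)`; mixing the two makes it look as if `roots` and `certPool` could be different pools. The named `err` is then reassigned by `certU2F, err := x509.ParseCertificate(bU2F.Bytes)`, which only works because this is the function's outermost block. A doc comment on `yubicoCAs` saying what each pool holds — the built-in PIV and U2F roots plus the 2024 attestation root, and the Yubico intermediates issued under that root — would help now that callers receive two pools. yubicoCAs continues in the next hunk.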
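Review bot: `certPool.AppendCertsFromPEM(yubicoAttestationCA2024)` and `intermediates.AppendCertsFromPEM(yubicoIntermediates)` only report whether at least one certificate parsed, so a truncated or partly corrupted `certs/yubico-intermediate.pem` (ten certificates in this commit) would be accepted silently with some intermediates missing, and chains through the missing issuer would fail at Verify time with no hint why. Because the files are fixed at build time, the cheapest guard is to parse them block by block and fail on the first undecodable block, as sketched below; a test asserting the number of certificates loaded from each embedded file would also catch a bad regeneration. The message `"failed to parse yubico intermediates certificates"` should read `"failed to parse yubico intermediate certificates"`.

```go
// addAllPEM appends every certificate in pemData to pool and, unlike
// AppendCertsFromPEM, fails on the first block that is not a parseable
// certificate or when pemData holds no certificate at all.
func addAllPEM(pool *x509.CertPool, pemData []byte) error {
	n := 0
	for {
		var block *pem.Block
		block, pemData = pem.Decode(pemData)
		if block == nil {
			break
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return err
		}
		pool.AddCert(cert)
		n++
	}
	if n == 0 {
		return fmt.Errorf("no certificates found")
	}
	return nil
}

// … unchanged: root pool construction, U2F MaxPathLen workaround …
	if err = addAllPEM(certPool, yubicoAttestationCA2024); err != nil {
		return nil, nil, fmt.Errorf("failed to parse yubico attestation certificate: %v", err)
	}
	if err = addAllPEM(intermediates, yubicoIntermediates); err != nil {
		return nil, nil, fmt.Errorf("failed to parse yubico intermediate certificates: %v", err)
	}
	return certPool, intermediates, nil
```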