ykman.piv
Attributes
Classes
Functions
- Parse an RFC 4514 string into an x509.Name.
- Derive a management key from the user's PIN and a salt.
- Generate a new random management key.
- Read out the Pivman data from a YubiKey.
- Read out the Pivman protected data from a YubiKey.
- Set a new management key, while keeping PivmanData in sync.
- Change the PIN, while keeping PivmanData in sync.
- Set the number of PIN and PUK retry attempts, while keeping PivmanData in sync.
- Read out and parse stored certificates.
- Check that a given public key corresponds to the private key in a slot.
- Generate a CHUID (Cardholder Unique Identifier).
- Generate a CCC (Card Capability Container).
- Get human readable information about the PIV configuration.
- Sign a Certificate.
- Sign a CSR.
- Generate a self-signed certificate using a private key in a slot.
- Generate a CSR using a private key in a slot.
Module Contents
- ykman.piv.OBJECT_ID_PIVMAN_DATA = 6291200
- ykman.piv.OBJECT_ID_PIVMAN_PROTECTED_DATA
- ykman.piv.parse_rfc4514_string(value)[source]
Parse an RFC 4514 string into an x509.Name.
See: https://tools.ietf.org/html/rfc4514.html
- Parameters:
value (str) – An RFC 4514 string.
- Return type:
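As an added, stand-alone example (not ykman's own implementation), a parser for the RFC 4514 string format that parse_rfc4514_string and the subject_str parameters of generate_self_signed_certificate and generate_csr accept; it returns plain tuples rather than an x509.Name so it runs without a YubiKey or the cryptography package:

```python
from typing import List, Tuple

# Added example, not ykman's own code: a stand-alone RFC 4514 parser returning
# plain tuples instead of an x509.Name, so it needs neither `cryptography` nor a key.
Rdn = List[Tuple[str, str]]   # one RDN: [(attribute type, value), ...]
SPECIALS = ' "#+,;<=>\\'      # characters a backslash may escape (RFC 4514 s.3)
HEX = "0123456789abcdefABCDEF"

def parse_rfc4514(value: str) -> List[Rdn]:
    """'CN=Foo\\, Bar+OU=x,O=Ex' -> [[('CN', 'Foo, Bar'), ('OU', 'x')], [('O', 'Ex')]].
    Handles '\\,' and '\\XX' hex escapes (hex bytes join as UTF-8, so '\\C3\\A9' -> 'é');
    the '#hexstring' BER value form is not supported."""
    rdns, rdn = [], []        # all RDNs so far; the RDN being built
    attr_type, in_value = "", False
    buf = bytearray()         # UTF-8 bytes of the field currently being read
    i, n = 0, len(value)
    def end_pair() -> None:   # finish the current attributeType=value
        nonlocal attr_type, in_value
        if not in_value:
            raise ValueError(f"RDN without '=' before offset {i}")
        rdn.append((attr_type, bytes(buf).decode("utf-8")))
        buf.clear()
        attr_type, in_value = "", False
    while i < n:
        ch = value[i]
        if ch == "\\":
            nxt, pair = value[i + 1:i + 2], value[i + 1:i + 3]
            if nxt and nxt in SPECIALS:          # e.g. '\,' -> ','
                buf += nxt.encode("utf-8")
            elif len(pair) == 2 and all(c in HEX for c in pair):
                buf.append(int(pair, 16))        # one raw UTF-8 byte
            else:
                raise ValueError(f"bad escape at offset {i}")
            i += 2 if nxt in SPECIALS else 3
            continue
        if ch == "=" and not in_value:
            attr_type, in_value = bytes(buf).decode("utf-8").strip(), True
            buf.clear()
        elif ch in ",+":      # unescaped ',' or '+' ends the current pair
            end_pair()
            if ch == ",":     # ',' also ends the whole RDN
                rdns.append(rdn)
                rdn = []
        else:
            buf += ch.encode("utf-8")
        i += 1
    if value:                 # the empty string is the empty DN
        end_pair()
        rdns.append(rdn)
    return rdns
```

A subject string that fails here (unescaped separators, dangling backslash, missing '=') is the kind of input to reject before handing it to generate_csr or generate_self_signed_certificate.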
- ykman.piv.derive_management_key(pin, salt)[source]
Derive a management key from the user's PIN and a salt.
NOTE: This method of derivation is deprecated! Protect the management key using PivmanProtectedData instead.
- ykman.piv.generate_random_management_key(algorithm)[source]
Generate a new random management key.
- Parameters:
algorithm (yubikit.piv.MANAGEMENT_KEY_TYPE) – The algorithm for the management key.
- Return type:
- class ykman.piv.PivmanData(raw_data=Tlv(128))[source]
- Parameters:
raw_data (bytes)
- salt
- pin_timestamp
- ykman.piv.get_pivman_data(session)[source]
Read out the Pivman data from a YubiKey.
- Parameters:
session (yubikit.piv.PivSession) – The PIV session.
- Return type:
- ykman.piv.get_pivman_protected_data(session)[source]
Read out the Pivman protected data from a YubiKey.
This function requires PIN verification prior to being called.
- Parameters:
session (yubikit.piv.PivSession) – The PIV session.
- Return type:
- ykman.piv.pivman_set_mgm_key(session, new_key, algorithm, touch=False, store_on_device=False)[source]
Set a new management key, while keeping PivmanData in sync.
- Parameters:
session (yubikit.piv.PivSession) – The PIV session.
new_key (bytes) – The new management key.
algorithm (yubikit.piv.MANAGEMENT_KEY_TYPE) – The algorithm for the management key.
touch (bool) – If set, touch is required.
store_on_device (bool) – If set, the management key is stored on device.
- Return type:
None
- ykman.piv.pivman_change_pin(session, old_pin, new_pin)[source]
Change the PIN, while keeping PivmanData in sync.
- Parameters:
session (yubikit.piv.PivSession) – The PIV session.
old_pin (str) – The old PIN.
new_pin (str) – The new PIN.
- Return type:
None
- ykman.piv.pivman_set_pin_attempts(session, pin_attempts, puk_attempts)[source]
Set the number of PIN and PUK retry attempts, while keeping PivmanData in sync.
- Parameters:
session (yubikit.piv.PivSession) – The PIV session.
pin_attempts (int) – The PIN attempts.
puk_attempts (int) – The PUK attempts.
- Return type:
None
- ykman.piv.list_certificates(session)[source]
Read out and parse stored certificates.
Only certificates which are successfully parsed are returned.
- Parameters:
session (yubikit.piv.PivSession) – The PIV session.
- Return type:
Mapping[yubikit.piv.SLOT, Optional[cryptography.x509.Certificate]]
- ykman.piv.check_key(session, slot, public_key)[source]
Check that a given public key corresponds to the private key in a slot.
This will create a signature using the private key, so the PIN must be verified prior to calling this function if the PIN policy requires it.
- Parameters:
session (yubikit.piv.PivSession) – The PIV session.
slot (yubikit.piv.SLOT) – The slot.
public_key (Union[cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey]) – The public key.
- Return type:
- ykman.piv.get_piv_info(session)[source]
Get human readable information about the PIV configuration.
- Parameters:
session (yubikit.piv.PivSession) – The PIV session.
- ykman.piv.sign_certificate_builder(session, slot, key_type, builder, hash_algorithm=hashes.SHA256)[source]
Sign a Certificate.
- Parameters:
session (yubikit.piv.PivSession) – The PIV session.
slot (yubikit.piv.SLOT) – The slot.
key_type (yubikit.piv.KEY_TYPE) – The key type.
builder (cryptography.x509.CertificateBuilder) – The x509 certificate builder object.
hash_algorithm (type[_AllowedHashTypes]) – The hash algorithm, ignored for Curve 25519.
- Return type:
- ykman.piv.sign_csr_builder(session, slot, public_key, builder, hash_algorithm=hashes.SHA256)[source]
Sign a CSR.
- Parameters:
session (yubikit.piv.PivSession) – The PIV session.
slot (yubikit.piv.SLOT) – The slot.
public_key (Union[cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey]) – The public key.
builder (cryptography.x509.CertificateSigningRequestBuilder) – The x509 certificate signing request builder object.
hash_algorithm (type[_AllowedHashTypes]) – The hash algorithm, ignored for Curve 25519.
- Return type:
- ykman.piv.generate_self_signed_certificate(session, slot, public_key, subject_str, valid_from, valid_to, hash_algorithm=hashes.SHA256)[source]
Generate a self-signed certificate using a private key in a slot.
- Parameters:
session (yubikit.piv.PivSession) – The PIV session.
slot (yubikit.piv.SLOT) – The slot.
public_key (Union[cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey]) – The public key.
subject_str (str) – The subject RFC 4514 string.
valid_from (datetime.datetime) – The date from when the certificate is valid.
valid_to (datetime.datetime) – The date when the certificate expires.
hash_algorithm (type[_AllowedHashTypes]) – The hash algorithm.
- Return type:
- ykman.piv.generate_csr(session, slot, public_key, subject_str, hash_algorithm=hashes.SHA256)[source]
Generate a CSR using a private key in a slot.
- Parameters:
session (yubikit.piv.PivSession) – The PIV session.
slot (yubikit.piv.SLOT) – The slot.
public_key (Union[cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey]) – The public key.
subject_str (str) – The subject RFC 4514 string.
hash_algorithm (type[_AllowedHashTypes]) – The hash algorithm.
- Return type: