ykman.piv

Attributes

OBJECT_ID_PIVMAN_DATA

OBJECT_ID_PIVMAN_PROTECTED_DATA

Classes

PivmanData

PivmanProtectedData

Functions

parse_rfc4514_string(value)

Parse an RFC 4514 string into an x509.Name.

derive_management_key(pin, salt)

Derive a management key from the user's PIN and a salt.

generate_random_management_key(algorithm)

Generate a new random management key.

get_pivman_data(session)

Read out the Pivman data from a YubiKey.

get_pivman_protected_data(session)

Read out the Pivman protected data from a YubiKey.

pivman_set_mgm_key(session, new_key, algorithm[, ...])

Set a new management key, while keeping PivmanData in sync.

pivman_change_pin(session, old_pin, new_pin)

Change the PIN, while keeping PivmanData in sync.

pivman_set_pin_attempts(session, pin_attempts, ...)

Set the number of PIN and PUK retry attempts, while keeping PivmanData in sync.

list_certificates(session)

Read out and parse stored certificates.

check_key(session, slot, public_key)

Check that a given public key corresponds to the private key in a slot.

generate_chuid()

Generate a CHUID (Cardholder Unique Identifier).

generate_ccc()

Generate a CCC (Card Capability Container).

get_piv_info(session)

Get human-readable information about the PIV configuration.

sign_certificate_builder(session, slot, key_type, builder)

Sign a Certificate.

sign_csr_builder(session, slot, public_key, builder[, ...])

Sign a CSR.

generate_self_signed_certificate(session, slot, ...[, ...])

Generate a self-signed certificate using a private key in a slot.

generate_csr(session, slot, public_key, subject_str[, ...])

Generate a CSR using a private key in a slot.

Module Contents

ykman.piv.OBJECT_ID_PIVMAN_DATA = 6291200
ykman.piv.OBJECT_ID_PIVMAN_PROTECTED_DATA
ykman.piv.parse_rfc4514_string(value)

Parse an RFC 4514 string into an x509.Name.

See: https://tools.ietf.org/html/rfc4514.html

Parameters:

value (str) – An RFC 4514 string.

Return type:

cryptography.x509.Name

ykman.piv.derive_management_key(pin, salt)

Derive a management key from the user's PIN and a salt.

NOTE: This method of derivation is deprecated! Protect the management key using PivmanProtectedData instead.

Parameters:
  • pin (str) – The PIN.

  • salt (bytes) – The salt.

Return type:

bytes

ykman.piv.generate_random_management_key(algorithm)

Generate a new random management key.

Parameters:

algorithm (yubikit.piv.MANAGEMENT_KEY_TYPE) – The algorithm for the management key.

Return type:

bytes

class ykman.piv.PivmanData(raw_data=Tlv(128))

Parameters:

raw_data (bytes)

salt
pin_timestamp
property puk_blocked: bool
Return type:

bool

property mgm_key_protected: bool
Return type:

bool

property has_protected_key: bool
Return type:

bool

property has_derived_key: bool
Return type:

bool

property has_stored_key: bool
Return type:

bool

get_bytes()
Return type:

bytes

class ykman.piv.PivmanProtectedData(raw_data=Tlv(136))

Parameters:

raw_data (bytes)

key
get_bytes()
Return type:

bytes

ykman.piv.get_pivman_data(session)

Read out the Pivman data from a YubiKey.

Parameters:

session (yubikit.piv.PivSession) – The PIV session.

Return type:

PivmanData

ykman.piv.get_pivman_protected_data(session)

Read out the Pivman protected data from a YubiKey.

This function requires PIN verification prior to being called.

Parameters:

session (yubikit.piv.PivSession) – The PIV session.

Return type:

PivmanProtectedData
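
An added example (not ykman's own code) that shows what the PivmanData and PivmanProtectedData objects above hold, and why get_pivman_protected_data requires PIN verification while get_pivman_data does not: it parses both TLV objects from constructed sample records and recomputes the properties documented for PivmanData. The sub-tag layout (0x81 flags, 0x82 salt, 0x83 PIN timestamp inside 0x80; 0x89 key inside 0x88) and the flag bit values are my reading of the ykman source and are assumptions here, not something this page states.

```python
import struct
from typing import Dict, Optional

# Assumed layout (from my reading of ykman, not stated on this page):
# 0x80 object -> 0x81 flags, 0x82 salt, 0x83 PIN timestamp
# 0x88 object -> 0x89 stored management key (only readable after PIN verify)
PUK_BLOCKED, MGM_KEY_PROTECTED = 0x01, 0x02


def tlv_parse_dict(data: bytes) -> Dict[int, bytes]:
    """Parse concatenated one-byte-tag TLVs with short or long-form lengths."""
    out, i = {}, 0
    while i < len(data):
        tag, ln = data[i], data[i + 1]
        i += 2
        if ln & 0x80:  # long form: low bits give the number of length bytes
            n = ln & 0x7F
            ln = int.from_bytes(data[i:i + n], "big")
            i += n
        out[tag] = data[i:i + ln]
        i += ln
    return out


def tlv(tag: int, value: bytes) -> bytes:
    """Encode one TLV with a DER-style minimal length."""
    ln = len(value)
    if ln < 0x80:
        hdr = bytes([ln])
    else:
        lb = ln.to_bytes((ln.bit_length() + 7) // 8, "big")
        hdr = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + hdr + value


def parse_pivman_data(raw: bytes) -> dict:
    """Recompute PivmanData's documented properties from one raw 0x80 object."""
    inner = tlv_parse_dict(tlv_parse_dict(raw).get(0x80, b""))
    flags = inner[0x81][0] if 0x81 in inner else 0
    salt = inner.get(0x82)
    ts = struct.unpack(">I", inner[0x83])[0] if 0x83 in inner else None
    derived, stored = salt is not None, bool(flags & MGM_KEY_PROTECTED)
    return {"puk_blocked": bool(flags & PUK_BLOCKED), "mgm_key_protected": stored,
            "salt": salt, "pin_timestamp": ts, "has_derived_key": derived,
            "has_stored_key": stored, "has_protected_key": derived or stored}


def parse_pivman_protected_data(raw: bytes) -> Optional[bytes]:
    """Return the stored management key from a raw 0x88 object, if any."""
    return tlv_parse_dict(tlv_parse_dict(raw).get(0x88, b"")).get(0x89)


# Constructed samples. The salt lives in the unprotected 0x80 object, so in the
# deprecated derived-key mode the management key is only as strong as the PIN;
# the stored-key mode keeps the key itself behind PIN verification in 0x88.
SAMPLE_DATA = tlv(0x80, tlv(0x81, bytes([PUK_BLOCKED])) + tlv(0x82, b"\x01" * 16)
                  + tlv(0x83, struct.pack(">I", 1700000000)))
SAMPLE_PROTECTED = tlv(0x88, tlv(0x89, b"\x42" * 24))
```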

ykman.piv.pivman_set_mgm_key(session, new_key, algorithm, touch=False, store_on_device=False)

Set a new management key, while keeping PivmanData in sync.

Parameters:
Return type:

None

ykman.piv.pivman_change_pin(session, old_pin, new_pin)

Change the PIN, while keeping PivmanData in sync.

Parameters:
Return type:

None

ykman.piv.pivman_set_pin_attempts(session, pin_attempts, puk_attempts)

Set the number of PIN and PUK retry attempts, while keeping PivmanData in sync.

Parameters:
Return type:

None

ykman.piv.list_certificates(session)

Read out and parse stored certificates.

Only certificates which are successfully parsed are returned.

Parameters:

session (yubikit.piv.PivSession) – The PIV session.

Return type:

Mapping[yubikit.piv.SLOT, Optional[cryptography.x509.Certificate]]

ykman.piv.check_key(session, slot, public_key)

Check that a given public key corresponds to the private key in a slot.

This will create a signature using the private key, so the PIN must be verified prior to calling this function if the PIN policy requires it.

Parameters:
Return type:

bool

ykman.piv.generate_chuid()

Generate a CHUID (Cardholder Unique Identifier).

Return type:

bytes

ykman.piv.generate_ccc()

Generate a CCC (Card Capability Container).

Return type:

bytes

ykman.piv.get_piv_info(session)

Get human-readable information about the PIV configuration.

Parameters:

session (yubikit.piv.PivSession) – The PIV session.

ykman.piv.sign_certificate_builder(session, slot, key_type, builder, hash_algorithm=hashes.SHA256)

Sign a Certificate.

Parameters:
Return type:

cryptography.x509.Certificate

ykman.piv.sign_csr_builder(session, slot, public_key, builder, hash_algorithm=hashes.SHA256)

Sign a CSR.

Parameters:
Return type:

cryptography.x509.CertificateSigningRequest

ykman.piv.generate_self_signed_certificate(session, slot, public_key, subject_str, valid_from, valid_to, hash_algorithm=hashes.SHA256)

Generate a self-signed certificate using a private key in a slot.

Parameters:
Return type:

cryptography.x509.Certificate

ykman.piv.generate_csr(session, slot, public_key, subject_str, hash_algorithm=hashes.SHA256)

Generate a CSR using a private key in a slot.

Parameters:
Return type:

cryptography.x509.CertificateSigningRequest