Support Ed25519 keys in setup

FiloSottile · May 18, 2020 · fbedeaf · fbedeaf
1 parent 8781bc0
commit fbedeaf
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 3 deletions.
diff --git a/go.mod b/go.mod
@@ -7,3 +7,5 @@ require (
 	github.com/gopasspw/gopass v1.9.1
 	golang.org/x/crypto v0.0.0-20200429183012-4b2356b1ed79
 )
+
+replace github.com/go-piv/piv-go => github.com/nickray/piv-go v1.5.1-0.20200518194817-2d52ab58f01e
diff --git a/go.sum b/go.sum
@@ -85,6 +85,8 @@ github.com/muesli/crunchy v0.4.0 h1:qdiml8gywULHBsztiSAf6rrE6EyuNasNKZ104mAaahM=
 github.com/muesli/crunchy v0.4.0/go.mod h1:9k4x6xdSbb7WwtAVy0iDjaiDjIk6Wa5AgUIqp+HqOpU=
 github.com/muesli/goprogressbar v0.0.0-20190807022807-e540249d2ac1 h1:NROB7UaQ4VVE0mDQKHWhkmwL3YLXLEcmDbpLB99oc8Y=
 github.com/muesli/goprogressbar v0.0.0-20190807022807-e540249d2ac1/go.mod h1:19yRWZtJozyS7m+fyTUK0rE76LABdnU7zp0BuyeDwLc=
+github.com/nickray/piv-go v1.5.1-0.20200518194817-2d52ab58f01e h1:NG2wetbhkTpdE8C+uGCwtVOst/ZhvmSEJy/qIv5sN44=
+github.com/nickray/piv-go v1.5.1-0.20200518194817-2d52ab58f01e/go.mod h1:ON2WvQncm7dIkCQ7kYJs+nc3V4jHGfrrJnSF8HKy7Gk=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=

diff --git a/main.go b/main.go
@@ -9,6 +9,7 @@ package main
 import (
 	"bytes"
 	"crypto/ecdsa"
+	"crypto/ed25519"
 	"crypto/rand"
 	"crypto/rsa"
 	"errors"
@@ -47,6 +48,7 @@ func main() {
 	}
 
 	socketPath := flag.String("l", "", "agent: path of the UNIX socket to listen on")
+	ed25519Flag := flag.Bool("ed25519", false, "setup: generate Ed25519 key")
 	resetFlag := flag.Bool("really-delete-all-piv-keys", false, "setup: reset the PIV applet")
 	setupFlag := flag.Bool("setup", false, "setup: configure a new YubiKey")
 	flag.Parse()
@@ -61,7 +63,7 @@ func main() {
 		if *resetFlag {
 			runReset(yk)
 		}
-		runSetup(yk)
+		runSetup(yk, *ed25519Flag)
 	} else {
 		if *socketPath == "" {
 			flag.Usage()
@@ -226,6 +228,7 @@ func getPublicKey(yk *piv.YubiKey, slot piv.Slot) (ssh.PublicKey, error) {
 	}
 	switch cert.PublicKey.(type) {
 	case *ecdsa.PublicKey:
+	case ed25519.PublicKey:
 	case *rsa.PublicKey:
 	default:
 		return nil, fmt.Errorf("unexpected public key type: %T", cert.PublicKey)

diff --git a/setup.go b/setup.go
@@ -65,7 +65,7 @@ func runReset(yk *piv.YubiKey) {
 	}
 }
 
-func runSetup(yk *piv.YubiKey) {
+func runSetup(yk *piv.YubiKey, ed25519 bool) {
 	if _, err := yk.Certificate(piv.SlotAuthentication); err == nil {
 		log.Println("‼️  This YubiKey looks already setup")
 		log.Println("")
@@ -136,8 +136,13 @@ func runSetup(yk *piv.YubiKey) {
 		log.Fatalln("use --really-delete-all-piv-keys ⚠️")
 	}
 
+	alg := piv.AlgorithmEC256
+	if ed25519 {
+		// hack it in, this relies on the piv-go patch
+		alg = piv.AlgorithmEd25519
+	}
 	pub, err := yk.GenerateKey(key, piv.SlotAuthentication, piv.Key{
-		Algorithm:   piv.AlgorithmEC256,
+		Algorithm:   alg,
 		PINPolicy:   piv.PINPolicyOnce,
 		TouchPolicy: piv.TouchPolicyAlways,
 	})