From 30b6b1c8a54f629d4734febaa276432e6f3bea3e Mon Sep 17 00:00:00 2001 From: Klas Lindfors Date: Tue, 31 May 2016 09:35:08 +0200 Subject: [PATCH] add text about verifying an attestation --- doc/Attestation.adoc | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/doc/Attestation.adoc b/doc/Attestation.adoc index a1a4280..ed0a3b5 100644 --- a/doc/Attestation.adoc +++ b/doc/Attestation.adoc @@ -4,7 +4,8 @@ Using Attestation == Introduction This feature is only available in YubiKey 4.3 and newer. -A high level description of the thinking and how this can be used can be found link:/PIV/Introduction/PIV_attestation.html[here]. +A high level description of the thinking and how this can be used can be found +at https://developers.yubico.com/PIV/Introduction/PIV_attestation.html == Usage Attestation works through a special key slot called “f9” this comes @@ -18,3 +19,19 @@ special key, this can be realised by using the yubico-piv-tool action attest: $ yubico-piv-tool --action=attest --slot=9a The output of this is a PEM encoded certificate, signed by the key in slot f9. + +== Verifying +To verify an attestation step 1 is to build the certificate chain. Put the +attestation root certificate in a file (or if you trust several put all +of them in said file). The Yubico root certificate can be found at +https://developers.yubico.com/PIV/Introduction/piv-attestation-ca.pem + +Then add the keys attestation certificate to that file: + + $ yubico-piv-tool --action=read-certificate --slot=f9 > certs.pem + +Now we're ready to verify the attestation: + + $ yubico-piv-tool --action=attest --slot=f9 > attestation.pem + $ openssl verify -CAfile certs.pem attestation.pem + attestation.pem: OK
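Review bot: in the Introduction hunk the replacement line `+at https://developers.yubico.com/PIV/Introduction/PIV_attestation.html` ends the sentence without a period and drops the `link:` macro that the removed line used; either add a trailing period after the bare URL or keep the macro with the absolute target (`link:https://developers.yubico.com/PIV/Introduction/PIV_attestation.html[here]`) so the rendered text still reads as a sentence.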
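Review bot: in the Verifying hunk the final example attests slot f9 with its own key (`$ yubico-piv-tool --action=attest --slot=f9 > attestation.pem`), whereas the Usage section attests a regular slot (`--slot=9a`); f9 is the attesting key, so the walk-through should attest the same kind of slot as the earlier example. A second, more important point: appending the f9 certificate to the same certs.pem that holds the root and then running `openssl verify -CAfile certs.pem attestation.pem` makes OpenSSL treat the per-device f9 certificate as a trust anchor rather than as an intermediate that must itself chain to the root; pass it with `-untrusted` instead (`$ openssl verify -CAfile root.pem -untrusted f9.pem attestation.pem`) so that only the Yubico root is trusted and the f9 certificate is actually validated. Minor wording: "the keys attestation certificate" should read "the key's attestation certificate", and "step 1 is to build" reads better as "the first step is to build".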