Files
yubikey.rs/doc/Attestation.adoc
T
2016-03-31 13:34:54 +02:00

21 lines
965 B
Plaintext

Using Attestation
-----------------
Attestation works through a special key slot called “f9” this comes
pre-loaded from factory with a key and cert signed by Yubico, but can be
overwritten.
After a key has been generated in a normal slot it can be attested by this
special key, this can be realised by using the yubico-piv-tool action attest:
$ yubico-piv-tool --action=generate --slot=9a
...
$ yubico-piv-tool --action=attest --slot=9a
The output of this is a PEM encoded certificate, signed by the key in slot f9. There are a couple of special extensions on this certificate:
* +1.3.6.1.4.1.41482.3.3+: Firmware version, encoded as 3 bytes, like: 040300 for 4.3.0
* +1.3.6.1.4.1.41482.3.7+: Serial number, encoded as an integer.
* +1.3.6.1.4.1.41482.3.8+: Two bytes, the first encoding pin policy and the second touch policy
** Pin policy: 01 - never, 02 - once per session, 03 - always
** Touch policy: 01 - never, 02 - always, 03 - cached for 15s