138 lines
4.6 KiB
Plaintext
138 lines
4.6 KiB
Plaintext
Yubico PIV Tool
|
|
===============
|
|
|
|
Introduction
|
|
------------
|
|
|
|
The Yubico PIV tool is used for interacting with the Privilege and
|
|
Identification Card (PIV) application on a https://www.yubico.com[YubiKey].
|
|
|
|
With it you may generate keys on the device, importing keys and
|
|
certificates, and create certificate requests, and other operations.
|
|
A shared library and a command-line tool is included.
|
|
|
|
License
|
|
-------
|
|
|
|
Redistribution and use in source and binary forms, with or without
|
|
modification, are permitted provided that the following conditions are
|
|
met:
|
|
|
|
* Redistributions of source code must retain the above copyright
|
|
notice, this list of conditions and the following disclaimer.
|
|
|
|
* Redistributions in binary form must reproduce the above
|
|
copyright notice, this list of conditions and the following
|
|
disclaimer in the documentation and/or other materials provided
|
|
with the distribution.
|
|
|
|
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
|
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
|
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
|
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
Building
|
|
--------
|
|
|
|
After downloading and unpacking the package tarball, you build it as
|
|
follows.
|
|
|
|
./configure
|
|
make
|
|
sudo make install
|
|
|
|
The backend to use is decided at compile time, see the summary at the
|
|
end of the ./configure output. Use --with-backend=foo to chose
|
|
backend, replacing foo with the backend you want to use. The backends
|
|
available are "pcsc", "macscard", and "winscard" using the PCSC
|
|
interface, with slightly different shared library linkage and
|
|
header file names: "pcsc" is used under GNU-like systems, "macscard"
|
|
under Mac OS X, and "winscard" is used under Windows. In most
|
|
situations, running ./configure should automatically find the proper
|
|
backend to use.
|
|
|
|
Building from Git
|
|
-----------------
|
|
|
|
Recent versions of autoconf, automake, pkg-config and libtool must
|
|
be installed. Help2man is used to generate the manpages. Gengetopt
|
|
version 2.22.6 or later is needed for command line parameter handling.
|
|
|
|
Generate the build system using:
|
|
|
|
autoreconf --install
|
|
|
|
Then you follow the normal build instructions, see above.
|
|
To turn on all warnings add --enable-gcc-warnings to ./configure
|
|
|
|
Portability
|
|
-----------
|
|
|
|
The main development platform is Debian GNU/Linux. The project is
|
|
cross-compiled to Windows using MinGW (see windows.mk) using the PCSC
|
|
backend. It may also be built for Mac OS X (see mac.mk), also using
|
|
the PCSC backend.
|
|
|
|
Example Usage
|
|
-------------
|
|
|
|
For a list of all available options --help can be given. For more information
|
|
on exactly what happens --verbose or --verbose=2 may be added.
|
|
|
|
Generate a new ECC-P256 key on device in slot 9a, will print the public
|
|
key on stdout:
|
|
|
|
yubico-piv-tool -s 9a -A ECCP256 -a generate
|
|
|
|
Generate a certificate request with public key from stdin, will print
|
|
the resulting request on stdout:
|
|
|
|
yubico-piv-tool -s 9a -S '/CN=foo/OU=test/O=example.com/' -P 123456 \
|
|
-a verify -a request
|
|
|
|
Generate a self-signed certificate with public key from stdin, will print
|
|
the certificate, for later import, on stdout:
|
|
|
|
yubico-piv-tool -s 9a -S '/CN=bar/OU=test/O=example.com/' -P 123456 \
|
|
-a verify -a selfsign
|
|
|
|
Import a certificate from stdin:
|
|
|
|
yubico-piv-tool -s 9a -a import-certificate
|
|
|
|
Set a random chuid, import a key and import a certificate from a PKCS12
|
|
file with password test, into slot 9c:
|
|
|
|
yubico-piv-tool -s 9c -i test.pfx -K PKCS12 -p test -a set-chuid \
|
|
-a import-key -a import-cert
|
|
|
|
Change the management key used for administrative authentication:
|
|
|
|
yubico-piv-tool -n 0807605403020108070605040302010807060504030201 \
|
|
-a set-mgm-key
|
|
|
|
Delete a certificate in slot 9a:
|
|
|
|
yubico-piv-tool -a delete-certificate -s 9a
|
|
|
|
Show some information on certificates and other data:
|
|
|
|
yubico-piv-tool -a status
|
|
|
|
Read out the certificate from a slot and then run a signature test:
|
|
|
|
yubico-piv-tool -a read-cert -s 9a
|
|
yubico-piv-tool -a verify-pin -P 123456 -a test-signature -s 9a
|
|
|
|
Import a key into slot 85 (only available on YubiKey 4) and set the
|
|
touch policy (also only available on YubiKey 4):
|
|
|
|
yubico-piv-tool -a import-key -s 85 --touch-policy=always -i key.pem
|