Documentation
Overview
Package piv implements a provider that derives a 32-byte secret from a PIV-compatible hardware token (e.g., YubiKey) using the go-piv library.
During enrollment, an ECC P-256 key is generated on the token in the chosen slot. A deterministic challenge is signed, and the signature is run through HKDF-SHA256 to produce the 32-byte secret. Because the private key never leaves the device, the secret is hardware-bound.
Requires: PC/SC (pcscd on Linux, CryptoTokenKit on macOS).
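The derivation pipeline described above, as an added example that is not part of the piv package or go-piv: a software P-256 key stands in for the token slot (the real provider generates the key on the device and never exports it), the challenge construction and HKDF info label are constructed placeholders, and HKDF-SHA256 is written out per RFC 5869 so the extract and expand steps are visible. Note that Go's ecdsa.SignASN1 randomises each signature, so this stand-in is not a faithful model of the token's signing; the example only shows that a given signature always maps to the same 32-byte secret.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Challenge builds the deterministic message the token signs. The domain label
// and the use of the enrollment id are constructed for this example; the page
// does not give the package's own challenge format.
func Challenge(id string) []byte {
	h := sha256.New()
	h.Write([]byte("piv-example-challenge-v1\x00")) // constructed domain label
	h.Write([]byte(id))
	return h.Sum(nil) // 32-byte digest, fed directly to ECDSA
}

// HKDFSHA256 implements RFC 5869 extract-then-expand with SHA-256.
// A nil salt is replaced by HashLen zero bytes, as the RFC specifies.
func HKDFSHA256(ikm, salt, info []byte, n int) []byte {
	if salt == nil {
		salt = make([]byte, sha256.Size)
	}
	// Extract: PRK = HMAC(salt, IKM)
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	// Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated until n bytes
	var out, t []byte
	for i := byte(1); len(out) < n; i++ {
		exp := hmac.New(sha256.New, prk)
		exp.Write(t)
		exp.Write(info)
		exp.Write([]byte{i})
		t = exp.Sum(nil)
		out = append(out, t...)
	}
	return out[:n]
}

// SecretFromSignature runs the token's signature through HKDF-SHA256 to get
// the 32-byte secret. The info label is a constructed placeholder.
func SecretFromSignature(sig []byte) []byte {
	return HKDFSHA256(sig, nil, []byte("piv-example-secret"), 32)
}

// SoftwareToken is a stand-in for the PIV slot (hypothetical; the real key
// lives on the hardware token and is not exportable).
type SoftwareToken struct{ key *ecdsa.PrivateKey }

// NewSoftwareToken mirrors enrollment: generate an ECC P-256 key pair.
func NewSoftwareToken() (*SoftwareToken, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SoftwareToken{key: k}, nil
}

// Sign returns an ASN.1 ECDSA signature over the 32-byte challenge digest.
func (t *SoftwareToken) Sign(challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, t.key, challenge)
}

// Verify checks the signature with the slot's public key, as a host would.
func (t *SoftwareToken) Verify(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(&t.key.PublicKey, challenge, sig)
}

func main() {
	tok, err := NewSoftwareToken()
	if err != nil {
		panic(err)
	}
	ch := Challenge("example-enrollment-id") // constructed id
	sig, err := tok.Sign(ch)
	if err != nil {
		panic(err)
	}
	fmt.Println("signature valid:", tok.Verify(ch, sig))
	fmt.Println("secret:", hex.EncodeToString(SecretFromSignature(sig)))
}
```

The HKDF function is checked against RFC 5869 test case 1 in the accompanying test, which is how a practitioner should validate any hand-written KDF before trusting it with key material.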
Index
- func CardSerial(cardName string) string
- func ListCards() ([]string, error)
- func SlotHasKey(cardName string, slot gopiv.Slot) (*ecdsa.PublicKey, error)
- type PIV
- func (p *PIV) Derive(ctx context.Context, params map[string]string) ([]byte, error)
- func (p *PIV) DeriveTimeout() time.Duration
- func (p *PIV) Description() string
- func (p *PIV) Enroll(ctx context.Context, id string) (*provider.EnrollResult, error)
- func (p *PIV) EnrollOptions() []provider.EnrollOption
- func (p *PIV) InteractiveDerive() bool
- func (p *PIV) PreDerive(ctx context.Context, _ map[string]string) (context.Context, error)
- func (p *PIV) Type() string
Constants
This section is empty.
Variables
This section is empty.
Functions
func CardSerial
func CardSerial(cardName string) string
CardSerial opens a card by name and returns its serial number as a string. Returns "unknown" if the serial cannot be read.
func SlotHasKey
func SlotHasKey(cardName string, slot gopiv.Slot) (*ecdsa.PublicKey, error)
SlotHasKey checks whether a PIV slot on the given card already holds key material. Returns the public key if one is found, nil if the slot is empty. It uses the Yubico GET METADATA extension (KeyInfo), the same source `ykman piv info` reads, so cryptkey and ykman agree on slot occupancy.
Types
type PIV
type PIV struct{}
PIV is the PIV smart card provider.
func (*PIV) DeriveTimeout
func (p *PIV) DeriveTimeout() time.Duration
func (*PIV) Description
func (p *PIV) Description() string
func (*PIV) EnrollOptions
func (p *PIV) EnrollOptions() []provider.EnrollOption