Crates.io | openpgp-piv-sequoia |
lib.rs | openpgp-piv-sequoia |
version | 0.1.0 |
source | src |
created_at | 2023-06-15 18:18:02.161158 |
updated_at | 2023-06-24 09:08:17.712567 |
description | A library for using PIV devices in an OpenPGP context. |
homepage | |
repository | https://codeberg.org/heiko/openpgp-piv |
max_upload_size | |
id | 891320 |
size | 27,939 |
A library to use PIV devices in an OpenPGP context.
PIV ("Personal Identity Verification", also known as FIPS 201) is a United States federal government standard for cryptographic smart cards.
PIV devices are widely available, and it is possible to use them to perform cryptographic operations in OpenPGP contexts.
The PIV standard specifies use of RSA 2048, NIST P-256 or NIST P-384. Other asymmetric algorithms are not part of the official standard.
Some devices implement additional cryptographic mechanisms. However, these are currently proprietary extensions.
The widely available YubiKey 4 and 5 devices support multiple protocols. Among those is PIV.
The PIV application on YubiKey devices is independent of the OpenPGP card application that the devices also offer (that is, the two applications are separate, and can contain different key material).
One feature of the YubiKey PIV application is that it offers 20 additional slots for "retired" decryption keys.
It's possible to access the PIV application on the YubiKey 4/5 via two different interfaces:
ykcs11
library).Both interfaces allow using the same key material. The interfaces are in a sense interchangeable.
These implementations are
https://github.com/arekinath/PivApplet
The Canokey secure key can be run on the host computer as a simulator
https://github.com/canokeys/canokey-core/
https://github.com/makinako/OpenFIPS201 https://github.com/makinako/OpenFIPS201-jc22
A companion project offers containerized software PIV implementations, for CI testing.
https://csrc.nist.gov/Projects/piv/piv-standards-and-supporting-documentation