# openpgp-piv-sequoia [![crates.io openpgp-piv-sequoia](https://img.shields.io/crates/v/openpgp-piv-sequoia.svg)](https://crates.io/crates/openpgp-piv-sequoia) [![docs.rs openpgp-piv-sequoia](https://img.shields.io/badge/docs.rs-openpgp--piv--sequoia-66c2a5?logo=docs.rs)](https://docs.rs/openpgp-piv-sequoia) [![status-badge](https://ci.codeberg.org/api/badges/heiko/openpgp-piv/status.svg)](https://ci.codeberg.org/heiko/openpgp-piv) [![Mastodon](https://img.shields.io/badge/mastodon-read-5da168.svg)](https://fosstodon.org/@hko) [![Matrix: #openpgp-card:matrix.org](https://matrix.to/img/matrix-badge.svg)](https://matrix.to/#/#openpgp-card:matrix.org)

A library to use PIV devices in an OpenPGP context.

[PIV ("Personal Identity Verification", also known as FIPS 201)](https://en.wikipedia.org/wiki/FIPS_201) is a United States federal government standard for cryptographic smart cards.

PIV devices are widely available, and it is possible to use them to perform cryptographic operations in OpenPGP contexts.

## Supported algorithms

The PIV standard specifies RSA 2048, NIST P-256 and NIST P-384 as its asymmetric algorithms. Other asymmetric algorithms are not part of the official standard.

Some devices implement additional cryptographic mechanisms. However, these are currently proprietary extensions.

## YubiKey 4/5

The widely available YubiKey 4 and 5 devices support multiple protocols. Among those is PIV.

The PIV application on YubiKey devices is independent of the OpenPGP card application that the devices also offer (that is, the two applications are separate, and can contain different key material).

One feature of the YubiKey PIV application is that, beyond the standard PIV slots, it offers 20 additional slots for "retired" key management (decryption) keys.

### PIV vs. PKCS #11 with YubiKey 4/5

It's possible to access the PIV application on the YubiKey 4/5 via two different interfaces:

- directly using the PIV protocol, or
- via a PKCS #11 driver module (using the [`ykcs11`](https://developers.yubico.com/yubico-piv-tool/YKCS11/) library).
Both interfaces operate on the same key material, so in that sense the two are interchangeable: a key generated or imported through one can be used through the other.

## Software PIV implementations

These implementations are:

### PivApplet

https://github.com/arekinath/PivApplet

### Canokey

The Canokey secure key can be run on the host computer as a simulator:

https://github.com/canokeys/canokey-core/

### OpenFIPS201

https://github.com/makinako/OpenFIPS201

https://github.com/makinako/OpenFIPS201-jc22

## Virtual PIV devices for CI testing

A [companion project](https://gitlab.com/hkos/virtual-piv/) offers containerized software PIV implementations, for CI testing.

## PIV specification

https://csrc.nist.gov/Projects/piv/piv-standards-and-supporting-documentation
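The specification linked above defines the command-level protocol that any client talking PIV directly (the first of the two YubiKey interfaces described earlier) has to speak. As an added example, and not code from the openpgp-piv-sequoia crate, the Rust below encodes the GENERAL AUTHENTICATE command with which a PIV card signs or decrypts using the key in a slot, including the YubiKey's retired key management slots, and parses the card's reply. The enum and function names are this example's own; the algorithm identifiers, key references and TLV layout are those of NIST SP 800-78-4 and SP 800-73-4 Part 2. Card transport is omitted, and the digest in `main` is a constructed placeholder.

```rust
// Added example, not openpgp-piv-sequoia code: encode the PIV GENERAL
// AUTHENTICATE command (NIST SP 800-73-4 Part 2, INS 0x87) that asks a card to
// sign/decrypt with the key in a slot, and parse the reply. Card transport
// (PC/SC etc.) is out of scope; these functions only produce and consume bytes.

/// PIV algorithm identifiers (NIST SP 800-78-4, Table 6-2).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum PivAlgorithm { Rsa2048 = 0x07, EccP256 = 0x11, EccP384 = 0x14 }

/// PIV key references ("slots"). `Retired(n)`, n in 1..=20, is one of the
/// retired key management references 0x82..=0x95 (the YubiKey's extra slots).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum PivSlot { Authentication, Signature, KeyManagement, CardAuthentication, Retired(u8) }

impl PivSlot {
    /// P2 byte of GENERAL AUTHENTICATE; None for an out-of-range retired index.
    pub fn key_reference(self) -> Option<u8> {
        match self {
            PivSlot::Authentication => Some(0x9A),
            PivSlot::Signature => Some(0x9C),
            PivSlot::KeyManagement => Some(0x9D),
            PivSlot::CardAuthentication => Some(0x9E),
            PivSlot::Retired(n) if (1..=20).contains(&n) => Some(0x81 + n),
            PivSlot::Retired(_) => None,
        }
    }
}

/// BER-TLV length: one byte below 0x80, else an 0x81 or 0x82 prefix.
fn push_len(out: &mut Vec<u8>, len: usize) {
    if len < 0x80 {
        out.push(len as u8);
    } else if len <= 0xFF {
        out.extend_from_slice(&[0x81, len as u8]);
    } else {
        out.extend_from_slice(&[0x82, (len >> 8) as u8, len as u8]);
    }
}

/// Decode a BER-TLV length; returns (length, bytes the length field occupied).
fn read_len(buf: &[u8]) -> Option<(usize, usize)> {
    match *buf.first()? {
        n @ 0x00..=0x7F => Some((n as usize, 1)),
        0x81 => Some((*buf.get(1)? as usize, 2)),
        0x82 => Some((((*buf.get(1)? as usize) << 8) | (*buf.get(2)? as usize), 3)),
        _ => None,
    }
}

/// APDU(s) for one GENERAL AUTHENTICATE. `input` is used by the card as-is:
/// the digest for ECDSA, or the already-padded block / ciphertext for RSA.
/// Payloads over 255 bytes (every RSA-2048 call) are split with ISO 7816-4
/// command chaining: CLA 0x10 on every APDU but the last.
pub fn general_authenticate_apdus(alg: PivAlgorithm, slot: PivSlot, input: &[u8]) -> Option<Vec<Vec<u8>>> {
    let p2 = slot.key_reference()?;
    // Dynamic Authentication Template (0x7C): an empty 0x82 "response" element
    // asks the card to compute it; 0x81 carries the challenge.
    let mut inner = vec![0x82, 0x00, 0x81];
    push_len(&mut inner, input.len());
    inner.extend_from_slice(input);
    let mut data = vec![0x7C];
    push_len(&mut data, inner.len());
    data.extend_from_slice(&inner);

    let n = (data.len() + 254) / 255;
    let mut apdus = Vec::with_capacity(n);
    for (i, chunk) in data.chunks(255).enumerate() {
        let last = i + 1 == n;
        let mut apdu = vec![if last { 0x00 } else { 0x10 }, 0x87, alg as u8, p2, chunk.len() as u8];
        apdu.extend_from_slice(chunk);
        if last {
            apdu.push(0x00); // Le: expect a response
        }
        apdus.push(apdu);
    }
    Some(apdus)
}

/// Signature/plaintext from the reply (status word already stripped):
/// 0x7C <len> 0x82 <len> <bytes>. None on any malformed or truncated reply.
pub fn parse_general_authenticate_response(resp: &[u8]) -> Option<Vec<u8>> {
    if *resp.first()? != 0x7C { return None; }
    let (outer_len, hdr) = read_len(&resp[1..])?;
    let outer = resp.get(1 + hdr..1 + hdr + outer_len)?;
    if *outer.first()? != 0x82 { return None; }
    let (val_len, hdr2) = read_len(&outer[1..])?;
    Some(outer.get(1 + hdr2..1 + hdr2 + val_len)?.to_vec())
}

fn main() {
    // Constructed input: a placeholder 32-byte digest, signed by retired slot 1 (0x82).
    let digest = [0xAB_u8; 32];
    let apdus = general_authenticate_apdus(PivAlgorithm::EccP256, PivSlot::Retired(1), &digest).unwrap();
    for apdu in &apdus {
        println!("{}", apdu.iter().map(|b| format!("{b:02X}")).collect::<Vec<_>>().join(" "));
    }
}
```

The card signs exactly what it is handed: for ECDSA the caller passes the digest, for RSA the caller must first build the PKCS #1 padded block (or the ciphertext to decrypt), which is why RSA-2048 inputs are 256 bytes and always need command chaining. A transport layer would additionally have to handle the `61 xx` status word by issuing GET RESPONSE until the whole reply is in hand before calling the parser.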