Joost van Dijk joostd

  • Utrecht, the Netherlands
@joostd
joostd / ykcs11_generate_rsa.c
Last active November 13, 2024 21:28
Generate an RSA key in slot 9a of a YubiKey using YKCS11
#include <assert.h>
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pkcs11y.h>
/*
* Generate an RSA key in slot 9a of a YubiKey
@joostd
joostd / get-rsa-wrapped-key.sh
Last active September 3, 2024 18:35
Wrap and Unwrap keys using RSA_AES_KEY_WRAP_SHA256 with YubiHSM and OpenSSL
# generate and wrap target key on YubiHSM (firmware 2.4), unwrap using OpenSSL 3.3.1.
# Wrapping Algorithm = RSA_AES_KEY_WRAP_SHA256 (OAEP Padding - SHA256 digest + 256 bit AES-KWP)
HSM=yhusb://
TARGET_KEYID=0x1234
WRAP_KEYID=0xabcd
yubihsm="./yubihsm-shell -C $HSM -p password"
# generate target key
$yubihsm --action generate-asymmetric-key --object-id $TARGET_KEYID --domain 1 --capabilities exportable-under-wrap -A ecp256
@joostd
joostd / openssl-pkcs11-provider.md
Last active July 18, 2024 13:45
An example setup using OpenSSL v3.x with a PKCS#11 engine using a YubiHSM

YubiHSM with OpenSSL v3 and pkcs11-provider

OpenSSL v1.x uses the engine API to support HSMs. The OpenSC project provides a PKCS#11 engine, suitable for HSMs that provide a PKCS#11 module. OpenSSL v1 is, however, deprecated, and in OpenSSL v3 the engine concept is replaced with that of a provider.

Instead of using OpenSC's PKCS#11 engine, you can use pkcs11-provider with OpenSSL v3.x.

@joostd
joostd / recoverRSA.py
Last active September 6, 2024 10:04
Recover RSA key from modulus and private exponent
# recover RSA private key file using public key (n,e) and private exponent d
# python recover.py | openssl asn1parse -genconf - -out key.der
from math import gcd
# example Private-Key (512 bit, 2 primes)
modulus=0x00bacb716af4a701ea525c1fc45c7798598a966432a44a347d53054c691bd5a7c60fe717b5f55de46ea8afd1525a4b08b098b7eb0f51d58daf690ae85fcb9254b9
publicExponent=0x10001
privateExponent=0x217051f9679a8e09387d2d62a57af356f42c3ffba0d577d80788a74919a681c5f02b3e8422e79737fd9aff15046a91509788023aad60c39492ceddb301f0bcd1
@joostd
joostd / Makefile
Created February 9, 2024 12:58
Use the FIDO hmac-secret extension to generate a secret
# DEMO for hmac-secret - generate a static secret based on a FIDO credential and a salt
# Uses libfido2 tools: https://github.com/Yubico/libfido2
HID="$(shell fido2-token -L | head -1 | cut -d: -f1-2)"
all: secret
cred.in:
# challenge:
cat /dev/urandom | head -c32 | base64 > cred.in
@joostd
joostd / build-libsk-libfido2.sh
Last active February 11, 2024 13:35
build libsk-libfido2 for use with Apple's build of OpenSSH on MacOS
# See https://gist.github.com/thelastlin/c45b96cf460919e39ab5807b6d20ac2a
set -e
# get source
if [[ ! -d openssh-portable ]] ; then
  git clone https://github.com/openssh/openssh-portable.git
fi
cd openssh-portable
@joostd
joostd / ssh-sk-attest.py
Last active April 23, 2024 07:34
Verify an OpenSSH key attestation to cryptographically prove that a given key is hardware-backed.
#!/usr/bin/env python
# verify attestation information to cryptographically prove that a given key is hardware-backed.
# For instance:
#
# ./ssh-sk-attest.py --key id.pub --attestation attestation.bin --challenge challenge.bin --mds mds.jwt
# To generate an SSH pubkey, a challenge, and an attestation:
# openssl rand 128 > challenge.bin
# ssh-keygen -t ${KEYTYPE} -f ./id -N "" -O challenge=challenge.bin -O write-attestation=attestation.bin
@joostd
joostd / validate_otp.py
Last active June 3, 2024 12:14
Validate a YubiOTP value
#!/usr/bin/env python
# validate Yubico OTP
# To get your API key:
# https://upgrade.yubico.com/getapikey/
from sys import exit, stderr
from argparse import ArgumentParser
from requests import get
@joostd
joostd / attestation.b64
Created January 17, 2024 14:36
Attestation data for my demo github signing key
@joostd
joostd / yubikey-sign-jwt.sh
Created December 19, 2023 11:26
Sign a JWT using a key generated on a YubiKey
#!/bin/bash
# step 1 - generate a new key pair on a YubiKey
yubico-piv-tool -a generate -s 9c -A ECCP256 -o pub.pem
# step 2 - generate data to be signed
jo iss=issuer aud=audience > payload.json
jo alg=ES256 typ=JWT > header.json