Using an Ubuntu VM, with the YubiHSM connector running on the SSH client and its port forwarded to the VM over SSH (remote forward, `-R`):
$ ssh -i key.pem ubuntu@jammy -R 12345:localhost:12345
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-1031-aws x86_64)
...
| # LargeBlog demo: storing an SSH certificate on a FIDO security key | |
| HID="$(shell fido2-token -L | head -1 | cut -d: -f1-2)" | |
| # uses the first key listed | |
| # note: this is probably specific to an M1 mac | |
| # check if largeBlobs are supported on your key | |
| # Use for instance a YubiKey with 5.5+ firmware | |
| check: | |
| fido2-token -I ${HID} | grep largeBlobs |
| <script> | |
| let abortController; | |
| function start() { | |
| abortController = new AbortController(); | |
| // setTimeout(() => abortController.abort(), 5000); // automatically abort after 5 seconds | |
| abortController.signal.addEventListener( 'abort', () => { | |
| if(abortController.signal.aborted) console.log("event: signal aborted"); | |
| }); |
| # install dependencies: | |
| # brew install step jq | |
| .PHONY: all | |
| all: aaguid.tsv | |
| cat aaguid.tsv | sort -k2 | |
| md.jwt: | |
| curl -Ls https://mds3.fidoalliance.org/ --output md.jwt |
| <!DOCTYPE html> | |
| <html> | |
| <head> | |
| <meta name="viewport" content="width=device-width, initial-scale=1.0"> | |
| <style> | |
| .button { | |
| color: white; | |
| background-color: teal; | |
| padding: 15px 15px; | |
| margin: 4px 2px; |
| import sys | |
| from cryptography import x509 | |
| from cryptography.hazmat.backends import default_backend | |
| from cryptography.hazmat.primitives.asymmetric import padding | |
| def verify_signature(parent, child): | |
| parent.public_key().verify( | |
| child.signature, | |
| child.tbs_certificate_bytes, | |
| padding.PKCS1v15(), |
| #!/bin/bash | |
| # use a key and certificate stored on a smartcard to access a website that requires TLS client authentication from the command line on macos | |
| # | |
| # uses curl compiled against openssl with engine support | |
| # a pkcs11 engine is used together with a generic pkcs11 module for smartcards to interface with the smartcard | |
| # INSTALL | |
| echo installing required software... |
| #!/usr/bin/env python3 | |
| # NOTE: | |
| # requires cryptography (pip install cryptography) | |
| from cryptography import x509 | |
| from cryptography.hazmat.backends import default_backend | |
| import sys | |
| # NOTE: uses PEP 634: Structural Pattern Matching |
| #!/usr/bin/env python3 | |
| # Show attributes for a YubiKey PIV attestation certificate | |
| # | |
| # Use ykman to generate a PIV attestation certificate for a slot (for instance 9a): | |
| # ykman piv keys attest 9a attestation.pem | |
| # | |
| # To show the attributes in the generated attestation certificate: | |
| # ykman script ./check_yubikey_attestation.py attestation.pem |
| # Run with a single argument: a /dev/hidrawX path. | |
| # If you don't have udev set up to allow access to U2F tokens, you may need to | |
| # chown the device to your user before running this script. | |
| # If you don't know which hidraw to use, try removing and reinserting your | |
| # token. Then the device with the most recent ctime is the one you want. | |
| # | |
| # Once running, press the token's button twice. The first press will trigger a | |
| # registration, the second an authentication. | |
| # | |
| # Python3 version of https://www.imperialviolet.org/binary/ctap1.py |