Merge pull request #81 from alexandrebrg/feat_yk_2025_certs

joemiller · web-flow · commit d84ec2c78722 · 2025-11-01T11:11:52.000-07:00
Use yubico 2025 Root CA
diff --git a/pkg/pgp/verify.go b/pkg/pgp/verify.go
@@ -72,6 +72,7 @@ func (v *verifier) verify(req VerificationRequest) (*Attestation, error) {
 
 	root := v.Root
 	if root == nil {
+		// Try verifying with the old root CA first
 		ca, err := yubicoCA()
 		if err != nil {
 			errs = append(errs, fmt.Errorf("parsing YubiCo Root CA: %v", err))
@@ -82,9 +83,24 @@ func (v *verifier) verify(req VerificationRequest) (*Attestation, error) {
 
 	// Verify signatures:
 	// The Attestation Signer Cert from the yubikey must be signed by YubiCo's attestation root
-	if err := verifySignature(root, req.AttestSignerCert); err != nil {
-		errs = append(errs, fmt.Errorf("attestation signer certificate is not signed by the YubiCo OpenPGP Root CA: %v", err))
+	// Try old root first, then new root with intermediates
+	err := verifySignature(root, req.AttestSignerCert)
+	if err == nil {
+		// Old chain verification succeeded
+		goto verifyCert
 	}
+
+	// If old root fails, try the new certificate chain:
+	// Root -> Attestation Intermediate B 1 -> OPGP Attestation B 1 -> Device Signer
+	if err := v.tryNewCertChain(req.AttestSignerCert); err == nil {
+		// New chain verification succeeded
+		goto verifyCert
+	}
+
+	// Both chains failed
+	errs = append(errs, fmt.Errorf("attestation signer certificate is not signed by the YubiCo OpenPGP Root CA: %v", err))
+
+verifyCert:
 	// The Attestation Cert must be signed by the Attestation Signer Cert
 	if err := verifySignature(req.AttestSignerCert, req.AttestCert); err != nil {
 		errs = append(errs, fmt.Errorf("attestation certificate not signed by device's attestation signer key: %v", err))
@@ -161,7 +177,41 @@ func verifySignature(parent, c *x509.Certificate) error {
 	return parent.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature)
 }
 
-// yubicoPGPCAPEM is the PEM encoded attestation certificate used by Yubico for OpenPGP keys.
+// tryNewCertChain attempts to verify the attestation signer cert using the new (2024+) certificate chain.
+// Returns nil if verification succeeds, error otherwise.
+func (v *verifier) tryNewCertChain(signerCert *x509.Certificate) error {
+	// Load all certificates in the new chain
+	newRoot, err := yubicoNewRootCA()
+	if err != nil {
+		return err
+	}
+
+	attestInt, err := yubicoAttestationIntermediateB()
+	if err != nil {
+		return err
+	}
+
+	opgpInt, err := yubicoOPGPIntermediate()
+	if err != nil {
+		return err
+	}
+
+	// Verify: new root -> attestation intermediate B
+	if err := verifySignature(newRoot, attestInt); err != nil {
+		return err
+	}
+
+	// Verify: attestation intermediate B -> OPGP intermediate
+	if err := verifySignature(attestInt, opgpInt); err != nil {
+		return err
+	}
+
+	// Verify: OPGP intermediate -> attestation signer cert
+	return verifySignature(opgpInt, signerCert)
+}
+
+// yubicoPGPCAPEM is the legacy PEM encoded attestation certificate used by Yubico for OpenPGP keys.
+// This is the original root CA used by older YubiKeys (pre-2024).
 //
 // https://developers.yubico.com/PGP/Attestation.html
 // https://github.com/Yubico/developers.yubico.com/blob/master/content/PGP/Attestation.adoc
@@ -187,10 +237,110 @@ HhK6CLTg2MfwT0NxS3Am76k2opXSqbk8k5nnNFSYFuvgxunQxUOB+3M+gWHmVTh8
 7yaamyNndwmhhIAgeA==
 -----END CERTIFICATE-----`
 
+// yubicoNewRootCAPEM is the new Yubico Attestation Root 1 issued on 2024-12-01.
+// Newer YubiKeys (2024+) use a new certificate chain with this root.
+//
+// https://developers.yubico.com/PKI/yubico-ca-1.pem
+const yubicoNewRootCAPEM = `-----BEGIN CERTIFICATE-----
+MIIDPjCCAiagAwIBAgIUXzeiEDJEOTt14F5n0o6Zf/bBwiUwDQYJKoZIhvcNAQEN
+BQAwJDEiMCAGA1UEAwwZWXViaWNvIEF0dGVzdGF0aW9uIFJvb3QgMTAgFw0yNDEy
+MDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowJDEiMCAGA1UEAwwZWXViaWNvIEF0
+dGVzdGF0aW9uIFJvb3QgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AMZ6/TxM8rIT+EaoPvG81ontMOo/2mQ2RBwJHS0QZcxVaNXvl12LUhBZ5LmiBScI
+Zd1Rnx1od585h+/dhK7hEm7JAALkKKts1fO53KGNLZujz5h3wGncr4hyKF0G74b/
+U3K9hE5mGND6zqYchCRAHfrYMYRDF4YL0X4D5nGdxvppAy6nkEmtWmMnwO3i0TAu
+csrbE485HvGM4r0VpgVdJpvgQjiTJCTIq+D35hwtT8QDIv+nGvpcyi5wcIfCkzyC
+imJukhYy6KoqNMKQEdpNiSOvWyDMTMt1bwCvEzpw91u+msUt4rj0efnO9s0ZOwdw
+MRDnH4xgUl5ZLwrrPkfC1/0CAwEAAaNmMGQwHQYDVR0OBBYEFNLu71oijTptXCOX
+PfKF1SbxJXuSMB8GA1UdIwQYMBaAFNLu71oijTptXCOXPfKF1SbxJXuSMBIGA1Ud
+EwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBDQUAA4IB
+AQC3IW/sgB9pZ8apJNjxuGoX+FkILks0wMNrdXL/coUvsrhzsvl6mePMrbGJByJ1
+XnquB5sgcRENFxdQFma3mio8Upf1owM1ZreXrJ0mADG2BplqbJnxiyYa+R11reIF
+TWeIhMNcZKsDZrFAyPuFjCWSQvJmNWe9mFRYFgNhXJKkXIb5H1XgEDlwiedYRM7V
+olBNlld6pRFKlX8ust6OTMOeADl2xNF0m1LThSdeuXvDyC1g9+ILfz3S6OIYgc3i
+roRcFD354g7rKfu67qFAw9gC4yi0xBTPrY95rh4/HqaUYCA/L8ldRk6H7Xk35D+W
+Vpmq2Sh/xT5HiFuhf4wJb0bK
+-----END CERTIFICATE-----`
+
+// yubicoAttestationIntermediateBPEM is the middle intermediate in the new cert chain.
+// Chain: Root -> Attestation Intermediate B 1 -> OPGP Attestation B 1 -> Device Signer
+//
+// https://developers.yubico.com/PKI/yubico-intermediate.pem
+const yubicoAttestationIntermediateBPEM = `-----BEGIN CERTIFICATE-----
+MIIDSDCCAjCgAwIBAgIUDqERw+4RnGSggxgUewJFEPDRZ3YwDQYJKoZIhvcNAQEL
+BQAwJDEiMCAGA1UEAwwZWXViaWNvIEF0dGVzdGF0aW9uIFJvb3QgMTAgFw0yNDEy
+MDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowLjEsMCoGA1UEAwwjWXViaWNvIEF0
+dGVzdGF0aW9uIEludGVybWVkaWF0ZSBCIDEwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDI7XnH+ZvDwMCQU8M8ZeV5qscublvVYaaRt3Ybaxn9godLx5sw
+H0lXrdgjh5h7FpVgCgYYX7E4bl1vbzULemrMWT8N3WMGUe8QAJbBeioV7W/E+hTZ
+P/0SKJVa3ewKBo6ULeMnfQZDrVORAk8wTLq2v5Llj5vMj7JtOotKa9J7nHS8kLmz
+XXSaj0SwEPh5OAZUTNV4zs1bvoTAQQWrL4/J9QuKt6WCFE5nUNiRQcEbVF8mlqK2
+bx2z6okVltyDVLCxYbpUTELvY1usR3DTGPUoIClOm4crpwnDRLVHvjYePGBB//pE
+yzxA/gcScxjwaH1ZUw9bnSbHyurKqbTa1KvjAgMBAAGjZjBkMB0GA1UdDgQWBBTq
+t0KQngx7ZHrbVHwDunxOn9ihYTAfBgNVHSMEGDAWgBTS7u9aIo06bVwjlz3yhdUm
+8SV7kjASBgNVHRMBAf8ECDAGAQH/AgECMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG
+9w0BAQsFAAOCAQEAqQaCWMxTGqVVX7Sk7kkJmUueTSYKuU6+KBBSgwIRnlw9K7He
+1IpxZ0hdwpPNikKjmcyFgFPzhImwHJgxxuT90Pw3vYOdcJJNktDg35PXOfzSn15c
+FAx1RO0mPTmIb8dXiEWOpzoXvdwXDM41ZaCDYMT7w4IQtMyvE7xUBZq2bjtAnq/N
+DUA7be4H8H3ipC+/+NKlUrcUh+j48K67WI0u1m6FeQueBA7n06j825rqDqsaLs9T
+b7KAHAw8PmrWaNPG2kjKerxPEfecivlFawp2RWZvxrVtn3TV2SBxyCJCkXsND05d
+CErVHSJIs+BdtTVNY9AwtyPmnyb0v4mSTzvWdw==
+-----END CERTIFICATE-----`
+
+// yubicoOPGPIntermediatePEM contains the intermediate certificate used in the new cert chain.
+// This intermediate is signed by Yubico Attestation Intermediate B 1 which is signed by
+// Yubico Attestation Root 1, and signs the device attestation signers.
+//
+// https://developers.yubico.com/PKI/yubico-intermediate.pem
+const yubicoOPGPIntermediatePEM = `-----BEGIN CERTIFICATE-----
+MIIDSjCCAjKgAwIBAgIUbeEhxjsv7XjQwdAQIi5G5i+4qhIwDQYJKoZIhvcNAQEL
+BQAwLjEsMCoGA1UEAwwjWXViaWNvIEF0dGVzdGF0aW9uIEludGVybWVkaWF0ZSBC
+IDEwIBcNMjQxMjAxMDAwMDAwWhgPOTk5OTEyMzEyMzU5NTlaMCYxJDAiBgNVBAMM
+G1l1YmljbyBPUEdQIEF0dGVzdGF0aW9uIEIgMTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAMe9oJ6kuLQOlnUoyWzDaum4m23s3cR5jn0gVQSV6VPsQP8Q
+d7wYiW/GiDUPAT4N/NqKdhcqX/5hazrbsKA+gCDU1E+zWunl0J0Fo5B0OCXQfxtA
+0LhFHORvpJ1yz7HsRgEYScO7/rO2ip0bPbaKy4MG4UhyzKgzwmujOO7nmf6BcMil
+8ZZRJbQOuEWsignM5EKuCrymyK3+R9Y+8NGjh/zb14Not9+JvwDgUYnHW+hip9si
+UOzC2X8QYA/yBUCqTYGUePfC4ZOB0ZSi/HYtxhSnOTcDY6C+AcFnOCvCKD8t4Rdd
+z6dFJINQgsATnfHycB22cUamIB9hBb9xXZYg36sCAwEAAaNmMGQwHQYDVR0OBBYE
+FI1QCVLy1KcdxIkdZMMkn+wzyN0XMB8GA1UdIwQYMBaAFOq3QpCeDHtkettUfAO6
+fE6f2KFhMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/BAQDAgGGMA0GCSqG
+SIb3DQEBCwUAA4IBAQCRtalpNipOThRLO8o0/4WVLIjlC8yiPBLsVMuXHuXhTdhW
+ubRUSazhHr7tTRShPJ/OeWiiap9aZtZe7FUgTIOdaR0oI4Tp5Cu4TUJTLQEUqtA9
+HSU6bP485aRJi26hDD+h2AYplmEeVNEWj8PUIAp3N8mKMMqIkjB7d0QN14fze/Nb
+REzHU6SVvuJo11jfHpJTfpbpCqvcVl8bMPUbdtOvqc1ibkj7O7OmTDACqTT1f3yQ
+Zj0PbreP1qN9jv7kDAxT9O2yVSgXNXbz/Ygl121TkGWjXRQ8B3PW2Z3+n7B8ETAd
+8fJ0/5guPgvO2VQHQv8H9U3tsqSq/siosMJ8KtS5
+-----END CERTIFICATE-----`
+
 func yubicoCA() (*x509.Certificate, error) {
 	b, _ := pem.Decode([]byte(yubicoPGPCAPEM))
 	if b == nil {
 		return nil, fmt.Errorf("failed to decode yubico pem data")
 	}
 	return x509.ParseCertificate(b.Bytes)
 }
+
+func yubicoNewRootCA() (*x509.Certificate, error) {
+	b, _ := pem.Decode([]byte(yubicoNewRootCAPEM))
+	if b == nil {
+		return nil, fmt.Errorf("failed to decode new yubico root CA pem data")
+	}
+	return x509.ParseCertificate(b.Bytes)
+}
+
+func yubicoAttestationIntermediateB() (*x509.Certificate, error) {
+	b, _ := pem.Decode([]byte(yubicoAttestationIntermediateBPEM))
+	if b == nil {
+		return nil, fmt.Errorf("failed to decode yubico attestation intermediate B pem data")
+	}
+	return x509.ParseCertificate(b.Bytes)
+}
+
+func yubicoOPGPIntermediate() (*x509.Certificate, error) {
+	b, _ := pem.Decode([]byte(yubicoOPGPIntermediatePEM))
+	if b == nil {
+		return nil, fmt.Errorf("failed to decode yubico OPGP intermediate pem data")
+	}
+	return x509.ParseCertificate(b.Bytes)
+}
diff --git a/pkg/piv/verify.go b/pkg/piv/verify.go
@@ -101,9 +101,24 @@ func (v *verifier) verify(req VerificationRequest) (*Attestation, error) {
 
 	// Verify signatures:
 	// The Attestation Signer Cert from the yubikey must be signed by YubiCo's attestation root
-	if err := verifySignature(root, req.AttestSignerCert); err != nil {
-		errs = append(errs, fmt.Errorf("attestation signer certificate is not signed by YubiCo PIV Root CA: %v", err))
+	// Try old root first, then new root with intermediates
+	err := verifySignature(root, req.AttestSignerCert)
+	if err == nil {
+		// Old chain verification succeeded
+		goto verifyCert
 	}
+
+	// If old root fails, try the new certificate chain:
+	// Root -> Attestation Intermediate B 1 -> PIV Attestation B 1 -> Device Signer
+	if err := v.tryNewCertChain(req.AttestSignerCert); err == nil {
+		// New chain verification succeeded
+		goto verifyCert
+	}
+
+	// Both chains failed
+	errs = append(errs, fmt.Errorf("attestation signer certificate is not signed by YubiCo PIV Root CA: %v", err))
+
+verifyCert:
 	// The Attestation Cert must be signed by the Attestation Signer Cert
 	if err := verifySignature(req.AttestSignerCert, req.AttestCert); err != nil {
 		errs = append(errs, fmt.Errorf("attestation certificate not signed by device's attestation signer key: %v", err))
@@ -167,7 +182,41 @@ func verifySignature(parent, c *x509.Certificate) error {
 	return parent.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature)
 }
 
-// yubicoPIVCAPEM is the PEM encoded attestation certificate used by Yubico for PIV keys.
+// tryNewCertChain attempts to verify the attestation signer cert using the new (2024+) certificate chain.
+// Returns nil if verification succeeds, error otherwise.
+func (v *verifier) tryNewCertChain(signerCert *x509.Certificate) error {
+	// Load all certificates in the new chain
+	newRoot, err := yubicoNewRootCA()
+	if err != nil {
+		return err
+	}
+
+	attestInt, err := yubicoAttestationIntermediateB()
+	if err != nil {
+		return err
+	}
+
+	pivInt, err := yubicoPIVIntermediate()
+	if err != nil {
+		return err
+	}
+
+	// Verify: new root -> attestation intermediate B
+	if err := verifySignature(newRoot, attestInt); err != nil {
+		return err
+	}
+
+	// Verify: attestation intermediate B -> PIV intermediate
+	if err := verifySignature(attestInt, pivInt); err != nil {
+		return err
+	}
+
+	// Verify: PIV intermediate -> attestation signer cert
+	return verifySignature(pivInt, signerCert)
+}
+
+// yubicoPIVCAPEM is the legacy PEM encoded attestation certificate used by Yubico for PIV keys.
+// This is the original root CA used by older YubiKeys (pre-2024).
 //
 // https://developers.yubico.com/PIV/Introduction/PIV_attestation.html
 // https://developers.yubico.com/PIV/Introduction/piv-attestation-ca.pem
@@ -191,10 +240,110 @@ Fqyi4+JE014cSgR57Jcu3dZiehB6UtAPgad9L5cNvua/IWRmm+ANy3O2LH++Pyl8
 SREzU8onbBsjMg9QDiSf5oJLKvd/Ren+zGY7
 -----END CERTIFICATE-----`
 
+// yubicoNewRootCAPEM is the new Yubico Attestation Root 1 issued on 2024-12-01.
+// Newer YubiKeys (2024+) use a new certificate chain with this root.
+//
+// https://developers.yubico.com/PKI/yubico-ca-1.pem
+const yubicoNewRootCAPEM = `-----BEGIN CERTIFICATE-----
+MIIDPjCCAiagAwIBAgIUXzeiEDJEOTt14F5n0o6Zf/bBwiUwDQYJKoZIhvcNAQEN
+BQAwJDEiMCAGA1UEAwwZWXViaWNvIEF0dGVzdGF0aW9uIFJvb3QgMTAgFw0yNDEy
+MDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowJDEiMCAGA1UEAwwZWXViaWNvIEF0
+dGVzdGF0aW9uIFJvb3QgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AMZ6/TxM8rIT+EaoPvG81ontMOo/2mQ2RBwJHS0QZcxVaNXvl12LUhBZ5LmiBScI
+Zd1Rnx1od585h+/dhK7hEm7JAALkKKts1fO53KGNLZujz5h3wGncr4hyKF0G74b/
+U3K9hE5mGND6zqYchCRAHfrYMYRDF4YL0X4D5nGdxvppAy6nkEmtWmMnwO3i0TAu
+csrbE485HvGM4r0VpgVdJpvgQjiTJCTIq+D35hwtT8QDIv+nGvpcyi5wcIfCkzyC
+imJukhYy6KoqNMKQEdpNiSOvWyDMTMt1bwCvEzpw91u+msUt4rj0efnO9s0ZOwdw
+MRDnH4xgUl5ZLwrrPkfC1/0CAwEAAaNmMGQwHQYDVR0OBBYEFNLu71oijTptXCOX
+PfKF1SbxJXuSMB8GA1UdIwQYMBaAFNLu71oijTptXCOXPfKF1SbxJXuSMBIGA1Ud
+EwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBDQUAA4IB
+AQC3IW/sgB9pZ8apJNjxuGoX+FkILks0wMNrdXL/coUvsrhzsvl6mePMrbGJByJ1
+XnquB5sgcRENFxdQFma3mio8Upf1owM1ZreXrJ0mADG2BplqbJnxiyYa+R11reIF
+TWeIhMNcZKsDZrFAyPuFjCWSQvJmNWe9mFRYFgNhXJKkXIb5H1XgEDlwiedYRM7V
+olBNlld6pRFKlX8ust6OTMOeADl2xNF0m1LThSdeuXvDyC1g9+ILfz3S6OIYgc3i
+roRcFD354g7rKfu67qFAw9gC4yi0xBTPrY95rh4/HqaUYCA/L8ldRk6H7Xk35D+W
+Vpmq2Sh/xT5HiFuhf4wJb0bK
+-----END CERTIFICATE-----`
+
+// yubicoAttestationIntermediateBPEM is the middle intermediate in the new cert chain.
+// Chain: Root -> Attestation Intermediate B 1 -> PIV Attestation B 1 -> Device Signer
+//
+// https://developers.yubico.com/PKI/yubico-intermediate.pem
+const yubicoAttestationIntermediateBPEM = `-----BEGIN CERTIFICATE-----
+MIIDSDCCAjCgAwIBAgIUDqERw+4RnGSggxgUewJFEPDRZ3YwDQYJKoZIhvcNAQEL
+BQAwJDEiMCAGA1UEAwwZWXViaWNvIEF0dGVzdGF0aW9uIFJvb3QgMTAgFw0yNDEy
+MDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowLjEsMCoGA1UEAwwjWXViaWNvIEF0
+dGVzdGF0aW9uIEludGVybWVkaWF0ZSBCIDEwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDI7XnH+ZvDwMCQU8M8ZeV5qscublvVYaaRt3Ybaxn9godLx5sw
+H0lXrdgjh5h7FpVgCgYYX7E4bl1vbzULemrMWT8N3WMGUe8QAJbBeioV7W/E+hTZ
+P/0SKJVa3ewKBo6ULeMnfQZDrVORAk8wTLq2v5Llj5vMj7JtOotKa9J7nHS8kLmz
+XXSaj0SwEPh5OAZUTNV4zs1bvoTAQQWrL4/J9QuKt6WCFE5nUNiRQcEbVF8mlqK2
+bx2z6okVltyDVLCxYbpUTELvY1usR3DTGPUoIClOm4crpwnDRLVHvjYePGBB//pE
+yzxA/gcScxjwaH1ZUw9bnSbHyurKqbTa1KvjAgMBAAGjZjBkMB0GA1UdDgQWBBTq
+t0KQngx7ZHrbVHwDunxOn9ihYTAfBgNVHSMEGDAWgBTS7u9aIo06bVwjlz3yhdUm
+8SV7kjASBgNVHRMBAf8ECDAGAQH/AgECMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG
+9w0BAQsFAAOCAQEAqQaCWMxTGqVVX7Sk7kkJmUueTSYKuU6+KBBSgwIRnlw9K7He
+1IpxZ0hdwpPNikKjmcyFgFPzhImwHJgxxuT90Pw3vYOdcJJNktDg35PXOfzSn15c
+FAx1RO0mPTmIb8dXiEWOpzoXvdwXDM41ZaCDYMT7w4IQtMyvE7xUBZq2bjtAnq/N
+DUA7be4H8H3ipC+/+NKlUrcUh+j48K67WI0u1m6FeQueBA7n06j825rqDqsaLs9T
+b7KAHAw8PmrWaNPG2kjKerxPEfecivlFawp2RWZvxrVtn3TV2SBxyCJCkXsND05d
+CErVHSJIs+BdtTVNY9AwtyPmnyb0v4mSTzvWdw==
+-----END CERTIFICATE-----`
+
+// yubicoPIVIntermediatePEM contains the PIV intermediate certificate used in the new cert chain.
+// This intermediate is signed by Yubico Attestation Intermediate B 1 which is signed by
+// Yubico Attestation Root 1, and signs the device attestation signers.
+//
+// https://developers.yubico.com/PKI/yubico-intermediate.pem
+const yubicoPIVIntermediatePEM = `-----BEGIN CERTIFICATE-----
+MIIDSTCCAjGgAwIBAgIUWVf2oJG+t1qP8t8TicWgJ2KYan4wDQYJKoZIhvcNAQEL
+BQAwLjEsMCoGA1UEAwwjWXViaWNvIEF0dGVzdGF0aW9uIEludGVybWVkaWF0ZSBC
+IDEwIBcNMjQxMjAxMDAwMDAwWhgPOTk5OTEyMzEyMzU5NTlaMCUxIzAhBgNVBAMM
+Gll1YmljbyBQSVYgQXR0ZXN0YXRpb24gQiAxMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAv7WBL9/5AKxSpCMoL63183WqRtFrOHY7tdyuGtoidoYWQrxV
+aV9S+ZwH0aynh0IzD5A/PvCtuxdtL5w2cAI3tgsborOlEert4IZ904CZQfq3ooar
+1an/wssbtMpPOQkC3MQiqrUyHlFS2BTbuwbBXY66lSVX/tGRuUgnBdfBJtcQKS6M
+O4bU5ndPQqhGPyzcyY1LvlfzK7KJ1r/bixCRFqjhJRnPs0Czpg6rkRrFgC6cd5bK
+1UgTsJy+3wrIqkv4CeV3EhSVnhnQjZgIrdIcI5WZ8T1Oq3OhMlWmY0K0dy/oZdP/
+bpbG2qbyHLa6gprLT/qChQWLmffxn6D2DAB1zQIDAQABo2YwZDAdBgNVHQ4EFgQU
+M0Nt3QHo7eGzaKMZn2SmXT74vpcwHwYDVR0jBBgwFoAU6rdCkJ4Me2R621R8A7p8
+Tp/YoWEwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZI
+hvcNAQELBQADggEBAI0HwoS84fKMUyIof1LdUXvyeAMmEwW7+nVETvxNNlTMuwv7
+zPJ4XZAm9Fv95tz9CqZBj6l1PAPQn6Zht9LQA92OF7W7buuXuxuusBTgLM0C1iX2
+CGXqY/k/uSNvi3ZYfrpd44TIrfrr8bCG9ux7B5ZCRqb8adDUm92Yz3lK1aX2M6Cw
+jC9IZVTXQWhLyP8Ys3p7rb20CO2jJzV94deJ/+AsEb+bnCQImPat1GDKwrBosar+
+BxtU7k6kgkxZ0G384O59GFXqnwkbw2b5HhORvOsX7nhOUhePFufzi1vT1g8Tzbwr
++TUfTwo2biKHHcI762KGtp8o6Bcv5y8WgExFuWY=
+-----END CERTIFICATE-----`
+
 func yubicoCA() (*x509.Certificate, error) {
 	b, _ := pem.Decode([]byte(yubicoPIVCAPEM))
 	if b == nil {
 		return nil, fmt.Errorf("failed to decode yubico pem data")
 	}
 	return x509.ParseCertificate(b.Bytes)
 }
+
+func yubicoNewRootCA() (*x509.Certificate, error) {
+	b, _ := pem.Decode([]byte(yubicoNewRootCAPEM))
+	if b == nil {
+		return nil, fmt.Errorf("failed to decode new yubico root CA pem data")
+	}
+	return x509.ParseCertificate(b.Bytes)
+}
+
+func yubicoAttestationIntermediateB() (*x509.Certificate, error) {
+	b, _ := pem.Decode([]byte(yubicoAttestationIntermediateBPEM))
+	if b == nil {
+		return nil, fmt.Errorf("failed to decode yubico attestation intermediate B pem data")
+	}
+	return x509.ParseCertificate(b.Bytes)
+}
+
+func yubicoPIVIntermediate() (*x509.Certificate, error) {
+	b, _ := pem.Decode([]byte(yubicoPIVIntermediatePEM))
+	if b == nil {
+		return nil, fmt.Errorf("failed to decode yubico PIV intermediate pem data")
+	}
+	return x509.ParseCertificate(b.Bytes)
+}
