Merge pull request #831 from smallstep/mariano/yubico-intermediates

Support for YubiKey 5.7.4+

Author: maraino

kms/yubikey/yubikey.go

@@ -23,6 +23,7 @@ import (
 
 	"go.step.sm/crypto/kms/apiv1"
 	"go.step.sm/crypto/kms/uri"
+	"go.step.sm/crypto/pemutil"
 )
 
 // Scheme is the scheme used in uris, the string "yubikey".
@@ -32,6 +33,95 @@ const Scheme = string(apiv1.YubiKey)
 // https://developers.yubico.com/PIV/Introduction/PIV_attestation.html
 var oidYubicoSerialNumber = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 41482, 3, 7}
 
+// A1 Intermediate certificates used in YubiKeys 5.7.4+
+// https://developers.yubico.com/PKI/yubico-intermediate.pem
+// https://developers.yubico.com/PKI/yubico-ca-certs.txt
+const yubicoPIVAttestationA1 = `
+-----BEGIN CERTIFICATE-----
+MIIDSTCCAjGgAwIBAgIUSiefkiKiicP9B63XwO7fKqevCkQwDQYJKoZIhvcNAQEL
+BQAwLjEsMCoGA1UEAwwjWXViaWNvIEF0dGVzdGF0aW9uIEludGVybWVkaWF0ZSBB
+IDEwIBcNMjQxMjAxMDAwMDAwWhgPOTk5OTEyMzEyMzU5NTlaMCUxIzAhBgNVBAMM
+Gll1YmljbyBQSVYgQXR0ZXN0YXRpb24gQSAxMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAyGCyrZjNrdPfChdDe4JWd+4TMLr8nbugcKJz12egglWi7oy5
+L9GT99/if9i1OrONdpEt0YrCa+qMb+dJJ0WUa8M5zXYnUDpn72vhFjH+Anb9P9+v
++ZrRqaj/jnR/MYP7NpVpeLHiH2dRCe/PX/NH1XE41GvdUEncDtqUUGaXUea0DfDY
+McRDpPT2Qn5e8rn9FjzDA37SbOVuws5VlFTDzDdqR0FnqeWeIW0DFu17rzCqXcaB
+VRDnQLTc5EEPDTpiRrQE/Ag+7Wg9ieLrueos75YMQ1EIkfjL49OBVogU1A7kwRGv
+OnG8l7sYaY8LZ2b5FROe2hKqmsIy600qjn6b/QIDAQABo2YwZDAdBgNVHQ4EFgQU
+hAuLXXtpQVBkcsbqyFlj6LVAadgwHwYDVR0jBBgwFoAUIChQIRukWlvoU8udncXk
+/Gwveh8wEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZI
+hvcNAQELBQADggEBAFxL/2oFjxkLh2KVnFKdhy7Nf7MmEfYXDDFSx1rFDn445jHO
+UP5kxQPbZc9r53jdvL5W0SQBqBjqA95PYh0r1CPMFsFJdiFXli8Hf3NQ0bTkeFSN
+G3LsQCOKMb+o2WjYU3vHkRVjKgKGLxysxxKxGfMUcXdJ0qM6ZVeRHehC2zy7XuI6
+TQn7/V0ZHXjk7So7dUV55xQde094/3cCTnh9Q3j2aqMjkGx6tDboCsz/+W+tne7W
+nMHG92ZiAAmOkP2bABjan461Qty/qBXPHomkfjqNbjUTluPXiMLYKCXHIyKwdkX6
+cphouSMU3QOTsb35Y2PeWNk54xu+Eds/3nhRMso=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDSDCCAjCgAwIBAgIUUcmMXzRIFOgGTK0Tb3gEuZYZkBIwDQYJKoZIhvcNAQEL
+BQAwJDEiMCAGA1UEAwwZWXViaWNvIEF0dGVzdGF0aW9uIFJvb3QgMTAgFw0yNDEy
+MDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowLjEsMCoGA1UEAwwjWXViaWNvIEF0
+dGVzdGF0aW9uIEludGVybWVkaWF0ZSBBIDEwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDm555bWY9WW+tOY0rIWHldh+aNanoCZCFh7Gk3YZrQmPUw0hkS
+G6qYHQtP+fZyS33VErvg+BQqnmumgNhfxFrkwEZELeidBcC8C4Ag4nqqiPWpzsvI
+17NcxYlInLNLFcZY/+gOiN6ZOTihO5/vBZMbj9riaAcqliYmNGJPgTcMGaEAyMzE
+MNy2nm6Ep+pjP5aF6gi21t/UQFsuJ1j2Rj/ynM/SdRt+ecal5OYotxHkFbL9vvv2
+A2Ov5ITZClw4bOS9npypQimOZ5QAYytmYaQpWl/pMYz6zSj8RqkVDNEJGqNfTKA2
+ivLYwX6lSttMPapg0J84l9X0voVN/FpS4VCVAgMBAAGjZjBkMB0GA1UdDgQWBBQg
+KFAhG6RaW+hTy52dxeT8bC96HzAfBgNVHSMEGDAWgBTS7u9aIo06bVwjlz3yhdUm
+8SV7kjASBgNVHRMBAf8ECDAGAQH/AgECMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG
+9w0BAQsFAAOCAQEAYMzgLrJLIr0OovQnAZrRIGuabiHSUKSmbLRWpRkWeAtsChDE
+HpXcJ/bgDNKYWoHqQ8xRUjB4CyepYevc3YlrG8o7zHxpfVcaoL5SeuJkzHxKn4bT
+aSp9+Mvwamnp64kZMiNbFLknfP9kYKoRHkMWheRJ1UsP1z4ScmkCeILfsMs6vqov
+qjWClFsJpBcsluYHWF7bBJ1n4Rwg+ATEopY4IgGv6Zvwc+A9r+AT2hqpoSkYoAl+
+ANYwgslOf9sJe0V+TA9YY/UlaBmPPTd0//r9wvcePWZkPjKoAC/zUNhfDbh4LV8G
+Hs3lyX2XomL/LNc8JYzyIaDEhGQveoPhh/tr1g==
+-----END CERTIFICATE-----`
+
+// B1 Intermediate certificates used in YubiKeys 5.7.4+
+// https://developers.yubico.com/PKI/yubico-intermediate.pem
+// https://developers.yubico.com/PKI/yubico-ca-certs.txt
+const yubicoPIVAttestationB1 = `-----BEGIN CERTIFICATE-----
+MIIDSTCCAjGgAwIBAgIUWVf2oJG+t1qP8t8TicWgJ2KYan4wDQYJKoZIhvcNAQEL
+BQAwLjEsMCoGA1UEAwwjWXViaWNvIEF0dGVzdGF0aW9uIEludGVybWVkaWF0ZSBC
+IDEwIBcNMjQxMjAxMDAwMDAwWhgPOTk5OTEyMzEyMzU5NTlaMCUxIzAhBgNVBAMM
+Gll1YmljbyBQSVYgQXR0ZXN0YXRpb24gQiAxMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAv7WBL9/5AKxSpCMoL63183WqRtFrOHY7tdyuGtoidoYWQrxV
+aV9S+ZwH0aynh0IzD5A/PvCtuxdtL5w2cAI3tgsborOlEert4IZ904CZQfq3ooar
+1an/wssbtMpPOQkC3MQiqrUyHlFS2BTbuwbBXY66lSVX/tGRuUgnBdfBJtcQKS6M
+O4bU5ndPQqhGPyzcyY1LvlfzK7KJ1r/bixCRFqjhJRnPs0Czpg6rkRrFgC6cd5bK
+1UgTsJy+3wrIqkv4CeV3EhSVnhnQjZgIrdIcI5WZ8T1Oq3OhMlWmY0K0dy/oZdP/
+bpbG2qbyHLa6gprLT/qChQWLmffxn6D2DAB1zQIDAQABo2YwZDAdBgNVHQ4EFgQU
+M0Nt3QHo7eGzaKMZn2SmXT74vpcwHwYDVR0jBBgwFoAU6rdCkJ4Me2R621R8A7p8
+Tp/YoWEwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZI
+hvcNAQELBQADggEBAI0HwoS84fKMUyIof1LdUXvyeAMmEwW7+nVETvxNNlTMuwv7
+zPJ4XZAm9Fv95tz9CqZBj6l1PAPQn6Zht9LQA92OF7W7buuXuxuusBTgLM0C1iX2
+CGXqY/k/uSNvi3ZYfrpd44TIrfrr8bCG9ux7B5ZCRqb8adDUm92Yz3lK1aX2M6Cw
+jC9IZVTXQWhLyP8Ys3p7rb20CO2jJzV94deJ/+AsEb+bnCQImPat1GDKwrBosar+
+BxtU7k6kgkxZ0G384O59GFXqnwkbw2b5HhORvOsX7nhOUhePFufzi1vT1g8Tzbwr
++TUfTwo2biKHHcI762KGtp8o6Bcv5y8WgExFuWY=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDSDCCAjCgAwIBAgIUDqERw+4RnGSggxgUewJFEPDRZ3YwDQYJKoZIhvcNAQEL
+BQAwJDEiMCAGA1UEAwwZWXViaWNvIEF0dGVzdGF0aW9uIFJvb3QgMTAgFw0yNDEy
+MDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowLjEsMCoGA1UEAwwjWXViaWNvIEF0
+dGVzdGF0aW9uIEludGVybWVkaWF0ZSBCIDEwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDI7XnH+ZvDwMCQU8M8ZeV5qscublvVYaaRt3Ybaxn9godLx5sw
+H0lXrdgjh5h7FpVgCgYYX7E4bl1vbzULemrMWT8N3WMGUe8QAJbBeioV7W/E+hTZ
+P/0SKJVa3ewKBo6ULeMnfQZDrVORAk8wTLq2v5Llj5vMj7JtOotKa9J7nHS8kLmz
+XXSaj0SwEPh5OAZUTNV4zs1bvoTAQQWrL4/J9QuKt6WCFE5nUNiRQcEbVF8mlqK2
+bx2z6okVltyDVLCxYbpUTELvY1usR3DTGPUoIClOm4crpwnDRLVHvjYePGBB//pE
+yzxA/gcScxjwaH1ZUw9bnSbHyurKqbTa1KvjAgMBAAGjZjBkMB0GA1UdDgQWBBTq
+t0KQngx7ZHrbVHwDunxOn9ihYTAfBgNVHSMEGDAWgBTS7u9aIo06bVwjlz3yhdUm
+8SV7kjASBgNVHRMBAf8ECDAGAQH/AgECMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG
+9w0BAQsFAAOCAQEAqQaCWMxTGqVVX7Sk7kkJmUueTSYKuU6+KBBSgwIRnlw9K7He
+1IpxZ0hdwpPNikKjmcyFgFPzhImwHJgxxuT90Pw3vYOdcJJNktDg35PXOfzSn15c
+FAx1RO0mPTmIb8dXiEWOpzoXvdwXDM41ZaCDYMT7w4IQtMyvE7xUBZq2bjtAnq/N
+DUA7be4H8H3ipC+/+NKlUrcUh+j48K67WI0u1m6FeQueBA7n06j825rqDqsaLs9T
+b7KAHAw8PmrWaNPG2kjKerxPEfecivlFawp2RWZvxrVtn3TV2SBxyCJCkXsND05d
+CErVHSJIs+BdtTVNY9AwtyPmnyb0v4mSTzvWdw==
+-----END CERTIFICATE-----`
+
 // YubiKey implements the KMS interface on a YubiKey.
 type YubiKey struct {
 	yk            pivKey
@@ -364,9 +454,27 @@ func (k *YubiKey) CreateAttestation(req *apiv1.CreateAttestationRequest) (*apiv1
 		return nil, errors.Wrap(err, "error retrieving attestation certificate")
 	}
 
+	chain := []*x509.Certificate{cert, intermediate}
+
+	// Append intermediates on YubiKeys 5.7.4+
+	switch intermediate.Issuer.CommonName {
+	case "Yubico PIV Attestation A 1":
+		certs, err := pemutil.ParseCertificateBundle([]byte(yubicoPIVAttestationA1))
+		if err != nil {
+			return nil, fmt.Errorf("error parsing intermediate certificates: %w", err)
+		}
+		chain = append(chain, certs...)
+	case "Yubico PIV Attestation B 1":
+		certs, err := pemutil.ParseCertificateBundle([]byte(yubicoPIVAttestationB1))
+		if err != nil {
+			return nil, fmt.Errorf("error parsing intermediate certificates: %w", err)
+		}
+		chain = append(chain, certs...)
+	}
+
 	return &apiv1.CreateAttestationResponse{
 		Certificate:         cert,
-		CertificateChain:    []*x509.Certificate{cert, intermediate},
+		CertificateChain:    chain,
 		PublicKey:           cert.PublicKey,
 		PermanentIdentifier: getAttestedSerial(cert),
 	}, nil

kms/yubikey/yubikey_test.go

@@ -31,6 +31,7 @@ import (
 
 	"go.step.sm/crypto/kms/apiv1"
 	"go.step.sm/crypto/minica"
+	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/randutil"
 )
 
@@ -1080,9 +1081,20 @@ func TestYubiKey_CreateDecrypter(t *testing.T) {
 func TestYubiKey_CreateAttestation(t *testing.T) {
 	yk := newStubPivKey(t, ECDSA)
 
+	ykA1 := newStubPivKey(t, ECDSA)
+	ykA1.attestCA.Intermediate.Issuer.CommonName = "Yubico PIV Attestation A 1"
+
+	ykB1 := newStubPivKey(t, ECDSA)
+	ykB1.attestCA.Intermediate.Issuer.CommonName = "Yubico PIV Attestation B 1"
+
 	ykFail := newStubPivKey(t, ECDSA)
 	delete(ykFail.certMap, slotAttestation)
 
+	a1Certs, err := pemutil.ParseCertificateBundle([]byte(yubicoPIVAttestationA1))
+	require.NoError(t, err)
+	b1Certs, err := pemutil.ParseCertificateBundle([]byte(yubicoPIVAttestationB1))
+	require.NoError(t, err)
+
 	type fields struct {
 		yk            pivKey
 		pin           string
@@ -1106,6 +1118,28 @@ func TestYubiKey_CreateAttestation(t *testing.T) {
 			PublicKey:           yk.attestMap[piv.SlotAuthentication].PublicKey,
 			PermanentIdentifier: "112233",
 		}, false},
+		{"ok A1", fields{ykA1, "123456", piv.DefaultManagementKey}, args{&apiv1.CreateAttestationRequest{
+			Name: "yubikey:slot-id=9a",
+		}}, &apiv1.CreateAttestationResponse{
+			Certificate: ykA1.attestMap[piv.SlotAuthentication],
+			CertificateChain: []*x509.Certificate{
+				ykA1.attestMap[piv.SlotAuthentication], ykA1.attestCA.Intermediate,
+				a1Certs[0], a1Certs[1],
+			},
+			PublicKey:           ykA1.attestMap[piv.SlotAuthentication].PublicKey,
+			PermanentIdentifier: "112233",
+		}, false},
+		{"ok B1", fields{ykB1, "123456", piv.DefaultManagementKey}, args{&apiv1.CreateAttestationRequest{
+			Name: "yubikey:slot-id=9a",
+		}}, &apiv1.CreateAttestationResponse{
+			Certificate: ykB1.attestMap[piv.SlotAuthentication],
+			CertificateChain: []*x509.Certificate{
+				ykB1.attestMap[piv.SlotAuthentication], ykB1.attestCA.Intermediate,
+				b1Certs[0], b1Certs[1],
+			},
+			PublicKey:           ykB1.attestMap[piv.SlotAuthentication].PublicKey,
+			PermanentIdentifier: "112233",
+		}, false},
 		{"fail getSlot", fields{yk, "123456", piv.DefaultManagementKey}, args{&apiv1.CreateAttestationRequest{
 			Name: "yubikey://:slot-id=9a",
 		}}, nil, true},
@@ -1340,3 +1374,71 @@ func Test_syncDecrypter_Decrypt(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, data, plain)
 }
+
+func TestYubicoNewRoots(t *testing.T) {
+	const rootPEM = `-----BEGIN CERTIFICATE-----
+MIIDPjCCAiagAwIBAgIUXzeiEDJEOTt14F5n0o6Zf/bBwiUwDQYJKoZIhvcNAQEN
+BQAwJDEiMCAGA1UEAwwZWXViaWNvIEF0dGVzdGF0aW9uIFJvb3QgMTAgFw0yNDEy
+MDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowJDEiMCAGA1UEAwwZWXViaWNvIEF0
+dGVzdGF0aW9uIFJvb3QgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AMZ6/TxM8rIT+EaoPvG81ontMOo/2mQ2RBwJHS0QZcxVaNXvl12LUhBZ5LmiBScI
+Zd1Rnx1od585h+/dhK7hEm7JAALkKKts1fO53KGNLZujz5h3wGncr4hyKF0G74b/
+U3K9hE5mGND6zqYchCRAHfrYMYRDF4YL0X4D5nGdxvppAy6nkEmtWmMnwO3i0TAu
+csrbE485HvGM4r0VpgVdJpvgQjiTJCTIq+D35hwtT8QDIv+nGvpcyi5wcIfCkzyC
+imJukhYy6KoqNMKQEdpNiSOvWyDMTMt1bwCvEzpw91u+msUt4rj0efnO9s0ZOwdw
+MRDnH4xgUl5ZLwrrPkfC1/0CAwEAAaNmMGQwHQYDVR0OBBYEFNLu71oijTptXCOX
+PfKF1SbxJXuSMB8GA1UdIwQYMBaAFNLu71oijTptXCOXPfKF1SbxJXuSMBIGA1Ud
+EwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBDQUAA4IB
+AQC3IW/sgB9pZ8apJNjxuGoX+FkILks0wMNrdXL/coUvsrhzsvl6mePMrbGJByJ1
+XnquB5sgcRENFxdQFma3mio8Upf1owM1ZreXrJ0mADG2BplqbJnxiyYa+R11reIF
+TWeIhMNcZKsDZrFAyPuFjCWSQvJmNWe9mFRYFgNhXJKkXIb5H1XgEDlwiedYRM7V
+olBNlld6pRFKlX8ust6OTMOeADl2xNF0m1LThSdeuXvDyC1g9+ILfz3S6OIYgc3i
+roRcFD354g7rKfu67qFAw9gC4yi0xBTPrY95rh4/HqaUYCA/L8ldRk6H7Xk35D+W
+Vpmq2Sh/xT5HiFuhf4wJb0bK
+-----END CERTIFICATE-----`
+
+	root, err := pemutil.ParseCertificate([]byte(rootPEM))
+	require.NoError(t, err)
+
+	a1Certs, err := pemutil.ParseCertificateBundle([]byte(yubicoPIVAttestationA1))
+	require.NoError(t, err)
+	require.Len(t, a1Certs, 2)
+
+	b1Certs, err := pemutil.ParseCertificateBundle([]byte(yubicoPIVAttestationB1))
+	require.NoError(t, err)
+	require.Len(t, b1Certs, 2)
+
+	assert.Equal(t, "Yubico PIV Attestation A 1", a1Certs[0].Subject.CommonName)
+	assert.Equal(t, "Yubico Attestation Intermediate A 1", a1Certs[1].Subject.CommonName)
+
+	assert.Equal(t, "Yubico PIV Attestation B 1", b1Certs[0].Subject.CommonName)
+	assert.Equal(t, "Yubico Attestation Intermediate B 1", b1Certs[1].Subject.CommonName)
+
+	assert.True(t, a1Certs[0].BasicConstraintsValid)
+	assert.True(t, a1Certs[0].IsCA)
+	assert.True(t, a1Certs[0].MaxPathLen == 1)
+	assert.True(t, a1Certs[1].BasicConstraintsValid)
+	assert.True(t, a1Certs[1].IsCA)
+	assert.True(t, a1Certs[1].MaxPathLen == 2)
+
+	assert.True(t, b1Certs[0].BasicConstraintsValid)
+	assert.True(t, b1Certs[0].IsCA)
+	assert.True(t, b1Certs[0].MaxPathLen == 1)
+	assert.True(t, b1Certs[1].BasicConstraintsValid)
+	assert.True(t, b1Certs[1].IsCA)
+	assert.True(t, b1Certs[1].MaxPathLen == 2)
+
+	rootPool := x509.NewCertPool()
+	rootPool.AddCert(root)
+	for _, chain := range [][]*x509.Certificate{a1Certs, b1Certs} {
+		intPool := x509.NewCertPool()
+		intPool.AddCert(chain[1])
+
+		_, err := chain[0].Verify(x509.VerifyOptions{
+			Roots:         rootPool,
+			Intermediates: intPool,
+		})
+		assert.NoError(t, err)
+	}
+
+}