Merge pull request #10 from smallstep/yubikey-policies

Support for YubiKey pin policies
smallstep · Oct 7, 2022 · b0f74a5 · b0f74a5
2 parents 619c258 + 1ba12fa
commit b0f74a5
Show file tree

Hide file tree

Showing 3 changed files with 85 additions and 70 deletions.
diff --git a/cmd/create.go b/cmd/create.go
@@ -69,11 +69,14 @@ Keys in a PKCS #11 module requires an id in hexadecimal as well as a label
   # Create a key on Azure's Key Vault using az credentials:
   step-kms-plugin create 'azurekms:vault=my-key-vault;name=my-key'
 
-  # Create a key on AWS KMS with the name tag my-key, but return the value in JSON so we can get the key-id to access it.
+  # Create a key on AWS KMS with the name tag my-key, but return the value in JSON so we can get the key-id to access it:
   step-kms-plugin create --json --kms awskms:region=us-west-2 my-key
 
   # Create a 2048-bit RSA key on a YubiKey:
-  step-kms-plugin create --kty RSA --size 2048 yubikey:slot-id=82`,
+  step-kms-plugin create --kty RSA --size 2048 yubikey:slot-id=82
+
+  # Create an EC P-256 private key on a YubiKey with the touch policy "always" and pin policy "once":
+  step-kms-plugin create --touch-policy always --pin-policy once yubikey:slot-id=82`,
 
 	RunE: func(cmd *cobra.Command, args []string) error {
 		if len(args) != 1 {
@@ -89,6 +92,8 @@ Keys in a PKCS #11 module requires an id in hexadecimal as well as a label
 		pss := flagutil.MustBool(flags, "pss")
 		extractable := flagutil.MustBool(flags, "extractable")
 		pl := flagutil.MustString(flags, "protection-level")
+		pinPolicy := pinPolicyMapping[flagutil.MustString(flags, "pin-policy")]
+		touchPolicy := touchPolicyMapping[flagutil.MustString(flags, "touch-policy")]
 
 		if kty != "RSA" {
 			size = 0
@@ -128,6 +133,8 @@ Keys in a PKCS #11 module requires an id in hexadecimal as well as a label
 			Bits:               size,
 			ProtectionLevel:    protectionLevel,
 			Extractable:        extractable,
+			PINPolicy:          pinPolicy,
+			TouchPolicy:        touchPolicy,
 		})
 		if err != nil {
 			return fmt.Errorf("failed to create key: %w", err)
@@ -189,6 +196,20 @@ var okpSignatureAlgorithmMapping = map[okpParams]apiv1.SignatureAlgorithm{
 	{"ED25519"}: apiv1.PureEd25519,
 }
 
+var pinPolicyMapping = map[string]apiv1.PINPolicy{
+	"":       0, // Use default on YubiKey kms (always)
+	"NEVER":  apiv1.PINPolicyNever,
+	"ALWAYS": apiv1.PINPolicyAlways,
+	"ONCE":   apiv1.PINPolicyOnce,
+}
+
+var touchPolicyMapping = map[string]apiv1.TouchPolicy{
+	"":       0, // Use default on YubiKey kms (never)
+	"NEVER":  apiv1.TouchPolicyNever,
+	"ALWAYS": apiv1.TouchPolicyAlways,
+	"CACHED": apiv1.TouchPolicyCached,
+}
+
 func getSignatureAlgorithm(kty, crv, alg string, pss bool) apiv1.SignatureAlgorithm {
 	switch strings.ToUpper(kty) {
 	case "EC":
@@ -224,12 +245,16 @@ func init() {
 	crv := flagutil.NormalizedValue("crv", []string{"P256", "P384", "P521", "Ed25519"}, "P256")
 	alg := flagutil.NormalizedValue("alg", []string{"SHA256", "SHA384", "SHA512"}, "SHA256")
 	protectionLevel := flagutil.UpperValue("protection-level", []string{"SOFTWARE", "HSM"}, "SOFTWARE")
+	pinPolicy := flagutil.UpperValue("pin-policy", []string{"NEVER", "ALWAYS", "ONCE"}, "")
+	touchPolicy := flagutil.UpperValue("touch-policy", []string{"NEVER", "ALWAYS", "CACHED"}, "")
 
 	flags.Var(kty, "kty", "The key `type` to build the certificate upon.\nOptions are EC, RSA or OKP")
 	flags.Var(crv, "crv", "The elliptic `curve` to use for EC and OKP key types.\nOptions are P256, P384, P521 or Ed25519 on OKP")
 	flags.Int("size", 3072, "The key size for an RSA key")
 	flags.Var(alg, "alg", "The hashing `algorithm` to use on RSA PKCS #1 and RSA-PSS signatures.\nOptions are SHA256, SHA384 or SHA512")
 	flags.Var(protectionLevel, "protection-level", "The protection `level` used on some Cloud KMSs.\nOptions are SOFTWARE or HSM")
+	flags.Var(pinPolicy, "pin-policy", "The pin `policy` used on YubiKey KMS.\nOptions are NEVER, ALWAYS or ONCE")
+	flags.Var(touchPolicy, "touch-policy", "The touch `policy` used on YubiKey KMS.\nOptions are NEVER, ALWAYS or CACHED")
 	flags.Bool("pss", false, "Use RSA-PSS signature scheme instead of PKCS #1")
 	flags.Bool("extractable", false, "Mark the new key as extractable")
 	flags.Bool("json", false, "Show the output using JSON")

diff --git a/go.mod b/go.mod
@@ -5,19 +5,19 @@ go 1.18
 require (
 	github.com/spf13/cobra v1.5.0
 	github.com/spf13/pflag v1.0.5
-	go.step.sm/crypto v0.19.0
+	go.step.sm/crypto v0.21.0
 	golang.org/x/crypto v0.0.0-20220926161630-eccd6366d1be
 )
 
 require (
-	cloud.google.com/go v0.100.2 // indirect
-	cloud.google.com/go/compute v1.6.1 // indirect
-	cloud.google.com/go/iam v0.1.0 // indirect
+	cloud.google.com/go v0.102.0 // indirect
+	cloud.google.com/go/compute v1.7.0 // indirect
+	cloud.google.com/go/iam v0.3.0 // indirect
 	cloud.google.com/go/kms v1.4.0 // indirect
-	filippo.io/edwards25519 v1.0.0-rc.1 // indirect
+	filippo.io/edwards25519 v1.0.0 // indirect
 	github.com/Azure/azure-sdk-for-go v65.0.0+incompatible // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.27 // indirect
+	github.com/Azure/go-autorest/autorest v0.11.28 // indirect
 	github.com/Azure/go-autorest/autorest/adal v0.9.18 // indirect
 	github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 // indirect
 	github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 // indirect
@@ -30,22 +30,20 @@ require (
 	github.com/Masterminds/semver/v3 v3.1.1 // indirect
 	github.com/Masterminds/sprig/v3 v3.2.2 // indirect
 	github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
-	github.com/aws/aws-sdk-go v1.44.37 // indirect
-	github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e // indirect
+	github.com/aws/aws-sdk-go v1.44.111 // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
 	github.com/go-piv/piv-go v1.10.0 // indirect
 	github.com/golang-jwt/jwt/v4 v4.2.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/go-cmp v0.5.8 // indirect
 	github.com/google/uuid v1.3.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa // indirect
-	github.com/googleapis/gax-go/v2 v2.4.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.1.0 // indirect
+	github.com/googleapis/gax-go/v2 v2.5.1 // indirect
 	github.com/huandu/xstrings v1.3.2 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/manifoldco/promptui v0.9.0 // indirect
 	github.com/miekg/pkcs11 v1.1.1 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
@@ -55,16 +53,15 @@ require (
 	github.com/spf13/cast v1.4.1 // indirect
 	github.com/thales-e-security/pool v0.0.2 // indirect
 	go.opencensus.io v0.23.0 // indirect
-	go.step.sm/cli-utils v0.7.3 // indirect
 	golang.org/x/net v0.0.0-20220927171203-f486391704dc // indirect
-	golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb // indirect
+	golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094 // indirect
 	golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 // indirect
 	golang.org/x/text v0.3.8-0.20211004125949-5bd84dd9b33b // indirect
-	google.golang.org/api v0.84.0 // indirect
+	google.golang.org/api v0.98.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad // indirect
-	google.golang.org/grpc v1.47.0 // indirect
-	google.golang.org/protobuf v1.28.0 // indirect
+	google.golang.org/genproto v0.0.0-20220722212130-b98a9ff5e252 // indirect
+	google.golang.org/grpc v1.49.0 // indirect
+	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 )