1 /* 2 * Copyright (c) 2014-2020 Yubico AB 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions are 7 * met: 8 * 9 * * Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 12 * * Redistributions in binary form must reproduce the above 13 * copyright notice, this list of conditions and the following 14 * disclaimer in the documentation and/or other materials provided 15 * with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 18 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 19 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 20 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 21 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 22 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 23 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 27 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 * 29 */ 30 31 /** 32 * @mainpage 33 * 34 * See ykpiv.h 35 * 36 * @file ykpiv.h 37 * libykpiv API 38 */ 39 #ifndef YKPIV_H 40 #define YKPIV_H 41 42 #include <stdint.h> 43 #include <stddef.h> 44 #include <stdbool.h> 45 46 #include "ykpiv-config.h" 47 48 #ifdef __cplusplus 49 extern "C" 50 { 51 #endif 52 53 typedef struct ykpiv_state ykpiv_state; 54 55 typedef enum { 56 YKPIV_OK = 0, 57 YKPIV_MEMORY_ERROR = -1, 58 YKPIV_PCSC_ERROR = -2, 59 YKPIV_SIZE_ERROR = -3, 60 YKPIV_APPLET_ERROR = -4, 61 YKPIV_AUTHENTICATION_ERROR = -5, 62 YKPIV_RANDOMNESS_ERROR = -6, 63 YKPIV_GENERIC_ERROR = -7, 64 YKPIV_KEY_ERROR = -8, 65 YKPIV_PARSE_ERROR = -9, 66 YKPIV_WRONG_PIN = -10, 67 YKPIV_INVALID_OBJECT = -11, 68 YKPIV_ALGORITHM_ERROR = -12, 69 YKPIV_PIN_LOCKED = -13, 70 71 YKPIV_ARGUMENT_ERROR = -14, //i.e. invalid input argument 72 YKPIV_RANGE_ERROR = -15, //i.e. value range error 73 YKPIV_NOT_SUPPORTED = -16 74 } ykpiv_rc; 75 76 typedef void* (*ykpiv_pfn_alloc)(void* alloc_data, size_t size); 77 typedef void* (*ykpiv_pfn_realloc)(void* alloc_data, void* address, size_t size); 78 typedef void (*ykpiv_pfn_free)(void* alloc_data, void* address); 79 typedef struct ykpiv_allocator { 80 ykpiv_pfn_alloc pfn_alloc; 81 ykpiv_pfn_realloc pfn_realloc; 82 ykpiv_pfn_free pfn_free; 83 void * alloc_data; 84 } ykpiv_allocator; 85 86 const char *ykpiv_strerror(ykpiv_rc err); 87 const char *ykpiv_strerror_name(ykpiv_rc err); 88 89 ykpiv_rc ykpiv_init(ykpiv_state **state, int verbose); 90 ykpiv_rc ykpiv_init_with_allocator(ykpiv_state **state, int verbose, const ykpiv_allocator *allocator); 91 ykpiv_rc ykpiv_done(ykpiv_state *state); 92 ykpiv_rc ykpiv_validate(ykpiv_state *state, const char *wanted); 93 ykpiv_rc ykpiv_connect(ykpiv_state *state, const char *wanted); 94 ykpiv_rc ykpiv_list_readers(ykpiv_state *state, char *readers, size_t *len); 95 ykpiv_rc ykpiv_disconnect(ykpiv_state *state); 96 ykpiv_rc ykpiv_transfer_data(ykpiv_state *state, const unsigned char *templ, 97 const unsigned char *in_data, long in_len, 98 unsigned char *out_data, unsigned long *out_len, int *sw); 99 ykpiv_rc ykpiv_authenticate(ykpiv_state *state, const unsigned char *key); 100 ykpiv_rc ykpiv_set_mgmkey(ykpiv_state *state, const unsigned char *new_key); 101 ykpiv_rc ykpiv_hex_decode(const char *hex_in, size_t in_len, 102 unsigned char *hex_out, size_t *out_len); 103 ykpiv_rc ykpiv_sign_data(ykpiv_state *state, const unsigned char *sign_in, 104 size_t in_len, unsigned char *sign_out, size_t *out_len, 105 unsigned char algorithm, unsigned char key); 106 ykpiv_rc ykpiv_decipher_data(ykpiv_state *state, const unsigned char *enc_in, 107 size_t in_len, unsigned char *enc_out, size_t *out_len, 108 unsigned char algorithm, unsigned char key); 109 ykpiv_rc ykpiv_get_version(ykpiv_state *state, char *version, size_t len); 110 ykpiv_rc ykpiv_verify(ykpiv_state *state, const char *pin, int *tries); 111 ykpiv_rc ykpiv_change_pin(ykpiv_state *state, const char * current_pin, size_t current_pin_len, 112 const char * new_pin, size_t new_pin_len, 113 int *tries); 114 ykpiv_rc ykpiv_change_puk(ykpiv_state *state, const char * current_puk, size_t current_puk_len, 115 const char * new_puk, size_t new_puk_len, 116 int *tries); 117 ykpiv_rc ykpiv_unblock_pin(ykpiv_state *state, const char * puk, size_t puk_len, 118 const char * new_pin, size_t new_pin_len, 119 int *tries); 120 ykpiv_rc ykpiv_fetch_object(ykpiv_state *state, int object_id, 121 unsigned char *data, unsigned long *len); 122 ykpiv_rc ykpiv_set_mgmkey2(ykpiv_state *state, const unsigned char *new_key, 123 const unsigned char touch); 124 ykpiv_rc ykpiv_save_object(ykpiv_state *state, int object_id, 125 unsigned char *indata, size_t len); 126 ykpiv_rc ykpiv_import_private_key(ykpiv_state *state, const unsigned char key, unsigned char algorithm, 127 const unsigned char *p, size_t p_len, 128 const unsigned char *q, size_t q_len, 129 const unsigned char *dp, size_t dp_len, 130 const unsigned char *dq, size_t dq_len, 131 const unsigned char *qinv, size_t qinv_len, 132 const unsigned char *ec_data, unsigned char ec_data_len, 133 const unsigned char pin_policy, const unsigned char touch_policy); 134 ykpiv_rc ykpiv_attest(ykpiv_state *state, const unsigned char key, unsigned char *data, size_t *data_len); 135 ykpiv_rc ykpiv_get_metadata(ykpiv_state *state, const unsigned char key, unsigned char *data, size_t *data_len); 136 137 /** 138 * Return the number of PIN attempts remaining before PIN is locked. 139 * 140 * **NOTE:** If PIN is already verified, calling ykpiv_get_pin_retries() will unverify the PIN. 141 * 142 * @param state State handle from ykpiv_init() 143 * @param tries [out] Number of attempts remaining 144 * 145 * @return Error code 146 */ 147 ykpiv_rc ykpiv_get_pin_retries(ykpiv_state *state, int *tries); 148 149 /** 150 * Set number of attempts before locking for PIN and PUK codes. 151 * 152 * **NOTE:** If either \p pin_tries or \p puk_tries is 0, ykpiv_set_pin_retries() immediately returns YKPIV_OK. 153 * 154 * @param state State handle from ykpiv_init() 155 * @param pin_tries Number of attempts to permit for PIN code 156 * @param puk_tries Number of attempts to permit for PUK code 157 * 158 * @return Error code 159 */ 160 ykpiv_rc ykpiv_set_pin_retries(ykpiv_state *state, int pin_tries, int puk_tries); 161 162 /** 163 * Variant of ykpiv_connect() that accepts a card context obtained externally. 164 * 165 * Not for generic use. Use ykpiv_connect() instead. 166 * 167 * @param state State handle 168 * @param context Card context returned from SCardConnect() or equivalent. 169 * @param card Card ID returned from SCardConnect() or equivalent. 170 * 171 * @return Error code 172 */ 173 ykpiv_rc ykpiv_connect_with_external_card(ykpiv_state *state, uintptr_t context, uintptr_t card); 174 175 /** 176 * Variant of ykpiv_done() for external cards connected with ykpiv_connect_with_external_card() 177 * 178 * Card is not disconnected, unlike with normal calls to ykpiv_done(). 179 * 180 * @param state State handle 181 * 182 * @return Error code 183 */ 184 ykpiv_rc ykpiv_done_with_external_card(ykpiv_state *state); 185 186 /** 187 * Variant of ykpiv_verify() that optionally selects the PIV applet first. 188 * 189 * @param state State handle 190 * @param pin PIN code to verify with 191 * @param pin_len Length of \p pin 192 * @param tries [out] Number of attempts remaining (if non-NULL) 193 * @param force_select Whether to select the PIV applet before verifying. 194 * 195 * @return Error code 196 */ 197 ykpiv_rc ykpiv_verify_select(ykpiv_state *state, const char *pin, const size_t pin_len, int *tries, bool force_select); 198 199 /** 200 * Get serial number 201 * 202 * The card must be connected to call this function. 203 * 204 * @param state [in] State handle 205 * @param p_serial [out] uint32 to store retrieved serial number 206 * 207 * @return ykpiv_rc error code 208 * 209 */ 210 ykpiv_rc ykpiv_get_serial(ykpiv_state *state, uint32_t* p_serial); 211 212 213 //////////////////////////////////////////////////////////////////////////////// 214 //////////////////////////////////////////////////////////////////////////////// 215 //////////////////////////////////////////////////////////////////////////////// 216 //// 217 //// 218 //// High-level Util API 219 //// 220 //// 221 //// Util api always allocates data on your behalf, if data = 0, *data != 0, 222 //// or data_len = 0 an invalid parameter will be returned; to free data, call 223 //// ykpiv_util_free(). 224 //// 225 //////////////////////////////////////////////////////////////////////////////// 226 //////////////////////////////////////////////////////////////////////////////// 227 //////////////////////////////////////////////////////////////////////////////// 228 229 typedef uint32_t ykpiv_devmodel; 230 231 /** 232 * Card identifier 233 */ 234 #define YKPIV_CARDID_SIZE 16 235 typedef struct { 236 uint8_t data[YKPIV_CARDID_SIZE]; 237 } ykpiv_cardid; 238 239 /** 240 * Card Capability 241 */ 242 #define YKPIV_CCCID_SIZE 14 243 typedef struct { 244 uint8_t data[YKPIV_CCCID_SIZE]; 245 } ykpiv_cccid; 246 247 #pragma pack(push, 1) 248 249 typedef struct _ykpiv_key { 250 uint8_t slot; 251 uint16_t cert_len; 252 uint8_t cert[1]; 253 } ykpiv_key; 254 255 typedef struct _ykpiv_container { 256 wchar_t name[40]; 257 uint8_t slot; 258 uint8_t key_spec; 259 uint16_t key_size_bits; 260 uint8_t flags; 261 uint8_t pin_id; 262 uint8_t associated_echd_container; 263 uint8_t cert_fingerprint[20]; 264 } ykpiv_container; 265 266 #pragma pack(pop) 267 268 typedef enum { 269 YKPIV_CONFIG_MGM_INVALID = -1, 270 YKPIV_CONFIG_MGM_MANUAL = 0, 271 YKPIV_CONFIG_MGM_DERIVED = 1, 272 YKPIV_CONFIG_MGM_PROTECTED = 2 273 } ykpiv_config_mgm_type; 274 275 #pragma pack(push, 1) 276 typedef struct _ykpiv_config { 277 uint8_t puk_blocked; 278 uint8_t puk_noblock_on_upgrade; 279 uint32_t pin_last_changed; 280 ykpiv_config_mgm_type mgm_type; 281 uint8_t mgm_key[24]; 282 } ykpiv_config; 283 284 typedef struct _ykpiv_mgm { 285 uint8_t data[24]; 286 } ykpiv_mgm; 287 #pragma pack(pop) 288 289 typedef struct _ykpiv_metadata { 290 uint8_t algorithm; 291 uint8_t pin_policy; 292 uint8_t touch_policy; 293 uint8_t origin; 294 size_t pubkey_len; 295 uint8_t pubkey[512]; 296 } ykpiv_metadata; 297 298 /** 299 * Free allocated data 300 * 301 * Frees a buffer previously allocated by one of the other \p ykpiv_util functions. 302 * 303 * @param state State handle 304 * @param data Buffer previously allocated by a \p ykpiv_util function 305 * 306 * @return ypiv_rc error code 307 */ 308 ykpiv_rc ykpiv_util_free(ykpiv_state *state, void *data); 309 310 /** 311 * Returns a list of all saved certificates. 312 * 313 * \p data should be freed with \p ykpiv_util_free() after use. 314 * 315 * @param state State handle 316 * @param key_count [out] Number of certificates returned 317 * @param data [out] Set to a dynamically allocated list of certificates. 318 * @param data_len [out] Set to size of \p data in bytes 319 * 320 * @return Error code 321 */ 322 ykpiv_rc ykpiv_util_list_keys(ykpiv_state *state, uint8_t *key_count, ykpiv_key **data, size_t *data_len); 323 324 /** 325 * Read a certificate stored in the given slot 326 * 327 * \p data should be freed with \p ykpiv_util_free() after use. 328 * 329 * @param state State handle 330 * @param slot Slot to read from 331 * @param data Pointer to buffer to store the read data 332 * @param data_len Pointer to size of input buffer, in bytes. Update to length of read data after call. 333 * 334 * @return Error code 335 */ 336 ykpiv_rc ykpiv_util_read_cert(ykpiv_state *state, uint8_t slot, uint8_t **data, size_t *data_len); 337 338 /** 339 * Write a certificate to a given slot 340 * 341 * \p certinfo should be \p YKPIV_CERTINFO_UNCOMPRESSED for uncompressed certificates, which is the most 342 * common case, or \p YKPIV_CERTINFO_GZIP if the certificate in \p data is already compressed with gzip. 343 * 344 * @param state State handle 345 * @param slot Slot to write to 346 * @param data Buffer of data to write 347 * @param data_len Number of bytes to write 348 * @param certinfo Hint about type of certificate. Use the \p YKPIV_CERTINFO* defines. 349 * 350 * @return Error code 351 */ 352 ykpiv_rc ykpiv_util_write_cert(ykpiv_state *state, uint8_t slot, uint8_t *data, size_t data_len, uint8_t certinfo); 353 354 /** 355 * Delete the certificate stored in the given slot 356 * 357 * @param state State handle 358 * @param slot Slot to delete certificate from 359 * 360 * @return Error code 361 */ 362 ykpiv_rc ykpiv_util_delete_cert(ykpiv_state *state, uint8_t slot); 363 364 /** 365 * Generate key in given slot with specified parameters 366 * 367 * \p modulus, \p exp, and \p point should be freed with \p ykpiv_util_free() after use. 368 * 369 * If algorithm is RSA1024 or RSA2048, the modulus, modulus_len, exp, and exp_len output parameters must be supplied. They are filled with with public modulus (big-endian), its size, the public exponent (big-endian), and its size respectively. 370 * 371 * If algorithm is ECCP256 or ECCP384, the point and point_len output parameters must be supplied. They are filled with the public point (uncompressed octet-string encoded per SEC1 section 2.3.4) 372 * 373 * If algorithm is ECCP256, the curve is always ANSI X9.62 Prime 256v1 374 * 375 * If algorithm is ECCP384, the curve is always secp384r1 376 * 377 * @param state State handle 378 * @param slot Slot to generate key in 379 * @param algorithm Key algorithm, specified as one of the \p YKPIV_ALGO_* options 380 * @param pin_policy Per-slot PIN policy, specified as one of the \p YKPIV_PINPOLICY_* options 381 * @param touch_policy Per-slot touch policy, specified as one of the \p YKPIV_TOUCHPOLICY_* options. 382 * @param modulus [out] RSA public modulus (RSA-only) 383 * @param modulus_len [out] Size of \p modulus (RSA-only) 384 * @param exp [out] RSA public exponent (RSA-only) 385 * @param exp_len [out] Size of \p exp (RSA-only) 386 * @param point [out] Public curve point (ECC-only) 387 * @param point_len [out] Size of \p point (ECC-only) 388 * 389 * @return ykpiv_rc error code 390 */ 391 ykpiv_rc ykpiv_util_generate_key(ykpiv_state *state, uint8_t slot, uint8_t algorithm, uint8_t pin_policy, uint8_t touch_policy, uint8_t **modulus, size_t *modulus_len, uint8_t **exp, size_t *exp_len, uint8_t **point, size_t *point_len); 392 393 /** 394 * Get current PIV applet administration configuration state 395 * 396 * @param state State handle 397 * @param config [out] ykpiv_config struct filled with current applet data 398 * 399 * @return ykpiv_rc error code 400 */ 401 ykpiv_rc ykpiv_util_get_config(ykpiv_state *state, ykpiv_config *config); 402 403 /** 404 * Set last pin changed time to current time 405 * 406 * The applet must be authenticated to call this function 407 * 408 * @param state State handle 409 * 410 * @return ykpiv_rc error code 411 */ 412 ykpiv_rc ykpiv_util_set_pin_last_changed(ykpiv_state *state); 413 414 /** 415 * Get Derived MGM key 416 * 417 * @param state State handle 418 * @param pin PIN used to derive mgm key 419 * @param pin_len Length of pin in bytes 420 * @param mgm [out] Protected MGM key 421 * 422 * @return ykpiv_rc error code 423 */ 424 ykpiv_rc ykpiv_util_get_derived_mgm(ykpiv_state *state, const uint8_t *pin, const size_t pin_len, ykpiv_mgm *mgm); 425 426 /** 427 * Get Protected MGM key 428 * 429 * The user pin must be verified to call this function 430 * 431 * @param state State handle 432 * @param mgm [out] Protected MGM key 433 * 434 * @return ykpiv_rc error code 435 */ 436 ykpiv_rc ykpiv_util_get_protected_mgm(ykpiv_state *state, ykpiv_mgm *mgm); 437 438 /** 439 * Set Protected MGM key 440 * 441 * The applet must be authenticated and the user pin verified to call this function 442 * 443 * If \p mgm is NULL or \p mgm.data is all zeroes, generate MGM, otherwise set specified key. 444 * 445 * @param state State handle 446 * @param mgm [in, out] Input: NULL or new MGM key. Output: Generated MGM key 447 * 448 * @return ykpiv_rc error code 449 */ 450 ykpiv_rc ykpiv_util_set_protected_mgm(ykpiv_state *state, ykpiv_mgm *mgm); 451 452 /** 453 * Reset PIV applet 454 * 455 * The user PIN and PUK must be blocked to call this function. 456 * 457 * @param state State handle 458 * 459 * @return ykpiv_rc error code 460 */ 461 ykpiv_rc ykpiv_util_reset(ykpiv_state *state); 462 463 /** 464 * Get card identifier 465 * 466 * Gets the card identifier from the Cardholder Unique Identifier (CHUID). 467 * 468 * ID can be set with \p ykpiv_util_set_cardid(). 469 * 470 * @param state State handle 471 * @param cardid [out] Unique Card ID stored in the CHUID 472 * 473 * @return ykpiv_rc error code 474 */ 475 ykpiv_rc ykpiv_util_get_cardid(ykpiv_state *state, ykpiv_cardid *cardid); 476 477 /** 478 * Set card identifier 479 * 480 * Set the card identifier in the Cardholder Unique Identifier (CHUID). 481 * 482 * The card must be authenticated to call this function. 483 * 484 * See also: \p ykpiv_util_set_cccid() 485 * 486 * @param state State handle 487 * @param cardid Unique Card ID to set. If NULL, randomly generate. 488 * 489 * @return ypiv_rc error code 490 * 491 */ 492 ykpiv_rc ykpiv_util_set_cardid(ykpiv_state *state, const ykpiv_cardid *cardid); 493 494 /** 495 * Get card capabilities identifier 496 * 497 * Gets the card identifier from the Card Capability Container (CCC). 498 * 499 * ID can be set with \p ykpiv_util_set_cccid(). 500 * 501 * @param state State handle 502 * @param ccc [out] Unique Card ID stored in the CCC 503 * 504 * @return ykpiv_rc error code 505 */ 506 ykpiv_rc ykpiv_util_get_cccid(ykpiv_state *state, ykpiv_cccid *ccc); 507 508 /** 509 * Set card capabilities identifier 510 * 511 * Sets the card identifier in the Card Capability Container (CCC). 512 * 513 * The card must be authenticated to call this function. 514 * 515 * See also: \p ykpiv_util_set_cardid() 516 * 517 * @param state state 518 * @param ccc Unique Card ID to set. If NULL, randomly generate. 519 * 520 * @return ykpiv_rc error code 521 * 522 */ 523 ykpiv_rc ykpiv_util_set_cccid(ykpiv_state *state, const ykpiv_cccid *ccc); 524 525 /** 526 * Get device model 527 * 528 * The card must be connected to call this function. 529 * 530 * @param state State handle 531 * 532 * @return Device model 533 * 534 */ 535 ykpiv_devmodel ykpiv_util_devicemodel(ykpiv_state *state); 536 537 /** 538 * Block PUK 539 * 540 * Utility function to block the PUK. 541 * 542 * To set the PUK blocked flag in the admin data, the applet must be authenticated. 543 * 544 * @param state State handle 545 * 546 * @return Error code 547 * 548 */ 549 ykpiv_rc ykpiv_util_block_puk(ykpiv_state *state); 550 551 /** 552 * Object ID of given slot. 553 * 554 * @param slot Key slot 555 */ 556 uint32_t ykpiv_util_slot_object(uint8_t slot); 557 558 ykpiv_rc ykpiv_util_read_mscmap(ykpiv_state *state, ykpiv_container **containers, size_t *n_containers); 559 ykpiv_rc ykpiv_util_write_mscmap(ykpiv_state *state, ykpiv_container *containers, size_t n_containers); 560 ykpiv_rc ykpiv_util_read_msroots(ykpiv_state *state, uint8_t **data, size_t *data_len); 561 ykpiv_rc ykpiv_util_write_msroots(ykpiv_state *state, uint8_t *data, size_t data_len); 562 ykpiv_rc ykpiv_util_parse_metadata(uint8_t *data, size_t data_len, ykpiv_metadata *metadata); 563 564 //////////////////////////////////////////////////////////////////////////////// 565 //////////////////////////////////////////////////////////////////////////////// 566 //////////////////////////////////////////////////////////////////////////////// 567 //// 568 //// 569 //// Defines 570 //// 571 //// 572 //////////////////////////////////////////////////////////////////////////////// 573 //////////////////////////////////////////////////////////////////////////////// 574 //////////////////////////////////////////////////////////////////////////////// 575 576 #define YKPIV_ALGO_TAG 0x80 577 #define YKPIV_ALGO_3DES 0x03 578 #define YKPIV_ALGO_RSA1024 0x06 579 #define YKPIV_ALGO_RSA2048 0x07 580 #define YKPIV_ALGO_ECCP256 0x11 581 #define YKPIV_ALGO_ECCP384 0x14 582 583 #define YKPIV_KEY_AUTHENTICATION 0x9a 584 #define YKPIV_KEY_CARDMGM 0x9b 585 #define YKPIV_KEY_SIGNATURE 0x9c 586 #define YKPIV_KEY_KEYMGM 0x9d 587 #define YKPIV_KEY_CARDAUTH 0x9e 588 #define YKPIV_KEY_RETIRED1 0x82 589 #define YKPIV_KEY_RETIRED2 0x83 590 #define YKPIV_KEY_RETIRED3 0x84 591 #define YKPIV_KEY_RETIRED4 0x85 592 #define YKPIV_KEY_RETIRED5 0x86 593 #define YKPIV_KEY_RETIRED6 0x87 594 #define YKPIV_KEY_RETIRED7 0x88 595 #define YKPIV_KEY_RETIRED8 0x89 596 #define YKPIV_KEY_RETIRED9 0x8a 597 #define YKPIV_KEY_RETIRED10 0x8b 598 #define YKPIV_KEY_RETIRED11 0x8c 599 #define YKPIV_KEY_RETIRED12 0x8d 600 #define YKPIV_KEY_RETIRED13 0x8e 601 #define YKPIV_KEY_RETIRED14 0x8f 602 #define YKPIV_KEY_RETIRED15 0x90 603 #define YKPIV_KEY_RETIRED16 0x91 604 #define YKPIV_KEY_RETIRED17 0x92 605 #define YKPIV_KEY_RETIRED18 0x93 606 #define YKPIV_KEY_RETIRED19 0x94 607 #define YKPIV_KEY_RETIRED20 0x95 608 #define YKPIV_KEY_ATTESTATION 0xf9 609 610 #define YKPIV_OBJ_CAPABILITY 0x5fc107 611 #define YKPIV_OBJ_CHUID 0x5fc102 612 #define YKPIV_OBJ_AUTHENTICATION 0x5fc105 /* cert for 9a key */ 613 #define YKPIV_OBJ_FINGERPRINTS 0x5fc103 614 #define YKPIV_OBJ_SECURITY 0x5fc106 615 #define YKPIV_OBJ_FACIAL 0x5fc108 616 #define YKPIV_OBJ_PRINTED 0x5fc109 617 #define YKPIV_OBJ_SIGNATURE 0x5fc10a /* cert for 9c key */ 618 #define YKPIV_OBJ_KEY_MANAGEMENT 0x5fc10b /* cert for 9d key */ 619 #define YKPIV_OBJ_CARD_AUTH 0x5fc101 /* cert for 9e key */ 620 #define YKPIV_OBJ_DISCOVERY 0x7e 621 #define YKPIV_OBJ_KEY_HISTORY 0x5fc10c 622 #define YKPIV_OBJ_IRIS 0x5fc121 623 #define YKPIV_OBJ_BITGT 0x7f61 624 #define YKPIV_OBJ_SM_SIGNER 0x5fc122 625 #define YKPIV_OBJ_PC_REF_DATA 0x5fc123 626 627 #define YKPIV_OBJ_RETIRED1 0x5fc10d 628 #define YKPIV_OBJ_RETIRED2 0x5fc10e 629 #define YKPIV_OBJ_RETIRED3 0x5fc10f 630 #define YKPIV_OBJ_RETIRED4 0x5fc110 631 #define YKPIV_OBJ_RETIRED5 0x5fc111 632 #define YKPIV_OBJ_RETIRED6 0x5fc112 633 #define YKPIV_OBJ_RETIRED7 0x5fc113 634 #define YKPIV_OBJ_RETIRED8 0x5fc114 635 #define YKPIV_OBJ_RETIRED9 0x5fc115 636 #define YKPIV_OBJ_RETIRED10 0x5fc116 637 #define YKPIV_OBJ_RETIRED11 0x5fc117 638 #define YKPIV_OBJ_RETIRED12 0x5fc118 639 #define YKPIV_OBJ_RETIRED13 0x5fc119 640 #define YKPIV_OBJ_RETIRED14 0x5fc11a 641 #define YKPIV_OBJ_RETIRED15 0x5fc11b 642 #define YKPIV_OBJ_RETIRED16 0x5fc11c 643 #define YKPIV_OBJ_RETIRED17 0x5fc11d 644 #define YKPIV_OBJ_RETIRED18 0x5fc11e 645 #define YKPIV_OBJ_RETIRED19 0x5fc11f 646 #define YKPIV_OBJ_RETIRED20 0x5fc120 647 648 #define YKPIV_OBJ_ATTESTATION 0x5fff01 649 650 #define YKPIV_OBJ_MAX_SIZE 3072 651 652 #define YKPIV_INS_VERIFY 0x20 653 #define YKPIV_INS_CHANGE_REFERENCE 0x24 654 #define YKPIV_INS_RESET_RETRY 0x2c 655 #define YKPIV_INS_GENERATE_ASYMMETRIC 0x47 656 #define YKPIV_INS_AUTHENTICATE 0x87 657 #define YKPIV_INS_GET_DATA 0xcb 658 #define YKPIV_INS_PUT_DATA 0xdb 659 #define YKPIV_INS_SELECT_APPLICATION 0xa4 660 #define YKPIV_INS_GET_RESPONSE_APDU 0xc0 661 662 /* sw is status words, see NIST special publication 800-73-4, section 5.6 */ 663 #define SW_SUCCESS 0x9000 664 #define SW_ERR_SECURITY_STATUS 0x6982 665 #define SW_ERR_AUTH_BLOCKED 0x6983 666 #define SW_ERR_CONDITIONS_OF_USE 0x6985 667 #define SW_ERR_INCORRECT_PARAM 0x6a80 668 #define SW_ERR_FILE_NOT_FOUND 0x6a82 669 #define SW_ERR_REFERENCE_NOT_FOUND 0x6a88 670 /* this is a custom sw for yubikey */ 671 #define SW_ERR_INCORRECT_SLOT 0x6b00 672 #define SW_ERR_NOT_SUPPORTED 0x6d00 673 674 /* Yubico vendor specific instructions */ 675 #define YKPIV_INS_SET_MGMKEY 0xff 676 #define YKPIV_INS_IMPORT_KEY 0xfe 677 #define YKPIV_INS_GET_VERSION 0xfd 678 #define YKPIV_INS_RESET 0xfb 679 #define YKPIV_INS_SET_PIN_RETRIES 0xfa 680 #define YKPIV_INS_ATTEST 0xf9 681 #define YKPIV_INS_GET_SERIAL 0xf8 682 #define YKPIV_INS_GET_METADATA 0xf7 683 684 #define YKPIV_PINPOLICY_TAG 0xaa 685 #define YKPIV_PINPOLICY_DEFAULT 0 686 #define YKPIV_PINPOLICY_NEVER 1 687 #define YKPIV_PINPOLICY_ONCE 2 688 #define YKPIV_PINPOLICY_ALWAYS 3 689 690 #define YKPIV_TOUCHPOLICY_TAG 0xab 691 #define YKPIV_TOUCHPOLICY_DEFAULT 0 692 #define YKPIV_TOUCHPOLICY_NEVER 1 693 #define YKPIV_TOUCHPOLICY_ALWAYS 2 694 #define YKPIV_TOUCHPOLICY_CACHED 3 695 696 #define YKPIV_METADATA_ALGORITHM_TAG 0x01 // See values for YKPIV_ALGO_TAG 697 698 #define YKPIV_METADATA_POLICY_TAG 0x02 // Two bytes, see values for YKPIV_PINPOLICY_TAG and YKPIV_TOUCHPOLICY_TAG 699 700 #define YKPIV_METADATA_ORIGIN_TAG 0x03 701 #define YKPIV_METADATA_ORIGIN_GENERATED 0x01 702 #define YKPIV_METADATA_ORIGIN_IMPORTED 0x02 703 704 #define YKPIV_METADATA_PUBKEY_TAG 0x04 // RSA: DER-encoded sequence N, E; EC: Uncompressed EC point X, Y 705 706 #define YKPIV_IS_EC(a) ((a == YKPIV_ALGO_ECCP256 || a == YKPIV_ALGO_ECCP384)) 707 #define YKPIV_IS_RSA(a) ((a == YKPIV_ALGO_RSA1024 || a == YKPIV_ALGO_RSA2048)) 708 709 #define YKPIV_MIN_PIN_LEN 6 710 #define YKPIV_MAX_PIN_LEN 8 711 #define YKPIV_MGM_KEY_LEN 48 712 713 #define YKPIV_RETRIES_DEFAULT 3 714 #define YKPIV_RETRIES_MAX 0xff 715 716 #define YKPIV_CERTINFO_UNCOMPRESSED 0 717 #define YKPIV_CERTINFO_GZIP 1 718 719 #define YKPIV_ATR_NEO_R3 "\x3b\xfc\x13\x00\x00\x81\x31\xfe\x15\x59\x75\x62\x69\x6b\x65\x79\x4e\x45\x4f\x72\x33\xe1" 720 #define YKPIV_ATR_NEO_R3_NFC "\x3b\x8c\x80\x01\x59\x75\x62\x69\x6b\x65\x79\x4e\x45\x4f\x72\x33\x58" 721 #define YKPIV_ATR_YK4 "\x3b\xf8\x13\x00\x00\x81\x31\xfe\x15\x59\x75\x62\x69\x6b\x65\x79\x34\xd4" 722 #define YKPIV_ATR_YK5_P1 "\x3b\xf8\x13\x00\x00\x81\x31\xfe\x15\x01\x59\x75\x62\x69\x4b\x65\x79\xc1" 723 #define YKPIV_ATR_YK5 "\x3b\xfd\x13\x00\x00\x81\x31\xfe\x15\x80\x73\xc0\x21\xc0\x57\x59\x75\x62\x69\x4b\x65\x79\x40" 724 #define YKPIV_ATR_YK5_NFC "\x3b\x8d\x80\x01\x80\x73\xc0\x21\xc0\x57\x59\x75\x62\x69\x4b\x65\x79\xf9" 725 726 #define DEVTYPE_UNKNOWN 0x00000000 727 #define DEVTYPE_NEO 0x4E450000 //"NE" 728 #define DEVTYPE_YK 0x594B0000 //"YK" 729 #define DEVTYPE_NEOr3 (DEVTYPE_NEO | 0x00007233) //"r3" 730 #define DEVTYPE_YK4 (DEVTYPE_YK | 0x00000034) // "4" 731 #define DEVTYPE_YK5 (DEVTYPE_YK | 0x00000035) // "5" 732 #define DEVYTPE_YK5 DEVTYPE_YK5 // Keep old typo for backwards compatibility 733 734 #ifdef __cplusplus 735 } 736 #endif 737 738 #endif 739