Generating CSR #349

Open
Scarjit opened this issue Feb 10, 2022 · 5 comments

@Scarjit
Contributor

Scarjit commented Feb 10, 2022

I currently need to generate CSRs programmatically, but I can't find out how to do it with yubikey.rs.

The "normal" workflow would be (according to the Yubico docs):

    yubico-piv-tool -a generate -s 9c -A RSA2048 -o pub.key
    Successfully generated a new private key.
    yubico-piv-tool -a verify-pin -a request-certificate -s 9c -S '/CN=digi_sign/OU=test/O=example.com/' -i pub.key -o csr.pem
    Enter PIN:
    Successfully verified PIN.
    Successfully generated a certificate request.

After sending the certificate request to the CA and getting a signed certificate:

    yubico-piv-tool -a import-certificate -s 9c -i cert.pem
    Successfully imported a new certificate.

I was able to reproduce the first step, using:

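    use std::str::FromStr;
    use yubikey::piv::{AlgorithmId, RetiredSlotId, SlotId};
    use yubikey::{MgmKey, PinPolicy, Serial, TouchPolicy, YubiKey};

    fn main() {
        // Open the device by serial, then authenticate with the management key and PIN.
        let mut ykey = YubiKey::open_by_serial(Serial::from_str("17040128").unwrap()).unwrap();
        ykey.authenticate(MgmKey::default()).unwrap();
        ykey.verify_pin(b"123456").unwrap();

        // Generate a new RSA-2048 key pair in retired slot R1; the public key is returned.
        let generated_key = yubikey::piv::generate(
            &mut ykey,
            SlotId::Retired(RetiredSlotId::R1),
            AlgorithmId::Rsa2048,
            PinPolicy::Default,
            TouchPolicy::Default,
        )
        .unwrap();
    }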

However, the library only seems to expose a function to generate a self-signed certificate, instead of a CSR.

Is there any function I'm missing, or is it not implemented?

@tony-iqlusion
Member

tony-iqlusion commented Feb 10, 2022

FYI, we have a work-in-progress implementation of PKCS#10 (CSRs) going here:

https://github.com/RustCrypto/formats/tree/master/pkcs10

However to use that, we'll also need to switch over to the RustCrypto X.509 crate: #348

@npmccallum

@Scarjit I'm working very hard to make it possible to publish a polished x509 crate right now because we need it too. Please come help with reviews because we have lots of open PRs. :)

@Scarjit
Contributor Author

Scarjit commented Feb 11, 2022

@npmccallum I will definitively do that!

@tony-iqlusion
Member

FYI, we've migrated to x509-cert as of #495

@baloo
Contributor

baloo commented Feb 3, 2024

I think that should be doable with https://docs.rs/x509-cert/latest/x509_cert/builder/struct.RequestBuilder.html and https://docs.rs/yubikey/latest/yubikey/certificate/yubikey_signer/struct.Signer.html
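
Added example, not part of the thread and not code from yubikey.rs or x509-cert: a std-only Rust encoder for the PKCS#10 `CertificationRequestInfo` (RFC 2986), the DER bytes that the key in the PIV slot has to sign to turn a subject and public key into a CSR. The function names are hypothetical, only CN/OU/O are handled (encoded as UTF8String), and the SPKI in `main` is a constructed placeholder standing in for the public key returned by key generation.

```rust
// Added illustration (hypothetical helper names, std only): DER encoding of the
// PKCS#10 CertificationRequestInfo (RFC 2986), i.e. the to-be-signed part of a CSR.

/// Encode one DER TLV with a definite length (short or long form).
fn tlv(tag: u8, content: &[u8]) -> Vec<u8> {
    let mut out = vec![tag];
    if content.len() < 0x80 {
        out.push(content.len() as u8);
    } else {
        let be = content.len().to_be_bytes();
        let sig: Vec<u8> = be.iter().copied().skip_while(|b| *b == 0).collect();
        out.push(0x80 | sig.len() as u8);
        out.extend(sig);
    }
    out.extend_from_slice(content);
    out
}

/// Parse an OpenSSL-style subject ("/CN=a/OU=b/O=c/") into a DER Name.
/// Assumption: only CN, O and OU are accepted; values become UTF8String.
fn name_from_subject(subject: &str) -> Result<Vec<u8>, String> {
    let mut rdns = Vec::new();
    for part in subject.split('/').filter(|p| !p.is_empty()) {
        let (key, value) = part.split_once('=').ok_or_else(|| format!("bad RDN: {}", part))?;
        let arc = match key {
            "CN" => 3u8, // id-at OIDs are 2.5.4.x
            "O" => 10,
            "OU" => 11,
            _ => return Err(format!("unsupported attribute: {}", key)),
        };
        let atv = tlv(0x30, &[tlv(0x06, &[0x55, 0x04, arc]), tlv(0x0c, value.as_bytes())].concat());
        rdns.extend(tlv(0x31, &atv));
    }
    Ok(tlv(0x30, &rdns))
}

/// CertificationRequestInfo ::= SEQUENCE { version INTEGER (0), subject Name,
/// subjectPKInfo SubjectPublicKeyInfo, attributes [0] IMPLICIT SET (empty here) }
fn cert_request_info(subject: &str, spki_der: &[u8]) -> Result<Vec<u8>, String> {
    let parts = [tlv(0x02, &[0]), name_from_subject(subject)?, spki_der.to_vec(), tlv(0xa0, &[])];
    Ok(tlv(0x30, &parts.concat()))
}

fn main() {
    // Constructed placeholder SPKI (Ed25519 header + 32 zero bytes), not a real device key.
    let mut spki = vec![0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03, 0x21, 0x00];
    spki.extend_from_slice(&[0u8; 32]);
    let tbs = cert_request_info("/CN=digi_sign/OU=test/O=example.com/", &spki).unwrap();
    println!("{} bytes to sign, starting with {:02x?}", tbs.len(), &tbs[..2]);
}
```

The finished CSR is a SEQUENCE of these bytes, the signature algorithm identifier, and the signature as a BIT STRING; the private key never has to leave the device for that step.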
