• Stars
    star
    255
  • Rank 159,729 (Top 4 %)
  • Language
    C
  • License
    BSD 2-Clause "Sim...
  • Created almost 11 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Command line tool for the YubiKey PIV application

Yubico PIV Tool

Introduction

The Yubico PIV tool is used for interacting with the Personal Identity Verification (PIV) application on a YubiKey.

With it you may generate keys on the device, importing keys and certificates, and create certificate requests, and other operations. A shared library and a command-line tool is included.

Usage guides

For information and examples on what you can do with a PIV enabled YubiKey, see https://developers.yubico.com/PIV/

License

In general the project is covered by the following BSD license. The file ykcs11/pkcs11.h has additional copyright and licensing information, please see it for more information.

   Copyright (c) 2014-2020 Yubico AB
   All rights reserved.

   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions are
   met:

     * Redistributions of source code must retain the above copyright
       notice, this list of conditions and the following disclaimer.

     * Redistributions in binary form must reproduce the above
       copyright notice, this list of conditions and the following
       disclaimer in the documentation and/or other materials provided
       with the distribution.

   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Building on POSIX platforms

Either clone from Git or download and unpackage the tarball, then make sure you have the pre-requisites installed and build following the steps below from the yubico-piv-tool directory.

Please make sure to have recent versions of the following packages installed on your system.

cmake libtool libssl-dev pkg-config check libpcsclite-dev gengetopt help2man

Help2man is used to generate the manpages. Gengetopt version 2.22.6 or later is needed for command line parameter handling. The Vagrant VM has all these dependencies preinstalled.

Please note that these package names are debian based. Other POSIX plarforms might have different names. For example, libssl-dev can probably be replaced with openssl-devel and libpcsclite-dev can probably be replaced by pcsc-lite-devel on a Redhat platform. Also note that Gengetopt might not be available on all plarforms and might need to be built from source (See https://www.gnu.org/software/gengetopt/gengetopt.html#Installation)

After installation of all dependencies, run the following:

$ cd yubico-piv-tool
$ mkdir build; cd build
$ cmake ..
$ make
$ sudo make install

On macos, you might need to point out homebrew openssl version when running pkg-config.

$ PKG_CONFIG_PATH="/usr/local/opt/[email protected]/lib/pkgconfig" cmake ..

To statically link to OpenSSL (the libcrypto library), use the cmake option -DOPENSSL_STATIC_LINK=ON

Don’t forget you might need to be root for the last command. On Linux it might be needed to update your linked libraries after install

sudo ldconfig

The backend to use is decided at compile time, see the summary at the end of the cmake output. Use --with-backend=foo to choose backend, replacing foo with the backend you want to use. The backends available are "pcsc", "macscard" and "winscard" using the PCSC interface, with slightly different shared library linkage and header file names: "pcsc" is used under GNU-like systems, "macscard" under Mac OS X, and "winscard" is used under Windows. In most situations, running cmake should automatically find the proper backend to use.

Building on Windows

Building on Windows requires MSBuild or Visual Studio and the MSVC compiler. It also requires building the binaries from the source release package and not from the source checked out from the repository on GitHub. This is because some files that are part of the command line shell are generated but they cannot, currently, be generated on Windows. Those files are, however, included in the source release package.

On Windows, getopt is needed to read command line arguments. The easiest way to install getopt is with the vcpkg package manager. The path to getopt DLL library and include file need to be specified as a command line argument to cmake. Also the path to OpenSSL needs to be specified either as a command line argument to cmake or by setting the environment variable OPENSSL_ROOT_DIR

The command line examples bellow are for PowerShell and the prerequisites were installed from source (using vcpkg).

$ env:OPENSSL_ROOT_DIR ="PATH/TO/OPENSSL_DIR"
$ mkdir build; cd build
$ cmake -A <ARCH> -DGETOPT_LIB_DIR="PATH/TO/GETOPT_DIR/lib" -DGETOPT_INCLUDE_DIR="PATH/TO/GETOPT_DIR/include ..
$ cmake --build .

To run the tests, check is used. The path to the check directory needs to be specified as a command line argument to cmake. Also the path to check binaries, OpenSSL binaries, libykpiv.dll and libykcs11.dll need to be in the PATH

$ env:OPENSSL_ROOT_DIR ="PATH/TO/OPENSSL_DIR"
$ mkdir build; cd build
$ cmake -A <ARCH> -DGETOPT_LIB_DIR="PATH/TO/GETOPT_DIR/lib" -DGETOPT_INCLUDE_DIR="PATH/TO/GETOPT_DIR/include -DCHECK_PATH="PATH/TO/CHECK_DIR" ..
$ cmake --build .
$ $env:Path +=";PATH/TO//CHECK_DIR/bin;PATH/TO/OPENSSL_DIR/bin;PATH/TO/build\lib\Debug;PATH/TO/build\ykcs11\Debug"
$ ctest.exe -C Debug

For building on 32 bits system, use Win32 as ARCH. For building on 64 bits systems, use x64 as ARCH.

Coverage

Code coverage is provided courtesy of lcov and CMake-codecov. This currently only works with make.

Enable coverage with

$ cmake -DENABLE_COVERAGE=1 ..

You can then build the project normally and run some executables (for example running the tests with make test).

At this point coverage evaluation can be generated with gcov/lcov related targets. For example

$ make lcov

will generate a single HTML report in ./lcov/html/all_targets/index.html

Portability

The main development platform is Debian GNU/Linux. The project compiles on Windows using MSVC and the PCSC backend. It can also be built for Mac OS X, also using the PCSC backend.

Example Usage

For a list of all available options --help can be given. For more information on exactly what happens --verbose or --verbose=2 may be added.

Generate a new ECC-P256 key on device in slot 9a, will print the public key on stdout:

$ yubico-piv-tool -s9a -AECCP256 -agenerate

Generate a certificate request with public key from stdin, will print the resulting request on stdout:

$ yubico-piv-tool -s9a -S'/CN=foo/OU=test/O=example.com/' -averify -arequest

Generate a self-signed certificate with public key from stdin, will print the certificate, for later import, on stdout:

$ yubico-piv-tool -s9a -S'/CN=bar/OU=test/O=example.com/' -averify -aselfsign

Import a certificate from stdin:

$ yubico-piv-tool -s9a -aimport-certificate

Set a random chuid, import a key and import a certificate from a PKCS12 file, into slot 9c:

$ yubico-piv-tool -s9c -itest.pfx -KPKCS12 -aset-chuid -aimport-key \
  -aimport-cert

Change the management key used for administrative authentication:

$ yubico-piv-tool -aset-mgm-key

Delete a certificate in slot 9a, with management key being asked for:

$ yubico-piv-tool -adelete-certificate -s9a -k

Show some information on certificates and other data:

$ yubico-piv-tool -astatus

Read out the certificate from a slot and then run a signature test:

$ yubico-piv-tool -aread-cert -s9a
$ yubico-piv-tool -averify-pin -atest-signature -s9a

Import a key into slot 85 (only available on YubiKey 4 & 5) and set the touch policy (also only available on YubiKey 4 & 5):

$ yubico-piv-tool -aimport-key -s85 --touch-policy=always -ikey.pem

More Repositories

1

yubioath-flutter

Yubico Authenticator for Desktop (Windows, macOS and Linux) and Android
Dart
832
star
2

yubikey-manager

Python library and command line tool for configuring any YubiKey over all USB interfaces.
Python
729
star
3

yubico-pam

Yubico Pluggable Authentication Module (PAM)
C
650
star
4

pam-u2f

Pluggable Authentication Module (PAM) for U2F and FIDO2
C
498
star
5

libfido2

Provides library functionality for FIDO2, including communication with a device over USB or NFC.
C
461
star
6

python-fido2

Provides library functionality for FIDO 2.0, including communication with a device over USB.
Python
362
star
7

java-webauthn-server

Server-side Web Authentication library for Java https://www.w3.org/TR/webauthn/#rp-operations
Scala
354
star
8

libu2f-host

Yubico Universal 2nd Factor (U2F) Host C Library
C
321
star
9

php-u2flib-server

(OBSOLETE) U2F library in PHP
PHP
292
star
10

python-u2flib-server

Python based U2F server library
Python
287
star
11

yubikey-personalization

YubiKey Personalization cross-platform library and tool
C
279
star
12

yubioath-android

Yubico Authenticator for Android
Kotlin
240
star
13

python-yubico

Python code to talk to YubiKeys
Python
220
star
14

ykneo-openpgp

OpenPGP applet for the YubiKey NEO
Java
214
star
15

yubikey-manager-qt

Cross-platform application for configuring any YubiKey over all USB interfaces.
QML
200
star
16

yubikey-personalization-gui

YubiKey Personalization GUI
C++
183
star
17

yubikit-ios

Yubico Mobile iOS SDK - YubiKit
Objective-C
171
star
18

php-yubico

PHP class for Yubico authentication
PHP
133
star
19

java-u2flib-server

(OBSOLETE) Java server-side library for U2F
Java
130
star
20

yubikey-val

YubiKey OTP validation server in PHP
PHP
130
star
21

Yubico.NET.SDK

A YubiKey SDK for .NET developers
C#
98
star
22

libu2f-server

Yubico Universal 2nd Factor (U2F) Server C Library
C
94
star
23

yubico-c

YubiKey C low-level library (libyubikey)
C
92
star
24

yubico-c-client

Yubico C client library
C
87
star
25

yubikit-android

Yubico Mobile Android SDK - YubiKit
Java
77
star
26

u2fval

Python based U2F Validation Server
Python
75
star
27

yubihsm-shell

yubihsm-shell and libyubihsm
C
73
star
28

python-pyhsm

Python code for YubiHSM
Python
67
star
29

ykneo-oath

OATH App for the YubiKey NEO
Java
63
star
30

yubico-java-client

Client library for verifying YubiKey one-time passwords (OTPs).
Java
62
star
31

webauthn-recovery-extension

Asynchronous delegated key generation without shared secrets (DRAFT)
Python
59
star
32

yubikey-neo-manager

Cross platform personalization tool for the YubiKey NEO
Python
57
star
33

yubico-windows-auth

YubiKey Logon for windows
C++
56
star
34

yubikey-ksm

YubiKey Key Storage Module
Perl
55
star
35

yubico-dotnet-client

Yubico validation protocol 2.0 client
C#
52
star
36

developers.yubico.com

Source code for generating our website
HTML
49
star
37

python-u2flib-host

Python based U2F host library
Python
47
star
38

wordpress-u2f

A Wordpress U2F plugin.
PHP
42
star
39

python-yubihsm

Python
42
star
40

yubiclip-android

YubiKey NEO OTP to clipboard app for Android
Java
41
star
41

yubikey-piv-manager

Tool for configuring your PIV-enabled YubiKey
Python
40
star
42

yubiauth

Authentication backend written in Python
Python
29
star
43

yubix

Yubico reference authentication software stack. This package installs and configures various packages contained in the YubiX stack.
Perl
29
star
44

yubihsm-connector

Go
28
star
45

yubioath-ios

Yubico Authenticator for iOS
Swift
27
star
46

ykneo-curves

Applet for testing ecc curves
Java
25
star
47

android-u2f-demo

U2F demo app for Android using NFC
Java
24
star
48

yubix-vm

Scripts for building a VM image for Yubi-X
Shell
18
star
49

u2fval-client-php

PHP connector library for communicating with a U2FVAL server
PHP
17
star
50

yubico-shibboleth-idp-multifactor-login-handler

Multi-factor Login Handler for Shibboleth IdP.
Java
16
star
51

yubico.github.com

Release artifacts for all projects.
HTML
15
star
52

u2fval-client-python

Python connector library for communicating with a U2FVAL server
Python
14
star
53

yubico-j

Low-level library for decrypting and parsing Yubikey One-Time Passwords (OTP), written in Java.
Java
14
star
54

yubikey-neo-demo

Android demo application for uses of the YubiKey NEO
Java
14
star
55

python-yubicommon

Common utility modules shared between various Python based Yubico projects.
Python
13
star
56

yubico-bitcoin-java

Java client library for communicating with the ykneo-bitcoin applet for the YubiKey NEO
Java
13
star
57

yubitotp-android

Android application for TOTP with YubiKey NEO
Java
13
star
58

yubico-dbus-notifier

Get D-Bus notifications when a YubiKey is inserted/removed
Python
12
star
59

libykneomgr

YubiKey NEO CCID Manager C Library
C
11
star
60

yubico-perl-client

AnyEvent based Perl extension for validating YubiKey OTPs against the Yubico Validation Protocol version 2.0
Perl
11
star
61

yubiadmin

Web based administration tool for Yubico software components including YK-VAL, YK-KSM and rlm_yubikey
Python
11
star
62

ifd-yubico

Yubico OS X libccid patcher
Python
10
star
63

yubikey-personalization-gui-dpkg

Debian packaging of yubico-personalization-gui
C++
8
star
64

yubihsmrs

rust wrapper for libyubihsm
Rust
8
star
65

yubico-pam-dpkg

Debian packaging of yubico-pam
Shell
7
star
66

yubikey-neo-manager-dpkg

Debian packaging for yubikey-neo-manager
Python
7
star
67

yubikey-salesforce-client

Apex classes for validating YubiKey one-time passwords
Apex
7
star
68

rlm-yubico

FreeRADIUS module for using YubiKeys for authentication
Perl
7
star
69

yubico-piv-tool-dpkg

Moved to https://salsa.debian.org/auth-team/yubico-piv-tool
C
7
star
70

yubikey-personalization-dpkg

Debian package of yubikey-personalization
C
6
star
71

yubioath-desktop-dpkg

Debian package for yubioath-desktop.
Python
6
star
72

yubikit-swift

Yubico Swift SDK - YubiKit
Swift
6
star
73

yubico-bitcoin-python

Python client library and command line tool for communicating with the ykneo-bitcoin applet for the YubiKey NEO
Python
6
star
74

python-yubico-client-dpkg

Debian package for python-yubico-client.
Python
5
star
75

gradle-gpg-signing-plugin

GnuPG signing backend for Gradle's Signing plugin
Java
5
star
76

python-yubico-dpkg

Debian packaging of python-yubico
Python
5
star
77

python-pyhsm-dpkg

Debian packaging of python-pyhsm
Python
4
star
78

yubihsm-setup

Rust
4
star
79

libu2f-server-dpkg

Debian packaging for libu2f-server
Shell
4
star
80

ykneo-ccid-tools

YubiKey NEO CCID Tools
Objective-C
4
star
81

arkg-rfc

Internet-Draft: The Asynchronous Remote Key Generation (ARKG) algorithm
Makefile
4
star
82

yubico-c-dpkg

Debian packaging of the Yubico C library (libyubikey)
Shell
4
star
83

webauthn-sign-kem-extensions

DRAFT: WebAuthn extension(s) for arbitrary signing and key encapsulation
4
star
84

pam-u2f-dpkg

Debian packaging for pam-u2f
Shell
3
star
85

php-yubico-dpkg

Debian packaging of php-yubico
PHP
3
star
86

yubikey-piv-manager-dpkg

Debian packaging for yubikey-piv-manager
Python
3
star
87

yubico-c-client-dpkg

Debian package of Yubico C Client
Shell
2
star
88

libu2f-host-dpkg

debian packaging of libu2f-host
Shell
2
star
89

yubikey-ksm-dpkg

Debian package of YubiKey KSM project
Perl
2
star
90

yubikey-val-dpkg

Debian package of YubiKey VAL project
PHP
2
star
91

globalplatform-dpkg

Debian packaging for globalplatform
C
2
star
92

rlm-yubico-dpkg

Debian package of rlm-yubico
Perl
2
star
93

gpshell-dpkg

Debian packaging for gpshell
C
2
star
94

gppcscconnectionplugin-dpkg

Debian packaging for gppcscconnectionplugin
Shell
2
star
95

yubiauth-dpkg

Debian package of the YubiAuth project
Python
2
star
96

yubico-perl-client-dpkg

Debian packaging for yubico-perl-client
Perl
2
star
97

yubiadmin-dpkg

Debian package for yubiadmin
Python
2
star
98

libykneomgr-dpkg

Debian packaging of libykneomgr
Shell
2
star