openpgp-piv-tools

This crate implements opgpiv, an exploratory CLI tool that exposes the functionality in openpgp-piv-sequoia to use PIV devices in an OpenPGP context.

Uploading OpenPGP component keys to the YubiKey PIV application

Import of key material to cards is possible via the PIV interface.

The upload command automatically chooses the appropriate subkey from the OpenPGP key (assuming exactly one subkey exists for the requested function) and uploads it to the appropriate key slot in the YubiKey PIV application:

```shell
$ cargo run --bin opgpiv -- upload --serial 16019180 --slot dec --key /tmp/janus.pgp
```

Currently supported slot identifiers: sig, dec, aut, ret01, ret02, ret03, ret04, ret05 (the slots for retired keys ["retXX"] can be used for decryption keys).
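The selection rule described above, as a std-only model that is an added example and not opgpiv's own code. The names `Function`, `Subkey`, `function_for_slot` and `select_subkey` are hypothetical, the sample key is constructed, and refusing on zero or several candidates is an assumption about how the "exactly one subkey" precondition is enforced.

```rust
// Added illustration: models slot-to-function mapping and the "exactly one
// subkey" rule. Not opgpiv's code; all names here are hypothetical.
#[derive(Debug, Clone, Copy, PartialEq)]
enum Function { Sign, Decrypt, Authenticate }

// Constructed stand-in for an OpenPGP subkey and the functions its key flags allow.
#[derive(Debug, Clone, PartialEq)]
struct Subkey { fingerprint: &'static str, functions: &'static [Function] }

// Map a slot identifier from the supported list to the key function it needs.
fn function_for_slot(slot: &str) -> Result<Function, String> {
    match slot {
        "sig" => Ok(Function::Sign),
        "aut" => Ok(Function::Authenticate),
        // Retired-key slots can hold decryption keys, like "dec".
        "dec" | "ret01" | "ret02" | "ret03" | "ret04" | "ret05" => Ok(Function::Decrypt),
        other => Err(format!("unsupported slot identifier: {other}")),
    }
}

// Return the single subkey usable for `slot`. Zero or several candidates is an
// error (assumed behaviour), so no private key is written to a card on a guess.
fn select_subkey<'a>(subkeys: &'a [Subkey], slot: &str) -> Result<&'a Subkey, String> {
    let function = function_for_slot(slot)?;
    let candidates: Vec<&Subkey> =
        subkeys.iter().filter(|k| k.functions.contains(&function)).collect();
    match candidates.as_slice() {
        [only] => Ok(*only),
        [] => Err(format!("no subkey for {function:?}")),
        many => Err(format!("{} subkeys for {function:?}, expected exactly one", many.len())),
    }
}

fn main() {
    // Constructed sample key: one signing subkey and one encryption subkey.
    let key = [
        Subkey { fingerprint: "SIGN-SUBKEY", functions: &[Function::Sign] },
        Subkey { fingerprint: "ENC-SUBKEY", functions: &[Function::Decrypt] },
    ];
    for slot in ["sig", "dec", "ret01", "aut"] {
        println!("{slot}: {:?}", select_subkey(&key, slot).map(|k| k.fingerprint));
    }
}
```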

After also uploading the sig subkey:

```shell
$ cargo run --bin opgpiv -- upload --serial 16019180 --slot sig --key /tmp/janus.pgp
```

we can inspect the status of the PIV application:

```shell
$ cargo run --bin opgpiv -- status --serial 16019180
Slot: Signature
Serial: d6:e3:18:27:2c:af:ae:16:13:f1:7f:b7:e0:c4:2e:12:af:35:37:ae
Issuer: CN=Janus janus@example.org
Subject: CN=Janus janus@example.org
Subject PKI: PublicKeyInfo(EccP384)

Slot: KeyManagement
Serial: 7b:3b:b1:f2:1b:d2:27:be:dc:7a:24:fa:50:3c:02:6c:84:4c:23:8a
Issuer: CN=Janus janus@example.org
Subject: CN=Janus janus@example.org
Subject PKI: PublicKeyInfo(EccP384)
```

(Adding the -v flag additionally outputs the full X.509 certificate information.)