openpgp-piv-sequoia

A library to use PIV devices in an OpenPGP context.

PIV ("Personal Identity Verification", also known as FIPS 201) is a United States federal government standard for cryptographic smart cards.

PIV devices are widely available, and it is possible to use them to perform cryptographic operations in OpenPGP contexts.

Supported algorithms

The PIV standard specifies use of RSA 2048, NIST P-256 or NIST P-384. Other asymmetric algorithms are not part of the official standard.

Some devices implement additional cryptographic mechanisms. However, these are currently proprietary extensions.

YubiKey 4/5

The widely available YubiKey 4 and 5 devices support multiple protocols. Among those is PIV.

The PIV application on YubiKey devices is independent of the OpenPGP card application that the devices also offer (that is, the two applications are separate, and can contain different key material).

One feature of the YubiKey PIV application is that it offers 20 additional slots for "retired" decryption keys.

PIV vs. PKCS #​11 with YubiKey 4/5

It's possible to access the PIV application on the YubiKey 4/5 via two different interfaces:

• directly using the PIV protocol, or
• via a PKCS #​11 driver module (using the ykcs11 library).

Both interfaces allow using the same key material. The interfaces are in a sense interchangeable.

Software PIV implementations

These implementations are

PivApplet

https://github.com/arekinath/PivApplet

Canokey

The Canokey secure key can be run on the host computer as a simulator

https://github.com/canokeys/canokey-core/

OpenFIPS201

https://github.com/makinako/OpenFIPS201 https://github.com/makinako/OpenFIPS201-jc22

Virtual PIV devices for CI testing

A companion project offers containerized software PIV implementations, for CI testing.

PIV specification

https://csrc.nist.gov/Projects/piv/piv-standards-and-supporting-documentation