This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
```python
#!/usr/bin/env python
# verify attestation information to cryptographically prove that a given key is hardware-backed.
# For instance:
#
# ./ssh-sk-attest.py --key id.pub --attestation attestation.bin --challenge challenge.bin --mds mds.jwt
# To generate an SSH pubkey, a challenge, and an attestation:
# openssl rand 128 > challenge.bin
# ssh-keygen -t ${KEYTYPE} -f ./id -N "" -O challenge=challenge.bin -O write-attestation=attestation.bin
```
```python
#!/usr/bin/env python
# validate Yubico OTP
# To get your API key:
# https://upgrade.yubico.com/getapikey/
from sys import exit, stderr
from argparse import ArgumentParser
from requests import get
```
```bash
#!/bin/bash
# step 1 - generate a new key pair on a YubiKey
yubico-piv-tool -a generate -s 9c -A ECCP256 -o pub.pem
# step 2 - generate data to be signed
jo iss=issuer aud=audience > payload.json
jo alg=ES256 typ=JWT > header.json
```
```python
# Run with a single argument: a /dev/hidrawX path.
# If you don't have udev setup to allow access to U2F tokens, you may need to
# chown the device to your user before running this script.
# If you don't know which hidraw to use, try removing and reinserting your
# token. Then the device with the most recent ctime is the one you want.
#
# Once running, press the token's button twice. The first press will trigger a
# registration, the second an authentication.
#
# Python3 version of https://www.imperialviolet.org/binary/ctap1.py
```
```python
#!/usr/bin/env python3
# Show attributes for a YubiKey PIV attestation certificate
#
# Use ykman to generate a PIV attestation certificate for a slot (for instance 9a):
# ykman piv keys attest 9a attestation.pem
#
# To show the attributes in the generated attestation certificate:
# ykman script ./check_yubikey_attestation.py attestation.pem
```
```python
#!/usr/bin/env python3
# NOTE:
# requires cryptography (pip install cryptography)
from cryptography import x509
from cryptography.hazmat.backends import default_backend
import sys
# NOTE: uses PEP 634: Structural Pattern Matching
```
```bash
#!/bin/bash
# use a key and certificate stored on a smartcard to access a website that requires TLS client authentication from the command line on macOS
#
# uses curl compiled against openssl with engine support
# a pkcs11 engine is used together with a generic pkcs11 module for smartcards to interface with the smartcard
# INSTALL
echo installing required software...
```
```python
import sys
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import padding

def verify_signature(parent, child):
    parent.public_key().verify(
        child.signature,
        child.tbs_certificate_bytes,
        padding.PKCS1v15(),
```
```html
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<style>
.button {
  color: white;
  background-color: teal;
  padding: 15px 15px;
  margin: 4px 2px;
```