New open authentication standards, FIDO2 and WebAuthn, have been getting a lot of attention lately, with tech giants like Apple joining the industry in adopting them. As a core creator of these standards, we celebrate these milestones, but our mission here at Yubico is to make a safer internet for all. In addition to driving new open web standards, our teams are also continuously working to support other authentication use cases and needs.
Today, we released Yubico PIV Tool 2.0. Many large companies and government agencies deploy YubiKeys as a user-friendly alternative to smart cards for public key infrastructure (PKI), and the PIV Tool helps with programming and managing YubiKeys. It allows users to import keys and certificates and generate keys on the device, among other operations.
If you are an enterprise or individual working with YubiKeys and PKI, the PKCS#11 module of the PIV Tool has a number of new capabilities that may help you with programming and managing YubiKeys. As a result, the 2.0 release is now compatible with:
- The Firefox browser
- The pkcs11-tool from OpenSC
- Java’s keytool (including jarsigner)
- SSH (see the YubiKey SSH guide)
- The Fortify application
The new functionality in PIV Tool 2.0 is primarily in the PKCS#11 module (YKCS11). With these new additions, developers can now:
- Open multiple parallel PKCS#11 sessions, as the module is now thread safe.
- Receive an attestation certificate for keys stored on the YubiKey PIV interface using standard PKCS#11 function calls.
- Utilize new padding options for RSA operations, specifically PSS padding for signatures/verification and OAEP padding for encryption/decryption.
The YKCS11 module updates also support a number of new functions to talk to a YubiKey:
- Encryption – EncryptInit, Encrypt, EncryptUpdate, EncryptFinal
- Decryption – DecryptInit, Decrypt, DecryptUpdate, DecryptFinal
- Digest – DigestInit, Digest, DigestUpdate, DigestFinal
- Signatures – SignUpdate, SignFinal (SignInit/Sign were already supported)
- Signature Verification – VerifyInit, Verify, VerifyUpdate, VerifyFinal
- Other Functions – InitToken, GetObjectSize, SeedRandom, GenerateRandom
A complete list of all the supported functions in Yubico PIV Tool 2.0, as well as new YKCS11 attributes, can be found here. Download Yubico PIV Tool 2.0 here, or learn more about the PIV (smart card) functionality of the YubiKey, and its varying use cases.