Draft: PKCS #11 backend implementation for Yubikey 4/5 via ykcs11 driver

Heiko requested to merge hkos/sequoia-keystore:pkcs11-yk into main

An initial implementation of the keystore backend based on the https://crates.io/crates/openpgp-pkcs11-sequoia library.

This implementation assumes:

  • that IDs follow the ykcs11 convention to detect which role a key should be used for
  • that the X.509 certificate on the card contains relevant metadata to derive the OpenPGP Key

Possible future work: the keystore could add a mechanism to query the backend about the public key material in slots, and optionally provide OpenPGP certificates to the backend as an alternate source of OpenPGP key metadata (fingerprint, creation time, KEK/KDF parameters).

Edited by Heiko
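As an added example, not code from this merge request, from sequoia-keystore or from openpgp-pkcs11-sequoia: a Python sketch of what the two assumptions above amount to in practice (the backend itself is Rust; Python is used here only because the derivation stays short without crates). It assumes the ykcs11 CKA_ID numbering as documented for yubico-piv-tool (1 = slot 9a, 2 = 9c, 3 = 9d, 4 = 9e), a PIV-slot-to-OpenPGP-role mapping chosen here for illustration, and that the X.509 certificate's notBefore is taken as the OpenPGP creation time. The RSA modulus and timestamp in the demo are constructed toy values, not data from a card.

```python
"""Added example: derive OpenPGP key metadata (role, creation time, v4
fingerprint, key ID) for an RSA key exposed by ykcs11, using only what the
PKCS#11 object gives us: its CKA_ID and the X.509 certificate stored with it.
Everything marked ASSUMPTION is a choice made for this sketch.
"""
import hashlib
import struct
from datetime import datetime, timezone

# ASSUMPTION: ykcs11 assigns CKA_ID by PIV slot (1 = 9a, 2 = 9c, 3 = 9d, 4 = 9e;
# 5..24 are the retired key-management slots 82..95, 25 is attestation f9).
YKCS11_ID_TO_PIV_SLOT = {1: 0x9A, 2: 0x9C, 3: 0x9D, 4: 0x9E}

# ASSUMPTION: which OpenPGP role a PIV slot maps to is a design choice.
PIV_SLOT_TO_OPENPGP_ROLE = {
    0x9A: "authentication",  # PIV Authentication
    0x9C: "signing",         # Digital Signature
    0x9D: "decryption",      # Key Management (encryption key in OpenPGP terms)
    0x9E: None,              # Card Authentication: no OpenPGP role given here
}


def role_for_cka_id(cka_id: int):
    """Map a ykcs11 object ID to an OpenPGP role, or None if the slot is not used."""
    slot = YKCS11_ID_TO_PIV_SLOT.get(cka_id)
    if slot is None:
        return None  # retired slots and the attestation key are skipped
    return PIV_SLOT_TO_OPENPGP_ROLE.get(slot)


def mpi(value: int) -> bytes:
    """RFC 4880 section 3.2 MPI: two-octet bit length, then big-endian magnitude."""
    if value == 0:
        return b"\x00\x00"
    nbytes = (value.bit_length() + 7) // 8
    return struct.pack(">H", value.bit_length()) + value.to_bytes(nbytes, "big")


def v4_rsa_public_key_body(n: int, e: int, creation_time: int) -> bytes:
    """Body of a version 4 public-key packet for RSA (RFC 4880 section 5.5.2):
    version, 4-octet creation time, algorithm 1 (RSA), MPI(n), MPI(e)."""
    return b"\x04" + struct.pack(">I", creation_time) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 section 12.2: SHA-1 over 0x99, two-octet body length, body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def openpgp_key_from_pkcs11_object(cka_id: int, n: int, e: int, not_before_unix: int) -> dict:
    """Combine the two assumptions: CKA_ID gives the role, the certificate's
    notBefore (already converted to Unix seconds) gives the creation time, and
    the public key material plus creation time give the fingerprint."""
    # ASSUMPTION: notBefore stands in for the OpenPGP key creation time.
    body = v4_rsa_public_key_body(n, e, not_before_unix)
    fpr = v4_fingerprint(body)
    return {
        "role": role_for_cka_id(cka_id),
        "creation_time": not_before_unix,
        "fingerprint": fpr.hex().upper(),
        "keyid": fpr[-8:].hex().upper(),  # v4 key ID is the low 64 bits
    }


if __name__ == "__main__":
    # Constructed inputs: a toy 8-bit modulus and a fixed notBefore.
    not_before = datetime(2024, 1, 1, tzinfo=timezone.utc)
    key = openpgp_key_from_pkcs11_object(2, 0xB3, 65537, int(not_before.timestamp()))
    print(key)
```

The point of the last function is the caveat behind the "future work" paragraph: the v4 fingerprint hashes the creation time together with the public key, so if the backend's guess for the creation time (here notBefore) differs by even a second from the one used when an OpenPGP certificate was originally created, the derived fingerprint will not match that certificate. Letting the keystore hand the backend an OpenPGP certificate as the metadata source avoids that guess.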