The Yubico PIV tool is used for interacting with the Privilege and Identification Card (PIV) application on a YubiKey.
With it you may generate keys on the device, importing keys and certificates, and create certificate requests, and other operations. A shared library and a command-line tool is included.
For information and examples on what you can do with a PIV enabled YubiKey, see https://developers.yubico.com/PIV/
In general the project is covered by the following BSD license. The file ykcs11/pkcs11.h has additional copyright and licensing information, please see it for more information. Some other files (e.g., m4/*) have other licenses too but are only part of the build infrastructure.
Copyright (c) 2014-2016 Yubico AB
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above
copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided
with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Either clone from Git or download and unpackage the tarball, then make sure you have the pre-requisites installed and build following the steps below.
Please make sure to have recent versions of the following packages installed on your system.
autoconf automake libtool libssl pkg-config check libpcsc gengetopt help2man
Help2man is used to generate the manpages. Gengetopt version 2.22.6 or later is needed for command line parameter handling. The Vagrant VM has all these dependencies preinstalled.
$ autoreconf --install $ ./configure $ make $ sudo make install
On macos you might need to point out homebrew openssl version when running pkg-config.
$ PKG_CONFIG_PATH="/usr/local/opt/openssl@1.1/lib/pkgconfig" ./configure
Don’t forget you might need to be root for the last command. On Linux it might be needed to update your linked libraries after install
sudo ldconfig
The backend to use is decided at compile time, see the summary at the end of the ./configure output. Use --with-backend=foo to chose backend, replacing foo with the backend you want to use. The backends available are "pcsc", "macscard", and "winscard" using the PCSC interface, with slightly different shared library linkage and header file names: "pcsc" is used under GNU-like systems, "macscard" under Mac OS X, and "winscard" is used under Windows. In most situations, running ./configure should automatically find the proper backend to use. To turn on all warnings add --enable-gcc-warnings to ./configure
The main development platform is Debian GNU/Linux. The project is cross-compiled to Windows using MinGW (see windows.mk) using the PCSC backend. It may also be built for Mac OS X (see mac.mk), also using the PCSC backend.
For a list of all available options --help can be given. For more information on exactly what happens --verbose or --verbose=2 may be added.
Generate a new ECC-P256 key on device in slot 9a, will print the public key on stdout:
$ yubico-piv-tool -s9a -AECCP256 -agenerate
Generate a certificate request with public key from stdin, will print the resulting request on stdout:
$ yubico-piv-tool -s9a -S'/CN=foo/OU=test/O=example.com/' -averify -arequest
Generate a self-signed certificate with public key from stdin, will print the certificate, for later import, on stdout:
$ yubico-piv-tool -s9a -S'/CN=bar/OU=test/O=example.com/' -averify -aselfsign
Import a certificate from stdin:
$ yubico-piv-tool -s9a -aimport-certificate
Set a random chuid, import a key and import a certificate from a PKCS12 file, into slot 9c:
$ yubico-piv-tool -s9c -itest.pfx -KPKCS12 -aset-chuid -aimport-key \ -aimport-cert
Change the management key used for administrative authentication:
$ yubico-piv-tool -aset-mgm-key
Delete a certificate in slot 9a, with management key being asked for:
$ yubico-piv-tool -adelete-certificate -s9a -k
Show some information on certificates and other data:
$ yubico-piv-tool -astatus
Read out the certificate from a slot and then run a signature test:
$ yubico-piv-tool -aread-cert -s9a $ yubico-piv-tool -averify-pin -atest-signature -s9a
Import a key into slot 85 (only available on YubiKey 4 & 5) and set the touch policy (also only available on YubiKey 4 & 5):
$ yubico-piv-tool -aimport-key -s85 --touch-policy=always -ikey.pem