1
0
mirror of https://github.com/Yubico/yubikey-ksm.git synced 2024-12-04 15:24:15 +01:00
yubikey-ksm/doc/Key_Provisioning_Format.adoc
2014-10-29 13:55:36 +01:00

109 lines
3.0 KiB
Plaintext

Key Provisioning Data Format
----------------------------
This file holds data used in the Yubikey personalization phase.
The file is an OpenPGP signed and encrypted text file. Readers should
support both CRLF and LF line endings. The values are text and
separated by comma ("," ASCII 0x2C). The first line of the file MUST
be as follows:
# ykksm 1
Each of the rest lines in the file follows the following format:
serialNr,publicName,internalName,aesKey,lockCode,created,accessed[,progflags] # comment
Any data after a # is treated as a comment and is ignored. Lines of
the following format:
# comment
are also treated as comments.
The meaning are as follows:
serialNr::
the serial number of the device used for the barcode, decimal integer
publicName::
encoding of the "external" yubikey prefix, 0-16 modhex characters, typically 12
modhex encoded data
internalName::
encoding of the "internal" yubikey identity, always 6 binary bytes = 12 hex,
hex encoded data
aesKey::
an aes key used for the device, length decides whether it is a 128, 192, or 256 bit keys.
hex encoded data
lockCode::
the locking code, always 6 binary bytes = 12 hex,
hex encoded data
created::
timestamp of when the key was created
for example 2009-02-24T17:41:57 or empty
accessed::
timestamp of when the key was last accessed
for example 2009-02-24T17:41:57 or empty
progflags::
optional field, integer with flags used during personalization
to enable, e.g., static key mode or cr output
Examples of valid data lines:
....
4711,dlcfffckrcde,ca62baca62ba,ecde18dbe76fbd0c33330f1c354871db,be70aeca62ba,2009-01-22 00:25:11,
4712,,ca62baca62ba,ecde18dbe76fbd0c33330f1c354871db,be70aeca62ba,2009-01-22 00:25:11,2009-02-13 00:05:40
4713,dlcfffckrcdedlcf,ca62baca62ba,ecde18dbe76fbd0c33330f1c354871db,be70aeca62ba,2009-01-22 00:25:11,2009-02-13 00:05:40,0
4714,dlcfffckrcdedlcf,ca62baca62ba,ecde18dbe76fbd0c33330f1c354871db,be70aeca62ba,2009-01-22 00:25:11,2009-02-13 00:05:40,4711
....
Example of actual data using the password 'foobar' (normally it would
be encrypted to a particular OpenPGP key id):
....
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (GNU/Linux)
jA0EAwMClfljrWYVfm5gycDMIpZXLnzKtUfeEsqXRp63IdAghBzAfdIt4aeJ2kdV
x8uvvHKeHfytjEo/U9Wg4NYqYoDnMeb4zXBmrRqWu558ldW75e5R2kPImuQnZIBQ
3WKRbElrLpQTlbdyDDAzlOnVLvTrmekZ8ByUrED3tyZKJw7OW5YsHi3z5N+QNFbZ
hpMWfDBiJRksQEXv3BbiWVojSS+ZlCBiDjqnbIGuk0nZlJSe3F3Jwdz22Y05aU2h
+2e6vWkqsbvZMVHnU6pauyaM1dh2owXsoHCPLM1fs7ztIh5dAnV9d0TuW4ufKEFQ
FdH5c4dNgl36CNM8dDlM3c8YpfjxlQ11e6ub7QZC1Eu3gqvfPIvYpczlwjkYOkcH
nu1Iq42VgUSJzBr36aL9lLySyT8WRizzmJLaGYX/YqKgBXt6RTSO984WsxE6cl80
paFvFOjybJ2V5GYc7pfdZAM2ySEhnS6PaxYAQXfrEhhtTTCCg1eCqKh4Yamv3u0v
DAkppMqXeprjpC4cNvrQsVOKGx7HissA5x4rECLC
=d54w
-----END PGP MESSAGE-----
....
Naming Scheme
~~~~~~~~~~~~~
The files should use the standard GnuPG output extension '.asc'.
If you want to store many keys in a one-key per file approach, we
suggest to create files named after the serial number. For example:
....
0.asc
1.asc
2.asc
3.asc
4.asc
5.asc
6.asc
7.asc
8.asc
9.asc
10.asc
11.asc
...
....