mirror of
https://github.com/Yubico/yubikey-ksm.git
synced 2024-12-12 03:08:54 +01:00
113 lines
3.1 KiB
Plaintext
113 lines
3.1 KiB
Plaintext
Key Provisioning Data Format
|
|
----------------------------
|
|
|
|
This file holds data used in the Yubikey personalization phase.
|
|
|
|
The file is an OpenPGP signed and encrypted text file. Readers should
|
|
support both CRLF and LF line endings. The values are text and
|
|
separated by comma ("," ASCII 0x2C). The first line of the file MUST
|
|
be as follows:
|
|
|
|
# ykksm 1
|
|
|
|
Each of the rest lines in the file follows the following format:
|
|
|
|
serialNr,publicName,internalName,aesKey,lockCode,created,accessed[,progflags] # comment
|
|
|
|
Any data after a # is treated as a comment and is ignored. Lines of
|
|
the following format:
|
|
|
|
# comment
|
|
|
|
are also treated as comments.
|
|
|
|
The meaning are as follows:
|
|
|
|
* serialNr:
|
|
|
|
the serial number of the device used for the barcode, decimal integer
|
|
|
|
* publicName:
|
|
|
|
encoding of the "external" yubikey prefix, 0-16 modhex characters, typically 12
|
|
modhex encoded data
|
|
|
|
* internalName:
|
|
|
|
encoding of the "internal" yubikey identity, always 6 binary bytes = 12 hex,
|
|
hex encoded data
|
|
|
|
* aesKey:
|
|
|
|
an aes key used for the device, length decides whether it is a 128, 192, or 256 bit keys.
|
|
hex encoded data
|
|
|
|
* lockCode:
|
|
|
|
the locking code, always 6 binary bytes = 12 hex,
|
|
hex encoded data
|
|
|
|
* created:
|
|
|
|
timestamp of when the key was created
|
|
for example 2009-02-24T17:41:57 or empty
|
|
|
|
* accessed:
|
|
|
|
timestamp of when the key was last accessed
|
|
for example 2009-02-24T17:41:57 or empty
|
|
|
|
* progflags:
|
|
|
|
optional field, integer with flags used during personalization
|
|
to enable, e.g., static key mode or cr output
|
|
|
|
Examples of valid data lines:
|
|
|
|
4711,dlcfffckrcde,ca62baca62ba,ecde18dbe76fbd0c33330f1c354871db,be70aeca62ba,2009-01-22 00:25:11,
|
|
4712,,ca62baca62ba,ecde18dbe76fbd0c33330f1c354871db,be70aeca62ba,2009-01-22 00:25:11,2009-02-13 00:05:40
|
|
4713,dlcfffckrcdedlcf,ca62baca62ba,ecde18dbe76fbd0c33330f1c354871db,be70aeca62ba,2009-01-22 00:25:11,2009-02-13 00:05:40,0
|
|
4714,dlcfffckrcdedlcf,ca62baca62ba,ecde18dbe76fbd0c33330f1c354871db,be70aeca62ba,2009-01-22 00:25:11,2009-02-13 00:05:40,4711
|
|
|
|
Example of actual data using the password 'foobar' (normally it would
|
|
be encrypted to a particular OpenPGP key id):
|
|
|
|
....
|
|
-----BEGIN PGP MESSAGE-----
|
|
Version: GnuPG v1.4.9 (GNU/Linux)
|
|
|
|
jA0EAwMClfljrWYVfm5gycDMIpZXLnzKtUfeEsqXRp63IdAghBzAfdIt4aeJ2kdV
|
|
x8uvvHKeHfytjEo/U9Wg4NYqYoDnMeb4zXBmrRqWu558ldW75e5R2kPImuQnZIBQ
|
|
3WKRbElrLpQTlbdyDDAzlOnVLvTrmekZ8ByUrED3tyZKJw7OW5YsHi3z5N+QNFbZ
|
|
hpMWfDBiJRksQEXv3BbiWVojSS+ZlCBiDjqnbIGuk0nZlJSe3F3Jwdz22Y05aU2h
|
|
+2e6vWkqsbvZMVHnU6pauyaM1dh2owXsoHCPLM1fs7ztIh5dAnV9d0TuW4ufKEFQ
|
|
FdH5c4dNgl36CNM8dDlM3c8YpfjxlQ11e6ub7QZC1Eu3gqvfPIvYpczlwjkYOkcH
|
|
nu1Iq42VgUSJzBr36aL9lLySyT8WRizzmJLaGYX/YqKgBXt6RTSO984WsxE6cl80
|
|
paFvFOjybJ2V5GYc7pfdZAM2ySEhnS6PaxYAQXfrEhhtTTCCg1eCqKh4Yamv3u0v
|
|
DAkppMqXeprjpC4cNvrQsVOKGx7HissA5x4rECLC
|
|
=d54w
|
|
-----END PGP MESSAGE-----
|
|
....
|
|
|
|
Naming Scheme
|
|
-------------
|
|
|
|
The files should use the standard GnuPG output extension '.asc'.
|
|
|
|
If you want to store many keys in a one-key per file approach, we
|
|
suggest to create files named after the serial number. For example:
|
|
|
|
0.asc
|
|
1.asc
|
|
2.asc
|
|
3.asc
|
|
4.asc
|
|
5.asc
|
|
6.asc
|
|
7.asc
|
|
8.asc
|
|
9.asc
|
|
10.asc
|
|
11.asc
|
|
...
|