PIV Attestation OID Arc
The attestation feature added to the PIV module in YubiKey 4.3 and 5. For actual commands to work with the attestation feature, see the yubico-piv-tool documentation.
The concept of attestation is used to show that a certain asymmetric key has been generated on device and not imported. Typically this would be used before creating a certificate.
The values in the table are added to the Yubico OID to identify the Yubico product type.
Attestation is implemented by creating a X.509 certificate for the key that is to be attested, this is only done if the key has been generated on device. This certificate should be used for the purpose of verifying that the key was generated in device. Additional information included in the Attestation Certificate can be used to provide information about the device the attested key was generated on.
Some features of the generated certificate:
- Serial will be a random 16 byte integer
- Issuer will be the subject of the attesting certificate
- Dates will be copied from the attesting certificate
- Subject will be the string “YubiKey PIV Attestation ” with the attested slot appended
- If the attesting key is RSA the signature will be SHA256-PKCS#1v1.5
- If the attesting key is EC the signature will be ECDSA-SHA256
The YubiKey comes with a pre-loaded attestation certificate signed by a Yubico PIV CA. This can be overwritten by loading a new key and certificate to slot f9. After the Yubico key is overwritten it can not be brought back. The attestation key and certificate will not be cleared out by a reset of the device.
If you have a YubiKey Preview device, the attestation certificate will instead be signed by our Yubico PIV Preview CA
The root cert for the Yubico PIV CA was updated on September 24, 2018. The prior PEM can be found here. YubiKey 4 Series manufactured prior to mid-2017 and some manufactured in 2018 were signed with Yubico’s U2F Attestation CA.
For more information on support added to the current root certificate, see PIV Attestation Verification Fails with OpenSSL 1.1.0.
PIV OID Attestation Certificate Arc Values
The PIV Attestation certificates issued by Yubico have additional OIDs, used as certificate extensions.
|1||Attestation data and signature|
|5||Serial number Batch start|
|6||Serial number Batch end|
|7||Serial number (specific)|
Sample OID with PIV Type
Extensions in the generated certificate.
Firmware version, encoded as 3 bytes, like:
040300 for 4.3.0
Serial number of the YubiKey, encoded as an
Two bytes, the first encoding pin policy and
the second touch policy
- Pin policy: 01 - never, 02 - once per session,
03 - always
- Touch policy: 01 - never, 02 - always,
03 - cached for 15s
Formfactor, encoded as one byte
- USB-A Keychain: 01 (81 for FIPS Devices)
- USB-A Nano: 02 (82 for FIPS Devices)
- USB-C Keychain: 03 (83 for FIPS Devices)
- USB-C Nano: 04 (84 for FIPS Devices)
- Lightning and USB-C: 05 (85 for FIPS Devices)
FIPS Certified YubiKey
CSPN Certified YubiKey