Require PIN for registering an hotp credential

Motivation: Nitrokey/nitrokey-hotp-verification#30
Nitrokey · Apr 24, 2024 · 674b981 · 674b981
1 parent 6eff6f9
commit 674b981
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/src/authenticator.rs b/src/authenticator.rs
@@ -20,6 +20,7 @@ use crate::command::CredentialData::HmacData;
 use crate::command::{Credential, EncryptionKeyType, ListCredentials, VerifyCode, YkGetHmac};
 use crate::credential::CredentialFlat;
 
+use crate::oath::Kind;
 use crate::{
     command, ensure, oath,
     state::{CommandState, State},
@@ -626,6 +627,12 @@ where
         // 2. Generate a filename for the credential
         let filename = self.filename_for_label(&credential.label);
 
+        // 2.5 Require PIN to have been verified before creating an ReverseHOTP credential
+        if credential.kind == Kind::HotpReverse && !self.state.runtime.client_authorized {
+            warn_now!("Attempt to create ReverseHOTP credential without authentication");
+            return Err(Status::SecurityStatusNotSatisfied);
+        }
+
         // 3. Serialize the credential (implicitly) and store it
         let write_res = self.state.try_write_file(
             &mut self.trussed,

diff --git a/src/credential.rs b/src/credential.rs
@@ -213,6 +213,12 @@ impl CredentialFlat {
 
     /// Update credential fields with new values, and save
     pub fn update_from(&mut self, update_req: UpdateCredential) -> Result<(), Status> {
+        // Updating ReverseHOTP is disabled without PIN
+        if matches!(self.kind, Kind::HotpReverse) {
+            warn_now!("Attempt to update ReverseHOTP credential");
+            return Err(Status::ConditionsOfUseNotSatisfied);
+        }
+
         if let Some(new_label) = update_req.new_label {
             self.label = ShortData::from_slice(new_label).map_err(|_| Status::NotEnoughMemory)?;
         }