From 5c6aeceac2cf0f0cb960979bfa331488df5bc13f Mon Sep 17 00:00:00 2001
From: Steffen Vogel
Date: Fri, 24 May 2024 17:29:13 +0200
Subject: [PATCH] Support touch requirement for management key

Signed-off-by: Steffen Vogel
---
 auth.go | 9 ++++-----
 auth_test.go | 10 +++++-----
 2 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/auth.go b/auth.go
index 0e87676..eac9f7c 100644
--- a/auth.go
+++ b/auth.go
@@ -109,14 +109,13 @@ func (c *Card) authenticateWithPIN(pin string) error {
 // if err := c.SetManagementKey(piv.DefaultManagementKey, newKey); err != nil {
 // // ...
 // }
-func (c *Card) SetManagementKey(oldKey, newKey ManagementKey) error {
+func (c *Card) SetManagementKey(oldKey, newKey ManagementKey, requireTouch bool) error {
 if err := c.authenticate(oldKey); err != nil {
 return fmt.Errorf("failed to authenticate with old key: %w", err)
 }
 
 p2 := byte(0xff)
- touch := false // TODO
- if touch {
+ if requireTouch {
 p2 = 0xfe
 }
 
@@ -131,7 +130,7 @@ func (c *Card) SetManagementKey(oldKey, newKey ManagementKey) error {
 
 // https://docs.yubico.com/yesdk/users-manual/application-piv/pin-only.html
 // https://docs.yubico.com/yesdk/users-manual/application-piv/piv-objects.html#pinprotecteddata
-func (c *Card) SetManagementKeyPinProtected(oldKey ManagementKey, pin string) error {
+func (c *Card) SetManagementKeyPinProtected(oldKey ManagementKey, pin string, requireTouch bool) error {
 var newKey ManagementKey
 
 if n, err := c.Rand.Read(newKey[:]); err != nil {
@@ -153,7 +152,7 @@ func (c *Card) SetManagementKeyPinProtected(oldKey ManagementKey, pin string) er
 return err
 }
 
- return c.SetManagementKey(oldKey, newKey)
+ return c.SetManagementKey(oldKey, newKey, requireTouch)
 }
 
 // SetPIN updates the PIN to a new value. For compatibility, PINs should be 1-8
diff --git a/auth_test.go b/auth_test.go
index a2e80e1..7191947 100644
--- a/auth_test.go
+++ b/auth_test.go
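Review bot: The usage example in the doc comment directly above the new signature still reads `// if err := c.SetManagementKey(piv.DefaultManagementKey, newKey); err != nil {` and no longer matches the three-parameter function; it should become `// if err := c.SetManagementKey(piv.DefaultManagementKey, newKey, false); err != nil {`. The doc comment should also state what `requireTouch` does: it selects P2 0xfe instead of 0xff, which — as far as I understand the YubiKey PIV touch policy — makes every later authentication with the new key wait for a physical touch until the key is changed again, so unattended callers must pass `false`. Adding a parameter is a breaking change for every existing caller; the commit message could say so, or a two-argument wrapper could keep old call sites compiling. The body of SetManagementKey continues past the end of the hunk.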
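Review bot: SetManagementKeyPinProtected gains `requireTouch`, but nothing in the visible doc comment describes it (only the two reference URLs are in the hunk; the rest of the comment is above it). Because this function stores the freshly generated key in the PIN-protected data object, a `true` here presumably means that every later PIN-based recovery of the management key is also gated on a touch, which is worth stating explicitly, e.g. `// requireTouch asks the card to demand a physical touch for each authentication with the new key.` The function body continues past the end of the hunk.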
@@ -57,13 +57,13 @@ func TestSetManagementKey(t *testing.T) {
 _, err := io.ReadFull(c.Rand, mgmtKey[:])
 require.NoError(t, err, "Failed to generate management key")
 
- err = c.SetManagementKey(DefaultManagementKey, mgmtKey)
+ err = c.SetManagementKey(DefaultManagementKey, mgmtKey, false)
 require.NoError(t, err, "Failed to set management key")
 
 err = c.authenticate(mgmtKey)
 assert.NoError(t, err, "Failed to authenticate with new management key")
 
- err = c.SetManagementKey(mgmtKey, DefaultManagementKey)
+ err = c.SetManagementKey(mgmtKey, DefaultManagementKey, false)
 require.NoError(t, err, "Failed to reset management key")
 })
 }
@@ -134,13 +134,13 @@ func TestChangeManagementKey(t *testing.T) {
 }
 }
 
- err = c.SetManagementKey(newKey, newKey)
+ err = c.SetManagementKey(newKey, newKey, false)
 assert.Error(t, err, "Successfully changed management key with invalid key, expected error")
 
- err = c.SetManagementKey(DefaultManagementKey, newKey)
+ err = c.SetManagementKey(DefaultManagementKey, newKey, false)
 require.NoError(t, err, "Failed to change management key")
 
- err = c.SetManagementKey(newKey, DefaultManagementKey)
+ err = c.SetManagementKey(newKey, DefaultManagementKey, false)
 require.NoError(t, err, "Failed to reset management key")
 })
 }
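Review bot: Every updated call in TestSetManagementKey and TestChangeManagementKey passes `false`, so the new `requireTouch == true` path (P2 0xfe in auth.go) has no coverage. A `true` case cannot be asserted fully automatically because it needs a physical touch, but it could live behind an opt-in flag or a `t.Skip` so that manual hardware runs confirm the card accepts P2 0xfe and that a subsequent `c.authenticate(mgmtKey)` is indeed gated on touch. Both test functions start outside the hunks.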