Support touch requirement for management key

Signed-off-by: Steffen Vogel <[email protected]>
cunicu · Dec 10, 2024 · 8eb07ca · 8eb07ca
1 parent 5ddd0b9
commit 8eb07ca
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 10 deletions.
diff --git a/auth.go b/auth.go
@@ -109,14 +109,13 @@ func (c *Card) authenticateWithPIN(pin string) error {
 //	if err := c.SetManagementKey(piv.DefaultManagementKey, newKey); err != nil {
 //		// ...
 //	}
-func (c *Card) SetManagementKey(oldKey, newKey ManagementKey) error {
+func (c *Card) SetManagementKey(oldKey, newKey ManagementKey, requireTouch bool) error {
 	if err := c.authenticate(oldKey); err != nil {
 		return fmt.Errorf("failed to authenticate with old key: %w", err)
 	}
 
 	p2 := byte(0xff)
-	touch := false // TODO
-	if touch {
+	if requireTouch {
 		p2 = 0xfe
 	}
 
@@ -131,7 +130,7 @@ func (c *Card) SetManagementKey(oldKey, newKey ManagementKey) error {
 
 // https://docs.yubico.com/yesdk/users-manual/application-piv/pin-only.html
 // https://docs.yubico.com/yesdk/users-manual/application-piv/piv-objects.html#pinprotecteddata
-func (c *Card) SetManagementKeyPinProtected(oldKey ManagementKey, pin string) error {
+func (c *Card) SetManagementKeyPinProtected(oldKey ManagementKey, pin string, requireTouch bool) error {
 	var newKey ManagementKey
 
 	if n, err := c.Rand.Read(newKey[:]); err != nil {
@@ -153,7 +152,7 @@ func (c *Card) SetManagementKeyPinProtected(oldKey ManagementKey, pin string) er
 		return err
 	}
 
-	return c.SetManagementKey(oldKey, newKey)
+	return c.SetManagementKey(oldKey, newKey, requireTouch)
 }
 
 // SetPIN updates the PIN to a new value. For compatibility, PINs should be 1-8

diff --git a/auth_test.go b/auth_test.go
@@ -57,13 +57,13 @@ func TestSetManagementKey(t *testing.T) {
 		_, err := io.ReadFull(c.Rand, mgmtKey[:])
 		require.NoError(t, err, "Failed to generate management key")
 
-		err = c.SetManagementKey(DefaultManagementKey, mgmtKey)
+		err = c.SetManagementKey(DefaultManagementKey, mgmtKey, false)
 		require.NoError(t, err, "Failed to set management key")
 
 		err = c.authenticate(mgmtKey)
 		assert.NoError(t, err, "Failed to authenticate with new management key")
 
-		err = c.SetManagementKey(mgmtKey, DefaultManagementKey)
+		err = c.SetManagementKey(mgmtKey, DefaultManagementKey, false)
 		require.NoError(t, err, "Failed to reset management key")
 	})
 }
@@ -134,13 +134,13 @@ func TestChangeManagementKey(t *testing.T) {
 			}
 		}
 
-		err = c.SetManagementKey(newKey, newKey)
+		err = c.SetManagementKey(newKey, newKey, false)
 		assert.Error(t, err, "Successfully changed management key with invalid key, expected error")
 
-		err = c.SetManagementKey(DefaultManagementKey, newKey)
+		err = c.SetManagementKey(DefaultManagementKey, newKey, false)
 		require.NoError(t, err, "Failed to change management key")
 
-		err = c.SetManagementKey(newKey, DefaultManagementKey)
+		err = c.SetManagementKey(newKey, DefaultManagementKey, false)
 		require.NoError(t, err, "Failed to reset management key")
 	})
 }