
PIV: added support for Yubikey's PIN policy
fixes #1769
frankmorgner committed Mar 14, 2024
1 parent 13ee069 commit a17451c
Showing 3 changed files with 30 additions and 2 deletions.
11 changes: 11 additions & 0 deletions src/libopensc/card-piv.c
Expand Up @@ -4386,6 +4386,14 @@ static int piv_get_pin_preference(sc_card_t *card, int *pin_ref)
LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
}

static int piv_yk_pin_policy(sc_card_t *card, u8 *pin_policy)
{
piv_private_data_t * priv = PIV_DATA(card);

*pin_policy = priv->yk_metadata.pin.pin_policy;
LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
}

static int piv_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)
{
piv_private_data_t * priv = PIV_DATA(card);
Expand Down Expand Up @@ -4423,6 +4431,9 @@ static int piv_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)
case SC_CARDCTL_PIV_OBJECT_PRESENT:
return piv_is_object_present(card, ptr);
break;
case SC_CARDCTL_PIV_YK_PIN_POLICY:
return piv_yk_pin_policy(card, ptr);
break;
}

LOG_FUNC_RETURN(card->ctx, SC_ERROR_NOT_SUPPORTED);
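Review bot: `piv_yk_pin_policy` stores through `pin_policy` without checking it, and the new `SC_CARDCTL_PIV_YK_PIN_POLICY` case in `piv_card_ctl` forwards the caller's `ptr` to it unchanged, so a NULL argument would fault inside the driver rather than be rejected; add `if (pin_policy == NULL) LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_ARGUMENTS);` before the store. The function also returns SC_SUCCESS unconditionally, so a caller cannot distinguish a policy that was actually read from a YubiKey from `priv->yk_metadata` still holding its initial value; if the driver records elsewhere whether the metadata was fetched (not visible in this hunk), returning SC_ERROR_NOT_SUPPORTED in the "not fetched" case would make the fallback in pkcs15-piv.c explicit. A one-line header comment would help readers of this file: `/* Report the raw PIN policy byte from the cached YubiKey metadata into *pin_policy. */`. `piv_card_ctl` starts and ends outside the second hunk.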
1 change: 1 addition & 0 deletions src/libopensc/cardctl.h
Expand Up @@ -178,6 +178,7 @@ enum {
SC_CARDCTL_PIV_GENERATE_KEY,
SC_CARDCTL_PIV_PIN_PREFERENCE,
SC_CARDCTL_PIV_OBJECT_PRESENT,
SC_CARDCTL_PIV_YK_PIN_POLICY,

/*
* CAC specific calls
20 changes: 18 additions & 2 deletions src/libopensc/pkcs15-piv.c
Expand Up @@ -1166,8 +1166,24 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
prkey_obj.flags = prkeys[i].obj_flags;
prkey_obj.user_consent = prkeys[i].user_consent; /* only Sign key */

if (prkeys[i].auth_id)
sc_pkcs15_format_id(prkeys[i].auth_id, &prkey_obj.auth_id);
if (prkeys[i].auth_id) {
/* The default behaviour for that key is used */
u8 pin_policy = 0x00;

if (strcmp("01", prkeys[i].auth_id) == 0) {
sc_card_ctl(p15card->card, SC_CARDCTL_PIV_YK_PIN_POLICY, &pin_policy);
if (pin_policy == 0x02)
/* PIN is checked once for the session */
prkey_obj.user_consent = 0;
else if (pin_policy == 0x03)
/* PIN is verified just before operation */
prkey_obj.user_consent = 1;
}

/* PIN is never checked for operations if PIN policy is set to 0x01 */
if (pin_policy != 0x01)
sc_pkcs15_format_id(prkeys[i].auth_id, &prkey_obj.auth_id);
}

/*
* When no cert is present and a pubkey in a file was found,
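Review bot: The policy byte is compared against the bare literals 0x01, 0x02 and 0x03 in four places (the `if`/`else if` chain and the final `!= 0x01` test), with their meaning carried only by comments; an enum of named values for never/once/always, declared alongside SC_CARDCTL_PIV_YK_PIN_POLICY in cardctl.h so both the driver and the emulator share it, would make the `user_consent` and `auth_id` decisions self-describing and keep the two files from drifting. The return value of `sc_card_ctl` is discarded; since `pin_policy` is pre-initialized to 0x00 a failure falls back to the `prkeys[]` defaults, which is reasonable but should be stated on that line, e.g. `/* on error pin_policy stays 0x00 and the prkeys[] defaults apply */`. The `if`/`else if` bodies are unbraced with a comment sitting between the condition and the statement; bracing them avoids the classic dangling-statement mistake when a second line is added later. Note that when the policy is 0x01 the key object is deliberately created with no `auth_id`, so PKCS#15 consumers will see a key that requires no PIN — that mirrors the card's own enforcement, but it is worth a sentence in the commit description. `sc_pkcs15emu_piv_init` starts and ends outside the hunk.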
