From 58d3e8ce3cd80347669d874c0a07c764dfc7644b Mon Sep 17 00:00:00 2001 From: Greg Bowyer Date: Mon, 5 Aug 2024 21:06:26 -0700 Subject: [PATCH] PIV: remove additional PIV MGM methods `Yubikey` hosts methods to do authentication with the MGM key in a one shot method, and via broken out methods (`get_auth_challenge` and `verify_auth_response`). These methods are a little hard to make work with AES or 3DES keys and currently have no integration tests. Rather than having duplicate logic (and subsequently duplicating error tests), these methods are being removed. --- src/yubikey.rs | 50 -------------------------------------------------- 1 file changed, 50 deletions(-) diff --git a/src/yubikey.rs b/src/yubikey.rs index 1214999d..bc64c707 100644 --- a/src/yubikey.rs +++ b/src/yubikey.rs @@ -66,9 +66,6 @@ use { /// Flag for PUK blocked pub(crate) const ADMIN_FLAGS_1_PUK_BLOCKED: u8 = 0x01; -/// 3DES authentication -pub(crate) const ALGO_3DES: u8 = 0x03; - /// Card management key pub(crate) const KEY_CARDMGM: u8 = 0x9b; @@ -629,53 +626,6 @@ impl YubiKey { txn.save_object(object_id, indata) } - /// Get an auth challenge. - #[cfg(feature = "untested")] - pub fn get_auth_challenge(&mut self) -> Result<[u8; 8]> { - let txn = self.begin_transaction()?; - - let response = Apdu::new(Ins::Authenticate) - .params(ALGO_3DES, KEY_CARDMGM) - .data([0x7c, 0x02, 0x81, 0x00]) - .transmit(&txn, 261)?; - - if !response.is_success() { - return Err(Error::AuthenticationError); - } - - Ok(response - .data() - .get(4..12) - .ok_or(Error::SizeError)? - .try_into()?) - } - - /// Verify an auth response. - #[cfg(feature = "untested")] - pub fn verify_auth_response(&mut self, response: [u8; 8]) -> Result<()> { - let mut data = [0u8; 12]; - data[0] = 0x7c; - data[1] = 0x0a; - data[2] = 0x82; - data[3] = 0x08; - data[4..12].copy_from_slice(&response); - - let txn = self.begin_transaction()?; - - // send the response to the card and a challenge of our own. - let status_words = Apdu::new(Ins::Authenticate) - .params(ALGO_3DES, KEY_CARDMGM) - .data(data) - .transmit(&txn, 261)? - .status_words(); - - if !status_words.is_success() { - return Err(Error::AuthenticationError); - } - - Ok(()) - } - /// Reset YubiKey. /// /// WARNING: this is a destructive operation which will destroy all keys!