-
Notifications
You must be signed in to change notification settings - Fork 0
/
card.go
212 lines (187 loc) · 5.68 KB
/
card.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
// YubiKey
// For the full copyright and license information, please view the LICENSE.txt file.
package yubikey
import (
"crypto/ecdsa"
"crypto/elliptic"
"fmt"
"sort"
"strings"
"github.com/go-piv/piv-go/piv"
)
// Card represents a YubiKey smart card.
// For more information see https://developers.yubico.com/PIV/Introduction/YubiKey_and_PIV.html
type Card struct {
name string
serial string
version piv.Version
pin string
puk string
manKey [24]byte
keyAuth piv.KeyAuth
}
// Name returns the card name.
func (card *Card) Name() string {
return card.name
}
// Serial returns the card serial number.
func (card *Card) Serial() string {
return card.serial
}
// Version returns the card firmware version.
func (card *Card) Version() string {
return fmt.Sprintf("%d.%d.%d", card.version.Major, card.version.Minor, card.version.Patch)
}
// SetPIN sets the card pin.
func (card *Card) SetPIN(pin string) {
card.pin = pin
}
// SetPUK sets the card puk.
func (card *Card) SetPUK(puk string) {
card.puk = puk
}
// SetManKey sets the management key
func (card *Card) SetManKey(manKey []byte) {
copy(card.manKey[:], manKey)
}
// SlotKeys returns the card slot keys.
func (card *Card) SlotKeys() []string {
var slotKeys []string
for k := range slotMap {
slotKeys = append(slotKeys, k)
}
return slotKeys
}
// Slots returns the card slots.
func (card *Card) Slots() ([]*Slot, error) {
return card.SlotsByKey(card.SlotKeys())
}
// SlotsByKey returns the card slots by the given slot keys.
func (card *Card) SlotsByKey(slotKeys []string) ([]*Slot, error) {
openMu.Lock()
defer openMu.Unlock()
// Connect to the smart card
yk, err := piv.Open(card.name)
if err != nil {
return nil, fmt.Errorf("couldn't connect to the YubiKey smart card (%s): %s", card.serial, err)
}
defer yk.Close()
// Iterate over the slots and initialize the slot instances
var slots []*Slot
for _, slotKey := range slotKeys {
// Check the slot name
smv, ok := slotMap[slotKey]
if !ok {
continue
}
// Init the slot instance
slot := Slot{key: slotKey, card: card, slot: smv}
// Attest method checks keys which have been generated, not imported
cert, err := yk.Attest(slot.slot)
if err != nil {
if strings.Contains(err.Error(), "data object or application not found") {
// Certificate method checks imported keys/certificates which may not be secured
certImp, err := yk.Certificate(slot.slot)
if err != nil {
if strings.Contains(err.Error(), "data object or application not found") {
// No cert found
} else {
return nil, fmt.Errorf("couldn't access to the key slot (%s): %s", slotKey, err)
}
} else {
slot.isImported = true
cert = certImp
}
} else {
return nil, fmt.Errorf("couldn't access to the key slot (%s): %s", slotKey, err)
}
} else {
slot.isGenerated = true
}
if cert == nil {
slots = append(slots, &slot)
continue
} else if cert != nil && cert.PublicKey == nil {
return nil, fmt.Errorf("slot certificate has no public key (%s): %s", slotKey, err)
}
slot.hasKey = true
// Determine the slot PIN and touch policies
aCert, err := yk.AttestationCertificate()
if err != nil {
return nil, fmt.Errorf("couldn't access to the key attestation certificate (%s): %s", slotKey, err)
}
sAttestation, err := piv.Verify(aCert, cert)
if err != nil {
return nil, fmt.Errorf("couldn't access to the slot attestation (%s): %s", slotKey, err)
}
// We could simply cast PIN and touch policies but that would be bad if the upstream ever changes
switch sAttestation.PINPolicy {
case piv.PINPolicyAlways:
slot.pinPolicy = PINPolicyAlways
case piv.PINPolicyNever:
slot.pinPolicy = PINPolicyNever
case piv.PINPolicyOnce:
slot.pinPolicy = PINPolicyOnce
}
switch sAttestation.TouchPolicy {
case piv.TouchPolicyAlways:
slot.touchPolicy = TouchPolicyAlways
case piv.TouchPolicyCached:
slot.touchPolicy = TouchPolicyCached
case piv.TouchPolicyNever:
slot.touchPolicy = TouchPolicyNever
}
// Get the private key object
privateKey, err := yk.PrivateKey(slot.slot, cert.PublicKey, card.keyAuth)
if err != nil {
return nil, fmt.Errorf("couldn't get the slot key (%s): %s", slotKey, err)
}
privateKeyECDSA, ok := privateKey.(*piv.ECDSAPrivateKey)
if !ok {
// For now only ECDSA keys are allowed
continue
}
// Set the public key
slot.publicKeyECDSA, ok = privateKeyECDSA.Public().(*ecdsa.PublicKey)
if !ok {
// This shouldn't happen since private key is checked above
continue
}
slot.publicKey = elliptic.MarshalCompressed(slot.publicKeyECDSA.Curve, slot.publicKeyECDSA.X, slot.publicKeyECDSA.Y)
switch slot.publicKeyECDSA.Curve {
case elliptic.P256():
slot.publicKeyAlg = AlgorithmEC256
case elliptic.P384():
slot.publicKeyAlg = AlgorithmEC384
default:
slot.publicKeyAlg = AlgorithmUnknown
}
slots = append(slots, &slot)
}
sort.Slice(slots, func(i, j int) bool { return slots[i].key < slots[j].key })
return slots, nil
}
// VerifyPIN attempts to authenticate against the card with the provided PIN.
func (card *Card) VerifyPIN(pin string) error {
// Connect to the smart card
openMu.Lock()
defer openMu.Unlock()
yk, err := piv.Open(card.name)
if err != nil {
return fmt.Errorf("couldn't connect to the YubiKey smart card (%s): %s", card.name, err)
}
defer yk.Close()
return yk.VerifyPIN(pin)
}
// Unblock unblocks the PIN, setting it to a new value.
func (card *Card) Unblock(puk, newPIN string) error {
// Connect to the smart card
openMu.Lock()
defer openMu.Unlock()
yk, err := piv.Open(card.name)
if err != nil {
return fmt.Errorf("couldn't connect to the YubiKey smart card (%s): %s", card.name, err)
}
defer yk.Close()
return yk.Unblock(puk, newPIN)
}