Slot access code management

Docs/Commands/Set-YubiKeyOTPSlotAccessCode.md

@@ -0,0 +1,179 @@
+---
+external help file: powershellYK.dll-Help.xml
+Module Name: powershellYK
+online version:
+schema: 2.0.0
+---
+
+# Set-YubiKeyOTPSlotAccessCode
+
+## SYNOPSIS
+Sets, changes or removes the OTP slot access code for a YubiKey.
+he access code protects OTP slot configurations from unauthorized modifications.
+
+## SYNTAX
+
+### SetNewAccessCode
+```
+Set-YubiKeyOTPSlotAccessCode -Slot <Slot> [-AccessCode <String>] [-WhatIf] [-Confirm] [<CommonParameters>]
+```
+
+### ChangeAccessCode
+```
+Set-YubiKeyOTPSlotAccessCode -Slot <Slot> -AccessCode <String> -CurrentAccessCode <String> [-WhatIf] [-Confirm]
+ [<CommonParameters>]
+```
+
+### RemoveAccessCode
+```
+Set-YubiKeyOTPSlotAccessCode -Slot <Slot> -CurrentAccessCode <String> [-RemoveAccessCode] [-WhatIf] [-Confirm]
+ [<CommonParameters>]
+```
+
+## DESCRIPTION
+Sets, changes or removes the OTP slot access code for a YubiKey.
+The access code protects OTP slot configurations from unauthorized modifications.
+Access codes are 6 bytes in length, provided as 12-character hex strings.
+
+## EXAMPLES
+
+### Example 1
+```powershell
+PS C:\> Set-YubiKeySlotAccessCode -Slot LongPress -AccessCode "010203040506"
+```
+
+Set a new access code for a slot (when no access code exists)
+
+### Example 2
+```powershell
+PS C:\> Set-YubiKeyOTPSlotAccessCode -Slot ShortPress -CurrentAccessCode "010203040506" -AccessCode "060504030201"
+```
+
+Change an existing slot access code
+
+### Example 3
+```powershell
+PS C:\> Set-YubiKeyOTPSlotAccessCode -Slot LongPress -CurrentAccessCode "010203040506" -RemoveAccessCode
+```
+
+Remove slot access code protection (set to all zeros)
+
+## PARAMETERS
+
+### -AccessCode
+New access code (12-character hex string)
+
+```yaml
+Type: String
+Parameter Sets: SetNewAccessCode
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+```yaml
+Type: String
+Parameter Sets: ChangeAccessCode
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -CurrentAccessCode
+Current access code (12-character hex string)
+
+```yaml
+Type: String
+Parameter Sets: ChangeAccessCode, RemoveAccessCode
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RemoveAccessCode
+Remove access code protection
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: RemoveAccessCode
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Slot
+Yubikey OTP Slot
+
+```yaml
+Type: Slot
+Parameter Sets: (All)
+Aliases:
+Accepted values: None, ShortPress, LongPress
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### None
+
+## OUTPUTS
+
+### System.Object
+## NOTES
+
+## RELATED LINKS

Docs/Commands/powershellYK.md

@@ -120,7 +120,7 @@ Removes a FIDO2 credential from the YubiKey.
 ### [Remove-YubikeyOATHAccount](Remove-YubikeyOATHAccount.md)
 Removes an account from the YubiKey OATH application.
 
-### [Remove-YubikeyOTP](Remove-YubikeyOTP.md)
+### [Remove-YubiKeyOTP](Remove-YubiKeyOTP.md)
 Remove YubiKey OTP slot.
 
 ### [Remove-YubikeyPIVKey](Remove-YubikeyPIVKey.md)
@@ -162,9 +162,13 @@ Set the PIN for the FIDO2 application on the YubiKey.
 ### [Set-YubiKeyOATHPassword](Set-YubiKeyOATHPassword.md)
 Set the password for the YubiKey OATH application.
 
-### [Set-YubikeyOTP](Set-YubikeyOTP.md)
+### [Set-YubiKeyOTP](Set-YubiKeyOTP.md)
 Configure OTP slots
 
+### [Set-YubiKeyOTPSlotAccessCode](Set-YubiKeyOTPSlotAccessCode.md)
+Sets, changes or removes the OTP slot access code for a YubiKey.
+he access code protects OTP slot configurations from unauthorized modifications.
+
 ### [Set-YubikeyPIV](Set-YubikeyPIV.md)
 Allows the updating of PIV settings
 

Module/Cmdlets/OTP/RemoveYubikeyOTP.cs

@@ -8,8 +8,9 @@
 /// Removes the OTP configuration from the short-press slot
 /// 
 /// .EXAMPLE
-/// Remove-YubiKeyOTP -Slot LongPress
-/// Removes the OTP configuration from the long-press slot
+/// Remove-YubiKeyOTP -Slot LongPress -CurrentAccessCode "010203040506"
+/// Removes the OTP configuration from the long-press slot when a slot access code is set
+/// 
 /// </summary>
 
 // Imports
@@ -29,6 +30,11 @@ public class RemoveYubikeyOTPCommand : Cmdlet
         [Parameter(Mandatory = true, ValueFromPipeline = false, HelpMessage = "YubiOTP Slot", ParameterSetName = "Remove")]
         public Slot Slot { get; set; }
 
+        // The current access code (12-character hex string) if the slot is protected
+        [Parameter(Mandatory = false, ValueFromPipeline = false, HelpMessage = "Current access code (12-character hex string)", ParameterSetName = "Remove")]
+        [ValidateCount(12, 12)]
+        public string? CurrentAccessCode { get; set; }
+
         // Connect to YubiKey when cmdlet starts
         protected override void BeginProcessing()
         {
@@ -69,8 +75,28 @@ protected override void ProcessRecord()
 
                     // Delete the slot configuration
                     var deleteSlot = otpSession.DeleteSlotConfiguration(Slot);
-                    deleteSlot.Execute(); // Note: Deletion may return an error even when successful
-                    WriteInformation($"Removed OTP configuration from slot {Slot.ToString("d")}", new string[] { "OTP", "Info" });
+                    // If CurrentAccessCode is provided, use it
+                    if (CurrentAccessCode != null)
+                    {
+                        // Convert hex string to byte array using Hex helper class
+                        var currentAccessCodeBytes = powershellYK.support.Hex.Decode(CurrentAccessCode);
+                        var slotAccessCode = new SlotAccessCode(currentAccessCodeBytes);
+                        deleteSlot = deleteSlot.UseCurrentAccessCode(slotAccessCode);
+                    }
+                    try
+                    {
+                        deleteSlot.Execute(); // Note: Deletion may return an error even when successful
+                        WriteInformation($"Removed OTP configuration from slot {Slot.ToString("d")}", new string[] { "OTP", "Info" });
+                    }
+                    catch (Exception ex)
+                    {
+                        // Show a message to guide the user into providing or correcting a slot access code
+                        // if (ex.Message.Contains("YubiKey Operation Failed") && ex.Message.Contains("state of non-volatile memory is unchanged"))
+                        // {
+                        //     WriteWarning("The requested slot is protected with a slot access code. Either no access code was provided, or the provided code was incorrect. Please call the cmdlet again using -CurrentAccessCode with the correct code.");
+                        // }
+                        WriteError(new ErrorRecord(ex, "RemoveYubiKeyOTPError", ErrorCategory.InvalidOperation, null));
+                    }
                 }
             }
         }