turnkey/openpgp-card
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge branch 'heiko/pin-validity' into 'main'

Browse source 
opgpcard: only the SIG slot has configurable validity mechanism for PIN verification

See merge request openpgp-card/openpgp-card!28
This commit is contained in:
Nora Widdecke 2022-10-28 11:56:46 +00:00
commit 538dc16165
2 changed files with 16 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
tools/src/bin/opgpcard/commands/status.rs
View file

@ -100,10 +100,6 @@ pub fn print_status(
signature_key.status(format!("{}", ks)); signature_key.status(format!("{}", ks));
} }
if pws.pw1_cds_valid_once() {
signature_key.pin_valid_once();
}
if command.pkm { if command.pkm {
if let Ok(pkm) = card.public_key(KeyType::Signing) { if let Ok(pkm) = card.public_key(KeyType::Signing) {
signature_key.public_key_material(pkm.to_string()); signature_key.public_key_material(pkm.to_string());
@ -195,6 +191,8 @@ pub fn print_status(
output.attestation_key(attestation_key); output.attestation_key(attestation_key);
// technical details about the card's state // technical details about the card's state
output.user_pin_valid_for_only_one_signature(pws.pw1_cds_valid_once());
output.user_pin_remaining_attempts(pws.err_count_pw1()); output.user_pin_remaining_attempts(pws.err_count_pw1());
output.admin_pin_remaining_attempts(pws.err_count_pw3()); output.admin_pin_remaining_attempts(pws.err_count_pw3());
output.reset_code_remaining_attempts(pws.err_count_rc()); output.reset_code_remaining_attempts(pws.err_count_rc());

24
tools/src/bin/opgpcard/output/status.rs
View file

@ -19,6 +19,7 @@ pub struct Status {
decryption_key: KeySlotInfo, decryption_key: KeySlotInfo,
authentication_key: KeySlotInfo, authentication_key: KeySlotInfo,
attestation_key: Option<KeySlotInfo>, attestation_key: Option<KeySlotInfo>,
user_pin_valid_for_only_one_signature: bool,
user_pin_remaining_attempts: u8, user_pin_remaining_attempts: u8,
admin_pin_remaining_attempts: u8, admin_pin_remaining_attempts: u8,
reset_code_remaining_attempts: u8, reset_code_remaining_attempts: u8,
@ -71,6 +72,10 @@ impl Status {
self.attestation_key = Some(key); self.attestation_key = Some(key);
} }
pub fn user_pin_valid_for_only_one_signature(&mut self, sign_pin_valid_once: bool) {
self.user_pin_valid_for_only_one_signature = sign_pin_valid_once;
}
pub fn user_pin_remaining_attempts(&mut self, count: u8) { pub fn user_pin_remaining_attempts(&mut self, count: u8) {
self.user_pin_remaining_attempts = count; self.user_pin_remaining_attempts = count;
} }
@ -130,6 +135,13 @@ impl Status {
for line in self.signature_key.format(self.verbose) { for line in self.signature_key.format(self.verbose) {
s.push_str(&format!(" {}\n", line)); s.push_str(&format!(" {}\n", line));
} }
if self.verbose {
if self.user_pin_valid_for_only_one_signature {
s.push_str(" User PIN presentation valid for one signature\n");
} else {
s.push_str(" User PIN presentation valid for unlimited signatures\n");
}
}
s.push_str(&format!(" Signatures made: {}\n", self.signature_count)); s.push_str(&format!(" Signatures made: {}\n", self.signature_count));
s.push('\n'); s.push('\n');
@ -186,6 +198,7 @@ impl Status {
decryption_key: self.decryption_key.clone(), decryption_key: self.decryption_key.clone(),
authentication_key: self.authentication_key.clone(), authentication_key: self.authentication_key.clone(),
attestation_key: self.attestation_key.clone(), attestation_key: self.attestation_key.clone(),
user_pin_valid_for_only_one_signature: self.user_pin_valid_for_only_one_signature,
user_pin_remaining_attempts: self.user_pin_remaining_attempts, user_pin_remaining_attempts: self.user_pin_remaining_attempts,
admin_pin_remaining_attempts: self.admin_pin_remaining_attempts, admin_pin_remaining_attempts: self.admin_pin_remaining_attempts,
reset_code_remaining_attempts: self.reset_code_remaining_attempts, reset_code_remaining_attempts: self.reset_code_remaining_attempts,
@ -234,6 +247,7 @@ pub struct StatusV0 {
decryption_key: KeySlotInfo, decryption_key: KeySlotInfo,
authentication_key: KeySlotInfo, authentication_key: KeySlotInfo,
attestation_key: Option<KeySlotInfo>, attestation_key: Option<KeySlotInfo>,
user_pin_valid_for_only_one_signature: bool,
user_pin_remaining_attempts: u8, user_pin_remaining_attempts: u8,
admin_pin_remaining_attempts: u8, admin_pin_remaining_attempts: u8,
reset_code_remaining_attempts: u8, reset_code_remaining_attempts: u8,
@ -253,7 +267,6 @@ pub struct KeySlotInfo {
touch_policy: Option<String>, touch_policy: Option<String>,
touch_features: Option<String>, touch_features: Option<String>,
status: Option<String>, status: Option<String>,
pin_valid_once: bool,
public_key_material: Option<String>, public_key_material: Option<String>,
} }
@ -282,10 +295,6 @@ impl KeySlotInfo {
self.status = Some(status); self.status = Some(status);
} }
pub fn pin_valid_once(&mut self) {
self.pin_valid_once = true;
}
pub fn public_key_material(&mut self, material: String) { pub fn public_key_material(&mut self, material: String) {
self.public_key_material = Some(material); self.public_key_material = Some(material);
} }
@ -312,11 +321,6 @@ impl KeySlotInfo {
if let Some(status) = &self.status { if let Some(status) = &self.status {
lines.push(format!("Key Status: {}", status)); lines.push(format!("Key Status: {}", status));
} }
if self.pin_valid_once {
lines.push("User PIN presentation valid for one signature".into());
} else {
lines.push("User PIN presentation valid for unlimited signatures".into());
}
} }
if let Some(material) = &self.public_key_material { if let Some(material) = &self.public_key_material {
lines.push(format!("Public key material: {}", material)); lines.push(format!("Public key material: {}", material));