-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathkey_auth.go
67 lines (55 loc) · 1.71 KB
/
key_auth.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
// SPDX-FileCopyrightText: 2020 Google LLC
// SPDX-License-Identifier: Apache-2.0
package piv
import (
"fmt"
iso "cunicu.li/go-iso7816"
)
// KeyAuth is used to authenticate against the card on each signing and
// decryption request.
type KeyAuth struct {
// PIN, if provided, is a static PIN used to authenticate against the key.
// If provided, PINPrompt is ignored.
PIN string
// PINPrompt can be used to interactively request the PIN from the user. The
// method is only called when needed. For example, if a key specifies
// PINPolicyOnce, PINPrompt will only be called once per card struct.
PINPrompt func() (pin string, err error)
// PINPolicy can be used to specify the PIN caching strategy for the slot. If
// not provided, this will be inferred from the attestation certificate.
//
// This field is required on older (<4.3.0) YubiKeys when using PINPrompt,
// as well as for keys imported to the card.
PINPolicy PINPolicy
}
func (k KeyAuth) authTx(c *Card, pp PINPolicy) error {
// PINPolicyNever shouldn't require a PIN.
if pp == PINPolicyNever {
return nil
}
// PINPolicyAlways should always prompt a PIN even if the key says that
// login isn't needed.
//
// https://github.com/go-piv/piv-go/issues/49
if pp != PINPolicyAlways && !loginNeeded(c.tx) {
return nil
}
pin := k.PIN
if pin == "" && k.PINPrompt != nil {
p, err := k.PINPrompt()
if err != nil {
return fmt.Errorf("failed to get PIN from prompt: %w", err)
}
pin = p
}
if pin == "" {
return errMissingPIN
}
return login(c.tx, pin)
}
func (k KeyAuth) do(c *Card, pp PINPolicy, f func(tx *iso.Transaction) ([]byte, error)) ([]byte, error) {
if err := k.authTx(c, pp); err != nil {
return nil, err
}
return f(c.tx)
}