piv: only call PINPrompt when required #37

Merged
merged 1 commit into from
Apr 26, 2020

ericchiang
Collaborator

Fixes #35

fyi @FiloSottile

For some reason this doesn't work:

% go test -v -run=TestPINPrompt . -wipe-yubikey
=== RUN   TestPINPrompt
    TestPINPrompt: key_test.go:124: expected PINPrompt to only be called once got: 2
--- FAIL: TestPINPrompt (1.96s)
FAIL
FAIL    github.com/go-piv/piv-go/piv    2.253s
FAIL

Maybe PINPolicyOnce still only applies to the smartcard transaction? Will investigate.

@ericchiang
Collaborator Author

ericchiang commented Apr 25, 2020

Okay yeah, the PINPolicy only applies to the smartcard transaction. Which implies that we'd have to hold a transaction to the smartcard for this to work.

Maybe we can refactor the YubiKey struct to hold a transaction instead of just a connection? It'd mean you couldn't have multiple open... but 🤷

@ericchiang ericchiang merged commit 4cecf31 into master Apr 26, 2020
@ericchiang ericchiang deleted the prompt branch April 26, 2020 01:14
FiloSottile added a commit to FiloSottile/yubikey-agent that referenced this pull request Apr 26, 2020
go-piv/piv-go#37, go-piv/piv-go#39, and go-piv/piv-go#44 add support for
"once" (per session) PIN policies.

Serial() causes the PIN cache to drop, so only call it once at the start
and replace the health check with AttestationCertificate().
Successfully merging this pull request may close these issues.

PINPrompt should only be called if the PIN is needed
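
The behaviour discussed in this thread, as an added example that is not piv-go's code: a constructed model in which the prompt callback runs only when the card's PIN status requires it, and a session reset forces a fresh prompt. `simCard`, `signOnce` and `countPrompts` are hypothetical names, and the reset rule is an assumption taken from the comments above.

```go
package main

import (
	"errors"
	"fmt"
)

// simCard is a constructed model of a PIV applet, not a piv-go type.
type simCard struct {
	pin      string
	verified bool // PIN status; assumed to be lost when the session is reset
}

// Sign fails unless the PIN was verified earlier in the same session.
func (c *simCard) Sign(msg string) (string, error) {
	if !c.verified {
		return "", errors.New("security status not satisfied")
	}
	return "sig(" + msg + ")", nil
}

// signOnce calls prompt only when the card reports the PIN is not verified.
func signOnce(c *simCard, prompt func() (string, error), msg string) (string, error) {
	if !c.verified {
		pin, err := prompt()
		if err != nil {
			return "", err
		}
		if c.verified = pin == c.pin; !c.verified { // stands in for PIN verification
			return "", errors.New("wrong PIN")
		}
	}
	return c.Sign(msg)
}

// countPrompts signs n messages; reset models the session dropping in between.
func countPrompts(n int, reset bool) (prompts int) {
	c := &simCard{pin: "123456"} // constructed sample PIN
	prompt := func() (string, error) { prompts++; return c.pin, nil }
	for i := 0; i < n; i++ {
		if _, err := signOnce(c, prompt, "msg"); err != nil {
			panic(err)
		}
		c.verified = !reset // a reset session forgets the verified PIN
	}
	return prompts
}

func main() { fmt.Println(countPrompts(3, false), countPrompts(3, true)) }
```

With the session held, three signatures cost one prompt; with a reset between operations, every signature prompts again, which matches the failing test count reported above.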