Merge pull request #604 from smallstep/herman/upgrade-go-piv-v2
Upgrade `go-piv` to `v2.2.0`
hslatman authored Oct 3, 2024
2 parents 47febcd + aca4766 commit d1392f2
Showing 5 changed files with 29 additions and 26 deletions.
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -13,7 +13,7 @@ require (
github.com/aws/aws-sdk-go-v2/config v1.27.39
github.com/aws/aws-sdk-go-v2/service/kms v1.36.3
github.com/go-jose/go-jose/v3 v3.0.3
github.com/go-piv/piv-go v1.11.0
github.com/go-piv/piv-go/v2 v2.2.0
github.com/golang/mock v1.6.0
github.com/google/go-tpm v0.9.1
github.com/google/go-tpm-tools v0.4.4
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -303,8 +303,8 @@ github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
github.com/go-piv/piv-go v1.11.0 h1:5vAaCdRTFSIW4PeqMbnsDlUZ7odMYWnHBDGdmtU/Zhg=
github.com/go-piv/piv-go v1.11.0/go.mod h1:NZ2zmjVkfFaL/CF8cVQ/pXdXtuj110zEKGdJM6fJZZM=
github.com/go-piv/piv-go/v2 v2.2.0 h1:kOcyd7+JiKLF1BtGUO6vg7XlDJLhchinoMuksOpWBEI=
github.com/go-piv/piv-go/v2 v2.2.0/go.mod h1:ShZi74nnrWNQEdWzRUd/3cSig3uNOcEZp+EWl0oewnI=
github.com/go-playground/locales v0.12.1/go.mod h1:IUMDtCfWo/w/mtMfIE/IG2K+Ey3ygWanZIBtBW0W2TM=
github.com/go-playground/universal-translator v0.16.0/go.mod h1:1AnU7NaIRDWWzGEKwgtJRd2xk99HeFyHw3yid4rvQIY=
github.com/go-redis/redis v6.15.9+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA=
11 changes: 6 additions & 5 deletions kms/yubikey/yubikey.go
Expand Up @@ -16,8 +16,9 @@ import (
"strings"
"sync"

"github.com/go-piv/piv-go/piv"
"github.com/go-piv/piv-go/v2/piv"
"github.com/pkg/errors"

"go.step.sm/crypto/kms/apiv1"
"go.step.sm/crypto/kms/uri"
)
Expand All @@ -34,13 +35,13 @@ type YubiKey struct {
yk pivKey
pin string
card string
managementKey [24]byte
managementKey []byte
}

type pivKey interface {
Certificate(slot piv.Slot) (*x509.Certificate, error)
SetCertificate(key [24]byte, slot piv.Slot, cert *x509.Certificate) error
GenerateKey(key [24]byte, slot piv.Slot, opts piv.Key) (crypto.PublicKey, error)
SetCertificate(key []byte, slot piv.Slot, cert *x509.Certificate) error
GenerateKey(key []byte, slot piv.Slot, opts piv.Key) (crypto.PublicKey, error)
PrivateKey(slot piv.Slot, public crypto.PublicKey, auth piv.KeyAuth) (crypto.PrivateKey, error)
Attest(slot piv.Slot) (*x509.Certificate, error)
Serial() (uint32, error)
Expand Down Expand Up @@ -122,7 +123,7 @@ func New(_ context.Context, opts apiv1.Options) (*YubiKey, error) {
if len(b) != 24 {
return nil, errors.New("invalid managementKey: length is not 24 bytes")
}
copy(managementKey[:], b[:24])
copy(managementKey, b[:24])
}

if opts.Pin != "" {
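Review bot: `copy(managementKey, b[:24])` in the last hunk now copies into a slice whose declaration sits above the hunk, and the outcome depends on how that slice is initialised: if it is `managementKey := piv.DefaultManagementKey` (a package-level `[]byte` in v2, where the v1 `[24]byte` was copied by value), the copy overwrites the library's default key for every later `New` in the process; if it is a nil slice, `copy` writes nothing and the configured key is silently dropped. Either way the decoded key should own its storage, e.g. `managementKey = append([]byte(nil), b...)`. The `len(b) != 24` check also predates the `[]byte` API; go-piv presumably widened the type so management keys of other lengths (AES) can be passed, so if that is meant to be supported here the check should become an allow-list of lengths rather than exactly 24. `New` starts and ends outside the hunk.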
1 change: 1 addition & 0 deletions kms/yubikey/yubikey_no_cgo.go
Expand Up @@ -9,6 +9,7 @@ import (
"path/filepath"

"github.com/pkg/errors"

"go.step.sm/crypto/kms/apiv1"
)

37 changes: 19 additions & 18 deletions kms/yubikey/yubikey_test.go
Expand Up @@ -21,9 +21,10 @@ import (
"sync"
"testing"

"github.com/go-piv/piv-go/piv"
"github.com/go-piv/piv-go/v2/piv"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"

"go.step.sm/crypto/kms/apiv1"
"go.step.sm/crypto/minica"
)
Expand Down Expand Up @@ -147,16 +148,16 @@ func (s *stubPivKey) Certificate(slot piv.Slot) (*x509.Certificate, error) {
return cert, nil
}

func (s *stubPivKey) SetCertificate(key [24]byte, slot piv.Slot, cert *x509.Certificate) error {
if !bytes.Equal(piv.DefaultManagementKey[:], key[:]) {
func (s *stubPivKey) SetCertificate(key []byte, slot piv.Slot, cert *x509.Certificate) error {
if !bytes.Equal(piv.DefaultManagementKey, key) {
return errors.New("missing or invalid management key")
}
s.certMap[slot] = cert
return nil
}

func (s *stubPivKey) GenerateKey(key [24]byte, slot piv.Slot, opts piv.Key) (crypto.PublicKey, error) {
if !bytes.Equal(piv.DefaultManagementKey[:], key[:]) {
func (s *stubPivKey) GenerateKey(key []byte, slot piv.Slot, opts piv.Key) (crypto.PublicKey, error) {
if !bytes.Equal(piv.DefaultManagementKey, key) {
return nil, errors.New("missing or invalid management key")
}

Expand Down Expand Up @@ -306,7 +307,7 @@ func TestNew(t *testing.T) {
pivMap = sync.Map{}
pivCards = okMultiplePivCards
pivOpen = okPivOpen
}, &YubiKey{yk: yk, pin: "111111", card: "Yubico YubiKey OTP+FIDO+CCID", managementKey: [24]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0x11, 0x22, 0x33}}, false},
}, &YubiKey{yk: yk, pin: "111111", card: "Yubico YubiKey OTP+FIDO+CCID", managementKey: []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0x11, 0x22, 0x33}}, false},
{"ok with uri and serial", args{ctx, apiv1.Options{
URI: "yubikey:serial=112233?pin-value=123456",
}}, func() {
Expand All @@ -329,7 +330,7 @@ func TestNew(t *testing.T) {
pivMap = sync.Map{}
pivCards = okPivCards
pivOpen = okPivOpen
}, &YubiKey{yk: yk, pin: "123456", card: "Yubico YubiKey OTP+FIDO+CCID", managementKey: [24]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0x11, 0x22, 0x33}}, false},
}, &YubiKey{yk: yk, pin: "123456", card: "Yubico YubiKey OTP+FIDO+CCID", managementKey: []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0x11, 0x22, 0x33}}, false},
{"fail uri", args{ctx, apiv1.Options{URI: "badschema:"}}, func() {
pivMap = sync.Map{}
pivCards = okPivCards
Expand Down Expand Up @@ -390,7 +391,7 @@ func TestYubiKey_LoadCertificate(t *testing.T) {
type fields struct {
yk pivKey
pin string
managementKey [24]byte
managementKey []byte
}
type args struct {
req *apiv1.LoadCertificateRequest
Expand Down Expand Up @@ -450,7 +451,7 @@ func TestYubiKey_StoreCertificate(t *testing.T) {
type fields struct {
yk pivKey
pin string
managementKey [24]byte
managementKey []byte
}
type args struct {
req *apiv1.StoreCertificateRequest
Expand All @@ -472,7 +473,7 @@ func TestYubiKey_StoreCertificate(t *testing.T) {
Name: "slot-id=9c",
Certificate: cert,
}}, true},
{"fail setCertificate", fields{yk, "123456", [24]byte{}}, args{&apiv1.StoreCertificateRequest{
{"fail setCertificate", fields{yk, "123456", []byte{}}, args{&apiv1.StoreCertificateRequest{
Name: "yubikey:slot-id=9c",
Certificate: cert,
}}, true},
Expand All @@ -497,7 +498,7 @@ func TestYubiKey_GetPublicKey(t *testing.T) {
type fields struct {
yk pivKey
pin string
managementKey [24]byte
managementKey []byte
}
type args struct {
req *apiv1.GetPublicKeyRequest
Expand Down Expand Up @@ -544,7 +545,7 @@ func TestYubiKey_CreateKey(t *testing.T) {
type fields struct {
yk pivKey
pin string
managementKey [24]byte
managementKey []byte
}
type args struct {
req *apiv1.CreateKeyRequest
Expand Down Expand Up @@ -680,7 +681,7 @@ func TestYubiKey_CreateKey(t *testing.T) {
Name: "yubikey:foo=82",
SignatureAlgorithm: apiv1.ECDSAWithSHA256,
}}, func() *apiv1.CreateKeyResponse { return nil }, true},
{"fail generateKey", fields{yk, "123456", [24]byte{}}, args{&apiv1.CreateKeyRequest{
{"fail generateKey", fields{yk, "123456", []byte{}}, args{&apiv1.CreateKeyRequest{
Name: "yubikey:slot-id=82",
SignatureAlgorithm: apiv1.ECDSAWithSHA256,
}}, func() *apiv1.CreateKeyResponse { return nil }, true},
Expand Down Expand Up @@ -711,7 +712,7 @@ func TestYubiKey_CreateKey_policies(t *testing.T) {
type fields struct {
yk pivKey
pin string
managementKey [24]byte
managementKey []byte
}
type args struct {
req *apiv1.CreateKeyRequest
Expand Down Expand Up @@ -867,7 +868,7 @@ func TestYubiKey_CreateSigner(t *testing.T) {
type fields struct {
yk pivKey
pin string
managementKey [24]byte
managementKey []byte
}
type args struct {
req *apiv1.CreateSignerRequest
Expand Down Expand Up @@ -929,7 +930,7 @@ func TestYubiKey_CreateDecrypter(t *testing.T) {
type fields struct {
yk pivKey
pin string
managementKey [24]byte
managementKey []byte
}
type args struct {
req *apiv1.CreateDecrypterRequest
Expand Down Expand Up @@ -991,7 +992,7 @@ func TestYubiKey_CreateAttestation(t *testing.T) {
type fields struct {
yk pivKey
pin string
managementKey [24]byte
managementKey []byte
}
type args struct {
req *apiv1.CreateAttestationRequest
Expand Down Expand Up @@ -1079,7 +1080,7 @@ func TestYubiKey_Close(t *testing.T) {
type fields struct {
yk pivKey
pin string
managementKey [24]byte
managementKey []byte
}
tests := []struct {
name string
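Review bot: The expected `managementKey` values in the two `ok` cases of `TestNew` are now slices, but nothing asserts that `piv.DefaultManagementKey` — a package-level `[]byte` in v2 rather than an array value — is unchanged after `New` runs with a custom key, which is the regression the type change makes possible if the production code copies into a slice initialised from the default. A snapshot before the call and `assert.Equal(t, before, piv.DefaultManagementKey)` afterwards would pin it. The 24-byte literal is also repeated verbatim in both cases; a single package-level `testManagementKey` fixture would keep the expectations in sync. `TestNew` starts and ends outside the hunk.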