Implement --generate command

Includes logic to help users manage their keys:

- If the key is using a default PIN, we require the user to change it.
- We set the PUK equal to the PIN so the user doesn't need to remember
  them separately.
- We migrate the default management key to a new PIN-protected key.
Jack Grigg
2021-01-03 19:47:10 +00:00
parent eedf9fa997
commit 850f96cd2c
7 changed files with 341 additions and 4 deletions
+20 -2
@@ -4,9 +4,27 @@ use yubikey_piv::{
Key, YubiKey,
};
use crate::{p256::Recipient, yubikey::Stub, PLUGIN_NAME};
use crate::{error::Error, p256::Recipient, yubikey::Stub, PLUGIN_NAME};
const POLICY_EXTENSION_OID: &[u64] = &[1, 3, 6, 1, 4, 1, 41482, 3, 8];
pub(crate) const POLICY_EXTENSION_OID: &[u64] = &[1, 3, 6, 1, 4, 1, 41482, 3, 8];
pub(crate) fn pin_policy_from_string(s: String) -> Result<PinPolicy, Error> {
match s.as_str() {
"always" => Ok(PinPolicy::Always),
"once" => Ok(PinPolicy::Once),
"never" => Ok(PinPolicy::Never),
_ => Err(Error::InvalidPinPolicy(s)),
}
}
pub(crate) fn touch_policy_from_string(s: String) -> Result<TouchPolicy, Error> {
match s.as_str() {
"always" => Ok(TouchPolicy::Always),
"cached" => Ok(TouchPolicy::Cached),
"never" => Ok(TouchPolicy::Never),
_ => Err(Error::InvalidTouchPolicy(s)),
}
}
pub(crate) fn pin_policy_to_str(policy: Option<PinPolicy>) -> &'static str {
match policy {