Prevent changing the default PIN to itself

Closes str4d/age-plugin-yubikey#120.
Jack Grigg
2023-02-11 02:45:30 +00:00
parent 80e8072624
commit d2132b4ac2
3 changed files with 24 additions and 14 deletions
+2
@@ -11,6 +11,8 @@ to 0.3.0 are beta releases.
- When `age-plugin-yubikey` assists the user in changing their PIN from the - When `age-plugin-yubikey` assists the user in changing their PIN from the
default PIN, it no longer tells the user that PINs shorter than 6 characters default PIN, it no longer tells the user that PINs shorter than 6 characters
are allowed, and instead loops until the user enters a PIN of valid length. are allowed, and instead loops until the user enters a PIN of valid length.
It also now prevents the user from setting their PIN to the default PIN, to
avoid creating a cycle.
- More kinds of SmartCard readers are ignored when they have no SmartCard - More kinds of SmartCard readers are ignored when they have no SmartCard
inserted. inserted.
+1
@@ -135,6 +135,7 @@ mgr-enter-current-puk = Enter current PUK (default is {$default_puk})
mgr-choose-new-pin = Choose a new PIN/PUK mgr-choose-new-pin = Choose a new PIN/PUK
mgr-repeat-new-pin = Repeat the PIN/PUK mgr-repeat-new-pin = Repeat the PIN/PUK
mgr-pin-mismatch = PINs don't match mgr-pin-mismatch = PINs don't match
mgr-nope-default-pin = You entered the default PIN again. You need to change it.
mgr-changing-mgmt-key = mgr-changing-mgmt-key =
✨ Your {-yubikey} is using the default management key. ✨ Your {-yubikey} is using the default management key.
+21 -14
@@ -284,20 +284,27 @@ pub(crate) fn manage(yubikey: &mut YubiKey) -> Result<(), Error> {
let current_puk = Password::new() let current_puk = Password::new()
.with_prompt(fl!("mgr-enter-current-puk", default_puk = DEFAULT_PUK)) .with_prompt(fl!("mgr-enter-current-puk", default_puk = DEFAULT_PUK))
.interact()?; .interact()?;
let new_pin = request_pin( let new_pin = loop {
|prev_error| { let pin = request_pin(
if let Some(err) = prev_error { |prev_error| {
eprintln!("{}", err); if let Some(err) = prev_error {
} eprintln!("{}", err);
Password::new() }
.with_prompt(fl!("mgr-choose-new-pin")) Password::new()
.with_confirmation(fl!("mgr-repeat-new-pin"), fl!("mgr-pin-mismatch")) .with_prompt(fl!("mgr-choose-new-pin"))
.interact() .with_confirmation(fl!("mgr-repeat-new-pin"), fl!("mgr-pin-mismatch"))
.map(|pin| Result::<_, Infallible>::Ok(SecretString::new(pin))) .interact()
}, .map(|pin| Result::<_, Infallible>::Ok(SecretString::new(pin)))
yubikey.serial(), },
)? yubikey.serial(),
.unwrap(); )?
.unwrap();
if pin.expose_secret() == DEFAULT_PIN {
eprintln!("{}", fl!("mgr-nope-default-pin"));
} else {
break pin;
}
};
let new_pin = new_pin.expose_secret(); let new_pin = new_pin.expose_secret();
yubikey.change_puk(current_puk.as_bytes(), new_pin.as_bytes())?; yubikey.change_puk(current_puk.as_bytes(), new_pin.as_bytes())?;
yubikey.change_pin(pin.as_bytes(), new_pin.as_bytes())?; yubikey.change_pin(pin.as_bytes(), new_pin.as_bytes())?;
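Review bot: The new loop rejects only `DEFAULT_PIN`, yet the accepted value is also written as the PUK by `yubikey.change_puk(current_puk.as_bytes(), new_pin.as_bytes())` just below; if `request_pin` accepts a value of that length, a user who types the default PUK as the new PIN/PUK would keep the PUK at its factory value and set the PIN to a well-known string. Consider widening the guard to `if pin.expose_secret() == DEFAULT_PIN || pin.expose_secret() == DEFAULT_PUK {` and generalising the `mgr-nope-default-pin` message to match. Separately, the loop-local `pin` shadows the outer `pin` (the current PIN passed to `change_pin` after the loop), so naming it something like `candidate` would make the two harder to mix up. `manage` begins and ends outside this hunk, so this is based only on the lines shown.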