From bf9c09f9e88cb8c165927208181be4a1b278f7a1 Mon Sep 17 00:00:00 2001
From: Klas Lindfors
Date: Tue, 17 Oct 2017 12:51:29 +0200
Subject: [PATCH] ykcs11: disable rsa keygeneration for yk4 < 4.3.5
see https://yubi.co/ysa201701/
relates #127
---
 ykcs11/token_vendors.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/ykcs11/token_vendors.c b/ykcs11/token_vendors.c
index 7ebf0b7..596d31c 100644
--- a/ykcs11/token_vendors.c
+++ b/ykcs11/token_vendors.c
@@ -93,6 +93,22 @@ static CK_RV COMMON_token_generate_key(ykpiv_state *state, CK_BBOOL rsa,
 CK_RV rv;
+ if(rsa) {
+ char version[7];
+ if(ykpiv_get_version(state, version, sizeof(version)) == YKPIV_OK) {
+ int major, minor, build;
+ int match = sscanf(version, "%d.%d.%d", &major, &minor, &build);
+ if(match == 3 && major == 4 && (minor < 3 || (minor == 3 && build < 5))) {
+ DBG("On-chip RSA key generation on this YubiKey has been blocked.\n");
+ DBG("Please see https://yubi.co/ysa201701/ for details.\n");
+ return CKR_FUNCTION_FAILED;
+ }
+ } else {
+ DBG("Failed to communicate.\n");
+ return CKR_DEVICE_ERROR;
+ }
+ }
+
 templ[3] = key;
 *in_ptr++ = 0xac;