ykcs11: disable rsa keygeneration for yk4 < 4.3.5

see https://yubi.co/ysa201701/
relates #127
Klas Lindfors
2017-10-17 12:51:29 +02:00
parent b666922eda
commit bf9c09f9e8
+16
@@ -93,6 +93,22 @@ static CK_RV COMMON_token_generate_key(ykpiv_state *state, CK_BBOOL rsa,
CK_RV rv; CK_RV rv;
if(rsa) {
char version[7];
if(ykpiv_get_version(state, version, sizeof(version)) == YKPIV_OK) {
int major, minor, build;
int match = sscanf(version, "%d.%d.%d", &major, &minor, &build);
if(match == 3 && major == 4 && (minor < 3 || (minor == 3 && build < 5))) {
DBG("On-chip RSA key generation on this YubiKey has been blocked.\n");
DBG("Please see https://yubi.co/ysa201701/ for details.\n");
return CKR_FUNCTION_FAILED;
}
} else {
DBG("Failed to communicate.\n");
return CKR_DEVICE_ERROR;
}
}
templ[3] = key; templ[3] = key;
*in_ptr++ = 0xac; *in_ptr++ = 0xac;
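Review bot: The firmware guard fails open when the version string does not parse: if `sscanf` returns anything other than 3, the `match == 3 && ...` test is false and RSA generation proceeds on a device whose firmware is unknown. Since the block exists to refuse 4.x firmware below 4.3.5, an unparsable version is safer rejected before the range test, e.g. `if(match != 3) { DBG("Failed to parse firmware version.\n"); return CKR_DEVICE_ERROR; }`. How `ykpiv_get_version` behaves when its output does not fit `char version[7]` is not visible here, so it is worth confirming that a truncated string cannot be parsed as a different, unaffected version. The refusal is reported only through `DBG`, so a one-line comment above the block naming the advisory would help a maintainer who later sees a bare `CKR_FUNCTION_FAILED`. The body of `COMMON_token_generate_key` starts and ends outside this hunk.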