From c96b50bcecffe93387d07b9642c10290a35ce3f4 Mon Sep 17 00:00:00 2001
From: "Tony Arcieri (iqlusion)"
Date: Mon, 15 Dec 2025 11:59:48 -0700
Subject: [PATCH] mgm: extract `MgmAlgorithmId::default_for_version` (#633)

Adds a private method for determining the MGM key algorithm to use for a given YubiKey `Version`
---
 src/mgm.rs | 57 +++++++++++++++++++++++++-----------------------------
 1 file changed, 26 insertions(+), 31 deletions(-)

diff --git a/src/mgm.rs b/src/mgm.rs
index de26082..584e7e3 100644
--- a/src/mgm.rs
+++ b/src/mgm.rs
@@ -141,6 +141,26 @@ impl From for u8 {
 }

 impl MgmAlgorithmId {
+ /// Get the default MGM key algorithm for the given YubiKey version.
+ fn default_for_version(version: Version) -> Self {
+ match version {
+ // Initial firmware versions default to 3DES.
+ Version { major: ..=4, .. }
+ | Version {
+ major: 5,
+ minor: ..=6,
+ ..
+ } => Self::ThreeDes,
+ // Firmware 5.7.0 and above default to AES-192.
+ Version {
+ major: 5,
+ minor: 7..,
+ ..
+ }
+ | Version { major: 6.., .. } => Self::Aes192,
+ }
+ }
+
 /// Looks up the algorithm for the given Yubikey's current management key.
 fn query(txn: &Transaction<'_>) -> Result {
 match txn.get_metadata(crate::piv::SlotId::Management(ManagementSlotId::Management)) {
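Review bot: The doc comment on `default_for_version` does not say that the result is derived from the firmware version alone, so a reader can mistake it for the algorithm of the management key currently set on the device, which `query` just below reads from the slot metadata instead. I would extend the comment with `/// This is the default for that firmware, not necessarily the algorithm of the key currently configured; use [`Self::query`] for that.` The match ignores the patch component, which agrees with the "5.7.0 and above" comment. The `impl MgmAlgorithmId` block continues outside the hunk.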
@@ -204,22 +224,8 @@ impl MgmKey {
 /// Generates a random MGM key using the preferred algorithm for the given Yubikey's
 /// firmware version.
 pub fn generate_for(yubikey: &YubiKey, rng: &mut impl TryCryptoRng) -> Result {
- match yubikey.version() {
- // Initial firmware versions default to 3DES.
- Version { major: ..=4, .. }
- | Version {
- major: 5,
- minor: ..=6,
- ..
- } => Self::generate(MgmAlgorithmId::ThreeDes, rng),
- // Firmware 5.7.0 and above default to AES-192.
- Version {
- major: 5,
- minor: 7..,
- ..
- }
- | Version { major: 6.., .. } => Self::generate(MgmAlgorithmId::Aes192, rng),
- }
+ let alg = MgmAlgorithmId::default_for_version(yubikey.version());
+ Self::generate(alg, rng)
 }

 /// Parses an MGM key from the given byte slice.
@@ -242,21 +248,10 @@ impl MgmKey {
 ///
 /// Returns an error if the Yubikey's default algorithm is unsupported.
 pub fn get_default(yubikey: &YubiKey) -> Result {
- match yubikey.version() {
- // Initial firmware versions default to 3DES.
- Version { major: ..=4, .. }
- | Version {
- major: 5,
- minor: ..=6,
- ..
- } => Ok(Self(MgmKeyKind::Tdes(DEFAULT_MGM_KEY.into()))),
- // Firmware 5.7.0 and above default to AES-192.
- Version {
- major: 5,
- minor: 7..,
- ..
- }
- | Version { major: 6.., .. } => Ok(Self(MgmKeyKind::Aes192(DEFAULT_MGM_KEY.into()))),
+ match MgmAlgorithmId::default_for_version(yubikey.version()) {
+ MgmAlgorithmId::ThreeDes => Ok(Self(MgmKeyKind::Tdes(DEFAULT_MGM_KEY.into()))),
+ MgmAlgorithmId::Aes192 => Ok(Self(MgmKeyKind::Aes192(DEFAULT_MGM_KEY.into()))),
+ _ => Err(Error::NotSupported),
 }
 }
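Review bot: In `generate_for`, the doc comment still says "preferred algorithm" although the body now takes `MgmAlgorithmId::default_for_version`, which yields 3DES for every firmware up to 5.6. A caller reading "preferred" may expect the strongest algorithm the device accepts; whether older firmware can take an AES key is not visible in this hunk, so I would only align the wording: `/// Generates a random MGM key using the default algorithm for the given YubiKey's firmware version (3DES before 5.7.0, AES-192 from 5.7.0).` Callers that need a specific algorithm can see from that wording that they have to call `generate` with an explicit `MgmAlgorithmId`.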
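Review bot: In `get_default`, the new `_ => Err(Error::NotSupported)` arm cannot be reached while `default_for_version` returns only `ThreeDes` or `Aes192`, and as a catch-all it would turn a future change of that helper into a runtime error instead of a compile error. Failing closed is the right outcome for a function that hands out the fixed `DEFAULT_MGM_KEY`, but the dependency deserves a comment on the arm, e.g. `// default_for_version only returns ThreeDes or Aes192 today; no default key is defined for other algorithms.` Naming the remaining variants in place of `_` would let the compiler flag a newly added one; their names are outside this hunk.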