Yubikey updates. Fixes #1862

This commit is contained in:
Jay Lee
2025-11-26 12:14:59 -05:00
parent d86be2014c
commit 8782865da4


@@ -19,12 +19,11 @@
"""YubiKey""" """YubiKey"""
import base64 import base64
from datetime import datetime, timedelta
from secrets import SystemRandom from secrets import SystemRandom
import string import string
import sys import sys
import arrow
from gam import mplock from gam import mplock
from gam import systemErrorExit from gam import systemErrorExit
@@ -41,7 +40,6 @@ from ykman.piv import generate_self_signed_certificate, generate_chuid
from yubikit.piv import DEFAULT_MANAGEMENT_KEY, \ from yubikit.piv import DEFAULT_MANAGEMENT_KEY, \
InvalidPinError, \ InvalidPinError, \
KEY_TYPE, \ KEY_TYPE, \
MANAGEMENT_KEY_TYPE, \
PIN_POLICY, \ PIN_POLICY, \
PivSession, \ PivSession, \
OBJECT_ID, \ OBJECT_ID, \
@@ -149,17 +147,17 @@ class YubiKey():
piv.change_puk('12345678', new_puk) piv.change_puk('12345678', new_puk)
piv.change_pin('123456', new_pin) piv.change_pin('123456', new_pin)
writeStdout(Msg.YUBIKEY_PIN_SET_TO.format(new_pin)) writeStdout(Msg.YUBIKEY_PIN_SET_TO.format(new_pin))
piv.authenticate(MANAGEMENT_KEY_TYPE.TDES, DEFAULT_MANAGEMENT_KEY) piv.authenticate(piv.management_key_type, DEFAULT_MANAGEMENT_KEY)
piv.verify_pin(new_pin) piv.verify_pin(new_pin)
writeStdout(Msg.YUBIKEY_GENERATING_NONEXPORTABLE_PRIVATE_KEY) writeStdout(Msg.YUBIKEY_GENERATING_NONEXPORTABLE_PRIVATE_KEY)
pubkey = piv.generate_key(SLOT.AUTHENTICATION, pubkey = piv.generate_key(SLOT.AUTHENTICATION,
KEY_TYPE.RSA2048, KEY_TYPE.RSA2048,
PIN_POLICY.ALWAYS, PIN_POLICY.ALWAYS,
TOUCH_POLICY.NEVER) TOUCH_POLICY.NEVER)
now = arrow.utcnow() now = datetime.utcnow()
valid_to = now.shift(days=36500) valid_to = now + timedelta(days=3650)
subject = 'CN=GAM Created Key' subject = 'CN=GAM Created Key'
piv.authenticate(MANAGEMENT_KEY_TYPE.TDES, DEFAULT_MANAGEMENT_KEY) piv.authenticate(piv.management_key_type, DEFAULT_MANAGEMENT_KEY)
piv.verify_pin(new_pin) piv.verify_pin(new_pin)
cert = generate_self_signed_certificate(piv, cert = generate_self_signed_certificate(piv,
SLOT.AUTHENTICATION, SLOT.AUTHENTICATION,