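def piv_change_mgm_key(self, pin, current_key_hex, new_key_hex, key_type, store_on_device=False):
    """Replace the PIV management key on the connected device.

    Args:
        pin: PIV PIN. It is verified up front only when the current key is
            PIN-protected or the new key is to be stored on the device.
        current_key_hex: current management key as a hex string, used to
            authenticate before anything is changed.
        new_key_hex: new management key as a hex string. A falsy value is
            passed through to ``pivman_set_mgm_key`` as ``None``.
        key_type: value accepted by ``MANAGEMENT_KEY_TYPE``; it fixes the
            key length the new key must have.
        store_on_device: when true, the new key is also stored on the device.

    Returns:
        ``success()`` once the key has been set; otherwise the result of the
        failed PIN/authentication step, ``failure('new_mgm_key_bad_hex')`` for
        an unparseable key, or ``failure('new_mgm_key_bad_length')`` for a key
        of the wrong size.
    """
    with self._open_device([SmartCardConnection]) as conn:
        session = PivSession(conn)
        pivman = get_pivman_data(session)

        # Replacing a protected key, or storing the new one, involves the
        # PIN-protected data on the device, so the PIN must be verified
        # before the management-key authentication below.
        if pivman.has_protected_key or store_on_device:
            pin_failed = self._piv_verify_pin(session, pin=pin)
            if pin_failed:
                return pin_failed

        with PromptTimeout():
            auth_failed = self._piv_ensure_authenticated(
                session, pin=pin, mgm_key_hex=current_key_hex)
        if auth_failed:
            return auth_failed

        try:
            new_key = a2b_hex(new_key_hex) if new_key_hex else None
        except (ValueError, TypeError) as e:
            # binascii.Error is a ValueError subclass; any other exception is
            # a genuine bug and should propagate instead of being reported as
            # "bad hex". Only the exception is logged, never the key material.
            logger.debug('Failed to parse new management key', exc_info=e)
            return failure('new_mgm_key_bad_hex')

        # Resolve the enum once; an unknown key_type raises ValueError here,
        # before anything is written to the device.
        mgm_key_type = MANAGEMENT_KEY_TYPE(key_type)
        if new_key is not None and len(new_key) != mgm_key_type.key_len:
            logger.debug('Wrong length for new management key: %d', len(new_key))
            return failure('new_mgm_key_bad_length')

        pivman_set_mgm_key(
            session,
            new_key,
            mgm_key_type,
            touch=False,
            store_on_device=store_on_device,
        )
        return success()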
def test_set_stored_mgm_key_does_not_destroy_key_if_pin_not_verified(self, session):
    """Storing a management key without a verified PIN is rejected by the
    device, and the management key in effect is left untouched."""
    key_type = MANAGEMENT_KEY_TYPE.TDES

    # Authenticate with the current management key only; the PIN is
    # deliberately left unverified.
    session.authenticate(key_type, DEFAULT_MANAGEMENT_KEY)

    # The device refuses the stored-key write...
    with pytest.raises(ApduError):
        pivman_set_mgm_key(
            session,
            NON_DEFAULT_MANAGEMENT_KEY,
            key_type,
            store_on_device=True,
        )

    # ...and the default key still authenticates.
    assert_mgm_key_is(session, DEFAULT_MANAGEMENT_KEY)
def test_set_stored_mgm_key_succeeds_if_pin_is_verified(self, session):
    """With the PIN verified, the new management key is both applied and
    stored in the device's protected data."""
    key_type = MANAGEMENT_KEY_TYPE.TDES

    session.verify_pin(DEFAULT_PIN)
    session.authenticate(key_type, DEFAULT_MANAGEMENT_KEY)
    pivman_set_mgm_key(
        session,
        NON_DEFAULT_MANAGEMENT_KEY,
        key_type,
        store_on_device=True,
    )

    # The key in effect has changed...
    assert_mgm_key_is_not(session, DEFAULT_MANAGEMENT_KEY)
    assert_mgm_key_is(session, NON_DEFAULT_MANAGEMENT_KEY)

    # ...and the stored copy matches it. Read back twice, as the original
    # does, to check both the stored value and that it authenticates.
    stored_key = get_pivman_protected_data(session).key
    assert stored_key == NON_DEFAULT_MANAGEMENT_KEY
    assert_mgm_key_is(session, get_pivman_protected_data(session).key)
def test_reset_resets_has_stored_key_flag(self, session):
    """Storing a management key sets ``has_stored_key``; a reset clears it."""
    def stored_key_flag():
        # Re-read pivman data from the device on every call.
        return get_pivman_data(session).has_stored_key

    assert not stored_key_flag()

    session.verify_pin(DEFAULT_PIN)
    session.authenticate(MANAGEMENT_KEY_TYPE.TDES, DEFAULT_MANAGEMENT_KEY)
    pivman_set_mgm_key(
        session,
        NON_DEFAULT_MANAGEMENT_KEY,
        MANAGEMENT_KEY_TYPE.TDES,
        store_on_device=True,
    )
    assert stored_key_flag()

    # reset_state is a helper defined elsewhere in this file; the applet
    # reset itself is session.reset(). Same order as the original.
    reset_state(session)
    session.reset()
    assert not stored_key_flag()