def piv_change_pin(self, old_pin, new_pin):
with self._open_device([SmartCardConnection]) as conn:
session = PivSession(conn)
try:
session.change_pin(old_pin, new_pin)
logger.debug('PIN change successful!')
return success()
except InvalidPinError as e:
attempts = e.attempts_remaining
if attempts:
logger.debug("Failed to change PIN, %d tries left", attempts, exc_info=e)
return failure('wrong_pin', {'tries_left': attempts})
else:
logger.debug("PIN is blocked.", exc_info=e)
return failure('pin_blocked')
except ApduError as e:
if e.sw == SW.INCORRECT_PARAMETERS:
return failure('incorrect_parameters')
tries_left = e.attempts_remaining
logger.debug('PIN change failed. %s tries left.',
tries_left, exc_info=e)
return {
'success': False,
'tries_left': tries_left,
}
def pivman_change_pin(session: PivSession, old_pin: str, new_pin: str) -> None:
"""Change the PIN, while keeping PivmanData in sync."""
session.change_pin(old_pin, new_pin)
pivman = get_pivman_data(session)
if pivman.has_derived_key:
session.authenticate(
MANAGEMENT_KEY_TYPE.TDES,
derive_management_key(old_pin, cast(bytes, pivman.salt)),
)
session.verify_pin(new_pin)
new_salt = os.urandom(16)
new_key = derive_management_key(new_pin, new_salt)
session.set_management_key(MANAGEMENT_KEY_TYPE.TDES, new_key)
pivman.salt = new_salt
session.put_object(OBJECT_ID_PIVMAN_DATA, pivman.get_bytes())
def reset_piv(self):
'''Resets YubiKey PIV app and generates new key for GAM to use.'''
reply = str(
input(
'This will wipe all PIV keys and configuration from your YubiKey. Are you sure? (y/N) '
).lower().strip())
if reply != 'y':
sys.exit(1)
try:
conn = self._connect()
with conn:
piv = PivSession(conn)
piv.reset()
rnd = SystemRandom()
pin_puk_chars = string.ascii_letters + string.digits + string.punctuation
new_puk = ''.join(rnd.choice(pin_puk_chars) for _ in range(8))
new_pin = ''.join(rnd.choice(pin_puk_chars) for _ in range(8))
piv.change_puk('12345678', new_puk)
piv.change_pin('123456', new_pin)
print(f'PIN set to: {new_pin}')
piv.authenticate(MANAGEMENT_KEY_TYPE.TDES,
DEFAULT_MANAGEMENT_KEY)
piv.verify_pin(new_pin)
print('YubiKey is generating a non-exportable private key...')
pubkey = piv.generate_key(SLOT.AUTHENTICATION,
KEY_TYPE.RSA2048, PIN_POLICY.ALWAYS,
TOUCH_POLICY.NEVER)
now = datetime.datetime.utcnow()
valid_to = now + datetime.timedelta(days=36500)
subject = 'CN=GAM Created Key'
piv.authenticate(MANAGEMENT_KEY_TYPE.TDES,
DEFAULT_MANAGEMENT_KEY)
piv.verify_pin(new_pin)
cert = generate_self_signed_certificate(
piv, SLOT.AUTHENTICATION, pubkey, subject, now, valid_to)
piv.put_certificate(SLOT.AUTHENTICATION, cert)
piv.put_object(OBJECT_ID.CHUID, generate_chuid())
except ValueError as err:
controlflow.system_error_exit(8, f'YubiKey - {err}')
