iqlusioninc / yubikey.rs

Pure Rust YubiKey host-side driver for PIV-based RSA/ECC key storage + signing/encryption support
BSD 2-Clause "Simplified" License

reset device only works if PIN is blocked #157

Open colemickens opened 4 years ago

colemickens commented 4 years ago

Per Yubico docs on the RESET command: https://developers.yubico.com/PIV/Introduction/Yubico_extensions.html

Do you want to have a force_reset_device that does something like this?

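    let mut rng = rand::thread_rng();
    // Submit random 8-byte PINs until the PIN retry counter is exhausted.
    loop {
        let b: [u8; 8] = rand::Rng::gen(&mut rng);
        let v = yk.verify_pin(&b);
        if v.is_err() {
            // No retries left means the PIN is now blocked.
            if yk.get_pin_retries().unwrap() <= 0 {
                break;
            }
        }
    }
    // Block the PUK as well, then reset the device.
    ykpiv::yubikey::YubiKey::block_puk(&mut yk).unwrap();
    yk.reset_device().unwrap();

tarcieri commented 4 years ago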

Some precedent for this in block_puk:

https://github.com/iqlusioninc/yubikey-piv.rs/blob/aaaf3b142e5556bbac7950d5f96befbe27efa132/src/yubikey.rs#L469

It sounds like a good feature, although I'd prefer a deterministic counter-based method like the one used in block_puk to one based on an RNG.

colemickens commented 4 years ago

Oh yeah, I had added that when I was making a different mistake and thought the PIN needed to change for it to count against retries, but that's obviously not the case. I can send a simpler version like you describe.
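
A sketch of the deterministic, counter-based variant discussed in this thread, added here as an illustration; it is not code from yubikey.rs or from any participant. `MockToken` and `block_pin` are hypothetical names that simulate a PIV PIN retry counter so the loop runs without hardware, and the loop also covers the case where a guess happens to equal the real PIN and restores the counter.

```rust
/// Hypothetical stand-in for a PIV token's PIN retry counter (not the yubikey.rs API).
pub struct MockToken {
    pin: [u8; 8],
    retries: u8,
    max_retries: u8,
}

impl MockToken {
    pub fn new(pin: [u8; 8], max_retries: u8) -> Self {
        MockToken { pin, retries: max_retries, max_retries }
    }

    /// A wrong PIN costs one retry (Err carries what is left);
    /// a correct PIN restores the full counter; a blocked PIN always fails.
    pub fn verify_pin(&mut self, guess: &[u8; 8]) -> Result<(), u8> {
        if self.retries == 0 {
            return Err(0);
        }
        if *guess == self.pin {
            self.retries = self.max_retries;
            return Ok(());
        }
        self.retries -= 1;
        Err(self.retries)
    }
}

/// Block the PIN using counter-derived guesses (no RNG); returns attempts used.
pub fn block_pin(token: &mut MockToken) -> u32 {
    let mut counter: u64 = 0;
    let mut attempts: u32 = 0;
    loop {
        // Encode the counter as eight ASCII digits, e.g. 1 -> "00000001".
        let mut guess = [b'0'; 8];
        let mut n = counter;
        for slot in guess.iter_mut().rev() {
            *slot = b'0' + (n % 10) as u8;
            n /= 10;
        }
        attempts += 1;
        if let Err(0) = token.verify_pin(&guess) {
            return attempts; // retry counter exhausted: PIN is blocked
        }
        // Always advance, so an accidental correct guess is never repeated.
        counter += 1;
    }
}

fn main() {
    let mut token = MockToken::new(*b"00000001", 3); // constructed sample PIN
    println!("PIN blocked after {} attempts", block_pin(&mut token));
}
```

Because the guess changes on every iteration, an accidental match costs only one extra round of retries rather than looping forever on the correct PIN.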