`untested` functionality tracking issue

[tony-iqlusion]

This is a tracking issue for all functionality currently gated under the untested feature.

Please leave a comment here if you were able to use the functionality successfully and/or are interested in writing tests.

• [ ] Ccc::set: set Cardholder Capability Container (CCC) ID
• [ ] Certificate::delete: delete X.509 certificate
• [ ] ChuId::set: set Cardholder Unique Identifier (CHUID)
• [ ] Metadata: metadata stored in a YubiKey
  • [ ] Metadata::delete: delete metadata
  • [ ] Metadata::set_item: set metadata item
  • [ ] Metadata::write: write metadata
• [ ] MgmKey: management key
  • [ ] MgmKey::get_derived: get derived management key (MGM) for a provided PIN
  • [ ] MgmKey::get_protected: get protected management key (MGM)
  • [ ] MgmKey::set_default: resets the management key for the given YubiKey to the default value
  • [ ] MgmKey::set_protected: configure a PIN-protected management key
• [ ] MsContainer::*: MS Container Map records
• [ ] MsRoots::*: PKCS#7-formatted certificate store for enterprise trust roots
• [ ] RsaKeyData::*: data that makes up an RSA key
• [ ] YubiKey: YubiKey device
  • [ ] YubiKey::block_puk: permanently prevent the PIN from becoming unblocked by blocking PUK
  • [ ] YubiKey::change_pin: change the Personal Identification Number (PIN)
  • [ ] YubiKey::change_puk: change PIN Unblocking Key (PUK)
  • [ ] YubiKey::deauthenticate: deauthenticate from a YubiKey
  • [ ] YubiKey::get_auth_challenge: get an authentication challenge
  • [ ] YubiKey::fetch_object: fetch an object with a given ID from the YubiKey
  • [ ] YubiKey::reconnect: reconnect to a YubiKey
  • [ ] YubiKey::reset_device: reset YubiKey to factory state
  • [ ] YubiKey::save_object: save an object to the given object ID of a YubiKey
  • [ ] YubiKey::set_pin_last_changed: set pin last changed
  • [ ] YubiKey::set_pin_retries: set the number of PIN retries
  • [ ] YubiKey::unblock_pin: unblock PIN using PUK
  • [ ] YubiKey::verify_auth_response: verify an authentication response
• [ ] piv: Personal Identity Verification (PIV) cryptographic keys
  • [ ] piv::attest: generate an attestation certificate for a stored key
  • [ ] piv::decrypt_data: decrypt data using a PIV key (see also #258)
  • [ ] piv::import_ecc_key: imports a private ECC encryption or signing key into the YubiKey
  • [ ] piv::import_rsa_key: imports a private RSA encryption or signing key into the YubiKey

[ghost]

I am curious about whether yubikey.rs would support managing the oauth TOTP credentials on a Yubikey (ykman oath). Do the various _object methods cover this behavior or the low-level building blocks?

[tony-iqlusion]

This library is a translation of yubico-piv-tool, and as far as I know that has no support for obtaining OATH-TOTP codes from the OTP applet.

It's something we'd be happy to add. There's some very basic support for interacting with the OTP applet for obtaining version information, but that's it.

I believe there was some support for this in earlier versions of the yubikey crate which had a completely different codebase. If so, perhaps some of that work can be extracted and re-integrated.

[tony-iqlusion]

I went ahead and gisted the source code of the earlier yubikey crate which has OTP support. Here is the relevant function:

https://gist.github.com/tarcieri/3dfb1628a48d39651f313b76d61d5cb2#file-yubikey-rs-L317-L325

The code is written using the (now defunct) libusb crate which is quite a bit different from how this crate works, as we use a portable PC/SC abstraction library. So it'd need to be rewritten to use that instead.

[ghost]

@tony-iqlusion wow, thank you for the detailed guidance! I'll note that gist and explore as I have freer time.