Automatically verify PIN in sign_data to support always-auth keys

[qpernil]

Verify PIN in sign_data to be able to use always-authenticate keys in commands that perform more than one operation, potential fix for https://github.com/Yubico/yubico-piv-tool/issues/321. This means -averify-pin is not needed any more, any command that signs will verify (and prompt for if not given already) the PIN automatically. The action is retained in case someone wants to just verify the PIN.

[mouse07410]

Could you please confirm that this PR would automatically prompt for PIN only when the token returns NOT_LOGGED_IN, as opposed to when the driver thinks it should...?

[qpernil]

This is a simplistic solution, simply verifying pin everytime something tries to perform a signature. The pin will be taken from the command line if given, otherwise it will be requested (once). Previously there was no automatic pin verification, you had to specify -averify-pin on the command line to actually verify the pin. The --pin option would only specify the pin value to be used by -averify-pin, not verify it on it's own. So -averify-pin would seem to be able to solve the problem, but the issue was that other commands would perform more than one command with the YubiKey, invalidating the PIN again for always-auth keys. With this solution there will be too many PIN verifications for normal keys, but that is not really a problem as the pin will be kept in memory. This whole reasoning only applies to yubico-piv-tool and not libykcs11.

[qpernil]

See also https://github.com/Yubico/yubico-piv-tool/pull/338. Still considering security implications of that one.