reset device only works if PIN is blocked
Per Yubico docs on the RESET command: https://developers.yubico.com/PIV/Introduction/Yubico_extensions.html
Do you want to have a `force_reset_device` that does something like this?
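```rust
let mut rng = rand::thread_rng();
// Keep submitting random PINs until the retry counter is exhausted.
loop {
    let b: [u8; 8] = rand::Rng::gen(&mut rng);
    let v = yk.verify_pin(&b);
    if v.is_err() {
        if yk.get_pin_retries().unwrap() <= 0 {
            break;
        }
    }
}
// With the PIN blocked, block the PUK as well and then reset.
ykpiv::yubikey::YubiKey::block_puk(&mut yk).unwrap();
yk.reset_device().unwrap();
```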
Some precedent for this in `block_puk`: https://github.com/iqlusioninc/yubikey-piv.rs/blob/aaaf3b142e5556bbac7950d5f96befbe27efa132/src/yubikey.rs#L469
It sounds like a good feature, although I'd prefer a deterministic counter-based method like the one used in `block_puk` to one based on an RNG.
Oh yeah, I had added that when I was making a different mistake and thought the PIN needed to change for it to count against retries, but that's obviously not the case. I can send a simpler version like you describe.
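An added sketch of the deterministic counter-based approach discussed in this thread; it is not code from yubikey-piv.rs or from any participant. `PivToken`, `SimToken` and `force_reset` are hypothetical names, and the token is simulated in memory so the example runs without hardware.

```rust
// Added illustration: PivToken and SimToken are hypothetical stand-ins, not the yubikey-piv.rs API.
pub trait PivToken {
    /// Ok(()) on the correct PIN, Err(retries_left) on a wrong or blocked PIN.
    fn verify_pin(&mut self, pin: &[u8; 8]) -> Result<(), u8>;
    fn block_puk(&mut self);
    fn reset_device(&mut self) -> Result<(), &'static str>;
}

/// Exhaust the PIN retries deterministically, then block the PUK and reset; returns attempts made.
pub fn force_reset<T: PivToken>(tok: &mut T) -> Result<u32, &'static str> {
    let mut pin = *b"00000000"; // constructed starting candidate
    for attempts in 1..=1024u32 {
        match tok.verify_pin(&pin) {
            Err(0) => {
                tok.block_puk();
                tok.reset_device()?;
                return Ok(attempts);
            }
            Err(_) => {} // wrong guess: repeating the same candidate still burns a retry
            // The candidate was the real PIN, which refills the retry counter.
            // Step the last digit so the following attempts are guaranteed to fail.
            Ok(()) => pin[7] = if pin[7] == b'9' { b'0' } else { pin[7] + 1 },
        }
    }
    Err("PIN retry counter never reached zero")
}

/// Constructed in-memory token used only to exercise force_reset.
pub struct SimToken { pub pin: [u8; 8], pub max: u8, pub left: u8, pub puk_blocked: bool, pub wiped: bool }
impl PivToken for SimToken {
    fn verify_pin(&mut self, pin: &[u8; 8]) -> Result<(), u8> {
        if self.left == 0 { return Err(0); }
        if *pin == self.pin { self.left = self.max; return Ok(()); }
        self.left -= 1;
        Err(self.left)
    }
    fn block_puk(&mut self) { self.puk_blocked = true; }
    // The thread says reset needs a blocked PIN, and its snippet blocks the PUK first; require both.
    fn reset_device(&mut self) -> Result<(), &'static str> {
        if self.left != 0 || !self.puk_blocked { return Err("PIN and PUK must be blocked first"); }
        self.wiped = true;
        Ok(())
    }
}

fn main() {
    let mut tok = SimToken { pin: *b"00000000", max: 3, left: 3, puk_blocked: false, wiped: false };
    let result = force_reset(&mut tok);
    println!("{:?} wiped={}", result, tok.wiped);
}
```

The `Ok(())` arm covers the one case a fixed candidate cannot: the candidate happening to be the current PIN, which would otherwise refill the retry counter on every attempt.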