
Figure out what version of YubiKeys support PIN caching #60

Open
ericchiang opened this issue May 12, 2020 · 6 comments

Comments

@ericchiang
Collaborator

Currently we're assuming > 4.3.0 since I only have a v4.3.7 and v3.4.9 key to test with

piv-go/piv/piv_test.go

Lines 137 to 152 in 2184bb6

```go
func TestYubiKeyLoginNeeded(t *testing.T) {
	yk, close := newTestYubiKey(t)
	defer close()
	testRequiresVersion(t, yk, 4, 3, 0)
	if !ykLoginNeeded(yk.tx) {
		t.Errorf("expected login needed")
	}
	if err := ykLogin(yk.tx, DefaultPIN); err != nil {
		t.Fatalf("login: %v", err)
	}
	if ykLoginNeeded(yk.tx) {
		t.Errorf("expected no login needed")
	}
}
```

If someone can confirm that that test passes with an older version of a YubiKey (e.g. 4.2.X), we can support PIN caching and PINPolicyOnce for those versions.

To test against a YubiKey, comment out the version and run (this will destroy all data on your PIV applet but leave GPG and U2F/WebAuthN data unaffected):

```shell
go test -v -run=^TestYubiKeyReset$ . -wipe-yubikey
go test -v -run=^TestYubiKeyLoginNeeded$ . -wipe-yubikey
```

@ericchiang
Collaborator Author

Note that Yubico doesn't sell older keys so I can't buy test hardware for this.

https://www.yubico.com/store/

@russelldavies

For a v3.4.3 YubiKey:

  • TestYubiKeyLoginNeeded test always passes.
  • TestYubiKeyReset: it fails 4 times then passes. Subsequent runs repeat the same way.
    • FAIL: resetting yubikey: blocking pin: verify pin: smart card error 6302
    • FAIL: resetting yubikey: blocking pin: verify pin: smart card error 6301
    • FAIL: resetting yubikey: blocking puk: smart card error 6302
    • FAIL: resetting yubikey: blocking puk: smart card error 6301
    • PASS

@joneskoo

Is it because I saw one doc that says that reset can only be done after running out of retries? @russelldavies can you test by first trying with a wrong PIN enough times to make sure both PIN and PUK are blocked and then run the test? My hypothesis is that you basically only need wrong PIN attempts to enable reset on older devices.

Resetting a device
If an incorrect PIN is given 3 times consecutively, the PIN will become disabled. If you’ve set a PUK, then you can use that PUK to reset the PIN to a new value, and it will become enabled and usable again. If an incorrect PUK is given 3 times consecutively, it will become blocked as well. When both the PIN and the PUK are blocked, the device can be reset. This returns the PIV functionality of the YubiKey to a factory setting, setting the default PIN, PUK and Management Key values, as well as removing any stored keys and certificates. Once reset, the device is ready to be re-initialized.

@russelldavies

That seems to be what is happening. If the PIN and PUK are blocked then the test passes. The ykReset function tries the wrong PIN and PUK multiple times to block them before attempting a reset so I'm not sure why it fails.

@ericchiang
Collaborator Author

ericchiang commented May 12, 2020

6302 is odd. It should be 63c2. I can send a fix anyway though.

https://cardwerk.com/smart-card-standard-iso7816-4-section-5-basic-organizations/#table14
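The retry rules quoted from the Yubico documentation above and the 63Cx status words ericchiang refers to, worked through in Go as an added example (this is not piv-go's code). The card is a constructed mock rather than hardware; its default PIN/PUK values, the known-wrong values used to block them, and the exact statuses it answers once a counter is exhausted (63C0 on the exhausting attempt, 6983 afterwards) are assumptions of the mock, not a statement about what a given YubiKey firmware does:

```go
package main

import (
	"errors"
	"fmt"
)

// Status words taken from the ISO 7816-4 table linked in the thread.
const (
	swOK                uint16 = 0x9000 // success
	swAuthMethodBlocked uint16 = 0x6983 // authentication method blocked
	swRetriesPrefix     uint16 = 0x63C0 // 63Cx: verification failed, x retries remain
	maxRetries                 = 3      // per the quoted Yubico documentation
)

// retriesFromStatus decodes a 63Cx warning into the remaining retry count.
// Anything outside 63C0..63CF (including the 6302 reported above) carries
// no counter, so callers must not treat it as one.
func retriesFromStatus(sw uint16) (int, bool) {
	if sw&0xFFF0 != swRetriesPrefix {
		return 0, false
	}
	return int(sw & 0x000F), true
}

// mockPIV is a constructed stand-in for a card (not real hardware) modelling
// the quoted rules: three wrong PINs block the PIN, three wrong PUKs block
// the PUK, and a reset is accepted only when both are blocked.
// The default PIN/PUK values are assumptions of this mock.
type mockPIV struct {
	pin, puk               string
	pinRetries, pukRetries int
	keysPresent            bool
}

func newMockPIV() *mockPIV {
	return &mockPIV{pin: "123456", puk: "12345678",
		pinRetries: maxRetries, pukRetries: maxRetries, keysPresent: true}
}

// verify applies one attempt against a secret and its retry counter.
// Assumed behaviour: the attempt that exhausts the counter answers 63C0,
// later attempts answer 6983, and a correct attempt restores the counter.
func verify(secret, attempt string, retries *int) uint16 {
	if *retries == 0 {
		return swAuthMethodBlocked
	}
	if attempt == secret {
		*retries = maxRetries
		return swOK
	}
	*retries--
	return swRetriesPrefix | uint16(*retries)
}

func (m *mockPIV) VerifyPIN(p string) uint16 { return verify(m.pin, p, &m.pinRetries) }
func (m *mockPIV) VerifyPUK(p string) uint16 { return verify(m.puk, p, &m.pukRetries) }

var errResetRefused = errors.New("reset refused: PIN and PUK must both be blocked")

// Reset returns the applet to factory defaults and discards stored keys.
func (m *mockPIV) Reset() error {
	if m.pinRetries != 0 || m.pukRetries != 0 {
		return errResetRefused
	}
	*m = *newMockPIV()
	m.keysPresent = false
	return nil
}

// exhaust sends a known-wrong value until the card reports the credential
// blocked. Any status that is neither a 63Cx warning nor 6983 is an error,
// which is where an unexpected "6302" surfaces instead of being retried.
func exhaust(what string, try func() uint16) error {
	for i := 0; i <= maxRetries; i++ {
		sw := try()
		if sw == swAuthMethodBlocked {
			return nil
		}
		if _, ok := retriesFromStatus(sw); !ok {
			return fmt.Errorf("blocking %s: unexpected status %04x", what, sw)
		}
	}
	return fmt.Errorf("blocking %s: card never reported it blocked", what)
}

// blockAndReset follows the sequence the thread attributes to ykReset:
// block the PIN, block the PUK, then reset.
func blockAndReset(card *mockPIV) error {
	// "000000" and "00000000" are wrong by construction for this mock.
	if err := exhaust("pin", func() uint16 { return card.VerifyPIN("000000") }); err != nil {
		return err
	}
	if err := exhaust("puk", func() uint16 { return card.VerifyPUK("00000000") }); err != nil {
		return err
	}
	return card.Reset()
}

func main() {
	card := newMockPIV()
	fmt.Printf("reset before blocking: %v\n", card.Reset())
	fmt.Printf("reset after blocking: %v\n", blockAndReset(card))
}
```

The point of `exhaust` failing on anything but 63Cx or 6983 is the one raised in the thread: a status such as 6302 should be surfaced as an error with the raw word, not mistaken for a retry counter.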

@ericchiang
Collaborator Author

#64 fixes the "blocking pin: verify pin: smart card error" message.
