1# Copyright (c) 2018 Yubico AB
2# All rights reserved.
3#
4#   Redistribution and use in source and binary forms, with or
5#   without modification, are permitted provided that the following
6#   conditions are met:
7#
8#    1. Redistributions of source code must retain the above copyright
9#       notice, this list of conditions and the following disclaimer.
10#    2. Redistributions in binary form must reproduce the above
11#       copyright notice, this list of conditions and the following
12#       disclaimer in the documentation and/or other materials provided
13#       with the distribution.
14#
15# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
16# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
17# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
18# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
19# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
20# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
22# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
23# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
25# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26# POSSIBILITY OF SUCH DAMAGE.
27
28import time
29import struct
30from yubikit.core.fido import FidoConnection
31from yubikit.core.smartcard import SW
32from fido2.ctap1 import Ctap1, ApduError
33
34from typing import Optional
35
36
37U2F_VENDOR_FIRST = 0x40
38
39# FIPS specific INS values
40INS_FIPS_VERIFY_PIN = U2F_VENDOR_FIRST + 3
41INS_FIPS_SET_PIN = U2F_VENDOR_FIRST + 4
42INS_FIPS_RESET = U2F_VENDOR_FIRST + 5
43INS_FIPS_VERIFY_FIPS_MODE = U2F_VENDOR_FIRST + 6
44
45
46def is_in_fips_mode(fido_connection: FidoConnection) -> bool:
47    """Check if a YubiKey FIPS is in FIPS approved mode."""
48    try:
49        ctap = Ctap1(fido_connection)
50        ctap.send_apdu(ins=INS_FIPS_VERIFY_FIPS_MODE)
51        return True
52    except ApduError as e:
53        # 0x6a81: Function not supported (PIN not set - not FIPS Mode)
54        if e.code == SW.FUNCTION_NOT_SUPPORTED:
55            return False
56        raise
57
58
59def fips_change_pin(
60    fido_connection: FidoConnection, old_pin: Optional[str], new_pin: str
61):
62    """Change the PIN on a YubiKey FIPS.
63
64    If no PIN is set, pass None or an empty string as old_pin.
65    """
66    ctap = Ctap1(fido_connection)
67
68    old_pin_bytes = old_pin.encode() if old_pin else b""
69    new_pin_bytes = new_pin.encode()
70    new_length = len(new_pin_bytes)
71
72    data = struct.pack("B", new_length) + old_pin_bytes + new_pin_bytes
73
74    ctap.send_apdu(ins=INS_FIPS_SET_PIN, data=data)
75
76
77def fips_verify_pin(fido_connection: FidoConnection, pin: str):
78    """Unlock the YubiKey FIPS U2F module for credential creation."""
79    ctap = Ctap1(fido_connection)
80    ctap.send_apdu(ins=INS_FIPS_VERIFY_PIN, data=pin.encode())
81
82
83def fips_reset(fido_connection: FidoConnection):
84    """Reset the FIDO module of a YubiKey FIPS.
85
86    Note: This action is only permitted immediately after YubiKey FIPS power-up. It
87    also requires the user to touch the flashing button on the YubiKey, and will halt
88    until that happens, or the command times out.
89    """
90    ctap = Ctap1(fido_connection)
91    while True:
92        try:
93            ctap.send_apdu(ins=INS_FIPS_RESET)
94            return
95        except ApduError as e:
96            if e.code == SW.CONDITIONS_NOT_SATISFIED:
97                time.sleep(0.5)
98            else:
99                raise e
100