1# Copyright (c) 2018 Yubico AB 2# All rights reserved. 3# 4# Redistribution and use in source and binary forms, with or 5# without modification, are permitted provided that the following 6# conditions are met: 7# 8# 1. Redistributions of source code must retain the above copyright 9# notice, this list of conditions and the following disclaimer. 10# 2. Redistributions in binary form must reproduce the above 11# copyright notice, this list of conditions and the following 12# disclaimer in the documentation and/or other materials provided 13# with the distribution. 14# 15# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 16# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 17# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 18# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 19# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 20# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 21# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 22# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 23# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 25# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26# POSSIBILITY OF SUCH DAMAGE. 27 28import time 29import struct 30from yubikit.core.fido import FidoConnection 31from yubikit.core.smartcard import SW 32from fido2.ctap1 import Ctap1, ApduError 33 34from typing import Optional 35 36 37U2F_VENDOR_FIRST = 0x40 38 39# FIPS specific INS values 40INS_FIPS_VERIFY_PIN = U2F_VENDOR_FIRST + 3 41INS_FIPS_SET_PIN = U2F_VENDOR_FIRST + 4 42INS_FIPS_RESET = U2F_VENDOR_FIRST + 5 43INS_FIPS_VERIFY_FIPS_MODE = U2F_VENDOR_FIRST + 6 44 45 46def is_in_fips_mode(fido_connection: FidoConnection) -> bool: 47 """Check if a YubiKey FIPS is in FIPS approved mode.""" 48 try: 49 ctap = Ctap1(fido_connection) 50 ctap.send_apdu(ins=INS_FIPS_VERIFY_FIPS_MODE) 51 return True 52 except ApduError as e: 53 # 0x6a81: Function not supported (PIN not set - not FIPS Mode) 54 if e.code == SW.FUNCTION_NOT_SUPPORTED: 55 return False 56 raise 57 58 59def fips_change_pin( 60 fido_connection: FidoConnection, old_pin: Optional[str], new_pin: str 61): 62 """Change the PIN on a YubiKey FIPS. 63 64 If no PIN is set, pass None or an empty string as old_pin. 65 """ 66 ctap = Ctap1(fido_connection) 67 68 old_pin_bytes = old_pin.encode() if old_pin else b"" 69 new_pin_bytes = new_pin.encode() 70 new_length = len(new_pin_bytes) 71 72 data = struct.pack("B", new_length) + old_pin_bytes + new_pin_bytes 73 74 ctap.send_apdu(ins=INS_FIPS_SET_PIN, data=data) 75 76 77def fips_verify_pin(fido_connection: FidoConnection, pin: str): 78 """Unlock the YubiKey FIPS U2F module for credential creation.""" 79 ctap = Ctap1(fido_connection) 80 ctap.send_apdu(ins=INS_FIPS_VERIFY_PIN, data=pin.encode()) 81 82 83def fips_reset(fido_connection: FidoConnection): 84 """Reset the FIDO module of a YubiKey FIPS. 85 86 Note: This action is only permitted immediately after YubiKey FIPS power-up. It 87 also requires the user to touch the flashing button on the YubiKey, and will halt 88 until that happens, or the command times out. 89 """ 90 ctap = Ctap1(fido_connection) 91 while True: 92 try: 93 ctap.send_apdu(ins=INS_FIPS_RESET) 94 return 95 except ApduError as e: 96 if e.code == SW.CONDITIONS_NOT_SATISFIED: 97 time.sleep(0.5) 98 else: 99 raise e 100