TAF's Yubikey PIV context manager (_yk_piv_ctrl) takes an optional pub_key_pem argument to identify a specific Yubikey. It does so by matching the passed key against the public keys on available devices.

If there is a match, the function unexpectedly raises RuntimeError("generator didn't yield"):

taf/taf/yubikey.py, lines 127 to 132 in a163ea2

Related issues and recommendations

get_serial_num, which seems to be the only caller that does pass a pub_key_pem, passes a legacy TUF key dictionary which can never match.

Matching PEMs without any canonicalisation is highly unreliable. I suggest at least re-serializing the passed public key with the same pyca/cryptography method as the public key on the Yubikey. Or, if you only ever support RSA, you could compare just the modulus and exponent.

Alternatively, you could consider actual authentication for matching, where the Yubikey is asked to sign some data, and the passed public key tries to verify it. The big downside is that the user will

_yk_piv_ctrl seems to have a few other code paths which do not yield, and this might raise an unexpected RuntimeError.
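The two recommendations above (canonicalise before comparing, and make the context manager either yield or raise on every path) as an added example that is not TAF's own code; it assumes only pyca/cryptography, simulates the device with a constructed key pair, and uses hypothetical names (`public_keys_match`, `select_device`):

```python
from contextlib import contextmanager
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa

PEM = serialization.Encoding.PEM
SPKI = serialization.PublicFormat.SubjectPublicKeyInfo
PKCS1 = serialization.PublicFormat.PKCS1


def canonical_der(pub_key) -> bytes:
    """Re-serialize a loaded key as DER SubjectPublicKeyInfo, so textual
    PEM differences (PKCS#1 vs SPKI header, whitespace) cannot matter."""
    return pub_key.public_bytes(serialization.Encoding.DER, SPKI)


def public_keys_match(pem_a, pem_b) -> bool:
    """True iff both PEMs encode the same public key. A non-bytes value
    (e.g. a legacy TUF key dict) is rejected rather than silently failing."""
    if not isinstance(pem_a, bytes) or not isinstance(pem_b, bytes):
        raise TypeError("public keys must be PEM bytes")
    key_a = serialization.load_pem_public_key(pem_a)
    key_b = serialization.load_pem_public_key(pem_b)
    return canonical_der(key_a) == canonical_der(key_b)


# Constructed stand-in for the key held in a YubiKey PIV slot (assumption:
# one simulated device; real code would enumerate connected devices).
_DEVICE_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
DEVICE_PUBKEY = _DEVICE_KEY.public_key()


def device_pem(fmt=SPKI) -> bytes:
    """The simulated device's public key in the requested PEM format."""
    return DEVICE_PUBKEY.public_bytes(PEM, fmt)


def other_key_pem() -> bytes:
    """A freshly generated, unrelated public key (constructed for tests)."""
    return rsa.generate_private_key(65537, 2048).public_key().public_bytes(PEM, SPKI)


@contextmanager
def select_device(pub_key_pem=None):
    """Yield the matching device, or raise *before* yielding. A path that
    neither yields nor raises is what produces "generator didn't yield"."""
    if pub_key_pem is not None and not public_keys_match(pub_key_pem, device_pem()):
        raise LookupError("no connected YubiKey holds the requested public key")
    yield DEVICE_PUBKEY


def try_select(pub_key_pem) -> bool:
    """True if a device matched, False if the lookup raised LookupError."""
    try:
        with select_device(pub_key_pem):
            return True
    except LookupError:
        return False
```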