Merge branch 'jens/piv-move-delete-key'

Yubico · Jun 19, 2024 · 5cbb858 · 5cbb858
2 parents e79e143 + b6c5b90
commit 5cbb858
Show file tree

Hide file tree

Showing 12 changed files with 360 additions and 106 deletions.
diff --git a/YubiKit/YubiKit.xcodeproj/project.pbxproj b/YubiKit/YubiKit.xcodeproj/project.pbxproj
@@ -226,6 +226,7 @@
 		B4C9BBCC2A05547400FFDFD6 /* NSData+GZIP.m in Sources */ = {isa = PBXBuildFile; fileRef = B4C9BBC92A05547400FFDFD6 /* NSData+GZIP.m */; };
 		B4CFA9BE28AA4D0B0080813A /* YKFSmartCardConnection.m in Sources */ = {isa = PBXBuildFile; fileRef = B4CFA9BD28AA4D0B0080813A /* YKFSmartCardConnection.m */; };
 		B4CFA9C428ABB9BB0080813A /* YKFSmartCardConnectionController.m in Sources */ = {isa = PBXBuildFile; fileRef = B4CFA9C328ABB9BB0080813A /* YKFSmartCardConnectionController.m */; };
+		B4E1C3632C12F1140011F0F6 /* YKFPIVSlotMetadata.m in Sources */ = {isa = PBXBuildFile; fileRef = B4E1C3622C12F1140011F0F6 /* YKFPIVSlotMetadata.m */; };
 /* End PBXBuildFile section */
 
 /* Begin PBXContainerItemProxy section */
@@ -641,6 +642,9 @@
 		B4CFA9BF28AA95B70080813A /* YKFSmartCardConnection+Private.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "YKFSmartCardConnection+Private.h"; sourceTree = "<group>"; };
 		B4CFA9C228ABB9920080813A /* YKFSmartCardConnectionController.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = YKFSmartCardConnectionController.h; sourceTree = "<group>"; };
 		B4CFA9C328ABB9BB0080813A /* YKFSmartCardConnectionController.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = YKFSmartCardConnectionController.m; sourceTree = "<group>"; };
+		B4E1C3602C12EB110011F0F6 /* YKFPIVSlotMetadata.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = YKFPIVSlotMetadata.h; sourceTree = "<group>"; };
+		B4E1C3612C12ED710011F0F6 /* YKFPIVSlotMetadata+Private.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "YKFPIVSlotMetadata+Private.h"; sourceTree = "<group>"; };
+		B4E1C3622C12F1140011F0F6 /* YKFPIVSlotMetadata.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = YKFPIVSlotMetadata.m; sourceTree = "<group>"; };
 /* End PBXFileReference section */
 
 /* Begin PBXFrameworksBuildPhase section */
@@ -685,6 +689,9 @@
 				51ACC32825DC01DA0069214B /* YKFPIVSessionFeatures.m */,
 				51ACC34125E553910069214B /* YKFPIVManagementKeyType.h */,
 				51ACC33B25E553580069214B /* YKFPIVManagementKeyType.m */,
+				B4E1C3602C12EB110011F0F6 /* YKFPIVSlotMetadata.h */,
+				B4E1C3612C12ED710011F0F6 /* YKFPIVSlotMetadata+Private.h */,
+				B4E1C3622C12F1140011F0F6 /* YKFPIVSlotMetadata.m */,
 				5110D67425F8FD1500467680 /* YKFPIVManagementKeyMetadata.h */,
 				5110D68125F8FED500467680 /* YKFPIVManagementKeyMetadata+Private.h */,
 				5110D67525F8FD2F00467680 /* YKFPIVManagementKeyMetadata.m */,
@@ -1558,6 +1565,7 @@
 				5110D6992600D9C800467680 /* YKFPIVPadding.m in Sources */,
 				95B58B8B229C03AE00199F8E /* YKFAccessoryConnection+Debugging.m in Sources */,
 				95B0CAAD21EF53E1009C6A34 /* YKFFIDO2Error.m in Sources */,
+				B4E1C3632C12F1140011F0F6 /* YKFPIVSlotMetadata.m in Sources */,
 				95DD40A72099A8A400363FEE /* YKFAccessoryConnection.m in Sources */,
 				95DD409D2099A89600363FEE /* YKFU2FRegisterResponse.m in Sources */,
 				B4CFA9BE28AA4D0B0080813A /* YKFSmartCardConnection.m in Sources */,

diff --git a/YubiKit/YubiKit/Connections/Shared/Errors/YKFPIVError.h b/YubiKit/YubiKit/Connections/Shared/Errors/YKFPIVError.h
@@ -14,14 +14,6 @@
 
 #import "YKFSessionError.h"
 
-typedef NS_ENUM(NSUInteger, YKFPIVErrorCode) {
-
-    /*! Unexpected reply from the YubiKey.
-     */
-    YKFPIVErrorCodeBadResponse = 0x01,
-    YKFPIVErrorCodeBadKeyLength = 0x02
-};
-
 
 NS_ASSUME_NONNULL_BEGIN
 /*!

diff --git a/YubiKit/YubiKit/Connections/Shared/Errors/YKFPIVError.m b/YubiKit/YubiKit/Connections/Shared/Errors/YKFPIVError.m
@@ -13,14 +13,15 @@
 // limitations under the License.
 
 #import "YKFPIVError.h"
+#import "YKFPIVSession.h"
 #import "YKFSessionError+Private.h"
 
 @implementation YKFPIVError
 
 + (instancetype)errorWithCode:(NSUInteger)code {
     NSString *message;
     switch (code) {
-        case YKFPIVErrorCodeBadResponse:
+        case YKFPIVErrorCodeInvalidResponse:
             message = @"Bad response";
             break;
         default:
@@ -31,7 +32,7 @@ + (instancetype)errorWithCode:(NSUInteger)code {
 }
 
 + (instancetype)errorUnpackingTLVExpected:(NSUInteger)expected got:(NSUInteger)got {
-    return [[self alloc] initWithCode:YKFPIVErrorCodeBadResponse message:[[NSString alloc] initWithFormat:@"Exptected tag: %02lx, got %02lx", (unsigned long)expected, (unsigned long)got]];
+    return [[self alloc] initWithCode:YKFPIVErrorCodeInvalidResponse message:[[NSString alloc] initWithFormat:@"Exptected tag: %02lx, got %02lx", (unsigned long)expected, (unsigned long)got]];
 }
 
 @end
diff --git a/YubiKit/YubiKit/Connections/Shared/Sessions/PIV/YKFPIVSession.h b/YubiKit/YubiKit/Connections/Shared/Sessions/PIV/YKFPIVSession.h
@@ -48,18 +48,19 @@ typedef NS_ENUM(NSUInteger, YKFPIVSlot) {
 extern NSString* _Nonnull const YKFPIVFErrorDomain;
 
 /// PIV error codes.
-typedef NS_ENUM(NSUInteger, YKFPIVFErrorCode) {
-    YKFPIVFErrorCodeInvalidCipherTextLength = 1,
-    YKFPIVFErrorCodeUnsupportedOperation = 2,
-    YKFPIVFErrorCodeDataParseError = 3,
-    YKFPIVFErrorCodeUnknownKeyType = 4,
-    YKFPIVFErrorCodeInvalidPin = 5,
-    YKFPIVFErrorCodePinLocked = 6,
-    YKFPIVFErrorCodeInvalidResponse = 7,
-    YKFPIVFErrorCodeAuthenticationFailed = 8
+typedef NS_ENUM(NSUInteger, YKFPIVErrorCode) {
+    YKFPIVErrorCodeInvalidCipherTextLength = 1,
+    YKFPIVErrorCodeUnsupportedOperation = 2,
+    YKFPIVErrorCodeDataParseError = 3,
+    YKFPIVErrorCodeUnknownKeyType = 4,
+    YKFPIVErrorCodeInvalidPin = 5,
+    YKFPIVErrorCodePinLocked = 6,
+    YKFPIVErrorCodeInvalidResponse = 7,
+    YKFPIVErrorCodeAuthenticationFailed = 8,
+    YKFPIVErrorCodeIllegalArgument = 9
 };
 
-@class YKFPIVSessionFeatures, YKFPIVManagementKeyType, YKFPIVManagementKeyMetadata;
+@class YKFPIVSessionFeatures, YKFPIVManagementKeyType, YKFPIVManagementKeyMetadata, YKFPIVSlotMetadata;
 
 NS_ASSUME_NONNULL_BEGIN
 
@@ -140,6 +141,10 @@ typedef void (^YKFPIVSessionPinPukMetadataCompletionBlock)
 typedef void (^YKFPIVSessionPinAttemptsCompletionBlock)
     (int retriesRemaining, NSError* _Nullable error);
 
+
+typedef void (^YKFPIVSessionSlotMetadataCompletionBlock)
+    (YKFPIVSlotMetadata* _Nullable metaData, NSError* _Nullable error);
+
 /// @abstract Response block for [getManagementKeyMetadata:completion:] which provides the management key metadata or an error.
 /// @param metaData The management key metadata.
 /// @param error An error object that indicates why the request failed, or nil if the request was successful.
@@ -262,6 +267,20 @@ typedef void (^YKFPIVSessionManagementKeyMetadataCompletionBlock)
 - (void)putKey:(SecKeyRef)key inSlot:(YKFPIVSlot)slot completion:(nonnull YKFPIVSessionPutKeyCompletionBlock)completion
         NS_SWIFT_NAME(putKey(_:inSlot:completion:));
 
+/// @abstract Move key from one slot to another. The source slot must not be the attestation slot and the
+///           destination slot must be empty. This method requires authentication with the management key.
+/// @discussion This method requires authentication.
+/// @param sourceSlot Slot to move the key from.
+/// @param destinationSlot Slot to move the key to.
+/// @param completion The completion handler that gets called once the YubiKey has finished processing the
+///                   request. This handler is executed on a background queue.
+- (void)moveKey:(YKFPIVSlot)sourceSlot destinationSlot:(YKFPIVSlot)destinationSlot completion:(nonnull YKFPIVSessionGenericCompletionBlock)completion;
+
+/// @abstract Delete key from slot. This method requires authentication with the management key.
+///
+/// @param slot Slot to delete the key from.
+- (void)deleteKeyInSlot:(YKFPIVSlot)slot completion:(nonnull YKFPIVSessionGenericCompletionBlock)completion;
+
 /// @abstract Writes an X.509 certificate to a slot on the YubiKey.
 /// @discussion This method requires authentication.
 /// @param certificate Certificate to write.
@@ -374,6 +393,14 @@ typedef void (^YKFPIVSessionManagementKeyMetadataCompletionBlock)
 /// @note: This method is thread safe and can be invoked from any thread (main or a background thread).
 - (void)getSerialNumberWithCompletion:(nonnull YKFPIVSessionSerialNumberCompletionBlock)completion;
 
+/// @abstract Reads metadata about the private key stored in a slot.
+/// @param slot The slot to read metadata about.
+/// @param completion The completion handler that gets called once the YubiKey has finished processing the request.
+///                   This handler is executed on a background queue.
+/// @note This functionality requires support for feature metadata, available on YubiKey 5.3 or later.
+/// @note: This method is thread safe and can be invoked from any thread (main or a background thread).
+- (void)getMetadataForSlot:(YKFPIVSlot)slot completion:(nonnull YKFPIVSessionSlotMetadataCompletionBlock)completion;
+
 /// @abstract Reads metadata about the card management key.
 /// @param completion The completion handler that gets called once the YubiKey has finished processing the request.
 ///                   This handler is executed on a background queue.