use crate::{
consts::{
TAG_ADMIN_FLAGS_1, TAG_ADMIN_SALT, TAG_ADMIN_TIMESTAMP, TAG_PROTECTED_FLAGS_1,
TAG_PROTECTED_MGM,
},
metadata::{AdminData, ProtectedData},
mgm::{MgmType, ADMIN_FLAGS_1_PROTECTED_MGM},
yubikey::{YubiKey, ADMIN_FLAGS_1_PUK_BLOCKED},
Result,
};
use log::error;
use std::time::{Duration, SystemTime, UNIX_EPOCH};
const CB_ADMIN_TIMESTAMP: usize = 0x04;
const PROTECTED_FLAGS_1_PUK_NOBLOCK: u8 = 0x01;
#[derive(Copy, Clone, Debug)]
pub struct Config {
pub protected_data_available: bool,
pub puk_blocked: bool,
pub puk_noblock_on_upgrade: bool,
pub pin_last_changed: Option<SystemTime>,
pub mgm_type: MgmType,
}
impl Default for Config {
fn default() -> Config {
Config {
protected_data_available: false,
puk_blocked: false,
puk_noblock_on_upgrade: false,
pin_last_changed: None,
mgm_type: MgmType::Manual,
}
}
}
impl Config {
pub(crate) fn get(yubikey: &mut YubiKey) -> Result<Config> {
let mut config = Self::default();
let txn = yubikey.begin_transaction()?;
if let Ok(admin_data) = AdminData::read(&txn) {
if let Ok(item) = admin_data.get_item(TAG_ADMIN_FLAGS_1) {
if item.is_empty() {
error!("empty response for admin flags metadata item! ignoring");
} else {
if item[0] & ADMIN_FLAGS_1_PUK_BLOCKED != 0 {
config.puk_blocked = true;
}
if item[0] & ADMIN_FLAGS_1_PROTECTED_MGM != 0 {
config.mgm_type = MgmType::Protected;
}
}
}
if admin_data.get_item(TAG_ADMIN_SALT).is_ok() {
if config.mgm_type != MgmType::Manual {
error!("conflicting types of MGM key administration configured");
} else {
config.mgm_type = MgmType::Derived;
}
}
if let Ok(item) = admin_data.get_item(TAG_ADMIN_TIMESTAMP) {
if item.len() != CB_ADMIN_TIMESTAMP {
error!("pin timestamp in admin metadata is an invalid size");
} else {
let pin_last_changed = u32::from_le_bytes(item.try_into().unwrap());
if pin_last_changed != 0 {
config.pin_last_changed =
Some(UNIX_EPOCH + Duration::from_secs(pin_last_changed as u64));
}
}
}
}
if let Ok(protected_data) = ProtectedData::read(&txn) {
config.protected_data_available = true;
if let Ok(item) = protected_data.get_item(TAG_PROTECTED_FLAGS_1) {
if item.is_empty() {
error!("empty response for protected flags metadata item! ignoring");
} else if item[0] & PROTECTED_FLAGS_1_PUK_NOBLOCK != 0 {
config.puk_noblock_on_upgrade = true;
}
}
if protected_data.get_item(TAG_PROTECTED_MGM).is_ok() {
if config.mgm_type != MgmType::Protected {
error!("conflicting MGM key types: protected MGM exists");
}
config.mgm_type = MgmType::Protected;
}
}
Ok(config)
}
}