
Conversation

@srfilipek
Contributor

Overview

This change allows users to use pivit while multiple YubiKeys are attached, or when they just want specificity when interacting with a YubiKey. This also tweaks the contributing guide make command.

Errors when:

  • no cards are found
  • multiple cards are found and the serial is not specified
  • one or more cards are found and the serial does not match any

Successfully returns a card when:

  • only one card is found and the serial is not specified
  • one or more cards are found and the serial matches

Note that this also applies if there are other potential PIV sources attached, such as a smart card reader.

Changes

  • Create a new YubikeyHandleWithSerial() function.
  • Make YubikeyHandle() call the new function with backward-compatible behavior.
  • Update runCommand() to read the serial from the environment and use the new function.
  • Tweak the contributing guide.

Testing

Behavior when one YubiKey is attached:

~ $ pivit
specify --help, --sign, --verify, --import, --generate, --reset or --print
~ $ PIVIT_YK_SERIAL= pivit
specify --help, --sign, --verify, --import, --generate, --reset or --print
~ $ PIVIT_YK_SERIAL=1234 pivit
failed to open yubikey: no smart card found with serial number 1234
~ $ PIVIT_YK_SERIAL=10180478 pivit
specify --help, --sign, --verify, --import, --generate, --reset or --print
~ $ PIVIT_YK_SERIAL=asdf pivit
failed to open yubikey: invalid serial number format: strconv.ParseUint: parsing "asdf": invalid syntax

No YubiKeys:

~ $ pivit
failed to open yubikey: no smart card found
~ $ PIVIT_YK_SERIAL=asdf pivit
failed to open yubikey: no smart card found

Multiple yubikeys:

~ $ pivit
failed to open yubikey: multiple smart cards found but no serial specified
~ $ PIVIT_YK_SERIAL=10180478 pivit --print
f605a5b5f56cf0d622334b8d84c2eebaf4ffe2a7
-----BEGIN CERTIFICATE-----
...
~ $ PIVIT_YK_SERIAL=13077792 pivit --print
b59aff995edf77effa418ecfae23efa1445791e1
-----BEGIN CERTIFICATE-----
...
~ $ PIVIT_YK_SERIAL=1234 pivit
failed to open yubikey: no smart card found with serial number 1234

Also tweak the contributing guide make command.

Yubikey discovery behavior below.

Errors when:
- no cards are found
- multiple cards are found and the serial is not specified
- one or more cards are found and the serial does not match any

Successfully returns a card when:
- only one card is found and the serial is not specified
- one or more cards are found and the serial matches

Note that this also applies if there are other potential PIV sources
attached, such as a smart card reader.
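
The selection rules listed in the PR description and commit message above, as an added Go example that is not the code from this pull request. The `card` type, `selectCard` and the reader names are hypothetical; the check order (empty inventory before serial parsing, empty `PIVIT_YK_SERIAL` treated as unspecified) is inferred from the testing output.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// card is a hypothetical stand-in for a discovered PIV device; it is not a pivit type.
type card struct {
	Reader string
	Serial uint32
}

var errNoCard = errors.New("no smart card found")
var errAmbiguous = errors.New("multiple smart cards found but no serial specified")

// selectCard applies the selection rules from the PR description.
// serialEnv is the raw PIVIT_YK_SERIAL value; "" means not specified.
func selectCard(cards []card, serialEnv string) (*card, error) {
	if len(cards) == 0 {
		return nil, errNoCard // checked first, so a bad serial is never parsed here
	}
	if serialEnv == "" {
		if len(cards) > 1 {
			return nil, errAmbiguous // refuse to guess which key to use
		}
		return &cards[0], nil
	}
	want, err := strconv.ParseUint(serialEnv, 10, 32)
	if err != nil {
		return nil, fmt.Errorf("invalid serial number format: %w", err)
	}
	for i := range cards {
		if uint64(cards[i].Serial) == want {
			return &cards[i], nil
		}
	}
	return nil, fmt.Errorf("no smart card found with serial number %d", want)
}

func main() {
	// Constructed inventory using the two serials shown in the testing output.
	cards := []card{{"reader-0", 10180478}, {"reader-1", 13077792}}
	for _, env := range []string{"", "13077792", "1234", "asdf"} {
		c, err := selectCard(cards, env)
		fmt.Printf("PIVIT_YK_SERIAL=%q -> %v, %v\n", env, c, err)
	}
}
```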
Collaborator

@yoavamit yoavamit left a comment


Simple and clean!

Please update the README as well

continue
}

// Get serial number
Collaborator


supernit: please remove these comments. This code is simple enough that it doesn't need them.
From a readability perspective - I think it only hurts.

return nil, fmt.Errorf("invalid serial number format: %v", err)
}

// Serial specified - try to find matching card
Collaborator


same

@srfilipek srfilipek requested a review from yoavamit April 17, 2025 17:27
Collaborator

@yoavamit yoavamit left a comment


Looks good!

@codecov

codecov bot commented Apr 17, 2025

Codecov Report

Attention: Patch coverage is 0% with 26 lines in your changes missing coverage. Please review.

Project coverage is 57.72%. Comparing base (a278606) to head (44c5e4a).
Report is 4 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| pkg/pivit/pivit.go | 0.00% | 26 Missing ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main      #61      +/-   ##
==========================================
- Coverage   59.15%   57.72%   -1.44%     
==========================================
  Files          10       10              
  Lines         928      951      +23     
==========================================
  Hits          549      549              
- Misses        312      335      +23     
  Partials       67       67              


@yoavamit yoavamit merged commit f769868 into cashapp:main Apr 17, 2025
4 of 6 checks passed
@srfilipek srfilipek deleted the sfilipek/yubikey-serial branch April 17, 2025 18:54