From 2444fda8b140ffd99c511ca682f20d926acdda3c Mon Sep 17 00:00:00 2001
From: Herman Slatman <hermanslatman@hotmail.com>
Date: Thu, 3 Oct 2024 14:38:39 +0200
Subject: [PATCH] Upgrade to `go-piv` @ `v2.2.0`

---
 go.mod                        |  1 +
 go.sum                        |  2 ++
 kms/yubikey/yubikey.go        |  9 +++++----
 kms/yubikey/yubikey_no_cgo.go |  1 +
 kms/yubikey/yubikey_test.go   | 33 +++++++++++++++++----------------
 5 files changed, 26 insertions(+), 20 deletions(-)

diff --git a/go.mod b/go.mod
index 6e868127..573fba74 100644
--- a/go.mod
+++ b/go.mod
@@ -13,6 +13,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/config v1.27.39
 	github.com/aws/aws-sdk-go-v2/service/kms v1.36.3
 	github.com/go-jose/go-jose/v3 v3.0.3
+	github.com/go-piv/piv-go/v2 v2.2.0
 	github.com/golang/mock v1.6.0
 	github.com/google/go-tpm v0.9.1
 	github.com/google/go-tpm-tools v0.4.4
diff --git a/go.sum b/go.sum
index 738f56b1..c546f80d 100644
--- a/go.sum
+++ b/go.sum
@@ -303,6 +303,8 @@ github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/go-piv/piv-go/v2 v2.2.0 h1:kOcyd7+JiKLF1BtGUO6vg7XlDJLhchinoMuksOpWBEI=
+github.com/go-piv/piv-go/v2 v2.2.0/go.mod h1:ShZi74nnrWNQEdWzRUd/3cSig3uNOcEZp+EWl0oewnI=
 github.com/go-playground/locales v0.12.1/go.mod h1:IUMDtCfWo/w/mtMfIE/IG2K+Ey3ygWanZIBtBW0W2TM=
 github.com/go-playground/universal-translator v0.16.0/go.mod h1:1AnU7NaIRDWWzGEKwgtJRd2xk99HeFyHw3yid4rvQIY=
 github.com/go-redis/redis v6.15.9+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA=
diff --git a/kms/yubikey/yubikey.go b/kms/yubikey/yubikey.go
index 5cb8db55..3ed44bec 100644
--- a/kms/yubikey/yubikey.go
+++ b/kms/yubikey/yubikey.go
@@ -16,8 +16,9 @@ import (
 	"strings"
 	"sync"
 
-	"github.com/go-piv/piv-go/piv"
+	"github.com/go-piv/piv-go/v2/piv"
 	"github.com/pkg/errors"
+
 	"go.step.sm/crypto/kms/apiv1"
 	"go.step.sm/crypto/kms/uri"
 )
@@ -34,13 +35,13 @@ type YubiKey struct {
 	yk            pivKey
 	pin           string
 	card          string
-	managementKey [24]byte
+	managementKey []byte
 }
 
 type pivKey interface {
 	Certificate(slot piv.Slot) (*x509.Certificate, error)
-	SetCertificate(key [24]byte, slot piv.Slot, cert *x509.Certificate) error
-	GenerateKey(key [24]byte, slot piv.Slot, opts piv.Key) (crypto.PublicKey, error)
+	SetCertificate(key []byte, slot piv.Slot, cert *x509.Certificate) error
+	GenerateKey(key []byte, slot piv.Slot, opts piv.Key) (crypto.PublicKey, error)
 	PrivateKey(slot piv.Slot, public crypto.PublicKey, auth piv.KeyAuth) (crypto.PrivateKey, error)
 	Attest(slot piv.Slot) (*x509.Certificate, error)
 	Serial() (uint32, error)
diff --git a/kms/yubikey/yubikey_no_cgo.go b/kms/yubikey/yubikey_no_cgo.go
index d6bebdb6..a93fd664 100644
--- a/kms/yubikey/yubikey_no_cgo.go
+++ b/kms/yubikey/yubikey_no_cgo.go
@@ -9,6 +9,7 @@ import (
 	"path/filepath"
 
 	"github.com/pkg/errors"
+
 	"go.step.sm/crypto/kms/apiv1"
 )
 
diff --git a/kms/yubikey/yubikey_test.go b/kms/yubikey/yubikey_test.go
index 8052f87b..5d20ffec 100644
--- a/kms/yubikey/yubikey_test.go
+++ b/kms/yubikey/yubikey_test.go
@@ -21,9 +21,10 @@ import (
 	"sync"
 	"testing"
 
-	"github.com/go-piv/piv-go/piv"
+	"github.com/go-piv/piv-go/v2/piv"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+
 	"go.step.sm/crypto/kms/apiv1"
 	"go.step.sm/crypto/minica"
 )
@@ -147,7 +148,7 @@ func (s *stubPivKey) Certificate(slot piv.Slot) (*x509.Certificate, error) {
 	return cert, nil
 }
 
-func (s *stubPivKey) SetCertificate(key [24]byte, slot piv.Slot, cert *x509.Certificate) error {
+func (s *stubPivKey) SetCertificate(key []byte, slot piv.Slot, cert *x509.Certificate) error {
 	if !bytes.Equal(piv.DefaultManagementKey[:], key[:]) {
 		return errors.New("missing or invalid management key")
 	}
@@ -155,7 +156,7 @@ func (s *stubPivKey) SetCertificate(key [24]byte, slot piv.Slot, cert *x509.Cert
 	return nil
 }
 
-func (s *stubPivKey) GenerateKey(key [24]byte, slot piv.Slot, opts piv.Key) (crypto.PublicKey, error) {
+func (s *stubPivKey) GenerateKey(key []byte, slot piv.Slot, opts piv.Key) (crypto.PublicKey, error) {
 	if !bytes.Equal(piv.DefaultManagementKey[:], key[:]) {
 		return nil, errors.New("missing or invalid management key")
 	}
@@ -306,7 +307,7 @@ func TestNew(t *testing.T) {
 			pivMap = sync.Map{}
 			pivCards = okMultiplePivCards
 			pivOpen = okPivOpen
-		}, &YubiKey{yk: yk, pin: "111111", card: "Yubico YubiKey OTP+FIDO+CCID", managementKey: [24]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0x11, 0x22, 0x33}}, false},
+		}, &YubiKey{yk: yk, pin: "111111", card: "Yubico YubiKey OTP+FIDO+CCID", managementKey: []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0x11, 0x22, 0x33}}, false},
 		{"ok with uri and serial", args{ctx, apiv1.Options{
 			URI: "yubikey:serial=112233?pin-value=123456",
 		}}, func() {
@@ -329,7 +330,7 @@ func TestNew(t *testing.T) {
 			pivMap = sync.Map{}
 			pivCards = okPivCards
 			pivOpen = okPivOpen
-		}, &YubiKey{yk: yk, pin: "123456", card: "Yubico YubiKey OTP+FIDO+CCID", managementKey: [24]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0x11, 0x22, 0x33}}, false},
+		}, &YubiKey{yk: yk, pin: "123456", card: "Yubico YubiKey OTP+FIDO+CCID", managementKey: []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0x11, 0x22, 0x33}}, false},
 		{"fail uri", args{ctx, apiv1.Options{URI: "badschema:"}}, func() {
 			pivMap = sync.Map{}
 			pivCards = okPivCards
@@ -390,7 +391,7 @@ func TestYubiKey_LoadCertificate(t *testing.T) {
 	type fields struct {
 		yk            pivKey
 		pin           string
-		managementKey [24]byte
+		managementKey []byte
 	}
 	type args struct {
 		req *apiv1.LoadCertificateRequest
@@ -450,7 +451,7 @@ func TestYubiKey_StoreCertificate(t *testing.T) {
 	type fields struct {
 		yk            pivKey
 		pin           string
-		managementKey [24]byte
+		managementKey []byte
 	}
 	type args struct {
 		req *apiv1.StoreCertificateRequest
@@ -472,7 +473,7 @@ func TestYubiKey_StoreCertificate(t *testing.T) {
 			Name:        "slot-id=9c",
 			Certificate: cert,
 		}}, true},
-		{"fail setCertificate", fields{yk, "123456", [24]byte{}}, args{&apiv1.StoreCertificateRequest{
+		{"fail setCertificate", fields{yk, "123456", []byte{}}, args{&apiv1.StoreCertificateRequest{
 			Name:        "yubikey:slot-id=9c",
 			Certificate: cert,
 		}}, true},
@@ -497,7 +498,7 @@ func TestYubiKey_GetPublicKey(t *testing.T) {
 	type fields struct {
 		yk            pivKey
 		pin           string
-		managementKey [24]byte
+		managementKey []byte
 	}
 	type args struct {
 		req *apiv1.GetPublicKeyRequest
@@ -544,7 +545,7 @@ func TestYubiKey_CreateKey(t *testing.T) {
 	type fields struct {
 		yk            pivKey
 		pin           string
-		managementKey [24]byte
+		managementKey []byte
 	}
 	type args struct {
 		req *apiv1.CreateKeyRequest
@@ -680,7 +681,7 @@ func TestYubiKey_CreateKey(t *testing.T) {
 			Name:               "yubikey:foo=82",
 			SignatureAlgorithm: apiv1.ECDSAWithSHA256,
 		}}, func() *apiv1.CreateKeyResponse { return nil }, true},
-		{"fail generateKey", fields{yk, "123456", [24]byte{}}, args{&apiv1.CreateKeyRequest{
+		{"fail generateKey", fields{yk, "123456", []byte{}}, args{&apiv1.CreateKeyRequest{
 			Name:               "yubikey:slot-id=82",
 			SignatureAlgorithm: apiv1.ECDSAWithSHA256,
 		}}, func() *apiv1.CreateKeyResponse { return nil }, true},
@@ -711,7 +712,7 @@ func TestYubiKey_CreateKey_policies(t *testing.T) {
 	type fields struct {
 		yk            pivKey
 		pin           string
-		managementKey [24]byte
+		managementKey []byte
 	}
 	type args struct {
 		req *apiv1.CreateKeyRequest
@@ -867,7 +868,7 @@ func TestYubiKey_CreateSigner(t *testing.T) {
 	type fields struct {
 		yk            pivKey
 		pin           string
-		managementKey [24]byte
+		managementKey []byte
 	}
 	type args struct {
 		req *apiv1.CreateSignerRequest
@@ -929,7 +930,7 @@ func TestYubiKey_CreateDecrypter(t *testing.T) {
 	type fields struct {
 		yk            pivKey
 		pin           string
-		managementKey [24]byte
+		managementKey []byte
 	}
 	type args struct {
 		req *apiv1.CreateDecrypterRequest
@@ -991,7 +992,7 @@ func TestYubiKey_CreateAttestation(t *testing.T) {
 	type fields struct {
 		yk            pivKey
 		pin           string
-		managementKey [24]byte
+		managementKey []byte
 	}
 	type args struct {
 		req *apiv1.CreateAttestationRequest
@@ -1079,7 +1080,7 @@ func TestYubiKey_Close(t *testing.T) {
 	type fields struct {
 		yk            pivKey
 		pin           string
-		managementKey [24]byte
+		managementKey []byte
 	}
 	tests := []struct {
 		name    string