Add validation and error handling of invalid management key lengths i…

…n ykAuthenticate
go-piv · Jul 9, 2024 · 28bb133 · 28bb133
1 parent 01ed07b
commit 28bb133
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/v2/piv/piv.go b/v2/piv/piv.go
@@ -369,6 +369,13 @@ var (
 	aidYubiKey    = [...]byte{0xa0, 0x00, 0x00, 0x05, 0x27, 0x20, 0x01, 0x01}
 )
 
+var managementKeyLengthMap = map[byte]int{
+	alg3DES:   24,
+	algAES128: 16,
+	algAES192: 24,
+	algAES256: 32,
+}
+
 func ykAuthenticate(tx *scTx, key []byte, rand io.Reader, version *version) error {
 	// https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf#page=92
 	// https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=918402#page=114
@@ -398,6 +405,9 @@ func ykAuthenticate(tx *scTx, key []byte, rand io.Reader, version *version) erro
 		managementKeyType = alg3DES
 		challengeLength = 8
 	}
+	if len(key) != managementKeyLengthMap[managementKeyType] {
+		return fmt.Errorf("invalid management key length: %d bytes (expected %d)", len(key), managementKeyLengthMap[managementKeyType])
+	}
 
 	// request a witness
 	cmd := apdu{