From 28bb133aaf577212d5fa224cc8ccdf017da9bb70 Mon Sep 17 00:00:00 2001
From: Quantu <673216+Quantu@users.noreply.github.com>
Date: Tue, 9 Jul 2024 15:44:09 -0400
Subject: [PATCH] Add validation and error handling of invalid management key
 lengths in ykAuthenticate

---
 v2/piv/piv.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/v2/piv/piv.go b/v2/piv/piv.go
index c5b46f1..f0ad16e 100644
--- a/v2/piv/piv.go
+++ b/v2/piv/piv.go
@@ -369,6 +369,13 @@ var (
 	aidYubiKey    = [...]byte{0xa0, 0x00, 0x00, 0x05, 0x27, 0x20, 0x01, 0x01}
 )
 
+var managementKeyLengthMap = map[byte]int{
+	alg3DES:   24,
+	algAES128: 16,
+	algAES192: 24,
+	algAES256: 32,
+}
+
 func ykAuthenticate(tx *scTx, key []byte, rand io.Reader, version *version) error {
 	// https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf#page=92
 	// https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=918402#page=114
@@ -398,6 +405,9 @@ func ykAuthenticate(tx *scTx, key []byte, rand io.Reader, version *version) erro
 		managementKeyType = alg3DES
 		challengeLength = 8
 	}
+	if len(key) != managementKeyLengthMap[managementKeyType] {
+		return fmt.Errorf("invalid management key length: %d bytes (expected %d)", len(key), managementKeyLengthMap[managementKeyType])
+	}
 
 	// request a witness
 	cmd := apdu{