Merge pull request #37 from cashapp/add-cached-touch-policy-option

Added "cached" option when setting the touch policy
cashapp · Dec 20, 2023 · 3a5d2c9 · 3a5d2c9
2 parents b49876c + e6689b6
commit 3a5d2c9
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -53,10 +53,10 @@ This option is useful if you don't need the generated key to be a part of an exi
 you can still verify the key's certificate using Yubico's certificate [here](https://developers.yubico.com/PIV/Introduction/PIV_attestation.html).
 
 The `--pin-policy` flag controls when to prompt for a PIN when accessing the generated key.  
-Set to one of `"never"`, `"once"`, or `"always"` (default is `"never"`).
+Set to one of `never`, `once`, or `always` (default is `never`).
 
 The `--touch-policy` flag controls when to prompt to physically touch the hardware when accessing the generated key.  
-Set to one of `"never"` or `"always"` (default is `"always"`).
+Set to one of `never`, `cached`, or `always` (default is `always`).
 
 Output for the command will look like:
 

diff --git a/cmd/pivit/generate.go b/cmd/pivit/generate.go
@@ -92,7 +92,7 @@ func commandGenerate(slot string, isP256, selfSign, generateCsr, assumeYes bool,
 		return errors.Wrap(err, "verify device certificate")
 	}
 	if selfSign {
-		if touchPolicy == piv.TouchPolicyAlways {
+		if touchPolicy != piv.TouchPolicyNever {
 			fmt.Println("Touch Yubikey now to sign your key...")
 		}
 
@@ -112,7 +112,7 @@ func commandGenerate(slot string, isP256, selfSign, generateCsr, assumeYes bool,
 			return errors.Wrap(err, "import self-signed certificate")
 		}
 	} else if generateCsr {
-		if touchPolicy == piv.TouchPolicyAlways {
+		if touchPolicy != piv.TouchPolicyNever {
 			fmt.Println("Touch Yubikey now to sign your CSR...")
 		}
 

diff --git a/cmd/pivit/main.go b/cmd/pivit/main.go
@@ -38,7 +38,7 @@ func runCommand() error {
 	noCsrFlag := getopt.BoolLong("no-csr", 0, "don't create and print a certificate signing request when generating a key pair")
 	assumeYesFlag := getopt.BoolLong("assume-yes", 0, "assume yes to any y/n prompts, for scripting")
 	pinPolicyFlag := getopt.EnumLong("pin-policy", 0, []string{"always", "once", "never"}, "never", "set the PIN policy of the generated key (never, once, or always)", "policy")
-	touchPolicyFlag := getopt.EnumLong("touch-policy", 0, []string{"always", "never"}, "always", "set the touch policy of the generated key (never or always)", "policy")
+	touchPolicyFlag := getopt.EnumLong("touch-policy", 0, []string{"always", "cached", "never"}, "always", "set the touch policy of the generated key (never, cached, or always)", "policy")
 
 	getopt.HelpColumn = 40
 	getopt.SetParameters("[files]")
@@ -114,13 +114,15 @@ func runCommand() error {
 		switch *touchPolicyFlag {
 		case "never":
 			touchPolicy = piv.TouchPolicyNever
+		case "cached":
+			touchPolicy = piv.TouchPolicyCached
 		case "always":
 			touchPolicy = piv.TouchPolicyAlways
 		}
-
 		if pinPolicy == piv.PINPolicyNever && touchPolicy == piv.TouchPolicyNever {
 			return errors.New("can't set both PIN and touch policies to \"never\"")
 		}
+
 		return commandGenerate(*slot, isP256, *selfSignFlag, generateCsr, *assumeYesFlag, pinPolicy, touchPolicy)
 	}