refactor: reuse logic for GetMetadata (PivSession)

Author: DennisDyallo

Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Crypto.cs

@@ -266,7 +266,7 @@ public byte[] Decrypt(byte slotNumber, ReadOnlyMemory<byte> dataToDecrypt)
                     CultureInfo.CurrentCulture,
                     ExceptionMessages.IncorrectCiphertextLength));
         }
-        
+
         [Obsolete("Usage of PivEccPublic/PivEccPrivateKey is deprecated. Use IPublicKey, IPrivateKey instead", false)]
         public byte[] KeyAgree(byte slotNumber, PivPublicKey correspondentPublicKey)
         {
@@ -287,7 +287,8 @@ public byte[] KeyAgree(byte slotNumber, PivPublicKey correspondentPublicKey)
 
             // This will verify the slot number and dataToSign length. If one or
             // both are incorrect, the call will throw an exception.
-            var keyAgreeCommand = new AuthenticateKeyAgreeCommand(publicPoint, slotNumber, correspondentPublicKey.Algorithm);
+            var keyAgreeCommand = new AuthenticateKeyAgreeCommand(
+                publicPoint, slotNumber, correspondentPublicKey.Algorithm);
 
             return PerformPrivateKeyOperation(
                 slotNumber,
@@ -297,7 +298,7 @@ public byte[] KeyAgree(byte slotNumber, PivPublicKey correspondentPublicKey)
                     CultureInfo.CurrentCulture,
                     ExceptionMessages.IncorrectEccKeyLength));
         }
-        
+
         /// <summary>
         /// Perform Phase 2 of EC Diffie-Hellman Key Agreement using the private
         /// key in the given slot, and the corresponding party's public key.
@@ -398,9 +399,9 @@ public byte[] KeyAgree(byte slotNumber, IPublicKey correspondentPublicKey)
                         CultureInfo.CurrentCulture,
                         ExceptionMessages.InvalidPublicKeyData))
             };
-            
+
             var keyAgreeCommand = new AuthenticateKeyAgreeCommand(
-                publicPoint, slotNumber, 
+                publicPoint, slotNumber,
                 correspondentPublicKey.KeyType.GetPivAlgorithm());
 
             return PerformPrivateKeyOperation(
@@ -430,16 +431,9 @@ private byte[] PerformPrivateKeyOperation(
             // to verify the PIN again.
             // If the PIN policy is Always, we need to verify the PIN.
 
-            // Metadata will give us our answer, but that feature is
-            // available only on YubiKeys beginning with version 5.3.
-            if (YubiKey.HasFeature(YubiKeyFeature.PivMetadata))
+            var metadata = GetMetadataInternal(slotNumber);
+            if (metadata is not null)
             {
-                var metadataCommand = new GetMetadataCommand(slotNumber);
-                var metadataResponse = Connection.SendCommand(metadataCommand);
-
-                // If there is no key in the slot, this will throw an exception.
-                var metadata = metadataResponse.GetData();
-
                 // We know the algorithm based on the input data. Is it the
                 // algorithm of the key in the slot?
                 // We can make this check with metadata. Without metadata there's
@@ -514,14 +508,10 @@ private byte[] PerformPrivateKeyOperation(
 
         private AuthenticateSignCommand BuildSignCommand(byte slotNumber, ReadOnlyMemory<byte> dataToSign)
         {
-            if (!YubiKey.HasFeature(YubiKeyFeature.PivMetadata))
-            {
-                return new AuthenticateSignCommand(dataToSign, slotNumber);
-            }
-
-            var slotMetadata = GetMetadata(slotNumber);
-            var algorithm = slotMetadata.Algorithm;
-            return new AuthenticateSignCommand(dataToSign, slotNumber, algorithm);
+            var slotMetadata = GetMetadataInternal(slotNumber);
+            return slotMetadata is null 
+                ? new AuthenticateSignCommand(dataToSign, slotNumber) 
+                : new AuthenticateSignCommand(dataToSign, slotNumber, slotMetadata.Algorithm);
         }
     }
 }

Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.ManagementKey.cs

@@ -1013,7 +1013,7 @@ private bool TryAuthenticateManagementKey(
                 }
 
                 ManagementKeyAuthenticated = true;
-                return true; 
+                return true;
             }
 
             Logger.LogInformation($"Failed to authenticate management key. Message: {completeResponse.StatusMessage}");
@@ -1023,24 +1023,8 @@ private bool TryAuthenticateManagementKey(
 
         private void RefreshManagementKeyAlgorithm() => ManagementKeyAlgorithm = GetManagementKeyAlgorithm();
 
-        private PivAlgorithm GetManagementKeyAlgorithm()
-        {
-            if (!YubiKey.HasFeature(YubiKeyFeature.PivMetadata))
-            {
-                // Assume default for version
-                return DefaultManagementKeyAlgorithm;
-            }
-
-            // Get current ManagementKeyAlgorithm from Yubikey metadata
-            var response = Connection.SendCommand(new GetMetadataCommand(PivSlot.Management));
-            if (response.Status != ResponseStatus.Success)
-            {
-                throw new InvalidOperationException(response.StatusMessage);
-            }
-
-            var metadata = response.GetData();
-            return metadata.Algorithm;
-        }
+        private PivAlgorithm GetManagementKeyAlgorithm() =>
+            GetMetadataInternal(PivSlot.Management)?.Algorithm ?? DefaultManagementKeyAlgorithm;
 
         // Verify that and that the given algorithm is allowed.
         // If checkMode is true, also check that the PIN-only mode is None.
@@ -1077,15 +1061,16 @@ private void CheckManagementKeyAlgorithm(PivAlgorithm algorithm, bool checkMode)
                         ExceptionMessages.UnsupportedAlgorithm));
             }
         }
-        
+
         private bool IsValidManagementKeyAlgorithm(PivAlgorithm pivAlgorithm) =>
             pivAlgorithm switch
             {
                 PivAlgorithm.TripleDes => true, // Default for keys below fw version 5.7
-                PivAlgorithm.Aes128 or PivAlgorithm.Aes192 or PivAlgorithm.Aes256 => YubiKey.HasFeature(YubiKeyFeature.PivAesManagementKey),
+                PivAlgorithm.Aes128 or PivAlgorithm.Aes192 or PivAlgorithm.Aes256 => YubiKey.HasFeature(
+                    YubiKeyFeature.PivAesManagementKey),
                 _ => false
             };
-        
+
         private PivAlgorithm DefaultManagementKeyAlgorithm =>
             YubiKey.HasFeature(YubiKeyFeature.PivAesManagementKey) &&
             YubiKey.FirmwareVersion >= FirmwareVersion.V5_7_0

Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.cs

@@ -231,6 +231,7 @@ protected override void Dispose(bool disposing)
                 KeyCollector = null;
                 ResetAuthenticationStatus();
             }
+
             base.Dispose(disposing);
         }
 
@@ -280,18 +281,11 @@ public PivMetadata GetMetadata(byte slotNumber)
         {
             Logger.LogInformation("GetMetadata for slot number {SlotNumber:X2}.", slotNumber);
 
-            if (!YubiKey.HasFeature(YubiKeyFeature.PivMetadata))
-            {
+            return GetMetadataInternal(slotNumber) ??
                 throw new NotSupportedException(
                     string.Format(
                         CultureInfo.CurrentCulture,
                         ExceptionMessages.NotSupportedByYubiKeyVersion));
-            }
-
-            var command = new GetMetadataCommand(slotNumber);
-            var response = Connection.SendCommand(command);
-
-            return response.GetData();
         }
 
         /// <summary>
@@ -571,5 +565,17 @@ private void TryBlock(byte slot)
                     CultureInfo.CurrentCulture,
                     ExceptionMessages.ApplicationResetFailure));
         }
+        
+        private PivMetadata? GetMetadataInternal(byte slotNumber)
+        {
+            if (!YubiKey.HasFeature(YubiKeyFeature.PivMetadata))
+            {
+                return null;
+            }
+
+            var command = new GetMetadataCommand(slotNumber);
+            var response = Connection.SendCommand(command);
+            return response.GetData();
+        }
     }
 }