Merge PR #2020

Author: AdamVe

android/app/src/main/kotlin/com/yubico/authenticator/piv/CertificateUtils.kt

@@ -19,6 +19,7 @@ package com.yubico.authenticator.piv
 import com.yubico.yubikit.piv.KeyType
 import com.yubico.yubikit.piv.PivSession
 import com.yubico.yubikit.piv.Slot
+import com.yubico.yubikit.piv.jca.PivProvider
 import org.bouncycastle.asn1.ASN1ObjectIdentifier
 import org.bouncycastle.asn1.edec.EdECObjectIdentifiers
 import org.bouncycastle.cert.X509CertificateHolder
@@ -41,6 +42,8 @@ import java.util.Date
 import javax.security.auth.x500.X500Principal
 import java.security.cert.X509Certificate
 import org.bouncycastle.asn1.x509.AlgorithmIdentifier
+import java.security.KeyStore
+import java.security.PrivateKey
 import java.security.SecureRandom
 import java.security.Signature
 
@@ -148,10 +151,14 @@ class PivContentSigner(
     @Throws(OperatorCreationException::class)
     override fun getSignature(): ByteArray {
         try {
-            val toBeSigned = buffer.toByteArray()
-            val signature = Signature.getInstance(signatureAlgorithm.jcaName)
-            // TODO use JCA
-            return session.sign(slot, keyAlg, toBeSigned, signature)
+            val provider = PivProvider(session)
+            val keyStore = KeyStore.getInstance("YKPiv", provider)
+            keyStore.load(null)
+
+            return Signature.getInstance(signatureAlgorithm.jcaName, provider).apply {
+                initSign(keyStore.getKey(slot.stringAlias, null) as PrivateKey)
+                update(buffer.toByteArray())
+            }.sign()
         } catch (e: GeneralSecurityException) {
             throw OperatorCreationException("PIV signing failed", e)
         }

android/app/src/main/kotlin/com/yubico/authenticator/piv/PivConnectionHelper.kt

@@ -17,11 +17,16 @@
 package com.yubico.authenticator.piv
 
 import com.yubico.authenticator.device.DeviceManager
+import com.yubico.authenticator.device.Info
+import com.yubico.authenticator.device.unknownDeviceWithCapability
+import com.yubico.authenticator.yubikit.DeviceInfoHelper.Companion.getDeviceInfo
 import com.yubico.authenticator.yubikit.NfcState
 import com.yubico.authenticator.yubikit.withConnection
+import com.yubico.yubikit.android.transport.nfc.NfcYubiKeyDevice
 import com.yubico.yubikit.android.transport.usb.UsbYubiKeyDevice
 import com.yubico.yubikit.core.smartcard.SmartCardConnection
 import com.yubico.yubikit.core.util.Result
+import com.yubico.yubikit.support.DeviceUtil
 import org.slf4j.LoggerFactory
 import kotlin.coroutines.cancellation.CancellationException
 import kotlin.coroutines.suspendCoroutine
@@ -56,11 +61,13 @@ class PivConnectionHelper(private val deviceManager: DeviceManager) {
     suspend fun <T> useSmartCardConnection(
         onComplete: ((SmartCardConnection) -> Unit)? = null,
         waitForNfcKeyRemoval: Boolean = false,
+        updateDeviceInfo: Boolean = false,
         block: (SmartCardConnection) -> T
     ): T {
+        PivManager.updateDeviceInfo.set(updateDeviceInfo)
         NfcState.waitForNfcKeyRemoval = waitForNfcKeyRemoval
         return deviceManager.withKey(
-            onUsb = { useSmartCardConnectionUsb(it, onComplete, block) },
+            onUsb = { useSmartCardConnectionUsb(it, onComplete, updateDeviceInfo, block) },
             onNfc = { useSmartCardConnectionNfc(onComplete, block) },
             onCancelled = {
                 pendingAction?.invoke(Result.failure(CancellationException()))
@@ -72,9 +79,23 @@ class PivConnectionHelper(private val deviceManager: DeviceManager) {
     suspend fun <T> useSmartCardConnectionUsb(
         device: UsbYubiKeyDevice,
         onComplete: ((SmartCardConnection) -> Unit)? = null,
+        updateDeviceInfo: Boolean,
         block: (SmartCardConnection) -> T
     ): T = device.withConnection<SmartCardConnection, T> { connection ->
-        block(connection).also { onComplete?.invoke(connection) }
+        block(connection).also {
+            onComplete?.invoke(connection)
+            if (updateDeviceInfo) {
+                val pid = device.pid
+                runCatching {
+                    deviceManager.setDeviceInfo(runCatching {
+                        val deviceInfo = DeviceUtil.readInfo(connection, pid)
+                        val name = DeviceUtil.getName(deviceInfo, pid.type)
+                        Info(name, false, pid.value, deviceInfo)
+                    }.getOrNull())
+
+                }
+            }
+        }
     }
 
     suspend fun <T> useSmartCardConnectionNfc(

android/app/src/main/kotlin/com/yubico/authenticator/piv/PivManager.kt

@@ -32,6 +32,7 @@ import com.yubico.authenticator.piv.data.SlotMetadata
 import com.yubico.authenticator.piv.data.fingerprint
 import com.yubico.authenticator.piv.data.isoFormat
 import com.yubico.authenticator.setHandler
+import com.yubico.authenticator.yubikit.DeviceInfoHelper.Companion.getDeviceInfo
 import com.yubico.authenticator.yubikit.withConnection
 import com.yubico.yubikit.android.transport.nfc.NfcYubiKeyDevice
 import com.yubico.yubikit.core.YubiKeyConnection
@@ -69,6 +70,7 @@ import java.text.SimpleDateFormat
 import java.util.Arrays
 import java.util.Locale
 import java.util.TimeZone
+import java.util.concurrent.atomic.AtomicBoolean
 
 typealias PivAction = (Result<SmartCardConnection, Exception>) -> Unit
 
@@ -228,6 +230,10 @@ class PivManager(
             device.withConnection<SmartCardConnection, Unit> { connection ->
                 requestHandled = processYubiKey(connection, device)
             }
+
+            if (updateDeviceInfo.getAndSet(false)) {
+                deviceManager.setDeviceInfo(runCatching { getDeviceInfo(device) }.getOrNull())
+            }
         } catch (e: Exception) {
 
             logger.error("Cancelling pending action. Cause: ", e)
@@ -351,7 +357,10 @@ class PivManager(
 
 
     private suspend fun reset(): String =
-        connectionHelper.useSmartCardConnection {
+        connectionHelper.useSmartCardConnection(
+            onComplete = ::updatePivState,
+            updateDeviceInfo = true
+        ) {
             val piv = getPivSession(it)
             piv.reset()
             ""
@@ -361,6 +370,7 @@ class PivManager(
         val defaultPin = "123456".toCharArray()
         val defaultManagementKey =
             "010203040506070801020304050607080102030405060708".hexToByteArray()
+        val updateDeviceInfo = AtomicBoolean(false)
     }
 
     private fun doAuthenticate(piv: PivSession, serial: String) =
@@ -485,7 +495,10 @@ class PivManager(
         }
 
     private suspend fun changePin(pin: CharArray, newPin: CharArray): String =
-        connectionHelper.useSmartCardConnection(::updatePivState) {
+        connectionHelper.useSmartCardConnection(
+            onComplete = ::updatePivState,
+            updateDeviceInfo = true
+        ) {
             try {
                 val piv = getPivSession(it)
                 handlePinPukErrors { PivmanUtils.pivmanChangePin(piv, pin, newPin) }
@@ -496,7 +509,10 @@ class PivManager(
         }
 
     private suspend fun changePuk(puk: CharArray, newPuk: CharArray): String =
-        connectionHelper.useSmartCardConnection(::updatePivState) {
+        connectionHelper.useSmartCardConnection(
+            onComplete = ::updatePivState,
+            updateDeviceInfo = true
+        ) {
             try {
                 val piv = getPivSession(it)
                 handlePinPukErrors { piv.changePuk(puk, newPuk) }
@@ -511,7 +527,10 @@ class PivManager(
         keyType: ManagementKeyType,
         storeKey: Boolean
     ): String =
-        connectionHelper.useSmartCardConnection(::updatePivState) {
+        connectionHelper.useSmartCardConnection(
+            onComplete = ::updatePivState,
+            updateDeviceInfo = true
+        ) {
             val piv = getPivSession(it)
             doVerifyPin(piv, pivViewModel.currentSerial())
             doAuthenticate(piv, pivViewModel.currentSerial())
@@ -915,7 +934,17 @@ class PivManager(
                 mapOf(
                     "id" to slot.value,
                     "name" to slot.stringAlias,
-                    "metadata" to pivViewModel.getMetadata(slot.stringAlias),
+                    "metadata" to pivViewModel.getMetadata(slot.stringAlias)?.let { slotMetadata ->
+                        JSONObject(
+                            mapOf(
+                                "key_type" to slotMetadata.keyType.toInt(),
+                                "pin_policy" to slotMetadata.pinPolicy,
+                                "touch_policy" to slotMetadata.touchPolicy,
+                                "generated" to slotMetadata.generated,
+                                "public_key" to slotMetadata.publicKey?.toPublicKey()?.toPem()
+                            )
+                        )
+                    },
                     "certificate" to pivViewModel.getCertificate(slot.stringAlias)?.toPem(),
                 )
             ).toString()

integration_test/oath_test.dart

@@ -24,7 +24,7 @@ extension on PatrolTester {
     bool requireTouch = false,
   }) async {
     if (isAndroid) {
-      // The camera view breaks the test on Android, add programatically
+      // The camera view breaks the test on Android, add programmatically
       await read(
         credentialListProvider(data.node.path).notifier,
       ).addAccount(cred.toUri(), requireTouch: requireTouch);

lib/oath/state.dart

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2022 Yubico.
+ * Copyright (C) 2022-2025 Yubico.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -40,7 +40,7 @@ class AccountsSearchNotifier extends StateNotifier<String> {
 }
 
 final oathLayoutProvider =
-    StateNotifierProvider.autoDispose<OathLayoutNotfier, OathLayout>((ref) {
+    StateNotifierProvider.autoDispose<OathLayoutNotifier, OathLayout>((ref) {
       final device = ref.watch(currentDeviceProvider);
       List<OathPair> credentials = device != null
           ? ref.read(
@@ -53,18 +53,18 @@ final oathLayoutProvider =
       final pinnedCreds = credentials.where(
         (entry) => favorites.contains(entry.credential.id),
       );
-      return OathLayoutNotfier(
+      return OathLayoutNotifier(
         'OATH_STATE_LAYOUT',
         ref.watch(prefProvider),
         credentials,
         pinnedCreds.toList(),
       );
     });
 
-class OathLayoutNotfier extends StateNotifier<OathLayout> {
+class OathLayoutNotifier extends StateNotifier<OathLayout> {
   final String _key;
   final SharedPreferences _prefs;
-  OathLayoutNotfier(
+  OathLayoutNotifier(
     this._key,
     this._prefs,
     List<OathPair> credentials,

lib/oath/views/add_account_page.dart

@@ -192,7 +192,7 @@ class _OathAddAccountPageState extends ConsumerState<OathAddAccountPage>
       oathState = ref
           .watch(oathStateProvider(deviceNode.path))
           .maybeWhen(data: (data) => data, orElse: () => null);
-      _credentials = ref
+      _credentials ??= ref
           .watch(credentialListProvider(deviceNode.path))
           ?.map((e) => e.credential)
           .toList();

lib/oath/views/rename_account_dialog.dart

@@ -178,8 +178,11 @@ class _RenameAccountDialogState extends ConsumerState<RenameAccountDialog> {
     // is this credential name/issuer of valid format
     final nameNotEmpty = name.isNotEmpty;
 
+    // issuer field does not contain a colon character
+    final issuerNoColon = !_issuerController.text.contains(':');
+
     // can we rename with the new values
-    final isValid = isUnique && nameNotEmpty;
+    final isValid = isUnique && nameNotEmpty && issuerNoColon;
 
     return ResponsiveDialog(
       title: Text(l10n.s_rename_account),
@@ -209,6 +212,9 @@ class _RenameAccountDialogState extends ConsumerState<RenameAccountDialog> {
                         labelText: l10n.s_issuer_optional,
                         helperText:
                             '', // Prevents dialog resizing when disabled
+                        errorText: issuerNoColon
+                            ? null
+                            : l10n.l_invalid_character_issuer,
                         icon: const Icon(Symbols.business),
                       ),
                       textInputAction: TextInputAction.next,