Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Updates to PIV PUK documentation to reflect new behavior in firmware 5.7 #133

Merged
merged 8 commits into from
Aug 7, 2024

Conversation

equijano21
Copy link
Collaborator

Description

Updates to PIV PUK documentation to reflect new behavior in firmware 5.7.

Fixes outdated docs identified by customer.

Type of change

  • This change requires a documentation update

How has this been tested?

Local docs build.

@equijano21 equijano21 changed the title Docs/piv puk Updates to PIV PUK documentation to reflect new behavior in firmware 5.7 Aug 1, 2024
@equijano21 equijano21 marked this pull request as draft August 1, 2024 21:01
the YubiKey will allow the PUK to be 6, 7, or 8 bytes long.
The PUK is used to unblock the PIN (see the section below on [blocking](#blocking)). The standard
specifies that the PUK is to be an 8-byte value, with each of the bytes any binary value from `0x00` to
`0xFF`. The YubiKey, however, will allow the PUK to be 6, 7, or 8 bytes long. For YubiKeys with firmware versions prior to 5.7, the key will accept any value in the `0x00` -
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
`0xFF`. The YubiKey, however, will allow the PUK to be 6, 7, or 8 bytes long. For YubiKeys with firmware versions prior to 5.7, the key will accept any value in the `0x00` -
`0xFF`. For YubiKeys with firmware versions prior to 5.7, the key will accept any value in the `0x00` -

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PUK is always 8 characters, the PIN can be 6, 7 or 8 characters.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PUK can actually be 6-8 characters too. Just confirmed the behavior with the authenticator app.

`0xFF` range in the PUK. For YubiKeys with firmware version 5.7 and above, the key will only accept values in the `0x00` -
`0x7F` range. Values from `0x80` - `0xFF` will be considered invalid by the key, and any attempt to change the PUK to a byte array containing one of these values will fail.

These restrictions are due to the YubiKey's PUK length requirements: for firmware versions prior to 5.7, the YubiKey simply requires a PUK length of 6-8 bytes, but for firmware version 5.7 and above, that requirement has changed to 6-8 *Unicode code points* in length. This is an important change because the byte representation (UTF-8 encoding) of a single code point can be 1-4 bytes in length, which means that a 6-8 byte PUK may be less than 6-8 code points. In order to accomodate keys of varying firmware versions, the SDK maintains a 6-8 byte length requirement when calling [PivSession.TryChangePuk](xref:Yubico.YubiKey.Piv.PivSession.TryChangePuk). However, keys with firmware 5.7 and above will only accept values that represent single-byte code points, hence the restricted range of `0x00` - `0x7F` (the range of `0x80` - `0xFF` represents code points of two bytes in length). For additional information on Unicode, UTF-8, and the SDK, see the [FIDO2 documentation](xref:TheFido2Pin).
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
These restrictions are due to the YubiKey's PUK length requirements: for firmware versions prior to 5.7, the YubiKey simply requires a PUK length of 6-8 bytes, but for firmware version 5.7 and above, that requirement has changed to 6-8 *Unicode code points* in length. This is an important change because the byte representation (UTF-8 encoding) of a single code point can be 1-4 bytes in length, which means that a 6-8 byte PUK may be less than 6-8 code points. In order to accomodate keys of varying firmware versions, the SDK maintains a 6-8 byte length requirement when calling [PivSession.TryChangePuk](xref:Yubico.YubiKey.Piv.PivSession.TryChangePuk). However, keys with firmware 5.7 and above will only accept values that represent single-byte code points, hence the restricted range of `0x00` - `0x7F` (the range of `0x80` - `0xFF` represents code points of two bytes in length). For additional information on Unicode, UTF-8, and the SDK, see the [FIDO2 documentation](xref:TheFido2Pin).
These restrictions are due to the YubiKey's PUK length requirements: for firmware versions prior to 5.7, the YubiKey simply requires a PUK length of 8 bytes, but for firmware version 5.7 and above, that requirement has changed to 8 *Unicode code points* in length. This is an important change because the byte representation (UTF-8 encoding) of a single code point can be 1-4 bytes in length, which means that a 8 byte PUK may be less than 8 code points. In order to accommodate keys of varying firmware versions, the SDK maintains a 8 byte length requirement when calling [PivSession.TryChangePuk](xref:Yubico.YubiKey.Piv.PivSession.TryChangePuk). However, keys with firmware 5.7 and above will only accept values that represent single-byte code points, hence the restricted range of `0x00` - `0x7F` (the range of `0x80` - `0xFF` represents code points of two bytes in length). For additional information on Unicode, UTF-8, and the SDK, see the [FIDO2 documentation](xref:TheFido2Pin).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe my changes to be accurate but probably best to check with the firmware team to be sure.

Copy link

github-actions bot commented Aug 7, 2024

Test Results: Windows

    2 files      2 suites   4s ⏱️
3 700 tests 3 700 ✅ 0 💤 0 ❌
3 702 runs  3 702 ✅ 0 💤 0 ❌

Results for commit 9ce6982.

♻️ This comment has been updated with latest results.

Copy link

github-actions bot commented Aug 7, 2024

Test Results: Ubuntu

    2 files      2 suites   9s ⏱️
3 692 tests 3 692 ✅ 0 💤 0 ❌
3 694 runs  3 694 ✅ 0 💤 0 ❌

Results for commit 9ce6982.

♻️ This comment has been updated with latest results.

Copy link

github-actions bot commented Aug 7, 2024

Test Results: MacOS

    2 files      2 suites   4s ⏱️
3 692 tests 3 692 ✅ 0 💤 0 ❌
3 694 runs  3 694 ✅ 0 💤 0 ❌

Results for commit 9ce6982.

♻️ This comment has been updated with latest results.

Copy link

github-actions bot commented Aug 7, 2024

Code Coverage

Package Line Rate Branch Rate Complexity Health
Yubico.Core 42% 31% 4257
Yubico.YubiKey 50% 47% 19089
Summary 49% (31993 / 65943) 44% (8185 / 18519) 23346

Minimum allowed line rate is 40%

@equijano21 equijano21 marked this pull request as ready for review August 7, 2024 19:45
@equijano21 equijano21 requested a review from DennisDyallo August 7, 2024 19:46
Copy link
Collaborator

@DennisDyallo DennisDyallo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Beautiful, thanks @equijano21 !

@DennisDyallo DennisDyallo merged commit fef2004 into develop Aug 7, 2024
12 checks passed
@DennisDyallo DennisDyallo deleted the docs/piv-puk branch August 7, 2024 22:12
@@ -25,10 +25,14 @@ Which element to change is given in the P2 field of the APDU and the current and
data (old and new PIN or PUK) are given in the data field. The data is simply the two
values concatenated.

Both the PIN and PUK are allowed to be 6 to 8 characters, but if one is less than 8, it
will be padded with 0xff. For example, the default PIN is "123456", but on the device,
Both the PIN and the PUK are allowed to be 6 to 8 characters. If one is less than 8, it
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@equijano21 the PUK has to be 8 characters and 8 characters only. The PIN can be 6-8 characters and will be padded if less than 8.

@@ -581,7 +581,9 @@ All YubiKeys with the PIV application.
Which reference data element to change (PIN or PUK), the current reference value, and
the new value.

Both the PIN and PUK are allowed to be 6 to 8 characters.
Both the PIN and the PUK are allowed to be 6 to 8 characters. The PIN can be composed of any ASCII character, but PUK composition depends on the key's firmware. For YubiKeys with firmware versions prior to 5.7, the PUK is allowed to be any character in the `0x00` -
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment as above.

the YubiKey will allow the PUK to be 6, 7, or 8 bytes long.
The PUK is used to unblock the PIN (see the section below on [blocking](#blocking)). The standard
specifies that the PUK is to be an 8-byte value, with each of the bytes any binary value from `0x00` to
`0xFF`. The YubiKey, however, will accept a PUK of 6 to 8 characters. For YubiKeys with firmware versions prior to 5.7, the key will accept any value in the `0x00` -
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above

`0xFF` range in the PUK. For YubiKeys with firmware version 5.7 and above, the key will only accept values in the `0x00` -
`0x7F` range. Values from `0x80` - `0xFF` will be considered invalid by the key, and any attempt to change the PUK to a byte array containing one of these values will fail.

These restrictions are due to the YubiKey's PUK length requirements: for firmware versions prior to 5.7, the YubiKey simply requires a PUK length of 6-8 bytes, but for firmware version 5.7 and above, that requirement has changed to 6-8 *Unicode code points* in length. This is an important change because the byte representation (UTF-8 encoding) of a single code point can be 1-4 bytes in length, which means that a 6-byte PUK may be less than 6 code points. In order to accommodate keys of varying firmware versions, the SDK maintains a 6-8 byte length requirement when calling [PivSession.TryChangePuk](xref:Yubico.YubiKey.Piv.PivSession.TryChangePuk) or [Piv.Commands.ChangeReferenceDataCommand](xref:Yubico.YubiKey.Piv.Commands.ChangeReferenceDataCommand). However, keys with firmware 5.7 and above will only accept values that represent single-byte code points, hence the restricted range of `0x00` - `0x7F` (the range of `0x80` - `0xFF` represents code points of two bytes in length). For additional information on Unicode, UTF-8, and the SDK, see the [FIDO2 documentation](xref:TheFido2Pin).
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

3 participants