From 838a0eec0fe20f0272a2268d1db10530af6e3f31 Mon Sep 17 00:00:00 2001 From: Dain Nilsson Date: Tue, 26 Mar 2024 12:48:06 +0100 Subject: [PATCH] PIV: Prompt to confirm PIN when unblocking with PUK --- ykman/_cli/piv.py | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/ykman/_cli/piv.py b/ykman/_cli/piv.py index 02a01e9c..bb9c1a89 100644 --- a/ykman/_cli/piv.py +++ b/ykman/_cli/piv.py @@ -523,7 +523,11 @@ def unblock_pin(ctx, puk, new_pin): puk = click_prompt("Enter PUK", default="", show_default=False, hide_input=True) if not new_pin: new_pin = click_prompt( - "Enter a new PIN", default="", show_default=False, hide_input=True + "Enter a new PIN", + default="", + show_default=False, + hide_input=True, + confirmation_prompt=True, ) try: session.unblock_pin(puk, new_pin) @@ -534,6 +538,10 @@ def unblock_pin(ctx, puk, new_pin): raise CliFail("PIN unblock failed - %d tries left." % attempts) else: raise CliFail("PUK is blocked.") + except ApduError as e: + if e.sw == SW.CONDITIONS_NOT_SATISFIED: + raise CliFail("PIN does not meet complexity requirement.") + raise @piv.group()