Merge pull request #14 from virot/YubiKeyPolicies

virot · web-flow · commit 78461df1a3e3 · 2025-01-17T03:17:09.000+01:00
Fix YubiKeyPolicy spelling
diff --git a/TameMyCerts.Tests/XMLPolicyTests.cs b/TameMyCerts.Tests/XMLPolicyTests.cs
@@ -103,21 +103,16 @@ public void Test_Yubikey_Policies()
 
         string sampleXML = @"<CertificateRequestPolicy xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance""
   xmlns:xsd=""http://www.w3.org/2001/XMLSchema"">
-<YubikeyPolicies>
-  <YubikeyPolicy>
+  <YubiKeyPolicies>
+  <YubiKeyPolicy>
     <Action>Allow</Action>
-    <PinPolicy>
-      <string>Always</string>
-      <string>Once</string>
-     </PinPolicy>
-     <TouchPolicy>
-       <string>Always</string>
-       <string>Cached</string>
-     </TouchPolicy>
-  </YubikeyPolicy>
-</YubikeyPolicies>
-
+      <Slot>
+        <string>9A</string>
+      </Slot>
+  </YubiKeyPolicy>
+  </YubiKeyPolicies>
 </CertificateRequestPolicy>
+
 ";
         File.WriteAllText(filename, sampleXML);
         _listener.ClearEvents();
diff --git a/TameMyCerts.Tests/YubikeyValidatorTests.cs b/TameMyCerts.Tests/YubikeyValidatorTests.cs
@@ -738,6 +738,42 @@ public void Validate_Slot_Allow_if_Wrong_slot_is_denied_10020()
             Assert.False(result.DeniedForIssuance);
             PrintResult(result);
 
+            output.WriteLine(policy.SaveToString());
+        }
+        [Fact]
+        public void Validate_Slot_with_0x_10021()
+        {
+            CertificateDatabaseRow dbRow = new CertificateDatabaseRow(_yubikey_valid_5_4_3_Once_Never_UsbAKeychain_9a_Normal_RSA_2048_CSR, CertCli.CR_IN_PKCS10, null, 10020);
+            CertificateRequestPolicy policy = _policy;
+            var result = new CertificateRequestValidationResult(dbRow);
+
+            // Required slot 0x9a, which needs to match 9a
+            policy = _policy;
+            policy.YubikeyPolicy[0].Slot = new List<string> { "0x9a" };
+            result = new CertificateRequestValidationResult(dbRow);
+            result = _YKvalidator.ExtractAttestion(result, _policy, dbRow, out var yubikeyInfo);
+            result = _YKvalidator.VerifyRequest(result, policy, yubikeyInfo, dbRow.RequestID);
+            Assert.False(result.DeniedForIssuance);
+            PrintResult(result);
+
+            output.WriteLine(policy.SaveToString());
+        }
+        [Fact]
+        public void Validate_Slot_incorrect_with_0x_10022()
+        {
+            CertificateDatabaseRow dbRow = new CertificateDatabaseRow(_yubikey_valid_5_4_3_Once_Never_UsbAKeychain_9a_Normal_RSA_2048_CSR, CertCli.CR_IN_PKCS10, null, 10020);
+            CertificateRequestPolicy policy = _policy;
+            var result = new CertificateRequestValidationResult(dbRow);
+
+            // Should not match the csr which is 9A
+            policy = _policy;
+            policy.YubikeyPolicy[0].Slot = new List<string> { "0x9e" };
+            result = new CertificateRequestValidationResult(dbRow);
+            result = _YKvalidator.ExtractAttestion(result, _policy, dbRow, out var yubikeyInfo);
+            result = _YKvalidator.VerifyRequest(result, policy, yubikeyInfo, dbRow.RequestID);
+            Assert.True(result.DeniedForIssuance);
+            PrintResult(result);
+
             output.WriteLine(policy.SaveToString());
         }
     }
diff --git a/TameMyCerts/Models/CertificateRequestPolicy.cs b/TameMyCerts/Models/CertificateRequestPolicy.cs
@@ -85,6 +85,7 @@ public class CertificateRequestPolicy
     public DirectoryServicesMapping DirectoryServicesMapping { get; set; }
 
     [XmlArray(ElementName = "YubiKeyPolicies")]
+    [XmlArrayItem(ElementName = "YubiKeyPolicy")]
     public List<YubikeyPolicy> YubikeyPolicy { get; set; } = new();
 
     [XmlElement(ElementName = "SupplementDnsNames")]
diff --git a/TameMyCerts/Validators/YubikeyValidator.cs b/TameMyCerts/Validators/YubikeyValidator.cs
@@ -186,7 +186,9 @@ private bool ObjectMatchesPolicy(YubikeyPolicy policy, YubikeyObject yubikey)
             #endregion
 
             #region Slot
-            if (policy.Slot.Any() && !policy.Slot.Contains(yubikey.Slot))
+            // Look if the slot is in the policy, if not, say that we arent matching
+            // Look for both 0xXX and XX
+            if (policy.Slot.Any() && !(policy.Slot.Any(s => s.Equals(yubikey.Slot, StringComparison.OrdinalIgnoreCase)) || policy.Slot.Any(s => s.Equals($"0x{yubikey.Slot}", StringComparison.OrdinalIgnoreCase))))
             {
                 return false;
             }

Original file line number	Diff line number	Diff line change
`@@ -186,7 +186,9 @@ private bool ObjectMatchesPolicy(YubikeyPolicy policy, YubikeyObject yubikey)`
`186`	`186`	`#endregion`
`187`	`187`
`188`	`188`	`#region Slot`
`189`		`- if (policy.Slot.Any() && !policy.Slot.Contains(yubikey.Slot))`
	`189`	`+ // Look if the slot is in the policy, if not, say that we arent matching`
	`190`	`+ // Look for both 0xXX and XX`
	`191`	`+ if (policy.Slot.Any() && !(policy.Slot.Any(s => s.Equals(yubikey.Slot, StringComparison.OrdinalIgnoreCase)) \|\| policy.Slot.Any(s => s.Equals($"0x{yubikey.Slot}", StringComparison.OrdinalIgnoreCase))))`
`190`	`192`	`{`
`191`	`193`	`return false;`
`192`	`194`	`}`