- provide PINpolicy always to piv-go to avoid trying to use attestation cert, which we might not have

- bump piv-go version to 1.6.0
4 years ago · 179e793f1a
parent 946aedca92
commit 179e793f1a
2 changed files with 2 additions and 1 deletions
--- a/go.mod
+++ b/go.mod
@ -7,7 +7,7 @@ require (
 	github.com/Masterminds/sprig/v3 v3.1.0
 	github.com/aws/aws-sdk-go v1.30.29
 	github.com/go-chi/chi v4.0.2+incompatible
-	github.com/go-piv/piv-go v1.5.0
+	github.com/go-piv/piv-go v1.6.0
 	github.com/googleapis/gax-go/v2 v2.0.5
 	github.com/juju/ansiterm v0.0.0-20180109212912-720a0952cc2a // indirect
 	github.com/lunixbochs/vtclean v1.0.0 // indirect
--- a/kms/yubikey/yubikey.go
+++ b/kms/yubikey/yubikey.go
@ -142,6 +142,7 @@ func (k *YubiKey) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, e

 	priv, err := k.yk.PrivateKey(slot, cert.PublicKey, piv.KeyAuth{
 		PIN: k.pin,
+		PINPolicy:   piv.PINPolicyAlways,
 	})
 	if err != nil {
 		return nil, errors.Wrap(err, "error retrieving private key")