Merge pull request #369 from acipia/master

avoid using yubikey attestation cert
4 years ago · 9573b47efb
parent 3e874a1e72 692f7692a2
commit 9573b47efb
2 changed files with 3 additions and 2 deletions
--- a/go.mod
+++ b/go.mod
@ -7,7 +7,7 @@ require (
 	github.com/Masterminds/sprig/v3 v3.1.0
 	github.com/aws/aws-sdk-go v1.30.29
 	github.com/go-chi/chi v4.0.2+incompatible
-	github.com/go-piv/piv-go v1.5.0
+	github.com/go-piv/piv-go v1.6.0
 	github.com/googleapis/gax-go/v2 v2.0.5
 	github.com/juju/ansiterm v0.0.0-20180109212912-720a0952cc2a // indirect
 	github.com/lunixbochs/vtclean v1.0.0 // indirect
--- a/kms/yubikey/yubikey.go
+++ b/kms/yubikey/yubikey.go
@ -141,7 +141,8 @@ func (k *YubiKey) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, e
 	}

 	priv, err := k.yk.PrivateKey(slot, cert.PublicKey, piv.KeyAuth{
-		PIN: k.pin,
+		PIN:       k.pin,
+		PINPolicy: piv.PINPolicyAlways,
 	})
 	if err != nil {
 		return nil, errors.Wrap(err, "error retrieving private key")