Remove unused optional parameter from _yk_piv_ctrl

CHANGELOG.md

@@ -9,16 +9,16 @@ and this project adheres to [Semantic Versioning][semver].
 
 ### Added
 
+- Remove unused optional parameter from _yk_piv_ctrl ([572])
 - Implement full partial update. Store last validated commit per repo ([559)])
 
 ### Changed
 
 ### Fixed
 
-
+[572]: https://github.com/openlawlibrary/taf/pull/572
 [559]: https://github.com/openlawlibrary/taf/pull/558
 
-
 ## [0.32.4]
 
 ### Added
@@ -53,7 +53,6 @@ and this project adheres to [Semantic Versioning][semver].
 
 ### Fixed
 
-
 [564]: https://github.com/openlawlibrary/taf/pull/564
 
 ## [0.32.1] - 11/01/2024

setup.py

@@ -33,7 +33,7 @@
     "jinja2==3.1.*",
 ]
 
-yubikey_require = ["yubikey-manager==5.1.*"]
+yubikey_require = ["yubikey-manager==5.5.*"]
 
 
 kwargs = {

taf/api/yubikey.py

@@ -161,7 +161,7 @@ def setup_signing_yubikey(
     on_exceptions=TAFError,
     reraise=True,
 )
-def setup_test_yubikey(key_path: str) -> None:
+def setup_test_yubikey(key_path: str, key_size: Optional[int] = 2048) -> None:
     """
     Reset the inserted yubikey, set default pin and copy the specified key
     to it.
@@ -183,7 +183,7 @@ def setup_test_yubikey(key_path: str) -> None:
     print(f"Importing RSA private key from {key_path} to Yubikey...")
     pin = yk.DEFAULT_PIN
 
-    pub_key = yk.setup(pin, "Test Yubikey", private_key_pem=key_pem)
+    pub_key = yk.setup(pin, "Test Yubikey", private_key_pem=key_pem, key_size=key_size)
     print("\nPrivate key successfully imported.\n")
     print("\nPublic key (PEM): \n{}".format(pub_key.decode("utf-8")))
     print("Pin: {}\n".format(pin))

taf/repository_tool.py

@@ -155,7 +155,7 @@ def _check_key_and_get_pin(expected_key_id):
             inserted_key = yk.get_piv_public_key_tuf()
             if expected_key_id != inserted_key["keyid"]:
                 return None
-            serial_num = yk.get_serial_num(inserted_key)
+            serial_num = yk.get_serial_num()
             pin = yk.get_key_pin(serial_num)
             if pin is None:
                 pin = yk.get_and_validate_pin(name)

taf/tools/yubikey/yubikey_utils.py

@@ -147,7 +147,7 @@ def __init__(self, keystore_path, scheme):
 
 
 @contextmanager
-def _yk_piv_ctrl_mock(serial=None, pub_key_pem=None):
+def _yk_piv_ctrl_mock(serial=None):
     global INSERTED_YUBIKEY
 
     if INSERTED_YUBIKEY is None:

taf/yubikey.py

@@ -95,7 +95,7 @@ def decorator(*args, **kwargs):
 
 
 @contextmanager
-def _yk_piv_ctrl(serial=None, pub_key_pem=None):
+def _yk_piv_ctrl(serial=None):
     """Context manager to open connection and instantiate Piv Session.
 
     Args:
@@ -110,35 +110,13 @@ def _yk_piv_ctrl(serial=None, pub_key_pem=None):
     """
     # If pub_key_pem is given, iterate all devices, read x509 certs and try to match
     # public keys.
-    if pub_key_pem is not None:
-        for dev, info in list_all_devices():
-            # Connect to a YubiKey over a SmartCardConnection, which is needed for PIV.
+    for dev, info in list_all_devices():
+        if serial is None or info.serial == serial:
             with dev.open_connection(SmartCardConnection) as connection:
                 session = PivSession(connection)
-                device_pub_key_pem = (
-                    session.get_certificate(SLOT.SIGNATURE)
-                    .public_key()
-                    .public_bytes(
-                        encoding=serialization.Encoding.PEM,
-                        format=serialization.PublicFormat.SubjectPublicKeyInfo,
-                    )
-                    .decode("utf-8")
-                )
-                # Tries to match without last newline char
-                if (
-                    device_pub_key_pem == pub_key_pem
-                    or device_pub_key_pem[:-1] == pub_key_pem
-                ):
-                    break
                 yield session, info.serial
-    else:
-        for dev, info in list_all_devices():
-            if serial is None or info.serial == serial:
-                with dev.open_connection(SmartCardConnection) as connection:
-                    session = PivSession(connection)
-                    yield session, info.serial
-            else:
-                pass
+        else:
+            pass
 
 
 def is_inserted():
@@ -178,7 +156,7 @@ def is_valid_pin(pin):
 
 
 @raise_yubikey_err("Cannot get serial number.")
-def get_serial_num(pub_key_pem=None):
+def get_serial_num():
     """Get Yubikey serial number.
 
     Args:
@@ -191,12 +169,12 @@ def get_serial_num(pub_key_pem=None):
     Raises:
         - YubikeyError
     """
-    with _yk_piv_ctrl(pub_key_pem=pub_key_pem) as (_, serial):
+    with _yk_piv_ctrl() as (_, serial):
         return serial
 
 
 @raise_yubikey_err("Cannot export x509 certificate.")
-def export_piv_x509(cert_format=serialization.Encoding.PEM, pub_key_pem=None):
+def export_piv_x509(cert_format=serialization.Encoding.PEM):
     """Exports YubiKey's piv slot x509.
 
     Args:
@@ -210,13 +188,13 @@ def export_piv_x509(cert_format=serialization.Encoding.PEM, pub_key_pem=None):
     Raises:
         - YubikeyError
     """
-    with _yk_piv_ctrl(pub_key_pem=pub_key_pem) as (ctrl, _):
+    with _yk_piv_ctrl() as (ctrl, _):
         x509 = ctrl.get_certificate(SLOT.SIGNATURE)
         return x509.public_bytes(encoding=cert_format)
 
 
 @raise_yubikey_err("Cannot export public key.")
-def export_piv_pub_key(pub_key_format=serialization.Encoding.PEM, pub_key_pem=None):
+def export_piv_pub_key(pub_key_format=serialization.Encoding.PEM):
     """Exports YubiKey's piv slot public key.
 
     Args:
@@ -230,7 +208,7 @@ def export_piv_pub_key(pub_key_format=serialization.Encoding.PEM, pub_key_pem=No
     Raises:
         - YubikeyError
     """
-    with _yk_piv_ctrl(pub_key_pem=pub_key_pem) as (ctrl, _):
+    with _yk_piv_ctrl() as (ctrl, _):
         try:
             x509_cert = ctrl.get_certificate(SLOT.SIGNATURE)
             public_key = x509_cert.public_key()
@@ -256,7 +234,7 @@ def export_yk_certificate(certs_dir, key):
 
 
 @raise_yubikey_err("Cannot get public key in TUF format.")
-def get_piv_public_key_tuf(scheme=DEFAULT_RSA_SIGNATURE_SCHEME, pub_key_pem=None):
+def get_piv_public_key_tuf(scheme=DEFAULT_RSA_SIGNATURE_SCHEME):
     """Return public key from a Yubikey in TUF's RSAKEY_SCHEMA format.
 
     Args:
@@ -272,12 +250,12 @@ def get_piv_public_key_tuf(scheme=DEFAULT_RSA_SIGNATURE_SCHEME, pub_key_pem=None
     Raises:
         - YubikeyError
     """
-    pub_key_pem = export_piv_pub_key(pub_key_pem=pub_key_pem).decode("utf-8")
+    pub_key_pem = export_piv_pub_key().decode("utf-8")
     return import_rsakey_from_pem(pub_key_pem, scheme)
 
 
 @raise_yubikey_err("Cannot sign data.")
-def sign_piv_rsa_pkcs1v15(data, pin, pub_key_pem=None):
+def sign_piv_rsa_pkcs1v15(data, pin):
     """Sign data with key from YubiKey's piv slot.
 
     Args:
@@ -292,7 +270,7 @@ def sign_piv_rsa_pkcs1v15(data, pin, pub_key_pem=None):
     Raises:
         - YubikeyError
     """
-    with _yk_piv_ctrl(pub_key_pem=pub_key_pem) as (ctrl, _):
+    with _yk_piv_ctrl() as (ctrl, _):
         ctrl.verify_pin(pin)
         return ctrl.sign(
             SLOT.SIGNATURE, KEY_TYPE.RSA2048, data, hashes.SHA256(), padding.PKCS1v15()