Add CLI commands for delete/move keys.

Yubico · Dec 21, 2023 · d35194d · d35194d
1 parent c5a6741
commit d35194d
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 2 deletions.
diff --git a/ykman/_cli/piv.py b/ykman/_cli/piv.py
@@ -757,6 +757,55 @@ def do_verify():
     logger.info(f"Public key for slot {slot} written to {_fname(public_key_output)}")
 
 
+@keys.command("move")
+@click.pass_context
+@click_management_key_option
+@click_pin_option
+@click.argument("source", callback=click_parse_piv_slot)
+@click.argument("dest", callback=click_parse_piv_slot)
+def move_key(ctx, management_key, pin, source, target):
+    """
+    Moves a key.
+
+    Moves a key from one PIV slot into another.
+
+    \b
+    SOURCE            PIV slot of the key to move
+    DEST              PIV slot to move the key into
+    """
+    if source == target:
+        raise CliFail("SOURCE must be different from DEST")
+    session = ctx.obj["session"]
+    _ensure_authenticated(ctx, pin, management_key)
+    try:
+        session.move_key(source, target)
+    except ApduError as e:
+        if e.sw == SW.INCORRECT_PARAMETERS:
+            raise CliFail("DEST slot is not empty")
+        if e.sw == SW.REFERENCE_DATA_NOT_FOUND:
+            raise CliFail("No key in SOURCE slot")
+        raise
+
+
+@keys.command("delete")
+@click.pass_context
+@click_management_key_option
+@click_pin_option
+@click_slot_argument
+def delete_key(ctx, management_key, pin, slot):
+    """
+    Delete a key.
+
+    Delete a key from a PIV slot on the YubiKey.
+
+    \b
+    SLOT            PIV slot of the key
+    """
+    session = ctx.obj["session"]
+    _ensure_authenticated(ctx, pin, management_key)
+    session.delete_key(slot)
+
+
 @piv.group("certificates")
 def cert():
     """

diff --git a/yubikit/piv.py b/yubikit/piv.py
@@ -105,6 +105,8 @@ def algorithm(self):
 
     @property
     def bit_len(self):
+        if self in (KEY_TYPE.ED25519, KEY_TYPE.X25519):
+            return 256
         match = re.search(r"\d+$", self.name)
         if match:
             return int(match.group())
@@ -117,7 +119,6 @@ def from_public_key(cls, key):
                 return getattr(cls, "RSA%d" % key.key_size)
             except AttributeError:
                 raise ValueError("Unsupported RSA key size: %d" % key.key_size)
-                pass  # Fall through to ValueError
         elif isinstance(key, ec.EllipticCurvePublicKey):
             curve_name = key.curve.name
             if curve_name == "secp256r1":
@@ -836,7 +837,11 @@ def decrypt(
         return _unpad_message(padded, padding)
 
     def calculate_secret(
-        self, slot: SLOT, peer_public_key: ec.EllipticCurvePublicKey
+        self,
+        slot: SLOT,
+        peer_public_key: Union[
+            ec.EllipticCurvePrivateKeyWithSerialization, x25519.X25519PublicKey
+        ],
     ) -> bytes:
         """Calculate shared secret using ECDH.