From f8974ff18331c5af13a5dc3e6075d3054939a3f4 Mon Sep 17 00:00:00 2001
From: Pol Henarejos <pol.henarejos@cttc.es>
Date: Tue, 26 Mar 2024 19:52:47 +0100
Subject: [PATCH] Add PIN policy check on AUTHENTICATE.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
---
 src/openpgp/piv.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/openpgp/piv.c b/src/openpgp/piv.c
index d0db54f..5b79190 100644
--- a/src/openpgp/piv.c
+++ b/src/openpgp/piv.c
@@ -536,6 +536,14 @@ static int cmd_authenticate() {
             return SW_INCORRECT_P1P2();
         }
     }
+    uint8_t *meta = NULL;
+    int meta_len = 0;
+    if ((meta_len = meta_find(key_ref, &meta)) <= 0) {
+        return SW_REFERENCE_NOT_FOUND();
+    }
+    if (meta[1] == PINPOLICY_ALWAYS && !has_pwpiv && (key_ref == EF_PIV_KEY_AUTHENTICATION || key_ref == EF_PIV_KEY_SIGNATURE || key_ref == EF_PIV_KEY_KEYMGM || IS_RETIRED(key_ref))) {
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+    }
     uint8_t chal_len = (algo == PIV_ALGO_3DES ? sizeof(challenge) / 2 : sizeof(challenge));
     asn1_ctx_t ctxi, a7c = { 0 };
     asn1_ctx_init(apdu.data, (uint16_t)apdu.nc, &ctxi);