Verifying the PIN / Touch Policy on the YubiKey
Example: attest the key in slot 9a and write the attestation certificate to the Desktop
ykman piv keys attest 9a $env:USERPROFILE\Desktop\9a.attest.crt
Dump the attestation certificate as ASN.1 and verify that the PIN and touch policy are set the way you intended.
certutil -asn $env:USERPROFILE\Desktop\9a.attest.crt
In the dump, look for the extension with OID
1.3.6.1.4.1.41482.3.8
Its value is a two-byte OCTET STRING. Example (here 02 03 = PIN once per session, touch always):
| | | ; 1.3.6.1.4.1.41482.3.8
01fb: | | 04 02 ; OCTET_STRING (2 Bytes)
01fd: | | 02 03 ; ..
SEE: https://developers.yubico.com/PIV/Introduction/PIV_attestation.html
1.3.6.1.4.1.41482.3.8: Two bytes, the first encoding the PIN policy and the second the touch policy
PIN policy: 01 - never, 02 - once per session, 03 - always
Touch policy: 01 - never, 02 - always, 03 - cached for 15s
The policy bytes are only trustworthy if the attestation certificate itself is genuine: it is signed by the attestation certificate in slot f9 (export it with ykman piv certificates export f9 <file>), which chains to Yubico's PIV attestation root CA. Check that chain before relying on what the extension says.
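The following PowerShell script is an added example, not part of the original page or of Yubico's tooling. It reads the attestation certificate written by the ykman command above, locates the 1.3.6.1.4.1.41482.3.8 extension, checks the DER framing (OCTET STRING, length 2) and maps the two bytes to the policy names listed above, so the check can be scripted instead of read off certutil output by eye. The certificate path and the required touch policy at the end are assumptions; adjust them to your environment.

```powershell
# Added example: decode the YubiKey PIV attestation policy extension
# (OID 1.3.6.1.4.1.41482.3.8) from an attestation certificate produced by
#   ykman piv keys attest 9a <file>
# Path below is an assumption; change it to wherever you saved the certificate.
param(
    [string]$CertPath = "$env:USERPROFILE\Desktop\9a.attest.crt"
)

$PolicyOid   = '1.3.6.1.4.1.41482.3.8'
# Byte values documented at developers.yubico.com/PIV/Introduction/PIV_attestation.html
$PinPolicy   = @{ 1 = 'never'; 2 = 'once per session'; 3 = 'always' }
$TouchPolicy = @{ 1 = 'never'; 2 = 'always';           3 = 'cached for 15s' }

function Get-YubiKeyPivPolicy {
    param([Parameter(Mandatory)][string]$Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $PolicyOid }
    if (-not $ext) {
        throw "Extension $PolicyOid not found in $Path. Is this a YubiKey PIV attestation certificate?"
    }

    # RawData is the DER-encoded extension value. For this extension that is
    # an OCTET STRING (tag 0x04) of length 2: 04 02 <pin-policy> <touch-policy>,
    # exactly the bytes certutil -asn shows.
    $raw = $ext.RawData
    if ($raw.Length -ne 4 -or $raw[0] -ne 0x04 -or $raw[1] -ne 0x02) {
        $hex = ($raw | ForEach-Object { $_.ToString('x2') }) -join ' '
        throw "Unexpected encoding for $PolicyOid : $hex"
    }

    $pin   = [int]$raw[2]
    $touch = [int]$raw[3]
    $pinName   = if ($PinPolicy.ContainsKey($pin))     { $PinPolicy[$pin] }     else { "unknown (0x{0:x2})" -f $pin }
    $touchName = if ($TouchPolicy.ContainsKey($touch)) { $TouchPolicy[$touch] } else { "unknown (0x{0:x2})" -f $touch }

    [pscustomobject]@{
        Subject     = $cert.Subject          # e.g. the attested slot
        PinByte     = '{0:x2}' -f $pin
        PinPolicy   = $pinName
        TouchByte   = '{0:x2}' -f $touch
        TouchPolicy = $touchName
    }
}

$result = Get-YubiKeyPivPolicy -Path $CertPath
$result | Format-List

# Assumed local requirement: the slot key must need a touch on every use.
# Change 'always' to whatever your provisioning standard mandates.
if ($result.TouchPolicy -ne 'always') {
    Write-Warning "Touch policy is '$($result.TouchPolicy)', not 'always'."
    exit 1
}
```

Run it from the same PowerShell window as the ykman command; it exits non-zero when the touch policy does not match the required value, so it can be dropped into a provisioning check. The script reads only the extension bytes and does not validate the attestation chain; do that separately as noted above.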
Once you've verified the PIN and touch policy via the attestation function of YubiKey Manager, the next step is to sign a file and confirm that the PIN and/or touch policy is actually honored. This requires the Yubico PIV Tool (yubico-piv-tool) application, found here.
Open an elevated PowerShell window, change to the directory where you installed the Yubico PIV Tool (for x64 it should be "C:\Program Files\Yubico\Yubico PIV Tool\bin"), and then run the following commands. The sign command is run twice on purpose. The tool prompts for the PIN on every run because the action is verify-pin; the touch policy is what the second run distinguishes: with touch set to "Always" the key requires a touch on both runs, whereas with "Cached" a second run within 15 seconds completes without a touch. If the key in slot 9a is an ECC key, add -A ECCP256 (or ECCP384); the tool's default algorithm is RSA2048.
echo "hello world" > $env:USERPROFILE\Desktop\data.txt
yubico-piv-tool -a verify-pin --sign -s 9a -i $env:USERPROFILE\Desktop\data.txt -o $env:USERPROFILE\Desktop\sig.bin
yubico-piv-tool -a verify-pin --sign -s 9a -i $env:USERPROFILE\Desktop\data.txt -o $env:USERPROFILE\Desktop\sig.bin