1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -364,3 +364,4 @@ FodyWeavers.xsd
/.vscode/launch.json
/powershellYK.psd1
/.cursorrules
/Docs/Cookbook/Set-BIO-random-PIN.ps1
35 changes: 22 additions & 13 deletions Module/Cmdlets/FIDO2/EnableYubikeyFIDO2EnterpriseAttestation.cs
@@ -1,17 +1,17 @@
/// <summary>
/// Enables enterprise attestation the YubiKey FIDO2 applet.
/// Enables enterprise attestation on the YubiKey FIDO2 applet.
/// Enterprise attestation (EA) allows the YubiKey to provide detailed device information
/// during FIDO2 authentication, which can be useful for enterprise deployments.
/// Requires a YubiKey capable of Enterprise Attestation and administrator privileges on Windows.
/// Note: Enterprise attestation cannot be disabled without resetting the FIDO2 applet.
/// Note: Enterprise attestation is only disabled when resetting the FIDO2 applet.
///
/// .EXAMPLE
/// Enable-YubiKeyFIDO2EnterpriseAttestation
/// Enables enterprise attestation on the connected YubiKey
///
/// .EXAMPLE
/// Enable-YubiKeyFIDO2EnterpriseAttestation -Confirm:$false
/// Enables enterprise attestation without confirmation prompt
/// Enable-YubiKeyFIDO2EnterpriseAttestation -InformationAction Continue
/// Enables enterprise attestation and displays informational messages
/// </summary>

// Imports
Expand All @@ -25,7 +25,7 @@

namespace powershellYK.Cmdlets.Fido
{
[Cmdlet(VerbsLifecycle.Enable, "YubiKeyFIDO2EnterpriseAttestation", SupportsShouldProcess = true, ConfirmImpact = ConfirmImpact.High)]
[Cmdlet(VerbsLifecycle.Enable, "YubiKeyFIDO2EnterpriseAttestation")]
public class EnableYubikeyFIDO2CmdletEnterpriseAttestation : PSCmdlet
{
// Initialize processing and verify requirements
Expand All @@ -34,7 +34,7 @@ protected override void BeginProcessing()
// Connect to FIDO2 if not already authenticated
if (YubiKeyModule._fido2PIN is null)
{
WriteDebug("No FIDO2 session has been authenticated, calling Connect-YubikeyFIDO2");
WriteDebug("No FIDO2 session has been authenticated, calling Connect-YubikeyFIDO2...");
var myPowersShellInstance = PowerShell.Create(RunspaceMode.CurrentRunspace).AddCommand("Connect-YubikeyFIDO2");
if (this.MyInvocation.BoundParameters.ContainsKey("InformationAction"))
{
Expand All @@ -43,7 +43,7 @@ protected override void BeginProcessing()
myPowersShellInstance.Invoke();
if (YubiKeyModule._fido2PIN is null)
{
throw new Exception("Connect-YubikeyFIDO2 failed to connect FIDO2 application.");
throw new Exception("Connect-YubikeyFIDO2 failed to connect to the FIDO2 applet!");
}
}

Expand All @@ -57,19 +57,28 @@ protected override void BeginProcessing()
// Process the main cmdlet logic
protected override void ProcessRecord()
{
// Create a FIDO2 session with the YubiKey
using (var fido2Session = new Fido2Session((YubiKeyDevice)YubiKeyModule._yubikey!))
{
// Set up key collector for PIN operations
fido2Session.KeyCollector = YubiKeyModule._KeyCollector.YKKeyCollectorDelegate;
fido2Session.AuthenticatorInfo.Options!.Any(v => v.Key.Contains(AuthenticatorOptions.ep));
if (!(fido2Session.AuthenticatorInfo.Options!.Any(v => v.Key.Contains(AuthenticatorOptions.ep))) || fido2Session.AuthenticatorInfo.GetOptionValue(AuthenticatorOptions.ep) == OptionValue.False)
// Check if enterprise attestation is supported
if (!fido2Session.AuthenticatorInfo.Options!.Any(v => v.Key.Contains(AuthenticatorOptions.ep)))
{
throw new Exception("Enterprise attestation not supported by this YubiKey.");
}
if (ShouldProcess("Enterprise attestion cannot be disabled without resetting the FIDO2 applet.", "Enterprise attestion cannot be disabled without resetting the FIDO2 applet.", "Disable not possible."))

// Check if enterprise attestation is already enabled
if (fido2Session.AuthenticatorInfo.GetOptionValue(AuthenticatorOptions.ep) == OptionValue.True)
{
fido2Session.TryEnableEnterpriseAttestation();
WriteInformation("Enterprise attestation is already enabled on this YubiKey.", new string[] { "FIDO2", "Info" });
return;
}

// Set up key collector for PIN operations (required by SDK)
fido2Session.KeyCollector = YubiKeyModule._KeyCollector.YKKeyCollectorDelegate;

// Enable enterprise attestation if supported by the YubiKey
fido2Session.TryEnableEnterpriseAttestation();
WriteInformation("Enterprise attestation has been successfully enabled on this YubiKey.", new string[] { "FIDO2", "Info" });
}
}
}
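Review bot: Dropping `SupportsShouldProcess = true, ConfirmImpact = ConfirmImpact.High` from the Cmdlet attribute and the `ShouldProcess` call around `TryEnableEnterpriseAttestation()` removes the only confirmation gate on an operation the summary itself says is irreversible short of a FIDO2 reset, and it also removes `-WhatIf` support for this cmdlet. I would keep the attribute as it was and guard the enable call with `if (ShouldProcess("YubiKey FIDO2 applet", "Enable enterprise attestation (cannot be disabled without resetting the applet)"))`; if the intent is to stop prompting by default, lowering `ConfirmImpact` preserves `-WhatIf`/`-Confirm` without the prompt. Separately, the return value of `TryEnableEnterpriseAttestation()` is discarded and the "successfully enabled" message on the next line is written unconditionally; if the method returns a bool as its Try prefix suggests, the write should depend on it, e.g. `if (!fido2Session.TryEnableEnterpriseAttestation()) { throw new Exception("Failed to enable enterprise attestation on this YubiKey."); }`. The enclosing namespace closes outside the hunk.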