From 56498accd167aa38ac43a23704cfc4394ba224d7 Mon Sep 17 00:00:00 2001
From: coder
Date: Wed, 22 May 2024 23:59:15 +0900
Subject: [PATCH] PINPolicyAlways if Attest fails
---
 piv/key.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/piv/key.go b/piv/key.go
index d070eac..b3162d6 100644
--- a/piv/key.go
+++ b/piv/key.go
@@ -936,6 +936,11 @@ func pinPolicy(yk *YubiKey, slot Slot) (PINPolicy, error) {
 cert, err := yk.Attest(slot)
 if err != nil {
 var e *apduErr
+ errors.As(err, &e)
+ if e == nil {
+ // Yubikey Version 5.2.7 Attest returns ErrNotFound
+ return PINPolicyAlways, nil
+ }
 if errors.As(err, &e) && e.sw1 == 0x6d && e.sw2 == 0x00 {
 // Attestation cert command not supported, probably an older YubiKey.
 // Guess PINPolicyAlways.
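Review bot: The added `if e == nil` branch returns `PINPolicyAlways, nil` for every Attest failure that is not an `*apduErr`, not only the ErrNotFound case named in the comment, so a transport or certificate-parsing error would be reported as success with a guessed policy. Guessing Always is the conservative direction for PIN prompting, but the caller loses the real error and cannot tell a missing attestation from a broken device. Match the sentinel instead, `if errors.Is(err, ErrNotFound) { return PINPolicyAlways, nil }`, which also removes the bare `errors.As(err, &e)` whose result is discarded and which is repeated in the next condition. The rest of pinPolicy lies outside the hunk, so how the remaining errors are handled is not visible here.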