gravitational · Joerger · Apr 23, 2025 · Apr 18, 2025 · Apr 18, 2025 · Apr 18, 2025
diff --git a/api/constants/constants.go b/api/constants/constants.go
@@ -540,3 +540,6 @@ const (
 	// GitLab CI job.
 	EnvVarGitlabIDTokenEnvVar = "TF_TELEPORT_GITLAB_ID_TOKEN_ENV_VAR"
 )
+
+// MaxPIVPINCacheTTL defines the maximum allowed TTL for PIV PIN client caches.
+const MaxPIVPINCacheTTL = time.Hour
diff --git a/api/gen/proto/go/teleport/hardwarekeyagent/v1/hardwarekeyagent_service.pb.go b/api/gen/proto/go/teleport/hardwarekeyagent/v1/hardwarekeyagent_service.pb.go
diff --git a/api/proto/teleport/hardwarekeyagent/v1/hardwarekeyagent_service.proto b/api/proto/teleport/hardwarekeyagent/v1/hardwarekeyagent_service.proto
@@ -18,6 +18,8 @@ syntax = "proto3";
 
 package teleport.hardwarekeyagent.v1;
 
+import "google/protobuf/duration.proto";
+
 option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/hardwarekeyagent/v1;hardwarekeyagentv1";
 
 // HardwareKeyAgentService provides an agent service for hardware key (PIV) signatures.
@@ -104,6 +106,9 @@ message KeyInfo {
   // ClusterName is a Teleport cluster name that the key is associated with.
   // May be used to add context to PIN/touch prompts.
   string cluster_name = 5;
+  // PinCacheTtl is the amount of time that the PIN should be cached for
+  // PIN prompts associated with this key. A TTL of 0 means no PIN caching.
+  google.protobuf.Duration pin_cache_ttl = 6;
 }
 
 // PIVSlotKey is the key reference for a specific PIV slot.

diff --git a/api/types/authentication.go b/api/types/authentication.go
@@ -877,6 +877,10 @@ func (c *AuthPreferenceV2) CheckAndSetDefaults() error {
 		c.Spec.Okta = &OktaOptions{}
 	}
 
+	if c.GetPIVPINCacheTTL() > constants.MaxPIVPINCacheTTL {
+		return trace.BadParameter("piv_pin_cache_ttl cannot be larger than %s", constants.MaxPIVPINCacheTTL)
+	}
+
 	return nil
 }
 

diff --git a/api/utils/keys/hardwarekey/cachingprompt.go b/api/utils/keys/hardwarekey/cachingprompt.go
diff --git a/api/utils/keys/hardwarekey/cachingprompt_test.go b/api/utils/keys/hardwarekey/cachingprompt_test.go
diff --git a/api/utils/keys/hardwarekey/hardwarekey.go b/api/utils/keys/hardwarekey/hardwarekey.go
@@ -22,6 +22,7 @@ import (
 	"crypto/x509"
 	"encoding/json"
 	"io"
+	"time"
 
 	"github.com/gravitational/trace"
 )
@@ -38,13 +39,6 @@ type Service interface {
 	// GetFullKeyRef gets the full [PrivateKeyRef] for an existing hardware private
 	// key in the given slot of the hardware key with the given serial number.
 	GetFullKeyRef(serialNumber uint32, slotKey PIVSlotKey) (*PrivateKeyRef, error)
-	// SetPrompt sets the hardware key prompt used by the hardware key service, if applicable.
-	// This is used by Teleport Connect which sets the prompt later than the hardware key service,
-	// due to process initialization constraints.
-	SetPrompt(prompt Prompt)
-	// GetPrompt gets the hardware key prompt used by the hardware key service, or nil if
-	// the service does not support prompts.
-	GetPrompt() Prompt
 }
 
 // Signer is a hardware key implementation of [crypto.Signer].
@@ -131,6 +125,8 @@ type PrivateKeyRef struct {
 	// AttestationStatement contains the hardware private key's attestation statement, which is
 	// to attest the touch and pin requirements for this hardware private key during login.
 	AttestationStatement *AttestationStatement `json:"attestation_statement"`
+	// PINCacheTTL is how long hardware key prompts should cache the PIN for this key, if at all.
+	PINCacheTTL time.Duration `json:"pin_cache_ttl"`
 }
 
 // encode encodes a [PrivateKeyRef] to JSON.
@@ -246,6 +242,8 @@ type PrivateKeyConfig struct {
 	Algorithm SignatureAlgorithm
 	// ContextualKeyInfo contains additional info to associate with the key.
 	ContextualKeyInfo ContextualKeyInfo
+	// PINCacheTTL is an option to enable PIN caching for this key with the specified TTL.
+	PINCacheTTL time.Duration
 }
 
 // ContextualKeyInfo contains contextual information associated with a hardware [PrivateKey].