gravitational · Joerger · Jun 25, 2025 · Jun 25, 2025 · Jun 25, 2025
diff --git a/api/utils/keys/piv/service_test.go b/api/utils/keys/piv/service_test.go
@@ -165,54 +165,61 @@ func TestOverwritePrompt(t *testing.T) {
 	}
 
 	ctx := context.Background()
-
-	promptWriter := bytes.NewBuffer([]byte{})
 	promptReader := prompt.NewFakeReader()
-	prompt := hardwarekey.NewCLIPrompt(promptWriter, promptReader)
+	prompt := hardwarekey.NewCLIPrompt(os.Stderr, promptReader)
 	s := piv.NewYubiKeyService(prompt)
 
 	y, err := piv.FindYubiKey(0)
 	require.NoError(t, err)
 
-	resetYubikey(t, y)
 	t.Cleanup(func() { resetYubikey(t, y) })
 
+	const testPIN = "123123"
+	setupYubiKey := func(t *testing.T) {
+		resetYubikey(t, y)
+		// Set pin.
+		require.NoError(t, y.SetPIN(pivgo.DefaultPIN, testPIN))
+	}
+
 	// Get the default slot used for hardware_key_touch.
-	touchSlot := pivgo.SlotSignature
+	pinSlot := pivgo.SlotCardAuthentication
 
 	testOverwritePrompt := func(t *testing.T) {
 		// Fail to overwrite slot when user denies
+		promptReader.AddString(testPIN)
 		promptReader.AddString("n")
 		_, err := keys.NewHardwarePrivateKey(ctx, s, hardwarekey.PrivateKeyConfig{
-			Policy: hardwarekey.PromptPolicy{TouchRequired: true},
+			Policy: hardwarekey.PromptPolicy{PINRequired: true},
 		})
+		require.Error(t, err)
 		require.True(t, trace.IsCompareFailed(err), "Expected compare failed error but got %v", err)
 
 		// Successfully overwrite slot when user accepts
+		promptReader.AddString(testPIN)
 		promptReader.AddString("y")
 		_, err = keys.NewHardwarePrivateKey(ctx, s, hardwarekey.PrivateKeyConfig{
-			Policy: hardwarekey.PromptPolicy{TouchRequired: true},
+			Policy: hardwarekey.PromptPolicy{PINRequired: true},
 		})
 		require.NoError(t, err)
 	}
 
 	t.Run("invalid metadata cert", func(t *testing.T) {
-		resetYubikey(t, y)
+		setupYubiKey(t)
 
 		// Set a non-teleport certificate in the slot.
-		err = y.SetMetadataCertificate(touchSlot, pkix.Name{Organization: []string{"not-teleport"}})
+		err = y.SetMetadataCertificate(pinSlot, pkix.Name{Organization: []string{"not-teleport"}})
 		require.NoError(t, err)
 
 		testOverwritePrompt(t)
 	})
 
 	t.Run("invalid key policies", func(t *testing.T) {
-		resetYubikey(t, y)
+		setupYubiKey(t)
 
 		// Generate a key that does not require touch in the slot that Teleport expects to require touch.
 		_, err := keys.NewHardwarePrivateKey(ctx, s, hardwarekey.PrivateKeyConfig{
-			CustomSlot: hardwarekey.PIVSlotKeyString(touchSlot.String()),
-			Policy:     hardwarekey.PromptPolicy{TouchRequired: false},
+			CustomSlot: hardwarekey.PIVSlotKeyString(pinSlot.String()),
+			Policy:     hardwarekey.PromptPolicy{PINRequired: false},
 		})
 		require.NoError(t, err)
 
@@ -286,11 +293,11 @@ func TestPINCaching(t *testing.T) {
 	// Signing with the right PIN should cache it.
 	promptReader.AddString(testPIN)
 	err = priv.WarmupHardwareKey(ctx)
-	require.Error(t, err)
+	require.NoError(t, err)
 
 	// The PIN is cached, no prompt needed.
 	err = priv.WarmupHardwareKey(ctx)
-	require.Error(t, err)
+	require.NoError(t, err)
 }
 
 func TestConcurrentSignature(t *testing.T) {