From 600b302c1d720cfa717223bf59953e3f2013e565 Mon Sep 17 00:00:00 2001
From: Klas Lindfors
Date: Thu, 25 Jun 2015 12:04:20 +0200
Subject: [PATCH] add touch for set-mgm-key

---
 configure.ac | 8 ++++----
 lib/ykpiv.c | 12 +++++++++++-
 lib/ykpiv.h | 2 ++
 lib/ykpiv.map | 6 ++++++
 tool/cmdline.ggo | 2 +-
 tool/yubico-piv-tool.c | 2 +-
 6 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/configure.ac b/configure.ac
index 2cf4764..5ad286d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -24,7 +24,7 @@
 # non-source form of such a combination shall include the source code
 # for the parts of OpenSSL used as well as that of the covered work.
 
-AC_INIT([yubico-piv-tool], [1.0.1])
+AC_INIT([yubico-piv-tool], [1.1.0])
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_MACRO_DIR([m4])
 
@@ -32,9 +32,9 @@ AC_CONFIG_MACRO_DIR([m4])
 # Interfaces changed/added/removed: CURRENT++ REVISION=0
 # Interfaces added: AGE++
 # Interfaces removed: AGE=0
-AC_SUBST([LT_CURRENT], 1)
-AC_SUBST([LT_REVISION], 6)
-AC_SUBST([LT_AGE], 0)
+AC_SUBST([LT_CURRENT], 2)
+AC_SUBST([LT_REVISION], 0)
+AC_SUBST([LT_AGE], 1)
 
 AM_INIT_AUTOMAKE([-Wall -Werror foreign])
 AM_SILENT_RULES([yes])
diff --git a/lib/ykpiv.c b/lib/ykpiv.c
index 89fbe55..bf7d4a0 100644
--- a/lib/ykpiv.c
+++ b/lib/ykpiv.c
@@ -427,6 +427,10 @@ ykpiv_rc ykpiv_authenticate(ykpiv_state *state, unsigned const char *key) {
 }
 
 ykpiv_rc ykpiv_set_mgmkey(ykpiv_state *state, const unsigned char *new_key) {
+  return ykpiv_set_mgmkey2(state, new_key, 0);
+}
+
+ykpiv_rc ykpiv_set_mgmkey2(ykpiv_state *state, const unsigned char *new_key, const unsigned char touch) {
   APDU apdu;
   unsigned char data[0xff];
   unsigned long recv_len = sizeof(data);
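Review bot: The new public entry point `ykpiv_set_mgmkey2` gives callers no statement of what `touch` may hold; its body continues past this hunk, where any value other than 0 or 1 is rejected with YKPIV_GENERIC_ERROR, so the contract is discoverable only by reading the implementation. Add a comment above the definition, and the same text on the declaration this commit adds to lib/ykpiv.h: `/* touch: 0 = the new management key can be used without a touch, 1 = every use of it requires a touch on the device; any other value returns YKPIV_GENERIC_ERROR without talking to the card */`. The `const` on the by-value `touch` parameter is a definition detail and can be dropped from the header prototype. `ykpiv_set_mgmkey` now delegates with touch 0, which preserves the old behaviour for existing callers.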
@@ -453,7 +457,13 @@ ykpiv_rc ykpiv_set_mgmkey(ykpiv_state *state, const unsigned char *new_key) {
   memset(apdu.raw, 0, sizeof(apdu));
   apdu.st.ins = YKPIV_INS_SET_MGMKEY;
   apdu.st.p1 = 0xff;
-  apdu.st.p2 = 0xff;
+  if(touch == 0) {
+    apdu.st.p2 = 0xff;
+  } else if(touch == 1) {
+    apdu.st.p2 = 0xfe;
+  } else {
+    return YKPIV_GENERIC_ERROR;
+  }
   apdu.st.lc = DES_KEY_SZ * 3 + 3;
   apdu.st.data[0] = YKPIV_ALGO_3DES;
   apdu.st.data[1] = YKPIV_KEY_CARDMGM;
diff --git a/lib/ykpiv.h b/lib/ykpiv.h
index 0edf065..4585d4c 100644
--- a/lib/ykpiv.h
+++ b/lib/ykpiv.h
@@ -70,6 +70,8 @@ extern "C"
       unsigned char *out_data, unsigned long *out_len, int *sw);
   ykpiv_rc ykpiv_authenticate(ykpiv_state *state, const unsigned char *key);
   ykpiv_rc ykpiv_set_mgmkey(ykpiv_state *state, const unsigned char *new_key);
+  ykpiv_rc ykpiv_set_mgmkey2(ykpiv_state *state, const unsigned char *new_key,
+      const unsigned char touch);
   ykpiv_rc ykpiv_hex_decode(const char *hex_in, size_t in_len,
       unsigned char *hex_out, size_t *out_len);
   ykpiv_rc ykpiv_sign_data(ykpiv_state *state, const unsigned char *sign_in,
diff --git a/lib/ykpiv.map b/lib/ykpiv.map
index 19969cc..0e262f4 100644
--- a/lib/ykpiv.map
+++ b/lib/ykpiv.map
@@ -53,3 +53,9 @@ YKPIV_0.2.0
 global:
   ykpiv_decipher_data;
 } YKPIV_0.1.0;
+
+YKPIV_1.1.0
+{
+global:
+  ykpiv_set_mgmkey2;
+} YKPIV_0.1.0;
diff --git a/tool/cmdline.ggo b/tool/cmdline.ggo
index 40aa65e..848db95 100644
--- a/tool/cmdline.ggo
+++ b/tool/cmdline.ggo
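Review bot: The P2 values 0xff and 0xfe in the new branch are bare magic numbers whose meaning is recoverable only by cross-reading the tool's --touch-policy mapping; a comment on the `if` would save the next reader that lookup, e.g. `/* P2 selects the touch policy of the new management key: 0xff = no touch required, 0xfe = touch required */`. The range check on `touch` sits in the middle of APDU construction; hoisting it to the top of `ykpiv_set_mgmkey2` (whose start is outside this hunk) would reject a bad argument before any of the APDU is built, although nothing has been sent to the card by this point so observable behaviour is unchanged. The enclosing function also ends outside the hunk.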
@@ -59,4 +59,4 @@ option "pin" P "Pin/puk code for verification" string optional
 option "new-pin" N "New pin/puk code for changing" string optional dependon="pin"
 option "sign" - "Sign data" flag off hidden
 option "pin-policy" - "Set pin policy for action generate or import-key" values="never","once","always" enum optional
-option "touch-policy" - "Set touch policy for action generate or import-key" values="never","always" enum optional
+option "touch-policy" - "Set touch policy for action generatem, import-key or set-mgm-key" values="never","always" enum optional
diff --git a/tool/yubico-piv-tool.c b/tool/yubico-piv-tool.c
index 92301b1..443402a 100644
--- a/tool/yubico-piv-tool.c
+++ b/tool/yubico-piv-tool.c
@@ -1699,7 +1699,7 @@ int main(int argc, char *argv[]) {
       if(ykpiv_hex_decode(args_info.new_key_arg, strlen(args_info.new_key_arg), new_key, &new_key_len) != YKPIV_OK) {
         fprintf(stderr, "Failed decoding new key!\n");
         ret = EXIT_FAILURE;
-      } else if(ykpiv_set_mgmkey(state, new_key) != YKPIV_OK) {
+      } else if(ykpiv_set_mgmkey2(state, new_key, args_info.touch_policy_arg == touch_policy_arg_always ? 1 : 0) != YKPIV_OK) {
         fprintf(stderr, "Failed setting the new key!\n");
         ret = EXIT_FAILURE;
       } else {
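Review bot: The new help string reads `generatem`, a typo that will be printed verbatim in the tool's --help output; the line should be `option "touch-policy" - "Set touch policy for action generatem, import-key or set-mgm-key" values="never","always" enum optional` with `generatem` corrected to `generate`. The pin-policy description on the preceding context line still names only generate and import-key, which is presumably intended since this commit wires only the touch policy into set-mgm-key.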
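Review bot: The touch value is computed inline inside the `else if` condition, which makes an already long line harder to read and buries the mapping from the gengetopt enum onto the library's 0/1 contract. Naming it before the `if` chain, `unsigned char touch = args_info.touch_policy_arg == touch_policy_arg_always ? 1 : 0;`, and then calling `} else if(ykpiv_set_mgmkey2(state, new_key, touch) != YKPIV_OK) {` keeps the condition readable and gives the mapping one obvious place to document. When --touch-policy is not given the comparison presumably yields 0, so existing invocations should behave as the old `ykpiv_set_mgmkey` call did; the enclosing `main` starts and ends outside the hunk.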