From c970c0a22cd45002255054d4ce6a7feb07e1f79f Mon Sep 17 00:00:00 2001 From: Klas Lindfors Date: Tue, 30 Sep 2014 09:11:53 +0200 Subject: [PATCH 1/2] drop \n in man file, gives warnings --- tool/yubico-piv-tool.h2m | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tool/yubico-piv-tool.h2m b/tool/yubico-piv-tool.h2m index 760143e..15101ce 100644 --- a/tool/yubico-piv-tool.h2m +++ b/tool/yubico-piv-tool.h2m @@ -41,13 +41,13 @@ key on stdout: Generate a certificate request with public key from stdin, will print the resulting request on stdout: - yubico-piv-tool -s 9a -S '/CN=foo/OU=test/O=example.com/' -P 123456 \\\n + yubico-piv-tool -s 9a -S '/CN=foo/OU=test/O=example.com/' -P 123456 \\ -a verify -a request Generate a self-signed certificate with public key from stdin, will print the certificate, for later import, on stdout: - yubico-piv-tool -s 9a -S '/CN=bar/OU=test/O=example.com/' -P 123456 \\\n + yubico-piv-tool -s 9a -S '/CN=bar/OU=test/O=example.com/' -P 123456 \\ -a verify -a selfsign Import a certificate from stdin: @@ -57,12 +57,12 @@ Import a certificate from stdin: Set a random chuid, import a key and import a certificate from a PKCS12 file with password test, into slot 9c: - yubico-piv-tool -s 9c -i test.pfx -K PKCS12 -p test -a set-chuid \\\n + yubico-piv-tool -s 9c -i test.pfx -K PKCS12 -p test -a set-chuid \\ -a import-key -a import-cert Change the management key used for administrative authentication: - yubico-piv-tool -n 0807605403020108070605040302010807060504030201 \\\n + yubico-piv-tool -n 0807605403020108070605040302010807060504030201 \\ -a set-mgm-key Delete a certificate in slot 9a: From 98cd75f08b820a066641ffaab9c8bc263672a88a Mon Sep 17 00:00:00 2001 From: Klas Lindfors Date: Wed, 1 Oct 2014 14:33:05 +0200 Subject: [PATCH 2/2] only authenticate with the applet if needed --- tool/yubico-piv-tool.c | 51 +++++++++++++++++++++++++++++++++--------- 1 file changed, 40 insertions(+), 11 deletions(-) 
diff --git a/tool/yubico-piv-tool.c b/tool/yubico-piv-tool.c
index 424fcbb..af24e6c 100644
--- a/tool/yubico-piv-tool.c
+++ b/tool/yubico-piv-tool.c
@@ -823,8 +823,6 @@ static bool delete_certificate(ykpiv_state *state, enum enum_slot slot) {
 int main(int argc, char *argv[]) {
 struct gengetopt_args_info args_info;
 ykpiv_state *state;
- unsigned char key[KEY_LEN];
- size_t key_len = sizeof(key);
 int verbosity;
 enum enum_action action;
 unsigned int i;
@@ -846,16 +844,47 @@ int main(int argc, char *argv[]) {
 return EXIT_FAILURE;
 }
- if(ykpiv_hex_decode(args_info.key_arg, strlen(args_info.key_arg), key, &key_len) != YKPIV_OK) {
- return EXIT_FAILURE;
- }
+ for(i = 0; i < args_info.action_given; i++) {
+ bool needs_auth = false;
+ action = *args_info.action_arg++;
+ switch(action) {
+ case action_arg_generate:
+ case action_arg_setMINUS_mgmMINUS_key:
+ case action_arg_pinMINUS_retries:
+ case action_arg_importMINUS_key:
+ case action_arg_importMINUS_certificate:
+ case action_arg_setMINUS_chuid:
+ case action_arg_deleteMINUS_certificate:
+ needs_auth = true;
+ break;
+ case action_arg_version:
+ case action_arg_reset:
+ case action_arg_requestMINUS_certificate:
+ case action_arg_verifyMINUS_pin:
+ case action_arg_changeMINUS_pin:
+ case action_arg_changeMINUS_puk:
+ case action_arg_unblockMINUS_pin:
+ case action_arg_selfsignMINUS_certificate:
+ case action__NULL:
+ default:
+ continue;
+ }
+ if(needs_auth) {
+ unsigned char key[KEY_LEN];
+ size_t key_len = sizeof(key);
+ if(ykpiv_hex_decode(args_info.key_arg, strlen(args_info.key_arg), key, &key_len) != YKPIV_OK) {
+ return EXIT_FAILURE;
+ }
- if(ykpiv_authenticate(state, key) != YKPIV_OK) {
- fprintf(stderr, "Failed authentication with the applet.\n");
- return EXIT_FAILURE;
- }
- if(verbosity) {
- fprintf(stderr, "Successful applet authentication.\n");
+ if(ykpiv_authenticate(state, key) != YKPIV_OK) {
+ fprintf(stderr, "Failed authentication with the applet.\n");
+ return EXIT_FAILURE;
+ }
+ if(verbosity) {
+ fprintf(stderr, "Successful applet authentication.\n");
+ }
+ break;
+ }
 }
 /* openssl setup.. */
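Review bot: `action = *args_info.action_arg++;` in the new pre-scan loop advances the parser's own `action_arg` pointer, so once the loop exits it no longer points at the first requested action. The rest of main lies outside this hunk, but if the later dispatch loop reads the actions through the same field it would start at the wrong element and could read past the end of the array, and any parser cleanup that frees `action_arg` would be handed a shifted pointer. Indexing without modifying the field avoids both: `action = args_info.action_arg[i];`. Separately, the decoded management key now sits in the block-scoped `key` buffer and stays on the stack after `ykpiv_authenticate` returns; wiping it on both the success and failure paths, with a clear the compiler cannot elide, would be a cheap hardening step.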