add touch tlv for generate and import-key

Klas Lindfors
2015-06-25 12:04:05 +02:00
parent be8f37924d
commit ca6a355b5d
5 changed files with 35 additions and 5 deletions
+4
@@ -152,6 +152,10 @@ extern "C"
#define YKPIV_PINPOLICY_ONCE 2 #define YKPIV_PINPOLICY_ONCE 2
#define YKPIV_PINPOLICY_ALWAYS 3 #define YKPIV_PINPOLICY_ALWAYS 3
#define YKPIV_TOUCHPOLICY_TAG 0xab
#define YKPIV_TOUCHPOLICY_NEVER 1
#define YKPIV_TOUCHPOLICY_ALWAYS 2
#define IS_ECKEY(a) ((a == YKPIV_ALGO_ECCP256 || a == YKPIV_ALGO_ECCP384)) #define IS_ECKEY(a) ((a == YKPIV_ALGO_ECCP256 || a == YKPIV_ALGO_ECCP384))
#define IS_RSAKEY(a) ((a == YKPIV_ALGO_RSA1024 || a == YKPIV_ALGO_RSA2048)) #define IS_RSAKEY(a) ((a == YKPIV_ALGO_RSA1024 || a == YKPIV_ALGO_RSA2048))
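Review bot: The three new `YKPIV_TOUCHPOLICY_*` defines carry no comment, so a reader of the header cannot tell that `YKPIV_TOUCHPOLICY_TAG` is a TLV tag while `NEVER`/`ALWAYS` are the one-byte values that follow it, nor that they parallel the `YKPIV_PINPOLICY_*` constants directly above. Suggest `/* YubiKey extension: TLV tag carrying the touch policy in generate/import-key */` above the tag line and `/* touch-policy TLV values (mirrors YKPIV_PINPOLICY_*) */` above the two value lines. The values themselves are taken as given by the commit; the note only asks for the documentation.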
+1
@@ -59,3 +59,4 @@ option "pin" P "Pin/puk code for verification" string optional
option "new-pin" N "New pin/puk code for changing" string optional dependon="pin" option "new-pin" N "New pin/puk code for changing" string optional dependon="pin"
option "sign" - "Sign data" flag off hidden option "sign" - "Sign data" flag off hidden
option "pin-policy" - "Set pin policy for action generate or import-key" values="never","once","always" enum optional option "pin-policy" - "Set pin policy for action generate or import-key" values="never","once","always" enum optional
option "touch-policy" - "Set touch policy for action generate or import-key" values="never","always" enum optional
+12
@@ -418,3 +418,15 @@ unsigned char get_pin_policy(enum enum_pin_policy policy) {
return 0; return 0;
} }
} }
unsigned char get_touch_policy(enum enum_touch_policy policy) {
switch(policy) {
case touch_policy_arg_never:
return YKPIV_TOUCHPOLICY_NEVER;
case touch_policy_arg_always:
return YKPIV_TOUCHPOLICY_ALWAYS;
case touch_policy__NULL:
default:
return 0;
}
}
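Review bot: `get_touch_policy` has no header comment, and its `case touch_policy__NULL:` / `default:` branch returns 0, which is not one of the `YKPIV_TOUCHPOLICY_*` values, so the meaning of a 0 return is left implicit. Suggest `/* Map the --touch-policy option to its YKPIV_TOUCHPOLICY_* byte; returns 0 when no policy was given (touch_policy__NULL) or the enum value is unknown. */` above the definition. The callers in the tool appear to guard on `touch_policy__NULL` before calling, so the 0 presumably never reaches the card, but that contract is worth stating here since the function is a non-static symbol also declared in the header next to `get_pin_policy`.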
+1
@@ -51,5 +51,6 @@ const EVP_MD *get_hash(enum enum_hash, const unsigned char**, size_t*);
int get_hashnid(enum enum_hash, unsigned char); int get_hashnid(enum enum_hash, unsigned char);
unsigned char get_piv_algorithm(enum enum_algorithm); unsigned char get_piv_algorithm(enum enum_algorithm);
unsigned char get_pin_policy(enum enum_pin_policy); unsigned char get_pin_policy(enum enum_pin_policy);
unsigned char get_touch_policy(enum enum_touch_policy);
#endif #endif
+17 -5
@@ -86,8 +86,9 @@ static void print_version(ykpiv_state *state, const char *output_file_name) {
static bool generate_key(ykpiv_state *state, const char *slot, static bool generate_key(ykpiv_state *state, const char *slot,
enum enum_algorithm algorithm, const char *output_file_name, enum enum_algorithm algorithm, const char *output_file_name,
enum enum_key_format key_format, enum enum_pin_policy pin_policy) { enum enum_key_format key_format, enum enum_pin_policy pin_policy,
unsigned char in_data[8]; enum enum_touch_policy touch_policy) {
unsigned char in_data[11];
unsigned char *in_ptr = in_data; unsigned char *in_ptr = in_data;
unsigned char data[1024]; unsigned char data[1024];
unsigned char templ[] = {0, YKPIV_INS_GENERATE_ASYMMERTRIC, 0, 0}; unsigned char templ[] = {0, YKPIV_INS_GENERATE_ASYMMERTRIC, 0, 0};
@@ -127,6 +128,12 @@ static bool generate_key(ykpiv_state *state, const char *slot,
*in_ptr++ = 1; *in_ptr++ = 1;
*in_ptr++ = get_pin_policy(pin_policy); *in_ptr++ = get_pin_policy(pin_policy);
} }
if(touch_policy != touch_policy__NULL) {
in_data[1] += 3;
*in_ptr++ = YKPIV_TOUCHPOLICY_TAG;
*in_ptr++ = 1;
*in_ptr++ = get_touch_policy(touch_policy);
}
if(ykpiv_transfer_data(state, templ, in_data, in_ptr - in_data, data, if(ykpiv_transfer_data(state, templ, in_data, in_ptr - in_data, data,
&recv_len, &sw) != YKPIV_OK) { &recv_len, &sw) != YKPIV_OK) {
fprintf(stderr, "Failed to communicate.\n"); fprintf(stderr, "Failed to communicate.\n");
@@ -287,7 +294,7 @@ static bool set_pin_retries(ykpiv_state *state, int pin_retries, int puk_retries
static bool import_key(ykpiv_state *state, enum enum_key_format key_format, static bool import_key(ykpiv_state *state, enum enum_key_format key_format,
const char *input_file_name, const char *slot, char *password, const char *input_file_name, const char *slot, char *password,
enum enum_pin_policy pin_policy) { enum enum_pin_policy pin_policy, enum enum_touch_policy touch_policy) {
int key = 0; int key = 0;
FILE *input_file = NULL; FILE *input_file = NULL;
EVP_PKEY *private_key = NULL; EVP_PKEY *private_key = NULL;
@@ -405,6 +412,11 @@ static bool import_key(ykpiv_state *state, enum enum_key_format key_format,
*in_ptr++ = 1; *in_ptr++ = 1;
*in_ptr++ = get_pin_policy(pin_policy); *in_ptr++ = get_pin_policy(pin_policy);
} }
if(touch_policy != touch_policy__NULL) {
*in_ptr++ = YKPIV_TOUCHPOLICY_TAG;
*in_ptr++ = 1;
*in_ptr++ = get_touch_policy(touch_policy);
}
if(ykpiv_transfer_data(state, templ, in_data, in_ptr - in_data, data, if(ykpiv_transfer_data(state, templ, in_data, in_ptr - in_data, data,
&recv_len, &sw) != YKPIV_OK) { &recv_len, &sw) != YKPIV_OK) {
@@ -1674,7 +1686,7 @@ int main(int argc, char *argv[]) {
break; break;
case action_arg_generate: case action_arg_generate:
if(generate_key(state, args_info.slot_orig, args_info.algorithm_arg, args_info.output_arg, args_info.key_format_arg, if(generate_key(state, args_info.slot_orig, args_info.algorithm_arg, args_info.output_arg, args_info.key_format_arg,
args_info.pin_policy_arg) == false) { args_info.pin_policy_arg, args_info.touch_policy_arg) == false) {
ret = EXIT_FAILURE; ret = EXIT_FAILURE;
} else { } else {
fprintf(stderr, "Successfully generated a new private key.\n"); fprintf(stderr, "Successfully generated a new private key.\n");
@@ -1716,7 +1728,7 @@ int main(int argc, char *argv[]) {
break; break;
case action_arg_importMINUS_key: case action_arg_importMINUS_key:
if(import_key(state, args_info.key_format_arg, args_info.input_arg, args_info.slot_orig, args_info.password_arg, if(import_key(state, args_info.key_format_arg, args_info.input_arg, args_info.slot_orig, args_info.password_arg,
args_info.pin_policy_arg) == false) { args_info.pin_policy_arg, args_info.touch_policy_arg) == false) {
ret = EXIT_FAILURE; ret = EXIT_FAILURE;
} else { } else {
fprintf(stderr, "Successfully imported a new private key.\n"); fprintf(stderr, "Successfully imported a new private key.\n");
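Review bot: In the import_key hunk the three new `*in_ptr++` writes for the touch-policy TLV extend `in_data` without any visible change to its declaration, which lies outside the hunk, whereas the matching addition in generate_key came with `in_data[8]` growing to `in_data[11]`. Worth confirming that import_key's `in_data` has at least three bytes of headroom after the pin-policy TLV, or guarding the writes with `if((size_t)(in_ptr - in_data) + 3 > sizeof(in_data)) { fprintf(stderr, "Key data too large.\n"); goto cleanup-or-return-false; }` (label name per the function's existing cleanup path, not visible here). generate_key also bumps the enclosing length byte with `in_data[1] += 3` while import_key does not, which is only correct if import_key's payload has no outer TLV wrapper; the hunk does not show the buffer layout, so please verify. Both enclosing functions start and end outside their hunks, and the identical tag/length/value append in the two places could become a small helper that checks remaining space once.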