add a new hidden flag --stdin-input for straight stdin input

This commit is contained in:
Klas Lindfors
2017-04-06 15:57:09 +02:00
parent d17aff4e0d
commit e6a7517050
4 changed files with 54 additions and 33 deletions
+1
View File
@@ -66,3 +66,4 @@ option "touch-policy" - "Set touch policy for action generate, import-key or set
option "id" - "Id of object for write/read object" int optional option "id" - "Id of object for write/read object" int optional
option "format" f "Format of data for write/read object" values="hex","base64","binary" enum optional default="hex" option "format" f "Format of data for write/read object" values="hex","base64","binary" enum optional default="hex"
option "sign" - "Sign data" flag off hidden option "sign" - "Sign data" flag off hidden
option "stdin-input" - "Read sensitive values from stdin" flag off hidden
+13 -1
View File
@@ -457,7 +457,7 @@ bool prepare_rsa_signature(const unsigned char *in, unsigned int in_len, unsigne
return true; return true;
} }
bool read_pw(const char *name, char *pwbuf, size_t pwbuflen, int verify) { bool read_pw(const char *name, char *pwbuf, size_t pwbuflen, int verify, int stdin_input) {
#define READ_PW_PROMPT_BASE "Enter %s: " #define READ_PW_PROMPT_BASE "Enter %s: "
char prompt[sizeof(READ_PW_PROMPT_BASE) + 32] = {0}; char prompt[sizeof(READ_PW_PROMPT_BASE) + 32] = {0};
int ret; int ret;
@@ -467,6 +467,18 @@ bool read_pw(const char *name, char *pwbuf, size_t pwbuflen, int verify) {
return false; return false;
} }
if(stdin_input) {
fprintf(stdout, "%s\n", name);
if(fgets(pwbuf, pwbuflen, stdin)) {
if(pwbuf[strlen(pwbuf) - 1] == '\n') {
pwbuf[strlen(pwbuf) - 1] = '\0';
}
return true;
} else {
return false;
}
}
ret = snprintf(prompt, sizeof(prompt), READ_PW_PROMPT_BASE, name); ret = snprintf(prompt, sizeof(prompt), READ_PW_PROMPT_BASE, name);
if (ret < 0 || ((unsigned int) ret) > (sizeof(prompt)-1)) { if (ret < 0 || ((unsigned int) ret) > (sizeof(prompt)-1)) {
fprintf(stderr, "Failed to read %s: snprintf failed.\n", name); fprintf(stderr, "Failed to read %s: snprintf failed.\n", name);
+1 -1
View File
@@ -52,7 +52,7 @@ int key_to_object_id(int key);
bool set_component(unsigned char *in_ptr, const BIGNUM *bn, int element_len); bool set_component(unsigned char *in_ptr, const BIGNUM *bn, int element_len);
bool prepare_rsa_signature(const unsigned char*, unsigned int, unsigned char*, bool prepare_rsa_signature(const unsigned char*, unsigned int, unsigned char*,
unsigned int*, int); unsigned int*, int);
bool read_pw(const char*, char*, size_t, int); bool read_pw(const char*, char*, size_t, int, int);
const EVP_MD *get_hash(enum enum_hash, const unsigned char**, size_t*); const EVP_MD *get_hash(enum enum_hash, const unsigned char**, size_t*);
int get_hashnid(enum enum_hash, unsigned char); int get_hashnid(enum enum_hash, unsigned char);
unsigned char get_piv_algorithm(enum enum_algorithm); unsigned char get_piv_algorithm(enum enum_algorithm);
+39 -31
View File
@@ -982,13 +982,6 @@ static bool verify_pin(ykpiv_state *state, const char *pin) {
int tries = -1; int tries = -1;
ykpiv_rc res; ykpiv_rc res;
int len; int len;
char pinbuf[9] = {0};
if(!pin) {
if (!read_pw("PIN", pinbuf, sizeof(pinbuf), false)) {
return false;
}
pin = pinbuf;
}
len = strlen(pin); len = strlen(pin);
if(len > 8) { if(len > 8) {
@@ -1014,10 +1007,7 @@ static bool verify_pin(ykpiv_state *state, const char *pin) {
* since they're very similar in what data they use. */ * since they're very similar in what data they use. */
static bool change_pin(ykpiv_state *state, enum enum_action action, const char *pin, static bool change_pin(ykpiv_state *state, enum enum_action action, const char *pin,
const char *new_pin) { const char *new_pin) {
char pinbuf[9] = {0};
char new_pinbuf[9] = {0};
const char *name = action == action_arg_changeMINUS_pin ? "pin" : "puk"; const char *name = action == action_arg_changeMINUS_pin ? "pin" : "puk";
const char *new_name = action == action_arg_changeMINUS_puk ? "new puk" : "new pin";
int (*op)(ykpiv_state *state, const char * puk, size_t puk_len, int (*op)(ykpiv_state *state, const char * puk, size_t puk_len,
const char * new_pin, size_t new_pin_len, int *tries) = ykpiv_change_pin; const char * new_pin, size_t new_pin_len, int *tries) = ykpiv_change_pin;
size_t pin_len; size_t pin_len;
@@ -1025,18 +1015,6 @@ static bool change_pin(ykpiv_state *state, enum enum_action action, const char *
int tries; int tries;
ykpiv_rc res; ykpiv_rc res;
if(!pin) {
if (!read_pw(name, pinbuf, sizeof(pinbuf), false)) {
return false;
}
pin = pinbuf;
}
if(!new_pin) {
if (!read_pw(new_name, new_pinbuf, sizeof(new_pinbuf), true)) {
return false;
}
new_pin = new_pinbuf;
}
pin_len = strlen(pin); pin_len = strlen(pin);
new_len = strlen(new_pin); new_len = strlen(new_pin);
@@ -1931,7 +1909,7 @@ int main(int argc, char *argv[]) {
if(verbosity) { if(verbosity) {
fprintf(stderr, "Asking for password since '%s' needs it.\n", cmdline_parser_action_values[action]); fprintf(stderr, "Asking for password since '%s' needs it.\n", cmdline_parser_action_values[action]);
} }
if(!read_pw("Password", pwbuf, sizeof(pwbuf), false)) { if(!read_pw("Password", pwbuf, sizeof(pwbuf), false, args_info.stdin_input_flag)) {
fprintf(stderr, "Failed to get password.\n"); fprintf(stderr, "Failed to get password.\n");
return false; return false;
} }
@@ -1947,13 +1925,13 @@ int main(int argc, char *argv[]) {
if(!authed) { if(!authed) {
unsigned char key[KEY_LEN]; unsigned char key[KEY_LEN];
size_t key_len = sizeof(key); size_t key_len = sizeof(key);
char keybuf[KEY_LEN*2+1]; char keybuf[KEY_LEN*2+2]; /* one extra byte for potential \n */
char *key_ptr = args_info.key_arg; char *key_ptr = args_info.key_arg;
if(verbosity) { if(verbosity) {
fprintf(stderr, "Authenticating since action '%s' needs that.\n", cmdline_parser_action_values[action]); fprintf(stderr, "Authenticating since action '%s' needs that.\n", cmdline_parser_action_values[action]);
} }
if(args_info.key_given && args_info.key_orig == NULL) { if(args_info.key_given && args_info.key_orig == NULL) {
if(!read_pw("management key", keybuf, sizeof(keybuf), false)) { if(!read_pw("management key", keybuf, sizeof(keybuf), false, args_info.stdin_input_flag)) {
fprintf(stderr, "Failed to read management key from stdin,\n"); fprintf(stderr, "Failed to read management key from stdin,\n");
return EXIT_FAILURE; return EXIT_FAILURE;
} }
@@ -2007,7 +1985,7 @@ int main(int argc, char *argv[]) {
for(i = 0; i < args_info.action_given; i++) { for(i = 0; i < args_info.action_given; i++) {
char new_keybuf[KEY_LEN*2+1] = {0}; char new_keybuf[KEY_LEN*2+2] = {0}; /* one extra byte for potential \n */
char *new_mgm_key = args_info.new_key_arg; char *new_mgm_key = args_info.new_key_arg;
action = *(args_info.action_arg + i); action = *(args_info.action_arg + i);
if(verbosity) { if(verbosity) {
@@ -2028,7 +2006,7 @@ int main(int argc, char *argv[]) {
break; break;
case action_arg_setMINUS_mgmMINUS_key: case action_arg_setMINUS_mgmMINUS_key:
if(!new_mgm_key) { if(!new_mgm_key) {
if(!read_pw("new management key", new_keybuf, sizeof(new_keybuf), true)) { if(!read_pw("new management key", new_keybuf, sizeof(new_keybuf), true, args_info.stdin_input_flag)) {
fprintf(stderr, "Failed to read management key from stdin,\n"); fprintf(stderr, "Failed to read management key from stdin,\n");
ret = EXIT_FAILURE; ret = EXIT_FAILURE;
break; break;
@@ -2106,17 +2084,46 @@ int main(int argc, char *argv[]) {
fprintf(stderr, "Successfully generated a certificate request.\n"); fprintf(stderr, "Successfully generated a certificate request.\n");
} }
break; break;
case action_arg_verifyMINUS_pin: case action_arg_verifyMINUS_pin: {
if(verify_pin(state, args_info.pin_arg)) { char pinbuf[8+2] = {0};
char *pin = args_info.pin_arg;
if(!pin) {
if (!read_pw("PIN", pinbuf, sizeof(pinbuf), false, args_info.stdin_input_flag)) {
return false;
}
pin = pinbuf;
}
if(verify_pin(state, pin)) {
fprintf(stderr, "Successfully verified PIN.\n"); fprintf(stderr, "Successfully verified PIN.\n");
} else { } else {
ret = EXIT_FAILURE; ret = EXIT_FAILURE;
} }
break; break;
}
case action_arg_changeMINUS_pin: case action_arg_changeMINUS_pin:
case action_arg_changeMINUS_puk: case action_arg_changeMINUS_puk:
case action_arg_unblockMINUS_pin: case action_arg_unblockMINUS_pin: {
if(change_pin(state, action, args_info.pin_arg, args_info.new_pin_arg)) { char pinbuf[8+2] = {0};
char new_pinbuf[8+2] = {0};
char *pin = args_info.pin_arg;
char *new_pin = args_info.new_pin_arg;
const char *name = action == action_arg_changeMINUS_pin ? "pin" : "puk";
const char *new_name = action == action_arg_changeMINUS_puk ? "new puk" : "new pin";
if(!pin) {
if (!read_pw(name, pinbuf, sizeof(pinbuf), false, args_info.stdin_input_flag)) {
return false;
}
pin = pinbuf;
}
if(!new_pin) {
if (!read_pw(new_name, new_pinbuf, sizeof(new_pinbuf), true, args_info.stdin_input_flag)) {
return false;
}
new_pin = new_pinbuf;
}
if(change_pin(state, action, pin, new_pin)) {
if(action == action_arg_unblockMINUS_pin) { if(action == action_arg_unblockMINUS_pin) {
fprintf(stderr, "Successfully unblocked the pin code.\n"); fprintf(stderr, "Successfully unblocked the pin code.\n");
} else { } else {
@@ -2127,6 +2134,7 @@ int main(int argc, char *argv[]) {
ret = EXIT_FAILURE; ret = EXIT_FAILURE;
} }
break; break;
}
case action_arg_selfsignMINUS_certificate: case action_arg_selfsignMINUS_certificate:
if(selfsign_certificate(state, args_info.key_format_arg, args_info.input_arg, if(selfsign_certificate(state, args_info.key_format_arg, args_info.input_arg,
args_info.slot_orig, args_info.subject_arg, args_info.hash_arg, args_info.slot_orig, args_info.subject_arg, args_info.hash_arg,