Merge branch 'attestation2'

This commit is contained in:
Klas Lindfors
2016-05-03 09:24:14 +02:00
6 changed files with 106 additions and 5 deletions
+3 -3
View File
@@ -33,11 +33,11 @@ option "action" a "Action to take" values="version","generate","set-mgm-key",
"request-certificate","verify-pin","change-pin","change-puk","unblock-pin",
"selfsign-certificate","delete-certificate","read-certificate","status",
"test-signature","test-decipher","list-readers","set-ccc","write-object",
"read-object" enum multiple
"read-object","attest" enum multiple
text "
Multiple actions may be given at once and will be executed in order
for example --action=verify-pin --action=request-certificate\n"
option "slot" s "What key slot to operate on" values="9a","9c","9d","9e","82","83","84","85","86","87","88","89","8a","8b","8c","8d","8e","8f","90","91","92","93","94","95" enum optional
option "slot" s "What key slot to operate on" values="9a","9c","9d","9e","82","83","84","85","86","87","88","89","8a","8b","8c","8d","8e","8f","90","91","92","93","94","95","f9" enum optional
text "
9a is for PIV Authentication
9c is for Digital Signature (PIN always checked)
@@ -62,7 +62,7 @@ option "valid-days" - "Time (in days) until the self-signed certificate expires"
option "pin" P "Pin/puk code for verification" string optional
option "new-pin" N "New pin/puk code for changing" string optional dependon="pin"
option "pin-policy" - "Set pin policy for action generate or import-key" values="never","once","always" enum optional
option "touch-policy" - "Set touch policy for action generate, import-key or set-mgm-key" values="never","always" enum optional
option "touch-policy" - "Set touch policy for action generate, import-key or set-mgm-key" values="never","always","cached" enum optional
option "id" - "Id of object for write/read object" int optional
option "format" f "Format of data for write/read object" values="hex","base64","binary" enum optional default="hex"
option "sign" - "Sign data" flag off hidden
+5
View File
@@ -330,6 +330,9 @@ int get_object_id(enum enum_slot slot) {
case slot_arg_95:
object = YKPIV_OBJ_RETIRED20;
break;
case slot_arg_f9:
object = YKPIV_OBJ_ATTESTATION;
break;
case slot__NULL:
default:
object = 0;
@@ -601,6 +604,8 @@ unsigned char get_touch_policy(enum enum_touch_policy policy) {
return YKPIV_TOUCHPOLICY_NEVER;
case touch_policy_arg_always:
return YKPIV_TOUCHPOLICY_ALWAYS;
case touch_policy_arg_cached:
return YKPIV_TOUCHPOLICY_CACHED;
case touch_policy__NULL:
default:
return 0;
+70
View File
@@ -1651,6 +1651,68 @@ static bool list_readers(ykpiv_state *state) {
return true;
}
static bool attest(ykpiv_state *state, const char *slot,
enum enum_key_format key_format, const char *output_file_name) {
unsigned char data[2048];
unsigned long len = sizeof(data);
bool ret = false;
X509 *x509 = NULL;
unsigned char templ[] = {0, YKPIV_INS_ATTEST, 0, 0};
int key;
int sw;
FILE *output_file = open_file(output_file_name, OUTPUT);
if(!output_file) {
return false;
}
sscanf(slot, "%2x", &key);
templ[2] = key;
if(key_format != key_format_arg_PEM && key_format != key_format_arg_DER) {
fprintf(stderr, "Only PEM and DER format are supported for attest..\n");
return false;
}
if(ykpiv_transfer_data(state, templ, NULL, 0, data, &len, &sw) != YKPIV_OK) {
fprintf(stderr, "Failed to communicate.\n");
goto attest_out;
} else if(sw != 0x9000) {
fprintf(stderr, "Failed to attest key.\n");
goto attest_out;
}
if(data[0] == 0x30) {
if(key_format == key_format_arg_PEM) {
const unsigned char *ptr = data;
int len2 = len;
x509 = X509_new();
if(!x509) {
fprintf(stderr, "Failed allocating x509 structure.\n");
goto attest_out;
}
x509 = d2i_X509(NULL, &ptr, len2);
if(!x509) {
fprintf(stderr, "Failed parsing x509 information.\n");
goto attest_out;
}
PEM_write_X509(output_file, x509);
ret = true;
} else {
fwrite(data, len, 1, output_file);
}
ret = true;
}
attest_out:
if(output_file != stdout) {
fclose(output_file);
}
if(x509) {
X509_free(x509);
}
return ret;
}
static bool write_object(ykpiv_state *state, int id,
const char *input_file_name, int verbosity, enum enum_format format) {
bool ret = false;
@@ -1753,6 +1815,7 @@ int main(int argc, char *argv[]) {
case action_arg_readMINUS_certificate:
case action_arg_testMINUS_signature:
case action_arg_testMINUS_decipher:
case action_arg_attest:
if(args_info.slot_arg == slot__NULL) {
fprintf(stderr, "The '%s' action needs a slot (-s) to operate on.\n",
cmdline_parser_action_values[action]);
@@ -1870,6 +1933,7 @@ int main(int argc, char *argv[]) {
case action_arg_testMINUS_signature:
case action_arg_testMINUS_decipher:
case action_arg_listMINUS_readers:
case action_arg_attest:
case action_arg_readMINUS_object:
case action__NULL:
default:
@@ -2060,6 +2124,12 @@ int main(int argc, char *argv[]) {
ret = EXIT_FAILURE;
}
break;
case action_arg_attest:
if(attest(state, args_info.slot_orig, args_info.key_format_arg,
args_info.output_arg) == false) {
ret = EXIT_FAILURE;
}
break;
case action__NULL:
default:
fprintf(stderr, "Wrong action. %d.\n", action);