Add ykpiv_attest() and use it in yubico-piv-tool

This commit is contained in:
Trevor Bentley
2017-09-20 16:29:37 +02:00
parent 248980fe27
commit f6b817f056
3 changed files with 43 additions and 30 deletions
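--- a/PATH-NOT-ON-PAGE/ykpiv-library-source.c
+++ b/PATH-NOT-ON-PAGE/ykpiv-library-source.c
@@ -1273,6 +1273,28 @@ ykpiv_rc ykpiv_import_private_key(ykpiv_state *state, const unsigned char key, u
 }
+ykpiv_rc ykpiv_attest(ykpiv_state *state, int object_id, unsigned char *data, size_t *data_len) {
+ykpiv_rc res;
+bool ret = false;
+unsigned char templ[] = {0, YKPIV_INS_ATTEST, object_id, 0};
+int sw;
+if (state == NULL || data == NULL || data_len == NULL) {
+return YKPIV_ARGUMENT_ERROR;
+}
+if ((res = ykpiv_transfer_data(state, templ, NULL, 0, data, data_len, &sw)) != YKPIV_OK) {
+return res;
+}
+else if(SW_SUCCESS != sw) {
+return YKPIV_GENERIC_ERROR;
+}
+if (data[0] != 0x30) {
+return YKPIV_GENERIC_ERROR;
+}
+return YKPIV_OK;
+}
 // TREV TODO: remove these, fix minidriver
 ykpiv_rc ykpiv_done2(ykpiv_state *state, bool disconnect) {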
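Review bot: `if (data[0] != 0x30)` is evaluated without first checking that the card returned any bytes; when ykpiv_transfer_data succeeds with `*data_len == 0` the function reads the first byte of the caller's buffer, which the yubico-piv-tool caller on this page never initialises, so the sanity check should be `if (*data_len == 0 || data[0] != 0x30) return YKPIV_GENERIC_ERROR;`. `bool ret = false;` on the function's second line is never read and should be dropped. `object_id` is an `int` that is narrowed into the `unsigned char` P2 byte of `templ`; a value outside 0..0xff is silently truncated into a different slot rather than rejected, so adding `if (object_id < 0 || object_id > 0xff) return YKPIV_ARGUMENT_ERROR;` to the argument check (before `templ` is built) would make the validation complete. The `0x30` comparison only confirms a DER SEQUENCE tag, not that a certificate was returned, which is worth stating in a comment so callers keep parsing the result themselves.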
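--- a/PATH-NOT-ON-PAGE/ykpiv-library-header.h
+++ b/PATH-NOT-ON-PAGE/ykpiv-library-header.h
@@ -126,6 +126,7 @@ extern "C"
 ykpiv_rc ykpiv_get_pin_retries(ykpiv_state *state, int* tries);
 // TREV TODO: document that 0 == successful no-op.
 ykpiv_rc ykpiv_set_pin_retries(ykpiv_state *state, int pin_tries, int puk_tries);
+ykpiv_rc ykpiv_attest(ykpiv_state *state, int object_id, unsigned char *data, size_t *data_len);
 #define YKPIV_ALGO_TAG 0x80
 #define YKPIV_ALGO_3DES 0x03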
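Review bot: The new `ykpiv_attest` prototype has no comment describing its contract, and `data_len` is an in/out parameter (capacity of `data` on entry, length of the returned attestation on success), which a caller cannot tell from the signature alone. A comment above the declaration such as `/* Request the attestation certificate for the key in slot object_id. data_len: capacity of data on entry, bytes written on YKPIV_OK. */` would close that gap, and the existing `TREV TODO: document` note two lines up shows this header already collects such notes. The parameter is `size_t *`, while the yubico-piv-tool caller on this page passes `&len` for an `unsigned long len`; those are distinct types on LLP64 targets, so the documentation should state `size_t` explicitly so callers declare the length accordingly. The buffer size the caller is expected to provide is not stated either; the tool now uses `YKPIV_OBJ_MAX_SIZE`, which looks like the intended minimum but should be confirmed and documented.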
@@ -1604,55 +1604,45 @@ static bool list_readers(ykpiv_state *state) {
static bool attest(ykpiv_state *state, const char *slot, static bool attest(ykpiv_state *state, const char *slot,
enum enum_key_format key_format, const char *output_file_name) { enum enum_key_format key_format, const char *output_file_name) {
unsigned char data[2048]; unsigned char data[YKPIV_OBJ_MAX_SIZE];
unsigned long len = sizeof(data); unsigned long len = sizeof(data);
bool ret = false; bool ret = false;
X509 *x509 = NULL; X509 *x509 = NULL;
unsigned char templ[] = {0, YKPIV_INS_ATTEST, 0, 0};
int key; int key;
int sw;
FILE *output_file = open_file(output_file_name, OUTPUT); FILE *output_file = open_file(output_file_name, OUTPUT);
if(!output_file) { if(!output_file) {
return false; return false;
} }
sscanf(slot, "%2x", &key);
templ[2] = key;
if(key_format != key_format_arg_PEM && key_format != key_format_arg_DER) { if(key_format != key_format_arg_PEM && key_format != key_format_arg_DER) {
fprintf(stderr, "Only PEM and DER format are supported for attest..\n"); fprintf(stderr, "Only PEM and DER format are supported for attest..\n");
return false; return false;
} }
if(ykpiv_transfer_data(state, templ, NULL, 0, data, &len, &sw) != YKPIV_OK) { sscanf(slot, "%2x", &key);
fprintf(stderr, "Failed to communicate.\n"); if (ykpiv_attest(state, key, data, &len) != YKPIV_OK) {
goto attest_out; fprintf(stderr, "Failed to attest data.\n");
} else if(sw != SW_SUCCESS) {
fprintf(stderr, "Failed to attest key.\n");
goto attest_out; goto attest_out;
} }
if(data[0] == 0x30) { if(key_format == key_format_arg_PEM) {
if(key_format == key_format_arg_PEM) { const unsigned char *ptr = data;
const unsigned char *ptr = data; int len2 = len;
int len2 = len; x509 = X509_new();
x509 = X509_new(); if(!x509) {
if(!x509) { fprintf(stderr, "Failed allocating x509 structure.\n");
fprintf(stderr, "Failed allocating x509 structure.\n"); goto attest_out;
goto attest_out;
}
x509 = d2i_X509(NULL, &ptr, len2);
if(!x509) {
fprintf(stderr, "Failed parsing x509 information.\n");
goto attest_out;
}
PEM_write_X509(output_file, x509);
ret = true;
} else {
fwrite(data, len, 1, output_file);
} }
ret = true; x509 = d2i_X509(NULL, &ptr, len2);
if(!x509) {
fprintf(stderr, "Failed parsing x509 information.\n");
goto attest_out;
}
PEM_write_X509(output_file, x509);
} else {
fwrite(data, len, 1, output_file);
} }
ret = true;
attest_out: attest_out:
if(output_file != stdout) { if(output_file != stdout) {