diff --git a/cmdline.ggo b/cmdline.ggo index 103bfe2..80ffe4a 100644 --- a/cmdline.ggo +++ b/cmdline.ggo @@ -27,7 +27,7 @@ option "verbose" v "Print more information" int optional default="0" argoptional option "reader" r "Only use a matching reader" string optional default="Yubikey" option "key" k "Authentication key to use" string optional default="010203040506070801020304050607080102030405060708" -option "action" a "Action to take" values="version","generate","set-mgm-key","reset","pin-retries","import-key","import-certificate","set-chuid","request-certificate","verify-pin" enum multiple +option "action" a "Action to take" values="version","generate","set-mgm-key","reset","pin-retries","import-key","import-certificate","set-chuid","request-certificate","verify-pin","change-pin","change-puk" enum multiple option "slot" s "What key slot to operate on" values="9a","9c","9d","9e" enum optional option "algorithm" A "What algorithm to use" values="RSA1024","RSA2048","ECCP256" enum optional default="RSA2048" option "new-key" n "New authentication key to use" string optional @@ -39,4 +39,5 @@ option "key-format" K "Format of the key being read/written" values="PEM","PKCS1 option "password" p "Password for decryption of private key file" string optional option "subject" S "The subject to use for certificate request" string optional details="The subject must be written as /CN=host.example.com/OU=test/O=example.com/\n" -option "pin" P "Pin code for verification" string optional +option "pin" P "Pin/puk code for verification" string optional +option "new-pin" N "New pin/puk code for changing" string optional dependon="pin" diff --git a/yubico-piv-tool.c b/yubico-piv-tool.c index c339044..3b31e23 100644 --- a/yubico-piv-tool.c +++ b/yubico-piv-tool.c @@ -1021,6 +1021,7 @@ static bool verify_pin(SCARDHANDLE *card, const char *pin, int verbose) { if(len > 8) { fprintf(stderr, "Maximum 8 digits of PIN supported.\n"); + return false; } memset(apdu.raw, 0, sizeof(apdu.raw)); @@ -1039,6 +1040,39 @@ static bool verify_pin(SCARDHANDLE *card, const char *pin, int verbose) { return true; } +static bool change_pin(SCARDHANDLE *card, enum enum_action action, const char *pin, + const char *new_pin, int verbose) { + APDU apdu; + unsigned char data[0xff]; + unsigned long recv_len = sizeof(data); + int sw; + size_t pin_len = strlen(pin); + size_t new_len = strlen(new_pin); + + if(pin_len > 8 || new_len > 8) { + fprintf(stderr, "Maximum 8 digits of PIN supported.\n"); + return false; + } + + memset(apdu.raw, 0, sizeof(apdu.raw)); + apdu.st.ins = 0x24; + apdu.st.p2 = action == action_arg_changeMINUS_pin ? 0x80 : 0x81; + apdu.st.lc = 0x10; + memcpy(apdu.st.data, pin, pin_len); + if(pin_len < 8) { + memset(apdu.st.data + pin_len, 0xff, 8 - pin_len); + } + memcpy(apdu.st.data + 8, new_pin, new_len); + if(new_len < 8) { + memset(apdu.st.data + 8 + new_len, 0xff, 16 - new_len); + } + sw = send_data(card, &apdu, data, &recv_len, verbose); + if(sw != 0x9000) { + return false; + } + return true; +} + static unsigned char get_algorithm(EVP_PKEY *key) { int type = EVP_PKEY_type(key->type); switch(type) { @@ -1418,6 +1452,13 @@ int main(int argc, char *argv[]) { return EXIT_FAILURE; } break; + case action_arg_changeMINUS_pin: + case action_arg_changeMINUS_puk: + if(args_info.pin_arg && args_info.new_pin_arg) { + change_pin(&card, action, args_info.pin_arg, args_info.new_pin_arg, verbosity); + } else { + fprintf(stderr, "The change-%s action needs a pin (-P) and a new-pin (-N).\n", action == action_arg_changeMINUS_pin ? "pin" : "puk"); + } case action__NULL: default: fprintf(stderr, "Wrong action. %d.\n", action);