

p11-kit commands: Add --login option
Previously those tools determined whether a login was necessary by
checking for the presence of the "pin-value" query attribute in the URI.
That was too implicit and against modern security practice.  This instead
asks users to specify the --login option; if no "pin-value" is given,
it tries to read a PIN from the terminal.

Signed-off-by: Daiki Ueno <[email protected]>
ueno committed Oct 6, 2023
1 parent ad9c437 commit b0a32fd
Showing 8 changed files with 261 additions and 27 deletions.
33 changes: 30 additions & 3 deletions p11-kit/add-profile.c
Expand Up @@ -43,7 +43,12 @@
#include "message.h"
#include "tool.h"

#ifdef OS_UNIX
#include "tty.h"
#endif

#include <assert.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

Expand All @@ -60,7 +65,8 @@ p11_kit_add_profile (int argc,

static int
add_profile (const char *token_str,
CK_PROFILE_ID profile)
CK_PROFILE_ID profile,
bool login)
{
int ret = 1;
CK_RV rv;
Expand Down Expand Up @@ -99,8 +105,12 @@ add_profile (const char *token_str,
}

behavior = P11_KIT_ITER_WANT_WRITABLE | P11_KIT_ITER_WITH_TOKENS | P11_KIT_ITER_WITHOUT_OBJECTS;
if (p11_kit_uri_get_pin_value (uri))
if (login) {
behavior |= P11_KIT_ITER_WITH_LOGIN;
#ifdef OS_UNIX
p11_kit_uri_set_pin_source (uri, "tty");
#endif
}
iter = p11_kit_iter_new (uri, behavior);
if (iter == NULL) {
p11_message (_("failed to initialize iterator"));
Expand Down Expand Up @@ -171,25 +181,29 @@ p11_kit_add_profile (int argc,
int opt, ret = 2;
CK_ULONG profile = CKA_INVALID;
p11_dict *profile_nicks = NULL;
bool login = false;

enum {
opt_verbose = 'v',
opt_quiet = 'q',
opt_help = 'h',
opt_profile = 'p',
opt_login = CHAR_MAX + 1,
};

struct option options[] = {
{ "verbose", no_argument, NULL, opt_verbose },
{ "quiet", no_argument, NULL, opt_quiet },
{ "help", no_argument, NULL, opt_help },
{ "profile", required_argument, NULL, opt_profile },
{ "login", no_argument, NULL, opt_login },
{ 0 },
};

p11_tool_desc usages[] = {
{ 0, "usage: p11-kit add-profile --profile profile pkcs11:token" },
{ opt_profile, "specify the profile to add" },
{ opt_login, "login to the token" },
{ 0 },
};

Expand Down Expand Up @@ -225,6 +239,9 @@ p11_kit_add_profile (int argc,
goto cleanup;
}
break;
case opt_login:
login = true;
break;
case '?':
goto cleanup;
default:
Expand All @@ -246,9 +263,19 @@ p11_kit_add_profile (int argc,
goto cleanup;
}

ret = add_profile (*argv, profile);
#ifdef OS_UNIX
/* Register a fallback PIN callback that reads from terminal.
* We don't care whether the registration succeeds as it is a fallback.
*/
(void)p11_kit_pin_register_callback ("tty", p11_pin_tty_callback, NULL, NULL);
#endif

ret = add_profile (*argv, profile, login);

cleanup:
#ifdef OS_UNIX
p11_kit_pin_unregister_callback ("tty", p11_pin_tty_callback, NULL);
#endif
p11_dict_free (profile_nicks);

return ret;
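Review bot: In the `if (login)` block of hunk `@@ -99,8 +105,12 @@` (L51–L56), `p11_kit_uri_set_pin_source (uri, "tty")` runs whenever `--login` is given, so a `pin-source` the user already placed in the token URI is silently replaced by the terminal prompt, and the call's result is discarded. Unless the iterator is known to consult `pin-value` before `pin-source` (the commit message says `pin-value` still wins — worth confirming against the iterator rather than assuming), the override should only fill in a missing source, e.g. `if (p11_kit_uri_get_pin_source (uri) == NULL)` before the `set_pin_source` call, and its return should be checked if it can report allocation failure. The same block is copied in delete-profile.c (L152–L157) and export-object.c (L259–L264), so any fix needs to land in all three. Related, the "tty" callback at L109/L116 is registered and unregistered even when `login` is false; it is harmless as a fallback but could be gated on `login` so a non-login run touches no process-global PIN state. `add_profile` starts and ends outside this hunk.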
33 changes: 30 additions & 3 deletions p11-kit/delete-profile.c
Expand Up @@ -43,7 +43,12 @@
#include "message.h"
#include "tool.h"

#ifdef OS_UNIX
#include "tty.h"
#endif

#include <assert.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

Expand All @@ -62,7 +67,8 @@ p11_kit_delete_profile (int argc,

static int
delete_profile (const char *token_str,
CK_PROFILE_ID profile)
CK_PROFILE_ID profile,
bool login)
{
int ret = 1;
CK_RV rv;
Expand Down Expand Up @@ -99,8 +105,12 @@ delete_profile (const char *token_str,
}

behavior = P11_KIT_ITER_WANT_WRITABLE | P11_KIT_ITER_WITH_TOKENS | P11_KIT_ITER_WITHOUT_OBJECTS;
if (p11_kit_uri_get_pin_value (uri))
if (login) {
behavior |= P11_KIT_ITER_WITH_LOGIN;
#ifdef OS_UNIX
p11_kit_uri_set_pin_source (uri, "tty");
#endif
}
iter = p11_kit_iter_new (uri, behavior);
if (iter == NULL) {
p11_message (_("failed to initialize iterator"));
Expand Down Expand Up @@ -171,25 +181,29 @@ p11_kit_delete_profile (int argc,
int opt, ret = 2;
CK_ULONG profile = CKA_INVALID;
p11_dict *profile_nicks = NULL;
bool login = false;

enum {
opt_verbose = 'v',
opt_quiet = 'q',
opt_help = 'h',
opt_profile = 'p',
opt_login = CHAR_MAX + 1,
};

struct option options[] = {
{ "verbose", no_argument, NULL, opt_verbose },
{ "quiet", no_argument, NULL, opt_quiet },
{ "help", no_argument, NULL, opt_help },
{ "profile", required_argument, NULL, opt_profile },
{ "login", no_argument, NULL, opt_login },
{ 0 },
};

p11_tool_desc usages[] = {
{ 0, "usage: p11-kit delete-profile --profile profile pkcs11:token" },
{ opt_profile, "specify the profile to delete" },
{ opt_login, "login to the token" },
{ 0 },
};

Expand Down Expand Up @@ -225,6 +239,9 @@ p11_kit_delete_profile (int argc,
goto cleanup;
}
break;
case opt_login:
login = true;
break;
case '?':
goto cleanup;
default:
Expand All @@ -246,9 +263,19 @@ p11_kit_delete_profile (int argc,
goto cleanup;
}

ret = delete_profile (*argv, profile);
#ifdef OS_UNIX
/* Register a fallback PIN callback that reads from terminal.
* We don't care whether the registration succeeds as it is a fallback.
*/
(void)p11_kit_pin_register_callback ("tty", p11_pin_tty_callback, NULL, NULL);
#endif

ret = delete_profile (*argv, profile, login);

cleanup:
#ifdef OS_UNIX
p11_kit_pin_unregister_callback ("tty", p11_pin_tty_callback, NULL);
#endif
p11_dict_free (profile_nicks);

return ret;
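Review bot: The `--login` handling here is a line-for-line copy of add-profile.c and export-object.c — the `opt_login` enum, option and usage entries at L172/L180/L187, the `if (login)` pin-source block at L152–L157, and the register/unregister pair at L206–L218 — so any later correction (for instance honouring a user-supplied `pin-source`) has to be made three times. A small shared helper in tool.c (this file already includes "tool.h") taking the `P11KitUri *` and the `login` flag would keep the tools in step. Separately, the help text `{ opt_login, "login to the token" }` could say where the PIN comes from, e.g. `{ opt_login, "login to the token (PIN from pin-value in the URI, otherwise prompted where a terminal is available)" }`, since the commit message states that precedence and the prompt exists only under `OS_UNIX`. `p11_kit_delete_profile` begins outside the hunk.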
41 changes: 37 additions & 4 deletions p11-kit/export-object.c
Expand Up @@ -46,6 +46,10 @@
#include "pem.h"
#include "tool.h"

#ifdef OS_UNIX
#include "tty.h"
#endif

#ifdef WITH_ASN1
#include "asn1.h"
#include "oid.h"
Expand Down Expand Up @@ -424,13 +428,15 @@ export_certificate (P11KitIter *iter,
}

static int
export_object (const char *token_str)
export_object (const char *token_str,
bool login)
{
int ret = 1;
CK_RV rv;
CK_FUNCTION_LIST **modules = NULL;
P11KitUri *uri = NULL;
P11KitIter *iter = NULL;
P11KitIterBehavior behavior;
CK_OBJECT_CLASS klass;
CK_ATTRIBUTE attr = { CKA_CLASS, &klass, sizeof (klass) };
p11_buffer buf;
Expand All @@ -455,7 +461,14 @@ export_object (const char *token_str)
goto cleanup;
}

iter = p11_kit_iter_new (uri, P11_KIT_ITER_WITH_LOGIN);
behavior = 0;
if (login) {
behavior |= P11_KIT_ITER_WITH_LOGIN;
#ifdef OS_UNIX
p11_kit_uri_set_pin_source (uri, "tty");
#endif
}
iter = p11_kit_iter_new (uri, behavior);
if (iter == NULL) {
p11_message (_("failed to initialize iterator"));
goto cleanup;
Expand Down Expand Up @@ -512,23 +525,27 @@ int
p11_kit_export_object (int argc,
char *argv[])
{
int opt;
int opt, ret;
bool login = false;

enum {
opt_verbose = 'v',
opt_quiet = 'q',
opt_help = 'h',
opt_login = CHAR_MAX + 1,
};

struct option options[] = {
{ "verbose", no_argument, NULL, opt_verbose },
{ "quiet", no_argument, NULL, opt_quiet },
{ "help", no_argument, NULL, opt_help },
{ "login", no_argument, NULL, opt_login },
{ 0 },
};

p11_tool_desc usages[] = {
{ 0, "usage: p11-kit export-object pkcs11:token" },
{ opt_login, "login to the token" },
{ 0 },
};

Expand All @@ -543,6 +560,9 @@ p11_kit_export_object (int argc,
case opt_help:
p11_tool_usage (usages, options);
return 0;
case opt_login:
login = true;
break;
case '?':
return 2;
default:
Expand All @@ -559,5 +579,18 @@ p11_kit_export_object (int argc,
return 2;
}

return export_object (*argv);
#ifdef OS_UNIX
/* Register a fallback PIN callback that reads from terminal.
* We don't care whether the registration succeeds as it is a fallback.
*/
(void)p11_kit_pin_register_callback ("tty", p11_pin_tty_callback, NULL, NULL);
#endif

ret = export_object (*argv, login);

#ifdef OS_UNIX
p11_kit_pin_unregister_callback ("tty", p11_pin_tty_callback, NULL);
#endif

return ret;
}
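Review bot: Hunk `@@ -455,7 +461,14 @@` drops the unconditional `P11_KIT_ITER_WITH_LOGIN` (removed L257), so an `export-object` run without `--login` now iterates unauthenticated; objects that are only visible after login will presumably be reported as not found rather than as needing `--login`, which the usage text at L293–L294 does not hint at — a short note in the usage or in the not-found path would save users a confusing failure (this is inferred from the flag change, not from visible iterator code). As a style point, `behavior = 0;` at L258 can move into the declaration at L249 as `P11KitIterBehavior behavior = 0;`. The register/unregister pair at L313–L324 runs even when `login` is false; gating both on `login` would keep a plain export from touching process-global PIN callbacks. `export_object` ends outside its hunk.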
