diff --git a/yubikey-ca-java/README.md b/yubikey-ca-java/README.md
index 8d23443..8276b2b 100644
--- a/yubikey-ca-java/README.md
+++ b/yubikey-ca-java/README.md
@@ -27,7 +27,7 @@ $ ykman piv certificates generate $SLOT$ public.pem -s 'O=Org,OU=OrgUnit,CN=Comm
 ```shell
 $ java -jar yubikey-ca-java.jar --issue-root-ca \
 --sign-slot 88 --subject 'CN=Hatter EC Root CA' \
- --pin ****** \
+ [--pin ******] \
 [--add-to-remote]
 ```
 
@@ -37,7 +37,7 @@ $ java -jar yubikey-ca-java.jar --issue-root-ca \
 $ java -jar yubikey-ca-java.jar --issue-intermediate-ca \
 --sign-slot 88 --subject 'CN=Hatter EC Intermediate CA' \
 --cert-slot 89 --root-ca-id 43 \
- --pin ****** \
+ [--pin ******] \
 [--add-to-remote]
 ```
 
@@ -48,7 +48,7 @@ $ java -jar yubikey-ca-java.jar --issue-server-ca \
 --sign-slot 89 --subject 'CN=hatter-test' \
 --intermediate-ca-id 44 --keypair-type secp256r1 \
 --dns-name a.example.com --dns-name b.example.com \
- --pin ****** \
+ [--pin ******] \
 [--cert-slot NN | --cert-file ] \
 [--add-to-remote]
 ```
@@ -59,7 +59,7 @@ $ java -jar yubikey-ca-java.jar --issue-server-ca \
 $ java -jar yubikey-ca-java.jar --issue-client-ca \
 --sign-slot 89 --subject 'CN=hatter-test' \
 --intermediate-ca-id 44 --keypair-type secp256r1 \
- --pin ****** \
+ [--pin ******] \
 [--add-to-remote]
 ```
 
@@ -69,7 +69,7 @@ $ java -jar yubikey-ca-java.jar --issue-client-ca \
 $ java -jar yubikey-ca-java.jar --issue-client-code-ca \
 --sign-slot 89 --subject 'CN=hatter-test-code' \
 --intermediate-ca-id 44 --keypair-type secp256r1 \
- --pin ****** \
+ [--pin ******] \
 [--add-to-remote]
 ```
 
diff --git a/yubikey-ca-java/build.json b/yubikey-ca-java/build.json
index 434c47e..95569a8 100644
--- a/yubikey-ca-java/build.json
+++ b/yubikey-ca-java/build.json
@@ -13,8 +13,9 @@
 "repo": {
 "dependencies": [
 "info.picocli:picocli:4.6.1",
- "me.hatter:commons:3.68",
- "me.hatter:crypto:1.13"
+ "me.hatter:commons:3.71",
+ "me.hatter:crypto:1.13",
+ "me.hatter:pinentry-cli-java:1.0"
 ],
 "testDependencies": [
 "junit:junit:4.12"
diff --git a/yubikey-ca-java/src/main/java/me/hatter/tools/yubikeyca/YubikeyCaMain.java b/yubikey-ca-java/src/main/java/me/hatter/tools/yubikeyca/YubikeyCaMain.java
index 8912ffe..5783e40 100644
--- a/yubikey-ca-java/src/main/java/me/hatter/tools/yubikeyca/YubikeyCaMain.java
+++ b/yubikey-ca-java/src/main/java/me/hatter/tools/yubikeyca/YubikeyCaMain.java
@@ -65,7 +65,8 @@ public class YubikeyCaMain {
 return;
 }
 
- final X509Certificate interCertificate = CertificateUtil.getCertificate(args.pin, args.intermediateCaId);
+ final X509Certificate interCertificate = CertificateUtil.getCertificate(
+ YubikeyCaPinUtil.getPin(args), args.intermediateCaId);
 
 final PivMeta signPivMeta = CardCliUtil.getPivPublicKey(args.signSlot);
 
@@ -92,7 +93,7 @@ public class YubikeyCaMain {
 .certPubKey(publicKey)
 .validYears(validYears(args, 2))
 .customerSigner(new CardCliPivCustomerSigner(
- args.pin, args.signSlot, signPivMeta.getAlgorithm(), cardCliCmd));
+ YubikeyCaPinUtil.getPin(args), args.signSlot, signPivMeta.getAlgorithm(), cardCliCmd));
 
 final X509Certificate cert;
 if (args.issueServerCa) {
@@ -110,7 +111,8 @@ public class YubikeyCaMain {
 log.info("Issued CA: \n" + certPem);
 
 if (args.addToRemote) {
- CertificateUtil.addCertificate(args.pin, args.intermediateCaId, args.memo, certPem, privateKeyPem);
+ CertificateUtil.addCertificate(
+ YubikeyCaPinUtil.getPin(args), args.intermediateCaId, args.memo, certPem, privateKeyPem);
 } else {
 log.info("Issued CA private Key: \n" + privateKeyPem);
 }
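Review bot: With `--pin` omitted, `YubikeyCaPinUtil.getPin(args)` is evaluated separately for `getCertificate` in this hunk, for the `CardCliPivCustomerSigner` in the hunk at -92, and for `addCertificate` in the hunk at -110, so the operator is driven through pinentry up to three times in a single run, and a prompt cancelled at the last call fails only after the certificate has already been issued and logged. Resolve the PIN once, directly after the validation `return;`, with `final String pin = YubikeyCaPinUtil.getPin(args);` and pass `pin` to the three calls; that also makes a cancelled or failed prompt fail before any card or remote operation is attempted. The hunks at -169/-181 and at -202 repeat the same pattern in two other issuing methods and should get the same single-resolution local. The enclosing method starts before this hunk and continues past it.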
@@ -169,7 +171,8 @@ public class YubikeyCaMain {
 return;
 }
 
- final X509Certificate rootCertificate = CertificateUtil.getCertificate(args.pin, args.rootCaId);
+ final X509Certificate rootCertificate = CertificateUtil.getCertificate(
+ YubikeyCaPinUtil.getPin(args), args.rootCaId);
 
 final PivMeta signPivMeta = CardCliUtil.getPivPublicKey(args.signSlot);
 final PivMeta certPivMeta = CardCliUtil.getPivPublicKey(args.certSlot);
@@ -181,13 +184,14 @@ public class YubikeyCaMain {
 .certPubKey(certPivMeta.getPublicKey())
 .validYears(validYears(args, 10))
 .customerSigner(new CardCliPivCustomerSigner(
- args.pin, args.signSlot, signPivMeta.getAlgorithm(), cardCliCmd))
+ YubikeyCaPinUtil.getPin(args), args.signSlot, signPivMeta.getAlgorithm(), cardCliCmd))
 .createIntermediateCert();
 final String intermediateCaPem = X509CertUtil.serializeX509CertificateToPEM(intermediateCa);
 log.info("Issued intermediate CA: " + intermediateCaPem);
 
 if (args.addToRemote) {
- CertificateUtil.addCertificate(args.pin, args.rootCaId, args.memo, intermediateCaPem, null);
+ CertificateUtil.addCertificate(
+ YubikeyCaPinUtil.getPin(args), args.rootCaId, args.memo, intermediateCaPem, null);
 }
 }
 
@@ -202,13 +206,13 @@ public class YubikeyCaMain {
 .certPubKey(signPivMeta.getPublicKey())
 .validYears(validYears(args, 40))
 .customerSigner(new CardCliPivCustomerSigner(
- args.pin, args.signSlot, signPivMeta.getAlgorithm(), cardCliCmd))
+ YubikeyCaPinUtil.getPin(args), args.signSlot, signPivMeta.getAlgorithm(), cardCliCmd))
 .createCA();
 final String rootCaPem = X509CertUtil.serializeX509CertificateToPEM(rootCa);
 log.info("Issued root CA: " + rootCaPem);
 
 if (args.addToRemote) {
- CertificateUtil.addCertificate(args.pin, null, args.memo, rootCaPem, null);
+ CertificateUtil.addCertificate(YubikeyCaPinUtil.getPin(args), null, args.memo, rootCaPem, null);
 }
 }
 
@@ -221,10 +225,6 @@ public class YubikeyCaMain {
 log.error("Certificate subject is required.");
 return true;
 }
- if (StringUtil.isEmpty(args.pin)) {
- log.error("PIV PIN is required.");
- return true;
- }
 return false;
 }
 
diff --git a/yubikey-ca-java/src/main/java/me/hatter/tools/yubikeyca/YubikeyCaPinUtil.java b/yubikey-ca-java/src/main/java/me/hatter/tools/yubikeyca/YubikeyCaPinUtil.java
new file mode 100644
index 0000000..33c461c
--- /dev/null
+++ b/yubikey-ca-java/src/main/java/me/hatter/tools/yubikeyca/YubikeyCaPinUtil.java
@@ -0,0 +1,19 @@
+package me.hatter.tools.yubikeyca;
+
+import me.hatter.tools.commons.string.StringUtil;
+import me.hatter.tools.pinentry.PinEntryException;
+import me.hatter.tools.pinentry.PinEntryTool;
+
+public class YubikeyCaPinUtil {
+
+ public static String getPin(YubikeyCaArgs args) {
+ if (StringUtil.isNotEmpty(args.pin)) {
+ return args.pin;
+ }
+ try {
+ return PinEntryTool.instance().getPin();
+ } catch (PinEntryException e) {
+ throw new RuntimeException("Get PIN failed: " + e.getMessage(), e);
+ }
+ }
+}
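Review bot: `YubikeyCaPinUtil` is a static-only utility class without a private constructor, and `getPin` carries no Javadoc even though it now sits on every signing and remote-store path. Add `private YubikeyCaPinUtil() {}` and a Javadoc on `getPin` stating that it returns `args.pin` when one was supplied and otherwise opens a pinentry prompt on every call, so callers should invoke it once per run, and that a failed or cancelled prompt surfaces as an unchecked exception. That Javadoc is also the place to say that the interactive path is the recommended one, since a PIN passed via `--pin` is typically visible to other local users through the process argument list; the README already marks `--pin` as optional. For the wrapped `PinEntryException`, a narrower type such as `IllegalStateException` would be preferable to bare `RuntimeException`, e.g. `throw new IllegalStateException("Get PIN failed: " + e.getMessage(), e);`.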