feat: support get PIN from pinentry

2024-06-30 16:32:47 +08:00
parent b080d96258
commit 260b79a153
4 changed files with 39 additions and 19 deletions


@@ -27,7 +27,7 @@ $ ykman piv certificates generate $SLOT$ public.pem -s 'O=Org,OU=OrgUnit,CN=Comm
```shell ```shell
$ java -jar yubikey-ca-java.jar --issue-root-ca \ $ java -jar yubikey-ca-java.jar --issue-root-ca \
--sign-slot 88 --subject 'CN=Hatter EC Root CA' \ --sign-slot 88 --subject 'CN=Hatter EC Root CA' \
--pin ****** \ [--pin ******] \
[--add-to-remote] [--add-to-remote]
``` ```
@@ -37,7 +37,7 @@ $ java -jar yubikey-ca-java.jar --issue-root-ca \
$ java -jar yubikey-ca-java.jar --issue-intermediate-ca \ $ java -jar yubikey-ca-java.jar --issue-intermediate-ca \
--sign-slot 88 --subject 'CN=Hatter EC Intermediate CA' \ --sign-slot 88 --subject 'CN=Hatter EC Intermediate CA' \
--cert-slot 89 --root-ca-id 43 \ --cert-slot 89 --root-ca-id 43 \
--pin ****** \ [--pin ******] \
[--add-to-remote] [--add-to-remote]
``` ```
@@ -48,7 +48,7 @@ $ java -jar yubikey-ca-java.jar --issue-server-ca \
--sign-slot 89 --subject 'CN=hatter-test' \ --sign-slot 89 --subject 'CN=hatter-test' \
--intermediate-ca-id 44 --keypair-type secp256r1 \ --intermediate-ca-id 44 --keypair-type secp256r1 \
--dns-name a.example.com --dns-name b.example.com \ --dns-name a.example.com --dns-name b.example.com \
--pin ****** \ [--pin ******] \
[--cert-slot NN | --cert-file <CERT-FILE-PEM>] \ [--cert-slot NN | --cert-file <CERT-FILE-PEM>] \
[--add-to-remote] [--add-to-remote]
``` ```
@@ -59,7 +59,7 @@ $ java -jar yubikey-ca-java.jar --issue-server-ca \
$ java -jar yubikey-ca-java.jar --issue-client-ca \ $ java -jar yubikey-ca-java.jar --issue-client-ca \
--sign-slot 89 --subject 'CN=hatter-test' \ --sign-slot 89 --subject 'CN=hatter-test' \
--intermediate-ca-id 44 --keypair-type secp256r1 \ --intermediate-ca-id 44 --keypair-type secp256r1 \
--pin ****** \ [--pin ******] \
[--add-to-remote] [--add-to-remote]
``` ```
@@ -69,7 +69,7 @@ $ java -jar yubikey-ca-java.jar --issue-client-ca \
$ java -jar yubikey-ca-java.jar --issue-client-code-ca \ $ java -jar yubikey-ca-java.jar --issue-client-code-ca \
--sign-slot 89 --subject 'CN=hatter-test-code' \ --sign-slot 89 --subject 'CN=hatter-test-code' \
--intermediate-ca-id 44 --keypair-type secp256r1 \ --intermediate-ca-id 44 --keypair-type secp256r1 \
--pin ****** \ [--pin ******] \
[--add-to-remote] [--add-to-remote]
``` ```


@@ -13,8 +13,9 @@
"repo": { "repo": {
"dependencies": [ "dependencies": [
"info.picocli:picocli:4.6.1", "info.picocli:picocli:4.6.1",
"me.hatter:commons:3.68", "me.hatter:commons:3.71",
"me.hatter:crypto:1.13" "me.hatter:crypto:1.13",
"me.hatter:pinentry-cli-java:1.0"
], ],
"testDependencies": [ "testDependencies": [
"junit:junit:4.12" "junit:junit:4.12"


@@ -65,7 +65,8 @@ public class YubikeyCaMain {
return; return;
} }
final X509Certificate interCertificate = CertificateUtil.getCertificate(args.pin, args.intermediateCaId); final X509Certificate interCertificate = CertificateUtil.getCertificate(
YubikeyCaPinUtil.getPin(args), args.intermediateCaId);
final PivMeta signPivMeta = CardCliUtil.getPivPublicKey(args.signSlot); final PivMeta signPivMeta = CardCliUtil.getPivPublicKey(args.signSlot);
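Review bot: The PIN is resolved separately for every use within a single command — here for `CertificateUtil.getCertificate`, again for the `CardCliPivCustomerSigner` in the `@@ -92` hunk, and again for `CertificateUtil.addCertificate` in the `@@ -110` hunk; the intermediate-CA hunks (`@@ -169`, `@@ -181`) and the root-CA hunk (`@@ -202`) follow the same pattern. When `--pin` is omitted, `YubikeyCaPinUtil.getPin` (the new file at the end of this page) goes to pinentry on each call, so the operator is prompted two or three times per issuance, and a differing or cancelled entry on a later prompt fails mid-way, after the certificate lookup has already been done. Resolve it once at the start of each command, `final String pin = YubikeyCaPinUtil.getPin(args);`, and pass `pin` to the call sites instead. The enclosing methods start and end outside these hunks.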
@@ -92,7 +93,7 @@ public class YubikeyCaMain {
.certPubKey(publicKey) .certPubKey(publicKey)
.validYears(validYears(args, 2)) .validYears(validYears(args, 2))
.customerSigner(new CardCliPivCustomerSigner( .customerSigner(new CardCliPivCustomerSigner(
args.pin, args.signSlot, signPivMeta.getAlgorithm(), cardCliCmd)); YubikeyCaPinUtil.getPin(args), args.signSlot, signPivMeta.getAlgorithm(), cardCliCmd));
final X509Certificate cert; final X509Certificate cert;
if (args.issueServerCa) { if (args.issueServerCa) {
@@ -110,7 +111,8 @@ public class YubikeyCaMain {
log.info("Issued CA: \n" + certPem); log.info("Issued CA: \n" + certPem);
if (args.addToRemote) { if (args.addToRemote) {
CertificateUtil.addCertificate(args.pin, args.intermediateCaId, args.memo, certPem, privateKeyPem); CertificateUtil.addCertificate(
YubikeyCaPinUtil.getPin(args), args.intermediateCaId, args.memo, certPem, privateKeyPem);
} else { } else {
log.info("Issued CA private Key: \n" + privateKeyPem); log.info("Issued CA private Key: \n" + privateKeyPem);
} }
@@ -169,7 +171,8 @@ public class YubikeyCaMain {
return; return;
} }
final X509Certificate rootCertificate = CertificateUtil.getCertificate(args.pin, args.rootCaId); final X509Certificate rootCertificate = CertificateUtil.getCertificate(
YubikeyCaPinUtil.getPin(args), args.rootCaId);
final PivMeta signPivMeta = CardCliUtil.getPivPublicKey(args.signSlot); final PivMeta signPivMeta = CardCliUtil.getPivPublicKey(args.signSlot);
final PivMeta certPivMeta = CardCliUtil.getPivPublicKey(args.certSlot); final PivMeta certPivMeta = CardCliUtil.getPivPublicKey(args.certSlot);
@@ -181,13 +184,14 @@ public class YubikeyCaMain {
.certPubKey(certPivMeta.getPublicKey()) .certPubKey(certPivMeta.getPublicKey())
.validYears(validYears(args, 10)) .validYears(validYears(args, 10))
.customerSigner(new CardCliPivCustomerSigner( .customerSigner(new CardCliPivCustomerSigner(
args.pin, args.signSlot, signPivMeta.getAlgorithm(), cardCliCmd)) YubikeyCaPinUtil.getPin(args), args.signSlot, signPivMeta.getAlgorithm(), cardCliCmd))
.createIntermediateCert(); .createIntermediateCert();
final String intermediateCaPem = X509CertUtil.serializeX509CertificateToPEM(intermediateCa); final String intermediateCaPem = X509CertUtil.serializeX509CertificateToPEM(intermediateCa);
log.info("Issued intermediate CA: " + intermediateCaPem); log.info("Issued intermediate CA: " + intermediateCaPem);
if (args.addToRemote) { if (args.addToRemote) {
CertificateUtil.addCertificate(args.pin, args.rootCaId, args.memo, intermediateCaPem, null); CertificateUtil.addCertificate(
YubikeyCaPinUtil.getPin(args), args.rootCaId, args.memo, intermediateCaPem, null);
} }
} }
@@ -202,13 +206,13 @@ public class YubikeyCaMain {
.certPubKey(signPivMeta.getPublicKey()) .certPubKey(signPivMeta.getPublicKey())
.validYears(validYears(args, 40)) .validYears(validYears(args, 40))
.customerSigner(new CardCliPivCustomerSigner( .customerSigner(new CardCliPivCustomerSigner(
args.pin, args.signSlot, signPivMeta.getAlgorithm(), cardCliCmd)) YubikeyCaPinUtil.getPin(args), args.signSlot, signPivMeta.getAlgorithm(), cardCliCmd))
.createCA(); .createCA();
final String rootCaPem = X509CertUtil.serializeX509CertificateToPEM(rootCa); final String rootCaPem = X509CertUtil.serializeX509CertificateToPEM(rootCa);
log.info("Issued root CA: " + rootCaPem); log.info("Issued root CA: " + rootCaPem);
if (args.addToRemote) { if (args.addToRemote) {
CertificateUtil.addCertificate(args.pin, null, args.memo, rootCaPem, null); CertificateUtil.addCertificate(YubikeyCaPinUtil.getPin(args), null, args.memo, rootCaPem, null);
} }
} }
@@ -221,10 +225,6 @@ public class YubikeyCaMain {
log.error("Certificate subject is required."); log.error("Certificate subject is required.");
return true; return true;
} }
if (StringUtil.isEmpty(args.pin)) {
log.error("PIV PIN is required.");
return true;
}
return false; return false;
} }


@@ -0,0 +1,19 @@
package me.hatter.tools.yubikeyca;
import me.hatter.tools.commons.string.StringUtil;
import me.hatter.tools.pinentry.PinEntryException;
import me.hatter.tools.pinentry.PinEntryTool;
public class YubikeyCaPinUtil {
public static String getPin(YubikeyCaArgs args) {
if (StringUtil.isNotEmpty(args.pin)) {
return args.pin;
}
try {
return PinEntryTool.instance().getPin();
} catch (PinEntryException e) {
throw new RuntimeException("Get PIN failed: " + e.getMessage(), e);
}
}
}
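Review bot: With the `--pin` emptiness check removed from `YubikeyCaMain` (`@@ -221` hunk above), an empty PIN can now reach the callers: when `args.pin` is empty this method returns whatever `PinEntryTool.instance().getPin()` yields, and nothing on this page shows that a cancelled or blank pinentry dialog surfaces as `PinEntryException` rather than as a null or empty string. Validate the pinentry result before returning it so the former "PIV PIN is required." failure is preserved on both input paths, as below. The class also has no Javadoc and no private constructor; a class summary such as `Resolves the PIV PIN: the --pin argument when given, otherwise an interactive pinentry prompt.` plus `private YubikeyCaPinUtil() {}` would complete it.
```java
public static String getPin(YubikeyCaArgs args) {
    // … unchanged: return args.pin when it is non-empty …
    try {
        final String pin = PinEntryTool.instance().getPin();
        if (StringUtil.isEmpty(pin)) {
            throw new IllegalStateException("PIV PIN is required.");
        }
        return pin;
    } catch (PinEntryException e) {
        throw new RuntimeException("Get PIN failed: " + e.getMessage(), e);
    }
}
```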