feat: support get PIN from pinentry

2024-06-30 16:32:47 +08:00
parent b080d96258
commit 260b79a153
4 changed files with 39 additions and 19 deletions


@@ -27,7 +27,7 @@ $ ykman piv certificates generate $SLOT$ public.pem -s 'O=Org,OU=OrgUnit,CN=Comm
```shell
$ java -jar yubikey-ca-java.jar --issue-root-ca \
--sign-slot 88 --subject 'CN=Hatter EC Root CA' \
--pin ****** \
[--pin ******] \
[--add-to-remote]
```
@@ -37,7 +37,7 @@ $ java -jar yubikey-ca-java.jar --issue-root-ca \
$ java -jar yubikey-ca-java.jar --issue-intermediate-ca \
--sign-slot 88 --subject 'CN=Hatter EC Intermediate CA' \
--cert-slot 89 --root-ca-id 43 \
--pin ****** \
[--pin ******] \
[--add-to-remote]
```
@@ -48,7 +48,7 @@ $ java -jar yubikey-ca-java.jar --issue-server-ca \
--sign-slot 89 --subject 'CN=hatter-test' \
--intermediate-ca-id 44 --keypair-type secp256r1 \
--dns-name a.example.com --dns-name b.example.com \
--pin ****** \
[--pin ******] \
[--cert-slot NN | --cert-file <CERT-FILE-PEM>] \
[--add-to-remote]
```
@@ -59,7 +59,7 @@ $ java -jar yubikey-ca-java.jar --issue-server-ca \
$ java -jar yubikey-ca-java.jar --issue-client-ca \
--sign-slot 89 --subject 'CN=hatter-test' \
--intermediate-ca-id 44 --keypair-type secp256r1 \
--pin ****** \
[--pin ******] \
[--add-to-remote]
```
@@ -69,7 +69,7 @@ $ java -jar yubikey-ca-java.jar --issue-client-ca \
$ java -jar yubikey-ca-java.jar --issue-client-code-ca \
--sign-slot 89 --subject 'CN=hatter-test-code' \
--intermediate-ca-id 44 --keypair-type secp256r1 \
--pin ****** \
[--pin ******] \
[--add-to-remote]
```


@@ -13,8 +13,9 @@
"repo": {
"dependencies": [
"info.picocli:picocli:4.6.1",
"me.hatter:commons:3.68",
"me.hatter:crypto:1.13"
"me.hatter:commons:3.71",
"me.hatter:crypto:1.13",
"me.hatter:pinentry-cli-java:1.0"
],
"testDependencies": [
"junit:junit:4.12"


@@ -65,7 +65,8 @@ public class YubikeyCaMain {
return;
}
final X509Certificate interCertificate = CertificateUtil.getCertificate(args.pin, args.intermediateCaId);
final X509Certificate interCertificate = CertificateUtil.getCertificate(
YubikeyCaPinUtil.getPin(args), args.intermediateCaId);
final PivMeta signPivMeta = CardCliUtil.getPivPublicKey(args.signSlot);
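Review bot: YubikeyCaPinUtil.getPin(args) is resolved separately at every call site rather than once per command — here for getCertificate, and again in the @@ -92 and @@ -110 hunks for the CardCliPivCustomerSigner and addCertificate — so when args.pin is empty the new utility consults PinEntryTool.instance().getPin() up to three times per issuance (the utility code visible in this commit does not cache; whether the tool itself prompts each time is not visible here), and a mistyped PIN on one of those prompts could leave the run in a mixed state where the certificate was fetched with one PIN and the signature attempted with another. Resolve it once at the top of the method, `final String pin = YubikeyCaPinUtil.getPin(args);`, and pass `pin` to each call. The same pattern appears in the intermediate-CA hunks at @@ -169 and @@ -181 and in the root-CA hunk at @@ -202. The enclosing method starts outside this hunk.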
@@ -92,7 +93,7 @@ public class YubikeyCaMain {
.certPubKey(publicKey)
.validYears(validYears(args, 2))
.customerSigner(new CardCliPivCustomerSigner(
args.pin, args.signSlot, signPivMeta.getAlgorithm(), cardCliCmd));
YubikeyCaPinUtil.getPin(args), args.signSlot, signPivMeta.getAlgorithm(), cardCliCmd));
final X509Certificate cert;
if (args.issueServerCa) {
@@ -110,7 +111,8 @@ public class YubikeyCaMain {
log.info("Issued CA: \n" + certPem);
if (args.addToRemote) {
CertificateUtil.addCertificate(args.pin, args.intermediateCaId, args.memo, certPem, privateKeyPem);
CertificateUtil.addCertificate(
YubikeyCaPinUtil.getPin(args), args.intermediateCaId, args.memo, certPem, privateKeyPem);
} else {
log.info("Issued CA private Key: \n" + privateKeyPem);
}
@@ -169,7 +171,8 @@ public class YubikeyCaMain {
return;
}
final X509Certificate rootCertificate = CertificateUtil.getCertificate(args.pin, args.rootCaId);
final X509Certificate rootCertificate = CertificateUtil.getCertificate(
YubikeyCaPinUtil.getPin(args), args.rootCaId);
final PivMeta signPivMeta = CardCliUtil.getPivPublicKey(args.signSlot);
final PivMeta certPivMeta = CardCliUtil.getPivPublicKey(args.certSlot);
@@ -181,13 +184,14 @@ public class YubikeyCaMain {
.certPubKey(certPivMeta.getPublicKey())
.validYears(validYears(args, 10))
.customerSigner(new CardCliPivCustomerSigner(
args.pin, args.signSlot, signPivMeta.getAlgorithm(), cardCliCmd))
YubikeyCaPinUtil.getPin(args), args.signSlot, signPivMeta.getAlgorithm(), cardCliCmd))
.createIntermediateCert();
final String intermediateCaPem = X509CertUtil.serializeX509CertificateToPEM(intermediateCa);
log.info("Issued intermediate CA: " + intermediateCaPem);
if (args.addToRemote) {
CertificateUtil.addCertificate(args.pin, args.rootCaId, args.memo, intermediateCaPem, null);
CertificateUtil.addCertificate(
YubikeyCaPinUtil.getPin(args), args.rootCaId, args.memo, intermediateCaPem, null);
}
}
@@ -202,13 +206,13 @@ public class YubikeyCaMain {
.certPubKey(signPivMeta.getPublicKey())
.validYears(validYears(args, 40))
.customerSigner(new CardCliPivCustomerSigner(
args.pin, args.signSlot, signPivMeta.getAlgorithm(), cardCliCmd))
YubikeyCaPinUtil.getPin(args), args.signSlot, signPivMeta.getAlgorithm(), cardCliCmd))
.createCA();
final String rootCaPem = X509CertUtil.serializeX509CertificateToPEM(rootCa);
log.info("Issued root CA: " + rootCaPem);
if (args.addToRemote) {
CertificateUtil.addCertificate(args.pin, null, args.memo, rootCaPem, null);
CertificateUtil.addCertificate(YubikeyCaPinUtil.getPin(args), null, args.memo, rootCaPem, null);
}
}
@@ -221,10 +225,6 @@ public class YubikeyCaMain {
log.error("Certificate subject is required.");
return true;
}
if (StringUtil.isEmpty(args.pin)) {
log.error("PIV PIN is required.");
return true;
}
return false;
}


@@ -0,0 +1,19 @@
package me.hatter.tools.yubikeyca;
import me.hatter.tools.commons.string.StringUtil;
import me.hatter.tools.pinentry.PinEntryException;
import me.hatter.tools.pinentry.PinEntryTool;
public class YubikeyCaPinUtil {
public static String getPin(YubikeyCaArgs args) {
if (StringUtil.isNotEmpty(args.pin)) {
return args.pin;
}
try {
return PinEntryTool.instance().getPin();
} catch (PinEntryException e) {
throw new RuntimeException("Get PIN failed: " + e.getMessage(), e);
}
}
}
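Review bot: getPin returns whatever PinEntryTool.instance().getPin() yields without checking it, and this commit also removes the `PIV PIN is required.` guard from YubikeyCaMain, so an empty value from the pinentry dialog (if the tool can return one on a blank or cancelled entry — not visible here) now reaches the PIV operations instead of failing early. Keep the old check at the single exit point: `final String pin = PinEntryTool.instance().getPin(); if (StringUtil.isEmpty(pin)) { throw new IllegalStateException("PIV PIN is required."); } return pin;`. The class has no Javadoc; add one stating that a non-empty `args.pin` takes precedence, that pinentry is consulted only when it is empty, and that it is consulted on every call. A class with only static members should also declare a private constructor.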