Bash script for setting or clearing touch requirements for cryptographic operations in the OpenPGP application on a YubiKey 4.
#!/bin/bash
# Bash script for setting or clearing touch requirements for
# cryptographic operations in the OpenPGP application on a YubiKey 4.
#
# Author: Alessio Di Mauro <alessio@yubico.com>

GCA=$(which gpg-connect-agent)
DO=0      # OpenPGP data object tag: D6 = UIF-CDS (sig), D7 = UIF-DEC (dec), D8 = UIF-AUT (aut)
UIF=0     # UIF value: 00 = off, 01 = on, 02 = permanently on ("fix")
PE=$(which pinentry)
PE_PROMPT="SETPROMPT Admin PIN\nGETPIN\nBYE"

if [ -z "$GCA" ]
then
  echo "Can not find gpg-connect-agent. Aborting..."
  exit 1
fi

if [ $# -lt 2 ] || [ $# -gt 3 ]
then
  echo "Wrong parameters"
  echo "usage: yubitouch {sig|aut|dec} {off|on|fix} [admin_pin]"
  exit 1
fi

# Select the UIF data object for the requested key slot.
if [ "$1" == "sig" ]
then
  DO="D6"
elif [ "$1" == "dec" ]
then
  DO="D7"
elif [ "$1" == "aut" ]
then
  DO="D8"
else
  echo "Invalid value $1 (must be sig, aut, dec). Aborting..."
  exit 1
fi

# Select the UIF value to write. "fix" (02) cannot be changed again
# without resetting the applet.
if [ "$2" == "off" ]
then
  UIF="00"
elif [ "$2" == "on" ]
then
  UIF="01"
elif [ "$2" == "fix" ]
then
  UIF="02"
else
  echo "Invalid value $2 (must be off, on, fix). Aborting..."
  exit 1
fi

# Obtain the admin PIN: from the command line, from pinentry, or from stdin.
if [ $# -eq 3 ]
then
  PIN="$3"
elif [ -z "$PE" ]
then
  echo -e "Pinentry not present\nFalling back to regular stdin.\nBe careful!"
  echo "Enter your admin PIN: "
  read -r -s PIN
  echo
else
  # pinentry returns the PIN on a line starting with "D ".
  PIN="$(echo -e "$PE_PROMPT" | $PE | sed -n '/^D .*/s/^D //p')"
fi

if [ -z "$PIN" ]
then
  echo "Empty PIN. Aborting..."
  exit 1
fi

# Lc byte of the VERIFY APDU: PIN length as two hex digits.
PIN_LEN=${#PIN}
PIN_LEN=$(printf %02x $PIN_LEN)
# PIN bytes as space-separated hex. Note: xxd -ps wraps its output at
# 30 bytes per line, so PINs longer than that break the APDU string;
# see the od-based fix in the comment thread below.
PIN=$(echo -n "$PIN" | xxd -ps | sed 's/[[:xdigit:]]\{2\}/& /g')

# Reset the card connection held by scdaemon.
$GCA --hex "scd reset" /bye > /dev/null

# VERIFY (INS 20) with P2 = 83 checks PW3, the admin PIN. "90 00" is success.
VERIFY=$($GCA --hex "scd apdu 00 20 00 83 $PIN_LEN $PIN" /bye)
if ! echo $VERIFY | grep -q "90 00"
then
  echo "Verification failed, wrong pin?"
  exit 1
fi

# PUT DATA (INS DA) to the UIF DO: two bytes, the UIF value and 20
# (the "button" general feature flag).
PUT=$($GCA --hex "scd apdu 00 da 00 $DO 02 $UIF 20" /bye)
if ! echo $PUT | grep -q "90 00"
then
  echo "Unable to change mode. Set to fix?"
  exit 1
fi

echo "All done!"
exit 0
@a-dma (Owner Author) commented Jan 19, 2016
Thanks to Steven Allen for some improvements.

@tuxlife commented Mar 14, 2016

This script had problems with long passwords

$ echo -n "Lorem ipsum dolor sit amet, consetetur s" | xxd -ps | sed 's/[[:xdigit:]]\{2\}/& /g'
4c 6f 72 65 6d 20 69 70 73 75 6d 20 64 6f 6c 6f 72 20 73 69 74 20 61 6d 65 74 2c 20 63 6f 
6e 73 65 74 65 74 75 72 20 73 

od works better

$ echo -n "Lorem ipsum dolor sit amet, consetetur s" | od -A n -t x1 --width=40        
 4c 6f 72 65 6d 20 69 70 73 75 6d 20 64 6f 6c 6f 72 20 73 69 74 20 61 6d 65 74 2c 20 63 6f 6e 73 65 74 65 74 75 72 20 73
@@ -72,9 +72,10 @@
 fi

 PIN_LEN=${#PIN}
+
+PIN=$(echo -n "$PIN" | od -A n -t x1 --width=$PIN_LEN)
 PIN_LEN=$(printf %02x $PIN_LEN)

-PIN=$(echo -n "$PIN" | xxd -ps | sed 's/[[:xdigit:]]\{2\}/& /g')

 $GCA --hex "scd reset" /bye > /dev/null
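Review bot: the replacement `PIN=$(echo -n "$PIN" | od -A n -t x1 --width=$PIN_LEN)` does avoid the 30-byte wrap of `xxd -ps`, but `--width` is a GNU coreutils long option that BSD/macOS `od` does not provide, and the output keeps od's leading space, which lands in the APDU string as a double space. A portable form is `od -An -tx1 -v | tr -s ' \n' ' '` with the ends trimmed, or `xxd -p -c "$PIN_LEN"`. Also, dropping the `-PIN=...` line leaves two consecutive blank lines before `$GCA --hex "scd reset"`.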
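The APDU construction the script performs, together with the long-PIN encoding problem raised above, as an added bash example that is not part of the gist or of the yubitouch repository: it hex-encodes the PIN on a single line whatever its length, derives Lc from the byte count, and builds the VERIFY and PUT DATA APDUs the script sends. The function names are my own.

```bash
#!/bin/bash
# Added example, not from the gist: APDU construction for the yubitouch
# script with a PIN encoding that does not wrap at 30 bytes like `xxd -ps`.

# pin_to_hex PIN -> PIN bytes as lowercase "xx xx ..." on one line.
# od prints 16 bytes per line with a leading space; tr joins the lines and
# sed trims both ends. No GNU-only --width option is needed.
pin_to_hex() {
    printf '%s' "$1" | od -A n -t x1 -v | tr -s ' \n' ' ' | sed 's/^ //; s/ $//'
}

# verify_apdu PIN -> "00 20 00 83 Lc <bytes>": VERIFY (INS 20) against PW3,
# the admin PIN (P2 = 83). Lc is the byte count, taken from the hex tokens
# so that multi-byte UTF-8 characters are counted correctly.
verify_apdu() {
    local hex n
    hex=$(pin_to_hex "$1")
    n=$(( $(printf '%s\n' "$hex" | wc -w) ))
    printf '00 20 00 83 %02x %s' "$n" "$hex"
}

# uif_apdu {sig|dec|aut} {off|on|fix} -> PUT DATA (INS DA) to the matching
# UIF data object: D6 = UIF-CDS, D7 = UIF-DEC, D8 = UIF-AUT. The 2-byte value
# is the UIF setting (00 off, 01 on, 02 permanently on) followed by 20, the
# "button" feature flag, exactly as the script sends it.
uif_apdu() {
    local tag val
    case $1 in sig) tag=D6 ;; dec) tag=D7 ;; aut) tag=D8 ;; *) return 1 ;; esac
    case $2 in off) val=00 ;; on) val=01 ;; fix) val=02 ;; *) return 1 ;; esac
    printf '00 DA 00 %s 02 %s 20' "$tag" "$val"
}

# Demo with the 40-byte PIN from the comment thread (constructed input).
demo() {
    local pin='Lorem ipsum dolor sit amet, consetetur s'
    echo "VERIFY  : $(verify_apdu "$pin")"
    echo "PUT DATA: $(uif_apdu sig on)"
}
demo
```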
@a-dma (Owner Author) commented Oct 11, 2016

Thanks, I've incorporated the changes above and moved this gist to its own repo at https://github.com/a-dma/yubitouch.

Please direct future discussions there.

@Zenexer commented Feb 1, 2017

This gist is still linked from https://developers.yubico.com/PGP/Card_edit.html
