Last active
March 10, 2022 14:43
-
-
Save a-dma/797e4fa2ac4b5c9024cc to your computer and use it in GitHub Desktop.
Bash script for setting or clearing touch requirements for cryptographic operations in the OpenPGP application on a YubiKey 4.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Bash script for setting or clearing touch requirements for | |
| # cryptographic operations the OpenPGP application on a YubiKey 4. | |
| # | |
| # Author: Alessio Di Mauro <alessio@yubico.com> | |
| GCA=$(which gpg-connect-agent) | |
| DO=0 | |
| UIF=0 | |
| PE=$(which pinentry) | |
| PE_PROMPT="SETPROMPT Admin PIN\nGETPIN\nBYE" | |
| if [ -z "$GCA" ] | |
| then | |
| echo "Can not find gpg-connect-agent. Aborting..."; | |
| exit 1; | |
| fi | |
| if [ $# -lt 2 ] || [ $# -gt 3 ] | |
| then | |
| echo "Wrong parameters" | |
| echo "usage: yubitouch {sig|aut|dec} {off|on|fix} [admin_pin]"; | |
| exit 1; | |
| fi | |
| if [ "$1" == "sig" ] | |
| then | |
| DO="D6" | |
| elif [ "$1" == "dec" ] | |
| then | |
| DO="D7" | |
| elif [ "$1" == "aut" ] | |
| then | |
| DO="D8" | |
| else | |
| echo "Invalid value $1 (must be sig, aut, dec). Aborting..." | |
| exit 1 | |
| fi | |
| if [ "$2" == "off" ] | |
| then | |
| UIF="00"; | |
| elif [ "$2" == "on" ] | |
| then | |
| UIF="01" | |
| elif [ "$2" == "fix" ] | |
| then | |
| UIF="02"; | |
| else | |
| echo "Invalid value $2 (must be off, on, fix). Aborting..." | |
| exit 1 | |
| fi | |
| if [ $# -eq 3 ] | |
| then | |
| PIN="$3" | |
| elif [ -z "$PE" ] | |
| then | |
| echo -e "Pinentry not present\nFalling back to regular stdin.\nBe careful!" | |
| echo "Enter your admin PIN: " | |
| read PIN | |
| else | |
| PIN="$(echo -e $PE_PROMPT | $PE | sed -n '/^D .*/s/^D //p')" | |
| fi | |
| if [ -z "$PIN" ] | |
| then | |
| echo "Empty PIN. Aborting..." | |
| exit 1 | |
| fi | |
| PIN_LEN=${#PIN} | |
| PIN_LEN=$(printf %02x $PIN_LEN) | |
| PIN=$(echo -n "$PIN" | xxd -ps | sed 's/[[:xdigit:]]\{2\}/& /g') | |
| $GCA --hex "scd reset" /bye > /dev/null | |
| VERIFY=$($GCA --hex "scd apdu 00 20 00 83 $PIN_LEN $PIN" /bye) | |
| if ! echo $VERIFY | grep -q "90 00" | |
| then | |
| echo "Verification failed, wrong pin?" | |
| exit 1 | |
| fi | |
| PUT=$($GCA --hex "scd apdu 00 da 00 $DO 02 $UIF 20" /bye) | |
| if ! echo $PUT | grep -q "90 00" | |
| then | |
| echo "Unable to change mode. Set to fix?" | |
| exit 1 | |
| fi | |
| echo "All done!" | |
| exit 0 |
This script had problems with long passwords
$ echo -n "Lorem ipsum dolor sit amet, consetetur s" | xxd -ps | sed 's/[[:xdigit:]]\{2\}/& /g'
4c 6f 72 65 6d 20 69 70 73 75 6d 20 64 6f 6c 6f 72 20 73 69 74 20 61 6d 65 74 2c 20 63 6f
6e 73 65 74 65 74 75 72 20 73 od works better
$ echo -n "Lorem ipsum dolor sit amet, consetetur s" | od -A n -t x1 --width=40
4c 6f 72 65 6d 20 69 70 73 75 6d 20 64 6f 6c 6f 72 20 73 69 74 20 61 6d 65 74 2c 20 63 6f 6e 73 65 74 65 74 75 72 20 73@@ -72,9 +72,10 @@
fi
PIN_LEN=${#PIN}
+
+PIN=$(echo -n "$PIN" | od -A n -t x1 --width=$PIN_LEN)
PIN_LEN=$(printf %02x $PIN_LEN)
-PIN=$(echo -n "$PIN" | xxd -ps | sed 's/[[:xdigit:]]\{2\}/& /g')
$GCA --hex "scd reset" /bye > /dev/null
Thanks, I've incorporated the changes above and move this gist to its own repo at https://github.com/a-dma/yubitouch.
Please direct future discussions there.
This gist is still linked from https://developers.yubico.com/PGP/Card_edit.html
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Thanks to Steven Allen for some improvements.