aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--nitrocli/src/commands.rs94
-rw-r--r--nitrocli/src/pinentry.rs40
2 files changed, 66 insertions, 68 deletions
diff --git a/nitrocli/src/commands.rs b/nitrocli/src/commands.rs
index a5600b1..1d5c67c 100644
--- a/nitrocli/src/commands.rs
+++ b/nitrocli/src/commands.rs
@@ -91,15 +91,11 @@ fn get_storage_device(ctx: &mut args::ExecCtx<'_>) -> Result<nitrokey::Storage>
/// Open the password safe on the given device.
fn get_password_safe(device: &dyn Device) -> Result<nitrokey::PasswordSafe<'_>> {
- try_with_passphrase_and_data(
+ try_with_pin_and_data(
pinentry::PinType::User,
"Could not access the password safe",
(),
- |_, passphrase| {
- device
- .get_password_safe(passphrase)
- .map_err(|err| ((), err))
- },
+ |_, pin| device.get_password_safe(pin).map_err(|err| ((), err)),
)
.map_err(|(_, err)| err)
}
@@ -117,7 +113,7 @@ where
D: Device,
F: Fn(D, &str) -> result::Result<A, (D, nitrokey::CommandError)>,
{
- try_with_passphrase_and_data(pin_type, msg, device, op).map_err(|(_device, err)| err)
+ try_with_pin_and_data(pin_type, msg, device, op).map_err(|(_device, err)| err)
}
/// Authenticate the given device with the user PIN.
@@ -129,7 +125,7 @@ where
device,
pinentry::PinType::User,
"Could not authenticate as user",
- |device, passphrase| device.authenticate_user(passphrase),
+ |device, pin| device.authenticate_user(pin),
)
}
@@ -142,7 +138,7 @@ where
device,
pinentry::PinType::Admin,
"Could not authenticate as admin",
- |device, passphrase| device.authenticate_admin(passphrase),
+ |device, pin| device.authenticate_admin(pin),
)
}
@@ -159,22 +155,22 @@ fn get_volume_status(status: &nitrokey::VolumeStatus) -> &'static str {
}
}
-/// Try to execute the given function with a passphrase queried using pinentry.
+/// Try to execute the given function with a pin queried using pinentry.
///
-/// This function will query the passphrase of the given type from the
-/// user using pinentry. It will then execute the given function. If
-/// this function returns a result, the result will be passed it on. If
-/// it returns a `CommandError::WrongPassword`, the user will be asked
-/// again to enter the passphrase. Otherwise, this function returns an
-/// error containing the given error message. The user will have at
-/// most three tries to get the passphrase right.
+/// This function will query the pin of the given type from the user
+/// using pinentry. It will then execute the given function. If this
+/// function returns a result, the result will be passed it on. If it
+/// returns a `CommandError::WrongPassword`, the user will be asked
+/// again to enter the pin. Otherwise, this function returns an error
+/// containing the given error message. The user will have at most
+/// three tries to get the pin right.
///
/// The data argument can be used to pass on data between the tries. At
/// the first try, this function will call `op` with `data`. At the
/// second or third try, it will call `op` with the data returned by the
/// previous call to `op`.
-fn try_with_passphrase_and_data<D, F, R>(
- pin: pinentry::PinType,
+fn try_with_pin_and_data<D, F, R>(
+ pin_type: pinentry::PinType,
msg: &'static str,
data: D,
op: F,
@@ -186,19 +182,19 @@ where
let mut retry = 3;
let mut error_msg = None;
loop {
- let passphrase = match pinentry::inquire_passphrase(pin, pinentry::Mode::Query, error_msg) {
- Ok(passphrase) => passphrase,
+ let pin = match pinentry::inquire_pin(pin_type, pinentry::Mode::Query, error_msg) {
+ Ok(pin) => pin,
Err(err) => return Err((data, err)),
};
- let passphrase = match String::from_utf8(passphrase) {
- Ok(passphrase) => passphrase,
+ let pin = match String::from_utf8(pin) {
+ Ok(pin) => pin,
Err(err) => return Err((data, Error::from(err))),
};
- match op(data, &passphrase) {
+ match op(data, &pin) {
Ok(result) => return Ok(result),
Err((new_data, err)) => match err {
nitrokey::CommandError::WrongPassword => {
- if let Err(err) = pinentry::clear_passphrase(pin) {
+ if let Err(err) = pinentry::clear_pin(pin_type) {
return Err((new_data, err));
}
retry -= 1;
@@ -217,16 +213,16 @@ where
}
}
-/// Try to execute the given function with a passphrase queried using pinentry.
+/// Try to execute the given function with a pin queried using pinentry.
///
-/// This function behaves exactly as `try_with_passphrase_and_data`, but
+/// This function behaves exactly as `try_with_pin_and_data`, but
/// it refrains from passing any data to it.
-fn try_with_passphrase<F>(pin: pinentry::PinType, msg: &'static str, op: F) -> Result<()>
+fn try_with_pin<F>(pin_type: pinentry::PinType, msg: &'static str, op: F) -> Result<()>
where
F: Fn(&str) -> result::Result<(), nitrokey::CommandError>,
{
- try_with_passphrase_and_data(pin, msg, (), |data, passphrase| {
- op(passphrase).map_err(|err| (data, err))
+ try_with_pin_and_data(pin_type, msg, (), |data, pin| {
+ op(pin).map_err(|err| (data, err))
})
.map_err(|(_data, err)| err)
}
@@ -271,10 +267,10 @@ pub fn status(ctx: &mut args::ExecCtx<'_>) -> Result<()> {
/// Open the encrypted volume on the nitrokey.
pub fn storage_open(ctx: &mut args::ExecCtx<'_>) -> Result<()> {
let device = get_storage_device(ctx)?;
- try_with_passphrase(
+ try_with_pin(
pinentry::PinType::User,
"Opening encrypted volume failed",
- |passphrase| device.enable_encrypted_volume(&passphrase),
+ |pin| device.enable_encrypted_volume(&pin),
)
}
@@ -560,13 +556,13 @@ pub fn otp_status(ctx: &mut args::ExecCtx<'_>, all: bool) -> Result<()> {
/// Clear the PIN stored by various operations.
pub fn pin_clear() -> Result<()> {
- pinentry::clear_passphrase(pinentry::PinType::Admin)?;
- pinentry::clear_passphrase(pinentry::PinType::User)?;
+ pinentry::clear_pin(pinentry::PinType::Admin)?;
+ pinentry::clear_pin(pinentry::PinType::User)?;
Ok(())
}
-fn check_pin(pintype: pinentry::PinType, pin: &str) -> Result<()> {
- let minimum_length = match pintype {
+fn check_pin(pin_type: pinentry::PinType, pin: &str) -> Result<()> {
+ let minimum_length = match pin_type {
pinentry::PinType::Admin => 8,
pinentry::PinType::User => 6,
};
@@ -580,15 +576,15 @@ fn check_pin(pintype: pinentry::PinType, pin: &str) -> Result<()> {
}
}
-fn choose_pin(pintype: pinentry::PinType) -> Result<String> {
- pinentry::clear_passphrase(pintype)?;
- let new_pin = pinentry::inquire_passphrase(pintype, pinentry::Mode::Choose, None)?;
- pinentry::clear_passphrase(pintype)?;
+fn choose_pin(pin_type: pinentry::PinType) -> Result<String> {
+ pinentry::clear_pin(pin_type)?;
+ let new_pin = pinentry::inquire_pin(pin_type, pinentry::Mode::Choose, None)?;
+ pinentry::clear_pin(pin_type)?;
let new_pin = String::from_utf8(new_pin)?;
- check_pin(pintype, &new_pin)?;
+ check_pin(pin_type, &new_pin)?;
- let confirm_pin = pinentry::inquire_passphrase(pintype, pinentry::Mode::Confirm, None)?;
- pinentry::clear_passphrase(pintype)?;
+ let confirm_pin = pinentry::inquire_pin(pin_type, pinentry::Mode::Confirm, None)?;
+ pinentry::clear_pin(pin_type)?;
let confirm_pin = String::from_utf8(confirm_pin)?;
if new_pin != confirm_pin {
@@ -599,13 +595,13 @@ fn choose_pin(pintype: pinentry::PinType) -> Result<String> {
}
/// Change a PIN.
-pub fn pin_set(ctx: &mut args::ExecCtx<'_>, pintype: pinentry::PinType) -> Result<()> {
+pub fn pin_set(ctx: &mut args::ExecCtx<'_>, pin_type: pinentry::PinType) -> Result<()> {
let device = get_device(ctx)?;
- let new_pin = choose_pin(pintype)?;
- try_with_passphrase(
- pintype,
+ let new_pin = choose_pin(pin_type)?;
+ try_with_pin(
+ pin_type,
"Could not change the PIN",
- |current_pin| match pintype {
+ |current_pin| match pin_type {
pinentry::PinType::Admin => device.change_admin_pin(&current_pin, &new_pin),
pinentry::PinType::User => device.change_user_pin(&current_pin, &new_pin),
},
@@ -616,7 +612,7 @@ pub fn pin_set(ctx: &mut args::ExecCtx<'_>, pintype: pinentry::PinType) -> Resul
pub fn pin_unblock(ctx: &mut args::ExecCtx<'_>) -> Result<()> {
let device = get_device(ctx)?;
let user_pin = choose_pin(pinentry::PinType::User)?;
- try_with_passphrase(
+ try_with_pin(
pinentry::PinType::Admin,
"Could not unblock the user PIN",
|admin_pin| device.unlock_user_pin(&admin_pin, &user_pin),
diff --git a/nitrocli/src/pinentry.rs b/nitrocli/src/pinentry.rs
index 0d9fc5f..6c36d73 100644
--- a/nitrocli/src/pinentry.rs
+++ b/nitrocli/src/pinentry.rs
@@ -93,9 +93,9 @@ impl PinType {
/// PIN entry mode for pinentry.
///
-/// This enum describes the context of the pinentry query, for example prompting for the current
-/// PIN or requesting a new PIN. The mode may affect the pinentry description and whether a
-/// quality bar is shown.
+/// This enum describes the context of the pinentry query, for example
+/// prompting for the current PIN or requesting a new PIN. The mode may
+/// affect the pinentry description and whether a quality bar is shown.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Mode {
/// Let the user choose a new PIN.
@@ -112,7 +112,7 @@ impl Mode {
}
}
-fn parse_pinentry_passphrase(response: Vec<u8>) -> Result<Vec<u8>, Error> {
+fn parse_pinentry_pin(response: Vec<u8>) -> Result<Vec<u8>, Error> {
let string = String::from_utf8(response)?;
let lines: Vec<&str> = string.lines().collect();
@@ -138,11 +138,13 @@ fn parse_pinentry_passphrase(response: Vec<u8>) -> Result<Vec<u8>, Error> {
/// Inquire a PIN of the given type from the user.
///
-/// This function inquires a PIN of the given type from the user or returns the cached passphrase,
-/// if available. If an error message is set, it is displayed in the passphrase dialog. The
-/// mode describes the context of the pinentry dialog. It is used to choose an appropriate
-/// description and to decide whether a quality bar is shown in the dialog.
-pub fn inquire_passphrase(
+/// This function inquires a PIN of the given type from the user or
+/// returns the cached pin, if available. If an error message is set,
+/// it is displayed in the pin dialog. The mode describes the context
+/// of the pinentry dialog. It is used to choose an appropriate
+/// description and to decide whether a quality bar is shown in the
+/// dialog.
+pub fn inquire_pin(
pin_type: PinType,
mode: Mode,
error_msg: Option<&str>,
@@ -161,7 +163,7 @@ pub fn inquire_passphrase(
}
command += &args;
// We could also use the --data parameter here to have a more direct
- // representation of the passphrase but the resulting response was
+ // representation of the pin but the resulting response was
// considered more difficult to parse overall. It appears an error
// reported for the GET_PASSPHRASE command does not actually cause
// gpg-connect-agent to exit with a non-zero error code, we have to
@@ -170,7 +172,7 @@ pub fn inquire_passphrase(
.arg(command)
.arg("/bye")
.output()?;
- parse_pinentry_passphrase(output.stdout)
+ parse_pinentry_pin(output.stdout)
}
fn parse_pinentry_response(response: Vec<u8>) -> Result<(), Error> {
@@ -184,8 +186,8 @@ fn parse_pinentry_response(response: Vec<u8>) -> Result<(), Error> {
Err(Error::Error("Unexpected response: ".to_string() + &string))
}
-/// Clear the cached passphrase of the given type.
-pub fn clear_passphrase(pin_type: PinType) -> Result<(), Error> {
+/// Clear the cached pin of the given type.
+pub fn clear_pin(pin_type: PinType) -> Result<(), Error> {
let command = "CLEAR_PASSPHRASE ".to_string() + pin_type.cache_id();
let output = process::Command::new("gpg-connect-agent")
.arg(command)
@@ -200,20 +202,20 @@ mod tests {
use super::*;
#[test]
- fn parse_pinentry_passphrase_good() {
+ fn parse_pinentry_pin_good() {
let response = "D passphrase\nOK\n".to_string().into_bytes();
let expected = "passphrase".to_string().into_bytes();
- assert_eq!(parse_pinentry_passphrase(response).unwrap(), expected)
+ assert_eq!(parse_pinentry_pin(response).unwrap(), expected)
}
#[test]
- fn parse_pinentry_passphrase_error() {
+ fn parse_pinentry_pin_error() {
let error = "83886179 Operation cancelled";
let response = "ERR ".to_string() + error + "\n";
let expected = error;
- let error = parse_pinentry_passphrase(response.to_string().into_bytes());
+ let error = parse_pinentry_pin(response.to_string().into_bytes());
if let Error::Error(ref e) = error.err().unwrap() {
assert_eq!(e, &expected);
@@ -223,11 +225,11 @@ mod tests {
}
#[test]
- fn parse_pinentry_passphrase_unexpected() {
+ fn parse_pinentry_pin_unexpected() {
let response = "foobar\n";
let expected = "Unexpected response: ".to_string() + response;
- let error = parse_pinentry_passphrase(response.to_string().into_bytes());
+ let error = parse_pinentry_pin(response.to_string().into_bytes());
if let Error::Error(ref e) = error.err().unwrap() {
assert_eq!(e, &expected);