summaryrefslogtreecommitdiff
path: root/src/commands.rs
diff options
context:
space:
mode:
Diffstat (limited to 'src/commands.rs')
-rw-r--r--src/commands.rs984
1 files changed, 984 insertions, 0 deletions
diff --git a/src/commands.rs b/src/commands.rs
new file mode 100644
index 0000000..537a2cf
--- /dev/null
+++ b/src/commands.rs
@@ -0,0 +1,984 @@
+// commands.rs
+
+// *************************************************************************
+// * Copyright (C) 2018-2020 Daniel Mueller (deso@posteo.net) *
+// * *
+// * This program is free software: you can redistribute it and/or modify *
+// * it under the terms of the GNU General Public License as published by *
+// * the Free Software Foundation, either version 3 of the License, or *
+// * (at your option) any later version. *
+// * *
+// * This program is distributed in the hope that it will be useful, *
+// * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+// * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
+// * GNU General Public License for more details. *
+// * *
+// * You should have received a copy of the GNU General Public License *
+// * along with this program. If not, see <http://www.gnu.org/licenses/>. *
+// *************************************************************************
+
+use std::fmt;
+use std::result;
+use std::thread;
+use std::time;
+use std::u8;
+
+use libc::sync;
+
+use nitrokey::ConfigureOtp;
+use nitrokey::Device;
+use nitrokey::GenerateOtp;
+use nitrokey::GetPasswordSafe;
+
+use crate::args;
+use crate::error;
+use crate::error::Error;
+use crate::pinentry;
+use crate::Result;
+
+/// Create an `error::Error` with an error message of the format `msg: err`.
+fn get_error(msg: &'static str, err: nitrokey::Error) -> Error {
+ Error::NitrokeyError(Some(msg), err)
+}
+
+/// Set `libnitrokey`'s log level based on the execution context's verbosity.
+fn set_log_level(ctx: &mut args::ExecCtx<'_>) {
+ let log_lvl = match ctx.verbosity {
+ // The error log level is what libnitrokey uses by default. As such,
+ // there is no harm in us setting that as well when the user did not
+ // ask for higher verbosity.
+ 0 => nitrokey::LogLevel::Error,
+ 1 => nitrokey::LogLevel::Warning,
+ 2 => nitrokey::LogLevel::Info,
+ 3 => nitrokey::LogLevel::DebugL1,
+ 4 => nitrokey::LogLevel::Debug,
+ _ => nitrokey::LogLevel::DebugL2,
+ };
+ nitrokey::set_log_level(log_lvl);
+}
+
+/// Connect to any Nitrokey device and do something with it.
+fn with_device<F>(ctx: &mut args::ExecCtx<'_>, op: F) -> Result<()>
+where
+ F: FnOnce(&mut args::ExecCtx<'_>, nitrokey::DeviceWrapper<'_>) -> Result<()>,
+{
+ let mut manager = nitrokey::take()?;
+ set_log_level(ctx);
+
+ let device = match ctx.model {
+ Some(model) => manager.connect_model(model.into()).map_err(|_| {
+ let error = format!("Nitrokey {} device not found", model.as_user_facing_str());
+ Error::Error(error)
+ })?,
+ None => manager
+ .connect()
+ .map_err(|_| Error::from("Nitrokey device not found"))?,
+ };
+
+ op(ctx, device)
+}
+
+/// Connect to a Nitrokey Storage device and do something with it.
+fn with_storage_device<F>(ctx: &mut args::ExecCtx<'_>, op: F) -> Result<()>
+where
+ F: FnOnce(&mut args::ExecCtx<'_>, nitrokey::Storage<'_>) -> Result<()>,
+{
+ let mut manager = nitrokey::take()?;
+ set_log_level(ctx);
+
+ if let Some(model) = ctx.model {
+ if model != args::DeviceModel::Storage {
+ return Err(Error::from(
+ "This command is only available on the Nitrokey Storage",
+ ));
+ }
+ }
+
+ let device = manager
+ .connect_storage()
+ .map_err(|_| Error::from("Nitrokey Storage device not found"))?;
+ op(ctx, device)
+}
+
+/// Connect to any Nitrokey device, retrieve a password safe handle, and
+/// do something with it.
+fn with_password_safe<F>(ctx: &mut args::ExecCtx<'_>, mut op: F) -> Result<()>
+where
+ F: FnMut(&mut args::ExecCtx<'_>, nitrokey::PasswordSafe<'_, '_>) -> Result<()>,
+{
+ with_device(ctx, |ctx, mut device| {
+ let pin_entry = pinentry::PinEntry::from(pinentry::PinType::User, &device)?;
+ try_with_pin_and_data(
+ ctx,
+ &pin_entry,
+ "Could not access the password safe",
+ (),
+ move |ctx, _, pin| {
+ let pws = device
+ .get_password_safe(pin)
+ .map_err(|err| ((), Error::from(err)))?;
+
+ op(ctx, pws).map_err(|err| ((), err))
+ },
+ )
+ })?;
+ Ok(())
+}
+
+/// Authenticate the given device using the given PIN type and operation.
+///
+/// If an error occurs, the error message `msg` is used.
+fn authenticate<'mgr, D, A, F>(
+ ctx: &mut args::ExecCtx<'_>,
+ device: D,
+ pin_type: pinentry::PinType,
+ msg: &'static str,
+ op: F,
+) -> Result<A>
+where
+ D: Device<'mgr>,
+ F: FnMut(&mut args::ExecCtx<'_>, D, &str) -> result::Result<A, (D, nitrokey::Error)>,
+{
+ let pin_entry = pinentry::PinEntry::from(pin_type, &device)?;
+
+ try_with_pin_and_data(ctx, &pin_entry, msg, device, op)
+}
+
+/// Authenticate the given device with the user PIN.
+fn authenticate_user<'mgr, T>(
+ ctx: &mut args::ExecCtx<'_>,
+ device: T,
+) -> Result<nitrokey::User<'mgr, T>>
+where
+ T: Device<'mgr>,
+{
+ authenticate(
+ ctx,
+ device,
+ pinentry::PinType::User,
+ "Could not authenticate as user",
+ |_ctx, device, pin| device.authenticate_user(pin),
+ )
+}
+
+/// Authenticate the given device with the admin PIN.
+fn authenticate_admin<'mgr, T>(
+ ctx: &mut args::ExecCtx<'_>,
+ device: T,
+) -> Result<nitrokey::Admin<'mgr, T>>
+where
+ T: Device<'mgr>,
+{
+ authenticate(
+ ctx,
+ device,
+ pinentry::PinType::Admin,
+ "Could not authenticate as admin",
+ |_ctx, device, pin| device.authenticate_admin(pin),
+ )
+}
+
+/// Return a string representation of the given volume status.
+fn get_volume_status(status: &nitrokey::VolumeStatus) -> &'static str {
+ if status.active {
+ if status.read_only {
+ "read-only"
+ } else {
+ "active"
+ }
+ } else {
+ "inactive"
+ }
+}
+
+/// Try to execute the given function with a pin queried using pinentry.
+///
+/// This function will query the pin of the given type from the user
+/// using pinentry. It will then execute the given function. If this
+/// function returns a result, the result will be passed on. If it
+/// returns a `CommandError::WrongPassword`, the user will be asked
+/// again to enter the pin. Otherwise, this function returns an error
+/// containing the given error message. The user will have at most
+/// three tries to get the pin right.
+///
+/// The data argument can be used to pass on data between the tries. At
+/// the first try, this function will call `op` with `data`. At the
+/// second or third try, it will call `op` with the data returned by the
+/// previous call to `op`.
+fn try_with_pin_and_data_with_pinentry<D, F, R, E>(
+ ctx: &mut args::ExecCtx<'_>,
+ pin_entry: &pinentry::PinEntry,
+ msg: &'static str,
+ data: D,
+ mut op: F,
+) -> Result<R>
+where
+ F: FnMut(&mut args::ExecCtx<'_>, D, &str) -> result::Result<R, (D, E)>,
+ E: error::TryInto<nitrokey::Error>,
+{
+ let mut data = data;
+ let mut retry = 3;
+ let mut error_msg = None;
+ loop {
+ let pin = pinentry::inquire(ctx, pin_entry, pinentry::Mode::Query, error_msg)?;
+ match op(ctx, data, &pin) {
+ Ok(result) => return Ok(result),
+ Err((new_data, err)) => match err.try_into() {
+ Ok(err) => match err {
+ nitrokey::Error::CommandError(nitrokey::CommandError::WrongPassword) => {
+ pinentry::clear(pin_entry)?;
+ retry -= 1;
+
+ if retry > 0 {
+ error_msg = Some("Wrong password, please reenter");
+ data = new_data;
+ continue;
+ }
+ return Err(get_error(msg, err));
+ }
+ err => return Err(get_error(msg, err)),
+ },
+ Err(err) => return Err(err),
+ },
+ };
+ }
+}
+
+/// Try to execute the given function with a PIN.
+fn try_with_pin_and_data<D, F, R, E>(
+ ctx: &mut args::ExecCtx<'_>,
+ pin_entry: &pinentry::PinEntry,
+ msg: &'static str,
+ data: D,
+ mut op: F,
+) -> Result<R>
+where
+ F: FnMut(&mut args::ExecCtx<'_>, D, &str) -> result::Result<R, (D, E)>,
+ E: Into<Error> + error::TryInto<nitrokey::Error>,
+{
+ let pin = match pin_entry.pin_type() {
+ // Ideally we would not clone here, but that would require us to
+ // restrict op to work with an immutable ExecCtx, which is not
+ // possible given that some clients print data.
+ pinentry::PinType::Admin => ctx.admin_pin.clone(),
+ pinentry::PinType::User => ctx.user_pin.clone(),
+ };
+
+ if let Some(pin) = pin {
+ let pin = pin.to_str().ok_or_else(|| {
+ Error::Error(format!(
+ "{}: Failed to read PIN due to invalid Unicode data",
+ msg
+ ))
+ })?;
+ op(ctx, data, &pin).map_err(|(_, err)| err.into())
+ } else {
+ try_with_pin_and_data_with_pinentry(ctx, pin_entry, msg, data, op)
+ }
+}
+
+/// Try to execute the given function with a pin queried using pinentry.
+///
+/// This function behaves exactly as `try_with_pin_and_data`, but
+/// it refrains from passing any data to it.
+fn try_with_pin<F, E>(
+ ctx: &mut args::ExecCtx<'_>,
+ pin_entry: &pinentry::PinEntry,
+ msg: &'static str,
+ mut op: F,
+) -> Result<()>
+where
+ F: FnMut(&str) -> result::Result<(), E>,
+ E: Into<Error> + error::TryInto<nitrokey::Error>,
+{
+ try_with_pin_and_data(ctx, pin_entry, msg, (), |_ctx, data, pin| {
+ op(pin).map_err(|err| (data, err))
+ })
+}
+
+/// Pretty print the status of a Nitrokey Storage.
+fn print_storage_status(
+ ctx: &mut args::ExecCtx<'_>,
+ status: &nitrokey::StorageStatus,
+) -> Result<()> {
+ println!(
+ ctx,
+ r#" Storage:
+ SD card ID: {id:#x}
+ firmware: {fw}
+ storage keys: {sk}
+ volumes:
+ unencrypted: {vu}
+ encrypted: {ve}
+ hidden: {vh}"#,
+ id = status.serial_number_sd_card,
+ fw = if status.firmware_locked {
+ "locked"
+ } else {
+ "unlocked"
+ },
+ sk = if status.stick_initialized {
+ "created"
+ } else {
+ "not created"
+ },
+ vu = get_volume_status(&status.unencrypted_volume),
+ ve = get_volume_status(&status.encrypted_volume),
+ vh = get_volume_status(&status.hidden_volume),
+ )?;
+ Ok(())
+}
+
+/// Query and pretty print the status that is common to all Nitrokey devices.
+fn print_status(
+ ctx: &mut args::ExecCtx<'_>,
+ model: &'static str,
+ device: &nitrokey::DeviceWrapper<'_>,
+) -> Result<()> {
+ let serial_number = device
+ .get_serial_number()
+ .map_err(|err| get_error("Could not query the serial number", err))?;
+
+ println!(
+ ctx,
+ r#"Status:
+ model: {model}
+ serial number: 0x{id}
+ firmware version: {fwv}
+ user retry count: {urc}
+ admin retry count: {arc}"#,
+ model = model,
+ id = serial_number,
+ fwv = device.get_firmware_version()?,
+ urc = device.get_user_retry_count()?,
+ arc = device.get_admin_retry_count()?,
+ )?;
+
+ if let nitrokey::DeviceWrapper::Storage(device) = device {
+ let status = device
+ .get_status()
+ .map_err(|err| get_error("Getting Storage status failed", err))?;
+
+ print_storage_status(ctx, &status)
+ } else {
+ Ok(())
+ }
+}
+
+/// Inquire the status of the nitrokey.
+pub fn status(ctx: &mut args::ExecCtx<'_>) -> Result<()> {
+ with_device(ctx, |ctx, device| {
+ let model = match device {
+ nitrokey::DeviceWrapper::Pro(_) => "Pro",
+ nitrokey::DeviceWrapper::Storage(_) => "Storage",
+ };
+ print_status(ctx, model, &device)
+ })
+}
+
+/// Perform a factory reset.
+pub fn reset(ctx: &mut args::ExecCtx<'_>) -> Result<()> {
+ with_device(ctx, |ctx, mut device| {
+ let pin_entry = pinentry::PinEntry::from(pinentry::PinType::Admin, &device)?;
+
+ // To force the user to enter the admin PIN before performing a
+ // factory reset, we clear the pinentry cache for the admin PIN.
+ pinentry::clear(&pin_entry)?;
+
+ try_with_pin(ctx, &pin_entry, "Factory reset failed", |pin| {
+ device.factory_reset(&pin)?;
+ // Work around for a timing issue between factory_reset and
+ // build_aes_key, see
+ // https://github.com/Nitrokey/nitrokey-storage-firmware/issues/80
+ thread::sleep(time::Duration::from_secs(3));
+ // Another work around for spurious WrongPassword returns of
+ // build_aes_key after a factory reset on Pro devices.
+ // https://github.com/Nitrokey/nitrokey-pro-firmware/issues/57
+ let _ = device.get_user_retry_count();
+ device.build_aes_key(nitrokey::DEFAULT_ADMIN_PIN)
+ })
+ })
+}
+
+/// Change the configuration of the unencrypted volume.
+pub fn unencrypted_set(
+ ctx: &mut args::ExecCtx<'_>,
+ mode: args::UnencryptedVolumeMode,
+) -> Result<()> {
+ with_storage_device(ctx, |ctx, mut device| {
+ let pin_entry = pinentry::PinEntry::from(pinentry::PinType::Admin, &device)?;
+ let mode = match mode {
+ args::UnencryptedVolumeMode::ReadWrite => nitrokey::VolumeMode::ReadWrite,
+ args::UnencryptedVolumeMode::ReadOnly => nitrokey::VolumeMode::ReadOnly,
+ };
+
+ // The unencrypted volume may reconnect, so be sure to flush caches to
+ // disk.
+ unsafe { sync() };
+
+ try_with_pin(
+ ctx,
+ &pin_entry,
+ "Changing unencrypted volume mode failed",
+ |pin| device.set_unencrypted_volume_mode(&pin, mode),
+ )
+ })
+}
+
+/// Open the encrypted volume on the Nitrokey.
+pub fn encrypted_open(ctx: &mut args::ExecCtx<'_>) -> Result<()> {
+ with_storage_device(ctx, |ctx, mut device| {
+ let pin_entry = pinentry::PinEntry::from(pinentry::PinType::User, &device)?;
+
+ // We may forcefully close a hidden volume, if active, so be sure to
+ // flush caches to disk.
+ unsafe { sync() };
+
+ try_with_pin(ctx, &pin_entry, "Opening encrypted volume failed", |pin| {
+ device.enable_encrypted_volume(&pin)
+ })
+ })
+}
+
+/// Close the previously opened encrypted volume.
+pub fn encrypted_close(ctx: &mut args::ExecCtx<'_>) -> Result<()> {
+ with_storage_device(ctx, |_ctx, mut device| {
+ // Flush all filesystem caches to disk. We are mostly interested in
+ // making sure that the encrypted volume on the Nitrokey we are
+ // about to close is not closed while not all data was written to
+ // it.
+ unsafe { sync() };
+
+ device
+ .disable_encrypted_volume()
+ .map_err(|err| get_error("Closing encrypted volume failed", err))
+ })
+}
+
+/// Create a hidden volume.
+pub fn hidden_create(ctx: &mut args::ExecCtx<'_>, slot: u8, start: u8, end: u8) -> Result<()> {
+ with_storage_device(ctx, |ctx, mut device| {
+ let pwd_entry = pinentry::PwdEntry::from(&device)?;
+ let pwd = if let Some(pwd) = &ctx.password {
+ pwd
+ .to_str()
+ .ok_or_else(|| Error::from("Failed to read password: invalid Unicode data found"))
+ .map(ToOwned::to_owned)
+ } else {
+ pinentry::choose(ctx, &pwd_entry)
+ }?;
+
+ device
+ .create_hidden_volume(slot, start, end, &pwd)
+ .map_err(|err| get_error("Creating hidden volume failed", err))
+ })
+}
+
+/// Open a hidden volume.
+pub fn hidden_open(ctx: &mut args::ExecCtx<'_>) -> Result<()> {
+ with_storage_device(ctx, |ctx, mut device| {
+ let pwd_entry = pinentry::PwdEntry::from(&device)?;
+ let pwd = if let Some(pwd) = &ctx.password {
+ pwd
+ .to_str()
+ .ok_or_else(|| Error::from("Failed to read password: invalid Unicode data found"))
+ .map(ToOwned::to_owned)
+ } else {
+ pinentry::inquire(ctx, &pwd_entry, pinentry::Mode::Query, None)
+ }?;
+
+ // We may forcefully close an encrypted volume, if active, so be sure
+ // to flush caches to disk.
+ unsafe { sync() };
+
+ device
+ .enable_hidden_volume(&pwd)
+ .map_err(|err| get_error("Opening hidden volume failed", err))
+ })
+}
+
+/// Close a previously opened hidden volume.
+pub fn hidden_close(ctx: &mut args::ExecCtx<'_>) -> Result<()> {
+ with_storage_device(ctx, |_ctx, mut device| {
+ unsafe { sync() };
+
+ device
+ .disable_hidden_volume()
+ .map_err(|err| get_error("Closing hidden volume failed", err))
+ })
+}
+
+/// Return a String representation of the given Option.
+fn format_option<T: fmt::Display>(option: Option<T>) -> String {
+ match option {
+ Some(value) => format!("{}", value),
+ None => "not set".to_string(),
+ }
+}
+
+/// Read the Nitrokey configuration.
+pub fn config_get(ctx: &mut args::ExecCtx<'_>) -> Result<()> {
+ with_device(ctx, |ctx, device| {
+ let config = device
+ .get_config()
+ .map_err(|err| get_error("Could not get configuration", err))?;
+ println!(
+ ctx,
+ r#"Config:
+ numlock binding: {nl}
+ capslock binding: {cl}
+ scrollock binding: {sl}
+ require user PIN for OTP: {otp}"#,
+ nl = format_option(config.numlock),
+ cl = format_option(config.capslock),
+ sl = format_option(config.scrollock),
+ otp = config.user_password,
+ )?;
+ Ok(())
+ })
+}
+
+/// Write the Nitrokey configuration.
+pub fn config_set(
+ ctx: &mut args::ExecCtx<'_>,
+ numlock: args::ConfigOption<u8>,
+ capslock: args::ConfigOption<u8>,
+ scrollock: args::ConfigOption<u8>,
+ user_password: Option<bool>,
+) -> Result<()> {
+ with_device(ctx, |ctx, device| {
+ let mut device = authenticate_admin(ctx, device)?;
+ let config = device
+ .get_config()
+ .map_err(|err| get_error("Could not get configuration", err))?;
+ let config = nitrokey::Config {
+ numlock: numlock.or(config.numlock),
+ capslock: capslock.or(config.capslock),
+ scrollock: scrollock.or(config.scrollock),
+ user_password: user_password.unwrap_or(config.user_password),
+ };
+ device
+ .write_config(config)
+ .map_err(|err| get_error("Could not set configuration", err))
+ })
+}
+
+/// Lock the Nitrokey device.
+pub fn lock(ctx: &mut args::ExecCtx<'_>) -> Result<()> {
+ with_device(ctx, |_ctx, mut device| {
+ device
+ .lock()
+ .map_err(|err| get_error("Could not lock the device", err))
+ })
+}
+
+fn get_otp<T>(slot: u8, algorithm: args::OtpAlgorithm, device: &mut T) -> Result<String>
+where
+ T: GenerateOtp,
+{
+ match algorithm {
+ args::OtpAlgorithm::Hotp => device.get_hotp_code(slot),
+ args::OtpAlgorithm::Totp => device.get_totp_code(slot),
+ }
+ .map_err(|err| get_error("Could not generate OTP", err))
+}
+
+fn get_unix_timestamp() -> Result<u64> {
+ time::SystemTime::now()
+ .duration_since(time::UNIX_EPOCH)
+ .map_err(|_| Error::from("Current system time is before the Unix epoch"))
+ .map(|duration| duration.as_secs())
+}
+
+/// Generate a one-time password on the Nitrokey device.
+pub fn otp_get(
+ ctx: &mut args::ExecCtx<'_>,
+ slot: u8,
+ algorithm: args::OtpAlgorithm,
+ time: Option<u64>,
+) -> Result<()> {
+ with_device(ctx, |ctx, mut device| {
+ if algorithm == args::OtpAlgorithm::Totp {
+ device
+ .set_time(
+ match time {
+ Some(time) => time,
+ None => get_unix_timestamp()?,
+ },
+ true,
+ )
+ .map_err(|err| get_error("Could not set time", err))?;
+ }
+ let config = device
+ .get_config()
+ .map_err(|err| get_error("Could not get device configuration", err))?;
+ let otp = if config.user_password {
+ let mut user = authenticate_user(ctx, device)?;
+ get_otp(slot, algorithm, &mut user)
+ } else {
+ get_otp(slot, algorithm, &mut device)
+ }?;
+ println!(ctx, "{}", otp)?;
+ Ok(())
+ })
+}
+
+/// Format a byte vector as a hex string.
+fn format_bytes(bytes: &[u8]) -> String {
+ bytes
+ .iter()
+ .map(|c| format!("{:02x}", c))
+ .collect::<Vec<_>>()
+ .join("")
+}
+
+/// Prepare an ASCII secret string for libnitrokey.
+///
+/// libnitrokey expects secrets as hexadecimal strings. This function transforms an ASCII string
+/// into a hexadecimal string or returns an error if the given string contains non-ASCII
+/// characters.
+fn prepare_ascii_secret(secret: &str) -> Result<String> {
+ if secret.is_ascii() {
+ Ok(format_bytes(&secret.as_bytes()))
+ } else {
+ Err(Error::from(
+ "The given secret is not an ASCII string despite --format ascii being set",
+ ))
+ }
+}
+
+/// Prepare a base32 secret string for libnitrokey.
+fn prepare_base32_secret(secret: &str) -> Result<String> {
+ base32::decode(base32::Alphabet::RFC4648 { padding: false }, secret)
+ .map(|vec| format_bytes(&vec))
+ .ok_or_else(|| Error::from("Could not parse base32 secret"))
+}
+
+/// Configure a one-time password slot on the Nitrokey device.
+pub fn otp_set(
+ ctx: &mut args::ExecCtx<'_>,
+ mut data: nitrokey::OtpSlotData,
+ algorithm: args::OtpAlgorithm,
+ counter: u64,
+ time_window: u16,
+ secret_format: args::OtpSecretFormat,
+) -> Result<()> {
+ with_device(ctx, |ctx, device| {
+ let secret = match secret_format {
+ args::OtpSecretFormat::Ascii => prepare_ascii_secret(&data.secret)?,
+ args::OtpSecretFormat::Base32 => prepare_base32_secret(&data.secret)?,
+ args::OtpSecretFormat::Hex => {
+ // We need to ensure to provide a string with an even number of
+ // characters in it, just because that's what libnitrokey
+ // expects. So prepend a '0' if that is not the case.
+ // TODO: This code can be removed once upstream issue #164
+ // (https://github.com/Nitrokey/libnitrokey/issues/164) is
+ // addressed.
+ if data.secret.len() % 2 != 0 {
+ data.secret.insert(0, '0')
+ }
+ data.secret
+ }
+ };
+ let data = nitrokey::OtpSlotData { secret, ..data };
+ let mut device = authenticate_admin(ctx, device)?;
+ match algorithm {
+ args::OtpAlgorithm::Hotp => device.write_hotp_slot(data, counter),
+ args::OtpAlgorithm::Totp => device.write_totp_slot(data, time_window),
+ }
+ .map_err(|err| get_error("Could not write OTP slot", err))?;
+ Ok(())
+ })
+}
+
+/// Clear an OTP slot.
+pub fn otp_clear(
+ ctx: &mut args::ExecCtx<'_>,
+ slot: u8,
+ algorithm: args::OtpAlgorithm,
+) -> Result<()> {
+ with_device(ctx, |ctx, device| {
+ let mut device = authenticate_admin(ctx, device)?;
+ match algorithm {
+ args::OtpAlgorithm::Hotp => device.erase_hotp_slot(slot),
+ args::OtpAlgorithm::Totp => device.erase_totp_slot(slot),
+ }
+ .map_err(|err| get_error("Could not clear OTP slot", err))?;
+ Ok(())
+ })
+}
+
+fn print_otp_status(
+ ctx: &mut args::ExecCtx<'_>,
+ algorithm: args::OtpAlgorithm,
+ device: &nitrokey::DeviceWrapper<'_>,
+ all: bool,
+) -> Result<()> {
+ let mut slot: u8 = 0;
+ loop {
+ let result = match algorithm {
+ args::OtpAlgorithm::Hotp => device.get_hotp_slot_name(slot),
+ args::OtpAlgorithm::Totp => device.get_totp_slot_name(slot),
+ };
+ slot = match slot.checked_add(1) {
+ Some(slot) => slot,
+ None => {
+ return Err(Error::from("Integer overflow when iterating OTP slots"));
+ }
+ };
+ let name = match result {
+ Ok(name) => name,
+ Err(nitrokey::Error::LibraryError(nitrokey::LibraryError::InvalidSlot)) => return Ok(()),
+ Err(nitrokey::Error::CommandError(nitrokey::CommandError::SlotNotProgrammed)) => {
+ if all {
+ "[not programmed]".to_string()
+ } else {
+ continue;
+ }
+ }
+ Err(err) => return Err(get_error("Could not check OTP slot", err)),
+ };
+ println!(ctx, "{}\t{}\t{}", algorithm, slot - 1, name)?;
+ }
+}
+
+/// Print the status of the OTP slots.
+pub fn otp_status(ctx: &mut args::ExecCtx<'_>, all: bool) -> Result<()> {
+ with_device(ctx, |ctx, device| {
+ println!(ctx, "alg\tslot\tname")?;
+ print_otp_status(ctx, args::OtpAlgorithm::Hotp, &device, all)?;
+ print_otp_status(ctx, args::OtpAlgorithm::Totp, &device, all)?;
+ Ok(())
+ })
+}
+
+/// Clear the PIN stored by various operations.
+pub fn pin_clear(ctx: &mut args::ExecCtx<'_>) -> Result<()> {
+ with_device(ctx, |_ctx, device| {
+ pinentry::clear(&pinentry::PinEntry::from(
+ pinentry::PinType::Admin,
+ &device,
+ )?)?;
+ pinentry::clear(&pinentry::PinEntry::from(pinentry::PinType::User, &device)?)?;
+ Ok(())
+ })
+}
+
+/// Choose a PIN of the given type.
+///
+/// If the user has set the respective environment variable for the
+/// given PIN type, it will be used.
+fn choose_pin(
+ ctx: &mut args::ExecCtx<'_>,
+ pin_entry: &pinentry::PinEntry,
+ new: bool,
+) -> Result<String> {
+ let new_pin = match pin_entry.pin_type() {
+ pinentry::PinType::Admin => {
+ if new {
+ &ctx.new_admin_pin
+ } else {
+ &ctx.admin_pin
+ }
+ }
+ pinentry::PinType::User => {
+ if new {
+ &ctx.new_user_pin
+ } else {
+ &ctx.user_pin
+ }
+ }
+ };
+
+ if let Some(new_pin) = new_pin {
+ new_pin
+ .to_str()
+ .ok_or_else(|| Error::from("Failed to read PIN: invalid Unicode data found"))
+ .map(ToOwned::to_owned)
+ } else {
+ pinentry::choose(ctx, pin_entry)
+ }
+}
+
+/// Change a PIN.
+pub fn pin_set(ctx: &mut args::ExecCtx<'_>, pin_type: pinentry::PinType) -> Result<()> {
+ with_device(ctx, |ctx, mut device| {
+ let pin_entry = pinentry::PinEntry::from(pin_type, &device)?;
+ let new_pin = choose_pin(ctx, &pin_entry, true)?;
+
+ try_with_pin(
+ ctx,
+ &pin_entry,
+ "Could not change the PIN",
+ |current_pin| match pin_type {
+ pinentry::PinType::Admin => device.change_admin_pin(&current_pin, &new_pin),
+ pinentry::PinType::User => device.change_user_pin(&current_pin, &new_pin),
+ },
+ )?;
+
+ // We just changed the PIN but confirmed the action with the old PIN,
+ // which may have caused it to be cached. Since it no longer applies,
+ // make sure to evict the corresponding entry from the cache.
+ pinentry::clear(&pin_entry)
+ })
+}
+
+/// Unblock and reset the user PIN.
+pub fn pin_unblock(ctx: &mut args::ExecCtx<'_>) -> Result<()> {
+ with_device(ctx, |ctx, mut device| {
+ let pin_entry = pinentry::PinEntry::from(pinentry::PinType::User, &device)?;
+ let user_pin = choose_pin(ctx, &pin_entry, false)?;
+ let pin_entry = pinentry::PinEntry::from(pinentry::PinType::Admin, &device)?;
+
+ try_with_pin(
+ ctx,
+ &pin_entry,
+ "Could not unblock the user PIN",
+ |admin_pin| device.unlock_user_pin(&admin_pin, &user_pin),
+ )
+ })
+}
+
+fn print_pws_data(
+ ctx: &mut args::ExecCtx<'_>,
+ description: &'static str,
+ result: result::Result<String, nitrokey::Error>,
+ quiet: bool,
+) -> Result<()> {
+ let value = result.map_err(|err| get_error("Could not access PWS slot", err))?;
+ if quiet {
+ println!(ctx, "{}", value)?;
+ } else {
+ println!(ctx, "{} {}", description, value)?;
+ }
+ Ok(())
+}
+
+fn check_slot(pws: &nitrokey::PasswordSafe<'_, '_>, slot: u8) -> Result<()> {
+ if slot >= nitrokey::SLOT_COUNT {
+ return Err(nitrokey::Error::from(nitrokey::LibraryError::InvalidSlot).into());
+ }
+ let status = pws
+ .get_slot_status()
+ .map_err(|err| get_error("Could not read PWS slot status", err))?;
+ if status[slot as usize] {
+ Ok(())
+ } else {
+ Err(get_error(
+ "Could not access PWS slot",
+ nitrokey::CommandError::SlotNotProgrammed.into(),
+ ))
+ }
+}
+
+/// Read a PWS slot.
+pub fn pws_get(
+ ctx: &mut args::ExecCtx<'_>,
+ slot: u8,
+ show_name: bool,
+ show_login: bool,
+ show_password: bool,
+ quiet: bool,
+) -> Result<()> {
+ with_password_safe(ctx, |ctx, pws| {
+ check_slot(&pws, slot)?;
+
+ let show_all = !show_name && !show_login && !show_password;
+ if show_all || show_name {
+ print_pws_data(ctx, "name: ", pws.get_slot_name(slot), quiet)?;
+ }
+ if show_all || show_login {
+ print_pws_data(ctx, "login: ", pws.get_slot_login(slot), quiet)?;
+ }
+ if show_all || show_password {
+ print_pws_data(ctx, "password:", pws.get_slot_password(slot), quiet)?;
+ }
+ Ok(())
+ })
+}
+
+/// Write a PWS slot.
+pub fn pws_set(
+ ctx: &mut args::ExecCtx<'_>,
+ slot: u8,
+ name: &str,
+ login: &str,
+ password: &str,
+) -> Result<()> {
+ with_password_safe(ctx, |_ctx, mut pws| {
+ pws
+ .write_slot(slot, name, login, password)
+ .map_err(|err| get_error("Could not write PWS slot", err))
+ })
+}
+
+/// Clear a PWS slot.
+pub fn pws_clear(ctx: &mut args::ExecCtx<'_>, slot: u8) -> Result<()> {
+ with_password_safe(ctx, |_ctx, mut pws| {
+ pws
+ .erase_slot(slot)
+ .map_err(|err| get_error("Could not clear PWS slot", err))
+ })
+}
+
+fn print_pws_slot(
+ ctx: &mut args::ExecCtx<'_>,
+ pws: &nitrokey::PasswordSafe<'_, '_>,
+ slot: usize,
+ programmed: bool,
+) -> Result<()> {
+ if slot > u8::MAX as usize {
+ return Err(Error::from("Invalid PWS slot number"));
+ }
+ let slot = slot as u8;
+ let name = if programmed {
+ pws
+ .get_slot_name(slot)
+ .map_err(|err| get_error("Could not read PWS slot", err))?
+ } else {
+ "[not programmed]".to_string()
+ };
+ println!(ctx, "{}\t{}", slot, name)?;
+ Ok(())
+}
+
+/// Print the status of all PWS slots.
+pub fn pws_status(ctx: &mut args::ExecCtx<'_>, all: bool) -> Result<()> {
+ with_password_safe(ctx, |ctx, pws| {
+ let slots = pws
+ .get_slot_status()
+ .map_err(|err| get_error("Could not read PWS slot status", err))?;
+ println!(ctx, "slot\tname")?;
+ for (i, &value) in slots.iter().enumerate().filter(|(_, &value)| all || value) {
+ print_pws_slot(ctx, &pws, i, value)?;
+ }
+ Ok(())
+ })
+}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+
+ #[test]
+ fn prepare_secret_ascii() {
+ let result = prepare_ascii_secret("12345678901234567890");
+ assert_eq!(
+ "3132333435363738393031323334353637383930".to_string(),
+ result.unwrap()
+ );
+ }
+
+ #[test]
+ fn prepare_secret_non_ascii() {
+ let result = prepare_ascii_secret("Österreich");
+ assert!(result.is_err());
+ }
+
+ #[test]
+ fn hex_string() {
+ assert_eq!(format_bytes(&[b' ']), "20");
+ assert_eq!(format_bytes(&[b' ', b' ']), "2020");
+ assert_eq!(format_bytes(&[b'\n', b'\n']), "0a0a");
+ }
+}