| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| |
|
|
| |
This patch implements the `otp clear` subcommand that erases an OTP slot.
|
| |
|
|
|
|
|
|
|
|
| |
This patch implements the `otp set` subcommand that configures an OTP
slot. There are two ways to specify an OTP secret: as a hexadecimal
string (that means that every two characters are interpreted as a
hexadecimal representation of one byte of the secret) or as an ASCII
string (that means that the ASCII code of every character is interpreted
as one byte of the secret). As the HOTP RFC mentions both
representations, this implementation supports both.
|
| |
|
|
|
|
|
| |
This patch implements the `otp get` subcommand that allows the user to
generate a one-time password on the Nitrokey device. Before generating
the password, the device configuration is checked so that the user only
has to enter a PIN if it is required for the OTP generation.
|
| |
|
|
|
| |
This patch adds the `otp` top-level command. Its subcommands provide
access to one-time passwords on the Nitrokey.
|
| |
|
|
|
|
| |
This patch implements authentication with the user or admin PIN. This
is a preparation for the `otp get` and `otp set` commands which require
user and admin access to the Nitrokey.
|
| |
|
|
|
|
| |
Currently, we only clear the user PIN if clear is called. This patch
changes the clear command to also clear the admin PIN as we will start
to use the admin PIN in upcoming patches.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, `open` directly calls the `pinentry` module and loops until
the user entered a correct passphrase or the retry limit is reached.
This patch moves the pinentry call and the loop into the
`try_with_passphrase_and_data` function. This function queries a
passphrase of a given type and executes a function with that passphrase.
This function has a data argument and may return data that is passed to
the next call of the function (if it failed).
This data-passing mechanism is required for the `nitrokey`
authentication functions: These functions take ownership of the device
and either return an authenticated device after successful
authentication, or an error including the unauthenticated device if the
authentication failed. This patch enables the usage of these functions
in future patches.
|
| |
|
|
|
|
|
| |
Currently, invalid UTF-8 code points in the passphrase returned by
pinentry are replaced with replacement characters by
`String::from_utf8_lossy`. This patch changes the code to use
`String::from_utf8` and returns an UTF-8 error if encountered.
|
| |
|
|
|
|
|
|
|
| |
This patch replaces the macro for argument parsing with
`argparse::ArgumentParser` from the argparse crate. It moves the
application logic to the `commands` module and the argument parsing to
the `options` module. An enum is used to represent the available
commands. The code is based on the `subcommands.rs` example shipped
with argparse.
|
| |
|
|
|
|
|
| |
In order to prepare for the new argument parsing support based on the
argparse crate, this change factors out the existing code used for
responding to commands in a new file, commands.rs. No semantic change is
introduced.
|
| |
|
|
|
|
|
| |
Spaces in the arguments for gpg-connect-agent’s `GET_PASSPHRASE` command
have to be esaced using a plus sign. Somehow this was missing for the
prompt argument. This patch adds escaping for the prompt so that the
pinentry dialog is displayed correctly.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
An automated code formatter can help tremendously in reducing the amount
of cognitive energy wasted on thinking about the "best" formatting of
code as well as the number of nitpicks reviews typically get -- the
format is machine checked (and enforced) and there is usually little to
no discussion about the validity.
To reach the goal of having such automated enforcement, we want to run
the rustfmt tool as part of the CI pipeline. With rustfmt having reached
1.0 recently, the believe is that by now the formatting is reasonably
stable and usable for this purpose.
In that light, this change formats the code using rustfmt and prepares
for such an automated style check.
|
| |
|
|
|
|
|
| |
After the switch to using the nitrokey crate for communication with the
device, we have to warnings standing in the way of enabling clippy
unconditionally for the nitrocli crate. This change fixes those two
warnings.
|
| |
|
|
|
|
|
| |
Currently, the nitrokey crate is renamed to libnitrokey in Cargo.toml as
there used to exist a nitrokey module in this crate. As this module
does no longer exist and is not likely to return, this patch removes the
customized name for the nitrokey crate.
|
| |
|
|
|
|
|
|
|
| |
This patch removes all dependencies that are no longer required since
the hidapi communication is replaced by libnitrokey.
Delete subrepo hid/:hid
Delete subrepo hidapi-sys/:hidapi-sys
Delete subrepo pkg-config/:pkg-config
|
| |
|
|
|
|
| |
This patch removes the raw hidapi implementation of the status command
and all utility methods that are no longer needed. With this patch, all
device communication is performed using libnitrokey.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch removes the raw hidapi implementations of the Enable
Encrypted Volume and Disable Encrypted Volume commands and replaces them
with the methods enable_encrypted_volume and disable_encrypted_volume of
the Storage struct provided by the nitrokey trait.
To provide some context to the error messages, the errors are wrapped
using the map_err method of the Result enum and the get_error function
that combines a nitrokey error code and a string into a nitrocli error.
It would be more idiomatic to define a conversion from a nitrokey error
to a nitrocli error, but then we would lose information about the
context of the error.
|
| |
|
|
|
|
|
|
| |
Given that development is picking up speed again we should accept all
the help we get from the compiler to catch issues as early as possible.
To that end, this change enables more lints for the program. As "usual",
lints that are suspected to potentially change in future versions of
Rust are reported as warnings and not errors.
|
| |
|
|
|
|
|
| |
With the 1.31 release of Rust support for Edition 2018 has reached
the stable tool chain.
This change enables compilation based off of this new edition for the
crate. This change resolves issue #6.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
With a recent Rust version upgrade hidden lifetime parameters cause a
warning of the form:
> warning: hidden lifetime parameters in types are deprecated
> --> src/error.rs:58:25
> |
> 58 | fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
> | ^^^^^^^^^^^^^^- help: indicate the anonymous lifetime: `<'_>`
This change adjusts the code to make those lifetimes explicit (while
keeping them anonymous).
|
| |
|
|
|
|
|
|
| |
This change enables the rust_2018_idioms lint which helps enforce the
usage of Rust 2018 code idioms. A while back the "impl trait" feature
stabilized and along with it trait objects are supposed to be prefixed
with "dyn".
This change adjusts the code accordingly.
|
| |
|
|
|
|
|
|
| |
In preparation for the switch to using Rust 2018, this change enables
the rust_2018_compatibility lint. Along with that enablement we fix the
warnings emitted by it, which evolve around the module system changes
Rust has gone through and that require us to prefix initial uses of
crate local modules with "crate".
|
| | |
|
| |
|
|
|
|
|
|
| |
Currently, the pinentry module only supports querying the user PIN. The
Nitrokey devices also have an admin PIN. This patch adds support for
querying multiple PIN types to the pinentry module. While this is
currently not used, it will be needed to add support for administrative
commands like unlocking the device or changeing the user PIN.
|
| |
|
|
|
|
|
|
|
| |
Currently, the error message for a wrong password is printed to the
standard output. Yet the standard output might not be visible to the
user if they are using the curses frontend for pinentry. Pinentry
already supports displaying an error message in the passphrase prompt.
This patch moves the error message from the standard output to the
pinentry prompt.
|
| |
|
|
|
|
|
|
| |
The GnuPG documentation [0] refers to the GET_PASSPHRASE arguments as
“error message”, “prompt” and “description”. This patch changes the
names of the constants for these arguments to match the documented names.
[0] https://www.gnupg.org/documentation/manuals/gnupg/Agent-GET_005fPASSPHRASE.html#Agent-GET_005fPASSPHRASE
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the application name (nitrocli) and the type of the
requested PIN (user PIN) to the cache ID user with pinentry to conform
with the GnuPG documentation [0]:
> By convention either the hexified fingerprint of the key shall be used
> for cache_id or an arbitrary string prefixed with the name of the
> calling application and a colon: Like gpg:somestring.
[0] https://www.gnupg.org/documentation/manuals/gnupg/Agent-GET_005fPASSPHRASE.html#Agent-GET_005fPASSPHRASE
|
| |
|
|
|
| |
The clippy tool has a couple of suggestions on how to improve the code.
This change applies them to the project's code base.
|
| |
|
|
|
|
|
|
|
|
|
| |
In the past the Nitrokey Storage device reported wrong CRC values for
certain commands, e.g., the closing of an encrypted volume. This problem
was tracked by issue 32: Nitrokey/nitrokey-storage-firmware#32
Firmware version 0.47 includes a fix for the problem. With this change
we remove the workaround for the incorrect CRC from nitrocli. By doing
so, we require the Nitrokey Storage to be running firmware 0.47 or
higher to be properly usable.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The nitrokey-storage-firmware package defines an array of four byte
values to hold information about the firmware version. libnitrokey uses
a similar definition but overlays it with some more semantically
meaningful information by putting it into a union:
union {
uint8_t VersionInfo_au8[4];
struct {
uint8_t __unused;
uint8_t major;
uint8_t __unused2;
uint8_t minor;
} versionInfo;
};
In order to derive the firmware version representation for nitrocli we
used the same major/minor version definition as libnitrokey. This
definition, however, is wrong or at least not in line with how the
firmware is versioned officially.
This change reworks the way we interpret the version information
reported by the Nitrokey Storage device. Like the firmware, we treat the
first byte as the major version and the second one as the minor version.
The remaining two bytes seem to represent the build number and an
internal version according to usage of those fields in
nitrokey-storage-firmware but we ignore both to keep the reported string
similar to that of the nitrokey-app.
|
| |
|
|
|
|
|
|
| |
When closing the encrypted volume we could potentially cause the volume
to be in an inconsistent state if writes to it were cached by the
operating system.
To mitigate this case this patch causes an invocation to the sync(2)
system call to flush outstanding writes to disk.
|
| |
|
|
|
|
|
|
|
| |
Until now we treated any response but "ok" and "idle" to the encrypted
volume opening command as an error and reported it. However, the opening
process is a potentially long running and it is very likely that the
nitrokey reports a couple of "busy" messages.
This change implements the logic to wait until the nitrokey either
reports an error or a successful open.
|
| |
|
|
|
|
|
|
|
|
| |
We currently unconditionally use gpg-agent to enter the PIN to use when
opening the encrypted volume. The agent has the advantage of caching the
password for us so that subsequent invocations against the same cache
entry can be served without user interaction.
For various reasons, however, it can be desirable to have the ability to
remove this entry from the cache. This change introduces a new command
'clear' that achieves precisely this task.
|
| |
|
|
|
|
|
|
|
|
| |
When a wrong password is entered when attempting to open the encrypted
volume the nitrokey will report that in the form of an error. In such a
case we should retry the operation after asking the user for the
corrected password.
This change implements this logic. Note that because we use gpg-agent
for the PIN inquiry and because it caches passwords by default we must
make sure to clear the cache before retrying.
|
| |
|
|
|
|
|
|
|
|
|
| |
The nitrokey supports a status command that instructs it to report
details about itself. This data includes general useful information such
as the current version of the firmware being installed along with more
contextual bits such as the number of remaining retries for the user
and admin PINs or whether the different volumes (unencrypted, encrypted,
hidden) are writable.
This change introduces the 'status' command line option that can be used
to retrieve this information from the nitrokey and to display it.
|
| |
|
|
|
|
|
|
|
|
| |
The nitrokey embeds a wrong CRC code into the response for certain
commands. When closing the encrypted volume, for example, the CRC code
never matches the actual report data. This problem is tracked by issue
32: https://github.com/Nitrokey/nitrokey-storage-firmware/issues/32
To work around this problem for now we unfortunately have to ignore the
result of the CRC check. This change adjusts the code to do that.
|
| |
|
|
|
|
|
|
|
| |
The send a report, wait for some time, and receive a response pattern is
used in many places already and more are to come. In fact, no send
should ever happen without the wait for a response.
To that end, this change introduces a new 'transmit' function that
performs the exactly this task: send a report and return the response to
it.
|
| |
|
|
|
|
|
|
|
|
| |
It is possible that sending or receiving a feature report fails. Such
failures can have multiple reasons, including transient problems. In the
case of such a transient failure we should retry the operation.
This change accomplishes this feat by retrying a send in case of a
failure up to a maximum of three times, with a small wait in between. It
also introduces the logic or receiving a response (which is not yet
evaluated fully).
|
| |
|
|
|
|
|
|
|
| |
By just sending a command to the nitrokey alone we have no idea of what
actually happened on the side of the nitrokey. A command could simply be
invalid in the current context or the stick could be busy or in a
failure state.
In order to determine the success of an operation, this change adds the
logic to retrieve the response from the nitrokey as well.
|
| |
|
|
|
|
|
|
| |
Commands to the nitrokey all must follow a similar pattern in that they
all require to have a constructor (i.e., a new() method) and need to
implement the AsRef trait for byte slices.
For we require more commands in the future, this change introduces
macros that simplify creation of command objects.
|
| |
|
|
|
|
|
| |
With this change we assemble a HID feature report and send it to the
nitrokey device. Feature reports are the objects used for sending
commands to the nitrokey. We create two different reports for
opening and closing of the encrypted volume.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We do not want to roll our own infrastructure for entering a password
(or PIN) securely, as there are existing providers of such
functionality. gpg-agent, which uses pinentry for this very purpose, is
such a program and we can safely assume to be present because we use it
with the smartcard part of the nitrokey.
This change introduces a new module, pinentry.rs, that provides the
means to invoke gpg-agent to ask the user for a PIN and to parse the
result. Using gpg-agent like this has two advantages that other
solutions do not necessarily provide: first, because we use gpg-agent
anyway it's pinentry configuration is as the user desires it and, hence,
the integration appears seamless. And second, the agent caches
pass phrases which alleviates the need for repeated entry should the
credential be required again.
|
| |
|
|
|
|
|
|
|
|
|
| |
This change uses the 'hid' crate to discover and open the Nitrokey
Storage device. 'hid' is a wrapper around libhidapi (its libusb back-end
in particular).
Being a command line application some sort of parameter handling needs
to happen. The approach we take is very simple for now to minimize the
number of dependencies: we just compare the first argument against the
expected ones and raise an error if no match was found. Because we only
have positional arguments right now this is all we need.
|
|
|
This change adds the basic scaffolding for the nitrocli application. The
scaffolding was created using the following command:
$ cargo new --bin nitrocli
The application aims at providing a command line interface for the
Nitrokey Storage device.
|
