p11-kit commands: Add --login option

Previously those tools determined whether a login is necessary by
checking the presence of "pin-value" query attribute in the URI.  It
was too implicit and against modern security practice.  This instead
asks users to specify --login option and if no "pin-value" is given,
it tries to read a PIN from the terminal.

Signed-off-by: Daiki Ueno <[email protected]>

p11-kit/add-profile.c

@@ -43,6 +43,10 @@
 #include "message.h"
 #include "tool.h"
 
+#ifdef OS_UNIX
+#include "tty.h"
+#endif
+
 #include <assert.h>
 #include <stdlib.h>
 #include <string.h>
@@ -60,7 +64,8 @@ p11_kit_add_profile (int argc,
 
 static int
 add_profile (const char *token_str,
-	     CK_PROFILE_ID profile)
+	     CK_PROFILE_ID profile,
+	     bool login)
 {
 	int ret = 1;
 	CK_RV rv;
@@ -99,8 +104,12 @@ add_profile (const char *token_str,
 	}
 
 	behavior = P11_KIT_ITER_WANT_WRITABLE | P11_KIT_ITER_WITH_TOKENS | P11_KIT_ITER_WITHOUT_OBJECTS;
-	if (p11_kit_uri_get_pin_value (uri))
+	if (login) {
 		behavior |= P11_KIT_ITER_WITH_LOGIN;
+#ifdef OS_UNIX
+		p11_kit_uri_set_pin_source (uri, "tty");
+#endif
+	}
 	iter = p11_kit_iter_new (uri, behavior);
 	if (iter == NULL) {
 		p11_message (_("failed to initialize iterator"));
@@ -171,25 +180,29 @@ p11_kit_add_profile (int argc,
 	int opt, ret = 2;
 	CK_ULONG profile = CKA_INVALID;
 	p11_dict *profile_nicks = NULL;
+	bool login = false;
 
 	enum {
 		opt_verbose = 'v',
 		opt_quiet = 'q',
 		opt_help = 'h',
 		opt_profile = 'p',
+		opt_login = 'l',
 	};
 
 	struct option options[] = {
 		{ "verbose", no_argument, NULL, opt_verbose },
 		{ "quiet", no_argument, NULL, opt_quiet },
 		{ "help", no_argument, NULL, opt_help },
 		{ "profile", required_argument, NULL, opt_profile },
+		{ "login", no_argument, NULL, opt_login },
 		{ 0 },
 	};
 
 	p11_tool_desc usages[] = {
 		{ 0, "usage: p11-kit add-profile --profile profile pkcs11:token" },
 		{ opt_profile, "specify the profile to add" },
+		{ opt_login, "login to the token" },
 		{ 0 },
 	};
 
@@ -225,6 +238,9 @@ p11_kit_add_profile (int argc,
 				goto cleanup;
 			}
 			break;
+		case opt_login:
+			login = true;
+			break;
 		case '?':
 			goto cleanup;
 		default:
@@ -246,9 +262,19 @@ p11_kit_add_profile (int argc,
 		goto cleanup;
 	}
 
-	ret = add_profile (*argv, profile);
+#ifdef OS_UNIX
+	/* Register a fallback PIN callback that reads from terminal.
+	 * We don't care whether the registration succeeds as it is a fallback.
+	 */
+	(void)p11_kit_pin_register_callback ("tty", p11_pin_tty_callback, NULL, NULL);
+#endif
+
+	ret = add_profile (*argv, profile, login);
 
 cleanup:
+#ifdef OS_UNIX
+	p11_kit_pin_unregister_callback ("tty", p11_pin_tty_callback, NULL);
+#endif
 	p11_dict_free (profile_nicks);
 
 	return ret;

p11-kit/delete-profile.c

@@ -43,6 +43,10 @@
 #include "message.h"
 #include "tool.h"
 
+#ifdef OS_UNIX
+#include "tty.h"
+#endif
+
 #include <assert.h>
 #include <stdlib.h>
 #include <string.h>
@@ -62,7 +66,8 @@ p11_kit_delete_profile (int argc,
 
 static int
 delete_profile (const char *token_str,
-		CK_PROFILE_ID profile)
+		CK_PROFILE_ID profile,
+		bool login)
 {
 	int ret = 1;
 	CK_RV rv;
@@ -99,8 +104,12 @@ delete_profile (const char *token_str,
 	}
 
 	behavior = P11_KIT_ITER_WANT_WRITABLE | P11_KIT_ITER_WITH_TOKENS | P11_KIT_ITER_WITHOUT_OBJECTS;
-	if (p11_kit_uri_get_pin_value (uri))
+	if (login) {
 		behavior |= P11_KIT_ITER_WITH_LOGIN;
+#ifdef OS_UNIX
+		p11_kit_uri_set_pin_source (uri, "tty");
+#endif
+	}
 	iter = p11_kit_iter_new (uri, behavior);
 	if (iter == NULL) {
 		p11_message (_("failed to initialize iterator"));
@@ -171,25 +180,29 @@ p11_kit_delete_profile (int argc,
 	int opt, ret = 2;
 	CK_ULONG profile = CKA_INVALID;
 	p11_dict *profile_nicks = NULL;
+	bool login = false;
 
 	enum {
 		opt_verbose = 'v',
 		opt_quiet = 'q',
 		opt_help = 'h',
 		opt_profile = 'p',
+		opt_login = 'l',
 	};
 
 	struct option options[] = {
 		{ "verbose", no_argument, NULL, opt_verbose },
 		{ "quiet", no_argument, NULL, opt_quiet },
 		{ "help", no_argument, NULL, opt_help },
 		{ "profile", required_argument, NULL, opt_profile },
+		{ "login", no_argument, NULL, opt_login },
 		{ 0 },
 	};
 
 	p11_tool_desc usages[] = {
 		{ 0, "usage: p11-kit delete-profile --profile profile pkcs11:token" },
 		{ opt_profile, "specify the profile to delete" },
+		{ opt_login, "login to the token" },
 		{ 0 },
 	};
 
@@ -225,6 +238,9 @@ p11_kit_delete_profile (int argc,
 				goto cleanup;
 			}
 			break;
+		case opt_login:
+			login = true;
+			break;
 		case '?':
 			goto cleanup;
 		default:
@@ -246,9 +262,19 @@ p11_kit_delete_profile (int argc,
 		goto cleanup;
 	}
 
-	ret = delete_profile (*argv, profile);
+#ifdef OS_UNIX
+	/* Register a fallback PIN callback that reads from terminal.
+	 * We don't care whether the registration succeeds as it is a fallback.
+	 */
+	(void)p11_kit_pin_register_callback ("tty", p11_pin_tty_callback, NULL, NULL);
+#endif
+
+	ret = delete_profile (*argv, profile, login);
 
 cleanup:
+#ifdef OS_UNIX
+	p11_kit_pin_unregister_callback ("tty", p11_pin_tty_callback, NULL);
+#endif
 	p11_dict_free (profile_nicks);
 
 	return ret;

p11-kit/export-object.c

@@ -46,6 +46,10 @@
 #include "pem.h"
 #include "tool.h"
 
+#ifdef OS_UNIX
+#include "tty.h"
+#endif
+
 #ifdef WITH_ASN1
 #include "asn1.h"
 #include "oid.h"
@@ -424,13 +428,15 @@ export_certificate (P11KitIter *iter,
 }
 
 static int
-export_object (const char *token_str)
+export_object (const char *token_str,
+	       bool login)
 {
 	int ret = 1;
 	CK_RV rv;
 	CK_FUNCTION_LIST **modules = NULL;
 	P11KitUri *uri = NULL;
 	P11KitIter *iter = NULL;
+	P11KitIterBehavior behavior;
 	CK_OBJECT_CLASS klass;
 	CK_ATTRIBUTE attr = { CKA_CLASS, &klass, sizeof (klass) };
 	p11_buffer buf;
@@ -455,7 +461,14 @@ export_object (const char *token_str)
 		goto cleanup;
 	}
 
-	iter = p11_kit_iter_new (uri, P11_KIT_ITER_WITH_LOGIN);
+	behavior = 0;
+	if (login) {
+		behavior |= P11_KIT_ITER_WITH_LOGIN;
+#ifdef OS_UNIX
+		p11_kit_uri_set_pin_source (uri, "tty");
+#endif
+	}
+	iter = p11_kit_iter_new (uri, behavior);
 	if (iter == NULL) {
 		p11_message (_("failed to initialize iterator"));
 		goto cleanup;
@@ -512,23 +525,27 @@ int
 p11_kit_export_object (int argc,
 		       char *argv[])
 {
-	int opt;
+	int opt, ret;
+	bool login = false;
 
 	enum {
 		opt_verbose = 'v',
 		opt_quiet = 'q',
 		opt_help = 'h',
+		opt_login = 'l',
 	};
 
 	struct option options[] = {
 		{ "verbose", no_argument, NULL, opt_verbose },
 		{ "quiet", no_argument, NULL, opt_quiet },
 		{ "help", no_argument, NULL, opt_help },
+		{ "login", no_argument, NULL, opt_login },
 		{ 0 },
 	};
 
 	p11_tool_desc usages[] = {
 		{ 0, "usage: p11-kit export-object pkcs11:token" },
+		{ opt_login, "login to the token" },
 		{ 0 },
 	};
 
@@ -543,6 +560,9 @@ p11_kit_export_object (int argc,
 		case opt_help:
 			p11_tool_usage (usages, options);
 			return 0;
+		case opt_login:
+			login = true;
+			break;
 		case '?':
 			return 2;
 		default:
@@ -559,5 +579,18 @@ p11_kit_export_object (int argc,
 		return 2;
 	}
 
-	return export_object (*argv);
+#ifdef OS_UNIX
+	/* Register a fallback PIN callback that reads from terminal.
+	 * We don't care whether the registration succeeds as it is a fallback.
+	 */
+	(void)p11_kit_pin_register_callback ("tty", p11_pin_tty_callback, NULL, NULL);
+#endif
+
+	ret = export_object (*argv, login);
+
+#ifdef OS_UNIX
+	p11_kit_pin_unregister_callback ("tty", p11_pin_tty_callback, NULL);
+#endif
+
+	return ret;
 }

p11-kit/generate-keypair.c

@@ -43,6 +43,10 @@
 #include "message.h"
 #include "tool.h"
 
+#ifdef OS_UNIX
+#include "tty.h"
+#endif
+
 #ifdef P11_KIT_TESTABLE
 #include "mock.h"
 #endif
@@ -255,7 +259,8 @@ generate_keypair (const char *token_str,
 		  CK_MECHANISM mechanism,
 		  CK_ULONG bits,
 		  const uint8_t *ec_params,
-		  size_t ec_params_len)
+		  size_t ec_params_len,
+		  bool login)
 {
 	int ret = 1;
 	CK_RV rv;
@@ -292,8 +297,12 @@ generate_keypair (const char *token_str,
 	}
 
 	behavior = P11_KIT_ITER_WANT_WRITABLE | P11_KIT_ITER_WITH_TOKENS | P11_KIT_ITER_WITHOUT_OBJECTS;
-	if (p11_kit_uri_get_pin_value (uri))
+	if (login) {
 		behavior |= P11_KIT_ITER_WITH_LOGIN;
+#ifdef OS_UNIX
+		p11_kit_uri_set_pin_source (uri, "tty");
+#endif
+	}
 	iter = p11_kit_iter_new (uri, behavior);
 	if (iter == NULL) {
 		p11_message (_("failed to initialize iterator"));
@@ -348,15 +357,17 @@ p11_kit_generate_keypair (int argc,
 	const uint8_t *ec_params = NULL;
 	size_t ec_params_len = 0;
 	CK_MECHANISM mechanism = { CKA_INVALID, NULL_PTR, 0 };
+	bool login = false;
 
 	enum {
 		opt_verbose = 'v',
 		opt_quiet = 'q',
 		opt_help = 'h',
-		opt_label = 'l',
+		opt_label = 'L',
 		opt_type = 't',
 		opt_bits = 'b',
 		opt_curve = 'c',
+		opt_login = 'l',
 	};
 
 	struct option options[] = {
@@ -367,6 +378,7 @@ p11_kit_generate_keypair (int argc,
 		{ "type", required_argument, NULL, opt_type },
 		{ "bits", required_argument, NULL, opt_bits },
 		{ "curve", required_argument, NULL, opt_curve },
+		{ "login", no_argument, NULL, opt_login },
 		{ 0 },
 	};
 
@@ -377,6 +389,7 @@ p11_kit_generate_keypair (int argc,
 		{ opt_type, "type of keys to generate" },
 		{ opt_bits, "number of bits for key generation" },
 		{ opt_curve, "name of the curve for key generation" },
+		{ opt_login, "login to the token" },
 		{ 0 },
 	};
 
@@ -410,6 +423,9 @@ p11_kit_generate_keypair (int argc,
 				goto cleanup;
 			}
 			break;
+		case opt_login:
+			login = true;
+			break;
 		case opt_verbose:
 			p11_kit_be_loud ();
 			break;
@@ -439,9 +455,19 @@ p11_kit_generate_keypair (int argc,
 	if (!check_args (mechanism.mechanism, bits, ec_params))
 		goto cleanup;
 
-	ret = generate_keypair (*argv, label, mechanism, bits, ec_params, ec_params_len);
+#ifdef OS_UNIX
+	/* Register a fallback PIN callback that reads from terminal.
+	 * We don't care whether the registration succeeds as it is a fallback.
+	 */
+	(void)p11_kit_pin_register_callback ("tty", p11_pin_tty_callback, NULL, NULL);
+#endif
+
+	ret = generate_keypair (*argv, label, mechanism, bits, ec_params, ec_params_len, login);
 
 cleanup:
+#ifdef OS_UNIX
+	p11_kit_pin_unregister_callback ("tty", p11_pin_tty_callback, NULL);
+#endif
 	free (label);
 
 	return ret;