Always style PIN names as "User PIN" and "Admin PIN", in user interactions.

Heiko Schaefer 2022-04-21 13:33:42 +02:00
parent fe8768298b
commit 3dadc5d16f
No known key found for this signature in database
GPG key ID: 4A849A1904CCBD7D
2 changed files with 43 additions and 43 deletions

@ -132,7 +132,7 @@ To bind the decryption and authentication subkeys (if any) to the signing key, t
``` ```
$ opgpcard pubkey $ opgpcard pubkey
OpenPGP card ABCD:01234567 OpenPGP card ABCD:01234567
Enter user PIN: Enter User PIN:
-----BEGIN PGP PUBLIC KEY BLOCK----- -----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: F9C7 97CB 1AF2 1C68 AEEC 8D4D 1002 89F5 5EF6 B2D4 Comment: F9C7 97CB 1AF2 1C68 AEEC 8D4D 1002 89F5 5EF6 B2D4
Comment: baz Comment: baz
@ -164,7 +164,7 @@ You can query a specific card
$ opgpcard pubkey -c ABCD:01234567 $ opgpcard pubkey -c ABCD:01234567
``` ```
And/or pass the user PIN as a file, for non-interactive use": And/or pass the User PIN as a file, for non-interactive use":
``` ```
$ opgpcard pubkey -p <user-pin-file> $ opgpcard pubkey -p <user-pin-file>
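Review bot: The changed line `And/or pass the User PIN as a file, for non-interactive use":` still carries the stray `"` before the colon from the old text. Since the line is being touched anyway, drop the quote so the sentence ends in `for non-interactive use:`.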
@ -274,7 +274,7 @@ $ opgpcard info --card ABCD:01234567
### Admin commands ### Admin commands
All `admin` commands need the admin PIN. It can be provided as a file, with `-P <admin-pin-file>`, All `admin` commands need the Admin PIN. It can be provided as a file, with `-P <admin-pin-file>`,
for non-interactive use. for non-interactive use.
Alternatively, the PIN can be entered interactively on the host computer, or via a pinpad if the OpenPGP card is Alternatively, the PIN can be entered interactively on the host computer, or via a pinpad if the OpenPGP card is
@ -338,9 +338,9 @@ be imported for the other roles.
#### Generate Keys on the card #### Generate Keys on the card
Key generation needs both the admin PIN and the user PIN (the user PIN is needed to export the new key as a public key). Key generation needs both the Admin PIN and the User PIN (the User PIN is needed to export the new key as a public key).
The user PIN can be provided with the `-p <user-pin-file>`, or interactively on the host computer or via the smartcard The User PIN can be provided with the `-p <user-pin-file>`, or interactively on the host computer or via the smartcard
reader pinpad. reader pinpad.
``` ```
@ -430,9 +430,9 @@ When a user has entered a wrong User PIN too often, the card goes into a blocked
User PIN successfully is not possible anymore. The purpose of this is to prevent attackers from trying all possible User PIN successfully is not possible anymore. The purpose of this is to prevent attackers from trying all possible
PINs (e.g. after stealing a card). PINs (e.g. after stealing a card).
To be able to use the card again, the user PIN must be "reset". To be able to use the card again, the User PIN must be "reset".
A user PIN reset can be performed by presenting the Admin PIN. A User PIN reset can be performed by presenting the Admin PIN.
#### The resetting code #### The resetting code
@ -448,9 +448,9 @@ their cards. Instead, an admin may define a resetting code and give that code to
On unconfigured (or factory reset) cards, the Resetting Code is typically unset. On unconfigured (or factory reset) cards, the Resetting Code is typically unset.
#### Set a new user PIN #### Set a new User PIN
Setting a new user PIN requires the admin PIN: Setting a new User PIN requires the Admin PIN:
``` ```
$ opgpcard pin -c ABCD:01234567 set-user $ opgpcard pin -c ABCD:01234567 set-user
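Review bot: The context line in this hunk writes "Resetting Code" capitalised, while the headings "The resetting code" and "Configuring the resetting code" and the prompt "Enter resetting code:" use lower case. The commit settles on one spelling for the two PINs; consider choosing one for the resetting code as well, so the README and the prompts agree.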
@ -462,9 +462,9 @@ For non-interactive PIN change:
$ opgpcard pin -c ABCD:01234567 set-user -p <old-user-pin-file> -q <new-user-pin-file> $ opgpcard pin -c ABCD:01234567 set-user -p <old-user-pin-file> -q <new-user-pin-file>
``` ```
#### Set new admin PIN #### Set new Admin PIN
This requires the (previous) admin PIN. This requires the (previous) Admin PIN.
``` ```
$ opgpcard pin -c ABCD:01234567 set-admin $ opgpcard pin -c ABCD:01234567 set-admin
@ -476,10 +476,10 @@ For non-interactive PIN change:
$ opgpcard pin -c ABCD:01234567 set-admin -p <old-admin-pin-file> -q <new-admin-pin-file> $ opgpcard pin -c ABCD:01234567 set-admin -p <old-admin-pin-file> -q <new-admin-pin-file>
``` ```
#### Reset user PIN with admin PIN #### Reset User PIN with Admin PIN
The user PIN can be reset to a different (or the same) PIN by providing the admin PIN. The User PIN can be reset to a different (or the same) PIN by providing the Admin PIN.
This is possible at any time, including when a wrong user PIN has been entered too often, and the card refuses to accept the user PIN any more. This is possible at any time, including when a wrong User PIN has been entered too often, and the card refuses to accept the User PIN any more.
``` ```
$ opgpcard pin -c ABCD:01234567 reset-user $ opgpcard pin -c ABCD:01234567 reset-user
@ -493,10 +493,10 @@ $ opgpcard pin -c ABCD:01234567 reset-user -P <admin-pin-file> -p <new-user-pin-
#### Configuring the resetting code #### Configuring the resetting code
The resetting code is an alternative mechanism to recover from a lost or locked user PIN. The resetting code is an alternative mechanism to recover from a lost or locked User PIN.
You can set the resetting code after verifying the admin PIN. Once a resetting code is configured on your card, You can set the resetting code after verifying the Admin PIN. Once a resetting code is configured on your card,
you can use that code to reset the user PIN without needing the admin PIN. you can use that code to reset the User PIN without needing the Admin PIN.
``` ```
$ opgpcard pin -c 0006:16019180 set-reset $ opgpcard pin -c 0006:16019180 set-reset
@ -508,15 +508,15 @@ To non-interactively set the resetting code:
$ opgpcard pin -c 0006:16019180 set-reset -P <admin-pin-file> -r <resetting-code-file> $ opgpcard pin -c 0006:16019180 set-reset -P <admin-pin-file> -r <resetting-code-file>
``` ```
#### Reset user PIN with the resetting code #### Reset User PIN with the resetting code
If a resetting code is configured on a card, you can use that code to reset the user PIN: If a resetting code is configured on a card, you can use that code to reset the User PIN:
``` ```
$ opgpcard pin -c 0006:16019180 reset-user-rc $ opgpcard pin -c 0006:16019180 reset-user-rc
Enter resetting code: Enter resetting code:
Enter new user PIN: Enter new User PIN:
Repeat the new user PIN: Repeat the new User PIN:
User PIN has been set. User PIN has been set.
``` ```
@ -541,7 +541,7 @@ NOTE: you do not need a PIN to reset a card!
When using a shell like When using a shell like
[bash](https://www.gnu.org/software/bash/manual/html_node/Redirections.html#Here-Strings) [bash](https://www.gnu.org/software/bash/manual/html_node/Redirections.html#Here-Strings)
, you can pass user and/or admin PINs via file-descriptors (instead of from a file on disk): , you can pass User- and/or Admin PINs via file-descriptors (instead of from a file on disk):
``` ```
$ opgpcard sign --detached -c ABCD:01234567 -p /dev/fd/3 -s <cert-file> 3<<<123456 $ opgpcard sign --detached -c ABCD:01234567 -p /dev/fd/3 -s <cert-file> 3<<<123456
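Review bot: The example that follows the changed sentence puts the PIN literal on the command line (`3<<<123456`), so it is recorded in shell history. Consider adding a sentence to this paragraph suggesting that the here-string be fed from a variable filled by a silent prompt, so readers do not copy the literal form for a real PIN.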
@ -556,4 +556,4 @@ $ opgpcard admin -c ABCD:01234567 -P /dev/fd/3 generate -p /dev/fd/4 -o <output-
If your OpenPGP card is inserted in a card reader with a pinpad, this tool If your OpenPGP card is inserted in a card reader with a pinpad, this tool
offers you the option to use the pinpad to enter the User- or Admin PINs. offers you the option to use the pinpad to enter the User- or Admin PINs.
To do this, you can omit the `-p` and/or `-P` parameters. Then you will To do this, you can omit the `-p` and/or `-P` parameters. Then you will
be prompted to enter the user or admin PINs where needed. be prompted to enter the user or Admin PINs where needed.
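Review bot: The last changed line reads "enter the user or Admin PINs", so "user" is still lower case and the sentence mixes both styles. It should match the form used two lines up, "User- or Admin PINs".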

@ -27,8 +27,8 @@ use std::io::Write;
mod cli; mod cli;
mod util; mod util;
const ENTER_USER_PIN: &str = "Enter user PIN:"; const ENTER_USER_PIN: &str = "Enter User PIN:";
const ENTER_ADMIN_PIN: &str = "Enter admin PIN:"; const ENTER_ADMIN_PIN: &str = "Enter Admin PIN:";
fn main() -> Result<(), Box<dyn std::error::Error>> { fn main() -> Result<(), Box<dyn std::error::Error>> {
env_logger::init(); env_logger::init();
@ -169,8 +169,8 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
None => { None => {
// ask user for new user pin // ask user for new user pin
util::input_pin_twice( util::input_pin_twice(
"Enter new user PIN: ", "Enter new User PIN: ",
"Repeat the new user PIN: ", "Repeat the new User PIN: ",
)? )?
} }
Some(path) => load_pin(&path)?, Some(path) => load_pin(&path)?,
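Review bot: The prompt pair "Enter new User PIN: " / "Repeat the new User PIN: " is a string literal here and again in the hunks at -255 and -329, while the single-entry prompts live in the `ENTER_USER_PIN` and `ENTER_ADMIN_PIN` constants. Moving the repeated prompts (and "Failed to change the User PIN!") into constants next to those two would make the next wording change a one-line edit. The constants end in ":" while these literals end in ": ", which is also worth making uniform.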
@ -182,13 +182,13 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
// set new user pin via pinpad // set new user pin via pinpad
open.change_user_pin_pinpad(&|| { open.change_user_pin_pinpad(&|| {
println!( println!(
"Enter old user PIN on card reader pinpad, then new user PIN (twice)." "Enter old User PIN on card reader pinpad, then new User PIN (twice)."
) )
}) })
}; };
if res.is_err() { if res.is_err() {
println!("\nFailed to change the user PIN!"); println!("\nFailed to change the User PIN!");
println!("{:?}", res); println!("{:?}", res);
if let Err(err) = res { if let Err(err) = res {
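Review bot: In the failure branch, `println!("{:?}", res);` prints the Debug form of the result to the user right after "Failed to change the User PIN!", and the matching branch in the hunk at -268 does not. If this is leftover debugging output, remove it or route it through the logger (`env_logger` is already initialised in `main`); otherwise both branches should behave the same.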
@ -215,8 +215,8 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
None => { None => {
// ask user for new admin pin // ask user for new admin pin
util::input_pin_twice( util::input_pin_twice(
"Enter new admin PIN: ", "Enter new Admin PIN: ",
"Repeat the new admin PIN: ", "Repeat the new Admin PIN: ",
)? )?
} }
Some(path) => load_pin(&path)?, Some(path) => load_pin(&path)?,
@ -228,7 +228,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
// set new admin pin via pinpad // set new admin pin via pinpad
open.change_admin_pin_pinpad(&|| { open.change_admin_pin_pinpad(&|| {
println!( println!(
"Enter old admin PIN on card reader pinpad, then new admin PIN (twice)." "Enter old Admin PIN on card reader pinpad, then new Admin PIN (twice)."
) )
})?; })?;
}; };
@ -247,7 +247,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
open.verify_admin(&admin_pin)?; open.verify_admin(&admin_pin)?;
} }
None => { None => {
open.verify_admin_pinpad(&|| println!("Enter admin PIN on pinpad."))?; open.verify_admin_pinpad(&|| println!("Enter Admin PIN on pinpad."))?;
} }
} }
println!("PIN was accepted by the card.\n"); println!("PIN was accepted by the card.\n");
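Review bot: The closure here prints "Enter Admin PIN on pinpad.", while the User PIN prompts in `print_pubkey` and `generate_keys` say "Enter User PIN on card reader pinpad.". The same closure text appears again in the hunk at -288. Since this commit is about consistent wording in user interactions, align these prompts to one phrasing.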
@ -255,8 +255,8 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
// ask user for new user pin // ask user for new user pin
let pin = match user_pin_new { let pin = match user_pin_new {
None => util::input_pin_twice( None => util::input_pin_twice(
"Enter new user PIN: ", "Enter new User PIN: ",
"Repeat the new user PIN: ", "Repeat the new User PIN: ",
)?, )?,
Some(path) => load_pin(&path)?, Some(path) => load_pin(&path)?,
}; };
@ -268,7 +268,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
}; };
if res.is_err() { if res.is_err() {
println!("\nFailed to change the user PIN!"); println!("\nFailed to change the User PIN!");
if let Err(err) = res { if let Err(err) = res {
print_gnuk_note(err, &open)?; print_gnuk_note(err, &open)?;
} }
@ -288,7 +288,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
open.verify_admin(&admin_pin)?; open.verify_admin(&admin_pin)?;
} }
None => { None => {
open.verify_admin_pinpad(&|| println!("Enter admin PIN on pinpad."))?; open.verify_admin_pinpad(&|| println!("Enter Admin PIN on pinpad."))?;
} }
} }
println!("PIN was accepted by the card.\n"); println!("PIN was accepted by the card.\n");
@ -329,8 +329,8 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
// ask user for new user pin // ask user for new user pin
let pin = match user_pin_new { let pin = match user_pin_new {
None => util::input_pin_twice( None => util::input_pin_twice(
"Enter new user PIN: ", "Enter new User PIN: ",
"Repeat the new user PIN: ", "Repeat the new User PIN: ",
)?, )?,
Some(path) => load_pin(&path)?, Some(path) => load_pin(&path)?,
}; };
@ -338,7 +338,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
// reset to new user pin // reset to new user pin
match open.reset_user_pin(&rst, &pin) { match open.reset_user_pin(&rst, &pin) {
Err(err) => { Err(err) => {
println!("\nFailed to change the user PIN!"); println!("\nFailed to change the User PIN!");
print_gnuk_note(err, &open)?; print_gnuk_note(err, &open)?;
} }
Ok(_) => println!("\nUser PIN has been set."), Ok(_) => println!("\nUser PIN has been set."),
@ -662,7 +662,7 @@ fn print_pubkey(ident: Option<String>, user_pin: Option<PathBuf>) -> Result<()>
key_dec, key_dec,
key_aut, key_aut,
user_pin.as_deref(), user_pin.as_deref(),
&|| println!("Enter user PIN on card reader pinpad."), &|| println!("Enter User PIN on card reader pinpad."),
)?; )?;
let armored = String::from_utf8(cert.armored().to_vec()?)?; let armored = String::from_utf8(cert.armored().to_vec()?)?;
@ -813,7 +813,7 @@ fn get_cert(
if user_pin.is_none() && open.feature_pinpad_verify() { if user_pin.is_none() && open.feature_pinpad_verify() {
println!( println!(
"The public cert will now be generated.\n\n\ "The public cert will now be generated.\n\n\
You will need to enter your user PIN multiple times during this process.\n\n" You will need to enter your User PIN multiple times during this process.\n\n"
); );
} }
@ -870,7 +870,7 @@ fn generate_keys(
// need "signing" access to the card (to make binding signatures within // need "signing" access to the card (to make binding signatures within
// the Cert). // the Cert).
let cert = get_cert(&mut open, key_sig, key_dec, key_aut, user_pin, &|| { let cert = get_cert(&mut open, key_sig, key_dec, key_aut, user_pin, &|| {
println!("Enter user PIN on card reader pinpad.") println!("Enter User PIN on card reader pinpad.")
})?; })?;
let armored = String::from_utf8(cert.armored().to_vec()?)?; let armored = String::from_utf8(cert.armored().to_vec()?)?;