Revert accidental commit of WIP
andsens committed May 31, 2024
1 parent 0daf780 commit 936f597
Showing 2 changed files with 12 additions and 29 deletions.
16 changes: 7 additions & 9 deletions bin/step
Expand Up @@ -24,20 +24,18 @@ step() {
local p11_kit_socket="$XDG_RUNTIME_DIR/p11-kit/pkcs11"
if [[ -S "$p11_kit_socket" ]] && ! ${STEP_SKIP_P11_KIT:-false}; then
"$pkgroot/.upkg/.bin/checkdeps" p11tool
local token_urls=() token_filter=(
'manufacturer=Yubico%20%28www.yubico.com%29'
'model=Intel.*serial=0000000000000000;token=.\+'
)
readarray -t token_urls < <(p11tool --list-token-urls | grep "$(join_by $'\n' "${token_filter[@]}")")
[[ ${#token_urls[@]} -gt 0 ]] || fatal "No smartcards found"
[[ ${#token_urls[@]} -eq 1 ]] || fatal "%d smartcards detected, remove all but one" "${#token_urls[@]}"
local yubikey_serials=()
readarray -t yubikey_serials < <(p11tool --list-token-urls | grep manufacturer=Yubico%20%28www.yubico.com%29 | sed 's/.*;serial=\([0-9]\+\);.*/\1/g')
[[ ${#yubikey_serials[@]} -gt 0 ]] || fatal "No YubiKeys found"
[[ ${#yubikey_serials[@]} -eq 1 ]] || fatal "%d YubiKeys detected, remove all but one" "${#yubikey_serials[@]}"
if [[ -z $PIN ]]; then
export PIN
# shellcheck disable=2059
PIN=$("$pkgroot/.upkg/.bin/pinentry-wrapper" "PIN" --desc "$(printf -- "${STEP_PIN_DESC:-"Smallstep CLI requires access to your smartcard in order to authenticate with step-ca"}" "${token_urls[0]}")")
PIN=$(pinentry-wrapper "PIN" --desc "$(printf -- "${STEP_PIN_DESC:-"Smallstep CLI requires access to your YubiKey in order to authenticate with step-ca
YubiKey #%s"}" "${yubikey_serials[0]}")")
fi
additional_opts+=(
-e "TOKEN_URL=${token_urls[0]}" -e PIN
-e "YKSERIAL=${yubikey_serials[0]}" -e PIN
-v "$p11_kit_socket:$p11_kit_socket"
)
elif ${STEP_SKIP_P11_KIT:-false}; then
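Review bot: The serial extraction on the restored `readarray` line lets non-matching lines through, because `sed 's/…/\1/g'` prints its input unchanged when the pattern does not match, so a Yubico token URL without a `;serial=<digits>;` field would land in `yubikey_serials` as a whole URL and later be spliced into the `token=YubiKey%20PIV%20%23…` label by the wrapper; `sed -n 's/.*;serial=\([0-9]\+\);.*/\1/p'` keeps only real serials. A failure of `p11tool` itself is also invisible here, since the exit status of a process substitution never reaches `readarray`, so a broken p11-kit socket is reported as "No YubiKeys found" instead of the real error. Separately, the revert returns `pinentry-wrapper` to a bare PATH lookup where the removed line invoked `"$pkgroot/.upkg/.bin/pinentry-wrapper"` explicitly; if that path fix was not part of the WIP it is worth keeping, as a PIN prompt is an attractive binary to shadow on PATH. `step()` begins before this hunk.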
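--- a/step-wrapper.sh
+++ b/step-wrapper.sh
@@ -14,29 +14,14 @@ step_wrapper() {
 fi
 local config config_path=$STEPPATH/config/defaults.json
 config=$(cat "$config_path")
-if [[ -n $TOKEN_URL ]]; then
-case "$(get_pkcs11_url_val model <<<"${TOKEN_URL:?}")" in
-YubiKey*)
-config=$(jq --arg token_url "$TOKEN_URL" --arg pin "${PIN:?}" \
-'.kms="pkcs11:module-path=/usr/lib/pkcs11/p11-kit-client.so;\($token_url)?pin-value=\($pin)" |
-.["x5c-cert"]="pkcs11:\($token_url);object=X.509%20Certificate%20for%20PIV%20Authentication" |
-.["x5c-key"]="pkcs11:\($token_url);object=Private%20key%20for%20PIV%20Authentication"' <<<"$config")
-;;
-Intel*)
-config=$(jq --arg token_url "$TOKEN_URL" --arg pin "${PIN:?}" \
-'.kms="pkcs11:module-path=/usr/lib/pkcs11/p11-kit-client.so;\($token_url)?pin-value=\($pin)" |
-.["x5c-cert"]="pkcs11:\($token_url);object=PIV;" |
-.["x5c-key"]="pkcs11:\($token_url);object=PIV;type=private"' <<<"$config")
-;;
-esac
+if [[ -n $YKSERIAL ]]; then
+config=$(jq --arg serial "${YKSERIAL:?}" --arg pin "${PIN:?}" \
+'.kms="pkcs11:module-path=/usr/lib/pkcs11/p11-kit-client.so;token=YubiKey%20PIV%20%23\($serial)?pin-value=\($pin)" |
+.["x5c-cert"]="pkcs11:token=YubiKey%20PIV%20%23\($serial);object=X.509%20Certificate%20for%20PIV%20Authentication" |
+.["x5c-key"]="pkcs11:token=YubiKey%20PIV%20%23\($serial);object=Private%20key%20for%20PIV%20Authentication"' <<<"$config")
 fi
 printf '%s\n' "$config" >"$config_path"
 exec step "$@"
 }
 
-get_pkcs11_url_val() {
-local field=$1
-sed 's/^pkcs11:\(.*;\)\?\('"$field"'=\([^;]\+\)\)\?\(;.*\)\?$/\3/g' | grep -v '^pkcs11:'
-}
-
 step_wrapper "$@"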
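Review bot: The restored jq call writes the smartcard PIN in clear text into `$STEPPATH/config/defaults.json` through `pin-value=\($pin)`, and the `printf` redirect that follows truncates and rewrites that existing file with whatever mode it already has, so the PIN outlives the process on disk; at minimum tighten the file before writing, `chmod 600 -- "$config_path" && printf '%s\n' "$config" >"$config_path"`, and if step's pkcs11 KMS accepts the RFC 7512 `pin-source` attribute, pointing it at a file would keep the secret out of the config entirely. `YKSERIAL` is also spliced into three PKCS#11 URIs without any shape check, since `${YKSERIAL:?}` only rejects an empty value; because it arrives from the environment, `[[ $YKSERIAL =~ ^[0-9]+$ ]] || { printf 'invalid YKSERIAL\n' >&2; exit 1; }` before the jq call stops a stray `;`, `?` or `%` from changing the URI. `step_wrapper()` begins before this hunk.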
