diff --git a/bin/step b/bin/step
index 2a39b6a..a255837 100755
--- a/bin/step
+++ b/bin/step
@@ -24,20 +24,18 @@ step() {
 local p11_kit_socket="$XDG_RUNTIME_DIR/p11-kit/pkcs11"
 if [[ -S "$p11_kit_socket" ]] && ! ${STEP_SKIP_P11_KIT:-false}; then
 "$pkgroot/.upkg/.bin/checkdeps" p11tool
- local token_urls=() token_filter=(
- 'manufacturer=Yubico%20%28www.yubico.com%29'
- 'model=Intel.*serial=0000000000000000;token=.\+'
- )
- readarray -t token_urls < <(p11tool --list-token-urls | grep "$(join_by $'\n' "${token_filter[@]}")")
- [[ ${#token_urls[@]} -gt 0 ]] || fatal "No smartcards found"
- [[ ${#token_urls[@]} -eq 1 ]] || fatal "%d smartcards detected, remove all but one" "${#token_urls[@]}"
+ local yubikey_serials=()
+ readarray -t yubikey_serials < <(p11tool --list-token-urls | grep manufacturer=Yubico%20%28www.yubico.com%29 | sed 's/.*;serial=\([0-9]\+\);.*/\1/g')
+ [[ ${#yubikey_serials[@]} -gt 0 ]] || fatal "No YubiKeys found"
+ [[ ${#yubikey_serials[@]} -eq 1 ]] || fatal "%d YubiKeys detected, remove all but one" "${#yubikey_serials[@]}"
 if [[ -z $PIN ]]; then
 export PIN
 # shellcheck disable=2059
- PIN=$("$pkgroot/.upkg/.bin/pinentry-wrapper" "PIN" --desc "$(printf -- "${STEP_PIN_DESC:-"Smallstep CLI requires access to your smartcard in order to authenticate with step-ca"}" "${token_urls[0]}")")
+ PIN=$(pinentry-wrapper "PIN" --desc "$(printf -- "${STEP_PIN_DESC:-"Smallstep CLI requires access to your YubiKey in order to authenticate with step-ca
+YubiKey #%s"}" "${yubikey_serials[0]}")")
 fi
 additional_opts+=(
- -e "TOKEN_URL=${token_urls[0]}" -e PIN
+ -e "YKSERIAL=${yubikey_serials[0]}" -e PIN
 -v "$p11_kit_socket:$p11_kit_socket"
 )
 elif ${STEP_SKIP_P11_KIT:-false}; then
diff --git a/step-wrapper.sh b/step-wrapper.sh
index c0508cf..5cc7ae9 100644
--- a/step-wrapper.sh
+++ b/step-wrapper.sh
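Review bot: The `sed` at the end of the `readarray` pipeline prints its input unchanged when the substitution does not match, so a Yubico token URL that carries no numeric `serial=` field lands in `yubikey_serials` as the whole URL, passes both count checks and is exported as `YKSERIAL`; use `sed -n 's/.*;serial=\([0-9]\+\);.*/\1/p'` so only successfully extracted serials are collected. The `grep` pattern is an unquoted basic regex in which each `.` matches any character; `grep -F -- 'manufacturer=Yubico%20%28www.yubico.com%29'` states the fixed-string intent and is the usual defensive form. `pinentry-wrapper` is no longer invoked through the bundled `$pkgroot/.upkg/.bin` path but resolved from PATH, while `checkdeps` only verifies `p11tool`; if the PATH lookup is intended, presumably adding it to that check (`"$pkgroot/.upkg/.bin/checkdeps" p11tool pinentry-wrapper`, if checkdeps takes several names) fails early instead of at PIN-prompt time. The body of step continues outside the hunk.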
@@ -14,29 +14,14 @@ step_wrapper() {
 fi
 local config config_path=$STEPPATH/config/defaults.json
 config=$(cat "$config_path")
- if [[ -n $TOKEN_URL ]]; then
- case "$(get_pkcs11_url_val model <<<"${TOKEN_URL:?}")" in
- YubiKey*)
- config=$(jq --arg token_url "$TOKEN_URL" --arg pin "${PIN:?}" \
- '.kms="pkcs11:module-path=/usr/lib/pkcs11/p11-kit-client.so;\($token_url)?pin-value=\($pin)" |
- .["x5c-cert"]="pkcs11:\($token_url);object=X.509%20Certificate%20for%20PIV%20Authentication" |
- .["x5c-key"]="pkcs11:\($token_url);object=Private%20key%20for%20PIV%20Authentication"' <<<"$config")
- ;;
- Intel*)
- config=$(jq --arg token_url "$TOKEN_URL" --arg pin "${PIN:?}" \
- '.kms="pkcs11:module-path=/usr/lib/pkcs11/p11-kit-client.so;\($token_url)?pin-value=\($pin)" |
- .["x5c-cert"]="pkcs11:\($token_url);object=PIV;" |
- .["x5c-key"]="pkcs11:\($token_url);object=PIV;type=private"' <<<"$config")
- ;;
- esac
+ if [[ -n $YKSERIAL ]]; then
+ config=$(jq --arg serial "${YKSERIAL:?}" --arg pin "${PIN:?}" \
+ '.kms="pkcs11:module-path=/usr/lib/pkcs11/p11-kit-client.so;token=YubiKey%20PIV%20%23\($serial)?pin-value=\($pin)" |
+ .["x5c-cert"]="pkcs11:token=YubiKey%20PIV%20%23\($serial);object=X.509%20Certificate%20for%20PIV%20Authentication" |
+ .["x5c-key"]="pkcs11:token=YubiKey%20PIV%20%23\($serial);object=Private%20key%20for%20PIV%20Authentication"' <<<"$config")
 fi
 printf '%s\n' "$config" >"$config_path"
 exec step "$@"
 }
 
-get_pkcs11_url_val() {
- local field=$1
- sed 's/^pkcs11:\(.*;\)\?\('"$field"'=\([^;]\+\)\)\?\(;.*\)\?$/\3/g' | grep -v '^pkcs11:'
-}
-
 step_wrapper "$@"
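Review bot: The token reference `token=YubiKey%20PIV%20%23\($serial)` in the jq filter is now rebuilt from the serial instead of using the URL p11tool reported, so the three URIs silently depend on the PKCS#11 token label being exactly `YubiKey PIV #<serial>` and on `YKSERIAL` being a bare numeric serial; a comment above the `if`, such as `# Rebuilds the token URI; assumes the ykcs11 label "YubiKey PIV #<serial>" as listed by p11tool --list-token-urls`, makes that assumption visible to the next maintainer. The PIN is still written in plaintext into `$STEPPATH/config/defaults.json` through `pin-value=`, and the file is rewritten on every invocation; tightening its mode right after the `printf` (`chmod 600 -- "$config_path"`) limits exposure to the invoking user. If the script runs under `set -u` (not visible in this hunk), `[[ -n $YKSERIAL ]]` aborts when the variable is unset instead of skipping the block; `[[ -n ${YKSERIAL:-} ]]` keeps the intended behaviour either way, and the `:?` on the next line is then the only guard that matters.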