From 3d52f7c95842bb8656ea1f576cac3aaa721d15f7 Mon Sep 17 00:00:00 2001 From: Simon Josefsson Date: Wed, 24 Oct 2012 15:07:33 +0200 Subject: [PATCH] Add example tool to automate programming. --- Makefile.am | 2 +- contrib/oath-unlock-reprogram.sh | 94 ++++++++++++++++++++++++++++++++ contrib/programming.sh | 0 3 files changed, 95 insertions(+), 1 deletion(-) create mode 100755 contrib/oath-unlock-reprogram.sh mode change 100644 => 100755 contrib/programming.sh diff --git a/Makefile.am b/Makefile.am index ae52af4..ecfc07f 100644 --- a/Makefile.am +++ b/Makefile.am @@ -79,7 +79,7 @@ dist_man1_MANS = ykpersonalize.1 ykchalresp.1 ykinfo.1 EXTRA_DIST = doc/Compatibility.asciidoc doc/Make-Release.asciidoc doc/Read-Me.asciidoc doc/USB-Hid-Issue.asciidoc doc/Windows-Build.asciidoc # Dist contrib stuff. -EXTRA_DIST += contrib/README contrib/programming.sh +EXTRA_DIST += contrib/README contrib/programming.sh contrib/oath-unlock-reprogram.sh # Windows rules. EXTRA_DIST += ykpers4win.mk diff --git a/contrib/oath-unlock-reprogram.sh b/contrib/oath-unlock-reprogram.sh new file mode 100755 index 0000000..0ae1588 --- /dev/null +++ b/contrib/oath-unlock-reprogram.sh @@ -0,0 +1,94 @@ +#!/bin/sh + +# Copyright (c) 2012 Yubico AB. All rights reserved. +# Author: Simon Josefsson . +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +OLDCSV=$1 + +if test -z "$OLDCSV"; then + echo "Usage: $0 OLDCSVFILE" + echo "" + echo "This tool re-program YubiKeys in 6-digit OATH mode, unlocking an" + echo "earlier configuration." + echo "" + echo "The input file is a comma-separated value (CSV) file following" + echo "this format:" + echo "" + echo "SERIALNO,,COUNTER,HEXSECRET,UNLOCKCODE,TIME" + echo "" + echo "As illustration, consider the following three lines:" + echo "" + echo "1458800,,11344,dee628e652b08415c7f36d91b74a9d2a0b1251cf,08caa18ad869,2012-07-31T09:19:07," + echo "1458801,,106976,f7df4ddc61b585613975d0efac4505664730f0f9,7ddb2662e32c,2012-07-31T09:19:07," + echo "1458802,,627328,4d668d01c7e2fa336384e6d8b8839bbb00be10bf,b440a34cd994,2012-07-31T09:19:07," + echo "" + echo "The tool appends to a file \"log\" on the same format with new data." + echo "" + echo "This tool is intended as a basis for your own modifications, thus" + echo "you probably want to read the source code before using it." + exit 1 +fi + +when=`date +%Y-%m-%dT%H:%M:%S` + +while sleep 1; do + # Read serial number. + serialno=`ykinfo -s -q` + rc=$? + if test "$rc" != "0"; then + # ykinfo already printed an error message + continue + fi + + hits=`grep "^$serialno," $OLDCSV | wc -l` + if test "$hits" != "1"; then + echo "No unique entry for serial $serialno in file (found $hits matches)..." + continue + fi + + if test -f log && grep -q "^$serialno," log; then + echo "YubiKey $serialno already re-programmed?! Clear log file if certain..." + continue + fi + + old_unlock=`grep "^$serialno," $OLDCSV | cut -d, -f5` + + echo "notice: Found YubiKey serial $serialno with old unlock code $oldunlock..." + + secret=`dd if=/dev/urandom bs=20 count=1 2>/dev/null | hexdump -v -e '/1 "%02x"'` + new_unlock=`dd if=/dev/urandom bs=6 count=1 2>/dev/null | hexdump -v -e '/1 "%02x"'` + seed=`dd if=/dev/urandom bs=2 count=1 2>/dev/null | hexdump -v -e '/2 "%u"'` + seed=`expr "$seed" "*" 16` + + echo "notice: Using secret $secret unlock code $new_unlock and seed $seed..." + + ykpersonalize -1 -a$secret -c$old_unlock -ooath-hotp -oappend-cr -oaccess=$new_unlock -ooath-imf=$seed -oprotect-cfg2 -oserial-api-visible -y + + echo "$serialno,,$seed,$secret,$new_unlock,$when," >> log + + echo "Finished! Remove YubiKey..." +done diff --git a/contrib/programming.sh b/contrib/programming.sh old mode 100644 new mode 100755 -- 2.39.5