Impl put authkey_asym_ex

Yubico · Nov 2, 2021 · 45b0d16 · 45b0d16
1 parent 26b9a7a
commit 45b0d16
Show file tree

Hide file tree

Showing 5 changed files with 69 additions and 1 deletion.
diff --git a/lib/yubihsm.c b/lib/yubihsm.c
@@ -1335,6 +1335,20 @@ yh_rc yh_util_generate_auth_key(const char *key_name, uint8_t *key,
   return YHR_SUCCESS;
 }
 
+yh_rc yh_util_generate_asym_auth_key(const char *key_name, uint8_t *key,
+                                     size_t len) {
+  int rc = 0;
+
+  if ((rc = ecdh_generate_keypair_ex(ecdh_curve_p256(), key_name, key, len)) <=
+      0) {
+    DBG_ERR("%s: Failed to generate EC-P256 key %s: %d",
+            yh_strerror(YHR_GENERIC_ERROR), key_name, rc);
+    return YHR_GENERIC_ERROR;
+  }
+
+  return YHR_SUCCESS;
+}
+
 yh_rc yh_util_destroy_auth_key(const char *key) {
 
   int rc = 0;

diff --git a/lib/yubihsm.h b/lib/yubihsm.h
@@ -945,6 +945,9 @@ yh_rc yh_util_list_client_asym_auth_keys(FILE *out);
 
 yh_rc yh_util_generate_auth_key(const char *key_name, uint8_t *key, size_t len);
 
+yh_rc yh_util_generate_asym_auth_key(const char *key_name, uint8_t *key,
+                                     size_t len);
+
 yh_rc yh_util_destroy_auth_key(const char *key);
 
 /**

diff --git a/src/commands.c b/src/commands.c
@@ -2044,7 +2044,7 @@ int yh_com_put_authentication(yubihsm_context *ctx, Argument *argv,
   return 0;
 }
 
-// NOTE: Store an asymmetric authentication key
+// NOTE: Store an authentication key persistently
 // argc = 7
 // arg 0: e:session
 // arg 1: w:key_id
@@ -2156,6 +2156,46 @@ int yh_com_put_authentication_asym(yubihsm_context *ctx, Argument *argv,
 
   return 0;
 }
+// NOTE: Store an asymmetric authentication key persistently
+// argc = 7
+// arg 0: e:session
+// arg 1: w:key_id
+// arg 2: s:label
+// arg 3: w:domains
+// arg 4: c:capabilities
+// arg 5: c:delegated_capabilities
+// arg 6: s:key_name
+int yh_com_put_authentication_asym_ex(yubihsm_context *ctx, Argument *argv,
+                                      cmd_format in_fmt, cmd_format fmt) {
+
+  UNUSED(ctx);
+  UNUSED(argv);
+  UNUSED(in_fmt);
+  UNUSED(fmt);
+
+  uint8_t pub[65];
+  yh_rc yrc = yh_util_generate_asym_auth_key(argv[6].s, pub, sizeof(pub));
+
+  if (yrc != YHR_SUCCESS) {
+    fprintf(stderr, "Failed to generate persistent private key: %s\n",
+            yh_strerror(yrc));
+    return -1;
+  }
+
+  yrc = yh_util_import_authentication_key(argv[0].e, &argv[1].w, argv[2].s,
+                                          argv[3].w, &argv[4].c, &argv[5].c,
+                                          pub, sizeof(pub), NULL, 0);
+
+  if (yrc != YHR_SUCCESS) {
+    fprintf(stderr, "Failed to store asymmetric authkey: %s\n",
+            yh_strerror(yrc));
+    return -1;
+  }
+
+  fprintf(stderr, "Stored Asymmetric Persistents Authentication key 0x%04x\n",
+          argv[1].w);
+  return 0;
+}
 #endif
 
 // NOTE(adma): Store an opaque object

diff --git a/src/commands.h b/src/commands.h
@@ -152,6 +152,8 @@ int yh_com_put_authentication_ex(yubihsm_context *ctx, Argument *argv,
 #ifdef USE_ASYMMETRIC_AUTH
 int yh_com_put_authentication_asym(yubihsm_context *ctx, Argument *argv,
                                    cmd_format in_fmt, cmd_format fmt);
+int yh_com_put_authentication_asym_ex(yubihsm_context *ctx, Argument *argv,
+                                      cmd_format in_fmt, cmd_format fmt);
 #endif
 int yh_com_put_opaque(yubihsm_context *ctx, Argument *argv, cmd_format in_fmt,
                       cmd_format fmt);

diff --git a/src/main.c b/src/main.c
@@ -474,6 +474,15 @@ static void create_command_list(CommandList *c) {
                                 fmt_password, fmt_nofmt,
                                 "Store an asymmetric authentication key", NULL,
                                 NULL});
+  register_subcommand(*c, (Command){"authkey_asym_ex",
+                                    yh_com_put_authentication_asym_ex,
+                                    "e:session,w:key_id,s:label,d:domains,c:"
+                                    "capabilities,c:delegated_capabilities,"
+                                    "s:key_name",
+                                    fmt_nofmt, fmt_nofmt,
+                                    "Provision a random persistent "
+                                    "asymmetric authentication key",
+                                    NULL, NULL});
 #endif
   register_subcommand(*c, (Command){"opaque", yh_com_put_opaque,
                                     "e:session,w:object_id,s:label,d:domains,c:"