/usr/sbin/yhsm-keystore-unlock is in yhsm-tools 1.0.4l-1.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 | #! /usr/bin/python
#
# Copyright (c) 2011 Yubico AB
# See the file COPYING for licence statement.
#
"""
Utility to unlock the key store of a YubiHSM,
using the 'HSM password'/'master key'.
"""
import sys
sys.path.append('Lib')
import pyhsm
import argparse
import getpass
default_device = "/dev/ttyACM0"
def parse_args():
"""
Parse the command line arguments
"""
parser = argparse.ArgumentParser(description = "Unlock key store of YubiHSM",
add_help = True,
formatter_class = argparse.ArgumentDefaultsHelpFormatter,
)
parser.add_argument('-D', '--device',
dest='device',
default=default_device,
required=False,
help='YubiHSM device',
)
parser.add_argument('-v', '--verbose',
dest='verbose',
action='store_true', default=False,
help='Enable verbose operation'
)
parser.add_argument('--debug',
dest='debug',
action='store_true', default=False,
help='Enable debug operation'
)
parser.add_argument('--no-otp',
dest='no_otp',
action='store_true', default=False,
help='Don\'t ask for OTP, even if YubiHSM supports it',
)
parser.add_argument('--stdin',
dest='stdin',
action='store_true', default=False,
help='Read data from stdin instead of prompting',
)
args = parser.parse_args()
return args
def get_password(hsm, args):
""" Get password of correct length for this YubiHSM version. """
expected_len = 32
name = 'HSM password'
if hsm.version.have_key_store_decrypt():
expected_len = 64
name = 'master key'
if args.stdin:
password = sys.stdin.readline()
while password and password[-1] == '\n':
password = password[:-1]
else:
if args.debug:
password = raw_input('Enter %s (press enter to skip) (will be echoed) : ' % (name))
else:
password = getpass.getpass('Enter %s (press enter to skip) : ' % (name))
if len(password) <= expected_len:
password = password.decode('hex')
if not password:
return None
return password
else:
sys.stderr.write("ERROR: Invalid HSM password (expected max %i chars, got %i)\n" % \
(expected_len, len(password)))
return 1
def get_otp(hsm, args):
""" Get OTP from YubiKey. """
if args.no_otp:
return None
if hsm.version.have_unlock():
if args.stdin:
otp = sys.stdin.readline()
while otp and otp[-1] == '\n':
otp = otp[:-1]
else:
otp = raw_input('Enter admin YubiKey OTP (press enter to skip) : ')
if len(otp) == 44:
# YubiHSM admin OTP's always have a public_id length of 6 bytes
return otp
if otp:
sys.stderr.write("ERROR: Invalid YubiKey OTP\n")
return None
def main():
"""
What will be executed when running as a stand alone program.
"""
args = parse_args()
try:
hsm = pyhsm.base.YHSM(device=args.device, debug=args.debug)
if args.debug or args.verbose:
print "Device : %s" % (args.device)
print "Version : %s" % (hsm.info())
print ""
password = get_password(hsm, args)
otp = get_otp(hsm, args)
if not password and not otp:
print "\nAborted\n"
return 1
else:
if args.debug or args.verbose:
print ""
if hsm.unlock(password = password, otp = otp):
if args.debug or args.verbose:
print "OK\n"
except pyhsm.exception.YHSM_Error, e:
sys.stderr.write("ERROR: %s\n" % (e.reason))
return 1
return 0
if __name__ == '__main__':
sys.exit(main())
|