Diffstat (limited to 'src')
-rw-r--r--src/PkiAuthenticator.csproj4
-rw-r--r--src/Program.cs8
-rw-r--r--src/Statics.cs15
3 files changed, 20 insertions, 7 deletions
diff --git a/src/PkiAuthenticator.csproj b/src/PkiAuthenticator.csproj
index 808b447..96d8c19 100644
--- a/src/PkiAuthenticator.csproj
+++ b/src/PkiAuthenticator.csproj
@@ -38,8 +38,8 @@
<ItemGroup>
<PackageReference Include="Serilog" Version="3.1.1" />
<PackageReference Include="Serilog.Sinks.Console" Version="5.0.1" />
- <PackageReference Include="VNLib.Hashing.Portable" Version="0.1.0-ci0114" />
- <PackageReference Include="VNLib.Utils" Version="0.1.0-ci0114" />
+ <PackageReference Include="VNLib.Hashing.Portable" Version="0.1.0-ci0120" />
+ <PackageReference Include="VNLib.Utils" Version="0.1.0-ci0120" />
<PackageReference Include="Yubico.YubiKey" Version="1.9.1" />
</ItemGroup>
diff --git a/src/Program.cs b/src/Program.cs
index cdbeea7..a150eba 100644
--- a/src/Program.cs
+++ b/src/Program.cs
@@ -71,6 +71,11 @@ namespace PkiAuthenticator
authenticating. If not specified, uses the certificates CN
subject value.
+ --sign Enables entering custom data to add to the OTP before signing.
+ This allows applications to add an extra layer of authentication
+ security. If you application requires signing data, you must set
+ this flag.
+
--software <cert file> Runs the process using a software authenticator instead of
a YubiKey hardware authenticator. The cert file must be a
a valid x509 certificate with the public key. You must also
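Review bot: The new `--sign` help text has a typo on its third line, "If you application requires signing data" should read "If your application requires signing data"; since this string is printed to users it is worth fixing before release. The surrounding help string literal starts and ends outside this hunk.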
@@ -154,6 +159,9 @@ namespace PkiAuthenticator
#software
vauth.exe --software cert.pem --export pem
+ Sign data:
+ vauth.exe --sign # sign data before generating OTP
+
List devices:
vauth.exe --list-devices # only supported in hardware mode
";
diff --git a/src/Statics.cs b/src/Statics.cs
index 0978abf..b9d105a 100644
--- a/src/Statics.cs
+++ b/src/Statics.cs
@@ -90,6 +90,13 @@ namespace PkiAuthenticator
string? uid = CliArgs.GetArgument("-u");
uid ??= CliArgs.GetArgument("--user");
+ string? dataToSign = null;
+ if (CliArgs.HasArgument("--sign"))
+ {
+ Log.Information("Enter the data to sign: ");
+ dataToSign = Console.ReadLine();
+ }
+
HashAlg digest;
//Init the jwt header
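Review bot: `dataToSign = Console.ReadLine();` is never validated: `ReadLine` returns null when stdin is closed or redirected to an empty stream, and an empty line is accepted as-is, so a caller who explicitly asked for `--sign` can end up with a token whose "data" claim is missing or empty without any error. Since this value is placed verbatim into the signed payload, I would fail fast here, e.g. `if (string.IsNullOrWhiteSpace(dataToSign)) { Log.Error("No data was provided to sign"); return ...; }` with the return value matching the enclosing method, which starts outside this hunk. A smaller style point: the prompt is written via `Log.Information(...)`, which goes through the Serilog sink with a level prefix and newline, whereas `Console.Write("Enter the data to sign: ");` would produce an inline prompt and keep the interactive I/O separate from the log stream.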
@@ -133,17 +140,15 @@ namespace PkiAuthenticator
{
//Default uid is the subjet name
uid ??= cert.SubjectName.Name.AsSpan().SliceAfterParam("=").ToString();
-
- //Get random nonce for entropy
- string nonce = RandomHash.GetRandomBase32(16);
-
+
jwt.InitPayloadClaim()
.AddClaim("sub", uid)
- .AddClaim("n", nonce)
+ .AddClaim("n", RandomHash.GetRandomBase32(16))
.AddClaim("iat", DateTimeOffset.UtcNow.ToUnixTimeSeconds())
//Keyid is the hex sha1 of the certificate
.AddClaim("keyid", Convert.ToHexString(cert.GetCertHash(HashAlgorithmName.SHA1)))
.AddClaim("serial", cert.SerialNumber)
+ .AddClaim("data", dataToSign!)
.CommitClaims();
}
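Review bot: `.AddClaim("data", dataToSign!)` adds the "data" claim unconditionally, so when `--sign` is not given a null value is passed and the `!` only hides the nullability warning; whether the VNLib builder serializes that as a JSON null or throws is not visible here, but either way tokens produced without `--sign` now carry a claim that did not exist before, and verifiers keyed on the claim's presence cannot distinguish "not signed" from "signed with null". I would only append the claim when data was actually collected, which means breaking the fluent chain before `CommitClaims()` as below; this assumes `AddClaim` returns the same builder type that `InitPayloadClaim()` returns, which the chain itself suggests but the hunk does not prove.
```csharp
// … unchanged: default uid from the certificate subject …
var claims = jwt.InitPayloadClaim()
    .AddClaim("sub", uid)
    .AddClaim("n", RandomHash.GetRandomBase32(16))
    .AddClaim("iat", DateTimeOffset.UtcNow.ToUnixTimeSeconds())
    //Keyid is the hex sha1 of the certificate
    .AddClaim("keyid", Convert.ToHexString(cert.GetCertHash(HashAlgorithmName.SHA1)))
    .AddClaim("serial", cert.SerialNumber);

//Only include the data claim when --sign supplied a value, so its presence is meaningful to verifiers
if (dataToSign is not null)
{
    claims = claims.AddClaim("data", dataToSign);
}

claims.CommitClaims();
```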