From a5a50369250ff5c7d8f1fa53fc31ddb1da2a04a6 Mon Sep 17 00:00:00 2001
From: vnugent
Date: Thu, 3 Aug 2023 21:30:36 -0400
Subject: Pre-public update

---
 src/HardwareAuthenticator.cs | 31 ++++++++++++++++---
 src/IAuthenticator.cs | 22 +++++++++++++-
 src/PkiAuthenticator.csproj | 4 +-
 src/ProcessArguments.cs | 23 ++++++++++++--
 src/Program.cs | 72 +++++++++++++++++++++++++++++++-------------
 src/SoftwareAuthenticator.cs | 26 ++++++++++++++--
 src/Statics.cs | 23 ++++++++++++--
 7 files changed, 165 insertions(+), 36 deletions(-)
 (limited to 'src')

diff --git a/src/HardwareAuthenticator.cs b/src/HardwareAuthenticator.cs
index 1f0f0b2..f4984ac 100644
--- a/src/HardwareAuthenticator.cs
+++ b/src/HardwareAuthenticator.cs
@@ -1,4 +1,24 @@
-using System;
+/*
+* Copyright (c) 2023 Vaughn Nugent
+*
+* Package: PkiAuthenticator
+* File: HardwareAuthenticator.cs
+*
+* PkiAuthenticator is free software: you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published
+* by the Free Software Foundation, either version 2 of the License,
+* or (at your option) any later version.
+*
+* PkiAuthenticator is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with PkiAuthenticator. If not, see http://www.gnu.org/licenses/.
+*/
+
+using System;
 using System.Linq;
 using System.Text;
 using System.Buffers;
@@ -13,8 +33,6 @@ using Yubico.YubiKey.Piv;
 using VNLib.Utils;
 using VNLib.Utils.Logging;
 using VNLib.Utils.Extensions;
-using VNLib.Hashing;
-using VNLib.Hashing.IdentityUtility;
 using static PkiAuthenticator.Statics;
@@ -55,6 +73,8 @@ namespace PkiAuthenticator
 {
 IYubiKeyDevice? device;
+ Log.Debug("Using hardware authenticator");
+ //User may select the serial of the specific key to use
 if (CliArgs.HasArg("--key") && int.TryParse(CliArgs.GetArg("--key"), out int serial))
 {
@@ -87,7 +107,7 @@ namespace PkiAuthenticator
 KeyCollector = GetUserPinInput
 };
- Log.Debug("Connected to device {id}", device.SerialNumber!);
+ Log.Information("Connected to device {id}, using slot {slot}", device.SerialNumber!, PivSlot.ToString("x"));
 //Store the key algorithm
 KeyAlgorithm = _session.GetMetadata(PivSlot).Algorithm;
@@ -129,7 +149,8 @@ namespace PkiAuthenticator
 public X509Certificate2 GetCertificate() => _session?.GetCertificate(PivSlot) ?? throw new InvalidOperationException("The PIV session has not been successfully initialized");
-
+
+ ///
 protected override void Free()
 {
 _session?.Dispose();
diff --git a/src/IAuthenticator.cs b/src/IAuthenticator.cs
index 440a69f..447f35e 100644
--- a/src/IAuthenticator.cs
+++ b/src/IAuthenticator.cs
@@ -1,4 +1,24 @@
-
+/*
+* Copyright (c) 2023 Vaughn Nugent
+*
+* Package: PkiAuthenticator
+* File: IAuthenticator.cs
+*
+* PkiAuthenticator is free software: you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published
+* by the Free Software Foundation, either version 2 of the License,
+* or (at your option) any later version.
+*
+* PkiAuthenticator is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with PkiAuthenticator. If not, see http://www.gnu.org/licenses/.
+*/
+
+
 using System;
 using System.Security.Cryptography.X509Certificates;
diff --git a/src/PkiAuthenticator.csproj b/src/PkiAuthenticator.csproj
index 4e24a8a..22a4e92 100644
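Review bot: `Log.Information("Connected to device {id}, using slot {slot}", device.SerialNumber!, PivSlot.ToString("x"))` in the hunk at -87,7 promotes the YubiKey serial number from Debug to Information, so it is presumably now written on every ordinary run rather than only when debugging. The serial is a stable hardware identifier; if the log stream is captured or forwarded anywhere beyond the user's terminal it becomes a persistent device identifier in those logs, and the help text in this same commit says logging goes to STDOUT, where the token is also printed. Consider keeping the serial at Debug and reporting only the slot at Information, e.g. `Log.Information("Connected to device, using slot {slot}", PivSlot.ToString("x"));` followed by `Log.Debug("Device serial {id}", device.SerialNumber!);`. The enclosing method starts and ends outside this hunk.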
--- a/src/PkiAuthenticator.csproj
+++ b/src/PkiAuthenticator.csproj
@@ -26,8 +26,8 @@ - - + +
diff --git a/src/ProcessArguments.cs b/src/ProcessArguments.cs
index df683e5..4d1febd 100644
--- a/src/ProcessArguments.cs
+++ b/src/ProcessArguments.cs
@@ -1,4 +1,24 @@
-using System;
+/*
+* Copyright (c) 2023 Vaughn Nugent
+*
+* Package: PkiAuthenticator
+* File: ProcessArguments.cs
+*
+* PkiAuthenticator is free software: you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published
+* by the Free Software Foundation, either version 2 of the License,
+* or (at your option) any later version.
+*
+* PkiAuthenticator is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with PkiAuthenticator. If not, see http://www.gnu.org/licenses/.
+*/
+
+using System;
 using System.Linq;
 using System.Collections.Generic;
@@ -15,7 +35,6 @@ namespace PkiAuthenticator
 public bool Verbose => HasArg("-v") || HasArg("--verbose");
 public bool Debug => HasArg("-d") || HasArg("--debug");
 public bool Silent => HasArg("-s") || HasArg("--silent");
- public bool RpMalloc => HasArg("--rpmalloc");
 public bool DoubleVerbose => Verbose && HasArg("-vv");
 public bool LogHttp => HasArg("--log-http");
diff --git a/src/Program.cs b/src/Program.cs
index 230f950..8ff694c 100644
--- a/src/Program.cs
+++ b/src/Program.cs
@@ -1,4 +1,24 @@
-using System;
+/*
+* Copyright (c) 2023 Vaughn Nugent
+*
+* Package: PkiAuthenticator
+* File: Program.cs
+*
+* PkiAuthenticator is free software: you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published
+* by the Free Software Foundation, either version 2 of the License,
+* or (at your option) any later version.
+*
+* PkiAuthenticator is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with PkiAuthenticator. If not, see http://www.gnu.org/licenses/.
+*/
+
+using System;
 using VNLib.Utils.Logging;
@@ -6,7 +26,7 @@ using static PkiAuthenticator.Statics;
 namespace PkiAuthenticator
 {
- internal class Program
+ internal sealed class Program
 {
 public const string JWK_EXPORT_TEMPLATE = "You may copy your JWK public key\n\n{pk}\n";
 public const string TOKEN_PRINT_TEMPLATE = "You may copy your authentication token \n\n{tk}\n";
@@ -14,14 +34,19 @@ namespace PkiAuthenticator public const string SOFTWARE_PASSWORD_VAR_NAME = "CERT_PASSWORD"; public const string PEM_EXPORT_TEMPLATE = "You may copy your public key\n\n{cert}\n"; - const string HELP_MESSAGE = -@$" VAuth Copyright (c) Vaughn Nugent - Usage: vauth.exe + const string HELP_MESSAGE = @$" + vauth Copyright © Vaughn Nugent https://www.vaughnnugent.com/resources/software - No args: Connects to the first PIV enabled YubiKey and requests slot 0x9a - sign a new authentication message for the default usename (cert CN), - prompts the user for a pin (if enabled on device) and prints the - signed JWT authentication token to STDOUT. + Usage: vauth + + A cross-platform hardware (YubiKey) or software backed authenticator for generating short lived + OTPs for VNLib.Plugins.Essentials.Accounts enabled servers. This tool generates a signed Json Web + Token (JWT) that can be used as a single factor authentication method for accounts that have a stored + public key. Currently the plugin requires JSON Web Keys (JWK) format for public keys. It requires + serial numbers, key-ids, and the public key itself, x509 is not used. You may use the --export + flag to export this public key in the required JWK format. This tool currently supports YubiKey + as a hardware authenticator, and PEM encoded x509 certificates as a software authenticator. You + may use this tool to list your connected YubiKey devices, and their serial numbers. Command flags: 
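Review bot: The `©` character introduced into HELP_MESSAGE here (and into `Log.Information("vauth © 2023 Vaughn Nugent")` in the hunk at -132,7 of the same file) is non-ASCII text written to the console; on a Windows console whose output code page is not UTF-8 it will likely render as `?` unless the process sets its output encoding, whereas the `(c)` it replaces was portable. Either keep `(c)` in both places or set `Console.OutputEncoding = Encoding.UTF8;` once before any output is written. HELP_MESSAGE continues past the end of this hunk.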
@@ -50,13 +75,14 @@ namespace PkiAuthenticator --private-key The path to the private key file, may be password protected. This flag is only required in software mode. - --password The password string (utf8 decoded) used to decrypt the PEM - private key file. WARNING! You should avoid using this flag - unless you have cli history disabled, otherwise your password - may be recovered from your history file. This allows you to - automate the authentication process. NOTE: consider setting the - {SOFTWARE_PASSWORD_VAR_NAME} environment variable before starting the - process instead. + --password Set this flag if your private key is password protected. + The password string (utf8 decoded) used to decrypt the PEM + private key file. WARNING! You should avoid setting your password + after this flag unless you have cli history disabled, otherwise + your password may be recovered from your shell history file. This + allows you to automate the authentication process. NOTE: consider + setting the {SOFTWARE_PASSWORD_VAR_NAME} environment variable before + starting the process instead of supplying the password as a flag. --key Allows you to specify the serial number (int32) of the exact YubiKey to connect to if multiple keys are connected. (PIV must @@ -76,7 +102,7 @@ namespace PkiAuthenticator required operations, a --pin flag must be set, or set the {YUBIKEY_PIN_ENV_VAR_NAME} env variable. If an op error occurs, an exit code is returned. - -v, --verbose Enables verbose logging to be writtento STDOUT, is overridden + -v, --verbose Enables verbose logging to be written to STDOUT, is overridden by silent mode, and will override -d debug mode. -d, --debug Enables debug logging to be written to STDOUT, is overridden by 
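Review bot: The reworded `--password` warning in the hunk at -50,13 still presents disabled shell history as sufficient protection, but a password passed as a command-line argument is also readable by other local users for the lifetime of the process via the process table (`ps`, Task Manager, `/proc`), which history settings do not change. Suggest one extra sentence after the history warning, e.g. `Command line arguments are also visible to other processes on the machine while vauth runs.`, so the {SOFTWARE_PASSWORD_VAR_NAME} environment variable reads as the primary option rather than a fallback. HELP_MESSAGE starts and ends outside this hunk.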
@@ -106,12 +132,12 @@ namespace PkiAuthenticator vauth.exe # default cert CN usename vauth.exe -u 'name@example.com' # specify username vauth.exe --key 1111111 # specify hardware key serial numer - vauth.exe -s > token.txt # write token to a text file + vauth.exe -s > token.txt # write token to a text file w/ silent mode vauth.exe --piv-slot 9C # specify a differnt PIV slot on the yubikey (in hex) #software mode vauth.exe --software 'cert.pem' --private-key 'priv.pem' - vauth.exe --software 'cert.pem' --private-ke 'priv.pem' --password 'mypassword' + vauth.exe --software 'cert.pem' --private-key 'priv.pem' --password 'mypassword' Export public key: vauth.exe --export # for JWK output
@@ -132,7 +158,7 @@ namespace PkiAuthenticator
 return 0;
 }
- Log.Information("vauth (c) 2023 Vaughn Nugent");
+ Log.Information("vauth © 2023 Vaughn Nugent");
 int exitCode = 1;
 try
@@ -146,11 +172,15 @@ namespace PkiAuthenticator
 //Only continue if authenticator successfully initialized
 if (CliArgs.HasArg("--list-devices"))
 {
+ Log.Verbose("Gathering device information");
+ //List devices flag
 exitCode = authenticator.ListDevices();
 }
 else if (CliArgs.HasArg("-e") || CliArgs.HasArg("--export"))
 {
+ Log.Verbose("Exporting public key");
+ //Check for pem encoding flag
 if (CliArgs.HasArg("pem"))
 {
@@ -195,7 +225,7 @@ namespace PkiAuthenticator
 }
 }
- Log.Information("Exiting...");
+ Log.Verbose("Exiting...");
 return exitCode;
 }
diff --git a/src/SoftwareAuthenticator.cs b/src/SoftwareAuthenticator.cs
index 0972373..f147113 100644
--- a/src/SoftwareAuthenticator.cs
+++ b/src/SoftwareAuthenticator.cs
@@ -1,8 +1,27 @@
-using System;
+/*
+* Copyright (c) 2023 Vaughn Nugent
+*
+* Package: PkiAuthenticator
+* File: SoftwareAuthenticator.cs
+*
+* PkiAuthenticator is free software: you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published
+* by the Free Software Foundation, either version 2 of the License,
+* or (at your option) any later version.
+*
+* PkiAuthenticator is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with PkiAuthenticator. If not, see http://www.gnu.org/licenses/.
+*/
+
+using System;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
-using VNLib.Hashing;
 using VNLib.Utils;
 using VNLib.Utils.IO;
 using VNLib.Utils.Logging;
@@ -42,6 +61,8 @@ namespace PkiAuthenticator
 ///
 public bool Initialize()
 {
+ Log.Debug("Using software authenticator");
+ //try to import the certificate file
 string? cerFilePath = CliArgs.GetArg("--software");
 if(cerFilePath == null)
@@ -232,7 +253,6 @@ namespace PkiAuthenticator
 return written;
 }
- break;
 case PivAlgorithm.EccP256:
 case PivAlgorithm.EccP384:
 {
diff --git a/src/Statics.cs b/src/Statics.cs
index 56e3e25..c27b27a 100644
--- a/src/Statics.cs
+++ b/src/Statics.cs
@@ -1,4 +1,24 @@
-using System;
+/*
+* Copyright (c) 2023 Vaughn Nugent
+*
+* Package: PkiAuthenticator
+* File: Statics.cs
+*
+* PkiAuthenticator is free software: you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published
+* by the Free Software Foundation, either version 2 of the License,
+* or (at your option) any later version.
+*
+* PkiAuthenticator is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with PkiAuthenticator. If not, see http://www.gnu.org/licenses/.
+*/
+
+using System;
 using System.Linq;
 using System.Text;
 using System.Buffers;
@@ -64,7 +84,6 @@ namespace PkiAuthenticator
 /// Generats a signed VNLib authentication toke, used to authenticate against
 /// web applications using the YubiKey
 ///
- ///
 /// The process exit code returning the status of the operation.
 public static int GenerateOtp(this IAuthenticator authenticator)
 {
--
cgit