Get the hardware key PIN in a secure way

yoavamit · yoavamit · commit 0843302617a3 · 2021-06-10T12:05:43.000-04:00
diff --git a/pinentry/pinentry.go b/pinentry/pinentry.go
@@ -0,0 +1,129 @@
+package pinentry
+
+import (
+	"bufio"
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"strings"
+)
+
+// Pinentry gets the PIN from the user to access the smart card or hardware key
+type Pinentry struct {
+	path string
+}
+
+// NewPinentry initializes the pinentry program used to get the PIN
+func NewPinentry() (*Pinentry, error) {
+	fromEnv := os.Getenv("SMIMESIGM_PINENTRY")
+	if len(fromEnv) > 0 {
+		pinentryFromEnv, err := exec.LookPath(fromEnv)
+		if err == nil && len(pinentryFromEnv) > 0 {
+			return &Pinentry{path: pinentryFromEnv}, nil
+		}
+	}
+
+	executables := pinentryPaths()
+	for _, programName := range executables {
+		pinentry, err := exec.LookPath(programName)
+		if err == nil && len(pinentry) > 0 {
+			return &Pinentry{path: pinentry}, nil
+		}
+	}
+
+	return nil, fmt.Errorf("failed to find suitable program to enter pin")
+}
+
+// Get executes the pinentry program and returns the PIN entered by the user
+// see https://www.gnupg.org/documentation/manuals/assuan/Introduction.html for more details
+func (pin *Pinentry) Get(prompt string) (string, error) {
+	cmd := exec.Command(pin.path)
+	stdin, err := cmd.StdinPipe()
+	if err != nil {
+		return "", err
+	}
+
+	stdout, err := cmd.StdoutPipe()
+	if err != nil {
+		return "", err
+	}
+
+	err = cmd.Start()
+	if err != nil {
+		return "", err
+	}
+
+	bufferReader := bufio.NewReader(stdout)
+	lineBytes, _, err := bufferReader.ReadLine()
+	if err != nil {
+		return "", err
+	}
+
+	line := string(lineBytes)
+	if !strings.HasPrefix(line, "OK") {
+		return "", fmt.Errorf("failed to initialize pinentry, got response: %v", line)
+	}
+
+	terminal := os.Getenv("TERM")
+	if len(terminal) > 0 {
+		if ok := setOption(stdin, bufferReader, fmt.Sprintf("OPTION ttytype=%s\n", terminal)); !ok {
+			return "", fmt.Errorf("failed to set ttytype")
+		}
+	}
+
+	if ok := setOption(stdin, bufferReader, fmt.Sprintf("OPTION ttyname=%v\n", tty())); !ok {
+		return "", fmt.Errorf("failed to set ttyname")
+	}
+
+	if ok := setOption(stdin, bufferReader, "SETPROMPT PIN:\n"); !ok {
+		return "", fmt.Errorf("failed to set prompt")
+	}
+	if ok := setOption(stdin, bufferReader, "SETTITLE smimesign\n"); !ok {
+		return "", fmt.Errorf("failed to set title")
+	}
+	if ok := setOption(stdin, bufferReader, fmt.Sprintf("SETDESC %s\n", prompt)); !ok {
+		return "", fmt.Errorf("failed to set description")
+	}
+
+	_, err = fmt.Fprint(stdin, "GETPIN\n")
+	if err != nil {
+		return "", err
+	}
+
+	lineBytes, _, err = bufferReader.ReadLine()
+	if err != nil {
+		return "", err
+	}
+
+	line = string(lineBytes)
+
+	_, err = fmt.Fprint(stdin, "BYE\n")
+	if err != nil {
+		return "", err
+	}
+
+	if err = cmd.Wait(); err != nil {
+		return "", err
+	}
+
+	if !strings.HasPrefix(line, "D ") {
+		return "", fmt.Errorf(line)
+	}
+
+	return strings.TrimPrefix(line, "D "), nil
+}
+
+func setOption(writer io.Writer, bufferedReader *bufio.Reader, option string) bool {
+	_, err := fmt.Fprintf(writer, option)
+	lineBytes, _, err := bufferedReader.ReadLine()
+	if err != nil {
+		return false
+	}
+
+	line := string(lineBytes)
+	if !strings.HasPrefix(line, "OK") {
+		return false
+	}
+	return true
+}
diff --git a/pinentry/pinentry_darwin.go b/pinentry/pinentry_darwin.go
@@ -0,0 +1,13 @@
+package pinentry
+
+func pinentryPaths() []string {
+	return []string{
+		"pinentry-mac",
+		"pinentry-curses",
+		"pinentry",
+	}
+}
+
+func tty() string {
+	return "/dev/tty"
+}
diff --git a/pinentry/pinentry_linux.go b/pinentry/pinentry_linux.go
@@ -0,0 +1,17 @@
+package pinentry
+
+func pinentryPaths() []string {
+	// there are many flavours for the GnuPG pinentry program for different linux distros
+	// this is a non-exhaustive list of some common implementations
+	return []string{
+		"pinentry-gnome3",
+		"pinentry-gtk",
+		"pinentry-qy",
+		"pinentry-tty",
+		"pinentry",
+	}
+}
+
+func tty() string {
+	return "/dev/tty"
+}
diff --git a/pinentry/pinentry_windows.go b/pinentry/pinentry_windows.go
@@ -0,0 +1,14 @@
+package pinentry
+
+func pinentryPaths() []string {
+	return []string{
+		"pinentry-gtk-2.exe",
+		"pinentry-qt4.exe",
+		"pinentry-w32.exe",
+		"pinentry.exe",
+	}
+}
+
+func tty() string {
+	return "windows"
+}
diff --git a/piv_identity.go b/piv_identity.go
@@ -5,12 +5,9 @@ import (
 	"crypto/x509"
 	"fmt"
 	"io"
-	"io/fs"
-	"os"
-
-	"golang.org/x/crypto/ssh/terminal"
 
 	"github.com/github/certstore"
+	"github.com/github/smimesign/pinentry"
 	"github.com/go-piv/piv-go/piv"
 	"github.com/pkg/errors"
 )
@@ -91,8 +88,17 @@ func (ident *PivIdentity) Public() crypto.PublicKey {
 
 // Sign implements the crypto.Signer interface
 func (ident *PivIdentity) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
+	entry, err := pinentry.NewPinentry()
+	if err != nil {
+		return nil, err
+	}
+
+	pin, err := entry.Get(fmt.Sprintf("Enter PIN for \"%v\"", ident.card))
+	if err != nil {
+		return nil, err
+	}
 	private, err := ident.yk.PrivateKey(piv.SlotSignature, ident.Public(), piv.KeyAuth{
-		PINPrompt: ident.promptHardwareKeyPin,
+		PIN: pin,
 	})
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to get private key for signing")
@@ -105,32 +111,3 @@ func (ident *PivIdentity) Sign(rand io.Reader, digest []byte, opts crypto.Signer
 		return nil, fmt.Errorf("invalid key type")
 	}
 }
-
-func (ident *PivIdentity) promptHardwareKeyPin() (string, error) {
-	tty, err := os.OpenFile("/dev/tty", os.O_RDWR, fs.ModeCharDevice)
-	if err != nil {
-		return "", err
-	}
-	defer tty.Close()
-
-	_, err = fmt.Fprintf(tty, "enter PIN for hardware key \"%v\" (press enter for the default PIN):\n", ident.card)
-	if err != nil {
-		return "", err
-	}
-
-	var hardwareKeyPin string
-	pin, err := terminal.ReadPassword(int(tty.Fd()))
-	if err != nil {
-		return "", err
-	}
-
-	if len(pin) == 0 {
-		hardwareKeyPin = piv.DefaultPIN
-	} else {
-		hardwareKeyPin = string(pin)
-	}
-
-	_, _ = fmt.Fprintf(tty, "Touch %v now unlock\n", ident.card)
-
-	return hardwareKeyPin, nil
-}
