diff --git a/doc/tools/dnie-tool.xml b/doc/tools/dnie-tool.xml
index ebc1dcc5..4df384fd 100755
--- a/doc/tools/dnie-tool.xml
+++ b/doc/tools/dnie-tool.xml
@@ -58,6 +58,9 @@
pin, pinSpecify the user pin value to use.
+ If set to env:VARIABLE, the
+ value of the environment variable
+ VARIABLE is used.
The default is do not enter pin
diff --git a/doc/tools/pkcs11-tool.1.xml b/doc/tools/pkcs11-tool.1.xml
index f4e28df6..23d5512e 100644
--- a/doc/tools/pkcs11-tool.1.xml
+++ b/doc/tools/pkcs11-tool.1.xml
@@ -199,9 +199,15 @@
pinUse the given pin for
- token operations. WARNING: Be careful using this option
+ token operations. If set to
+ env:VARIABLE, the value of the
+ environment variable VARIABLE is
+ used. WARNING: Be careful using this option
as other users may be able to read the command line from
- the system or if it is embedded in a script.
+ the system or if it is embedded in a script. If set to
+ env:VARIABLE, the value of the
+ environment variable VARIABLE is
+ used.
This option will also set
the option.
@@ -266,8 +272,11 @@
Use the given pin as the
Security Officer PIN for some token operations (token
- initialization, user PIN initialization, etc). The same
- warning as also applies here.
+ initialization, user PIN initialization, etc). If set to
+ env:VARIABLE, the value of the
+ environment variable VARIABLE is
+ used. The same warning as also
+ applies here.
diff --git a/doc/tools/pkcs15-init.1.xml b/doc/tools/pkcs15-init.1.xml
index 736b0f9c..c21d35aa 100644
--- a/doc/tools/pkcs15-init.1.xml
+++ b/doc/tools/pkcs15-init.1.xml
@@ -331,11 +331,17 @@
- These options can be used to specify PIN/PUK values on the command
- line. Note that on most operation systems, any user can display
- the command line of any process on the system using utilities such
- as ps(1). Therefore, you should use these options
- only on a secured system, or in an options file specified with
+ These options can be used to specify PIN/PUK values
+ on the command line. If set to
+ env:VARIABLE, the value
+ of the environment variable
+ VARIABLE is used. Note
+ that on most operation systems, any user can
+ display the command line of any process on the
+ system using utilities such as
+ ps(1). Therefore, you should use
+ these options only on a secured system, or in an
+ options file specified with
.
diff --git a/doc/tools/sc-hsm-tool.1.xml b/doc/tools/sc-hsm-tool.1.xml
index f65fe7e1..d560540a 100644
--- a/doc/tools/sc-hsm-tool.1.xml
+++ b/doc/tools/sc-hsm-tool.1.xml
@@ -123,7 +123,10 @@
value
- Define SO-PIN for initialization.
+ Define SO-PIN for initialization. If set to
+ env:VARIABLE, the value of
+ the environment variable
+ VARIABLE is used.
@@ -132,7 +135,11 @@
value
- Define user PIN for initialization, wrap or unwrap operation.
+ Define user PIN for initialization, wrap or
+ unwrap operation. If set to
+ env:VARIABLE, the value of
+ the environment variable
+ VARIABLE is used.
@@ -150,7 +157,10 @@
value
- Define password for DKEK share encryption.
+ Define password for DKEK share encryption. If set to
+ env:VARIABLE, the value of
+ the environment variable
+ VARIABLE is used.
diff --git a/doc/tools/westcos-tool.1.xml b/doc/tools/westcos-tool.1.xml
index e330e859..240128cd 100644
--- a/doc/tools/westcos-tool.1.xml
+++ b/doc/tools/westcos-tool.1.xml
@@ -118,7 +118,10 @@
value,
value
- Set value of PIN.
+ Set value of PIN. If set to
+ env:VARIABLE, the value of
+ the environment variable
+ VARIABLE is used.
@@ -127,7 +130,10 @@
valueset value of PUK (or value of new PIN for change PIN
- command see ).
+ command see ). If set to
+ env:VARIABLE, the value of
+ the environment variable
+ VARIABLE is used.
diff --git a/src/tools/dnie-tool.c b/src/tools/dnie-tool.c
index b3db7f55..82db6399 100644
--- a/src/tools/dnie-tool.c
+++ b/src/tools/dnie-tool.c
@@ -117,7 +117,7 @@ int main(int argc, char* argv[])
opt_wait = 1;
break;
case 'p':
- opt_pin = optarg;
+ util_get_pin(optarg, &opt_pin);
break;
case 'i':
opt_operation |= OP_GET_IDESP;
diff --git a/src/tools/openpgp-tool.c b/src/tools/openpgp-tool.c
index b4529ef6..60042bb1 100644
--- a/src/tools/openpgp-tool.c
+++ b/src/tools/openpgp-tool.c
@@ -113,7 +113,7 @@ static const char *option_help[] = {
/* v */ "Verbose operation. Use several times to enable debug output.",
/* V */ "Show version number",
"Verify PIN (CHV1, CHV2, CHV3...)",
- "PIN string. can be: 'env:' to get PIN from the environment, otherwise is used.",
+ "PIN string",
/* d */ "Dump private data object number (i.e. PRIVATE-DO-)"
};
@@ -256,7 +256,7 @@ static int decode_options(int argc, char **argv)
break;
case OPT_PIN:
opt_pin++;
- util_get_pin(optarg, (const char **) &pin);
+ util_get_pin(optarg, &pin);
break;
case 'C':
opt_cardinfo++;
diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
index 0a6d936b..fdb27ea5 100644
--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
@@ -238,10 +238,10 @@ static CK_BYTE opt_object_id[100], new_object_id[100];
static const char * opt_attr_from_file = NULL;
static size_t opt_object_id_len = 0, new_object_id_len = 0;
static char * opt_object_label = NULL;
-static char * opt_pin = NULL;
-static char * opt_so_pin = NULL;
-static char * opt_puk = NULL;
-static char * opt_new_pin = NULL;
+static const char * opt_pin = NULL;
+static const char * opt_so_pin = NULL;
+static const char * opt_puk = NULL;
+static const char * opt_new_pin = NULL;
static char * opt_application_label = NULL;
static char * opt_application_id = NULL;
static char * opt_issuer = NULL;
@@ -511,7 +511,7 @@ int main(int argc, char * argv[])
opt_output = optarg;
break;
case 'p':
- opt_pin = optarg;
+ util_get_pin(optarg, &opt_pin);
break;
case 'c':
do_change_pin = 1;
@@ -585,10 +585,10 @@ int main(int argc, char * argv[])
opt_subject = optarg;
break;
case OPT_NEW_PIN:
- opt_new_pin = optarg;
+ util_get_pin(optarg, &opt_new_pin);
break;
case OPT_PUK:
- opt_puk = optarg;
+ util_get_pin(optarg, &opt_puk);
break;
case OPT_LOGIN_TYPE:
if (!strcmp(optarg, "so"))
@@ -603,7 +603,7 @@ int main(int argc, char * argv[])
}
break;
case OPT_SO_PIN:
- opt_so_pin = optarg;
+ util_get_pin(optarg, &opt_so_pin);
break;
case OPT_INIT_TOKEN:
do_init_token = 1;
@@ -1085,11 +1085,11 @@ static int login(CK_SESSION_HANDLE session, int login_type)
/* Identify which pin to enter */
if (login_type == CKU_SO)
- pin = opt_so_pin;
+ pin = (char *) opt_so_pin;
else if (login_type == CKU_USER)
- pin = opt_pin;
+ pin = (char *) opt_pin;
else if (login_type == CKU_CONTEXT_SPECIFIC)
- pin = opt_pin ? opt_pin : opt_puk;
+ pin = opt_pin ? (char *) opt_pin : (char *) opt_puk;
if (!pin && !(info.flags & CKF_PROTECTED_AUTHENTICATION_PATH)) {
printf("Logging in to \"%s\".\n", p11_utf8_to_local(info.label, sizeof(info.label)));
@@ -1154,7 +1154,7 @@ static void init_token(CK_SLOT_ID slot)
util_fatal("Different new SO PINs, exiting\n");
pin_allocated = 1;
} else {
- new_pin = opt_so_pin;
+ new_pin = (char *) opt_so_pin;
}
if (!new_pin || !*new_pin)
util_fatal("Invalid SO PIN\n");
@@ -1199,8 +1199,8 @@ static void init_pin(CK_SLOT_ID slot, CK_SESSION_HANDLE sess)
}
}
- pin = opt_pin;
- if (!pin) pin = opt_new_pin;
+ pin = (char *) opt_pin;
+ if (!pin) pin = (char *) opt_new_pin;
if (!pin) pin = new_pin1;
rv = p11->C_InitPIN(sess, (CK_UTF8CHAR *) pin, pin == NULL ? 0 : strlen(pin));
@@ -1243,9 +1243,9 @@ static int change_pin(CK_SLOT_ID slot, CK_SESSION_HANDLE sess)
}
else {
if (opt_so_pin)
- old_pin = opt_so_pin;
+ old_pin = (char *) opt_so_pin;
else
- old_pin = opt_pin;
+ old_pin = (char *) opt_pin;
}
if (!opt_new_pin) {
@@ -1265,7 +1265,7 @@ static int change_pin(CK_SLOT_ID slot, CK_SESSION_HANDLE sess)
return 1;
}
else {
- new_pin = opt_new_pin;
+ new_pin = (char *) opt_new_pin;
}
}
@@ -1292,9 +1292,9 @@ static int unlock_pin(CK_SLOT_ID slot, CK_SESSION_HANDLE sess, int login_type)
get_token_info(slot, &info);
if (login_type == CKU_CONTEXT_SPECIFIC)
- unlock_code = opt_pin ? opt_pin : opt_puk;
+ unlock_code = opt_pin ? (char *) opt_pin : (char *) opt_puk;
else if (login_type == -1)
- unlock_code = opt_puk;
+ unlock_code = (char *) opt_puk;
else
return 1;
@@ -1314,7 +1314,7 @@ static int unlock_pin(CK_SLOT_ID slot, CK_SESSION_HANDLE sess, int login_type)
unlock_code = unlock_buf;
}
- new_pin = opt_new_pin;
+ new_pin = (char *) opt_new_pin;
if (!(info.flags & CKF_PROTECTED_AUTHENTICATION_PATH) && !new_pin) {
printf("Please enter the new PIN: ");
r = util_getpass(&new_pin, &len, stdin);
diff --git a/src/tools/pkcs15-init.c b/src/tools/pkcs15-init.c
index 990a90d2..b3d00581 100644
--- a/src/tools/pkcs15-init.c
+++ b/src/tools/pkcs15-init.c
@@ -347,7 +347,7 @@ static char * opt_label = NULL;
static char * opt_puk_label = NULL;
static char * opt_pubkey_label = NULL;
static char * opt_cert_label = NULL;
-static char * opt_pins[4];
+static const char * opt_pins[4];
static char * opt_serial = NULL;
static char * opt_passphrase = NULL;
static char * opt_newkey = NULL;
@@ -2446,13 +2446,15 @@ handle_option(const struct option *opt)
break;
case OPT_PIN1: case OPT_PUK1:
case OPT_PIN2: case OPT_PUK2:
- opt_pins[opt->val & 3] = optarg;
+ util_get_pin(optarg, &(opt_pins[opt->val & 3]));
break;
case OPT_SERIAL:
opt_serial = optarg;
break;
case OPT_PASSPHRASE:
- opt_passphrase = optarg;
+ free(opt_passphrase);
+ opt_passphrase = NULL;
+ util_get_pin(optarg, &opt_passphrase);
break;
case OPT_PUBKEY:
this_action = ACTION_STORE_PUBKEY;
@@ -2844,4 +2846,3 @@ static int verify_pin(struct sc_pkcs15_card *p15card, char *auth_id_str)
return r;
}
-
diff --git a/src/tools/pkcs15-tool.c b/src/tools/pkcs15-tool.c
index e9fbc3ab..e5689fc0 100644
--- a/src/tools/pkcs15-tool.c
+++ b/src/tools/pkcs15-tool.c
@@ -52,9 +52,9 @@ static char * opt_data = NULL;
static char * opt_pubkey = NULL;
static char * opt_outfile = NULL;
static char * opt_bind_to_aid = NULL;
-static u8 * opt_newpin = NULL;
-static u8 * opt_pin = NULL;
-static u8 * opt_puk = NULL;
+static const u8 * opt_newpin = NULL;
+static const u8 * opt_pin = NULL;
+static const u8 * opt_puk = NULL;
static int verbose = 0;
static int opt_no_prompt = 0;
@@ -1890,13 +1890,13 @@ int main(int argc, char * const argv[])
opt_reader = optarg;
break;
case OPT_PIN:
- opt_pin = (u8 *) optarg;
+ util_get_pin(optarg, (const u8 **) &opt_pin);
break;
case OPT_NEWPIN:
- opt_newpin = (u8 *) optarg;
+ util_get_pin(optarg, (const u8 **) &opt_newpin);
break;
case OPT_PUK:
- opt_puk = (u8 *) optarg;
+ util_get_pin(optarg, (const u8 **) &opt_puk);
break;
case 'o':
opt_outfile = optarg;
diff --git a/src/tools/sc-hsm-tool.c b/src/tools/sc-hsm-tool.c
index b2713dd6..2d173a0e 100644
--- a/src/tools/sc-hsm-tool.c
+++ b/src/tools/sc-hsm-tool.c
@@ -1484,13 +1484,19 @@ int main(int argc, char * const argv[])
action_count++;
break;
case OPT_PASSWORD:
- opt_password = optarg;
+ free(opt_password);
+ opt_password = NULL;
+ util_get_pin(optarg, &opt_password);
break;
case OPT_SO_PIN:
- opt_so_pin = optarg;
+ free(opt_so_pin);
+ opt_so_pin = NULL;
+ util_get_pin(optarg, &opt_so_pin);
break;
case OPT_PIN:
- opt_pin = optarg;
+ free(opt_pin);
+ opt_pin = NULL;
+ util_get_pin(optarg, &opt_pin);
break;
case OPT_RETRY:
opt_retry_counter = atol(optarg);
diff --git a/src/tools/westcos-tool.c b/src/tools/westcos-tool.c
index 07e5f753..6241d9c4 100644
--- a/src/tools/westcos-tool.c
+++ b/src/tools/westcos-tool.c
@@ -90,8 +90,8 @@ static int finalize = 0;
static int install_pin = 0;
static int overwrite = 0;
-static char *pin = NULL;
-static char *puk = NULL;
+static const char *pin = NULL;
+static const char *puk = NULL;
static char *cert = NULL;
static int keylen = 0;
@@ -400,10 +400,10 @@ int main(int argc, char *argv[])
install_pin = 1;
break;
case 'x':
- pin = optarg;
+ util_get_pin(optarg, &pin);
break;
case 'y':
- puk = optarg;
+ util_get_pin(optarg, &puk);
break;
case 'n':
new_pin = 1;