use util_get_pin in tools

doc/tools/dnie-tool.xml

@@ -58,6 +58,9 @@
 				<varlistentry>
 					<term><option>--pin</option> pin, <option>-p</option> pin</term>
 					<listitem><para>Specify the user pin <varname>value</varname> to use.
+					If set to env:<replaceable>VARIABLE</replaceable>, the
+					value of the environment variable
+					<replaceable>VARIABLE</replaceable> is used.
 					The default is do not enter pin</para></listitem>
 				</varlistentry>
 				<varlistentry>

doc/tools/pkcs11-tool.1.xml

@@ -199,9 +199,15 @@
 						<option>-p</option> <replaceable>pin</replaceable>
 					</term>
 					<listitem><para>Use the given <replaceable>pin</replaceable> for
-					token operations. WARNING: Be careful using this option
+					token operations. If set to
+					env:<replaceable>VARIABLE</replaceable>, the value of the
+					environment variable <replaceable>VARIABLE</replaceable> is
+					used. WARNING: Be careful using this option
 					as other users may be able to read the command line from
-					the system or if it is embedded in a script.</para>
+					the system or if it is embedded in a script. If set to
+					env:<replaceable>VARIABLE</replaceable>, the value of the
+					environment variable <replaceable>VARIABLE</replaceable> is
+					used.</para>
 					<para>This option will also set
 					the <option>--login</option> option.</para></listitem>
 				</varlistentry>
@@ -266,8 +272,11 @@
 					</term>
 					<listitem><para>Use the given <replaceable>pin</replaceable> as the
 					Security Officer PIN for some token operations (token
-					initialization, user PIN initialization, etc). The same
+					initialization, user PIN initialization, etc). If set to
-					warning as <option>--pin</option> also applies here.</para></listitem>
+					env:<replaceable>VARIABLE</replaceable>, the value of the
+					environment variable <replaceable>VARIABLE</replaceable> is
+					used. The same warning as <option>--pin</option> also
+					applies here.</para></listitem>
 				</varlistentry>
 
 				<varlistentry>

doc/tools/pkcs15-init.1.xml

@@ -331,11 +331,17 @@
 					</term>
 					<listitem>
 						<para>
-							These options can be used to specify PIN/PUK values on the command
+							These options can be used to specify PIN/PUK values
-							line. Note that on most operation systems, any user can display
+							on the command line. If set to
-							the command line of any process on the system using utilities such
+							env:<replaceable>VARIABLE</replaceable>, the value
-							as <command>ps(1)</command>. Therefore, you should use these options
+							of the environment variable
-							only on a secured system, or in an options file specified with
+							<replaceable>VARIABLE</replaceable> is used. Note
+							that on most operation systems, any user can
+							display the command line of any process on the
+							system using utilities such as
+							<command>ps(1)</command>. Therefore, you should use
+							these options only on a secured system, or in an
+							options file specified with
 							<option>--options-file</option>.
 						</para>
 					</listitem>

doc/tools/sc-hsm-tool.1.xml

@@ -123,7 +123,10 @@
 						<option>--so-pin</option> <replaceable>value</replaceable>
 					</term>
 					<listitem>
-						<para>Define SO-PIN for initialization.</para>
+						<para>Define SO-PIN for initialization. If set to
+						env:<replaceable>VARIABLE</replaceable>, the value of
+						the environment variable
+						<replaceable>VARIABLE</replaceable> is used.</para>
 					</listitem>
 				</varlistentry>
 				
@@ -132,7 +135,11 @@
 						<option>--pin</option> <replaceable>value</replaceable>
 					</term>
 					<listitem>
-						<para>Define user PIN for initialization, wrap or unwrap operation.</para>
+						<para>Define user PIN for initialization, wrap or
+						unwrap operation. If set to
+						env:<replaceable>VARIABLE</replaceable>, the value of
+						the environment variable
+						<replaceable>VARIABLE</replaceable> is used.</para>
 					</listitem>
 				</varlistentry>
 				
@@ -150,7 +157,10 @@
 						<option>--password</option> <replaceable>value</replaceable>
 					</term>
 					<listitem>
-						<para>Define password for DKEK share encryption.</para>
+						<para>Define password for DKEK share encryption. If set to
+						env:<replaceable>VARIABLE</replaceable>, the value of
+						the environment variable
+						<replaceable>VARIABLE</replaceable> is used.</para>
 					</listitem>
 				</varlistentry>
 				

doc/tools/westcos-tool.1.xml

@@ -118,7 +118,10 @@
 						<option>--pin-value</option> <replaceable>value</replaceable>,
 						<option>-x</option> <replaceable>value</replaceable>
 					</term>
-					<listitem><para>Set value of PIN.</para></listitem>
+					<listitem><para>Set value of PIN. If set to
+					env:<replaceable>VARIABLE</replaceable>, the value of
+					the environment variable
+					<replaceable>VARIABLE</replaceable> is used.</para></listitem>
 				</varlistentry>
 
 				<varlistentry>
@@ -127,7 +130,10 @@
 						<option>-y</option> <replaceable>value</replaceable>
 					</term>
 					<listitem><para>set value of PUK (or value of new PIN for change PIN
-					command see <option>-n</option>).</para></listitem>
+					command see <option>-n</option>). If set to
+					env:<replaceable>VARIABLE</replaceable>, the value of
+					the environment variable
+					<replaceable>VARIABLE</replaceable> is used.</para></listitem>
 				</varlistentry>
 
 				<varlistentry>

src/tools/dnie-tool.c

@@ -117,7 +117,7 @@ int main(int argc, char* argv[])
 			opt_wait = 1;
 			break;
 		case 'p':
-			opt_pin = optarg;
+			util_get_pin(optarg, &opt_pin);
 			break;
 		case 'i':
 			opt_operation |= OP_GET_IDESP;

src/tools/openpgp-tool.c

@@ -113,7 +113,7 @@ static const char *option_help[] = {
 /* v */	"Verbose operation. Use several times to enable debug output.",
 /* V */	"Show version number",
 	"Verify PIN (CHV1, CHV2, CHV3...)",
-	"PIN string. <arg> can be: 'env:<var>' to get PIN from the environment, otherwise <arg> is used.",
+	"PIN string",
 /* d */ "Dump private data object number <arg> (i.e. PRIVATE-DO-<arg>)"
 };
 
@@ -256,7 +256,7 @@ static int decode_options(int argc, char **argv)
 			break;
 		case OPT_PIN:
 			opt_pin++;
-			util_get_pin(optarg, (const char **) &pin);
+			util_get_pin(optarg, &pin);
 			break;
 		case 'C':
 			opt_cardinfo++;

src/tools/pkcs11-tool.c

@@ -238,10 +238,10 @@ static CK_BYTE		opt_object_id[100], new_object_id[100];
 static const char *	opt_attr_from_file = NULL;
 static size_t		opt_object_id_len = 0, new_object_id_len = 0;
 static char *		opt_object_label = NULL;
-static char *		opt_pin = NULL;
+static const char *	opt_pin = NULL;
-static char *		opt_so_pin = NULL;
+static const char *	opt_so_pin = NULL;
-static char *		opt_puk = NULL;
+static const char *	opt_puk = NULL;
-static char *		opt_new_pin = NULL;
+static const char *	opt_new_pin = NULL;
 static char *		opt_application_label = NULL;
 static char *		opt_application_id = NULL;
 static char *		opt_issuer = NULL;
@@ -511,7 +511,7 @@ int main(int argc, char * argv[])
 			opt_output = optarg;
 			break;
 		case 'p':
-			opt_pin = optarg;
+			util_get_pin(optarg, &opt_pin);
 			break;
 		case 'c':
 			do_change_pin = 1;
@@ -585,10 +585,10 @@ int main(int argc, char * argv[])
 			opt_subject = optarg;
 			break;
 		case OPT_NEW_PIN:
-			opt_new_pin = optarg;
+			util_get_pin(optarg, &opt_new_pin);
 			break;
 		case OPT_PUK:
-			opt_puk = optarg;
+			util_get_pin(optarg, &opt_puk);
 			break;
 		case OPT_LOGIN_TYPE:
 			if (!strcmp(optarg, "so"))
@@ -603,7 +603,7 @@ int main(int argc, char * argv[])
 			}
 			break;
 		case OPT_SO_PIN:
-			opt_so_pin = optarg;
+			util_get_pin(optarg, &opt_so_pin);
 			break;
 		case OPT_INIT_TOKEN:
 			do_init_token = 1;
@@ -1085,11 +1085,11 @@ static int login(CK_SESSION_HANDLE session, int login_type)
 	/* Identify which pin to enter */
 
 	if (login_type == CKU_SO)
-		pin = opt_so_pin;
+		pin = (char *) opt_so_pin;
 	else if (login_type == CKU_USER)
-		pin = opt_pin;
+		pin = (char *) opt_pin;
 	else if (login_type == CKU_CONTEXT_SPECIFIC)
-		pin = opt_pin ? opt_pin : opt_puk;
+		pin = opt_pin ? (char *) opt_pin : (char *) opt_puk;
 
 	if (!pin && !(info.flags & CKF_PROTECTED_AUTHENTICATION_PATH)) {
 			printf("Logging in to \"%s\".\n", p11_utf8_to_local(info.label, sizeof(info.label)));
@@ -1154,7 +1154,7 @@ static void init_token(CK_SLOT_ID slot)
 				util_fatal("Different new SO PINs, exiting\n");
 			pin_allocated = 1;
 		} else {
-			new_pin = opt_so_pin;
+			new_pin = (char *) opt_so_pin;
 		}
 		if (!new_pin || !*new_pin)
 			util_fatal("Invalid SO PIN\n");
@@ -1199,8 +1199,8 @@ static void init_pin(CK_SLOT_ID slot, CK_SESSION_HANDLE sess)
 		}
 	}
 
-	pin = opt_pin;
+	pin = (char *) opt_pin;
-	if (!pin) pin = opt_new_pin;
+	if (!pin) pin = (char *) opt_new_pin;
 	if (!pin) pin = new_pin1;
 
 	rv = p11->C_InitPIN(sess, (CK_UTF8CHAR *) pin, pin == NULL ? 0 : strlen(pin));
@@ -1243,9 +1243,9 @@ static int change_pin(CK_SLOT_ID slot, CK_SESSION_HANDLE sess)
 		}
 		else   {
 			if (opt_so_pin)
-				old_pin = opt_so_pin;
+				old_pin = (char *) opt_so_pin;
 			else
-				old_pin = opt_pin;
+				old_pin = (char *) opt_pin;
 		}
 
 		if (!opt_new_pin) {
@@ -1265,7 +1265,7 @@ static int change_pin(CK_SLOT_ID slot, CK_SESSION_HANDLE sess)
 				return 1;
 		}
 		else   {
-			new_pin = opt_new_pin;
+			new_pin = (char *) opt_new_pin;
 		}
 	}
 
@@ -1292,9 +1292,9 @@ static int unlock_pin(CK_SLOT_ID slot, CK_SESSION_HANDLE sess, int login_type)
 	get_token_info(slot, &info);
 
 	if (login_type == CKU_CONTEXT_SPECIFIC)
-		unlock_code = opt_pin ? opt_pin : opt_puk;
+		unlock_code = opt_pin ? (char *) opt_pin : (char *) opt_puk;
 	else if (login_type == -1)
-		unlock_code = opt_puk;
+		unlock_code = (char *) opt_puk;
 	else
 		return 1;
 
@@ -1314,7 +1314,7 @@ static int unlock_pin(CK_SLOT_ID slot, CK_SESSION_HANDLE sess, int login_type)
 		unlock_code = unlock_buf;
 	}
 
-	new_pin = opt_new_pin;
+	new_pin = (char *) opt_new_pin;
 	if (!(info.flags & CKF_PROTECTED_AUTHENTICATION_PATH) && !new_pin)   {
 		printf("Please enter the new PIN: ");
 		r = util_getpass(&new_pin, &len, stdin);

src/tools/pkcs15-init.c

@@ -347,7 +347,7 @@ static char *			opt_label = NULL;
 static char *			opt_puk_label = NULL;
 static char *			opt_pubkey_label = NULL;
 static char *			opt_cert_label = NULL;
-static char *			opt_pins[4];
+static const char *		opt_pins[4];
 static char *			opt_serial = NULL;
 static char *			opt_passphrase = NULL;
 static char *			opt_newkey = NULL;
@@ -2446,13 +2446,15 @@ handle_option(const struct option *opt)
 		break;
 	case OPT_PIN1: case OPT_PUK1:
 	case OPT_PIN2: case OPT_PUK2:
-		opt_pins[opt->val & 3] = optarg;
+		util_get_pin(optarg, &(opt_pins[opt->val & 3]));
 		break;
 	case OPT_SERIAL:
 		opt_serial = optarg;
 		break;
 	case OPT_PASSPHRASE:
-		opt_passphrase = optarg;
+		free(opt_passphrase);
+		opt_passphrase = NULL;
+		util_get_pin(optarg, &opt_passphrase);
 		break;
 	case OPT_PUBKEY:
 		this_action = ACTION_STORE_PUBKEY;
@@ -2844,4 +2846,3 @@ static int verify_pin(struct sc_pkcs15_card *p15card, char *auth_id_str)
 
 	return r;
 }
-

src/tools/pkcs15-tool.c

@@ -52,9 +52,9 @@ static char * opt_data = NULL;
 static char * opt_pubkey = NULL;
 static char * opt_outfile = NULL;
 static char * opt_bind_to_aid = NULL;
-static u8 * opt_newpin = NULL;
+static const u8 * opt_newpin = NULL;
-static u8 * opt_pin = NULL;
+static const u8 * opt_pin = NULL;
-static u8 * opt_puk = NULL;
+static const u8 * opt_puk = NULL;
 static int	verbose = 0;
 static int opt_no_prompt = 0;
 
@@ -1890,13 +1890,13 @@ int main(int argc, char * const argv[])
 			opt_reader = optarg;
 			break;
 		case OPT_PIN:
-			opt_pin = (u8 *) optarg;
+			util_get_pin(optarg, (const u8 **) &opt_pin);
 			break;
 		case OPT_NEWPIN:
-			opt_newpin = (u8 *) optarg;
+			util_get_pin(optarg, (const u8 **) &opt_newpin);
 			break;
 		case OPT_PUK:
-			opt_puk = (u8 *) optarg;
+			util_get_pin(optarg, (const u8 **) &opt_puk);
 			break;
 		case 'o':
 			opt_outfile = optarg;

src/tools/sc-hsm-tool.c

@@ -1484,13 +1484,19 @@ int main(int argc, char * const argv[])
 			action_count++;
 			break;
 		case OPT_PASSWORD:
-			opt_password = optarg;
+			free(opt_password);
+			opt_password = NULL;
+			util_get_pin(optarg, &opt_password);
 			break;
 		case OPT_SO_PIN:
-			opt_so_pin = optarg;
+			free(opt_so_pin);
+			opt_so_pin = NULL;
+			util_get_pin(optarg, &opt_so_pin);
 			break;
 		case OPT_PIN:
-			opt_pin = optarg;
+			free(opt_pin);
+			opt_pin = NULL;
+			util_get_pin(optarg, &opt_pin);
 			break;
 		case OPT_RETRY:
 			opt_retry_counter = atol(optarg);

src/tools/westcos-tool.c

@@ -90,8 +90,8 @@ static int finalize = 0;
 static int install_pin = 0;
 static int overwrite = 0;
 
-static char *pin = NULL;
+static const char *pin = NULL;
-static char *puk = NULL;
+static const char *puk = NULL;
 static char *cert = NULL;
 
 static int keylen = 0;
@@ -400,10 +400,10 @@ int main(int argc, char *argv[])
 				install_pin = 1;
 				break;
 			case 'x':
-				pin = optarg;
+				util_get_pin(optarg, &pin);
 				break;
 			case 'y':
-				puk = optarg;
+				util_get_pin(optarg, &puk);
 				break;
 			case 'n':
 				new_pin = 1;