sergey/fido2-manage
1
0
Fork 0
mirror of https://github.com/token2/fido2-manage.git synced 2026-04-09 02:35:39 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
df1b66988ff664020e8c8805a68e3ba46ded6c47
fido2-manage/fido2-manage.sh
Token2 df1b66988f Add files via upload
2024-05-24 11:40:07 +02:00

221 lines
6.6 KiB
Bash
Raw Blame History

#!/bin/bash
FIDO2_TOKEN_CMD="/usr/local/bin/fido2-token"
list=false
info=false
device=""
pin=""
storage=false
residentKeys=false
domain=""
delete=false
credential=""
changePIN=false
setPIN=false
reset=false
uvs=false
uvd=false
help=false
show_message() {
local message=$1
local type=${2:-"Info"}
echo "[$type] $message"
}
while [[ "$#" -gt 0 ]]; do
case $1 in
-list) list=true ;;
-info) info=true ;;
-device) device="$2"; shift ;;
-pin) pin="$2"; shift ;;
-storage) storage=true ;;
-residentKeys) residentKeys=true ;;
-domain) domain="$2"; shift ;;
-delete) delete=true ;;
-credential) credential="$2"; shift ;;
-changePIN) changePIN=true ;;
-setPIN) setPIN=true ;;
-reset) reset=true ;;
-uvs) uvs=true ;;
-uvd) uvd=true ;;
-help) help=true ;;
*) show_message "Unknown parameter: $1" "Error"; exit 1 ;;
esac
shift
done
show_help() {
cat << EOF
FIDO2 Token Management Tool
v 0.2.2
This is a wrapper for libfido2 library
(c) Token2 Sarl
Usage: ./fido2-manage.sh [-list] [-info -device <number>] [-storage -device <number>] [-residentKeys -device <number> -domain <domain>] [-uvs] [-uvd] [-delete -device <number> -credential <credential>] [-help]
Examples:
- List available devices:
./fido2-manage.sh -list
- Retrieve information about a specific device:
./fido2-manage.sh -info -device 1
- Retrieve storage data for credentials (number of resident keys stored and available) on a specific device:
./fido2-manage.sh -storage -device 2
- Retrieve resident keys on a specific device for a domain:
./fido2-manage.sh -residentKeys -device 1 -domain login.microsoft.com
- Enforce user verification to be always requested on a specific device:
./fido2-manage.sh -uvs -device 1
- Disable enforcing user verification to be always requested on a specific device:
./fido2-manage.sh -uvd -device 1
- Sets PIN of a specific device:
./fido2-manage.sh -setPIN -device 1
- Perform a factory reset on a specific device:
./fido2-manage.sh -reset -device 1
- Change PIN of a specific device:
./fido2-manage.sh -changePIN -device 1
- Delete a credential on a specific device:
./fido2-manage.sh -delete -device 2 -credential Y+Dh/tSy/Q2IdZt6PW/G1A==
- Display script help information:
./fido2-manage.sh -help
EOF
}
# Display help if -help parameter is provided
if $help; then
show_help
exit 0
fi
# Check if no arguments are specified, then show help
if ! $list && ! $info && [[ -z $device ]] && ! $storage && ! $residentKeys && [[ -z $domain ]] && ! $delete && [[ -z $credential ]] && ! $changePIN && ! $setPIN && ! $reset && ! $uvs && ! $uvd && ! $help; then
show_help
exit 1
fi
if $list; then
command_output=$($FIDO2_TOKEN_CMD -L 2>&1)
if [ $? -ne 0 ]; then
show_message "Error executing $FIDO2_TOKEN_CMD -L: $command_output" "Error"
exit 1
fi
device_count=1
echo "$command_output" | while read -r line; do
if [[ $line =~ ^([^:]+) ]]; then
echo "Device [$device_count] : $(echo "${line}" | grep -oP '\(([^)]+)\)' | sed 's/(\(.*\))/\1/')"
device_count=$((device_count + 1))
fi
done
exit 0
fi
if [[ -n $device ]]; then
device_index=$((device - 1))
command_output=$($FIDO2_TOKEN_CMD -L 2>&1)
if [ $? -ne 0 ]; then
show_message "Error executing $FIDO2_TOKEN_CMD -L: $command_output" "Error"
exit 1
fi
if [[ $command_output =~ pcsc://slot0: ]]; then
device_string="pcsc://slot0"
else
device_string=$(echo "$command_output" | sed -n "$((device_index + 1))p" | cut -d ':' -f 1)
fi
if $reset; then
show_message "WARNING: Factory reset will remove all data and settings of the device, including its PIN, fingerprints, and passkeys stored. The factory reset process is irreversible. Are you sure you want to proceed? (Y/N)"
read -r confirmation
if [[ $confirmation =~ [Yy] ]]; then
show_message "Touch or press the security key button when it starts blinking."
output=$($FIDO2_TOKEN_CMD -R "$device_string" 2>&1)
if [[ $output == *"FIDO_ERR_NOT_ALLOWED"* ]]; then
show_message "Error: Factory reset not allowed. Factory reset is only allowed within 10 seconds of powering up of the security key. Please unplug and plug the device back in and retry within 10 seconds after plugging in."
else
show_message "Factory reset completed."
fi
else
show_message "Factory reset canceled."
fi
exit 0
fi
if $changePIN; then
show_message "Enter the old and new PIN below."
$FIDO2_TOKEN_CMD -C "$device_string"
exit 0
fi
if $uvs; then
show_message "Enforcing user verification."
$FIDO2_TOKEN_CMD -Su "$device_string"
exit 0
fi
if $uvd; then
show_message "Disabling user verification."
$FIDO2_TOKEN_CMD -Du "$device_string"
exit 0
fi
if $setPIN; then
show_message "Enter and confirm the PIN as prompted below."
$FIDO2_TOKEN_CMD -S "$device_string"
exit 0
fi
if $delete && [[ -n $credential ]]; then
show_message "WARNING: Deleting a credential is irreversible. Are you sure you want to proceed? (Y/N)"
read -r confirmation
if [[ $confirmation =~ [Yy] ]]; then
$FIDO2_TOKEN_CMD -D -i "$credential" "$device_string"
show_message "Credential deleted successfully."
else
show_message "Deletion canceled."
fi
exit 0
fi
if $storage; then
$FIDO2_TOKEN_CMD -I -c "$device_string" $([[ -n $pin ]] && echo "-w $pin ")
exit 0
elif $residentKeys; then
if [[ -n $domain ]]; then
output=$($FIDO2_TOKEN_CMD -L -k "$domain" "$device_string" $([[ -n $pin ]] && echo "-w $pin"))
echo "$output" | grep -oP '(\d+): (\S+) (.+)' | while read -r line; do
key_id=$(echo "$line" | awk '{print $1}')
credential_id=$(echo "$line" | awk '{print $2}')
user=$(echo "$line" | grep -oP '(\S+\s+\S+).+ es256' | head -1)
show_message "Credential ID: $credential_id, User: $user"
done
else
$FIDO2_TOKEN_CMD -L -r "$device_string" $(if [[ -n $pin ]]; then echo "-w $pin"; fi)
fi
exit 0
fi
if $info; then
command_output=$($FIDO2_TOKEN_CMD -I "$device_string")
show_message "Device $device Information:"
echo "$command_output"
exit 0
fi
fi
Reference in New Issue View Git Blame Copy Permalink