Add support for multiple slots

Rewrite TLV handling to return a list instead of map. This way,
the name tags can be inspected and the correct one can be picked.

The desired slot name is passed as an (optional) argument. If the
argument is omitted, the first slot is used.

Author: Hendrik Eckardt

cmd/yubi-oath-vpn/options_linux.go

@@ -2,5 +2,6 @@ package main
 
 type Options struct {
 	ConnectionName string `required:"yes" short:"c" long:"connection" description:"The name of the connection as shown by 'nmcli c show'"`
+	SlotName       string `required:"no" short:"s" long:"slot" description:"The name of the YubiKey slot to use (typically of the form user@example.com)"`
 	ShowVersion    bool   `required:"no" short:"v" long:"version" description:"Show version and exit"`
 }

cmd/yubi-oath-vpn/options_windows.go

@@ -2,5 +2,6 @@ package main
 
 type Options struct {
 	ConnectionName string `required:"yes" short:"c" long:"connection" description:"The name of the OpenVPN connection without extension'"`
+	SlotName       string `required:"no" short:"s" long:"slot" description:"The name of the YubiKey slot to use (typically of the form user@example.com)"`
 	ShowVersion    bool   `required:"no" short:"v" long:"version" description:"Show version and exit"`
 }

cmd/yubi-oath-vpn/yubi-oath-vpn.go

@@ -86,7 +86,7 @@ func main() {
 			if applicableYubiKey(key) {
 				connectedToTun, _ := isConnectedToTun()
 				if !connectedToTun {
-					controller.ConnectWith(key, opts.ConnectionName)
+					controller.ConnectWith(key, opts.ConnectionName, opts.SlotName)
 				} else {
 					log.Printf("Connected TUN device found, not trying to connect")
 				}

gui2/gui_controller.go

@@ -18,7 +18,7 @@ type ConnectionParameters struct {
 }
 
 type GuiController interface {
-	ConnectWith(key yubikey.YubiKey, connectionId string)
+	ConnectWith(key yubikey.YubiKey, connectionId string, slotName string)
 	InitializeConnection() chan ConnectionParameters
 	ConnectionResult(events netctrl.ConnectionAttemptResult)
 	SetLatestVersion(release githubreleasemon.Release)
@@ -33,6 +33,7 @@ type guiController struct {
 	yubiKey                  yubikey.YubiKey
 	initializeConnectionChan chan ConnectionParameters
 	connectionId             string
+	slotName                 string
 	cancelCurrentConnection  context.CancelFunc
 }
 
@@ -102,9 +103,9 @@ func GuiControllerNew(ctx context.Context, title string) (GuiController, error)
 	return controller, nil
 }
 
-func (ctrl *guiController) ConnectWith(key yubikey.YubiKey, connectionId string) {
+func (ctrl *guiController) ConnectWith(key yubikey.YubiKey, connectionId string, slotName string) {
 	println("ConnectWith")
-	ctrl.sendEvent(evKeyInserted, key, connectionId)
+	ctrl.sendEvent(evKeyInserted, key, connectionId, slotName)
 	go func() {
 		<-key.Context().Done()
 

gui2/states.go

@@ -88,6 +88,7 @@ func eventString(e *fsm.Event, idx int) string {
 func (ctrl *guiController) enterPrepare(e *fsm.Event) {
 	key := key(e, 0)
 	connectionId := eventString(e, 1)
+	slotName := eventString(e, 2)
 	//key.RequiresPassword()
 	// TODO password required?
 	glib.IdleAdd(func() {
@@ -96,6 +97,7 @@ func (ctrl *guiController) enterPrepare(e *fsm.Event) {
 
 	ctrl.yubiKey = key
 	ctrl.connectionId = connectionId
+	ctrl.slotName = slotName
 	ctrl.sendEvent(evPasswordRequired, key, connectionId)
 }
 func (ctrl *guiController) leavePrepare(e *fsm.Event) {
@@ -139,7 +141,7 @@ func (ctrl *guiController) enterConnecting(e *fsm.Event) {
 	ctrl.gtkGui.HideError()
 
 	password := e.Args[0].(string)
-	code, err := ctrl.yubiKey.GetCodeWithPassword(password)
+	code, err := ctrl.yubiKey.GetCodeWithPassword(password, ctrl.slotName)
 
 	println("code", code)
 	println("err", err)

yubierror/errors.go

@@ -7,6 +7,7 @@ const (
 	ErrorChkWrong      YubiKeyError = iota
 	ErrorWrongPassword YubiKeyError = iota
 	ErrorUserCancled   YubiKeyError = iota
+	ErrorSlotNotFound  YubiKeyError = iota
 )
 
 func (e YubiKeyError) Error() string {
@@ -17,6 +18,8 @@ func (e YubiKeyError) Error() string {
 		return "Wrong YubiKey password"
 	case ErrorUserCancled:
 		return "User canceled"
+	case ErrorSlotNotFound:
+		return "No slot with the specified name was found"
 	}
 	return "unknown error"
 }

yubikey/scard/scard_yubikey.go

@@ -57,7 +57,7 @@ func (key *scardYubiKey) Context() context.Context {
 	return key.ctx
 }
 
-func (key *scardYubiKey) GetCodeWithPassword(pwd string) (string, error) {
+func (key *scardYubiKey) GetCodeWithPassword(pwd string, slotName string) (string, error) {
 
 	card := key.card
 
@@ -93,16 +93,18 @@ func (key *scardYubiKey) GetCodeWithPassword(pwd string) (string, error) {
 		return "", err
 	}
 
-	tlvs, err := key.parseTlvs(resp_oath)
+	tlvsList, err := key.parseTlvs(resp_oath)
 	if err != nil {
 		return "", err
 	}
+	tlvs := tlvsToMap(tlvsList)
 
 	OATH_TAG_NAME := byte(0x71)
 	OATH_TAG_CHALLENGE := byte(0x74)
 	OATH_TAG_ALGORITHM := byte(0x7b)
 	OATH_TAG_VERSION := byte(0x79)
 	OATH_TAG_RESPONSE := byte(0x75)
+	OATH_TAG_TRUNCATED_RESPONSE := byte(0x76)
 
 	name := binary.BigEndian.Uint64(tlvs[OATH_TAG_NAME].value)
 
@@ -144,16 +146,17 @@ func (key *scardYubiKey) GetCodeWithPassword(pwd string) (string, error) {
 		return "", err
 	}
 
-	verify_tlvs, err := key.parseTlvs(verify_resp)
+	verifyTlvsList, err := key.parseTlvs(verify_resp)
 	if err != nil {
 		return "", err
 	}
+	verifyTlvs := tlvsToMap(verifyTlvsList)
 
-	println(verify_tlvs)
+	println(verifyTlvs)
 	fmt.Printf("verification: % 0x\n", verification)
-	fmt.Printf("verification: % 0x\n", verify_tlvs[OATH_TAG_RESPONSE].value)
+	fmt.Printf("verification: % 0x\n", verifyTlvs[OATH_TAG_RESPONSE].value)
 
-	if !reflect.DeepEqual(verification, verify_tlvs[OATH_TAG_RESPONSE].value) {
+	if !reflect.DeepEqual(verification, verifyTlvs[OATH_TAG_RESPONSE].value) {
 		panic("Verification failed")
 	}
 
@@ -172,20 +175,40 @@ func (key *scardYubiKey) GetCodeWithPassword(pwd string) (string, error) {
 	}
 	fmt.Printf("% 0x\n", rsp_5)
 
-	creds_tlvs, err := key.parseTlvs(rsp_5)
+	credsTlvs, err := key.parseTlvs(rsp_5)
 	if err != nil {
 		return "", err
 	}
 
-	TRUNCATED_RESPONSE := byte(0x76)
+	foundSlot := false
+	var strCode string
+	for _, tlv := range credsTlvs {
+		if tlv.tag == OATH_TAG_NAME {
+			keySlotName := string(tlv.value)
+
+			if slotName == "" || keySlotName == slotName {
+				foundSlot = true
+				fmt.Printf("slot %s matched\n", keySlotName)
+			} else {
+				fmt.Printf("found non-matching slot %s\n", keySlotName)
+			}
+		}
+
+		if foundSlot && tlv.tag == OATH_TAG_TRUNCATED_RESPONSE {
+			fmt.Printf("code is in: % 0x\n", tlv.value)
 
-	fmt.Printf("code is in: % 0x\n", creds_tlvs[TRUNCATED_RESPONSE].value)
+			code := parseTruncated(tlv.value[1:])
 
-	code := parseTruncated(creds_tlvs[TRUNCATED_RESPONSE].value[1:])
+			fmt.Printf("code: %06d\n", code)
+			strCode = fmt.Sprintf("%06d", code)
 
-	fmt.Printf("code: %06d\n", code)
+			break
+		}
+	}
 
-	strCode := fmt.Sprintf("%06d", code)
+	if !foundSlot {
+		return "", yubierror.ErrorSlotNotFound
+	}
 
 	return strCode, err
 }
@@ -260,8 +283,8 @@ type Tlv struct {
 	value []byte
 }
 
-func (self *scardYubiKey) parseTlvs(response []byte) (map[byte]Tlv, error) {
-	tlvs := make(map[byte]Tlv)
+func (self *scardYubiKey) parseTlvs(response []byte) ([]Tlv, error) {
+	var tlvs []Tlv
 	for len(response) > 0 {
 		tag := response[0]
 		ln := uint64(response[1])
@@ -284,12 +307,22 @@ func (self *scardYubiKey) parseTlvs(response []byte) (map[byte]Tlv, error) {
 			value: value,
 		}
 
-		tlvs[tag] = tlv
+		tlvs = append(tlvs, tlv)
 	}
 
 	return tlvs, nil
 }
 
+func tlvsToMap(tlvs []Tlv) map[byte]Tlv {
+	result := make(map[byte]Tlv)
+
+	for _, tlv := range tlvs {
+		result[tlv.tag] = tlv
+	}
+
+	return result
+}
+
 func (self Tlv) buffer() []byte {
 	res := make([]byte, 1)
 	res[0] = self.tag

yubikey/yubikey.go

@@ -4,5 +4,5 @@ import "context"
 
 type YubiKey interface {
 	Context() context.Context
-	GetCodeWithPassword(password string) (string, error)
+	GetCodeWithPassword(password string, slotName string) (string, error)
 }