
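--- a/security/py-onlykey/Makefile
+++ b/security/py-onlykey/Makefile
@@ -0,0 +1,38 @@
+
+PORTNAME=	onlykey
+PORTVERSION=	1.2.2
+PORTREVISION=	1
+CATEGORIES=	security python
+MASTER_SITES=	CHEESESHOP
+PKGNAMEPREFIX=	${PYTHON_PKGNAMEPREFIX}
+
+MAINTAINER=	dmytro@posteo.net
+COMMENT=	Python command line tool for configuring and using OnlyKey
+
+LICENSE=	MIT
+
+RUN_DEPENDS=	${PYTHON_PKGNAMEPREFIX}prompt_toolkit>0:devel/py-prompt_toolkit@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}libusb1>0:devel/py-libusb1@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}pynacl>0:security/py-pynacl@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}ecdsa>=0.13:security/py-ecdsa@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}hidapi>0:comms/py-hidapi@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}uhid-freebsd>0:devel/py-uhid-freebsd@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}aenum>0:devel/py-aenum@${PY_FLAVOR} \
+		u2f-host:security/libu2f-host
+
+USES=		python:3.7+
+USE_PYTHON=	autoplist distutils
+
+SUB_FILES=	pkg-message
+
+PLIST_FILES=	"${PREFIX}/etc/devd/onlykey.conf.sample" "${PREFIX}/man/man1/onlykey-cli.1.gz"
+
+NO_ARCH=	yes
+
+post-install:
+	@${MKDIR} ${STAGEDIR}${PREFIX}/etc/devd
+	${INSTALL_DATA} ${FILESDIR}/onlykey.conf.sample \
+		${STAGEDIR}${PREFIX}/etc/devd
+	${INSTALL_MAN} ${FILESDIR}/onlykey-cli.1 ${STAGEDIR}${PREFIX}/man/man1
+
+.include <bsd.port.mk>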
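Review bot: `PLIST_FILES` lists its two entries as quoted absolute paths (`"${PREFIX}/etc/devd/onlykey.conf.sample"`), where ports normally give them unquoted and relative to the prefix: `PLIST_FILES=	etc/devd/onlykey.conf.sample man/man1/onlykey-cli.1.gz`. `PORTREVISION=	1` on a port that is being added for the first time also looks like a leftover from local iterations and could be dropped. Both are style points; neither changes what gets installed.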
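--- a/security/py-onlykey/distinfo
+++ b/security/py-onlykey/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1603049784
+SHA256 (onlykey-1.2.2.tar.gz) = b17197715e9197885574a0806cce8af087756f99c87d27415be7d15e967a6be2
+SIZE (onlykey-1.2.2.tar.gz) = 11911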
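--- a/security/py-onlykey/files/onlykey-cli.1
+++ b/security/py-onlykey/files/onlykey-cli.1
@@ -0,0 +1,230 @@
+.Dd October 23, 2020
+.Dt ONLYKEY-CLI 1
+.Os
+.Sh NAME
+.Nm onlykey-cli
+.Nd Python client for interacting with the OnlyKey
+.Sh SYNOPSIS
+.Nm
+.Op Ar command
+.Sh DESCRIPTION
+.Nm
+is a command line interface to the OnlyKey that can be used for
+configuration (similar functionality to OnlyKey App). You can either
+provide a
+.Ar command
+to get it executed immediately or run 
+.Nm
+without parameters to open an interactive prompt and type commands there.
+.Sh COMMANDS
+.Bl -tag -width 2n
+.It Xo
+.Cm init
+.Xc
+.Pp
+Sets OnlyKey into initial configuration mode (setting PIN).
+.It Xo
+.Cm settime
+.Xc
+.Pp
+Sets time on OnlyKey, time is needed for TOTP (Google Authenticator).
+.It Xo
+.Cm getlabels
+.Xc
+.Pp
+Prints label for each slot.
+.It Xo
+.Cm getkeylabels
+.Xc
+.Pp
+Prints key label for each RSA and ECC key.
+.It Xo
+.Cm setslot
+.Ar slot_id
+.Ar type
+.Ar value
+.Xc
+.Pp
+For the specified slot sets parameter of the specified
+.Ar type
+to the 
+.Ar value
+provided.
+.Bl -tag -width indent
+.It Ar slot_id
+Slot id: 1a-6b.
+.It Ar type
+Type of the parameter to set. Must be one of the following:
+.Bl -tag -offset 4n -width 8n
+.It Sy label
+The slot label.
+.It Sy url
+URL of the login page.
+.It Sy delay1
+Delay after entering URL, seconds: 0-9.
+.It Sy add_char1
+Additional character before username: 1 for TAB, 0 to clear.
+.It Sy username
+Username to login.
+.It Sy add_char2
+Additional character after username: 1 for TAB, 2 for RETURN.
+.It Sy delay2
+Delay after entering username, seconds: 0-9.
+.It Sy password
+Password to login.
+.It Sy add_char3
+Additional character after password: 1 for TAB, 2 for RETURN.
+.It Sy delay3
+Delay after entering password, seconds: 0-9.
+.It Sy add_char4
+Additional character before OTP: 1 for TAB, 2 for RETURN.
+.It Sy 2fa
+Type of two factor authentication: g for Google Authenticator, y - Yubico OTP, u - U2F.
+.It Sy totpkey
+Google Authenticator key.
+.It Sy add_char5
+Additional character after OTP: 1 for TAB, 2 for RETURN.
+.El
+.It Ar value
+Value to set, see accepted values in each parameter type description above.
+.El
+.It Xo
+.Cm wipeslot
+.Ar slot_id
+.Xc
+.Pp
+Erases all the data (URL/username/password/label/etc.) of the slot with provided
+.Ar slot_id
+(1a-6b).
+.It Xo
+.Cm setkey
+.Ar key_slot
+.Ar key_type
+.Xc
+.Pp
+Sets custom key of provided
+.Ar key_type
+to the 
+.Ar key_slot .
+.It Xo
+.Cm wipekey
+.Ar key_slot
+.Xc
+.Pp
+Wipes custom key from the provided
+.Ar key_slot .
+.It Xo
+.Cm idletimeout
+.Ar timeout
+.Xc
+.Pp
+Sets the OnlyKey auto-lock time value to 
+.Ar timout
+minutes: 1-255; default is 30; 0 to disable.
+.It Xo
+.Cm wipemode
+.Ar mode_id
+.Xc
+.Pp
+Configures how the OnlyKey responds to a factory reset. Accepted
+.Ar mode_id
+values are:
+.Bl -tag -width indent
+.It 1
+Only sensitive data will be wiped (default).
+.It 2
+Entire OnlyKey device will be wiped, including firmware. Firmware must be
+reloaded after factory reset. This mode is recommended for plausible
+deniability users. WARNING: setting to this mode cannot be changed.
+.El
+.It Xo
+.Cm keylayout
+.Ar layout_id
+.Xc
+.Pp
+Configures the OnlyKey keyboard layout. Accepted
+.Ar layout_id
+values are:
+.Bl -tag -width indent
+.It 1
+USA_ENGLISH (default).
+.It 2
+CANADIAN_FRENCH.
+.It 3
+CANADIAN_MULTILINGUAL.
+.It 4
+DANISH.
+.It 5
+FINNISH.
+.It 6
+FRENCH.
+.It 7
+FRENCH_BELGIAN.
+.It 8
+FRENCH_SWISS.
+.It 9
+GERMAN.
+.It 10
+GERMAN_MAC.
+.It 11
+GERMAN_SWISS.
+.It 12
+ICELANDIC.
+.It 13
+IRISH.
+.It 14
+ITALIAN.
+.It 15
+NORWEGIAN.
+.It 16
+PORTUGUESE.
+.It 17
+PORTUGUESE_BRAZILIAN.
+.It 18
+SPANISH.
+.It 19
+SPANISH_LATIN_AMERICA.
+.It 20
+SWEDISH.
+.It 21
+TURKISH.
+.It 22
+UNITED_KINGDOM.
+.It 23
+CZECH.
+.It 24
+SERBIAN_LATIN_ONLY.
+.It 25
+HUNGARIAN.
+.El
+.It Xo
+.Cm keytypespeed
+.Ar speed
+.Xc
+.Pp
+Sets type 
+.Ar speed
+: 1 is slowest; 10 is fastest; 4 is default.
+.Sh BUGS
+Sometimes the 
+.Nm
+doesn't recognize that PIN has been entered and the OnlyKey in unlocked
+successfully.
+In such case any command to the OnlyKey fails with an
+error 'OnlyKey is locked, enter PIN to unlock'.
+The workaround for such issue is to just retry one more time.
+.Sh AUTHORS
+This manual page is a
+.Xr mdoc 7
+reimplementation of the OnlyKey PIP module's README.md,
+modified and customized for
+.Fx . The
+.Xr mdoc 7
+implementation of this manual page was initially written by
+.An Dmytro Bilokha Aq dmytro@posteo.net .
+.Sh WWW
+Main OnlyKey product page: https://onlykey.io/
+
+OnlyKey documentation site: https://docs.crp.to/
+
+Source code: https://github.com/trustcrypto/python-onlykey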
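--- a/security/py-onlykey/files/onlykey.conf.sample
+++ b/security/py-onlykey/files/onlykey.conf.sample
@@ -0,0 +1,35 @@
+# OnlyKey Security KEY
+notify 100 {
+        match "system"          "USB";
+        match "subsystem"       "DEVICE";
+        match "type"            "ATTACH";
+        match "vendor"          "0x1d50";
+        match "product"         "0x60fc";
+# Instead of "u2f" below put the users group name who should be able to use OnlyKey
+        action "chgrp u2f /dev/$cdev; chmod g+rw /dev/$cdev";
+};
+
+notify 100 {
+        match "system"          "USB";
+        match "subsystem"       "DEVICE";
+        match "type"            "ATTACH";
+        match "vendor"          "0x16c0";
+        match "product"         "0x0486";
+# Instead of "u2f" below put the users group name who should be able to use OnlyKey
+        action "chgrp u2f /dev/$cdev; chmod g+rw /dev/$cdev";
+};
+
+attach 100 {
+        match "vendor"          "0x1d50";
+        match "product"         "0x60fc";
+# Instead of "u2f" below put the users group name who should be able to use OnlyKey
+        action  "chgrp u2f /dev/$device-name; chmod g+rw /dev/$device-name";
+};
+
+attach 100 {
+        match "vendor"          "0x16c0";
+        match "product"         "0x0486";
+# Instead of "u2f" below put the users group name who should be able to use OnlyKey
+        action  "chgrp u2f /dev/$device-name; chmod g+rw /dev/$device-name";
+};
+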
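Review bot: The second `notify` block and the second `attach` block match vendor `0x16c0` / product `0x0486`, which as far as I know is a shared ID also used by generic Teensy RawHID firmware rather than one unique to OnlyKey. Once the file is enabled, the chosen group therefore gets read/write access to any device presenting that ID. A comment above those two blocks saying so, for example `# 0x16c0:0x0486 is a shared ID; remove this block if other devices using it must stay root-only`, would let the administrator decide. In all four `action` lines `chmod g+rw` only adds group bits and keeps whatever owner and other bits the node already has, so `chmod 0660 /dev/$cdev` (and likewise for `/dev/$device-name`) would state the resulting mode explicitly.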
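--- a/security/py-onlykey/files/pkg-message.in
+++ b/security/py-onlykey/files/pkg-message.in
@@ -0,0 +1,13 @@
+[
+{ type: install
+  message: <<EOM
+To allow some group of non-root users access to the OnlyKey token:
+1. Copy sample devd config file:
+
+$ cp %%PREFIX%%/etc/devd/onlykey.conf.sample %%PREFIX%%/etc/devd/onlykey.conf
+
+2. Open %%PREFIX%%/etc/devd/onlykey.conf in your favourite text editor and 
+set the users group name.
+EOM
+}
+]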
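--- a/security/py-onlykey/pkg-descr
+++ b/security/py-onlykey/pkg-descr
@@ -0,0 +1,4 @@
+Python command line tool for configuring and using OnlyKey USB
+secrets manager.
+
+WWW: https://github.com/trustcrypto/python-onlykey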
