Add support for yubikey-manager

Because yubikey-personalization is not under active development, I add support for yubikey-manager. It works fine on my machine for format, enroll and open.
I did not test NFC because I do not have NFC machine. For hooks, I added ykman and od, it should work.
README should be modified if this commit is approved.

Author: NgoHuy

src/hooks/ykfde

@@ -16,6 +16,7 @@ YKFDE_CHALLENGE=""
 YKFDE_CHALLENGE_PASSWORD_NEEDED=""
 YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP=""
 YKFDE_USE_PLYMOUTH=""
+export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
 
 message() {
   if [ "$YKFDE_USE_PLYMOUTH" ]; then
@@ -192,8 +193,8 @@ ykfde_challenge_response() {
   while [ -z "$_yubikey_detected" ] && [ -z "$_yubikey_nfc_detected" ]; do
     _endtime="$(date +%s)"
     _usedtime=$((_endtime - _starttime))
-    [ "$DBG" ] && message "   (used time:$_usedtime, timeout:$_yubikey_timeout) 'ykinfo -$YKFDE_CHALLENGE_SLOT': "
-    _tmp="$(ykinfo -"$YKFDE_CHALLENGE_SLOT" 2>&1)"
+    [ "$DBG" ] && message "   (used time:$_usedtime, timeout:$_yubikey_timeout) 'ykman otp info': "
+    _tmp="$(ykman otp info | grep -q "$YKFDE_CHALLENGE_SLOT: programmed" 2>&1)"
     _rc=$?
     [ "$DBG" ] && message "[$_rc] '$_tmp'"
     if [ "$_rc" -eq 0 ]; then
@@ -232,9 +233,10 @@ ykfde_challenge_response() {
 
   if [ "$_yubikey_detected" ]; then
     while [ -z "$_ykfde_response" ]; do
-      [ "$DBG" ] && message "   Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..."
+      YKFDE_REAL_CHALLENGE="$(printf '%s' "$YKFDE_CHALLENGE" | od --endian=big -t x1 -An | tr -d ' ,\n')"
+      [ "$DBG" ] && message "   Running: 'ykman otp calculate $YKFDE_CHALLENGE_SLOT $YKFDE_REAL_CHALLENGE'..."
       message "   Remember to touch the device if necessary."
-      _ykfde_response="$(printf %s "$YKFDE_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')"
+      _ykfde_response="$(printf '%s' "$YKFDE_REAL_CHALLENGE" | ykman otp calculate "$YKFDE_CHALLENGE_SLOT" -- | tr -d '\n')"
       [ "$DBG" ] && message "   Received response: '$_ykfde_response'"
     done
   fi

src/install/ykfde

@@ -22,6 +22,25 @@ build() {
     add_all_modules "/crypto/"
   fi
 
+  base_files=$(pacman -Ql python | awk '{print $2}' | /bin/grep -E '.py$|.so$')
+  for file in $base_files
+  do
+    add_file $file
+  done
+
+  python_ver=$(python -V | awk -F'[" ",.]' '{print $2"."$3}')
+  add_full_dir "/usr/lib/python${python_ver}/site-packages/zipp"
+  add_full_dir "/usr/lib/python${python_ver}/site-packages/cryptography"
+  add_full_dir "/usr/lib/python${python_ver}/site-packages/cffi"
+  add_full_dir "/usr/lib/python${python_ver}/site-packages/smartcard"
+  add_full_dir "/usr/lib/python${python_ver}/site-packages/fido2"
+  add_full_dir "/usr/lib/python${python_ver}/site-packages/importlib_metadata"
+  add_full_dir "/usr/lib/python${python_ver}/site-packages/ykman"
+  add_full_dir "/usr/lib/python${python_ver}/site-packages/yubikit"
+  add_full_dir "/usr/lib/python${python_ver}/site-packages/click"
+  add_full_dir "/usr/lib/python${python_ver}/site-packages/keyring"
+  add_binary "/usr/lib/python${python_ver}/site-packages/_cffi_backend.cpython-311-x86_64-linux-gnu.so"
+  
   add_binary "cryptsetup"
   add_binary "dmsetup"
   add_file "/usr/lib/udev/rules.d/10-dm.rules"
@@ -31,10 +50,12 @@ build() {
 
   # cryptsetup calls pthread_create(), which dlopen()s libgcc_s.so.1
   add_binary "/usr/lib/libgcc_s.so.1"
-
+  add_binary "/usr/lib/libssl.so.3"
+  add_binary "/usr/lib/libpcsclite.so.1"
+  add_binary "python"
+  add_binary "ykman"
+  add_binary "od"
   add_binary "tr"
-  add_binary "ykchalresp"
-  add_binary "ykinfo"
   add_binary "date"
   add_binary "sleep"
   add_binary "printf"

src/ykfde-enroll

@@ -84,10 +84,10 @@ while getopts ":d:s:ckovh" opt; do
   esac
 done
 
-YKFDE_SLOT_CHECK="$(ykinfo -q -"$YKFDE_CHALLENGE_SLOT")"
-[ "$DBG" ] && printf '%s\n' " > YubiKey slot status 'ykinfo -q -$YKFDE_CHALLENGE_SLOT': $YKFDE_SLOT_CHECK"
+YKFDE_SLOT_CHECK="$(ykman otp info | grep "$YKFDE_CHALLENGE_SLOT" | awk '{print $3}')"
+[ "$DBG" ] && printf '%s\n' " > YubiKey slot status 'ykman otp info': slot $YKFDE_CHALLENGE_SLOT: $YKFDE_SLOT_CHECK"
 
-if [ "$YKFDE_SLOT_CHECK" != 1 ]; then
+if [ "$YKFDE_SLOT_CHECK" != "programmed" ]; then
   printf '%s\n' "ERROR: Chosen YubiKey slot '$YKFDE_CHALLENGE_SLOT' isn't configured. Please choose slot configured for 'HMAC-SHA1 Challenge-Response' mode in '/etc/ykfde.conf'"
   exit 1
 fi
@@ -144,9 +144,10 @@ if [ -z "$YKFDE_CHALLENGE" ]; then
 fi
 
 while [ -z "$YKFDE_RESPONSE" ]; do
-  [ "$DBG" ] && printf '%s\n' "   Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..."
+  YKFDE_REAL_CHALLENGE="$(printf '%s' "$YKFDE_CHALLENGE" | od --endian=big -t x1 -An | tr -d ' ,\n')"
+  [ "$DBG" ] && printf '%s\n' "   Running: 'ykman otp calculate $YKFDE_CHALLENGE_SLOT $YKFDE_REAL_CHALLENGE'..."
   echo "   Remember to touch the device if necessary."
-  YKFDE_RESPONSE="$(printf %s "$YKFDE_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')" || true
+  YKFDE_RESPONSE="$(printf '%s' "$YKFDE_REAL_CHALLENGE" | ykman otp calculate "$YKFDE_CHALLENGE_SLOT" -- | tr -d '\n')" || true
   [ "$DBG" ] && printf '%s\n' "   Received response: '$YKFDE_RESPONSE'"
 done
 
@@ -190,9 +191,10 @@ if [ "$YKFDE_OLD_YUBIKEY" ]; then
   fi
 
   while [ -z "$YKFDE_OLD_RESPONSE" ]; do
-    [ "$DBG" ] && printf '%s\n' "   Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_OLD_CHALLENGE'..."
+    YKFDE_REAL_OLD_CHALLENGE=$(printf '%s' "$YKFDE_OLD_CHALLENGE" | od --endian=big -t x1 -An | tr -d ' ,\n')
+    [ "$DBG" ] && printf '%s\n' "   Running: 'ykman otp calculate $YKFDE_CHALLENGE_SLOT $YKFDE_REAL_OLD_CHALLENGE'..."
     echo "   Remember to touch the old device if necessary."
-    YKFDE_OLD_RESPONSE="$(printf %s "$YKFDE_OLD_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')" || true
+    YKFDE_OLD_RESPONSE="$(printf '%s' "$YKFDE_REAL_OLD_CHALLENGE" | ykman otp calculate "$YKFDE_CHALLENGE_SLOT" -- | tr -d '\n')" || true
     [ "$DBG" ] && printf '%s\n' "   Received response: '$YKFDE_OLD_RESPONSE'"
   done
 

src/ykfde-format

@@ -19,10 +19,10 @@ else
   echo "WARNING: Can't access /etc/ykfde.conf. Falling back to defaults."
 fi
 
-YKFDE_SLOT_CHECK="$(ykinfo -q -"$YKFDE_CHALLENGE_SLOT")"
-[ "${DBG:-}" ] && printf '%s\n' " > YubiKey slot status 'ykinfo -q -$YKFDE_CHALLENGE_SLOT': $YKFDE_SLOT_CHECK"
+YKFDE_SLOT_CHECK="$(ykman otp info | grep "$YKFDE_CHALLENGE_SLOT" | awk '{print $3}')"
+[ "${DBG:-}" ] && printf '%s\n' " > YubiKey slot status 'ykman otp info': slot $YKFDE_CHALLENGE_SLOT: $YKFDE_SLOT_CHECK"
 
-if [ "$YKFDE_SLOT_CHECK" != 1 ]; then
+if [ "$YKFDE_SLOT_CHECK" != "programmed" ]; then
   printf '%s\n' "ERROR: Chosen YubiKey slot '$YKFDE_CHALLENGE_SLOT' isn't configured. Please choose slot configured for 'HMAC-SHA1 Challenge-Response' mode in '/etc/ykfde.conf'"
   exit 1
 fi
@@ -54,9 +54,10 @@ if [ -z "$YKFDE_CHALLENGE" ]; then
 fi
 
 while [ -z "$YKFDE_RESPONSE" ]; do
-  [ "${DBG:-}" ] && printf '%s\n' "   Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..."
+  YKFDE_REAL_CHALLENGE="$(printf '%s' "$YKFDE_CHALLENGE" | od --endian=big -t x1 -An | tr -d ' ,\n')"
+  [ "${DBG:-}" ] && printf '%s\n' "   Running: 'ykman otp calculate $YKFDE_CHALLENGE_SLOT $YKFDE_REAL_CHALLENGE'..."
   echo "   Remember to touch the device if necessary."
-  YKFDE_RESPONSE="$(printf %s "$YKFDE_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')" || true
+  YKFDE_RESPONSE="$(printf '%s' "$YKFDE_REAL_CHALLENGE" | ykman otp calculate "$YKFDE_CHALLENGE_SLOT" -- | tr -d '\n')" || true
   [ "${DBG:-}" ] && printf '%s\n' "   Received response: '$YKFDE_RESPONSE'"
 done
 

src/ykfde-open

@@ -93,10 +93,10 @@ done
 
 shift "$((OPTIND - 1))"
 
-YKFDE_SLOT_CHECK="$(ykinfo -q -"$YKFDE_CHALLENGE_SLOT")"
-[ "$DBG" ] && printf '%s\n' " > YubiKey slot status 'ykinfo -q -$YKFDE_CHALLENGE_SLOT': $YKFDE_SLOT_CHECK"
+YKFDE_SLOT_CHECK="$(ykman otp info | grep "$YKFDE_CHALLENGE_SLOT" | awk '{print $3}')"
+[ "$DBG" ] && printf '%s\n' " > YubiKey slot status 'ykman otp info': slot $YKFDE_CHALLENGE_SLOT: $YKFDE_SLOT_CHECK"
 
-if [ "$YKFDE_SLOT_CHECK" != 1 ]; then
+if [ "$YKFDE_SLOT_CHECK" != "programmed" ]; then
   printf '%s\n' "ERROR: Chosen YubiKey slot '$YKFDE_CHALLENGE_SLOT' isn't configured. Please choose slot configured for 'HMAC-SHA1 Challenge-Response' mode in '/etc/ykfde.conf'"
   exit 1
 fi
@@ -140,9 +140,10 @@ while [ -z "$YKFDE_CHALLENGE" ]; do
 done
 
 while [ -z "$YKFDE_RESPONSE" ]; do
-  [ "$DBG" ] && printf '%s\n' "   Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..."
+  YKFDE_REAL_CHALLENGE="$(printf '%s' "$YKFDE_CHALLENGE" | od --endian=big -t x1 -An | tr -d ' ,\n')"
+  [ "$DBG" ] && printf '%s\n' "   Running: 'ykman otp calculate $YKFDE_CHALLENGE_SLOT $YKFDE_REAL_CHALLENGE'..."
   echo "   Remember to touch the device if necessary."
-  YKFDE_RESPONSE="$(printf %s "$YKFDE_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')" || true
+  YKFDE_RESPONSE="$(printf '%s' "$YKFDE_REAL_CHALLENGE" | ykman otp calculate "$YKFDE_CHALLENGE_SLOT" -- | tr -d '\n')" || true
   [ "$DBG" ] && printf '%s\n' "   Received response: '$YKFDE_RESPONSE'"
 done
 

testrun.sh

@@ -37,24 +37,41 @@ truncate -s 20M "$YKFDE_TMPFILE"
 
 cleanup() {
   rm -f "$YKFDE_TMPFILE"
+  rm -rf initramfs
 }
 trap cleanup EXIT
 
 echo "INFO: Testing 'ykfde-format' script."
-DBG=1 ykfde-format "$YKFDE_TMPFILE"
+DBG=1 bash "$(pwd)/src/ykfde-format" "$YKFDE_TMPFILE"
 echo "Test 'ykfde-format' script successfully passed."
 
 echo "INFO: Testing 'ykfde-enroll' script."
 printf '%s\n' "test" | cryptsetup luksFormat "$YKFDE_TMPFILE"
 echo "INFO: Old LUKS passphrase is 'test'."
-ykfde-enroll -d "$YKFDE_TMPFILE" -s 7 -v
+bash "$(pwd)/src/ykfde-enroll" -d "$YKFDE_TMPFILE" -s 7 -v
 echo "Test 'ykfde-enroll' script successfully passed."
 
 echo "INFO: Testing 'ykfde-open' script."
-ykfde-open -d "$YKFDE_TMPFILE" -n ykfde-test -v
+bash "$(pwd)/src/ykfde-open" -d "$YKFDE_TMPFILE" -n ykfde-test -v
 cryptsetup close ykfde-test
 echo "Test 'ykfde-open' script successfully passed."
 
-echo "All tests successfully passed."
-
+echo "INFO: Testing initramfs..."
+mkdir -p "$(pwd)/initramfs"
+mkinitcpio -d "$(pwd)/initramfs"
+status=1
+status=$(chroot "$(pwd)/initramfs" /bin/sh -c "export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1; ykman otp info; exit 0" 2>&1 | awk '
+  { 
+    if ($0 ~ /No YubiKey detected/) {
+    print "0";
+    exit 0;
+    }
+  }' 
+)
+if [[ "$status" == 0 ]]
+then
+  echo "All tests successfully passed."
+else
+  echo "The image didnot pass the test, please file a bug report to: https://github.com/agherzan/yubikey-full-disk-encryption/issues"
+fi
 exit 0