feat: v1.5.7, update piv

2023-05-14 23:26:13 +08:00
parent 0af2940cd0
commit 0ad8c12c38
8 changed files with 88 additions and 32 deletions
--- a/src/cmd_pivecsign.rs
+++ b/src/cmd_pivecsign.rs
@@ -1,13 +1,14 @@
 use std::collections::BTreeMap;
-use std::str::FromStr;

 use clap::{App, Arg, ArgMatches, SubCommand};
 use rust_util::util_clap::{Command, CommandError};
 use rust_util::util_msg;
 use x509_parser::nom::AsBytes;
+use yubikey::piv::{AlgorithmId, ManagementAlgorithmId, metadata, sign_data};
 use yubikey::YubiKey;
-use yubikey::piv::{AlgorithmId, RetiredSlotId, sign_data, SlotId};
+
 use crate::digest::sha256;
+use crate::pivutil;

 pub struct CommandImpl;

@@ -15,10 +16,11 @@ impl Command for CommandImpl {
    fn name(&self) -> &str { "piv-ecsign" }

    fn subcommand<'a>(&self) -> App<'a, 'a> {
-        SubCommand::with_name(self.name()).about("PIV EC Sign subcommand")
+        SubCommand::with_name(self.name()).about("PIV EC Sign(with SHA256) subcommand")
            .arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).help("PIV card user pin"))
-            .arg(Arg::with_name("slot").short("s").long("slot").takes_value(true).help("PIV slot, e.g. 82, 83 ..."))
+            .arg(Arg::with_name("slot").short("s").long("slot").takes_value(true).help("PIV slot, e.g. 82, 83 ... 95, 9a, 9c, 9d, 9e"))
            .arg(Arg::with_name("hash-hex").short("x").long("hash-hex").takes_value(true).help("Hash"))
+            .arg(Arg::with_name("algorithm").short("a").long("algorithm").takes_value(true).help("Algorithm, p256 or p384"))
            .arg(Arg::with_name("input").short("i").long("input").takes_value(true).help("Input"))
            .arg(Arg::with_name("json").long("json").help("JSON output"))
    }
@@ -31,33 +33,54 @@ impl Command for CommandImpl {

        let pin_opt = sub_arg_matches.value_of("pin");

-        let slot = opt_value_result!(sub_arg_matches.value_of("slot"), "--slot must assigned, e.g. 82, 83 ...");
+        let slot = opt_value_result!(sub_arg_matches.value_of("slot"), "--slot must assigned, e.g. 82, 83 ... 95, 9a, 9c, 9d, 9e");
        let hash_hex = if let Some(input) = sub_arg_matches.value_of("input") {
            hex::encode(sha256(input))
        } else {
            opt_value_result!(sub_arg_matches.value_of("hash-hex"), "--hash-hex must assigned").to_string()
        };
+        let (algorithm, algorithm_str) = match sub_arg_matches.value_of("algorithm") {
+            None | Some("p256") => (AlgorithmId::EccP256, "ecdsa_p256_with_sha256"),
+            Some("p384") => (AlgorithmId::EccP384, "ecdsa_p384_with_sha256"),
+            Some(unknown_algorithm) => return simple_error!("Unknown algorithm {}, e.g. p256 or p384", unknown_algorithm),
+        };

        let mut yk = opt_result!(YubiKey::open(), "YubiKey not found: {}");
-        let retired_slot_id = opt_result!(RetiredSlotId::from_str(slot), "Slot not found: {}");
-        debugging!("Slot id: {}", retired_slot_id);
-        let slot_id = SlotId::Retired(retired_slot_id);
+        let slot_id = pivutil::get_slot_id(slot)?;

        if let Some(pin) = pin_opt {
            opt_result!(yk.verify_pin(pin.as_bytes()), "YubiKey verify pin failed: {}");
        }

-        let hash_bytes = opt_result!(hex::decode(&hash_hex), "Parse epk failed: {}");
+        let hash_bytes = opt_result!(hex::decode(&hash_hex), "Parse hash in hex failed: {}");

-        let signed_data = opt_result!(sign_data(&mut yk, &hash_bytes, AlgorithmId::EccP256, slot_id), "Sign piv failed: {}");
+        if let Ok(slot_metadata) = metadata(&mut yk, slot_id) {
+            match slot_metadata.algorithm {
+                ManagementAlgorithmId::PinPuk | ManagementAlgorithmId::ThreeDes => {
+                    return simple_error!("Slot not supports PIV sign: {:?}", slot_metadata.algorithm);
+                }
+                ManagementAlgorithmId::Asymmetric(slot_algorithm) => {
+                    if AlgorithmId::Rsa1024 == slot_algorithm || AlgorithmId::Rsa2048 == algorithm {
+                        return simple_error!("Slot supports PIV RSA sign: {:?}, but requires ECDSA", slot_metadata.algorithm);
+                    }
+                    if slot_algorithm != algorithm {
+                        return simple_error!("Slot supported PIV sign not match: {:?}", slot_metadata.algorithm);
+                    }
+                }
+            }
+        }
+
+        let signed_data = opt_result!(sign_data(&mut yk, &hash_bytes, algorithm, slot_id), "Sign PIV failed: {}");

        if json_output {
-            json.insert("slot", slot.to_string());
+            json.insert("slot", slot_id.to_string());
+            json.insert("algorithm", algorithm_str.to_string());
            json.insert("hash_hex", hex::encode(&hash_bytes));
            json.insert("signed_data_hex", hex::encode(&signed_data.as_bytes()));
            json.insert("signed_data_base64", base64::encode(&signed_data.as_bytes()));
        } else {
-            information!("Slot: {}", slot);
+            information!("Slot: {:?}", slot_id);
+            information!("Algorithm: {}", algorithm_str);
            information!("Hash hex: {}", hex::encode(&hash_bytes));
            information!("Signed data base64: {}", base64::encode(&signed_data.as_bytes()));
            information!("Signed data hex: {}", hex::encode(&signed_data.as_bytes()));