feat: v1.13.1

src/cmd_external_public_key.rs

@@ -55,8 +55,9 @@ fn fetch_public_key(parameter: &str, serial_opt: &Option<&str>) -> XResult<Vec<u
             if key.usage != KeyUsage::Singing {
                 simple_error!("Not singing key")
             } else {
+                let private_key = cmd_hmac_decrypt::try_decrypt(&key.private_key)?;
                 let (_, public_key_der, _) =
-                    seutil::recover_secure_enclave_p256_public_key(&key.private_key, true)?;
+                    seutil::recover_secure_enclave_p256_public_key(&private_key, true)?;
                 Ok(public_key_der)
             }
         }

src/cmd_external_sign.rs

@@ -65,7 +65,8 @@ pub fn sign(alg: &str, message: &[u8], key_uri: KeyUri, sub_arg_matches: &ArgMat
             if key.usage != KeyUsage::Singing {
                 return simple_error!("Not singing key");
             }
-            seutil::secure_enclave_p256_sign(&key.private_key, message)
+            let private_key = cmd_hmac_decrypt::try_decrypt(&key.private_key)?;
+            seutil::secure_enclave_p256_sign(&private_key, message)
         }
         KeyUri::YubikeyPivKey(key) => {
             let mut yk = yubikeyutil::open_yubikey_with_args(sub_arg_matches)?;

src/cmd_se_ecdh.rs

@@ -35,7 +35,6 @@ impl Command for CommandImpl {
         let key = sub_arg_matches.value_of("key").unwrap();
         let epk = sub_arg_matches.value_of("epk").unwrap();
 
-        let key = cmd_hmac_decrypt::try_decrypt(key)?;
         let key_uri = parse_key_uri(&key)?;
         let se_key_uri = key_uri.as_secure_enclave_key()?;
         debugging!("Secure enclave key URI: {:?}", se_key_uri);
@@ -59,8 +58,9 @@ impl Command for CommandImpl {
             opt_result!(hex::decode(epk), "Decode public key from hex failed: {}")
         };
 
+        let private_key = cmd_hmac_decrypt::try_decrypt(&se_key_uri.private_key)?;
         let dh = seutil::secure_enclave_p256_dh(
-            &se_key_uri.private_key,
+            &private_key,
             &ephemeral_public_key_der_bytes,
         )?;
         let dh_hex = hex::encode(&dh);

src/cmd_se_ecsign.rs

@@ -45,12 +45,12 @@ impl Command for CommandImpl {
             Some(input) => input.as_bytes().to_vec(),
         };
 
-        let key = cmd_hmac_decrypt::try_decrypt(key)?;
         let key_uri = parse_key_uri(&key)?;
         let se_key_uri = key_uri.as_secure_enclave_key()?;
         debugging!("Secure enclave key URI: {:?}", se_key_uri);
 
-        let signature = seutil::secure_enclave_p256_sign(&se_key_uri.private_key, &input_bytes)?;
+        let private_key = cmd_hmac_decrypt::try_decrypt(&se_key_uri.private_key)?;
+        let signature = seutil::secure_enclave_p256_sign(&private_key, &input_bytes)?;
 
         if json_output {
             let mut json = BTreeMap::<&'_ str, String>::new();

src/cmd_se_generate.rs

@@ -60,6 +60,8 @@ impl Command for CommandImpl {
 
         let (public_key_point, public_key_der, private_key) =
             seutil::generate_secure_enclave_p256_keypair(sign, require_bio)?;
+
+        let private_key = cmd_hmac_encrypt::do_encrypt(&private_key, &mut None, sub_arg_matches)?;
         let key_uri = format!(
             "key://{}:se/p256:{}:{}",
             host,
@@ -67,8 +69,6 @@ impl Command for CommandImpl {
             private_key,
         );
 
-        let key_uri = cmd_hmac_encrypt::do_encrypt(&key_uri, &mut None, sub_arg_matches)?;
-
         print_se_key(json_output, &public_key_point, &public_key_der, &key_uri);
         Ok(None)
     }