diff --git a/Cargo.lock b/Cargo.lock index 5e8d6c2..3ab108d 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -487,7 +487,7 @@ dependencies = [ [[package]] name = "card-cli" -version = "1.10.1" +version = "1.10.2" dependencies = [ "authenticator 0.3.1", "base64 0.21.7", diff --git a/Cargo.toml b/Cargo.toml index 5851f94..46369d9 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "card-cli" -version = "1.10.1" +version = "1.10.2" authors = ["Hatter Jiang "] edition = "2018" diff --git a/README.md b/README.md index 126d035..561b449 100644 --- a/README.md +++ b/README.md @@ -173,6 +173,19 @@ $ card-cli pgp-age-address [OK ] Age address: age10l464vxcpnkjguctvylnmp5jg4swhncn4quda0qxta3ud8pycc0qeaj2te ``` +# sign-jwt + +Sign a JWT: +```shell +card-cli sign-jwt -s r3 \ + -C iss:****** \ + -C sub:****** \ + -C aud:client_gard****** \ + -K KEY=ID \ + --jti \ + --validity 10m --json +``` + # SSH CA ## Generate SSH root CA @@ -196,6 +209,11 @@ ssh-keygen -f id_user card-cli ssh-piv-cert --pub id_user.pub -s r15 ``` +Show SSH CA cert details: +```shell +ssh-keygen -L -f id_user-cert.pub +``` + SSH to server: ```shell ssh -i id_user root@example.com diff --git a/src/cmd_sshpivcert.rs b/src/cmd_sshpivcert.rs index 12dc170..a4e67da 100644 --- a/src/cmd_sshpivcert.rs +++ b/src/cmd_sshpivcert.rs @@ -2,7 +2,7 @@ use clap::{App, Arg, ArgMatches, SubCommand}; use ecdsa::elliptic_curve::pkcs8::der::Encode; use rand::random; use rust_util::util_clap::{Command, CommandError}; -use rust_util::XResult; +use rust_util::{util_time, XResult}; use sshcerts::ssh::{CurveKind, PublicKeyKind, SSHCertificateSigner}; use sshcerts::utils::format_signature_for_ssh; use sshcerts::x509::extract_ssh_pubkey_from_x509_certificate; @@ -29,10 +29,13 @@ impl Command for CommandImpl { SubCommand::with_name(self.name()).about("SSH PIV sign cert subcommand") .arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).help("PIV card user PIN")) .arg(Arg::with_name("slot").short("s").long("slot").takes_value(true).help("PIV slot, e.g. 82, 83 ... 95, 9a, 9c, 9d, 9e")) - .arg(Arg::with_name("key-id").short("k").long("key-id").takes_value(true).help("SSH user CA key id")) + .arg(Arg::with_name("key-id").short("k").long("key-id").takes_value(true).default_value("default_key_id").help("SSH user CA key id")) .arg(Arg::with_name("principal").short("P").long("principal").takes_value(true).default_value("root").multiple(true).help("SSH user CA principal")) - .arg(Arg::with_name("pub").long("pub").required(true).takes_value(true).help("SSH public key file")) - .arg(Arg::with_name("validity").long("validity").takes_value(true).default_value("3600").help("Validity in seconds")) + .arg(Arg::with_name("pub").short("f").long("pub").alias("pub-file").required(true).takes_value(true).help("SSH public key file")) + .arg(Arg::with_name("out").short("o").long("out").takes_value(true).help("CA out key file")) + .arg(Arg::with_name("type").short("t").long("type").takes_value(true).default_value("user").help("CA type (user or host)")) + .arg(Arg::with_name("validity").long("validity").takes_value(true).default_value("1h").help("CA validity period e.g. 10m means 10 minutes (s - second, m - minute, h - hour, d - day)")) + .arg(Arg::with_name("force").long("force").help("Force write SSH CA file")) } fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError { @@ -44,12 +47,48 @@ impl Command for CommandImpl { let mut yk = opt_result!(YubiKey::open(), "YubiKey not found: {}"); let slot_id = pivutil::get_slot_id(slot)?; + let serial: u64 = random(); + let key_id = sub_arg_matches.value_of("key-id").unwrap(); + let principals = sub_arg_matches.values_of("principal") + .map(|ps| ps.map(|p| p.to_string()).collect::>()) + .unwrap_or_else(|| vec!["root".to_string()]); + + let ca_type = sub_arg_matches.value_of("type").unwrap(); + let cert_type = match ca_type.to_lowercase().as_str() { + "user" => CertType::User, + "host" => CertType::Host, + _ => return simple_error!("Invalid CA type: {}",ca_type), + }; + + let now_secs = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap().as_secs(); + let validity = sub_arg_matches.value_of("validity").unwrap(); + let validity_u64 = util_time::parse_duration(validity).map(|t| t.as_secs()).unwrap(); + + let output = sub_arg_matches.value_of("out"); + let ssh_cert_file = match output { + None if ssh_pub_file.ends_with(".pub") => { + Some(format!("{}-cert.pub", String::from_utf8(ssh_pub_file.as_bytes()[0..ssh_pub_file.len() - 4].to_vec()).unwrap())) + } + None => None, + Some("-") => None, + Some(output) => Some(output.to_string()), + }; + if let Some(ssh_cert_file) = &ssh_cert_file { + let force_write = sub_arg_matches.is_present("force"); + if fs::metadata(ssh_cert_file).is_ok() && !force_write { + return simple_error!("Target file: {} exists", & ssh_cert_file); + } + } + + information!("Serial: {}", serial); + information!("Key ID: {}", key_id); + information!("Principals: {:?}", principals); + information!("Validity: {} seconds", validity_u64); + let pin_opt = sub_arg_matches.value_of("pin"); let pin_opt = pinutil::get_pin(pin_opt); - let pin_opt = pin_opt.as_deref(); let cert_der = find_cert(&mut yk, slot_id)?; - let ca_ssh_pub_key = opt_result!(extract_ssh_pubkey_from_x509_certificate(&cert_der), "Extract SSH public key failed: {}"); debugging!("SSH CA: {}", ca_ssh_pub_key); debugging!("SSH CA fingerprint: {}", ca_ssh_pub_key.fingerprint()); @@ -57,29 +96,14 @@ impl Command for CommandImpl { let ca_ssh_pub_algorithm_id = get_ssh_key_type(&ca_ssh_pub_key)?; let ssh_yubikey_signer = SshYubikeySinger::new( yk, - pin_opt.map(ToString::to_string), + pin_opt, slot_id, ca_ssh_pub_key.clone(), ca_ssh_pub_algorithm_id, ); - let serial: u64 = random(); - let key_id = sub_arg_matches.value_of("key-id").unwrap_or("default_key_id"); - let principals = sub_arg_matches.values_of("principal") - .map(|ps| ps.map(|p| p.to_string()).collect::>()) - .unwrap_or_else(|| vec!["root".to_string()]); - - let now_secs = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap().as_secs(); - let validity = sub_arg_matches.value_of("validity").unwrap_or("3600"); - let validity_u64: u64 = opt_result!(validity.parse(), "Parse validity failed: {}"); - - information!("Serial: {}", serial); - information!("Key ID: {}", key_id); - information!("Principals: {:?}", principals); - information!("Validity: {} seconds", validity_u64); - let tobe_signed_ssh_pub_key = opt_result!(PublicKey::from_string(&ssh_pub_str), "Parse tobe signed SSH public key failed: {}"); - let user_cert_result = Certificate::builder(&tobe_signed_ssh_pub_key, CertType::User, &ca_ssh_pub_key) + let user_cert_result = Certificate::builder(&tobe_signed_ssh_pub_key, cert_type, &ca_ssh_pub_key) .unwrap() .serial(serial) .key_id(key_id) @@ -93,14 +117,11 @@ impl Command for CommandImpl { // ssh-keygen -L -f *-cert.pub let user_cert = opt_result!(user_cert_result, "Sign SSH user CA failed: {}"); - if ssh_pub_file.ends_with(".pub") { - let ssh_cert_file = format!("{}-cert.pub", String::from_utf8(ssh_pub_file.as_bytes()[0..ssh_pub_file.len() - 4].to_vec()).unwrap()); - if fs::metadata(&ssh_cert_file).is_ok() { - return simple_error!("Target file: {} exists", &ssh_cert_file); + match ssh_cert_file { + None => println!("{}", user_cert), + Some(ssh_cert_file) => { + opt_result!(fs::write( & ssh_cert_file, user_cert.to_string()), "Write file: {} failed: {}", &ssh_cert_file); } - opt_result!(fs::write(&ssh_cert_file, user_cert.to_string()), "Write file: {} failed: {}", &ssh_cert_file); - } else { - println!("{}", user_cert); } Ok(None)