feat: v1.10.2, improve ssh-piv-cert

src/cmd_sshpivcert.rs

@@ -2,7 +2,7 @@ use clap::{App, Arg, ArgMatches, SubCommand};
 use ecdsa::elliptic_curve::pkcs8::der::Encode;
 use rand::random;
 use rust_util::util_clap::{Command, CommandError};
-use rust_util::XResult;
+use rust_util::{util_time, XResult};
 use sshcerts::ssh::{CurveKind, PublicKeyKind, SSHCertificateSigner};
 use sshcerts::utils::format_signature_for_ssh;
 use sshcerts::x509::extract_ssh_pubkey_from_x509_certificate;
@@ -29,10 +29,13 @@ impl Command for CommandImpl {
         SubCommand::with_name(self.name()).about("SSH PIV sign cert subcommand")
             .arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).help("PIV card user PIN"))
             .arg(Arg::with_name("slot").short("s").long("slot").takes_value(true).help("PIV slot, e.g. 82, 83 ... 95, 9a, 9c, 9d, 9e"))
-            .arg(Arg::with_name("key-id").short("k").long("key-id").takes_value(true).help("SSH user CA key id"))
+            .arg(Arg::with_name("key-id").short("k").long("key-id").takes_value(true).default_value("default_key_id").help("SSH user CA key id"))
             .arg(Arg::with_name("principal").short("P").long("principal").takes_value(true).default_value("root").multiple(true).help("SSH user CA principal"))
-            .arg(Arg::with_name("pub").long("pub").required(true).takes_value(true).help("SSH public key file"))
-            .arg(Arg::with_name("validity").long("validity").takes_value(true).default_value("3600").help("Validity in seconds"))
+            .arg(Arg::with_name("pub").short("f").long("pub").alias("pub-file").required(true).takes_value(true).help("SSH public key file"))
+            .arg(Arg::with_name("out").short("o").long("out").takes_value(true).help("CA out key file"))
+            .arg(Arg::with_name("type").short("t").long("type").takes_value(true).default_value("user").help("CA type (user or host)"))
+            .arg(Arg::with_name("validity").long("validity").takes_value(true).default_value("1h").help("CA validity period e.g. 10m means 10 minutes (s - second, m - minute, h - hour, d - day)"))
+            .arg(Arg::with_name("force").long("force").help("Force write SSH CA file"))
     }
 
     fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError {
@@ -44,12 +47,48 @@ impl Command for CommandImpl {
         let mut yk = opt_result!(YubiKey::open(), "YubiKey not found: {}");
         let slot_id = pivutil::get_slot_id(slot)?;
 
+        let serial: u64 = random();
+        let key_id = sub_arg_matches.value_of("key-id").unwrap();
+        let principals = sub_arg_matches.values_of("principal")
+            .map(|ps| ps.map(|p| p.to_string()).collect::<Vec<_>>())
+            .unwrap_or_else(|| vec!["root".to_string()]);
+
+        let ca_type = sub_arg_matches.value_of("type").unwrap();
+        let cert_type = match ca_type.to_lowercase().as_str() {
+            "user" => CertType::User,
+            "host" => CertType::Host,
+            _ => return simple_error!("Invalid CA type: {}",ca_type),
+        };
+
+        let now_secs = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap().as_secs();
+        let validity = sub_arg_matches.value_of("validity").unwrap();
+        let validity_u64 = util_time::parse_duration(validity).map(|t| t.as_secs()).unwrap();
+
+        let output = sub_arg_matches.value_of("out");
+        let ssh_cert_file = match output {
+            None  if ssh_pub_file.ends_with(".pub") => {
+                Some(format!("{}-cert.pub", String::from_utf8(ssh_pub_file.as_bytes()[0..ssh_pub_file.len() - 4].to_vec()).unwrap()))
+            }
+            None => None,
+            Some("-") => None,
+            Some(output) => Some(output.to_string()),
+        };
+        if let Some(ssh_cert_file) = &ssh_cert_file {
+            let force_write = sub_arg_matches.is_present("force");
+            if fs::metadata(ssh_cert_file).is_ok() && !force_write {
+                return simple_error!("Target file: {} exists", & ssh_cert_file);
+            }
+        }
+
+        information!("Serial: {}", serial);
+        information!("Key ID: {}", key_id);
+        information!("Principals: {:?}", principals);
+        information!("Validity: {} seconds", validity_u64);
+
         let pin_opt = sub_arg_matches.value_of("pin");
         let pin_opt = pinutil::get_pin(pin_opt);
-        let pin_opt = pin_opt.as_deref();
 
         let cert_der = find_cert(&mut yk, slot_id)?;
-
         let ca_ssh_pub_key = opt_result!(extract_ssh_pubkey_from_x509_certificate(&cert_der), "Extract SSH public key failed: {}");
         debugging!("SSH CA: {}", ca_ssh_pub_key);
         debugging!("SSH CA fingerprint: {}", ca_ssh_pub_key.fingerprint());
@@ -57,29 +96,14 @@ impl Command for CommandImpl {
         let ca_ssh_pub_algorithm_id = get_ssh_key_type(&ca_ssh_pub_key)?;
         let ssh_yubikey_signer = SshYubikeySinger::new(
             yk,
-            pin_opt.map(ToString::to_string),
+            pin_opt,
             slot_id,
             ca_ssh_pub_key.clone(),
             ca_ssh_pub_algorithm_id,
         );
 
-        let serial: u64 = random();
-        let key_id = sub_arg_matches.value_of("key-id").unwrap_or("default_key_id");
-        let principals = sub_arg_matches.values_of("principal")
-            .map(|ps| ps.map(|p| p.to_string()).collect::<Vec<_>>())
-            .unwrap_or_else(|| vec!["root".to_string()]);
-
-        let now_secs = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap().as_secs();
-        let validity = sub_arg_matches.value_of("validity").unwrap_or("3600");
-        let validity_u64: u64 = opt_result!(validity.parse(), "Parse validity failed: {}");
-
-        information!("Serial: {}", serial);
-        information!("Key ID: {}", key_id);
-        information!("Principals: {:?}", principals);
-        information!("Validity: {} seconds", validity_u64);
-
         let tobe_signed_ssh_pub_key = opt_result!(PublicKey::from_string(&ssh_pub_str), "Parse tobe signed SSH public key failed: {}");
-        let user_cert_result = Certificate::builder(&tobe_signed_ssh_pub_key, CertType::User, &ca_ssh_pub_key)
+        let user_cert_result = Certificate::builder(&tobe_signed_ssh_pub_key, cert_type, &ca_ssh_pub_key)
             .unwrap()
             .serial(serial)
             .key_id(key_id)
@@ -93,14 +117,11 @@ impl Command for CommandImpl {
         // ssh-keygen -L -f *-cert.pub
         let user_cert = opt_result!(user_cert_result, "Sign SSH user CA failed: {}");
 
-        if ssh_pub_file.ends_with(".pub") {
-            let ssh_cert_file = format!("{}-cert.pub", String::from_utf8(ssh_pub_file.as_bytes()[0..ssh_pub_file.len() - 4].to_vec()).unwrap());
-            if fs::metadata(&ssh_cert_file).is_ok() {
-                return simple_error!("Target file: {} exists", &ssh_cert_file);
+        match ssh_cert_file {
+            None => println!("{}", user_cert),
+            Some(ssh_cert_file) => {
+                opt_result!(fs::write( & ssh_cert_file, user_cert.to_string()), "Write file: {} failed: {}", &ssh_cert_file);
             }
-            opt_result!(fs::write(&ssh_cert_file, user_cert.to_string()), "Write file: {} failed: {}", &ssh_cert_file);
-        } else {
-            println!("{}", user_cert);
         }
 
         Ok(None)