hatter/card-cli
1
1
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

feat: 1.9.7, add pinentry support

Browse Source
This commit is contained in:
Hatter Jiang
2024-06-30 23:34:53 +08:00
parent 6e32dc341c
commit 14585af7c6
16 changed files with 170 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/cmd_pgpcardadmin.rs
View File

@@ -2,7 +2,7 @@ use clap::{App, Arg, ArgMatches, SubCommand};
use openpgp_card::card_do::{Lang, Sex};
use rust_util::util_clap::{Command, CommandError};
use crate::pgpcardutil;
use crate::{pgpcardutil, pinutil};
pub struct CommandImpl;
@@ -11,7 +11,7 @@ impl Command for CommandImpl {
fn subcommand<'a>(&self) -> App<'a, 'a> {
SubCommand::with_name(self.name()).about("OpenPGP Card admin subcommand")
.arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).default_value("12345678").help("OpenPGP card admin pin"))
.arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).help("OpenPGP card admin pin"))
.arg(Arg::with_name("pass").long("pass").takes_value(true).help("[deprecated] now OpenPGP card admin pin"))
.arg(Arg::with_name("name").short("n").long("name").takes_value(true).required(false).help("Set name"))
.arg(Arg::with_name("url").long("url").takes_value(true).required(false).help("Set URL"))
@@ -22,6 +22,8 @@ impl Command for CommandImpl {
fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError {
let pin_opt = sub_arg_matches.value_of("pass").or_else(|| sub_arg_matches.value_of("pin"));
let pin_opt = pinutil::get_pin(pin_opt);
let pin_opt = pin_opt.as_deref();
let pin = opt_value_result!(pin_opt, "Pin must be assigned");
if pin.len() < 8 { return simple_error!("Admin pin length:{}, must >= 8!", pin.len()); }

6
src/cmd_pgpcarddecrypt.rs
View File

@@ -5,7 +5,7 @@ use openpgp_card::crypto_data::Cryptogram;
use rust_util::{util_msg, XResult};
use rust_util::util_clap::{Command, CommandError};
use crate::pgpcardutil;
use crate::{pgpcardutil, pinutil};
use crate::util::{base64_encode, read_stdin, try_decode};
#[derive(Debug, Clone, Copy)]
@@ -31,7 +31,7 @@ impl Command for CommandImpl {
fn subcommand<'a>(&self) -> App<'a, 'a> {
SubCommand::with_name(self.name()).about("OpenPGP Card decrypt subcommand")
.arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).default_value("123456").help("OpenPGP card user pin"))
.arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).help("OpenPGP card user pin"))
.arg(Arg::with_name("pass").long("pass").takes_value(true).help("[deprecated] now OpenPGP card user pin"))
.arg(Arg::with_name("ciphertext").short("c").long("ciphertext").takes_value(true).help("Cipher text (HEX or Base64)"))
.arg(Arg::with_name("stdin").long("stdin").help("Standard input (Ciphertext)"))
@@ -44,6 +44,8 @@ impl Command for CommandImpl {
if json_output { util_msg::set_logger_std_out(false); }
let pin_opt = sub_arg_matches.value_of("pass").or_else(|| sub_arg_matches.value_of("pin"));
let pin_opt = pinutil::get_pin(pin_opt);
let pin_opt = pin_opt.as_deref();
let pin = opt_value_result!(pin_opt, "User pin must be assigned");
if pin.len() < 6 { return simple_error!("User pin length:{}, must >= 6!", pin.len()); }

5
src/cmd_pgpcardmake.rs
View File

@@ -21,6 +21,7 @@ use rust_util::util_clap::{Command, CommandError};
use rust_util::XResult;
use sequoia_openpgp as openpgp;
use crate::pinutil;
use crate::rsautil::RsaCrt;
#[derive(Debug)]
@@ -128,7 +129,7 @@ impl Command for CommandImpl {
fn subcommand<'a>(&self) -> App<'a, 'a> {
SubCommand::with_name(self.name()).about("OpenPGP Card make subcommand")
.arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).default_value("12345678").help("OpenPGP card admin pin"))
.arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).help("OpenPGP card admin pin"))
.arg(Arg::with_name("pass").long("pass").takes_value(true).required(false).help("Password for PGP secret key"))
.arg(Arg::with_name("in").long("in").takes_value(true).required(false).help("PGP file in"))
.arg(Arg::with_name("force-make").long("force-make").help("Force make OpenPGP card"))
@@ -138,6 +139,8 @@ impl Command for CommandImpl {
fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError {
let pin_opt = sub_arg_matches.value_of("pin");
let pin_opt = pinutil::get_pin(pin_opt);
let pin_opt = pin_opt.as_deref();
let pin = opt_value_result!(pin_opt, "Pin must be assigned");
if pin.len() < 8 { return simple_error!("Admin pin length:{}, must >= 8!", pin.len()); }

13
src/cmd_pgpcardsign.rs
View File

@@ -5,11 +5,11 @@ use std::io::{ErrorKind, Read};
use clap::{App, Arg, ArgMatches, SubCommand};
use digest::Digest;
use openpgp_card::crypto_data::Hash;
use rust_util::util_clap::{Command, CommandError};
use rust_util::{util_msg, XResult};
use rust_util::util_clap::{Command, CommandError};
use sha2::{Sha256, Sha384, Sha512};
use crate::pgpcardutil;
use crate::{pgpcardutil, pinutil};
use crate::util::base64_encode;
const BUFF_SIZE: usize = 512 * 1024;
@@ -39,7 +39,7 @@ impl Command for CommandImpl {
fn subcommand<'a>(&self) -> App<'a, 'a> {
SubCommand::with_name(self.name()).about("OpenPGP Card sign subcommand")
.arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).default_value("123456").help("OpenPGP card user pin"))
.arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).help("OpenPGP card user pin"))
.arg(Arg::with_name("pass").long("pass").takes_value(true).help("[deprecated] now OpenPGP card user pin"))
.arg(Arg::with_name("sha256").short("2").long("sha256").takes_value(true).help("Digest SHA256 HEX"))
.arg(Arg::with_name("sha384").short("3").long("sha384").takes_value(true).help("Digest SHA384 HEX"))
@@ -57,6 +57,8 @@ impl Command for CommandImpl {
if json_output { util_msg::set_logger_std_out(false); }
let pin_opt = sub_arg_matches.value_of("pass").or_else(|| sub_arg_matches.value_of("pin"));
let pin_opt = pinutil::get_pin(pin_opt);
let pin_opt = pin_opt.as_deref();
let pin = opt_value_result!(pin_opt, "User pin must be assigned");
if pin.len() < 6 { return simple_error!("User pin length:{}, must >= 6!", pin.len()); }
@@ -177,7 +179,10 @@ impl Command for CommandImpl {
}
}
fn calc_file_digest<D>(file_name: &str) -> XResult<Vec<u8>> where D: Digest {
fn calc_file_digest<D>(file_name: &str) -> XResult<Vec<u8>>
where
D: Digest,
{
let mut hasher = D::new();
let mut buf: [u8; BUFF_SIZE] = [0u8; BUFF_SIZE];
let mut f = File::open(file_name)?;

6
src/cmd_pivdecrypt.rs
View File

@@ -6,7 +6,7 @@ use rust_util::util_msg;
use yubikey::piv::AlgorithmId;
use yubikey::YubiKey;
use crate::pivutil;
use crate::{pinutil, pivutil};
use crate::util::{read_stdin, try_decode};
pub struct CommandImpl;
@@ -17,7 +17,7 @@ impl Command for CommandImpl {
fn subcommand<'a>(&self) -> App<'a, 'a> {
SubCommand::with_name(self.name()).about("PIV decrypt(RSA) subcommand")
.arg(Arg::with_name("slot").short("s").long("slot").takes_value(true).help("PIV slot, e.g. 82, 83 ... 95, 9a, 9c, 9d, 9e"))
.arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).default_value("123456").help("OpenPGP card user pin"))
.arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).help("PIV card user PIN"))
.arg(Arg::with_name("ciphertext").long("ciphertext").short("c").takes_value(true).help("Encrypted data (HEX or Base64)"))
.arg(Arg::with_name("stdin").long("stdin").help("Standard input (Ciphertext)"))
.arg(Arg::with_name("json").long("json").help("JSON output"))
@@ -30,6 +30,8 @@ impl Command for CommandImpl {
let slot = opt_value_result!(sub_arg_matches.value_of("slot"), "--slot must assigned, e.g. 82, 83 ... 95, 9a, 9c, 9d, 9e");
let pin_opt = sub_arg_matches.value_of("pin");
let pin_opt = pinutil::get_pin(pin_opt);
let pin_opt = pin_opt.as_deref();
let pin = opt_value_result!(pin_opt, "User pin must be assigned");
let encrypted_data = if let Some(ciphertext) = sub_arg_matches.value_of("ciphertext") {

6
src/cmd_pivecdh.rs
View File

@@ -8,7 +8,7 @@ use rust_util::util_msg;
use yubikey::{PinPolicy, YubiKey};
use yubikey::piv::{AlgorithmId, decrypt_data, metadata};
use crate::{ecdhutil, pivutil};
use crate::{ecdhutil, pinutil, pivutil};
use crate::pivutil::get_algorithm_id;
pub struct CommandImpl;
@@ -18,7 +18,7 @@ impl Command for CommandImpl {
fn subcommand<'a>(&self) -> App<'a, 'a> {
SubCommand::with_name(self.name()).about("PIV ECDH subcommand")
.arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).help("PIV card user pin"))
.arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).help("PIV card user PIN"))
.arg(Arg::with_name("slot").short("s").long("slot").takes_value(true).help("PIV slot, e.g. 82, 83 ..."))
.arg(Arg::with_name("public-256").long("public-256").help("Public key (P-256)"))
.arg(Arg::with_name("public-384").long("public-384").help("Public key (P-384)"))
@@ -71,6 +71,8 @@ impl Command for CommandImpl {
if private {
let pin_opt = sub_arg_matches.value_of("pin");
let pin_opt = pinutil::get_pin(pin_opt);
let pin_opt = pin_opt.as_deref();
let slot = opt_value_result!(sub_arg_matches.value_of("slot"), "--slot must assigned, e.g. 82, 83 ...");
let epk = opt_value_result!(sub_arg_matches.value_of("epk"), "--epk must assigned");

6
src/cmd_pivecsign.rs
View File

@@ -7,7 +7,7 @@ use x509_parser::nom::AsBytes;
use yubikey::piv::{AlgorithmId, ManagementAlgorithmId, metadata, sign_data};
use yubikey::YubiKey;
use crate::{argsutil, pivutil};
use crate::{argsutil, pinutil, pivutil};
use crate::util::base64_encode;
pub struct CommandImpl;
@@ -17,7 +17,7 @@ impl Command for CommandImpl {
fn subcommand<'a>(&self) -> App<'a, 'a> {
SubCommand::with_name(self.name()).about("PIV EC sign(with SHA256) subcommand")
.arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).help("PIV card user pin"))
.arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).help("PIV card user PIN"))
.arg(Arg::with_name("slot").short("s").long("slot").takes_value(true).help("PIV slot, e.g. 82, 83 ... 95, 9a, 9c, 9d, 9e"))
.arg(Arg::with_name("algorithm").short("a").long("algorithm").takes_value(true).help("Algorithm, p256 or p384"))
.arg(Arg::with_name("file").short("f").long("file").takes_value(true).help("Input file"))
@@ -33,6 +33,8 @@ impl Command for CommandImpl {
let mut json = BTreeMap::<&'_ str, String>::new();
let pin_opt = sub_arg_matches.value_of("pin");
let pin_opt = pinutil::get_pin(pin_opt);
let pin_opt = pin_opt.as_deref();
let slot = opt_value_result!(sub_arg_matches.value_of("slot"), "--slot must assigned, e.g. 82, 83 ... 95, 9a, 9c, 9d, 9e");
let hash_bytes = argsutil::get_sha256_digest_or_hash(sub_arg_matches)?;

9
src/cmd_pivgenerate.rs
View File

@@ -4,6 +4,8 @@ use rust_util::util_msg;
use yubikey::{PinPolicy, piv, TouchPolicy, YubiKey};
use yubikey::piv::{AlgorithmId, SlotId};
use crate::pinutil;
pub struct CommandImpl;
impl Command for CommandImpl {
@@ -11,7 +13,7 @@ impl Command for CommandImpl {
fn subcommand<'a>(&self) -> App<'a, 'a> {
SubCommand::with_name(self.name()).about("PIV generate subcommand")
.arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).help("OpenPGP card user pin"))
.arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).help("PIV card user PIN"))
.arg(Arg::with_name("force").long("force").help("Force generate"))
.arg(Arg::with_name("json").long("json").help("JSON output"))
}
@@ -21,7 +23,10 @@ impl Command for CommandImpl {
if json_output { util_msg::set_logger_std_out(false); }
warning!("This feature is not works");
let pin = opt_value_result!(sub_arg_matches.value_of("pin"), "User pin must be assigned");
let pin_opt = sub_arg_matches.value_of("pin");
let pin_opt = pinutil::get_pin(pin_opt);
let pin_opt = pin_opt.as_deref();
let pin = opt_value_result!(pin_opt, "User pin must be assigned");
if !sub_arg_matches.is_present("force") {
failure_and_exit!("--force must be assigned");

6
src/cmd_pivrsasign.rs
View File

@@ -6,7 +6,7 @@ use rust_util::util_msg;
use yubikey::{piv, YubiKey};
use yubikey::piv::{AlgorithmId, SlotId};
use crate::{pivutil, rsautil};
use crate::{pinutil, pivutil, rsautil};
use crate::util::base64_encode;
pub struct CommandImpl;
@@ -17,7 +17,7 @@ impl Command for CommandImpl {
fn subcommand<'a>(&self) -> App<'a, 'a> {
SubCommand::with_name(self.name()).about("PIV RSA sign(with SHA256) subcommand")
.arg(Arg::with_name("slot").short("s").long("slot").takes_value(true).help("PIV slot, e.g. 82, 83 ... 95, 9a, 9c, 9d, 9e"))
.arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).default_value("123456").help("OpenPGP card user pin"))
.arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).help("PIV card user PIN"))
.arg(Arg::with_name("sha256").short("2").long("sha256").takes_value(true).help("Digest SHA256 HEX"))
.arg(Arg::with_name("json").long("json").help("JSON output"))
}
@@ -27,6 +27,8 @@ impl Command for CommandImpl {
if json_output { util_msg::set_logger_std_out(false); }
let pin_opt = sub_arg_matches.value_of("pin");
let pin_opt = pinutil::get_pin(pin_opt);
let pin_opt = pin_opt.as_deref();
let pin = opt_value_result!(pin_opt, "User pin must be assigned");
let sha256_hex_opt = sub_arg_matches.value_of("sha256").map(|s| s.to_string());

6
src/cmd_signfile.rs
View File

@@ -10,7 +10,7 @@ use x509_parser::nom::AsBytes;
use yubikey::{Key, YubiKey};
use yubikey::piv::{sign_data, SlotId};
use crate::{argsutil, pivutil};
use crate::{argsutil, pinutil, pivutil};
use crate::digest::sha256_bytes;
use crate::signfile::{CERTIFICATES_SEARCH_URL, HASH_ALGORITHM_SHA256, SIGNATURE_ALGORITHM_SHA256_WITH_ECDSA, SignFileRequest, SIMPLE_SIG_SCHEMA, SimpleSignFile, SimpleSignFileSignature};
use crate::util::base64_encode;
@@ -40,7 +40,7 @@ impl Command for CommandImpl {
fn subcommand<'a>(&self) -> App<'a, 'a> {
SubCommand::with_name(self.name()).about("PIV sign(with SHA256) subcommand")
.arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).help("PIV card user pin"))
.arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).help("PIV card user PIN"))
.arg(Arg::with_name("slot").short("s").long("slot")
.takes_value(true).required(true).help("PIV slot, e.g. 82, 83 ... 95, 9a, 9c, 9d, 9e"))
.arg(Arg::with_name("file").short("f").long("file").takes_value(true).required(true).help("Input file"))
@@ -58,6 +58,8 @@ impl Command for CommandImpl {
let attributes_opt = sub_arg_matches.value_of("attributes").map(ToString::to_string);
let pin_opt = sub_arg_matches.value_of("pin");
let pin_opt = pinutil::get_pin(pin_opt);
let pin_opt = pin_opt.as_deref();
let slot = opt_value_result!(sub_arg_matches.value_of("slot"), "--slot must assigned, e.g. 82, 83 ... 95, 9a, 9c, 9d, 9e");
// TODO read from stream not in memory

6
src/cmd_signjwt.rs
View File

@@ -10,7 +10,7 @@ use serde_json::{Map, Number, Value};
use yubikey::{Certificate, YubiKey};
use yubikey::piv::{AlgorithmId, sign_data};
use crate::{digest, pivutil, rsautil, util};
use crate::{digest, pinutil, pivutil, rsautil, util};
const SEPARATOR: &str = ".";
@@ -21,7 +21,7 @@ impl Command for CommandImpl {
fn subcommand<'a>(&self) -> App<'a, 'a> {
SubCommand::with_name(self.name()).about("Sign JWT subcommand")
.arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).help("PIV card user pin"))
.arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).help("PIV card user PIN"))
.arg(Arg::with_name("slot").short("s").long("slot").takes_value(true).help("PIV slot, e.g. 82, 83 ... 95, 9a, 9c, 9d, 9e"))
.arg(Arg::with_name("key-id").short("K").long("key-id").takes_value(true).help("Header key ID"))
.arg(Arg::with_name("claims").short("C").long("claims").takes_value(true).multiple(true).help("Claims, key:value"))
@@ -38,6 +38,8 @@ impl Command for CommandImpl {
let mut json = BTreeMap::<&'_ str, String>::new();
let pin_opt = sub_arg_matches.value_of("pin");
let pin_opt = pinutil::get_pin(pin_opt);
let pin_opt = pin_opt.as_deref();
let slot = opt_value_result!(
sub_arg_matches.value_of("slot"), "--slot must assigned, e.g. 82, 83 ... 95, 9a, 9c, 9d, 9e");

5
src/cmd_sshagent.rs
View File

@@ -15,6 +15,7 @@ use ssh_agent::proto::message::{self, Message};
use ssh_agent::proto::public_key::PublicKey;
use crate::digest::{copy_sha256, copy_sha512};
use crate::pinutil;
use crate::sshutil::{generate_ssh_string, with_sign};
struct SshAgent {
@@ -161,7 +162,9 @@ impl Command for CommandImpl {
if use_pgp && !(use_pgp_sign ^ use_pgp_auth) {
return simple_error!("Args --pgp-sign or --pgp-auth must have one selection when use --pgp");
}
let pin = sub_arg_matches.value_of("pin").unwrap();
let pin_opt = sub_arg_matches.value_of("pin");
let pin_opt = pinutil::get_pin(pin_opt);
let pin = pin_opt.as_deref().unwrap();
let sock_file = sub_arg_matches.value_of("sock-file").unwrap();
information!("Sock file: {}", sock_file);

1
src/main.rs
View File

@@ -46,6 +46,7 @@ mod cmd_signfile;
mod cmd_verifyfile;
mod signfile;
mod ecdhutil;
mod pinutil;
pub struct DefaultCommandImpl;

49
src/pinutil.rs Normal file
View File

@@ -0,0 +1,49 @@
use std::{env, fs};
use pinentry::PassphraseInput;
use secrecy::ExposeSecret;
const PIN_ENTRY_ENV: &str = "PIN_ENTRY_CMD";
const PIN_ENTRY_1: &str = "/usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac";
const PIN_ENTRY_DEFAULT: &str = "pinentry";
pub fn get_pin(pin_opt: Option<&str>) -> Option<String> {
if let Some(pin) = pin_opt {
return Some(pin.to_string());
}
let pin_entry = get_pin_entry();
if let Some(mut input) = PassphraseInput::with_binary(pin_entry) {
let secret = input
.with_description("Please input PIN.")
.with_prompt("PIN: ")
.interact();
match secret {
Ok(secret_string) => Some(secret_string.expose_secret().to_string()),
Err(e) => {
warning!("Input PIN failed: {}", e);
None
}
}
} else {
match rpassword::prompt_password("Please input PIN: ") {
Ok(pin) => Some(pin),
Err(e) => {
warning!("Input PIN failed: {}", e);
None
}
}
}
}
fn get_pin_entry() -> String {
if let Ok(pin_entry) = env::var(PIN_ENTRY_ENV) {
return pin_entry;
}
if let Ok(m) = fs::metadata(PIN_ENTRY_1) {
if m.is_file() {
return PIN_ENTRY_1.to_string();
}
}
PIN_ENTRY_DEFAULT.to_string()
}