From 1773186dbf02ec75dd2843f904ab1a5d5c2fc16e Mon Sep 17 00:00:00 2001 From: Hatter Jiang Date: Thu, 1 May 2025 21:55:14 +0800 Subject: [PATCH] feat: update parse_ecdsa_private_key --- src/cmd_external_sign.rs | 17 ++++------------- src/cmd_sign_jwt_soft.rs | 21 +++++++++++++-------- 2 files changed, 17 insertions(+), 21 deletions(-) diff --git a/src/cmd_external_sign.rs b/src/cmd_external_sign.rs index f33d217..9a5b7fd 100644 --- a/src/cmd_external_sign.rs +++ b/src/cmd_external_sign.rs @@ -10,6 +10,7 @@ use rust_util::XResult; use serde_json::Value; use std::collections::BTreeMap; use yubikey::piv::{sign_data, AlgorithmId}; +use crate::cmd_sign_jwt_soft::parse_ecdsa_private_key; pub struct CommandImpl; @@ -70,14 +71,14 @@ fn sign(sub_arg_matches: &ArgMatches) -> XResult> { // FIXME Check Yubikey slot algorithm let jwt_algorithm = get_jwt_algorithm(&key, alg)?; - let raw_in = digest_by_jwt_algorithm(jwt_algorithm, &message_bytes)?; - if let Some(pin) = pin_opt { opt_result!( yk.verify_pin(pin.as_bytes()), "YubiKey verify pin failed: {}" ); } + + let raw_in = digest_by_jwt_algorithm(jwt_algorithm, &message_bytes)?; let signed_data = opt_result!( sign_data(&mut yk, &raw_in, key.algorithm, key.slot), "Sign YubiKey failed: {}" @@ -86,24 +87,14 @@ fn sign(sub_arg_matches: &ArgMatches) -> XResult> { } KeyUri::YubikeyHmacEncSoftKey(key) => { let private_key = hmacutil::try_hmac_decrypt_to_string(&key.hmac_enc_private_key)?; - - let p256_private_key_d = ecdsautil::parse_p256_private_key(&private_key).ok(); - let p384_private_key_d = ecdsautil::parse_p384_private_key(&private_key).ok(); - - let (jwt_algorithm, private_key_d) = match (p256_private_key_d, p384_private_key_d) { - (Some(p256_private_key_d), None) => (AlgorithmType::Es256, p256_private_key_d), - (None, Some(p384_private_key_d)) => (AlgorithmType::Es384, p384_private_key_d), - _ => return simple_error!("Invalid private key: {}", private_key), - }; + let (jwt_algorithm, private_key_d) = parse_ecdsa_private_key(&private_key)?; let raw_in = digest_by_jwt_algorithm(jwt_algorithm, &message_bytes)?; - let signed_data = match jwt_algorithm { AlgorithmType::Es256 => ecdsautil::sign_p256_der(&private_key_d, &raw_in)?, AlgorithmType::Es384 => ecdsautil::sign_p384_der(&private_key_d, &raw_in)?, _ => return simple_error!("SHOULD NOT HAPPEN: {:?}", jwt_algorithm), }; - Ok(signed_data) } } diff --git a/src/cmd_sign_jwt_soft.rs b/src/cmd_sign_jwt_soft.rs index afc5382..cea241f 100644 --- a/src/cmd_sign_jwt_soft.rs +++ b/src/cmd_sign_jwt_soft.rs @@ -65,14 +65,7 @@ fn sign_jwt( payload: &Option, claims: &Map, ) -> XResult { - let p256_private_key_d = ecdsautil::parse_p256_private_key(private_key).ok(); - let p384_private_key_d = ecdsautil::parse_p384_private_key(private_key).ok(); - - let (jwt_algorithm, private_key_d) = match (p256_private_key_d, p384_private_key_d) { - (Some(p256_private_key_d), None) => (AlgorithmType::Es256, p256_private_key_d), - (None, Some(p384_private_key_d)) => (AlgorithmType::Es384, p384_private_key_d), - _ => return simple_error!("Invalid private key: {}", private_key), - }; + let (jwt_algorithm, private_key_d) = parse_ecdsa_private_key(private_key)?; header.algorithm = jwt_algorithm; debugging!("Header: {:?}", header); @@ -94,3 +87,15 @@ fn sign_jwt( Ok([&*header, &*claims, &signature].join(SEPARATOR)) } + +pub fn parse_ecdsa_private_key(private_key: &str) -> XResult<(AlgorithmType, Vec)> { + let p256_private_key_d = ecdsautil::parse_p256_private_key(private_key).ok(); + let p384_private_key_d = ecdsautil::parse_p384_private_key(private_key).ok(); + + let (jwt_algorithm, private_key_d) = match (p256_private_key_d, p384_private_key_d) { + (Some(p256_private_key_d), None) => (AlgorithmType::Es256, p256_private_key_d), + (None, Some(p384_private_key_d)) => (AlgorithmType::Es384, p384_private_key_d), + _ => return simple_error!("Invalid private key: {}", private_key), + }; + Ok((jwt_algorithm, private_key_d)) +}