From 31bf94c0280ad4a2b48dc6b18c7b6593280e77e9 Mon Sep 17 00:00:00 2001
From: Hatter Jiang <jht5945@gmail.com>
Date: Sat, 2 Jul 2022 17:43:07 +0800
Subject: [PATCH] feat: encrypt key

---
 src/cmd_pgpcardserve.rs | 53 ++++++++++++++++++++++++++++++++++-------
 1 file changed, 44 insertions(+), 9 deletions(-)

diff --git a/src/cmd_pgpcardserve.rs b/src/cmd_pgpcardserve.rs
index 5a4c07e..78dd22d 100644
--- a/src/cmd_pgpcardserve.rs
+++ b/src/cmd_pgpcardserve.rs
@@ -1,12 +1,18 @@
 use std::collections::HashMap;
 
 use clap::{App, Arg, ArgMatches, SubCommand};
-use openpgp_card::OpenPgp;
+use openpgp_card::{KeyType, OpenPgp};
+use openssl::encrypt::Encrypter;
+use openssl::pkey::{PKey, Public};
+use openssl::rsa::{Padding, Rsa};
 use rust_util::util_clap::{Command, CommandError};
+use rust_util::XResult;
 use serde_derive::{Deserialize, Serialize};
 use warp::Filter;
 use warp::reply::{Json, json};
 
+use crate::pkiutil;
+
 pub struct CommandImpl;
 
 impl Command for CommandImpl {
@@ -17,7 +23,7 @@ impl Command for CommandImpl {
             .arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).default_value("123456").help("OpenPGP card user pin"))
             .arg(Arg::with_name("pass").long("pass").takes_value(true).help("[deprecated] now OpenPGP card user pin"))
             .arg(Arg::with_name("listen").short("l").long("listen").takes_value(true).default_value("127.0.0.1:3627").help("Listen address"))
-            // .arg(Arg::with_name("ssh-attach-host").long("ssh-attach-host").takes_value(true).help("SSH attache (e.g. root@example.com)"))
+        // .arg(Arg::with_name("ssh-attach-host").long("ssh-attach-host").takes_value(true).help("SSH attache (e.g. root@example.com)"))
     }
 
     fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError {
@@ -48,26 +54,44 @@ impl Command for CommandImpl {
         // success!("Clear text base64: {}", base64::encode(&text));
         // success!("Clear text UTF-8: {}", String::from_utf8_lossy(&text));
 
+        let (public_key_sha256, keypair) = {
+            let encrypt_public_key = opt_result!(trans.public_key(KeyType::Decryption), "Get decryption public key failed: {}");
+            let (public_key_sha256, public_key_pem) = pkiutil::openpgp_card_public_key_pem(&encrypt_public_key).expect("To decryption public key pem failed");
+            success!("Found public key: {}", hex::encode(&public_key_sha256));
+
+            let keypair = opt_result!(Rsa::public_key_from_pem(public_key_pem.as_bytes()), "Parse RSA failed: {}");
+            let keypair = opt_result!(PKey::from_rsa(keypair), "RSA to PKey failed: {}");
+            (public_key_sha256, keypair)
+        };
+
         let rt = tokio::runtime::Runtime::new().unwrap();
-        rt.block_on(async {
+        rt.block_on(async move {
             let version = warp::get().and(warp::path("version")).map(|| {
                 let mut version = HashMap::new();
                 version.insert("version", env!("CARGO_PKG_VERSION"));
-                warp::reply::json(&version)
+                json(&version)
             });
+            let public_key_sha256 = public_key_sha256.clone();
+            let keypair = keypair.clone();
             let create_key = warp::post()
                 .and(warp::path("create_key"))
                 .and(warp::body::json())
-                .map(|create_key_request: CreateKeyRequest| {
+                .map(move |create_key_request: CreateKeyRequest| {
                     let len = create_key_request.len.unwrap_or(32);
-                    if (len < 16) || (len > 1024) {
+                    if (len < 16) || (len > 128) {
                         return ErrResponse::new(400, format!("Invalid length:{}", len));
                     }
                     let key = crate::randutil::make_rand(len);
+                    let encrypted_key = match encrypt_data(&key, &keypair) {
+                        Err(e) => return ErrResponse::new(500, format!("Encrypt key failed: {}", e)),
+                        Ok(encrypted_key) => encrypted_key,
+                    };
+
                     json(&CreateKeyResponse {
-                        request_pub_key_encrypted_key_hex: None,
+                        request_public_key_encrypted_key_hex: None,
                         raw_key_hex: Some(hex::encode(&key)),
-                        encrypted_key_hex: "".to_string(),
+                        encrypted_key_fingerprint_hex: hex::encode(&public_key_sha256),
+                        encrypted_key_hex: hex::encode(&encrypted_key),
                     })
                 });
 
@@ -82,6 +106,16 @@ impl Command for CommandImpl {
     }
 }
 
+fn encrypt_data(key: &[u8], keypair: &PKey<Public>) -> XResult<Vec<u8>> {
+    let mut encrypter = opt_result!(Encrypter::new(keypair), "Encrypter new failed: {}");
+    opt_result!(encrypter.set_rsa_padding(Padding::PKCS1_OAEP), "Set RSA padding failed: {}");
+    let buffer_len = opt_result!(encrypter.encrypt_len(&key), "Encrypt len failed: {}");
+    let mut encrypted_key = vec![0; buffer_len];
+    let encrypted_len = opt_result!(encrypter.encrypt(&key, &mut encrypted_key), "Encrypt failed: {}");
+    encrypted_key.truncate(encrypted_len);
+    Ok(encrypted_key)
+}
+
 trait ErrorResponseMessage {
     fn to_option_string(self) -> Option<String>;
 }
@@ -121,7 +155,8 @@ struct CreateKeyRequest {
 
 #[derive(Deserialize, Serialize)]
 struct CreateKeyResponse {
-    request_pub_key_encrypted_key_hex: Option<String>,
+    request_public_key_encrypted_key_hex: Option<String>,
     raw_key_hex: Option<String>,
+    encrypted_key_fingerprint_hex: String,
     encrypted_key_hex: String,
 }