diff --git a/Cargo.lock b/Cargo.lock index 51e4879..1480845 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -487,7 +487,7 @@ dependencies = [ [[package]] name = "card-cli" -version = "1.10.19" +version = "1.10.20" dependencies = [ "authenticator 0.3.1", "base64 0.21.7", diff --git a/Cargo.toml b/Cargo.toml index 674ddc5..8371d77 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "card-cli" -version = "1.10.19" +version = "1.10.20" authors = ["Hatter Jiang "] edition = "2018" @@ -36,8 +36,8 @@ yubico_manager = "0.9" x509 = "0.2" x509-parser = { version = "0.15", features = ["verify"] } ssh-agent = { version = "0.2", features = ["agent"] } -p256 = { version = "0.13", features = ["pem", "ecdh"] } -p384 = { version = "0.13", features = ["pem", "ecdh"] } +p256 = { version = "0.13", features = ["pem", "ecdh", "ecdsa"] } +p384 = { version = "0.13", features = ["pem", "ecdh", "ecdsa"] } spki = { version = "0.7", features = ["pem"] } tabled = "0.14" env_logger = "0.10" diff --git a/src/cmd_signjwt.rs b/src/cmd_signjwt.rs index 0ca4fd4..986d40e 100644 --- a/src/cmd_signjwt.rs +++ b/src/cmd_signjwt.rs @@ -102,7 +102,7 @@ impl Command for CommandImpl { let pin_opt = pivutil::check_read_pin(&mut yk, slot_id, sub_arg_matches); let token_string = sign_jwt(&mut yk, slot_id, &pin_opt, header, &payload, &jwt_claims)?; - success!("Singed JWT: {}", token_string); + debugging!("Singed JWT: {}", token_string); if json_output { json.insert("token", token_string.clone()); } if json_output { @@ -165,7 +165,7 @@ fn sign_jwt(yk: &mut YubiKey, slot_id: SlotId, pin_opt: &Option, mut hea Ok([&*header, &*claims, &signature].join(SEPARATOR)) } -fn split_claim(claim: &str) -> Option<(String, Value)> { +pub fn split_claim(claim: &str) -> Option<(String, Value)> { let mut k = String::new(); let mut v = String::new(); diff --git a/src/cmd_signjwtsoft.rs b/src/cmd_signjwtsoft.rs new file mode 100644 index 0000000..b09a86a --- /dev/null +++ b/src/cmd_signjwtsoft.rs @@ -0,0 +1,182 @@ +use std::borrow::Cow; +use std::collections::BTreeMap; + +use clap::{App, Arg, ArgMatches, SubCommand}; +use jwt::header::HeaderType; +use jwt::{AlgorithmType, Header, ToBase64}; +use rust_util::util_clap::{Command, CommandError}; +use rust_util::{util_msg, util_time, XResult}; +use serde_json::{Map, Number, Value}; +use yubikey::piv::{sign_data, AlgorithmId, SlotId}; +use yubikey::{Certificate, YubiKey}; + +use crate::ecdsautil::parse_ecdsa_to_rs; +use crate::{cmd_signjwt, digest, ecdsautil, pivutil, rsautil, util}; + +const SEPARATOR: &str = "."; + +pub struct CommandImpl; + +impl Command for CommandImpl { + fn name(&self) -> &str { + "sign-jwt-soft" + } + + fn subcommand<'a>(&self) -> App<'a, 'a> { + SubCommand::with_name(self.name()).about("Sign JWT subcommand") + .arg(Arg::with_name("private-key").short("k").long("private-key").takes_value(true).help("Private key PKCS#8")) + .arg(Arg::with_name("key-id").short("K").long("key-id").takes_value(true).help("Header key ID")) + .arg(Arg::with_name("claims").short("C").long("claims").takes_value(true).multiple(true).help("Claims, key:value")) + .arg(Arg::with_name("payload").short("P").long("payload").takes_value(true).help("Claims in JSON")) + .arg(Arg::with_name("jti").long("jti").help("Claims jti")) + .arg(Arg::with_name("validity").long("validity").takes_value(true).help("Claims validity period e.g. 10m means 10 minutes (s - second, m - minute, h - hour, d - day)")) + .arg(Arg::with_name("json").long("json").help("JSON output")) + } + + fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError { + let json_output = sub_arg_matches.is_present("json"); + if json_output { + util_msg::set_logger_std_out(false); + } + + let mut json = BTreeMap::<&'_ str, String>::new(); + + let private_key = opt_value_result!( + sub_arg_matches.value_of("private-key"), + "Private key PKCS#8 DER base64 encoded or PEM" + ); + + let key_id = sub_arg_matches.value_of("key-id"); + let claims = sub_arg_matches.values_of("claims"); + let payload = sub_arg_matches.value_of("payload"); + let validity = sub_arg_matches.value_of("validity"); + let jti = sub_arg_matches.is_present("jti"); + + let header = Header { + key_id: key_id.map(ToString::to_string), + type_: Some(HeaderType::JsonWebToken), + ..Default::default() + }; + let mut jwt_claims = Map::new(); + if let Some(payload) = payload { + match serde_json::from_str::(payload) { + Ok(Value::Object(claims_map)) => { + claims_map.into_iter().for_each(|(k, v)| { + jwt_claims.insert(k, v); + }); + } + Ok(value) => { + warning!("Not valid payload map: {}", value); + } + Err(e) => { + warning!("Not valid payload value: {}", e); + } + }; + } + + match (payload, claims) { + (Some(_), None) => {} + (_, Some(claims)) => { + for claim in claims { + match cmd_signjwt::split_claim(claim) { + None => { + warning!("Claim '{}' do not contains ':'", claim); + } + Some((k, v)) => { + jwt_claims.insert(k, v); + } + } + } + if !jwt_claims.contains_key("sub") { + return simple_error!("Claim sub is not assigned."); + } + } + _ => return simple_error!("Payload or Claims is required."), + } + + // set jti, iat and sub + if jti && !jwt_claims.contains_key("jti") { + jwt_claims.insert( + "jti".to_string(), + Value::String(format!("jti-{}", util_time::get_current_millis())), + ); + } + if let Some(validity) = validity { + match util_time::parse_duration(validity) { + None => { + warning!("Bad validity: {}", validity) + } + Some(validity) => { + let current_secs = (util_time::get_current_millis() / 1000) as u64; + jwt_claims.insert("iat".to_string(), Value::Number(Number::from(current_secs))); + jwt_claims.insert( + "exp".to_string(), + Value::Number(Number::from(current_secs + validity.as_secs())), + ); + } + } + } + + let token_string = sign_jwt(private_key, header, &payload, &jwt_claims)?; + debugging!("Singed JWT: {}", token_string); + if json_output { + json.insert("token", token_string.clone()); + } + + if json_output { + println!("{}", serde_json::to_string_pretty(&json).unwrap()); + } + Ok(None) + } +} + +fn sign_jwt( + private_key: &str, + mut header: Header, + payload: &Option<&str>, + claims: &Map, +) -> XResult { + let p256_private_key_d = ecdsautil::parse_p256_private_key(private_key).ok(); + let p384_private_key_d = ecdsautil::parse_p384_private_key(private_key).ok(); + + let (jwt_algorithm, private_key_d) = match (p256_private_key_d, p384_private_key_d) { + (Some(p256_private_key_d), None) => (AlgorithmType::Es256, p256_private_key_d), + (None, Some(p384_private_key_d)) => (AlgorithmType::Es384, p384_private_key_d), + _ => return simple_error!("Invalid private key: {}", private_key), + }; + + header.algorithm = jwt_algorithm; + debugging!("Header: {:?}", header); + debugging!("Claims: {:?}", claims); + + let header = opt_result!(header.to_base64(), "Header to base64 failed: {}"); + let claims = match (payload, claims.is_empty()) { + (Some(payload), true) => { + Cow::Owned(util::base64_encode_url_safe_no_pad(payload.as_bytes())) + } + (_, _) => opt_result!(claims.to_base64(), "Claims to base64 failed: {}"), + }; + + let mut tobe_signed = vec![]; + tobe_signed.extend_from_slice(header.as_bytes()); + tobe_signed.extend_from_slice(SEPARATOR.as_bytes()); + tobe_signed.extend_from_slice(claims.as_bytes()); + let raw_in = match jwt_algorithm { + AlgorithmType::Rs256 => { + rsautil::pkcs15_sha256_rsa_2048_padding_for_sign(&digest::sha256_bytes(&tobe_signed)) + } + AlgorithmType::Es256 => digest::sha256_bytes(&tobe_signed), + AlgorithmType::Es384 => digest::sha384_bytes(&tobe_signed), + _ => return simple_error!("SHOULD NOT HAPPEN: {:?}", jwt_algorithm), + }; + + let signed_data = match jwt_algorithm { + AlgorithmType::Es256 => ecdsautil::sign_p256_rs(&private_key_d, &raw_in)?, + AlgorithmType::Es384 => ecdsautil::sign_p384_rs(&private_key_d, &raw_in)?, + _ => return simple_error!("SHOULD NOT HAPPEN: {:?}", jwt_algorithm), + }; + + let signature = util::base64_encode_url_safe_no_pad(&signed_data); + + Ok([&*header, &*claims, &signature].join(SEPARATOR)) +} diff --git a/src/ecdsautil.rs b/src/ecdsautil.rs index d72748e..3b3b345 100644 --- a/src/ecdsautil.rs +++ b/src/ecdsautil.rs @@ -4,11 +4,10 @@ use ecdsa::VerifyingKey; use p256::NistP256; use p256::ecdsa::signature::hazmat::PrehashVerifier; use p384::NistP384; -use ecdsa::Signature; use p256::pkcs8::EncodePrivateKey; use rust_util::XResult; use spki::EncodePublicKey; -use crate::util::base64_encode; +use crate::util::{base64_encode, try_decode}; #[derive(Copy, Clone)] pub enum EcdsaAlgorithm { @@ -72,8 +71,57 @@ pub fn generate_p384_keypair() -> XResult<(String, String, String)> { Ok((secret_key_der_base64, secret_key_pem, public_key_pem)) } +macro_rules! parse_ecdsa_private_key { + ($algo: tt, $parse_ecdsa_private_key: tt) => ({ + use $algo::ecdsa::{SigningKey}; + use $algo::pkcs8::DecodePrivateKey; + use $algo::SecretKey; + + let secret_key = match SecretKey::from_pkcs8_pem($parse_ecdsa_private_key) { + Ok(secret_key) => secret_key, + Err(_) => match try_decode($parse_ecdsa_private_key) { + Ok(private_key_der) => match SecretKey::from_pkcs8_der(&private_key_der) { + Ok(secret_key) => secret_key, + Err(e) => return simple_error!("Invalid PKCS#8 private key {}, error: {}", $parse_ecdsa_private_key, e), + } + Err(_) => return simple_error!("Invalid PKCS#8 private key: {}", $parse_ecdsa_private_key), + } + }; + Ok(secret_key.to_bytes().to_vec()) + }) +} + +pub fn parse_p256_private_key(private_key_pkcs8: &str) -> XResult> { + parse_ecdsa_private_key!(p256, private_key_pkcs8) +} + +pub fn parse_p384_private_key(private_key_pkcs8: &str) -> XResult> { + parse_ecdsa_private_key!(p384, private_key_pkcs8) +} + +pub fn sign_p256_rs(private_key_d: &[u8], pre_hash: &[u8]) -> XResult> { + use p256::ecdsa::{SigningKey, Signature}; + use p256::ecdsa::signature::hazmat::PrehashSigner; + + let signing_key = SigningKey::from_slice(&private_key_d)?; + let signature: Signature = signing_key.sign_prehash(pre_hash)?; + + Ok(signature.to_bytes().to_vec()) +} + +pub fn sign_p384_rs(private_key_d: &[u8], pre_hash: &[u8]) -> XResult> { + use p384::ecdsa::{SigningKey, Signature}; + use p384::ecdsa::signature::hazmat::PrehashSigner; + + let signing_key = SigningKey::from_slice(&private_key_d)?; + let signature: Signature = signing_key.sign_prehash(pre_hash)?; + + Ok(signature.to_bytes().to_vec()) +} + macro_rules! ecdsa_verify_signature { ($algo: tt, $pk_point: tt, $prehash: tt, $signature: tt) => ({ + use ecdsa::Signature; let verifying_key: VerifyingKey<$algo> = opt_result!(VerifyingKey::<$algo>::from_sec1_bytes($pk_point), "Parse public key failed: {}"); let sign = if let Ok(signature) = Signature::from_der($signature) { signature diff --git a/src/main.rs b/src/main.rs index 81b7f6c..f3e83d3 100644 --- a/src/main.rs +++ b/src/main.rs @@ -43,6 +43,7 @@ mod cmd_se_generate; mod cmd_se_recover; mod cmd_signfile; mod cmd_signjwt; +mod cmd_signjwtsoft; mod cmd_sshagent; mod cmd_sshparse; mod cmd_sshparsesign; @@ -131,6 +132,7 @@ fn inner_main() -> CommandError { Box::new(cmd_sshparse::CommandImpl), Box::new(cmd_pgpageaddress::CommandImpl), Box::new(cmd_signjwt::CommandImpl), + Box::new(cmd_signjwtsoft::CommandImpl), Box::new(cmd_signfile::CommandImpl), Box::new(cmd_verifyfile::CommandImpl), #[cfg(feature = "with-secure-enclave")]