feat: v1.10.20, add sign-jwt-soft

Cargo.lock

@@ -487,7 +487,7 @@ dependencies = [
 
 [[package]]
 name = "card-cli"
-version = "1.10.19"
+version = "1.10.20"
 dependencies = [
  "authenticator 0.3.1",
  "base64 0.21.7",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "card-cli"
-version = "1.10.19"
+version = "1.10.20"
 authors = ["Hatter Jiang <jht5945@gmail.com>"]
 edition = "2018"
 
@@ -36,8 +36,8 @@ yubico_manager = "0.9"
 x509 = "0.2"
 x509-parser = { version = "0.15", features = ["verify"] }
 ssh-agent = { version = "0.2", features = ["agent"] }
-p256 = { version = "0.13", features = ["pem", "ecdh"] }
+p256 = { version = "0.13", features = ["pem", "ecdh", "ecdsa"] }
-p384 = { version = "0.13", features = ["pem", "ecdh"] }
+p384 = { version = "0.13", features = ["pem", "ecdh", "ecdsa"] }
 spki = { version = "0.7", features = ["pem"] }
 tabled = "0.14"
 env_logger = "0.10"

src/cmd_signjwt.rs

@@ -102,7 +102,7 @@ impl Command for CommandImpl {
         let pin_opt = pivutil::check_read_pin(&mut yk, slot_id, sub_arg_matches);
 
         let token_string = sign_jwt(&mut yk, slot_id, &pin_opt, header, &payload, &jwt_claims)?;
-        success!("Singed JWT: {}", token_string);
+        debugging!("Singed JWT: {}", token_string);
         if json_output { json.insert("token", token_string.clone()); }
 
         if json_output {
@@ -165,7 +165,7 @@ fn sign_jwt(yk: &mut YubiKey, slot_id: SlotId, pin_opt: &Option<String>, mut hea
     Ok([&*header, &*claims, &signature].join(SEPARATOR))
 }
 
-fn split_claim(claim: &str) -> Option<(String, Value)> {
+pub fn split_claim(claim: &str) -> Option<(String, Value)> {
     let mut k = String::new();
     let mut v = String::new();
 

src/cmd_signjwtsoft.rs

@@ -0,0 +1,182 @@
+use std::borrow::Cow;
+use std::collections::BTreeMap;
+
+use clap::{App, Arg, ArgMatches, SubCommand};
+use jwt::header::HeaderType;
+use jwt::{AlgorithmType, Header, ToBase64};
+use rust_util::util_clap::{Command, CommandError};
+use rust_util::{util_msg, util_time, XResult};
+use serde_json::{Map, Number, Value};
+use yubikey::piv::{sign_data, AlgorithmId, SlotId};
+use yubikey::{Certificate, YubiKey};
+
+use crate::ecdsautil::parse_ecdsa_to_rs;
+use crate::{cmd_signjwt, digest, ecdsautil, pivutil, rsautil, util};
+
+const SEPARATOR: &str = ".";
+
+pub struct CommandImpl;
+
+impl Command for CommandImpl {
+    fn name(&self) -> &str {
+        "sign-jwt-soft"
+    }
+
+    fn subcommand<'a>(&self) -> App<'a, 'a> {
+        SubCommand::with_name(self.name()).about("Sign JWT subcommand")
+            .arg(Arg::with_name("private-key").short("k").long("private-key").takes_value(true).help("Private key PKCS#8"))
+            .arg(Arg::with_name("key-id").short("K").long("key-id").takes_value(true).help("Header key ID"))
+            .arg(Arg::with_name("claims").short("C").long("claims").takes_value(true).multiple(true).help("Claims, key:value"))
+            .arg(Arg::with_name("payload").short("P").long("payload").takes_value(true).help("Claims in JSON"))
+            .arg(Arg::with_name("jti").long("jti").help("Claims jti"))
+            .arg(Arg::with_name("validity").long("validity").takes_value(true).help("Claims validity period e.g. 10m means 10 minutes (s - second, m - minute, h - hour, d - day)"))
+            .arg(Arg::with_name("json").long("json").help("JSON output"))
+    }
+
+    fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError {
+        let json_output = sub_arg_matches.is_present("json");
+        if json_output {
+            util_msg::set_logger_std_out(false);
+        }
+
+        let mut json = BTreeMap::<&'_ str, String>::new();
+
+        let private_key = opt_value_result!(
+            sub_arg_matches.value_of("private-key"),
+            "Private key PKCS#8 DER base64 encoded or PEM"
+        );
+
+        let key_id = sub_arg_matches.value_of("key-id");
+        let claims = sub_arg_matches.values_of("claims");
+        let payload = sub_arg_matches.value_of("payload");
+        let validity = sub_arg_matches.value_of("validity");
+        let jti = sub_arg_matches.is_present("jti");
+
+        let header = Header {
+            key_id: key_id.map(ToString::to_string),
+            type_: Some(HeaderType::JsonWebToken),
+            ..Default::default()
+        };
+        let mut jwt_claims = Map::new();
+        if let Some(payload) = payload {
+            match serde_json::from_str::<Value>(payload) {
+                Ok(Value::Object(claims_map)) => {
+                    claims_map.into_iter().for_each(|(k, v)| {
+                        jwt_claims.insert(k, v);
+                    });
+                }
+                Ok(value) => {
+                    warning!("Not valid payload map: {}", value);
+                }
+                Err(e) => {
+                    warning!("Not valid payload value: {}", e);
+                }
+            };
+        }
+
+        match (payload, claims) {
+            (Some(_), None) => {}
+            (_, Some(claims)) => {
+                for claim in claims {
+                    match cmd_signjwt::split_claim(claim) {
+                        None => {
+                            warning!("Claim '{}' do not contains ':'", claim);
+                        }
+                        Some((k, v)) => {
+                            jwt_claims.insert(k, v);
+                        }
+                    }
+                }
+                if !jwt_claims.contains_key("sub") {
+                    return simple_error!("Claim sub is not assigned.");
+                }
+            }
+            _ => return simple_error!("Payload or Claims is required."),
+        }
+
+        // set jti, iat and sub
+        if jti && !jwt_claims.contains_key("jti") {
+            jwt_claims.insert(
+                "jti".to_string(),
+                Value::String(format!("jti-{}", util_time::get_current_millis())),
+            );
+        }
+        if let Some(validity) = validity {
+            match util_time::parse_duration(validity) {
+                None => {
+                    warning!("Bad validity: {}", validity)
+                }
+                Some(validity) => {
+                    let current_secs = (util_time::get_current_millis() / 1000) as u64;
+                    jwt_claims.insert("iat".to_string(), Value::Number(Number::from(current_secs)));
+                    jwt_claims.insert(
+                        "exp".to_string(),
+                        Value::Number(Number::from(current_secs + validity.as_secs())),
+                    );
+                }
+            }
+        }
+
+        let token_string = sign_jwt(private_key, header, &payload, &jwt_claims)?;
+        debugging!("Singed JWT: {}", token_string);
+        if json_output {
+            json.insert("token", token_string.clone());
+        }
+
+        if json_output {
+            println!("{}", serde_json::to_string_pretty(&json).unwrap());
+        }
+        Ok(None)
+    }
+}
+
+fn sign_jwt(
+    private_key: &str,
+    mut header: Header,
+    payload: &Option<&str>,
+    claims: &Map<String, Value>,
+) -> XResult<String> {
+    let p256_private_key_d = ecdsautil::parse_p256_private_key(private_key).ok();
+    let p384_private_key_d = ecdsautil::parse_p384_private_key(private_key).ok();
+
+    let (jwt_algorithm, private_key_d) = match (p256_private_key_d, p384_private_key_d) {
+        (Some(p256_private_key_d), None) => (AlgorithmType::Es256, p256_private_key_d),
+        (None, Some(p384_private_key_d)) => (AlgorithmType::Es384, p384_private_key_d),
+        _ => return simple_error!("Invalid private key: {}", private_key),
+    };
+
+    header.algorithm = jwt_algorithm;
+    debugging!("Header: {:?}", header);
+    debugging!("Claims: {:?}", claims);
+
+    let header = opt_result!(header.to_base64(), "Header to base64 failed: {}");
+    let claims = match (payload, claims.is_empty()) {
+        (Some(payload), true) => {
+            Cow::Owned(util::base64_encode_url_safe_no_pad(payload.as_bytes()))
+        }
+        (_, _) => opt_result!(claims.to_base64(), "Claims to base64 failed: {}"),
+    };
+
+    let mut tobe_signed = vec![];
+    tobe_signed.extend_from_slice(header.as_bytes());
+    tobe_signed.extend_from_slice(SEPARATOR.as_bytes());
+    tobe_signed.extend_from_slice(claims.as_bytes());
+    let raw_in = match jwt_algorithm {
+        AlgorithmType::Rs256 => {
+            rsautil::pkcs15_sha256_rsa_2048_padding_for_sign(&digest::sha256_bytes(&tobe_signed))
+        }
+        AlgorithmType::Es256 => digest::sha256_bytes(&tobe_signed),
+        AlgorithmType::Es384 => digest::sha384_bytes(&tobe_signed),
+        _ => return simple_error!("SHOULD NOT HAPPEN: {:?}", jwt_algorithm),
+    };
+
+    let signed_data = match jwt_algorithm {
+        AlgorithmType::Es256 => ecdsautil::sign_p256_rs(&private_key_d, &raw_in)?,
+        AlgorithmType::Es384 => ecdsautil::sign_p384_rs(&private_key_d, &raw_in)?,
+        _ => return simple_error!("SHOULD NOT HAPPEN: {:?}", jwt_algorithm),
+    };
+
+    let signature = util::base64_encode_url_safe_no_pad(&signed_data);
+
+    Ok([&*header, &*claims, &signature].join(SEPARATOR))
+}

src/ecdsautil.rs

@@ -4,11 +4,10 @@ use ecdsa::VerifyingKey;
 use p256::NistP256;
 use p256::ecdsa::signature::hazmat::PrehashVerifier;
 use p384::NistP384;
-use ecdsa::Signature;
 use p256::pkcs8::EncodePrivateKey;
 use rust_util::XResult;
 use spki::EncodePublicKey;
-use crate::util::base64_encode;
+use crate::util::{base64_encode, try_decode};
 
 #[derive(Copy, Clone)]
 pub enum EcdsaAlgorithm {
@@ -72,8 +71,57 @@ pub fn generate_p384_keypair() -> XResult<(String, String, String)> {
     Ok((secret_key_der_base64, secret_key_pem, public_key_pem))
 }
 
+macro_rules! parse_ecdsa_private_key {
+    ($algo: tt, $parse_ecdsa_private_key: tt) => ({
+        use $algo::ecdsa::{SigningKey};
+        use $algo::pkcs8::DecodePrivateKey;
+        use $algo::SecretKey;
+
+        let secret_key = match SecretKey::from_pkcs8_pem($parse_ecdsa_private_key) {
+            Ok(secret_key) => secret_key,
+            Err(_) => match try_decode($parse_ecdsa_private_key) {
+                Ok(private_key_der) => match SecretKey::from_pkcs8_der(&private_key_der) {
+                    Ok(secret_key) => secret_key,
+                    Err(e) => return simple_error!("Invalid PKCS#8 private key {}, error: {}", $parse_ecdsa_private_key, e),
+                }
+                Err(_) => return simple_error!("Invalid PKCS#8 private key: {}", $parse_ecdsa_private_key),
+            }
+        };
+        Ok(secret_key.to_bytes().to_vec())
+    })
+}
+
+pub fn parse_p256_private_key(private_key_pkcs8: &str) -> XResult<Vec<u8>> {
+    parse_ecdsa_private_key!(p256, private_key_pkcs8)
+}
+
+pub fn parse_p384_private_key(private_key_pkcs8: &str) -> XResult<Vec<u8>> {
+    parse_ecdsa_private_key!(p384, private_key_pkcs8)
+}
+
+pub fn sign_p256_rs(private_key_d: &[u8], pre_hash: &[u8]) -> XResult<Vec<u8>> {
+    use p256::ecdsa::{SigningKey, Signature};
+    use p256::ecdsa::signature::hazmat::PrehashSigner;
+
+    let signing_key = SigningKey::from_slice(&private_key_d)?;
+    let signature: Signature = signing_key.sign_prehash(pre_hash)?;
+
+    Ok(signature.to_bytes().to_vec())
+}
+
+pub fn sign_p384_rs(private_key_d: &[u8], pre_hash: &[u8]) -> XResult<Vec<u8>> {
+    use p384::ecdsa::{SigningKey, Signature};
+    use p384::ecdsa::signature::hazmat::PrehashSigner;
+
+    let signing_key = SigningKey::from_slice(&private_key_d)?;
+    let signature: Signature = signing_key.sign_prehash(pre_hash)?;
+
+    Ok(signature.to_bytes().to_vec())
+}
+
 macro_rules! ecdsa_verify_signature {
     ($algo: tt, $pk_point: tt, $prehash: tt, $signature: tt) => ({
+        use ecdsa::Signature;
         let verifying_key: VerifyingKey<$algo> = opt_result!(VerifyingKey::<$algo>::from_sec1_bytes($pk_point), "Parse public key failed: {}");
         let sign = if let Ok(signature) = Signature::from_der($signature) {
             signature

src/main.rs

@@ -43,6 +43,7 @@ mod cmd_se_generate;
 mod cmd_se_recover;
 mod cmd_signfile;
 mod cmd_signjwt;
+mod cmd_signjwtsoft;
 mod cmd_sshagent;
 mod cmd_sshparse;
 mod cmd_sshparsesign;
@@ -131,6 +132,7 @@ fn inner_main() -> CommandError {
         Box::new(cmd_sshparse::CommandImpl),
         Box::new(cmd_pgpageaddress::CommandImpl),
         Box::new(cmd_signjwt::CommandImpl),
+        Box::new(cmd_signjwtsoft::CommandImpl),
         Box::new(cmd_signfile::CommandImpl),
         Box::new(cmd_verifyfile::CommandImpl),
         #[cfg(feature = "with-secure-enclave")]