From 4f015be35871b237193d90482b0d1d6e925b8aff Mon Sep 17 00:00:00 2001
From: Hatter Jiang <jht5945@gmail.com>
Date: Wed, 1 Nov 2023 00:32:33 +0800
Subject: [PATCH] feat: v1.7.8

---
 Cargo.lock            |  2 +-
 Cargo.toml            |  2 +-
 src/cmd_hmac_sha1.rs  | 89 +++++++++++++++++++++++++++++++++++++++++++
 src/cmd_pivmeta.rs    |  3 +-
 src/cmd_pivsummary.rs |  8 ++--
 src/main.rs           |  2 +
 src/pivutil.rs        | 37 +++++++++++++++++-
 7 files changed, 135 insertions(+), 8 deletions(-)
 create mode 100644 src/cmd_hmac_sha1.rs

diff --git a/Cargo.lock b/Cargo.lock
index cc97de4..969fc3f 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -326,7 +326,7 @@ dependencies = [
 
 [[package]]
 name = "card-cli"
-version = "1.7.7"
+version = "1.7.8"
 dependencies = [
  "authenticator",
  "base64 0.21.4",
diff --git a/Cargo.toml b/Cargo.toml
index 2b28eb7..b5876a6 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "card-cli"
-version = "1.7.7"
+version = "1.7.8"
 authors = ["Hatter Jiang <jht5945@gmail.com>"]
 edition = "2018"
 
diff --git a/src/cmd_hmac_sha1.rs b/src/cmd_hmac_sha1.rs
new file mode 100644
index 0000000..26164b9
--- /dev/null
+++ b/src/cmd_hmac_sha1.rs
@@ -0,0 +1,89 @@
+use std::collections::BTreeMap;
+
+use clap::{App, Arg, ArgMatches, SubCommand};
+use rust_util::util_clap::{Command, CommandError};
+use rust_util::util_msg;
+use yubico_manager::hmacmode::HmacKey;
+use yubico_manager::sec::hmac_sha1;
+
+pub struct CommandImpl;
+
+impl Command for CommandImpl {
+    fn name(&self) -> &str { "hmac-sha1" }
+
+    fn subcommand<'a>(&self) -> App<'a, 'a> {
+        SubCommand::with_name(self.name()).about("YubiKey HMAC-SHA1")
+            .arg(Arg::with_name("secret").short("s").long("secret").takes_value(true).help("Secret in HEX"))
+            .arg(Arg::with_name("variable").long("variable").help("Variable"))
+            .arg(Arg::with_name("challenge").short("c").long("challenge").takes_value(true).help("Challenge"))
+            .arg(Arg::with_name("challenge-hex").short("x").long("challenge-hex").takes_value(true).help("Challenge HEX"))
+            .arg(Arg::with_name("sha1").short("1").long("sha1").help("Output SHA1"))
+            .arg(Arg::with_name("sha256").short("2").long("sha256").help("Output SHA256"))
+            .arg(Arg::with_name("sha384").short("3").long("sha384").help("Output SHA256"))
+            .arg(Arg::with_name("sha512").short("5").long("sha512").help("Output SHA256"))
+            .arg(Arg::with_name("json").long("json").help("JSON output"))
+    }
+
+    fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError {
+        let json_output = sub_arg_matches.is_present("json");
+        if json_output { util_msg::set_logger_std_out(false); }
+
+        let variable = sub_arg_matches.is_present("variable");
+        let sha1_output = sub_arg_matches.is_present("sha1");
+        let sha256_output = sub_arg_matches.is_present("sha256");
+        let sha384_output = sub_arg_matches.is_present("sha384");
+        let sha512_output = sub_arg_matches.is_present("sha512");
+        let secret_bytes: Vec<u8> = if let Some(secret) = sub_arg_matches.value_of("secret") {
+            opt_result!(hex::decode(secret), "Decode secret hex: {}, failed: {}", secret)
+        } else {
+            return simple_error!("Secret must assigned");
+        };
+        let challenge_bytes: Vec<u8> = if let Some(challenge) = sub_arg_matches.value_of("challenge") {
+            challenge.as_bytes().to_vec()
+        } else if let Some(challenge_hex) = sub_arg_matches.value_of("challenge-hex") {
+            opt_result!(hex::decode(challenge_hex), "Decode challenge hex: {}, failed: {}", challenge_hex)
+        } else {
+            return simple_error!("Challenge must assigned");
+        };
+
+        // Challenge can not be greater than 64 bytes
+        if challenge_bytes.len() > 64 {
+            return simple_error!("Challenge bytes is: {}, more than 64", challenge_bytes.len());
+        }
+
+        let hmac_key = HmacKey::from_slice(&secret_bytes);
+        let mut challenge = [0; 64];
+        if variable && challenge_bytes.last() == Some(&0) {
+            challenge = [0xff; 64];
+        }
+        (&mut challenge[..challenge_bytes.len()]).copy_from_slice(&challenge_bytes);
+        let hmac_result = hmac_sha1(&hmac_key, &challenge);
+
+        let v: &[u8] = &hmac_result;
+        let hex_string = hex::encode(v);
+        let hex_sha1 = iff!(sha1_output, Some(crate::digest::sha1_bytes(v)), None);
+        let hex_sha256 = iff!(sha256_output, Some(crate::digest::sha256_bytes(v)), None);
+        let hex_sha384 = iff!(sha384_output, Some(crate::digest::sha384_bytes(v)), None);
+        let hex_sha512 = iff!(sha512_output, Some(crate::digest::sha512_bytes(v)), None);
+
+        if json_output {
+            let mut json = BTreeMap::<&'_ str, String>::new();
+            json.insert("challenge_hex", hex::encode(challenge_bytes));
+            json.insert("response_hex", hex_string);
+            hex_sha1.map(|hex_sha1| json.insert("response_sha1_hex", hex::encode(hex_sha1)));
+            hex_sha256.map(|hex_sha256| json.insert("response_sha256_hex", hex::encode(hex_sha256)));
+            hex_sha384.map(|hex_sha384| json.insert("response_sha384_hex", hex::encode(hex_sha384)));
+            hex_sha512.map(|hex_sha512| json.insert("response_sha512_hex", hex::encode(hex_sha512)));
+
+            println!("{}", serde_json::to_string_pretty(&json).expect("Convert to JSON failed!"));
+        } else {
+            success!("Challenge HEX: {}", hex::encode(challenge_bytes));
+            success!("Response HEX: {}", hex_string);
+            if let Some(hex_sha256) = hex_sha256 { success!("Response SHA256 HEX: {}", hex::encode(hex_sha256)); }
+            if let Some(hex_sha384) = hex_sha384 { success!("Response SHA384 HEX: {}", hex::encode(hex_sha384)); }
+            if let Some(hex_sha512) = hex_sha512 { success!("Response SHA512 HEX: {}", hex::encode(hex_sha512)); }
+        }
+
+        Ok(None)
+    }
+}
diff --git a/src/cmd_pivmeta.rs b/src/cmd_pivmeta.rs
index 4e4a8f7..3c992b8 100644
--- a/src/cmd_pivmeta.rs
+++ b/src/cmd_pivmeta.rs
@@ -35,8 +35,7 @@ impl Command for CommandImpl {
         let mut yk = opt_result!(YubiKey::open(), "YubiKey not found: {}");
 
         let slot_id = pivutil::get_slot_id(slot)?;
-
-        json.insert("slot", slot.to_string());
+        json.insert("slot", pivutil::to_slot_hex(&slot_id));
         if let Ok(meta) = metadata(&mut yk, slot_id) {
             debugging!("PIV meta: {:?}", meta);
             let algorithm_str = meta.algorithm.to_str();
diff --git a/src/cmd_pivsummary.rs b/src/cmd_pivsummary.rs
index 1f551ba..b0e03ed 100644
--- a/src/cmd_pivsummary.rs
+++ b/src/cmd_pivsummary.rs
@@ -8,7 +8,7 @@ use x509_parser::parse_x509_certificate;
 use yubikey::{Certificate, YubiKey};
 use yubikey::piv::{metadata, SlotId};
 
-use crate::pivutil::{get_algorithm_id, ToStr};
+use crate::pivutil::{get_algorithm_id, ORDERED_SLOTS, ToStr};
 
 const NA: &str = "N/A";
 
@@ -34,11 +34,13 @@ impl Command for CommandImpl {
         SubCommand::with_name(self.name()).about("PIV subcommand")
             .arg(Arg::with_name("table").long("table").help("Show table"))
             .arg(Arg::with_name("all").long("all").help("Show all"))
+            .arg(Arg::with_name("ordered").long("ordered").help("Show ordered"))
     }
 
     fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError {
         let show_table = sub_arg_matches.is_present("table");
         let show_all = sub_arg_matches.is_present("all");
+        let show_ordered = sub_arg_matches.is_present("ordered");
 
         let mut yk = opt_result!(YubiKey::open(), "YubiKey not found: {}");
         success!("Name: {}", yk.name());
@@ -59,13 +61,13 @@ impl Command for CommandImpl {
 
         match yk.piv_keys() {
             Ok(keys) => {
-                information!("Found {} PIV keys", keys.len());
+                information!("Found {} PIV keys of {}", keys.len(), ORDERED_SLOTS.len());
             }
             Err(e) => failure!("Get PIV keys failed: {}", e)
         }
 
         let mut piv_slots = vec![];
-        for slot in yubikey::piv::SLOTS {
+        for slot in iff!(show_ordered, ORDERED_SLOTS, yubikey::piv::SLOTS) {
             print_summary_info(&mut yk, slot, &mut piv_slots, show_all, show_table).ok();
         }
         if show_table {
diff --git a/src/main.rs b/src/main.rs
index 0a38096..e7fd832 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -32,6 +32,7 @@ mod cmd_pivecdh;
 mod cmd_pivecsign;
 mod cmd_pivdecrypt;
 mod cmd_pivgenerate;
+mod cmd_hmac_sha1;
 mod cmd_chall;
 mod cmd_challconfig;
 mod cmd_sshagent;
@@ -65,6 +66,7 @@ fn inner_main() -> CommandError {
     let commands: Vec<Box<dyn Command>> = vec![
         Box::new(cmd_list::CommandImpl),
         Box::new(cmd_chall::CommandImpl),
+        Box::new(cmd_hmac_sha1::CommandImpl),
         Box::new(cmd_challconfig::CommandImpl),
         Box::new(cmd_rsaencrypt::CommandImpl),
         Box::new(cmd_rsadecrypt::CommandImpl),
diff --git a/src/pivutil.rs b/src/pivutil.rs
index b566415..1b38126 100644
--- a/src/pivutil.rs
+++ b/src/pivutil.rs
@@ -4,7 +4,7 @@ use spki::der::{Decode, Encode};
 use x509_parser::prelude::FromDer;
 use x509_parser::public_key::RSAPublicKey;
 use yubikey::{PinPolicy, TouchPolicy};
-use yubikey::piv::{AlgorithmId, ManagementAlgorithmId, Origin, RetiredSlotId};
+use yubikey::piv::{AlgorithmId, ManagementAlgorithmId, ManagementSlotId, Origin, RetiredSlotId};
 use yubikey::piv::SlotId;
 
 const RSA: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.1");
@@ -19,6 +19,36 @@ const ECC: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.2.840.10045.2.1");
 const ECC_P256: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.2.840.10045.3.1.7");
 const ECC_P384: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.132.0.34");
 
+pub const ORDERED_SLOTS: [SlotId; 28] = [
+    SlotId::Management(ManagementSlotId::Pin),
+    SlotId::Management(ManagementSlotId::Puk),
+    SlotId::Retired(RetiredSlotId::R1),
+    SlotId::Retired(RetiredSlotId::R2),
+    SlotId::Retired(RetiredSlotId::R3),
+    SlotId::Retired(RetiredSlotId::R4),
+    SlotId::Retired(RetiredSlotId::R5),
+    SlotId::Retired(RetiredSlotId::R6),
+    SlotId::Retired(RetiredSlotId::R7),
+    SlotId::Retired(RetiredSlotId::R8),
+    SlotId::Retired(RetiredSlotId::R9),
+    SlotId::Retired(RetiredSlotId::R10),
+    SlotId::Retired(RetiredSlotId::R11),
+    SlotId::Retired(RetiredSlotId::R12),
+    SlotId::Retired(RetiredSlotId::R13),
+    SlotId::Retired(RetiredSlotId::R14),
+    SlotId::Retired(RetiredSlotId::R15),
+    SlotId::Retired(RetiredSlotId::R16),
+    SlotId::Retired(RetiredSlotId::R17),
+    SlotId::Retired(RetiredSlotId::R18),
+    SlotId::Retired(RetiredSlotId::R19),
+    SlotId::Retired(RetiredSlotId::R20),
+    SlotId::Authentication,
+    SlotId::Management(ManagementSlotId::Management),
+    SlotId::Signature,
+    SlotId::KeyManagement,
+    SlotId::CardAuthentication,
+    SlotId::Attestation,
+];
 
 pub trait ToStr {
     fn to_str(&self) -> &str;
@@ -110,6 +140,11 @@ pub fn slot_equals(slot_id: &SlotId, slot: &str) -> bool {
     get_slot_id(slot).map(|sid| &sid == slot_id).unwrap_or(false)
 }
 
+pub fn to_slot_hex(slot: &SlotId) -> String {
+    let slot_id: u8 = (*slot).into();
+    format!("{:x}", slot_id)
+}
+
 pub fn get_slot_id(slot: &str) -> XResult<SlotId> {
     let slot_lower = slot.to_lowercase();
     Ok(match slot_lower.as_str() {