hatter/card-cli
1
1
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

feat: v1.7.8

Browse Source
This commit is contained in:
Hatter Jiang
2023-11-01 00:32:33 +08:00
parent aadb4b0530
commit 4f015be358
7 changed files with 135 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

89
src/cmd_hmac_sha1.rs Normal file
View File

@@ -0,0 +1,89 @@
use std::collections::BTreeMap;
use clap::{App, Arg, ArgMatches, SubCommand};
use rust_util::util_clap::{Command, CommandError};
use rust_util::util_msg;
use yubico_manager::hmacmode::HmacKey;
use yubico_manager::sec::hmac_sha1;
pub struct CommandImpl;
impl Command for CommandImpl {
fn name(&self) -> &str { "hmac-sha1" }
fn subcommand<'a>(&self) -> App<'a, 'a> {
SubCommand::with_name(self.name()).about("YubiKey HMAC-SHA1")
.arg(Arg::with_name("secret").short("s").long("secret").takes_value(true).help("Secret in HEX"))
.arg(Arg::with_name("variable").long("variable").help("Variable"))
.arg(Arg::with_name("challenge").short("c").long("challenge").takes_value(true).help("Challenge"))
.arg(Arg::with_name("challenge-hex").short("x").long("challenge-hex").takes_value(true).help("Challenge HEX"))
.arg(Arg::with_name("sha1").short("1").long("sha1").help("Output SHA1"))
.arg(Arg::with_name("sha256").short("2").long("sha256").help("Output SHA256"))
.arg(Arg::with_name("sha384").short("3").long("sha384").help("Output SHA256"))
.arg(Arg::with_name("sha512").short("5").long("sha512").help("Output SHA256"))
.arg(Arg::with_name("json").long("json").help("JSON output"))
}
fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError {
let json_output = sub_arg_matches.is_present("json");
if json_output { util_msg::set_logger_std_out(false); }
let variable = sub_arg_matches.is_present("variable");
let sha1_output = sub_arg_matches.is_present("sha1");
let sha256_output = sub_arg_matches.is_present("sha256");
let sha384_output = sub_arg_matches.is_present("sha384");
let sha512_output = sub_arg_matches.is_present("sha512");
let secret_bytes: Vec<u8> = if let Some(secret) = sub_arg_matches.value_of("secret") {
opt_result!(hex::decode(secret), "Decode secret hex: {}, failed: {}", secret)
} else {
return simple_error!("Secret must assigned");
};
let challenge_bytes: Vec<u8> = if let Some(challenge) = sub_arg_matches.value_of("challenge") {
challenge.as_bytes().to_vec()
} else if let Some(challenge_hex) = sub_arg_matches.value_of("challenge-hex") {
opt_result!(hex::decode(challenge_hex), "Decode challenge hex: {}, failed: {}", challenge_hex)
} else {
return simple_error!("Challenge must assigned");
};
// Challenge can not be greater than 64 bytes
if challenge_bytes.len() > 64 {
return simple_error!("Challenge bytes is: {}, more than 64", challenge_bytes.len());
}
let hmac_key = HmacKey::from_slice(&secret_bytes);
let mut challenge = [0; 64];
if variable && challenge_bytes.last() == Some(&0) {
challenge = [0xff; 64];
}
(&mut challenge[..challenge_bytes.len()]).copy_from_slice(&challenge_bytes);
let hmac_result = hmac_sha1(&hmac_key, &challenge);
let v: &[u8] = &hmac_result;
let hex_string = hex::encode(v);
let hex_sha1 = iff!(sha1_output, Some(crate::digest::sha1_bytes(v)), None);
let hex_sha256 = iff!(sha256_output, Some(crate::digest::sha256_bytes(v)), None);
let hex_sha384 = iff!(sha384_output, Some(crate::digest::sha384_bytes(v)), None);
let hex_sha512 = iff!(sha512_output, Some(crate::digest::sha512_bytes(v)), None);
if json_output {
let mut json = BTreeMap::<&'_ str, String>::new();
json.insert("challenge_hex", hex::encode(challenge_bytes));
json.insert("response_hex", hex_string);
hex_sha1.map(|hex_sha1| json.insert("response_sha1_hex", hex::encode(hex_sha1)));
hex_sha256.map(|hex_sha256| json.insert("response_sha256_hex", hex::encode(hex_sha256)));
hex_sha384.map(|hex_sha384| json.insert("response_sha384_hex", hex::encode(hex_sha384)));
hex_sha512.map(|hex_sha512| json.insert("response_sha512_hex", hex::encode(hex_sha512)));
println!("{}", serde_json::to_string_pretty(&json).expect("Convert to JSON failed!"));
} else {
success!("Challenge HEX: {}", hex::encode(challenge_bytes));
success!("Response HEX: {}", hex_string);
if let Some(hex_sha256) = hex_sha256 { success!("Response SHA256 HEX: {}", hex::encode(hex_sha256)); }
if let Some(hex_sha384) = hex_sha384 { success!("Response SHA384 HEX: {}", hex::encode(hex_sha384)); }
if let Some(hex_sha512) = hex_sha512 { success!("Response SHA512 HEX: {}", hex::encode(hex_sha512)); }
}
Ok(None)
}
}

3
src/cmd_pivmeta.rs
View File

@@ -35,8 +35,7 @@ impl Command for CommandImpl {
let mut yk = opt_result!(YubiKey::open(), "YubiKey not found: {}");
let slot_id = pivutil::get_slot_id(slot)?;
json.insert("slot", slot.to_string());
json.insert("slot", pivutil::to_slot_hex(&slot_id));
if let Ok(meta) = metadata(&mut yk, slot_id) {
debugging!("PIV meta: {:?}", meta);
let algorithm_str = meta.algorithm.to_str();

8
src/cmd_pivsummary.rs
View File

@@ -8,7 +8,7 @@ use x509_parser::parse_x509_certificate;
use yubikey::{Certificate, YubiKey};
use yubikey::piv::{metadata, SlotId};
use crate::pivutil::{get_algorithm_id, ToStr};
use crate::pivutil::{get_algorithm_id, ORDERED_SLOTS, ToStr};
const NA: &str = "N/A";
@@ -34,11 +34,13 @@ impl Command for CommandImpl {
SubCommand::with_name(self.name()).about("PIV subcommand")
.arg(Arg::with_name("table").long("table").help("Show table"))
.arg(Arg::with_name("all").long("all").help("Show all"))
.arg(Arg::with_name("ordered").long("ordered").help("Show ordered"))
}
fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError {
let show_table = sub_arg_matches.is_present("table");
let show_all = sub_arg_matches.is_present("all");
let show_ordered = sub_arg_matches.is_present("ordered");
let mut yk = opt_result!(YubiKey::open(), "YubiKey not found: {}");
success!("Name: {}", yk.name());
@@ -59,13 +61,13 @@ impl Command for CommandImpl {
match yk.piv_keys() {
Ok(keys) => {
information!("Found {} PIV keys", keys.len());
information!("Found {} PIV keys of {}", keys.len(), ORDERED_SLOTS.len());
}
Err(e) => failure!("Get PIV keys failed: {}", e)
}
let mut piv_slots = vec![];
for slot in yubikey::piv::SLOTS {
for slot in iff!(show_ordered, ORDERED_SLOTS, yubikey::piv::SLOTS) {
print_summary_info(&mut yk, slot, &mut piv_slots, show_all, show_table).ok();
}
if show_table {

2
src/main.rs
View File

@@ -32,6 +32,7 @@ mod cmd_pivecdh;
mod cmd_pivecsign;
mod cmd_pivdecrypt;
mod cmd_pivgenerate;
mod cmd_hmac_sha1;
mod cmd_chall;
mod cmd_challconfig;
mod cmd_sshagent;
@@ -65,6 +66,7 @@ fn inner_main() -> CommandError {
let commands: Vec<Box<dyn Command>> = vec![
Box::new(cmd_list::CommandImpl),
Box::new(cmd_chall::CommandImpl),
Box::new(cmd_hmac_sha1::CommandImpl),
Box::new(cmd_challconfig::CommandImpl),
Box::new(cmd_rsaencrypt::CommandImpl),
Box::new(cmd_rsadecrypt::CommandImpl),

37
src/pivutil.rs
View File

@@ -4,7 +4,7 @@ use spki::der::{Decode, Encode};
use x509_parser::prelude::FromDer;
use x509_parser::public_key::RSAPublicKey;
use yubikey::{PinPolicy, TouchPolicy};
use yubikey::piv::{AlgorithmId, ManagementAlgorithmId, Origin, RetiredSlotId};
use yubikey::piv::{AlgorithmId, ManagementAlgorithmId, ManagementSlotId, Origin, RetiredSlotId};
use yubikey::piv::SlotId;
const RSA: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.1");
@@ -19,6 +19,36 @@ const ECC: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.2.840.10045.2.1");
const ECC_P256: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.2.840.10045.3.1.7");
const ECC_P384: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.132.0.34");
pub const ORDERED_SLOTS: [SlotId; 28] = [
SlotId::Management(ManagementSlotId::Pin),
SlotId::Management(ManagementSlotId::Puk),
SlotId::Retired(RetiredSlotId::R1),
SlotId::Retired(RetiredSlotId::R2),
SlotId::Retired(RetiredSlotId::R3),
SlotId::Retired(RetiredSlotId::R4),
SlotId::Retired(RetiredSlotId::R5),
SlotId::Retired(RetiredSlotId::R6),
SlotId::Retired(RetiredSlotId::R7),
SlotId::Retired(RetiredSlotId::R8),
SlotId::Retired(RetiredSlotId::R9),
SlotId::Retired(RetiredSlotId::R10),
SlotId::Retired(RetiredSlotId::R11),
SlotId::Retired(RetiredSlotId::R12),
SlotId::Retired(RetiredSlotId::R13),
SlotId::Retired(RetiredSlotId::R14),
SlotId::Retired(RetiredSlotId::R15),
SlotId::Retired(RetiredSlotId::R16),
SlotId::Retired(RetiredSlotId::R17),
SlotId::Retired(RetiredSlotId::R18),
SlotId::Retired(RetiredSlotId::R19),
SlotId::Retired(RetiredSlotId::R20),
SlotId::Authentication,
SlotId::Management(ManagementSlotId::Management),
SlotId::Signature,
SlotId::KeyManagement,
SlotId::CardAuthentication,
SlotId::Attestation,
];
pub trait ToStr {
fn to_str(&self) -> &str;
@@ -110,6 +140,11 @@ pub fn slot_equals(slot_id: &SlotId, slot: &str) -> bool {
get_slot_id(slot).map(|sid| &sid == slot_id).unwrap_or(false)
}
pub fn to_slot_hex(slot: &SlotId) -> String {
let slot_id: u8 = (*slot).into();
format!("{:x}", slot_id)
}
pub fn get_slot_id(slot: &str) -> XResult<SlotId> {
let slot_lower = slot.to_lowercase();
Ok(match slot_lower.as_str() {