feat: v1.1.11, piv sign works, add piv generate
This commit is contained in:
@@ -46,7 +46,7 @@ impl Command for CommandImpl {
|
||||
let mut yubi = Yubico::new();
|
||||
|
||||
if let Ok(device) = yubi.find_yubikey() {
|
||||
success!("Found key, Vendor ID: {:?} Product ID {:?}", device.vendor_id, device.product_id);
|
||||
success!("Found key, Vendor ID: {:?}, Product ID: {:?}", device.vendor_id, device.product_id);
|
||||
|
||||
let config = Config::default()
|
||||
.set_vendor_id(device.vendor_id)
|
||||
|
||||
@@ -84,7 +84,7 @@ impl Command for CommandImpl {
|
||||
|
||||
if let Some(sha256) = sha256 {
|
||||
let sha256_hex = opt_result!(hex::decode(sha256.trim()), "Decode sha256 failed: {}");
|
||||
let sha256_hex = copy_sha256(&sha256_hex)?;
|
||||
let sha256_hex = crate::digest::copy_sha256(&sha256_hex)?;
|
||||
opt_result!(trans.verify_pw1_sign(pin.as_ref()), "User sign pin verify failed: {}");
|
||||
success!("User sign pin verify success!");
|
||||
let sig = trans.signature_for_hash(Hash::SHA256(sha256_hex))?;
|
||||
@@ -99,7 +99,7 @@ impl Command for CommandImpl {
|
||||
}
|
||||
if let Some(sha384) = sha384 {
|
||||
let sha384_hex = opt_result!(hex::decode(sha384.trim()), "Decode sha384 failed: {}");
|
||||
let sha384_hex = copy_sha384(&sha384_hex)?;
|
||||
let sha384_hex = crate::digest::copy_sha384(&sha384_hex)?;
|
||||
opt_result!(trans.verify_pw1_sign(pin.as_ref()), "User sign pin verify failed: {}");
|
||||
success!("User sign pin verify success!");
|
||||
let sig = trans.signature_for_hash(Hash::SHA384(sha384_hex))?;
|
||||
@@ -114,7 +114,7 @@ impl Command for CommandImpl {
|
||||
}
|
||||
if let Some(sha512) = sha512 {
|
||||
let sha512_hex = opt_result!(hex::decode(sha512.trim()), "Decode sha512 failed: {}");
|
||||
let sha512_hex = copy_sha512(&sha512_hex)?;
|
||||
let sha512_hex = crate::digest::copy_sha512(&sha512_hex)?;
|
||||
opt_result!(trans.verify_pw1_sign(pin.as_ref()), "User sign pin verify failed: {}");
|
||||
success!("User sign pin verify success!");
|
||||
let sig = trans.signature_for_hash(Hash::SHA512(sha512_hex))?;
|
||||
@@ -152,22 +152,3 @@ fn calc_file_digest<D>(file_name: &str) -> XResult<Vec<u8>> where D: Digest {
|
||||
hasher.update(&buf[..len]);
|
||||
}
|
||||
}
|
||||
|
||||
macro_rules! define_copy_array {
|
||||
($fn_name: ident, $len: tt) => (
|
||||
fn $fn_name(in_arr: &[u8]) -> XResult<[u8; $len]> {
|
||||
if in_arr.len() != $len {
|
||||
return simple_error!("Array length is not: {}, but is: {}", $len, in_arr.len());
|
||||
}
|
||||
let mut out_arr = [0_u8; $len];
|
||||
for i in 0..$len {
|
||||
out_arr[i] = in_arr[i];
|
||||
}
|
||||
Ok(out_arr)
|
||||
}
|
||||
)
|
||||
}
|
||||
|
||||
define_copy_array!(copy_sha256, 0x20);
|
||||
define_copy_array!(copy_sha384, 0x30);
|
||||
define_copy_array!(copy_sha512, 0x40);
|
||||
|
||||
35
src/cmd_pivgenerate.rs
Normal file
35
src/cmd_pivgenerate.rs
Normal file
@@ -0,0 +1,35 @@
|
||||
use clap::{App, Arg, ArgMatches, SubCommand};
|
||||
use rust_util::util_clap::{Command, CommandError};
|
||||
use yubikey::{PinPolicy, TouchPolicy, YubiKey};
|
||||
use yubikey::piv::{AlgorithmId, SlotId};
|
||||
|
||||
pub struct CommandImpl;
|
||||
|
||||
impl Command for CommandImpl {
|
||||
fn name(&self) -> &str { "piv-generate" }
|
||||
|
||||
fn subcommand<'a>(&self) -> App<'a, 'a> {
|
||||
SubCommand::with_name(self.name()).about("PIV Generate subcommand")
|
||||
.arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).default_value("123456").help("OpenPGP card user pin"))
|
||||
.arg(Arg::with_name("json").long("json").help("JSON output"))
|
||||
}
|
||||
|
||||
fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError {
|
||||
let json_output = sub_arg_matches.is_present("json");
|
||||
if json_output { rust_util::util_msg::set_logger_std_out(false); }
|
||||
|
||||
warning!("This feature is not works");
|
||||
let pin = opt_value_result!(sub_arg_matches.value_of("pin"), "User pin must be assigned");
|
||||
|
||||
let mut yk = opt_result!(YubiKey::open(), "YubiKey not found: {}");
|
||||
opt_result!(yk.verify_pin(pin.as_bytes()), "YubiKey verify pin failed: {}");
|
||||
|
||||
let public_key_info = opt_result!(yubikey::piv::generate(&mut yk,SlotId::Signature, AlgorithmId::Rsa2048,
|
||||
PinPolicy::Default, TouchPolicy::Default), "Generate key failed: {}");
|
||||
|
||||
success!("Generate key success: {:?}", public_key_info);
|
||||
|
||||
|
||||
Ok(None)
|
||||
}
|
||||
}
|
||||
@@ -2,6 +2,8 @@ use std::collections::BTreeMap;
|
||||
|
||||
use clap::{App, Arg, ArgMatches, SubCommand};
|
||||
use rust_util::util_clap::{Command, CommandError};
|
||||
use rust_util::util_msg::MessageType;
|
||||
use rust_util::XResult;
|
||||
use yubikey::piv::{AlgorithmId, SlotId};
|
||||
use yubikey::YubiKey;
|
||||
|
||||
@@ -28,14 +30,21 @@ impl Command for CommandImpl {
|
||||
|
||||
let mut yk = opt_result!(YubiKey::open(), "YubiKey not found: {}");
|
||||
opt_result!(yk.verify_pin(pin.as_bytes()), "YubiKey verify pin failed: {}");
|
||||
// TODO make PKCS#1_5 padding signature
|
||||
let raw_in = [1_u8; 256];
|
||||
|
||||
let hash = hex::decode(
|
||||
"3031300d060960864801650304020105000420".to_string() +
|
||||
"66d8dff9cbf819183700ff6d08349d9472af54031e8e297f8ab341e307f5387c").unwrap();
|
||||
rust_util::util_msg::when(MessageType::DEBUG, || debugging!("Hash: {}", hex::encode(&hash)));
|
||||
let hash_padding = pkcs1_padding_for_sign(&hash, 2048).unwrap();
|
||||
rust_util::util_msg::when(MessageType::DEBUG, || debugging!("PKCS1 padding: {}", hex::encode(&hash_padding)));
|
||||
let raw_in = crate::digest::copy_rsa2048(&hash_padding).unwrap();
|
||||
let sign_result = yubikey::piv::sign_data(&mut yk, &raw_in, AlgorithmId::Rsa2048, SlotId::Signature);
|
||||
let sign = opt_result!(sign_result, "Sign data failed: {}");
|
||||
let sign_bytes = sign.as_slice();
|
||||
|
||||
if json_output {
|
||||
let mut json = BTreeMap::<&'_ str, String>::new();
|
||||
json.insert("hash_hex", hex::encode(&hash));
|
||||
json.insert("sign_hex", hex::encode(&sign_bytes));
|
||||
json.insert("sign_base64", base64::encode(&sign_bytes));
|
||||
println!("{}", serde_json::to_string_pretty(&json).unwrap());
|
||||
@@ -46,3 +55,21 @@ impl Command for CommandImpl {
|
||||
Ok(None)
|
||||
}
|
||||
}
|
||||
|
||||
fn pkcs1_padding_for_sign(bs: &[u8], bit_len: usize) -> XResult<Vec<u8>> {
|
||||
let byte_len = bit_len / 8;
|
||||
let max_len = byte_len - (1 + 1 + 8 + 2);
|
||||
if bs.len() > max_len {
|
||||
return simple_error!("Length is too large: {} > {}", bs.len(), max_len);
|
||||
}
|
||||
let mut output = Vec::<u8>::with_capacity(byte_len);
|
||||
output.push(0x00);
|
||||
output.push(0x01);
|
||||
let ps_len = byte_len - bs.len() - (1 + 1 + 1);
|
||||
for _ in 0..ps_len {
|
||||
output.push(0xff);
|
||||
}
|
||||
output.push(0x00);
|
||||
output.extend_from_slice(bs);
|
||||
Ok(output)
|
||||
}
|
||||
|
||||
@@ -1,11 +1,13 @@
|
||||
use std::fs::File;
|
||||
|
||||
use clap::{App, Arg, ArgMatches, SubCommand};
|
||||
use openssl::bn::{BigNum, BigNumContext};
|
||||
use openssl::hash::MessageDigest;
|
||||
use openssl::pkey::PKey;
|
||||
use openssl::rsa::Rsa;
|
||||
use openssl::sign::Verifier;
|
||||
use rust_util::util_clap::{Command, CommandError};
|
||||
use rust_util::util_msg::MessageType;
|
||||
use rust_util::XResult;
|
||||
|
||||
use crate::digest::sha256_bytes;
|
||||
@@ -47,6 +49,16 @@ impl Command for CommandImpl {
|
||||
return simple_error!("Signature is required, --signature argument!");
|
||||
};
|
||||
|
||||
rust_util::util_msg::when(MessageType::DEBUG, || {
|
||||
let rsa = keypair.rsa().clone().unwrap();
|
||||
let n = rsa.n();
|
||||
let e = rsa.e();
|
||||
let m = BigNum::from_slice(&signature).unwrap();
|
||||
let mut r = BigNum::new().unwrap();
|
||||
r.mod_exp(&m, &e, &n, &mut BigNumContext::new().unwrap()).unwrap();
|
||||
debugging!("Signature raw HEX: {}", hex::encode(&r.to_vec()));
|
||||
});
|
||||
|
||||
let file_in = opt_value_result!(sub_arg_matches.value_of("in"), "File in --in required");
|
||||
information!("File in: {}", file_in);
|
||||
information!("Public key fingerprint: {}", pub_key_fingerprint);
|
||||
|
||||
@@ -35,4 +35,25 @@ pub fn sha512_bytes(input: &[u8]) -> Vec<u8> {
|
||||
let mut challenge = Sha512::default();
|
||||
Digest::update(&mut challenge, input);
|
||||
challenge.finalize().to_vec()
|
||||
}
|
||||
}
|
||||
|
||||
macro_rules! define_copy_array {
|
||||
($fn_name: ident, $len: tt) => (
|
||||
pub fn $fn_name(in_arr: &[u8]) -> rust_util::XResult<[u8; $len]> {
|
||||
if in_arr.len() != $len {
|
||||
return simple_error!("Array length is not: {}, but is: {}", $len, in_arr.len());
|
||||
}
|
||||
let mut out_arr = [0_u8; $len];
|
||||
for i in 0..$len {
|
||||
out_arr[i] = in_arr[i];
|
||||
}
|
||||
Ok(out_arr)
|
||||
}
|
||||
)
|
||||
}
|
||||
|
||||
define_copy_array!(copy_sha256, 0x20);
|
||||
define_copy_array!(copy_sha384, 0x30);
|
||||
define_copy_array!(copy_sha512, 0x40);
|
||||
|
||||
define_copy_array!(copy_rsa2048, 0x100);
|
||||
|
||||
@@ -22,6 +22,7 @@ mod cmd_pgpcarddecrypt;
|
||||
mod cmd_pgpcardmake;
|
||||
mod cmd_piv;
|
||||
mod cmd_pivsign;
|
||||
mod cmd_pivgenerate;
|
||||
mod cmd_chall;
|
||||
mod cmd_challconfig;
|
||||
|
||||
@@ -58,6 +59,7 @@ fn inner_main() -> CommandError {
|
||||
Box::new(cmd_pgpcardmake::CommandImpl),
|
||||
Box::new(cmd_piv::CommandImpl),
|
||||
Box::new(cmd_pivsign::CommandImpl),
|
||||
Box::new(cmd_pivgenerate::CommandImpl),
|
||||
Box::new(cmd_u2fregister::CommandImpl),
|
||||
Box::new(cmd_u2fsign::CommandImpl),
|
||||
];
|
||||
|
||||
Reference in New Issue
Block a user