hatter/card-cli
1
1
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

feat: update external_sign

Browse Source
This commit is contained in:
Hatter Jiang
2025-05-01 00:35:04 +08:00
parent b8f0be2023
commit 5329108380
1 changed files with 31 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
src/cmd_external_sign.rs
View File

@@ -1,5 +1,5 @@
use crate::cmd_sign_jwt::digest_by_jwt_algorithm; use crate::cmd_sign_jwt::digest_by_jwt_algorithm;
use crate::keyutil::{parse_key_uri, KeyUri, KeyUsage}; use crate::keyutil::{parse_key_uri, KeyUri, KeyUsage, YubikeyPivKey};
use crate::pivutil::ToStr; use crate::pivutil::ToStr;
use crate::util::{base64_decode, base64_encode}; use crate::util::{base64_decode, base64_encode};
use crate::{cmdutil, pivutil, seutil, util}; use crate::{cmdutil, pivutil, seutil, util};
@@ -59,40 +59,17 @@ fn sign(sub_arg_matches: &ArgMatches) -> XResult<Vec<u8>> {
return simple_error!("Invalid alg: {}", alg); return simple_error!("Invalid alg: {}", alg);
} }
if key.usage != KeyUsage::Singing { if key.usage != KeyUsage::Singing {
simple_error!("Not singing key") return simple_error!("Not singing key");
} else {
Ok(seutil::secure_enclave_p256_sign(
&key.private_key,
&message_bytes,
)?)
} }
seutil::secure_enclave_p256_sign(&key.private_key, &message_bytes)
} }
KeyUri::YubikeyPivKey(key) => { KeyUri::YubikeyPivKey(key) => {
let mut yk = opt_result!(YubiKey::open(), "Find YubiKey failed: {}"); let mut yk = opt_result!(YubiKey::open(), "Find YubiKey failed: {}");
let pin_opt = pivutil::check_read_pin(&mut yk, key.slot, sub_arg_matches); let pin_opt = pivutil::check_read_pin(&mut yk, key.slot, sub_arg_matches);
// FIXME Check Yubikey slot algorithm // FIXME Check Yubikey slot algorithm
let jwt_algorithm = match alg { let jwt_algorithm = get_jwt_algorithm(alg)?;
"ES256" => AlgorithmType::Es256, check_algorithm(&key, alg, jwt_algorithm)?;
"ES384" => AlgorithmType::Es384,
"RS256" => AlgorithmType::Rs256,
_ => return simple_error!("Invalid alg: {}", alg),
};
if key.algorithm == AlgorithmId::Rsa1024 {
return simple_error!("Invalid algorithm: RSA1024");
}
let is_p256_mismatch =
key.algorithm == AlgorithmId::EccP256 && jwt_algorithm != AlgorithmType::Es256;
let is_p384_mismatch =
key.algorithm == AlgorithmId::EccP384 && jwt_algorithm != AlgorithmType::Es384;
let is_rsa_mismatch =
key.algorithm == AlgorithmId::Rsa2048 && jwt_algorithm != AlgorithmType::Rs256;
if is_p256_mismatch || is_p384_mismatch || is_rsa_mismatch {
return simple_error!("Invalid algorithm: {} vs {}", key.algorithm.to_str(), alg);
}
let raw_in = digest_by_jwt_algorithm(jwt_algorithm, &message_bytes)?; let raw_in = digest_by_jwt_algorithm(jwt_algorithm, &message_bytes)?;
@@ -110,3 +87,29 @@ fn sign(sub_arg_matches: &ArgMatches) -> XResult<Vec<u8>> {
} }
} }
} }
fn check_algorithm(key: &YubikeyPivKey, alg: &str, jwt_algorithm: AlgorithmType) -> XResult<()> {
if key.algorithm == AlgorithmId::Rsa1024 {
return simple_error!("Invalid algorithm: RSA1024");
}
let is_p256_mismatch =
key.algorithm == AlgorithmId::EccP256 && jwt_algorithm != AlgorithmType::Es256;
let is_p384_mismatch =
key.algorithm == AlgorithmId::EccP384 && jwt_algorithm != AlgorithmType::Es384;
let is_rsa_mismatch =
key.algorithm == AlgorithmId::Rsa2048 && jwt_algorithm != AlgorithmType::Rs256;
if is_p256_mismatch || is_p384_mismatch || is_rsa_mismatch {
return simple_error!("Invalid algorithm: {} vs {}", key.algorithm.to_str(), alg);
}
Ok(())
}
fn get_jwt_algorithm(alg: &str) -> XResult<AlgorithmType> {
Ok(match alg {
"ES256" => AlgorithmType::Es256,
"ES384" => AlgorithmType::Es384,
"RS256" => AlgorithmType::Rs256,
_ => return simple_error!("Invalid alg: {}", alg),
})
}