hatter/card-cli
1
1
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

feat: v1.10.0, SSH CA works

Browse Source
This commit is contained in:
Hatter Jiang
2024-09-07 00:43:30 +08:00
parent cbf127a297
commit 61854b7abf
6 changed files with 65 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Cargo.lock generated
View File

@@ -481,7 +481,7 @@ dependencies = [
[[package]]
name = "card-cli"
version = "1.9.13"
version = "1.10.0"
dependencies = [
"authenticator 0.3.1",
"base64 0.21.7",

2
Cargo.toml
View File

@@ -1,6 +1,6 @@
[package]
name = "card-cli"
version = "1.9.13"
version = "1.10.0"
authors = ["Hatter Jiang <jht5945@gmail.com>"]
edition = "2018"

23
README.md
View File

@@ -173,6 +173,29 @@ $ card-cli pgp-age-address
[OK ] Age address: age10l464vxcpnkjguctvylnmp5jg4swhncn4quda0qxta3ud8pycc0qeaj2te
```
# SSH CA
## Generate SSH root CA
```shell
card-cli ssh-pub-key --ca -s r15
```
Outputs:
```
cert-authority,principals="root" ecdsa-sha2-nistp384 AAAAE2VjZHNh****** Yubikey-PIV-R15
```
## Generate SSH user CA
```shell
ssh-keygen -f id_user
card-cli ssh-piv-cert --pub id_user.pub -s r15
ssh -i id_user root@example.com
```
<br><br>

44
src/cmd_sshpivcert.rs
View File

@@ -7,6 +7,7 @@ use sshcerts::ssh::{CurveKind, PublicKeyKind, SSHCertificateSigner};
use sshcerts::utils::format_signature_for_ssh;
use sshcerts::x509::extract_ssh_pubkey_from_x509_certificate;
use sshcerts::{CertType, Certificate, PublicKey};
use std::fs;
use std::sync::Mutex;
use std::time::SystemTime;
use yubikey::piv::{sign_data, AlgorithmId, SlotId};
@@ -29,13 +30,15 @@ impl Command for CommandImpl {
.arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).help("PIV card user PIN"))
.arg(Arg::with_name("slot").short("s").long("slot").takes_value(true).help("PIV slot, e.g. 82, 83 ... 95, 9a, 9c, 9d, 9e"))
.arg(Arg::with_name("key-id").short("k").long("key-id").takes_value(true).help("SSH user CA key id"))
.arg(Arg::with_name("principal").short("P").long("principal").takes_value(true).help("SSH user CA principal"))
.arg(Arg::with_name("principal").short("P").long("principal").takes_value(true).default_value("root").help("SSH user CA principal"))
.arg(Arg::with_name("pub").long("pub").required(true).takes_value(true).help("SSH public key file"))
.arg(Arg::with_name("validity").long("validity").takes_value(true).default_value("3600").help("Validity in seconds"))
}
fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError {
let ssh_pub = util::read_file_or_stdin(sub_arg_matches.value_of("pub").unwrap())?;
let ssh_pub_str = String::from_utf8(ssh_pub).expect("Read SSh pub file failed: {}");
let ssh_pub_file = sub_arg_matches.value_of("pub").unwrap();
let ssh_pub_bytes = util::read_file_or_stdin(ssh_pub_file)?;
let ssh_pub_str = String::from_utf8(ssh_pub_bytes).expect("Read SSh pub file failed: {}");
let slot = opt_value_result!(sub_arg_matches.value_of("slot"), "--slot must assigned, e.g. 82, 83 ... 95, 9a, 9c, 9d, 9e");
let mut yk = opt_result!(YubiKey::open(), "YubiKey not found: {}");
@@ -48,7 +51,8 @@ impl Command for CommandImpl {
let cert_der = find_cert(&mut yk, slot_id)?;
let ca_ssh_pub_key = opt_result!(extract_ssh_pubkey_from_x509_certificate(&cert_der), "Extract SSH public key failed: {}");
let tobe_signed_ssh_pub_key = opt_result!(PublicKey::from_string(&ssh_pub_str), "Parse tobe signed SSH public key failed: {}");
debugging!("SSH CA: {}", ca_ssh_pub_key);
debugging!("SSH CA fingerprint: {}", ca_ssh_pub_key.fingerprint());
let ca_ssh_pub_algorithm_id = get_ssh_key_type(&ca_ssh_pub_key)?;
let ssh_yubikey_signer = SshYubikeySinger::new(
@@ -63,25 +67,41 @@ impl Command for CommandImpl {
let key_id = sub_arg_matches.value_of("key-id").unwrap_or("default_key_id");
let principals = sub_arg_matches.values_of("principal")
.map(|ps| ps.map(|p| p.to_string()).collect::<Vec<_>>())
.unwrap_or_else(|| vec!["default_principal".to_string()]);
debugging!("Serial: {}", serial);
debugging!("Key ID: {}", key_id);
debugging!("Principals: {:?}", principals);
.unwrap_or_else(|| vec!["root".to_string()]);
let now_secs = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap().as_secs();
let validity = sub_arg_matches.value_of("validity").unwrap_or("3600");
let validity_u64: u64 = opt_result!(validity.parse(), "Parse validity failed: {}");
information!("Serial: {}", serial);
information!("Key ID: {}", key_id);
information!("Principals: {:?}", principals);
information!("Validity: {} seconds", validity_u64);
let tobe_signed_ssh_pub_key = opt_result!(PublicKey::from_string(&ssh_pub_str), "Parse tobe signed SSH public key failed: {}");
let user_cert_result = Certificate::builder(&tobe_signed_ssh_pub_key, CertType::User, &ca_ssh_pub_key)
.unwrap()
.serial(serial)
.key_id(key_id)
.set_principals(&principals)
.valid_after(now_secs - 100)
.valid_before(now_secs + 60000)
.valid_after(now_secs - 1)
.valid_before(now_secs + validity_u64)
.set_extensions(Certificate::standard_extensions())
.sign(&ssh_yubikey_signer);
// View *-cert.pub:
// ssh-keygen -L -f *-cert.pub
let user_cert = opt_result!(user_cert_result, "Sign SSH user CA failed: {}");
println!("{}", user_cert.to_string());
if ssh_pub_file.ends_with(".pub") {
let ssh_cert_file = format!("{}-cert.pub", String::from_utf8(ssh_pub_file.as_bytes()[0..ssh_pub_file.len() - 4].to_vec()).unwrap());
if fs::metadata(&ssh_cert_file).is_ok() {
return simple_error!("Target file: {} exists", &ssh_cert_file);
}
opt_result!(fs::write(&ssh_cert_file, user_cert.to_string()), "Write file: {} failed: {}", &ssh_cert_file);
} else {
println!("{}", user_cert);
}
Ok(None)
}
@@ -149,6 +169,6 @@ impl SSHCertificateSigner for SshYubikeySinger {
let signature = sign_data(&mut yubikey, &digest, self.ca_ssh_pub_algorithm_id, self.ca_ssh_pub_slot_id).expect("SSH user CA sign failed: {}");
format_signature_for_ssh(&self.ca_ssh_pub_key, &signature.to_vec())
format_signature_for_ssh(&self.ca_ssh_pub_key, signature.as_ref())
}
}

4
src/cmd_sshpubkey.rs
View File

@@ -72,7 +72,7 @@ impl Command for CommandImpl {
//
// [identifier] will be nistp256 or nistp384
let mut ssh_pub_key = vec![];
ssh_pub_key.write_string(&format!("ecdsa-sha2-{}", ssh_algorithm).as_bytes());
ssh_pub_key.write_string(format!("ecdsa-sha2-{}", ssh_algorithm).as_bytes());
let mut ecc_key_blob = vec![];
ecc_key_blob.write_string(ssh_algorithm.as_bytes());
ecc_key_blob.write_string(&ec_key_point);
@@ -85,7 +85,7 @@ impl Command for CommandImpl {
println!(
"{}ecdsa-sha2-{} {} Yubikey-PIV-{}",
if ca { "cert-authority " } else { "" },
if ca { "cert-authority,principals=\"root\" " } else { "" },
ssh_algorithm,
STANDARD.encode(&ssh_pub_key),
slot_id

12
src/sshutil.rs
View File

@@ -21,21 +21,21 @@ pub fn append_slice_with_len(v: &mut Vec<u8>, s: &[u8]) {
}
pub trait SshVecWriter {
fn write_bytes(&mut self, bytes: &[u8]) -> ();
fn write_u32(&mut self, num: u32) -> ();
fn write_string(&mut self, bytes: &[u8]) -> ();
fn write_bytes(&mut self, bytes: &[u8]);
fn write_u32(&mut self, num: u32);
fn write_string(&mut self, bytes: &[u8]);
}
impl SshVecWriter for Vec<u8> {
fn write_bytes(&mut self, bytes: &[u8]) -> () {
fn write_bytes(&mut self, bytes: &[u8]) {
self.extend_from_slice(bytes);
}
fn write_u32(&mut self, num: u32) -> () {
fn write_u32(&mut self, num: u32) {
self.write_bytes(&num.to_be_bytes());
}
fn write_string(&mut self, bytes: &[u8]) -> () {
fn write_string(&mut self, bytes: &[u8]) {
self.write_u32(bytes.len() as u32);
self.write_bytes(bytes);
}