diff --git a/Cargo.lock b/Cargo.lock index d7bd332..0548b37 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -481,7 +481,7 @@ dependencies = [ [[package]] name = "card-cli" -version = "1.9.13" +version = "1.10.0" dependencies = [ "authenticator 0.3.1", "base64 0.21.7", diff --git a/Cargo.toml b/Cargo.toml index 92cbaf8..e9e3779 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "card-cli" -version = "1.9.13" +version = "1.10.0" authors = ["Hatter Jiang "] edition = "2018" diff --git a/README.md b/README.md index b188e8b..49fbc45 100644 --- a/README.md +++ b/README.md @@ -173,6 +173,29 @@ $ card-cli pgp-age-address [OK ] Age address: age10l464vxcpnkjguctvylnmp5jg4swhncn4quda0qxta3ud8pycc0qeaj2te ``` +# SSH CA + +## Generate SSH root CA + +```shell +card-cli ssh-pub-key --ca -s r15 +``` + +Outputs: +``` +cert-authority,principals="root" ecdsa-sha2-nistp384 AAAAE2VjZHNh****** Yubikey-PIV-R15 +``` + +## Generate SSH user CA + +```shell +ssh-keygen -f id_user + +card-cli ssh-piv-cert --pub id_user.pub -s r15 + +ssh -i id_user root@example.com +``` +

diff --git a/src/cmd_sshpivcert.rs b/src/cmd_sshpivcert.rs index c8de243..d920c4e 100644 --- a/src/cmd_sshpivcert.rs +++ b/src/cmd_sshpivcert.rs @@ -7,6 +7,7 @@ use sshcerts::ssh::{CurveKind, PublicKeyKind, SSHCertificateSigner}; use sshcerts::utils::format_signature_for_ssh; use sshcerts::x509::extract_ssh_pubkey_from_x509_certificate; use sshcerts::{CertType, Certificate, PublicKey}; +use std::fs; use std::sync::Mutex; use std::time::SystemTime; use yubikey::piv::{sign_data, AlgorithmId, SlotId}; @@ -29,13 +30,15 @@ impl Command for CommandImpl { .arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).help("PIV card user PIN")) .arg(Arg::with_name("slot").short("s").long("slot").takes_value(true).help("PIV slot, e.g. 82, 83 ... 95, 9a, 9c, 9d, 9e")) .arg(Arg::with_name("key-id").short("k").long("key-id").takes_value(true).help("SSH user CA key id")) - .arg(Arg::with_name("principal").short("P").long("principal").takes_value(true).help("SSH user CA principal")) + .arg(Arg::with_name("principal").short("P").long("principal").takes_value(true).default_value("root").help("SSH user CA principal")) .arg(Arg::with_name("pub").long("pub").required(true).takes_value(true).help("SSH public key file")) + .arg(Arg::with_name("validity").long("validity").takes_value(true).default_value("3600").help("Validity in seconds")) } fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError { - let ssh_pub = util::read_file_or_stdin(sub_arg_matches.value_of("pub").unwrap())?; - let ssh_pub_str = String::from_utf8(ssh_pub).expect("Read SSh pub file failed: {}"); + let ssh_pub_file = sub_arg_matches.value_of("pub").unwrap(); + let ssh_pub_bytes = util::read_file_or_stdin(ssh_pub_file)?; + let ssh_pub_str = String::from_utf8(ssh_pub_bytes).expect("Read SSh pub file failed: {}"); let slot = opt_value_result!(sub_arg_matches.value_of("slot"), "--slot must assigned, e.g. 82, 83 ... 95, 9a, 9c, 9d, 9e"); let mut yk = opt_result!(YubiKey::open(), "YubiKey not found: {}"); @@ -48,7 +51,8 @@ impl Command for CommandImpl { let cert_der = find_cert(&mut yk, slot_id)?; let ca_ssh_pub_key = opt_result!(extract_ssh_pubkey_from_x509_certificate(&cert_der), "Extract SSH public key failed: {}"); - let tobe_signed_ssh_pub_key = opt_result!(PublicKey::from_string(&ssh_pub_str), "Parse tobe signed SSH public key failed: {}"); + debugging!("SSH CA: {}", ca_ssh_pub_key); + debugging!("SSH CA fingerprint: {}", ca_ssh_pub_key.fingerprint()); let ca_ssh_pub_algorithm_id = get_ssh_key_type(&ca_ssh_pub_key)?; let ssh_yubikey_signer = SshYubikeySinger::new( @@ -63,25 +67,41 @@ impl Command for CommandImpl { let key_id = sub_arg_matches.value_of("key-id").unwrap_or("default_key_id"); let principals = sub_arg_matches.values_of("principal") .map(|ps| ps.map(|p| p.to_string()).collect::>()) - .unwrap_or_else(|| vec!["default_principal".to_string()]); - debugging!("Serial: {}", serial); - debugging!("Key ID: {}", key_id); - debugging!("Principals: {:?}", principals); + .unwrap_or_else(|| vec!["root".to_string()]); let now_secs = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap().as_secs(); + let validity = sub_arg_matches.value_of("validity").unwrap_or("3600"); + let validity_u64: u64 = opt_result!(validity.parse(), "Parse validity failed: {}"); + information!("Serial: {}", serial); + information!("Key ID: {}", key_id); + information!("Principals: {:?}", principals); + information!("Validity: {} seconds", validity_u64); + + let tobe_signed_ssh_pub_key = opt_result!(PublicKey::from_string(&ssh_pub_str), "Parse tobe signed SSH public key failed: {}"); let user_cert_result = Certificate::builder(&tobe_signed_ssh_pub_key, CertType::User, &ca_ssh_pub_key) .unwrap() .serial(serial) .key_id(key_id) .set_principals(&principals) - .valid_after(now_secs - 100) - .valid_before(now_secs + 60000) + .valid_after(now_secs - 1) + .valid_before(now_secs + validity_u64) .set_extensions(Certificate::standard_extensions()) .sign(&ssh_yubikey_signer); + // View *-cert.pub: + // ssh-keygen -L -f *-cert.pub let user_cert = opt_result!(user_cert_result, "Sign SSH user CA failed: {}"); - println!("{}", user_cert.to_string()); + + if ssh_pub_file.ends_with(".pub") { + let ssh_cert_file = format!("{}-cert.pub", String::from_utf8(ssh_pub_file.as_bytes()[0..ssh_pub_file.len() - 4].to_vec()).unwrap()); + if fs::metadata(&ssh_cert_file).is_ok() { + return simple_error!("Target file: {} exists", &ssh_cert_file); + } + opt_result!(fs::write(&ssh_cert_file, user_cert.to_string()), "Write file: {} failed: {}", &ssh_cert_file); + } else { + println!("{}", user_cert); + } Ok(None) } @@ -149,6 +169,6 @@ impl SSHCertificateSigner for SshYubikeySinger { let signature = sign_data(&mut yubikey, &digest, self.ca_ssh_pub_algorithm_id, self.ca_ssh_pub_slot_id).expect("SSH user CA sign failed: {}"); - format_signature_for_ssh(&self.ca_ssh_pub_key, &signature.to_vec()) + format_signature_for_ssh(&self.ca_ssh_pub_key, signature.as_ref()) } } diff --git a/src/cmd_sshpubkey.rs b/src/cmd_sshpubkey.rs index 4970351..4415dad 100644 --- a/src/cmd_sshpubkey.rs +++ b/src/cmd_sshpubkey.rs @@ -72,7 +72,7 @@ impl Command for CommandImpl { // // [identifier] will be nistp256 or nistp384 let mut ssh_pub_key = vec![]; - ssh_pub_key.write_string(&format!("ecdsa-sha2-{}", ssh_algorithm).as_bytes()); + ssh_pub_key.write_string(format!("ecdsa-sha2-{}", ssh_algorithm).as_bytes()); let mut ecc_key_blob = vec![]; ecc_key_blob.write_string(ssh_algorithm.as_bytes()); ecc_key_blob.write_string(&ec_key_point); @@ -85,7 +85,7 @@ impl Command for CommandImpl { println!( "{}ecdsa-sha2-{} {} Yubikey-PIV-{}", - if ca { "cert-authority " } else { "" }, + if ca { "cert-authority,principals=\"root\" " } else { "" }, ssh_algorithm, STANDARD.encode(&ssh_pub_key), slot_id diff --git a/src/sshutil.rs b/src/sshutil.rs index b1cc030..ee93280 100644 --- a/src/sshutil.rs +++ b/src/sshutil.rs @@ -21,21 +21,21 @@ pub fn append_slice_with_len(v: &mut Vec, s: &[u8]) { } pub trait SshVecWriter { - fn write_bytes(&mut self, bytes: &[u8]) -> (); - fn write_u32(&mut self, num: u32) -> (); - fn write_string(&mut self, bytes: &[u8]) -> (); + fn write_bytes(&mut self, bytes: &[u8]); + fn write_u32(&mut self, num: u32); + fn write_string(&mut self, bytes: &[u8]); } impl SshVecWriter for Vec { - fn write_bytes(&mut self, bytes: &[u8]) -> () { + fn write_bytes(&mut self, bytes: &[u8]) { self.extend_from_slice(bytes); } - fn write_u32(&mut self, num: u32) -> () { + fn write_u32(&mut self, num: u32) { self.write_bytes(&num.to_be_bytes()); } - fn write_string(&mut self, bytes: &[u8]) -> () { + fn write_string(&mut self, bytes: &[u8]) { self.write_u32(bytes.len() as u32); self.write_bytes(bytes); }