From 7348e6d51f484a4e560bdaa96ff4a1f5c90606ea Mon Sep 17 00:00:00 2001 From: Hatter Jiang Date: Thu, 16 Mar 2023 00:03:19 +0800 Subject: [PATCH] feat: v1.4.4, add piv-meta --- Cargo.lock | 3 +- Cargo.toml | 3 +- src/cmd_pivmeta.rs | 151 +++++++++++++++++++++++++++++++++++++++++++++ src/main.rs | 2 + 4 files changed, 157 insertions(+), 2 deletions(-) create mode 100644 src/cmd_pivmeta.rs diff --git a/Cargo.lock b/Cargo.lock index b403ef8..23375eb 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -336,7 +336,7 @@ dependencies = [ [[package]] name = "card-cli" -version = "1.4.3" +version = "1.4.4" dependencies = [ "authenticator", "base64 0.13.1", @@ -359,6 +359,7 @@ dependencies = [ "sha1", "sha2", "simpledateformat", + "spki 0.7.0", "ssh-agent", "u2f", "x509", diff --git a/Cargo.toml b/Cargo.toml index 3caad22..057ffbb 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "card-cli" -version = "1.4.3" +version = "1.4.4" authors = ["Hatter Jiang "] edition = "2018" @@ -32,6 +32,7 @@ x509 = "0.2" x509-parser = "0.13" ssh-agent = { version = "0.2", features = ["agent"] } p256 = { version = "0.13.0", features = ["pem", "ecdh"] } +spki = { version = "0.7.0", features = ["pem"] } #lazy_static = "1.4.0" #ssh-key = "0.4.0" #ctap-hid-fido2 = "2.1.3" diff --git a/src/cmd_pivmeta.rs b/src/cmd_pivmeta.rs new file mode 100644 index 0000000..ae41b60 --- /dev/null +++ b/src/cmd_pivmeta.rs @@ -0,0 +1,151 @@ +use std::collections::BTreeMap; +use std::str::FromStr; + +use clap::{App, Arg, ArgMatches, SubCommand}; +use hex::ToHex; +use rust_util::util_clap::{Command, CommandError}; +use rust_util::util_msg; +use rust_util::util_msg::MessageType; +use x509::SubjectPublicKeyInfo; +use yubikey::{Key, PinPolicy, TouchPolicy, YubiKey}; +use yubikey::certificate::PublicKeyInfo; +use yubikey::piv::{AlgorithmId, ManagementAlgorithmId, metadata, Origin, RetiredSlotId, SlotId}; + +pub struct CommandImpl; + +impl Command for CommandImpl { + fn name(&self) -> &str { "piv-meta" } + + fn subcommand<'a>(&self) -> App<'a, 'a> { + SubCommand::with_name(self.name()).about("PIV meta subcommand") + .arg(Arg::with_name("slot").short("s").long("slot").takes_value(true).help("PIV slot, e.g. 82, 83 ...")) + .arg(Arg::with_name("json").long("json").help("JSON output")) + } + + fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError { + let json_output = sub_arg_matches.is_present("json"); + if json_output { util_msg::set_logger_std_out(false); } + + let mut json = BTreeMap::<&'_ str, String>::new(); + + let slot = opt_value_result!(sub_arg_matches.value_of("slot"), "--slot must assigned, e.g. 82, 83 ..."); + + let mut yk = opt_result!(YubiKey::open(), "YubiKey not found: {}"); + + let retired_slot_id = opt_result!(RetiredSlotId::from_str(slot), "Slot not found: {}"); + debugging!("Slot id: {}", retired_slot_id); + let slot_id = SlotId::Retired(retired_slot_id); + + json.insert("slot", slot.to_string()); + if let Ok(meta) = metadata(&mut yk, slot_id) { + debugging!("PIV meta: {:?}", meta); + let algorithm_str = match meta.algorithm { + ManagementAlgorithmId::PinPuk => "pin_puk", + ManagementAlgorithmId::ThreeDes => "three_des", + ManagementAlgorithmId::Asymmetric(AlgorithmId::Rsa1024) => "rsa1024", + ManagementAlgorithmId::Asymmetric(AlgorithmId::Rsa2048) => "rsa2048", + ManagementAlgorithmId::Asymmetric(AlgorithmId::EccP256) => "p256", + ManagementAlgorithmId::Asymmetric(AlgorithmId::EccP384) => "p384", + }; + if json_output { + json.insert("algorithm", algorithm_str.to_string()); + } else { + information!("Algorithm: {}", algorithm_str); + } + + if let Some((pin_policy, touch_policy)) = meta.policy { + let pin_policy_str = match pin_policy { + PinPolicy::Default => "default", + PinPolicy::Never => "never", + PinPolicy::Once => "once", + PinPolicy::Always => "always", + }; + let touch_policy_str = match touch_policy { + TouchPolicy::Default => "default", + TouchPolicy::Never => "never", + TouchPolicy::Always => "always", + TouchPolicy::Cached => "cached", + }; + if json_output { + json.insert("pin_policy", pin_policy_str.to_string()); + json.insert("touch_policy", touch_policy_str.to_string()); + } else { + information!("PIN policy: {}", pin_policy_str); + information!("Touch policy: {}", touch_policy_str); + } + } + + let origin_str = match meta.origin { + None => "none", + Some(Origin::Imported) => "imported", + Some(Origin::Generated) => "generated", + }; + if json_output { + json.insert("origin", origin_str.to_string()); + } else { + information!("Origin: {}", origin_str); + } + + if let Some(public_key) = &meta.public { + match public_key { + PublicKeyInfo::Rsa { algorithm, pubkey } => { + failure_and_exit!("RSA not supported, {:?}, {:?}", algorithm, pubkey); + } + PublicKeyInfo::EcP256(pubkey) => { + if json_output { + json.insert("pk_point_hex", hex::encode(pubkey.as_bytes())); + } else { + information!("EC-P256, {}", hex::encode(pubkey.as_bytes())); + } + } + PublicKeyInfo::EcP384(pubkey) => { + if json_output { + json.insert("pk_point_hex", hex::encode(pubkey.as_bytes())); + } else { + information!("EC-P384, {}", hex::encode(pubkey.as_bytes())); + } + } + } + } + } else { + warning!("Get slot: {} meta data failed", slot); + } + + match Key::list(&mut yk) { + Err(e) => warning!("List keys failed: {}", e), + Ok(keys) => for k in &keys { + let slot_str = format!("{:x}", Into::::into(k.slot())); + if slot_str == slot { + if !json.contains_key("pk_point_hex") { + let public_key_hex = &k.certificate().subject_pki().public_key(); + json.insert("pk_point_hex", hex::encode(&public_key_hex)); + let algorithm_str = match k.certificate().subject_pki().algorithm() { + AlgorithmId::Rsa1024 => "rsa1024", + AlgorithmId::Rsa2048 => "rsa2048", + AlgorithmId::EccP256 => "p256", + AlgorithmId::EccP384 => "p384", + }; + json.insert("algorithm", algorithm_str.to_string()); + } + json.insert("subject", k.certificate().subject().to_string()); + json.insert("issuer", k.certificate().issuer().to_string()); + json.insert("serial", k.certificate().serial().to_string()); + json.insert("certificate_hex", k.certificate().encode_hex::()); + } else { + util_msg::when(MessageType::DEBUG, || { + debugging!("Slot: {:x}", Into::::into(k.slot())); + let cert_hex = k.certificate().encode_hex::(); + let public_key_hex = &k.certificate().subject_pki().public_key(); + debugging!("Certificate: {}", &cert_hex); + debugging!("Public key: {}", hex::encode(&public_key_hex)); + }); + } + }, + } + + if json_output { + println!("{}", serde_json::to_string_pretty(&json).unwrap()); + } + Ok(None) + } +} diff --git a/src/main.rs b/src/main.rs index 1d85e17..9519840 100644 --- a/src/main.rs +++ b/src/main.rs @@ -23,6 +23,7 @@ mod cmd_pgpcardsign; mod cmd_pgpcarddecrypt; mod cmd_pgpcardmake; mod cmd_piv; +mod cmd_pivmeta; mod cmd_pivsign; mod cmd_pivecdh; mod cmd_pivdecrypt; @@ -66,6 +67,7 @@ fn inner_main() -> CommandError { Box::new(cmd_pgpcarddecrypt::CommandImpl), Box::new(cmd_pgpcardmake::CommandImpl), Box::new(cmd_piv::CommandImpl), + Box::new(cmd_pivmeta::CommandImpl), Box::new(cmd_pivsign::CommandImpl), Box::new(cmd_pivecdh::CommandImpl), Box::new(cmd_pivdecrypt::CommandImpl),