hatter/card-cli
1
1
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

feat: v1.4.4, add piv-meta

Browse Source
This commit is contained in:
Hatter Jiang
2023-03-16 00:03:19 +08:00
parent 90d4723f86
commit 7348e6d51f
4 changed files with 157 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

151
src/cmd_pivmeta.rs Normal file
View File

@@ -0,0 +1,151 @@
use std::collections::BTreeMap;
use std::str::FromStr;
use clap::{App, Arg, ArgMatches, SubCommand};
use hex::ToHex;
use rust_util::util_clap::{Command, CommandError};
use rust_util::util_msg;
use rust_util::util_msg::MessageType;
use x509::SubjectPublicKeyInfo;
use yubikey::{Key, PinPolicy, TouchPolicy, YubiKey};
use yubikey::certificate::PublicKeyInfo;
use yubikey::piv::{AlgorithmId, ManagementAlgorithmId, metadata, Origin, RetiredSlotId, SlotId};
pub struct CommandImpl;
impl Command for CommandImpl {
fn name(&self) -> &str { "piv-meta" }
fn subcommand<'a>(&self) -> App<'a, 'a> {
SubCommand::with_name(self.name()).about("PIV meta subcommand")
.arg(Arg::with_name("slot").short("s").long("slot").takes_value(true).help("PIV slot, e.g. 82, 83 ..."))
.arg(Arg::with_name("json").long("json").help("JSON output"))
}
fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError {
let json_output = sub_arg_matches.is_present("json");
if json_output { util_msg::set_logger_std_out(false); }
let mut json = BTreeMap::<&'_ str, String>::new();
let slot = opt_value_result!(sub_arg_matches.value_of("slot"), "--slot must assigned, e.g. 82, 83 ...");
let mut yk = opt_result!(YubiKey::open(), "YubiKey not found: {}");
let retired_slot_id = opt_result!(RetiredSlotId::from_str(slot), "Slot not found: {}");
debugging!("Slot id: {}", retired_slot_id);
let slot_id = SlotId::Retired(retired_slot_id);
json.insert("slot", slot.to_string());
if let Ok(meta) = metadata(&mut yk, slot_id) {
debugging!("PIV meta: {:?}", meta);
let algorithm_str = match meta.algorithm {
ManagementAlgorithmId::PinPuk => "pin_puk",
ManagementAlgorithmId::ThreeDes => "three_des",
ManagementAlgorithmId::Asymmetric(AlgorithmId::Rsa1024) => "rsa1024",
ManagementAlgorithmId::Asymmetric(AlgorithmId::Rsa2048) => "rsa2048",
ManagementAlgorithmId::Asymmetric(AlgorithmId::EccP256) => "p256",
ManagementAlgorithmId::Asymmetric(AlgorithmId::EccP384) => "p384",
};
if json_output {
json.insert("algorithm", algorithm_str.to_string());
} else {
information!("Algorithm: {}", algorithm_str);
}
if let Some((pin_policy, touch_policy)) = meta.policy {
let pin_policy_str = match pin_policy {
PinPolicy::Default => "default",
PinPolicy::Never => "never",
PinPolicy::Once => "once",
PinPolicy::Always => "always",
};
let touch_policy_str = match touch_policy {
TouchPolicy::Default => "default",
TouchPolicy::Never => "never",
TouchPolicy::Always => "always",
TouchPolicy::Cached => "cached",
};
if json_output {
json.insert("pin_policy", pin_policy_str.to_string());
json.insert("touch_policy", touch_policy_str.to_string());
} else {
information!("PIN policy: {}", pin_policy_str);
information!("Touch policy: {}", touch_policy_str);
}
}
let origin_str = match meta.origin {
None => "none",
Some(Origin::Imported) => "imported",
Some(Origin::Generated) => "generated",
};
if json_output {
json.insert("origin", origin_str.to_string());
} else {
information!("Origin: {}", origin_str);
}
if let Some(public_key) = &meta.public {
match public_key {
PublicKeyInfo::Rsa { algorithm, pubkey } => {
failure_and_exit!("RSA not supported, {:?}, {:?}", algorithm, pubkey);
}
PublicKeyInfo::EcP256(pubkey) => {
if json_output {
json.insert("pk_point_hex", hex::encode(pubkey.as_bytes()));
} else {
information!("EC-P256, {}", hex::encode(pubkey.as_bytes()));
}
}
PublicKeyInfo::EcP384(pubkey) => {
if json_output {
json.insert("pk_point_hex", hex::encode(pubkey.as_bytes()));
} else {
information!("EC-P384, {}", hex::encode(pubkey.as_bytes()));
}
}
}
}
} else {
warning!("Get slot: {} meta data failed", slot);
}
match Key::list(&mut yk) {
Err(e) => warning!("List keys failed: {}", e),
Ok(keys) => for k in &keys {
let slot_str = format!("{:x}", Into::<u8>::into(k.slot()));
if slot_str == slot {
if !json.contains_key("pk_point_hex") {
let public_key_hex = &k.certificate().subject_pki().public_key();
json.insert("pk_point_hex", hex::encode(&public_key_hex));
let algorithm_str = match k.certificate().subject_pki().algorithm() {
AlgorithmId::Rsa1024 => "rsa1024",
AlgorithmId::Rsa2048 => "rsa2048",
AlgorithmId::EccP256 => "p256",
AlgorithmId::EccP384 => "p384",
};
json.insert("algorithm", algorithm_str.to_string());
}
json.insert("subject", k.certificate().subject().to_string());
json.insert("issuer", k.certificate().issuer().to_string());
json.insert("serial", k.certificate().serial().to_string());
json.insert("certificate_hex", k.certificate().encode_hex::<String>());
} else {
util_msg::when(MessageType::DEBUG, || {
debugging!("Slot: {:x}", Into::<u8>::into(k.slot()));
let cert_hex = k.certificate().encode_hex::<String>();
let public_key_hex = &k.certificate().subject_pki().public_key();
debugging!("Certificate: {}", &cert_hex);
debugging!("Public key: {}", hex::encode(&public_key_hex));
});
}
},
}
if json_output {
println!("{}", serde_json::to_string_pretty(&json).unwrap());
}
Ok(None)
}
}

2
src/main.rs
View File

@@ -23,6 +23,7 @@ mod cmd_pgpcardsign;
mod cmd_pgpcarddecrypt;
mod cmd_pgpcardmake;
mod cmd_piv;
mod cmd_pivmeta;
mod cmd_pivsign;
mod cmd_pivecdh;
mod cmd_pivdecrypt;
@@ -66,6 +67,7 @@ fn inner_main() -> CommandError {
Box::new(cmd_pgpcarddecrypt::CommandImpl),
Box::new(cmd_pgpcardmake::CommandImpl),
Box::new(cmd_piv::CommandImpl),
Box::new(cmd_pivmeta::CommandImpl),
Box::new(cmd_pivsign::CommandImpl),
Box::new(cmd_pivecdh::CommandImpl),
Box::new(cmd_pivdecrypt::CommandImpl),