feat: v1.12.6

src/cmd_external_public_key.rs

@@ -1,5 +1,5 @@
 use crate::keyutil::{parse_key_uri, KeyUri, KeyUsage};
-use crate::util::base64_encode;
+use crate::util::{base64_decode, base64_encode};
 use crate::yubikeyutil::find_key_or_error;
 use crate::{cmdutil, ecdsautil, hmacutil, seutil, util, yubikeyutil};
 use clap::{App, ArgMatches, SubCommand};
@@ -8,7 +8,10 @@ use rust_util::util_clap::{Command, CommandError};
 use rust_util::XResult;
 use serde_json::Value;
 use std::collections::BTreeMap;
+use rsa::RsaPrivateKey;
+use spki::EncodePublicKey;
 use x509_parser::parse_x509_certificate;
+use crate::pivutil::ToStr;
 
 pub struct CommandImpl;
 
@@ -68,21 +71,31 @@ fn fetch_public_key(parameter: &str, serial_opt: &Option<&str>) -> XResult<Vec<u
             simple_error!("Slot {} not found", key.slot)
         }
         KeyUri::YubikeyHmacEncSoftKey(key) => {
-            let private_key = hmacutil::try_hmac_decrypt_to_string(&key.hmac_enc_private_key)?;
-            let p256_public_key = ecdsautil::parse_p256_private_key_to_public_key(&private_key).ok();
-            let p384_public_key = ecdsautil::parse_p384_private_key_to_public_key(&private_key).ok();
-            let p521_public_key = ecdsautil::parse_p521_private_key_to_public_key(&private_key).ok();
+            if key.algorithm.is_ecc() {
+                let private_key = hmacutil::try_hmac_decrypt_to_string(&key.hmac_enc_private_key)?;
+                let p256_public_key = ecdsautil::parse_p256_private_key_to_public_key(&private_key).ok();
+                let p384_public_key = ecdsautil::parse_p384_private_key_to_public_key(&private_key).ok();
+                let p521_public_key = ecdsautil::parse_p521_private_key_to_public_key(&private_key).ok();
 
-            if let Some(p256_public_key) = p256_public_key {
-                return Ok(p256_public_key);
+                if let Some(p256_public_key) = p256_public_key {
+                    return Ok(p256_public_key);
+                }
+                if let Some(p384_public_key) = p384_public_key {
+                    return Ok(p384_public_key);
+                }
+                if let Some(p521_public_key) = p521_public_key {
+                    return Ok(p521_public_key);
+                }
+                simple_error!("Invalid hmac enc private key")
+            } else if key.algorithm.is_rsa() {
+                use rsa::pkcs8::DecodePrivateKey;
+                let private_key = hmacutil::try_hmac_decrypt_to_string(&key.hmac_enc_private_key)?;
+                let private_key_der = base64_decode(&private_key)?;
+                let rsa_private_key = RsaPrivateKey::from_pkcs8_der(&private_key_der)?;
+                Ok(rsa_private_key.to_public_key().to_public_key_der()?.to_vec())
+            } else {
+                simple_error!("Invalid algorithm: {}", key.algorithm.to_str())
             }
-            if let Some(p384_public_key) = p384_public_key {
-                return Ok(p384_public_key);
-            }
-            if let Some(p521_public_key) = p521_public_key {
-                return Ok(p521_public_key);
-            }
-            simple_error!("Invalid hmac enc private key")
         }
     }
 }