hatter/card-cli
1
1
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

feat: v1.13.21

Browse Source
This commit is contained in:
Hatter Jiang
2025-10-18 14:29:51 +08:00
parent 07e1671867
commit 8a50024285
6 changed files with 282 additions and 298 deletions
Download Patch File Download Diff File Expand all files Collapse all files

524
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

3
Cargo.toml
View File

@@ -1,6 +1,6 @@
[package] [package]
name = "card-cli" name = "card-cli"
version = "1.13.20" version = "1.13.21"
authors = ["Hatter Jiang <jht5945@gmail.com>"] authors = ["Hatter Jiang <jht5945@gmail.com>"]
edition = "2018" edition = "2018"
@@ -68,6 +68,7 @@ tokio = "1.45.1"
ssh-encoding = { version = "0.2.0", features = ["alloc"] } ssh-encoding = { version = "0.2.0", features = ["alloc"] }
zeroize = "1.8" zeroize = "1.8"
ml-kem = { version = "0.2.1", features = ["zeroize"] } ml-kem = { version = "0.2.1", features = ["zeroize"] }
zeroizing-alloc = "0.1.0"
#lazy_static = "1.4.0" #lazy_static = "1.4.0"
#ctap-hid-fido2 = "2.1.3" #ctap-hid-fido2 = "2.1.3"

4
src/cmd_pgp_card_sign.rs
View File

@@ -1,7 +1,7 @@
use std::collections::BTreeMap; use std::collections::BTreeMap;
use std::fs::File; use std::fs::File;
use std::io::{ErrorKind, Read}; use std::io::{ErrorKind, Read};
use std::ops::Deref;
use clap::{App, Arg, ArgMatches, SubCommand}; use clap::{App, Arg, ArgMatches, SubCommand};
use digest::Digest; use digest::Digest;
use openpgp_card::crypto_data::Hash; use openpgp_card::crypto_data::Hash;
@@ -189,7 +189,7 @@ where
debugging!("File: {}, length: {}", file_name, file_len); debugging!("File: {}, length: {}", file_name, file_len);
loop { loop {
let len = match f.read(&mut buf) { let len = match f.read(&mut buf) {
Ok(0) => return Ok(hasher.finalize().as_slice().to_vec()), Ok(0) => return Ok(hasher.finalize().deref().to_vec()),
Ok(len) => len, Ok(len) => len,
Err(ref e) if e.kind() == ErrorKind::Interrupted => continue, Err(ref e) if e.kind() == ErrorKind::Interrupted => continue,
Err(e) => return simple_error!("Calc file digest failed: {}", e), Err(e) => return simple_error!("Calc file digest failed: {}", e),

30
src/cmd_se_generate.rs
View File

@@ -7,7 +7,7 @@ use p256::PublicKey;
use rust_util::util_clap::{Command, CommandError}; use rust_util::util_clap::{Command, CommandError};
use spki::DecodePublicKey; use spki::DecodePublicKey;
use std::collections::BTreeMap; use std::collections::BTreeMap;
use swift_secure_enclave_tool_rs::ControlFlag; use swift_secure_enclave_tool_rs::{ControlFlag, KeyMlKem};
pub struct CommandImpl; pub struct CommandImpl;
@@ -40,6 +40,14 @@ impl Command for CommandImpl {
.takes_value(true) .takes_value(true)
.help("Control flag, e.g. none, user-presence, device-passcode, biometry-any, biometry-current-set"), .help("Control flag, e.g. none, user-presence, device-passcode, biometry-any, biometry-current-set"),
) )
.arg(
Arg::with_name("algorithm")
.long("algorithm")
.required(true)
.takes_value(true)
.default_value("p256")
.help("Algorithm, e.g. p256, mlkem768, mlkem1024"),
)
.arg(cmdutil::build_with_hmac_encrypt_arg()) .arg(cmdutil::build_with_hmac_encrypt_arg())
.arg(cmdutil::build_with_pbe_encrypt_arg()) .arg(cmdutil::build_with_pbe_encrypt_arg())
.arg(cmdutil::build_double_pin_check_arg()) .arg(cmdutil::build_double_pin_check_arg())
@@ -68,14 +76,26 @@ impl Command for CommandImpl {
"biometry-current-set" | "bio-current" => ControlFlag::BiometryCurrentSet, "biometry-current-set" | "bio-current" => ControlFlag::BiometryCurrentSet,
_ => return simple_error!("Invalid control flag: {}", control_flag), _ => return simple_error!("Invalid control flag: {}", control_flag),
}; };
let algorithm = sub_arg_matches.value_of("algorithm").unwrap();
let (public_key_point, public_key_der, private_key) = let (public_key_point, public_key_der, private_key) = match algorithm {
seutil::generate_secure_enclave_p256_keypair(sign, control_flag)?; "p256" => {
seutil::generate_secure_enclave_p256_keypair(sign, control_flag)?
}
"mlkem768" | "mlkem1024" => {
if sign {
return simple_error!("Algorithm: {} only supports key_agreement", algorithm);
}
seutil::generate_secure_enclave_mlkem_keypair(
iff!(algorithm == "mlkem768", KeyMlKem::MlKem768, KeyMlKem::MlKem1024), control_flag)?
}
_ => return simple_error!("Unknown algorithm: {}", algorithm),
};
let private_key = cmd_hmac_encrypt::do_encrypt(&private_key, &mut None, sub_arg_matches)?; let private_key = cmd_hmac_encrypt::do_encrypt(&private_key, &mut None, sub_arg_matches)?;
let key_uri = format!( let key_uri = format!(
"key://{}:se/p256:{}:{}", "key://{}:se/{}:{}:{}",
host, host,
algorithm,
iff!(sign, "signing", "key_agreement"), iff!(sign, "signing", "key_agreement"),
private_key, private_key,
); );

5
src/main.rs
View File

@@ -86,6 +86,11 @@ mod yubikeyutil;
mod cmd_yubikey; mod cmd_yubikey;
mod mlkemutil; mod mlkemutil;
use zeroizing_alloc::ZeroAlloc;
#[global_allocator]
static ALLOC: ZeroAlloc<std::alloc::System> = ZeroAlloc(std::alloc::System);
pub struct DefaultCommandImpl; pub struct DefaultCommandImpl;
impl DefaultCommandImpl { impl DefaultCommandImpl {

14
src/seutil.rs
View File

@@ -2,7 +2,7 @@ use crate::util::{base64_decode, base64_encode};
use rust_util::XResult; use rust_util::XResult;
use se_tool::KeyPurpose; use se_tool::KeyPurpose;
use swift_secure_enclave_tool_rs as se_tool; use swift_secure_enclave_tool_rs as se_tool;
use swift_secure_enclave_tool_rs::{ControlFlag, DigestType}; use swift_secure_enclave_tool_rs::{ControlFlag, DigestType, KeyMlKem};
pub fn is_support_se() -> bool { pub fn is_support_se() -> bool {
se_tool::is_secure_enclave_supported().unwrap_or_else(|e| { se_tool::is_secure_enclave_supported().unwrap_or_else(|e| {
@@ -35,6 +35,18 @@ pub fn generate_secure_enclave_p256_keypair(
)) ))
} }
pub fn generate_secure_enclave_mlkem_keypair(
key_ml_kem: KeyMlKem,
control_flag: ControlFlag,
) -> XResult<(Vec<u8>, Vec<u8>, String)> {
let key_material = se_tool::generate_mlkem_keypair(key_ml_kem, control_flag)?;
Ok((
key_material.public_key_point,
key_material.public_key_der,
base64_encode(&key_material.private_key_representation),
))
}
pub fn recover_secure_enclave_p256_public_key( pub fn recover_secure_enclave_p256_public_key(
private_key: &str, private_key: &str,
sign: bool, sign: bool,