diff --git a/Cargo.lock b/Cargo.lock index 1a760a4..e7a0d4b 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -511,7 +511,7 @@ dependencies = [ [[package]] name = "card-cli" -version = "1.11.2" +version = "1.11.3" dependencies = [ "aes-gcm-stream", "authenticator 0.3.1", diff --git a/Cargo.toml b/Cargo.toml index 733e26e..a70aee0 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "card-cli" -version = "1.11.2" +version = "1.11.3" authors = ["Hatter Jiang "] edition = "2018" diff --git a/src/cmd_signjwt.rs b/src/cmd_signjwt.rs index 986d40e..ad85cd1 100644 --- a/src/cmd_signjwt.rs +++ b/src/cmd_signjwt.rs @@ -42,66 +42,14 @@ impl Command for CommandImpl { let slot = opt_value_result!( sub_arg_matches.value_of("slot"), "--slot must assigned, e.g. 82, 83 ... 95, 9a, 9c, 9d, 9e"); - let key_id = sub_arg_matches.value_of("key-id"); - let claims = sub_arg_matches.values_of("claims"); - let payload = sub_arg_matches.value_of("payload"); - let validity = sub_arg_matches.value_of("validity"); - let jti = sub_arg_matches.is_present("jti"); - - let header = Header { - key_id: key_id.map(ToString::to_string), - type_: Some(HeaderType::JsonWebToken), - ..Default::default() - }; - let mut jwt_claims = Map::new(); - if let Some(payload) = payload { - match serde_json::from_str::(payload) { - Ok(Value::Object(claims_map)) => { - claims_map.into_iter().for_each(|(k, v)| { - jwt_claims.insert(k, v); - }); - } - Ok(value) => { warning!("Not valid payload map: {}", value); } - Err(e) => { warning!("Not valid payload value: {}", e); } - }; - } - - match (payload, claims) { - (Some(_), None) => {} - (_, Some(claims)) => { - for claim in claims { - match split_claim(claim) { - None => { warning!("Claim '{}' do not contains ':'", claim); } - Some((k, v)) => { jwt_claims.insert(k, v); } - } - } - if !jwt_claims.contains_key("sub") { - return simple_error!("Claim sub is not assigned."); - } - } - _ => return simple_error!("Payload or Claims is required."), - } - - // set jti, iat and sub - if jti && !jwt_claims.contains_key("jti") { - jwt_claims.insert("jti".to_string(), Value::String(format!("jti-{}", util_time::get_current_millis()))); - } - if let Some(validity) = validity { - match util_time::parse_duration(validity) { - None => { warning!("Bad validity: {}", validity) } - Some(validity) => { - let current_secs = (util_time::get_current_millis() / 1000) as u64; - jwt_claims.insert("iat".to_string(), Value::Number(Number::from(current_secs))); - jwt_claims.insert("exp".to_string(), Value::Number(Number::from(current_secs + validity.as_secs()))); - } - } - } + let (header, payload, jwt_claims) = build_jwt_parts(sub_arg_matches)?; let mut yk = opt_result!(YubiKey::open(), "Find YubiKey failed: {}"); let slot_id = opt_result!(pivutil::get_slot_id(slot), "Get slot id failed: {}"); let pin_opt = pivutil::check_read_pin(&mut yk, slot_id, sub_arg_matches); let token_string = sign_jwt(&mut yk, slot_id, &pin_opt, header, &payload, &jwt_claims)?; + debugging!("Singed JWT: {}", token_string); if json_output { json.insert("token", token_string.clone()); } @@ -112,8 +60,7 @@ impl Command for CommandImpl { } } - -fn sign_jwt(yk: &mut YubiKey, slot_id: SlotId, pin_opt: &Option, mut header: Header, payload: &Option<&str>, claims: &Map) -> XResult { +fn sign_jwt(yk: &mut YubiKey, slot_id: SlotId, pin_opt: &Option, mut header: Header, payload: &Option, claims: &Map) -> XResult { if let Some(pin) = pin_opt { opt_result!(yk.verify_pin(pin.as_bytes()), "YubiKey verify pin failed: {}"); } @@ -135,15 +82,9 @@ fn sign_jwt(yk: &mut YubiKey, slot_id: SlotId, pin_opt: &Option, mut hea debugging!("Claims: {:?}", claims); let header = opt_result!(header.to_base64(), "Header to base64 failed: {}"); - let claims = match (payload, claims.is_empty()) { - (Some(payload), true) => Cow::Owned(util::base64_encode_url_safe_no_pad(payload.as_bytes())), - (_, _) => opt_result!(claims.to_base64(), "Claims to base64 failed: {}"), - }; + let claims = merge_payload_claims(payload, claims)?; + let tobe_signed = merge_header_claims(header.as_bytes(), claims.as_bytes()); - let mut tobe_signed = vec![]; - tobe_signed.extend_from_slice(header.as_bytes()); - tobe_signed.extend_from_slice(SEPARATOR.as_bytes()); - tobe_signed.extend_from_slice(claims.as_bytes()); let raw_in = match jwt_algorithm { AlgorithmType::Rs256 => rsautil::pkcs15_sha256_rsa_2048_padding_for_sign( &digest::sha256_bytes(&tobe_signed)), @@ -165,6 +106,79 @@ fn sign_jwt(yk: &mut YubiKey, slot_id: SlotId, pin_opt: &Option, mut hea Ok([&*header, &*claims, &signature].join(SEPARATOR)) } +pub fn merge_header_claims(header: &[u8], claims: &[u8]) -> Vec { + let mut tobe_signed = vec![]; + tobe_signed.extend_from_slice(header); + tobe_signed.extend_from_slice(SEPARATOR.as_bytes()); + tobe_signed.extend_from_slice(claims); + tobe_signed +} + +pub fn merge_payload_claims<'a>(payload: &'a Option, claims: &'a Map) -> XResult> { + Ok(match (payload, claims.is_empty()) { + (Some(payload), true) => Cow::Owned(util::base64_encode_url_safe_no_pad(payload.as_bytes())), + (_, _) => opt_result!(claims.to_base64(), "Claims to base64 failed: {}"), + }) +} + +pub fn build_jwt_parts(sub_arg_matches: &ArgMatches) -> XResult<(Header, Option, Map)> { + let key_id = sub_arg_matches.value_of("key-id"); + let claims = sub_arg_matches.values_of("claims"); + let payload = sub_arg_matches.value_of("payload"); + let validity = sub_arg_matches.value_of("validity"); + let jti = sub_arg_matches.is_present("jti"); + + let header = Header { + key_id: key_id.map(ToString::to_string), + type_: Some(HeaderType::JsonWebToken), + ..Default::default() + }; + let mut jwt_claims = Map::new(); + if let Some(payload) = payload { + match serde_json::from_str::(payload) { + Ok(Value::Object(claims_map)) => { + claims_map.into_iter().for_each(|(k, v)| { + jwt_claims.insert(k, v); + }); + } + Ok(value) => { warning!("Not valid payload map: {}", value); } + Err(e) => { warning!("Not valid payload value: {}", e); } + }; + } + + match (payload, claims) { + (Some(_), None) => {} + (_, Some(claims)) => { + for claim in claims { + match split_claim(claim) { + None => { warning!("Claim '{}' do not contains ':'", claim); } + Some((k, v)) => { jwt_claims.insert(k, v); } + } + } + if !jwt_claims.contains_key("sub") { + return simple_error!("Claim sub is not assigned."); + } + } + _ => return simple_error!("Payload or Claims is required."), + } + + // set jti, iat and sub + if jti && !jwt_claims.contains_key("jti") { + jwt_claims.insert("jti".to_string(), Value::String(format!("jti-{}", util_time::get_current_millis()))); + } + if let Some(validity) = validity { + match util_time::parse_duration(validity) { + None => { warning!("Bad validity: {}", validity) } + Some(validity) => { + let current_secs = (util_time::get_current_millis() / 1000) as u64; + jwt_claims.insert("iat".to_string(), Value::Number(Number::from(current_secs))); + jwt_claims.insert("exp".to_string(), Value::Number(Number::from(current_secs + validity.as_secs()))); + } + } + } + Ok((header, payload.map(ToString::to_string), jwt_claims)) +} + pub fn split_claim(claim: &str) -> Option<(String, Value)> { let mut k = String::new(); let mut v = String::new(); diff --git a/src/cmd_signjwtse.rs b/src/cmd_signjwtse.rs new file mode 100644 index 0000000..3eed7a2 --- /dev/null +++ b/src/cmd_signjwtse.rs @@ -0,0 +1,88 @@ +use base64::engine::general_purpose::STANDARD; +use base64::Engine; +use clap::{App, Arg, ArgMatches, SubCommand}; + +use jwt::{AlgorithmType, Header, ToBase64}; +use rust_util::util_clap::{Command, CommandError}; +use rust_util::{util_msg, XResult}; +use serde_json::{Map, Value}; +use std::collections::BTreeMap; + +use crate::cmd_signjwt::{build_jwt_parts, merge_header_claims, merge_payload_claims}; +use crate::ecdsautil::parse_ecdsa_to_rs; +use crate::{hmacutil, util}; + +const SEPARATOR: &str = "."; + +pub struct CommandImpl; + +impl Command for CommandImpl { + fn name(&self) -> &str { + "sign-jwt-se" + } + + fn subcommand<'a>(&self) -> App<'a, 'a> { + SubCommand::with_name(self.name()).about("Sign JWT subcommand") + .arg(Arg::with_name("private-key").short("k").long("private-key").takes_value(true).help("Private key representation")) + .arg(Arg::with_name("key-id").short("K").long("key-id").takes_value(true).help("Header key ID")) + .arg(Arg::with_name("claims").short("C").long("claims").takes_value(true).multiple(true).help("Claims, key:value")) + .arg(Arg::with_name("payload").short("P").long("payload").takes_value(true).help("Claims in JSON")) + .arg(Arg::with_name("jti").long("jti").help("Claims jti")) + .arg(Arg::with_name("validity").long("validity").takes_value(true).help("Claims validity period e.g. 10m means 10 minutes (s - second, m - minute, h - hour, d - day)")) + .arg(Arg::with_name("json").long("json").help("JSON output")) + } + + fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError { + let json_output = sub_arg_matches.is_present("json"); + if json_output { + util_msg::set_logger_std_out(false); + } + + let mut json = BTreeMap::<&'_ str, String>::new(); + + let private_key = opt_value_result!( + sub_arg_matches.value_of("private-key"), + "Private key PKCS#8 DER base64 encoded or PEM" + ); + let private_key = hmacutil::try_hmac_decrypt_to_string(private_key)?; + + let (header, payload, jwt_claims) = build_jwt_parts(sub_arg_matches)?; + + let token_string = sign_jwt(&private_key, header, &payload, &jwt_claims)?; + + debugging!("Singed JWT: {}", token_string); + if json_output { + json.insert("token", token_string.clone()); + } + + if json_output { + println!("{}", serde_json::to_string_pretty(&json).unwrap()); + } + Ok(None) + } +} + +fn sign_jwt( + private_key: &str, + mut header: Header, + payload: &Option, + claims: &Map, +) -> XResult { + header.algorithm = AlgorithmType::Es256; + debugging!("Header: {:?}", header); + debugging!("Claims: {:?}", claims); + + let header = opt_result!(header.to_base64(), "Header to base64 failed: {}"); + let claims = merge_payload_claims(payload, claims)?; + let tobe_signed = merge_header_claims(header.as_bytes(), claims.as_bytes()); + + let private_key_representation = STANDARD.decode(private_key)?; + let signed_data_der = + swift_secure_enclave_tool_rs::private_key_sign(&private_key_representation, &tobe_signed)?; + + let signed_data = parse_ecdsa_to_rs(signed_data_der.as_slice())?; + + let signature = util::base64_encode_url_safe_no_pad(&signed_data); + + Ok([&*header, &*claims, &signature].join(SEPARATOR)) +} diff --git a/src/cmd_signjwtsoft.rs b/src/cmd_signjwtsoft.rs index 2a1ebf5..3afdf4c 100644 --- a/src/cmd_signjwtsoft.rs +++ b/src/cmd_signjwtsoft.rs @@ -1,14 +1,13 @@ -use std::borrow::Cow; use std::collections::BTreeMap; use clap::{App, Arg, ArgMatches, SubCommand}; -use jwt::header::HeaderType; use jwt::{AlgorithmType, Header, ToBase64}; use rust_util::util_clap::{Command, CommandError}; -use rust_util::{util_msg, util_time, XResult}; -use serde_json::{Map, Number, Value}; +use rust_util::{util_msg, XResult}; +use serde_json::{Map, Value}; -use crate::{cmd_signjwt, digest, ecdsautil, hmacutil, rsautil, util}; +use crate::cmd_signjwt::{build_jwt_parts, merge_header_claims, merge_payload_claims}; +use crate::{digest, ecdsautil, hmacutil, rsautil, util}; const SEPARATOR: &str = "."; @@ -44,78 +43,10 @@ impl Command for CommandImpl { ); let private_key = hmacutil::try_hmac_decrypt_to_string(private_key)?; - let key_id = sub_arg_matches.value_of("key-id"); - let claims = sub_arg_matches.values_of("claims"); - let payload = sub_arg_matches.value_of("payload"); - let validity = sub_arg_matches.value_of("validity"); - let jti = sub_arg_matches.is_present("jti"); - - let header = Header { - key_id: key_id.map(ToString::to_string), - type_: Some(HeaderType::JsonWebToken), - ..Default::default() - }; - let mut jwt_claims = Map::new(); - if let Some(payload) = payload { - match serde_json::from_str::(payload) { - Ok(Value::Object(claims_map)) => { - claims_map.into_iter().for_each(|(k, v)| { - jwt_claims.insert(k, v); - }); - } - Ok(value) => { - warning!("Not valid payload map: {}", value); - } - Err(e) => { - warning!("Not valid payload value: {}", e); - } - }; - } - - match (payload, claims) { - (Some(_), None) => {} - (_, Some(claims)) => { - for claim in claims { - match cmd_signjwt::split_claim(claim) { - None => { - warning!("Claim '{}' do not contains ':'", claim); - } - Some((k, v)) => { - jwt_claims.insert(k, v); - } - } - } - if !jwt_claims.contains_key("sub") { - return simple_error!("Claim sub is not assigned."); - } - } - _ => return simple_error!("Payload or Claims is required."), - } - - // set jti, iat and sub - if jti && !jwt_claims.contains_key("jti") { - jwt_claims.insert( - "jti".to_string(), - Value::String(format!("jti-{}", util_time::get_current_millis())), - ); - } - if let Some(validity) = validity { - match util_time::parse_duration(validity) { - None => { - warning!("Bad validity: {}", validity) - } - Some(validity) => { - let current_secs = (util_time::get_current_millis() / 1000) as u64; - jwt_claims.insert("iat".to_string(), Value::Number(Number::from(current_secs))); - jwt_claims.insert( - "exp".to_string(), - Value::Number(Number::from(current_secs + validity.as_secs())), - ); - } - } - } + let (header, payload, jwt_claims) = build_jwt_parts(sub_arg_matches)?; let token_string = sign_jwt(&private_key, header, &payload, &jwt_claims)?; + debugging!("Singed JWT: {}", token_string); if json_output { json.insert("token", token_string.clone()); @@ -131,7 +62,7 @@ impl Command for CommandImpl { fn sign_jwt( private_key: &str, mut header: Header, - payload: &Option<&str>, + payload: &Option, claims: &Map, ) -> XResult { let p256_private_key_d = ecdsautil::parse_p256_private_key(private_key).ok(); @@ -148,17 +79,9 @@ fn sign_jwt( debugging!("Claims: {:?}", claims); let header = opt_result!(header.to_base64(), "Header to base64 failed: {}"); - let claims = match (payload, claims.is_empty()) { - (Some(payload), true) => { - Cow::Owned(util::base64_encode_url_safe_no_pad(payload.as_bytes())) - } - (_, _) => opt_result!(claims.to_base64(), "Claims to base64 failed: {}"), - }; + let claims = merge_payload_claims(payload, claims)?; + let tobe_signed = merge_header_claims(header.as_bytes(), claims.as_bytes()); - let mut tobe_signed = vec![]; - tobe_signed.extend_from_slice(header.as_bytes()); - tobe_signed.extend_from_slice(SEPARATOR.as_bytes()); - tobe_signed.extend_from_slice(claims.as_bytes()); let raw_in = match jwt_algorithm { AlgorithmType::Rs256 => { rsautil::pkcs15_sha256_rsa_2048_padding_for_sign(&digest::sha256_bytes(&tobe_signed)) diff --git a/src/main.rs b/src/main.rs index 585c5f3..08c76a9 100644 --- a/src/main.rs +++ b/src/main.rs @@ -41,6 +41,7 @@ mod cmd_se_recover; mod cmd_signfile; mod cmd_signjwt; mod cmd_signjwtsoft; +mod cmd_signjwtse; mod cmd_sshagent; mod cmd_sshparse; mod cmd_sshparsesign; @@ -131,6 +132,7 @@ fn inner_main() -> CommandError { Box::new(cmd_pgpageaddress::CommandImpl), Box::new(cmd_signjwt::CommandImpl), Box::new(cmd_signjwtsoft::CommandImpl), + Box::new(cmd_signjwtse::CommandImpl), Box::new(cmd_signfile::CommandImpl), Box::new(cmd_verifyfile::CommandImpl), Box::new(cmd_se::CommandImpl),