feat: v1.5.0, add piv-ecsign subcommand

src/cmd_pivecsign.rs

@@ -0,0 +1,65 @@
+use std::collections::BTreeMap;
+use std::str::FromStr;
+
+use clap::{App, Arg, ArgMatches, SubCommand};
+use rust_util::util_clap::{Command, CommandError};
+use rust_util::util_msg;
+use x509_parser::nom::AsBytes;
+use yubikey::YubiKey;
+use yubikey::piv::{AlgorithmId, RetiredSlotId, sign_data, SlotId};
+
+pub struct CommandImpl;
+
+impl Command for CommandImpl {
+    fn name(&self) -> &str { "piv-ecsign" }
+
+    fn subcommand<'a>(&self) -> App<'a, 'a> {
+        SubCommand::with_name(self.name()).about("PIV EC Sign subcommand")
+            .arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).help("PIV card user pin"))
+            .arg(Arg::with_name("slot").short("s").long("slot").takes_value(true).help("PIV slot, e.g. 82, 83 ..."))
+            .arg(Arg::with_name("hash-hex").long("hash-hex").takes_value(true).help("Hash"))
+            .arg(Arg::with_name("json").long("json").help("JSON output"))
+    }
+
+    fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError {
+        let json_output = sub_arg_matches.is_present("json");
+        if json_output { util_msg::set_logger_std_out(false); }
+
+        let mut json = BTreeMap::<&'_ str, String>::new();
+
+        let pin_opt = sub_arg_matches.value_of("pin");
+
+        let slot = opt_value_result!(sub_arg_matches.value_of("slot"), "--slot must assigned, e.g. 82, 83 ...");
+        let hash_hex = opt_value_result!(sub_arg_matches.value_of("hash-hex"), "--hash-hex must assigned");
+
+        let mut yk = opt_result!(YubiKey::open(), "YubiKey not found: {}");
+        let retired_slot_id = opt_result!(RetiredSlotId::from_str(slot), "Slot not found: {}");
+        debugging!("Slot id: {}", retired_slot_id);
+        let slot_id = SlotId::Retired(retired_slot_id);
+
+        if let Some(pin) = pin_opt {
+            opt_result!(yk.verify_pin(pin.as_bytes()), "YubiKey verify pin failed: {}");
+        }
+
+        let hash_bytes = opt_result!(hex::decode(hash_hex), "Parse epk failed: {}");
+
+        let signed_data = opt_result!(sign_data(&mut yk, &hash_bytes, AlgorithmId::EccP256, slot_id), "Sign piv failed: {}");
+
+        if json_output {
+            json.insert("slot", slot.to_string());
+            json.insert("hash_hex", hex::encode(&hash_bytes));
+            json.insert("signed_data_hex", hex::encode(&signed_data.as_bytes()));
+            json.insert("signed_data_base64", base64::encode(&signed_data.as_bytes()));
+        } else {
+            information!("Slot: {}", slot);
+            information!("Hash hex: {}", hex::encode(&hash_bytes));
+            information!("Signed data base64: {}", base64::encode(&signed_data.as_bytes()));
+            information!("Signed data hex: {}", hex::encode(&signed_data.as_bytes()));
+        }
+
+        if json_output {
+            println!("{}", serde_json::to_string_pretty(&json).unwrap());
+        }
+        Ok(None)
+    }
+}

src/main.rs

@@ -26,6 +26,7 @@ mod cmd_piv;
 mod cmd_pivmeta;
 mod cmd_pivsign;
 mod cmd_pivecdh;
+mod cmd_pivecsign;
 mod cmd_pivdecrypt;
 mod cmd_pivgenerate;
 mod cmd_chall;
@@ -70,6 +71,7 @@ fn inner_main() -> CommandError {
         Box::new(cmd_pivmeta::CommandImpl),
         Box::new(cmd_pivsign::CommandImpl),
         Box::new(cmd_pivecdh::CommandImpl),
+        Box::new(cmd_pivecsign::CommandImpl),
         Box::new(cmd_pivdecrypt::CommandImpl),
         Box::new(cmd_pivgenerate::CommandImpl),
         Box::new(cmd_u2fregister::CommandImpl),