feat: add ssh-piv-sign, but it not works right

2024-07-03 23:58:34 +08:00
parent 8a4d030d82
commit fed67019aa
4 changed files with 232 additions and 6 deletions
--- a/src/cmd_sshpivsign.rs
+++ b/src/cmd_sshpivsign.rs
@@ -0,0 +1,171 @@
+use clap::{App, Arg, ArgMatches, SubCommand};
+use der_parser::ber::BerObjectContent;
+use pem::Pem;
+use rust_util::util_clap::{Command, CommandError};
+use yubikey::{Key, YubiKey};
+use yubikey::piv::{AlgorithmId, sign_data};
+
+use crate::{pinutil, pivutil, util};
+use crate::pivutil::{get_algorithm_id_by_certificate, slot_equals, ToStr};
+
+trait VecWriter {
+    fn write_bytes(&mut self, bytes: &[u8]) -> ();
+    fn write_u32(&mut self, num: u32) -> ();
+    fn write_string(&mut self, bytes: &[u8]) -> ();
+}
+
+impl VecWriter for Vec<u8> {
+    fn write_bytes(&mut self, bytes: &[u8]) -> () {
+        self.extend_from_slice(bytes);
+    }
+
+    fn write_u32(&mut self, num: u32) -> () {
+        self.write_bytes(&num.to_be_bytes());
+    }
+
+    fn write_string(&mut self, bytes: &[u8]) -> () {
+        self.write_u32(bytes.len() as u32);
+        self.write_bytes(bytes);
+    }
+}
+
+pub struct CommandImpl;
+
+// https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.sshsig
+impl Command for CommandImpl {
+    fn name(&self) -> &str { "ssh-piv-sign" }
+
+    fn subcommand<'a>(&self) -> App<'a, 'a> {
+        SubCommand::with_name(self.name()).about("SSH parse sign subcommand")
+            .arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).help("PIV card user PIN"))
+            .arg(Arg::with_name("slot").short("s").long("slot").takes_value(true).help("PIV slot, e.g. 82, 83 ... 95, 9a, 9c, 9d, 9e"))
+            .arg(Arg::with_name("namespace").short("n").long("namespace").takes_value(true).help("Namespace"))
+            .arg(Arg::with_name("in").long("in").takes_value(true).help("In file, - for stdin"))
+            .arg(Arg::with_name("raw-in").long("raw-in").takes_value(true).help("Raw in data"))
+    }
+
+    fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError {
+        warning!("It NOT works in the right way, and I do not know how to fix it now");
+
+        let namespace_opt = sub_arg_matches.value_of("namespace");
+        let namespace = match namespace_opt {
+            None => return simple_error!("Namespace required"),
+            Some(namespace) => namespace,
+        };
+
+        let (is_raw_in, data) = match sub_arg_matches.value_of("in") {
+            None => match sub_arg_matches.value_of("raw-in") {
+                None => return simple_error!("--in or --raw-in must assign one"),
+                Some(raw_in) => (true, util::try_decode(raw_in)?),
+            }
+            Some(file_in) => {
+                let message = util::read_file_or_stdin(file_in)?;
+                debugging!("File in: {:?}", message);
+                debugging!("File in string: {}", String::from_utf8_lossy(&message));
+                (false, message)
+            }
+        };
+
+        let slot = opt_value_result!(sub_arg_matches.value_of("slot"), "--slot must assigned, e.g. 82, 83 ... 95, 9a, 9c, 9d, 9e");
+        let mut yk = opt_result!(YubiKey::open(), "YubiKey not found: {}");
+        let slot_id = pivutil::get_slot_id(slot)?;
+
+        let pin_opt = sub_arg_matches.value_of("pin");
+        let pin_opt = pinutil::get_pin(pin_opt);
+        let pin_opt = pin_opt.as_deref();
+
+        let mut algorithm_id_opt = None;
+        let mut ec_key_point = vec![];
+        match Key::list(&mut yk) {
+            Err(e) => warning!("List keys failed: {}", e),
+            Ok(keys) => for k in &keys {
+                let slot_str = format!("{:x}", Into::<u8>::into(k.slot()));
+                if slot_equals(&slot_id, &slot_str) {
+                    let cert = &k.certificate().cert.tbs_certificate;
+                    let certificate = k.certificate();
+                    if let Ok(algorithm_id) = get_algorithm_id_by_certificate(certificate) {
+                        match algorithm_id {
+                            AlgorithmId::EccP256 | AlgorithmId::EccP384 => {
+                                let public_key_bit_string = &cert.subject_public_key_info.subject_public_key;
+                                ec_key_point.extend_from_slice(public_key_bit_string.raw_bytes());
+                                algorithm_id_opt = Some(algorithm_id);
+                            }
+                            _ => return simple_error!("Not P256/384 key: {}", algorithm_id.to_str()),
+                        }
+                    }
+                }
+            }
+        }
+        let algorithm_id = match algorithm_id_opt {
+            None => return simple_error!("Slot key not found!"),
+            Some(algorithm_id) => algorithm_id,
+        };
+        let ec_bit_len = iff!(matches!(algorithm_id, AlgorithmId::EccP256), 256, 384);
+
+        let mut buffer = vec![];
+        buffer.write_bytes("SSHSIG".as_bytes());
+        buffer.write_u32(1);
+
+        let mut public_key = vec![];
+        public_key.write_string(format!("ecdsa-sha2-nistp{}", ec_bit_len).as_bytes());
+        public_key.write_string(format!("nistp{}", ec_bit_len).as_bytes());
+        public_key.write_string(&ec_key_point);
+        buffer.write_string(&public_key);
+        buffer.write_string(namespace.as_bytes());
+        buffer.write_string("".as_bytes());
+        // The supported hash algorithms are "sha256" and "sha512".
+        buffer.write_string("sha512".as_bytes());
+
+        let mut signature = vec![];
+        signature.write_string(format!("ecdsa-sha2-nistp{}", ec_bit_len).as_bytes());
+
+        let data = if is_raw_in {
+            data
+        } else {
+            crate::digest::sha512_bytes(&data)
+        };
+        let mut sign_message = vec![];
+        sign_message.write_bytes("SSHSIG".as_bytes());
+        sign_message.write_string(namespace.as_bytes());
+        sign_message.write_string("".as_bytes());
+        sign_message.write_string("sha512".as_bytes());
+        sign_message.write_string(&data);
+        let tobe_signed_data = if ec_bit_len == 256 {
+            crate::digest::sha256_bytes(&signature)
+        } else {
+            crate::digest::sha384_bytes(&signature)
+        };
+
+        if let Some(pin) = pin_opt {
+            opt_result!(yk.verify_pin(pin.as_bytes()), "YubiKey verify pin failed: {}");
+        }
+        let mut signature_value = vec![];
+        let signed_data = opt_result!(sign_data(&mut yk, &tobe_signed_data, algorithm_id, slot_id), "Sign PIV failed: {}");
+        let (_, parsed_signature) = opt_result!(der_parser::parse_der(signed_data.as_slice()), "Parse signature failed: {}");
+        match parsed_signature.content {
+            BerObjectContent::Sequence(seq) => {
+                match &seq[0].content {
+                    BerObjectContent::Integer(x) => {
+                        signature_value.write_string(x);
+                    }
+                    _ => return simple_error!("Parse signature failed: [0]not integer"),
+                }
+                match &seq[1].content {
+                    BerObjectContent::Integer(y) => {
+                        signature_value.write_string(y);
+                    }
+                    _ => return simple_error!("Parse signature failed: [1]not integer"),
+                }
+            }
+            _ => return simple_error!("Parse signature failed: not sequence"),
+        }
+        signature.write_string(&signature_value);
+        buffer.write_string(&signature);
+
+        let ssh_sig = Pem::new("SSH SIGNATURE", buffer);
+        let ssh_sig_pem = ssh_sig.to_string();
+        println!("{}", ssh_sig_pem);
+
+        Ok(None)
+    }
+}