use std::time::SystemTime; use clap::{App, Arg, ArgMatches, SubCommand}; use rust_util::{util_msg, XResult}; use rust_util::util_clap::{Command, CommandError}; use serde::{Deserialize, Serialize}; use spki::der::Encode; use x509_parser::nom::AsBytes; use yubikey::{Key, YubiKey}; use yubikey::piv::{sign_data, SlotId}; use crate::{argsutil, pivutil}; use crate::digest::sha256_bytes; use crate::util::base64_encode; pub const SIMPLE_SIG_V1: &str = "v1"; pub const SIMPLE_SIG_SPECIFICATION: &str = "https://openwebstandard.org/simple-sign-file/v1"; pub const HASH_ALGORITHM_SHA256: &str = "sha256"; pub const SIGNATURE_ALGORITHM_SHA256_WITH_ECDSA: &str = "SHA256withECDSA"; pub const CERTIFICATES_SEARCH_URL: &str = "https://hatter.ink/ca/fetch_certificates.json?fingerprint="; pub struct SignFileRequest { pub filename: Option, pub digest: Vec, pub timestamp: i64, pub attributes: Option, pub comment: Option, } impl SignFileRequest { pub fn get_tobe_signed(&self) -> Vec { let mut tobe_signed = vec![]; // "v1"||TLV(filename)||TLV(timestamp)||TLV(attributes)||TLV(comment)||TLV(digest) debugging!("Tobe signed version: {}", SIMPLE_SIG_V1); tobe_signed.extend_from_slice(SIMPLE_SIG_V1.as_bytes()); let tobe_signed_filename = SignFileTlv::Filename(self.filename.clone()).to_byes(); debugging!("Tobe signed filename: {} ({:?})", hex::encode(&tobe_signed_filename), &self.filename); tobe_signed.extend_from_slice(&tobe_signed_filename); let tobe_signed_timestamp = SignFileTlv::Timestamp(self.timestamp.clone()).to_byes(); debugging!("Tobe signed timestamp: {} ({})", hex::encode(&tobe_signed_timestamp), &self.timestamp); tobe_signed.extend_from_slice(&tobe_signed_timestamp); let tobe_signed_attributes = SignFileTlv::Attributes(self.attributes.clone()).to_byes(); debugging!("Tobe signed attributes: {} ({:?})", hex::encode(&tobe_signed_attributes), &self.attributes); tobe_signed.extend_from_slice(&tobe_signed_attributes); let tobe_signed_comment = SignFileTlv::Comment(self.comment.clone()).to_byes(); debugging!("Tobe signed comment: {} ({:?})", hex::encode(&tobe_signed_comment), &self.comment); tobe_signed.extend_from_slice(&tobe_signed_comment); let tobe_signed_digest = SignFileTlv::Digest(self.digest.clone()).to_byes(); debugging!("Tobe signed digest: {}", hex::encode(&tobe_signed_digest)); tobe_signed.extend_from_slice(&tobe_signed_digest); tobe_signed } } pub enum SignFileTlv { Filename(Option), Timestamp(i64), Attributes(Option), Comment(Option), Digest(Vec), } impl SignFileTlv { pub fn tag(&self) -> u8 { match self { SignFileTlv::Filename(_) => 0, SignFileTlv::Timestamp(_) => 1, SignFileTlv::Attributes(_) => 2, SignFileTlv::Comment(_) => 3, SignFileTlv::Digest(_) => 254, } } pub fn to_byes(&self) -> Vec { let mut bytes = vec![]; bytes.push(self.tag()); match self { SignFileTlv::Timestamp(timestamp) => { bytes.extend_from_slice(×tamp.to_be_bytes()); } SignFileTlv::Filename(value) | SignFileTlv::Attributes(value) | SignFileTlv::Comment(value) => { Self::extends_bytes(&mut bytes, match value { None => &[], Some(value) => value.as_bytes(), }); } SignFileTlv::Digest(digest) => { Self::extends_bytes(&mut bytes, digest); } } bytes } fn extends_bytes(bytes: &mut Vec, b: &[u8]) { if b.len() > u16::MAX as usize { panic!("Cannot more than: {}", u16::MAX); } bytes.extend_from_slice(&(b.len() as u16).to_be_bytes()); bytes.extend_from_slice(b); } } #[derive(Serialize)] pub struct SimpleSignFileSignature { pub algorithm: String, pub signature: String, pub certificates: Vec, } #[derive(Serialize)] pub struct SimpleSignFile { pub specification: String, #[serde(skip_serializing_if = "Option::is_none")] pub filename: Option, pub digest: String, pub timestamp: i64, #[serde(skip_serializing_if = "Option::is_none")] pub attributes: Option, #[serde(skip_serializing_if = "Option::is_none")] pub comment: Option, pub signatures: Vec, } pub struct CommandImpl; // Format: // { // "specification": "https://openwebstandard.org/simple-sign-file/v1", // "version": "v1", // "filename": "example.zip", // "digest": "HEX(SHA256(filename-content))", // "timestamp": 1700964163340, // "attributes": "****", // "comment": "***", // "signatures": [{ // "algorithm": "SHA256withECDSA", // "signature": "Base64(Sign(SHA256("v1"||TLV(filename)||TLV(timestamp)||TLV(attributes)||TLV(comment)||TLV(digest))))", // "certificates": ["-----BEGIN CERTIFICATE-----\n*****\n-----END CERTIFICATE-----", ...] // }] // } // v1 only support SHA256 // all hex is in lower case default // file ext: *.simple-sig impl Command for CommandImpl { fn name(&self) -> &str { "sign-file" } fn subcommand<'a>(&self) -> App<'a, 'a> { SubCommand::with_name(self.name()).about("PIV Sign(with SHA256) subcommand") .arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).help("PIV card user pin")) .arg(Arg::with_name("slot").short("s").long("slot").takes_value(true).required(true).help("PIV slot, e.g. 82, 83 ... 95, 9a, 9c, 9d, 9e")) .arg(Arg::with_name("file").short("f").long("file").takes_value(true).required(true).help("Input file")) .arg(Arg::with_name("filename").short("n").long("filename").takes_value(true).help("Filename")) .arg(Arg::with_name("comment").short("c").long("comment").takes_value(true).help("Comment")) .arg(Arg::with_name("attributes").short("a").long("attributes").takes_value(true).help("Attributes")) } fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError { util_msg::set_logger_std_out(false); let filename_opt = sub_arg_matches.value_of("filename").map(ToString::to_string); let comment_opt = sub_arg_matches.value_of("comment").map(ToString::to_string); let attributes_opt = sub_arg_matches.value_of("attributes").map(ToString::to_string); let pin_opt = sub_arg_matches.value_of("pin"); let slot = opt_value_result!(sub_arg_matches.value_of("slot"), "--slot must assigned, e.g. 82, 83 ... 95, 9a, 9c, 9d, 9e"); // TODO read from stream not in memory let file_digest = argsutil::get_sha256_digest_or_hash(sub_arg_matches)?; debugging!("File digest: {}", hex::encode(&file_digest)); let mut yk = opt_result!(YubiKey::open(), "YubiKey not found: {}"); let slot_id = pivutil::get_slot_id(slot)?; let key = find_key(&mut yk, &slot_id)?; let key = opt_value_result!(key, "Cannot find key in slot: {}", slot_id); let certificate = key.certificate(); let tbs_certificate = &certificate.cert.tbs_certificate; let spki_der = opt_result!(tbs_certificate.subject_public_key_info.to_der(), "SPKI to DER failed: {}"); debugging!("Slot public DER: {}", hex::encode(&spki_der)); let spki_der_fingerprint = hex::encode(sha256_bytes(&spki_der)); debugging!("Slot public fingerprint: {}", &spki_der_fingerprint); let certificates = fetch_certificates(&spki_der_fingerprint)?; let algorithm_id = opt_result!( pivutil::get_algorithm_id_by_certificate(certificate), "Get slot key algorithm failed: {}"); debugging!("PIV algorithm: {:?}", algorithm_id); if let Some(pin) = pin_opt { debugging!("PIN is assigned."); opt_result!(yk.verify_pin(pin.as_bytes()), "YubiKey verify pin failed: {}"); } let sign_file_request = SignFileRequest { filename: filename_opt, digest: file_digest.clone(), timestamp: SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap().as_millis() as i64, attributes: attributes_opt, comment: comment_opt, }; let tobe_signed = sign_file_request.get_tobe_signed(); debugging!("Tobe signed: {}", hex::encode(&tobe_signed)); let tobe_signed_digest = sha256_bytes(&tobe_signed); debugging!("Tobe signed digest: {}", hex::encode(&tobe_signed_digest)); let signed_data = opt_result!(sign_data(&mut yk, &tobe_signed_digest, algorithm_id, slot_id), "Sign PIV failed: {}"); let signature_bytes = signed_data.as_slice(); debugging!("Tobe signed signature: {}", hex::encode(&signature_bytes)); let signature = SimpleSignFileSignature { algorithm: SIGNATURE_ALGORITHM_SHA256_WITH_ECDSA.to_string(), signature: format!("{}", base64_encode(&signature_bytes)), certificates, }; let simple_sig = SimpleSignFile { specification: SIMPLE_SIG_SPECIFICATION.to_string(), filename: sign_file_request.filename.clone(), digest: format!("{}-{}", HASH_ALGORITHM_SHA256, hex::encode(&sign_file_request.digest)), timestamp: sign_file_request.timestamp, attributes: sign_file_request.attributes.clone(), comment: sign_file_request.comment.clone(), signatures: vec![signature], }; println!("{}", serde_json::to_string_pretty(&simple_sig).unwrap()); Ok(None) } } #[derive(Deserialize)] struct FetchCertificateResponseData { pub certificates: Vec, } #[derive(Deserialize)] struct FetchCertificateResponse { pub status: i32, pub message: String, pub data: Option, } fn fetch_certificates(fingerprint: &str) -> XResult> { let url = format!("{}{}", CERTIFICATES_SEARCH_URL, fingerprint); let certificates_response = opt_result!( reqwest::blocking::get(&url), "Fetch certificates failed: {}"); let certificates_response_bytes = opt_result!(certificates_response.bytes(), "Fetch certificates failed: {}"); let response = opt_result!( serde_json::from_slice::(certificates_response_bytes.as_bytes()), "Parse fetch certificates response failed: {}"); if response.status != 200 { return simple_error!("Fetch certificates failed, status: {}, message: {}", response.status, response.message); } match response.data { None => simple_error!("Fetch certificates failed, empty."), Some(data) => Ok(data.certificates), } } fn find_key(yk: &mut YubiKey, slot_id: &SlotId) -> XResult> { match Key::list(yk) { Err(e) => warning!("List keys failed: {}", e), Ok(keys) => for k in keys { let slot_str = format!("{:x}", Into::::into(k.slot())); if pivutil::slot_equals(slot_id, &slot_str) { return Ok(Some(k)); } } } Ok(None) }