97 lines
4.0 KiB
Rust
97 lines
4.0 KiB
Rust
use crate::digest::sha256_bytes;
|
|
use crate::pivutil;
|
|
use crate::pivutil::{get_algorithm_id_by_certificate, slot_equals, ToStr};
|
|
use crate::sshutil::SshVecWriter;
|
|
use base64::engine::general_purpose::STANDARD;
|
|
use base64::Engine;
|
|
use clap::{App, Arg, ArgMatches, SubCommand};
|
|
use rust_util::util_clap::{Command, CommandError};
|
|
use yubikey::piv::AlgorithmId;
|
|
use yubikey::{Key, YubiKey};
|
|
|
|
pub struct CommandImpl;
|
|
|
|
impl Command for CommandImpl {
|
|
fn name(&self) -> &str { "ssh-pub-key" }
|
|
|
|
fn subcommand<'a>(&self) -> App<'a, 'a> {
|
|
SubCommand::with_name(self.name()).about("SSH public key subcommand")
|
|
.arg(Arg::with_name("slot").short("s").long("slot").takes_value(true).help("PIV slot, e.g. 82, 83 ... 95, 9a, 9c, 9d, 9e"))
|
|
.arg(Arg::with_name("ca").long("ca").help("SSH cert-authority"))
|
|
}
|
|
|
|
fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError {
|
|
let slot = opt_value_result!(sub_arg_matches.value_of("slot"), "--slot must assigned, e.g. 82, 83 ... 95, 9a, 9c, 9d, 9e");
|
|
let ca = sub_arg_matches.is_present("ca");
|
|
let mut yk = opt_result!(YubiKey::open(), "YubiKey not found: {}");
|
|
let slot_id = pivutil::get_slot_id(slot)?;
|
|
|
|
let mut algorithm_id_opt = None;
|
|
let mut ec_key_point = vec![];
|
|
match Key::list(&mut yk) {
|
|
Err(e) => warning!("List keys failed: {}", e),
|
|
Ok(keys) => for k in &keys {
|
|
let slot_str = format!("{:x}", Into::<u8>::into(k.slot()));
|
|
if slot_equals(&slot_id, &slot_str) {
|
|
let cert = &k.certificate().cert.tbs_certificate;
|
|
let certificate = k.certificate();
|
|
if let Ok(algorithm_id) = get_algorithm_id_by_certificate(certificate) {
|
|
match algorithm_id {
|
|
AlgorithmId::EccP256 | AlgorithmId::EccP384 => {
|
|
let public_key_bit_string = &cert.subject_public_key_info.subject_public_key;
|
|
ec_key_point.extend_from_slice(public_key_bit_string.raw_bytes());
|
|
algorithm_id_opt = Some(algorithm_id);
|
|
}
|
|
_ => return simple_error!("Not P256/384 key: {}", algorithm_id.to_str()),
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
let algorithm_id = match algorithm_id_opt {
|
|
None => return simple_error!("Slot key not found!"),
|
|
Some(algorithm_id) => algorithm_id,
|
|
};
|
|
|
|
let ssh_algorithm = match algorithm_id {
|
|
AlgorithmId::Rsa1024 | AlgorithmId::Rsa2048 => panic!("Not supported."),
|
|
AlgorithmId::EccP256 => "nistp256",
|
|
AlgorithmId::EccP384 => "nistp384",
|
|
};
|
|
|
|
information!("SSH algorithm: {}", ssh_algorithm);
|
|
information!("ECDSA public key: {}", hex::encode(&ec_key_point));
|
|
|
|
// ECDSA SSH public key format:
|
|
// string ecdsa-sha2-[identifier]
|
|
// byte[n] ecc_key_blob
|
|
//
|
|
// ecc_key_blob:
|
|
// string [identifier]
|
|
// string Q
|
|
//
|
|
// [identifier] will be nistp256 or nistp384
|
|
let mut ssh_pub_key = vec![];
|
|
ssh_pub_key.write_string(format!("ecdsa-sha2-{}", ssh_algorithm).as_bytes());
|
|
let mut ecc_key_blob = vec![];
|
|
ecc_key_blob.write_string(ssh_algorithm.as_bytes());
|
|
ecc_key_blob.write_string(&ec_key_point);
|
|
ssh_pub_key.write_bytes(&ecc_key_blob);
|
|
|
|
let ssh_pub_key_sha256 = sha256_bytes(&ssh_pub_key);
|
|
information!("SSH key SHA256: {} (base64)", STANDARD.encode(&ssh_pub_key_sha256));
|
|
information!("SSH key SHA256: {} (hex)", hex::encode(&ssh_pub_key_sha256));
|
|
println!();
|
|
|
|
println!(
|
|
"{}ecdsa-sha2-{} {} Yubikey-PIV-{}",
|
|
if ca { "cert-authority,principals=\"root\" " } else { "" },
|
|
ssh_algorithm,
|
|
STANDARD.encode(&ssh_pub_key),
|
|
slot_id
|
|
);
|
|
|
|
Ok(None)
|
|
}
|
|
}
|