72 lines
3.1 KiB
Rust
72 lines
3.1 KiB
Rust
use std::collections::BTreeMap;
|
|
use std::str::FromStr;
|
|
|
|
use clap::{App, Arg, ArgMatches, SubCommand};
|
|
use rust_util::util_clap::{Command, CommandError};
|
|
use rust_util::util_msg;
|
|
use x509_parser::nom::AsBytes;
|
|
use yubikey::YubiKey;
|
|
use yubikey::piv::{AlgorithmId, RetiredSlotId, sign_data, SlotId};
|
|
use crate::digest::sha256;
|
|
|
|
pub struct CommandImpl;
|
|
|
|
impl Command for CommandImpl {
|
|
fn name(&self) -> &str { "piv-ecsign" }
|
|
|
|
fn subcommand<'a>(&self) -> App<'a, 'a> {
|
|
SubCommand::with_name(self.name()).about("PIV EC Sign subcommand")
|
|
.arg(Arg::with_name("pin").short("p").long("pin").takes_value(true).help("PIV card user pin"))
|
|
.arg(Arg::with_name("slot").short("s").long("slot").takes_value(true).help("PIV slot, e.g. 82, 83 ..."))
|
|
.arg(Arg::with_name("hash-hex").short("x").long("hash-hex").takes_value(true).help("Hash"))
|
|
.arg(Arg::with_name("input").short("i").long("input").takes_value(true).help("Input"))
|
|
.arg(Arg::with_name("json").long("json").help("JSON output"))
|
|
}
|
|
|
|
fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError {
|
|
let json_output = sub_arg_matches.is_present("json");
|
|
if json_output { util_msg::set_logger_std_out(false); }
|
|
|
|
let mut json = BTreeMap::<&'_ str, String>::new();
|
|
|
|
let pin_opt = sub_arg_matches.value_of("pin");
|
|
|
|
let slot = opt_value_result!(sub_arg_matches.value_of("slot"), "--slot must assigned, e.g. 82, 83 ...");
|
|
let hash_hex = if let Some(input) = sub_arg_matches.value_of("input") {
|
|
hex::encode(sha256(input))
|
|
} else {
|
|
opt_value_result!(sub_arg_matches.value_of("hash-hex"), "--hash-hex must assigned").to_string()
|
|
};
|
|
|
|
let mut yk = opt_result!(YubiKey::open(), "YubiKey not found: {}");
|
|
let retired_slot_id = opt_result!(RetiredSlotId::from_str(slot), "Slot not found: {}");
|
|
debugging!("Slot id: {}", retired_slot_id);
|
|
let slot_id = SlotId::Retired(retired_slot_id);
|
|
|
|
if let Some(pin) = pin_opt {
|
|
opt_result!(yk.verify_pin(pin.as_bytes()), "YubiKey verify pin failed: {}");
|
|
}
|
|
|
|
let hash_bytes = opt_result!(hex::decode(&hash_hex), "Parse epk failed: {}");
|
|
|
|
let signed_data = opt_result!(sign_data(&mut yk, &hash_bytes, AlgorithmId::EccP256, slot_id), "Sign piv failed: {}");
|
|
|
|
if json_output {
|
|
json.insert("slot", slot.to_string());
|
|
json.insert("hash_hex", hex::encode(&hash_bytes));
|
|
json.insert("signed_data_hex", hex::encode(&signed_data.as_bytes()));
|
|
json.insert("signed_data_base64", base64::encode(&signed_data.as_bytes()));
|
|
} else {
|
|
information!("Slot: {}", slot);
|
|
information!("Hash hex: {}", hex::encode(&hash_bytes));
|
|
information!("Signed data base64: {}", base64::encode(&signed_data.as_bytes()));
|
|
information!("Signed data hex: {}", hex::encode(&signed_data.as_bytes()));
|
|
}
|
|
|
|
if json_output {
|
|
println!("{}", serde_json::to_string_pretty(&json).unwrap());
|
|
}
|
|
Ok(None)
|
|
}
|
|
}
|