diff --git a/Cargo.lock b/Cargo.lock
index 40e09d2..f34e140 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1007,7 +1007,7 @@ checksum = "78b3ae25bc7c8c38cec158d1f2757ee79e9b3740fbc7ccf0e59e4b08d793fa89"
 [[package]]
 name = "local-mini-kms"
-version = "1.0.6"
+version = "1.0.7"
 dependencies = [
 "aes-gcm-stream",
 "aes-kw",
diff --git a/Cargo.toml b/Cargo.toml
index 6d9fbfd..6923507 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "local-mini-kms"
-version = "1.0.6"
+version = "1.0.7"
 edition = "2021"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
diff --git a/src/cli.rs b/src/cli.rs
index a269601..e6845d1 100644
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -6,7 +6,7 @@ use clap::{App, Arg, ArgMatches, SubCommand};
 use hyper::body::Buf;
 use hyper::{Body, Client, Method, Request, Response, StatusCode};
 use rust_util::util_clap::{Command, CommandError};
-use rust_util::{debugging, opt_value_result, simple_error, success, XResult};
+use rust_util::{debugging, opt_result, opt_value_result, simple_error, success, XResult};
 use serde_json::{json, Map, Value};
 use crate::jose;
@@ -205,6 +205,19 @@ fn do_offline_init(_arg_matches: &ArgMatches<'_>, _sub_arg_matches: &ArgMatches<
 } else if line.starts_with("base64:") {
 let base64: String = line.chars().skip(7).collect();
 STANDARD.decode(&base64)?
+ } else if line.starts_with("LKMS:") {
+ #[cfg(feature = "yubikey")]
+ {
+ use crate::yubikey_hmac;
+ // Yubikey Hmac encrypted key
+ let challenge = opt_result!(
+ pinentry_util::read_pin(Some("Input yubikey challenge"), Some("Challenge: ")), "Read challenge failed: {}");
+ let derived_key = yubikey_hmac::yubikey_challenge_as_32_bytes(challenge.get_pin().as_bytes())?;
+ let (key, _) = jose::deserialize_jwe_aes(&line, &derived_key)?;
+ key
+ }
+ #[cfg(not(feature = "yubikey"))]
+ return simple_error!("Yubikey feature is not enabled.");
 } else {
 line.as_bytes().to_vec()
 };
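Review bot: In the new `LKMS:` branch of `src/cli.rs`, the pinentry challenge and `derived_key` are key-encrypting material, yet nothing in the hunk clears them after `jose::deserialize_jwe_aes` returns. Whether the types involved wipe themselves on drop is not visible here. If they do not, overwrite `derived_key` before the block ends, or at least record the assumption with a comment such as `// derived_key unwraps the master key: keep it local, never log it, clear it after use`. The second tuple element is discarded with `_`; if that is the JWE header, confirm that `jose` validates the algorithm fields rather than trusting whatever the input line declares. The if/else chain and `do_offline_init` itself start and end outside the hunk.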