feat: v1.4.0, support PIV RSA key

2023-12-10 09:58:08 +08:00
parent b15b9a5b32
commit d0218ee233
11 changed files with 90 additions and 15 deletions
--- a/src/cmd_decrypt.rs
+++ b/src/cmd_decrypt.rs
@@ -28,7 +28,7 @@ use crate::consts::{
 };
 use crate::crypto_cryptor::{Cryptor, KeyNonce};
 use crate::spec::{EncEncryptedMeta, TinyEncryptEnvelop, TinyEncryptEnvelopType, TinyEncryptMeta};
-use crate::util::SecVec;
+use crate::util::{decode_base64, SecVec};
 use crate::util_digest::DigestWrite;
 #[cfg(feature = "secure-enclave")]
 use crate::util_keychainkey;
@@ -439,6 +439,7 @@ pub fn try_decrypt_key(config: &Option<TinyEncryptConfig>,
        TinyEncryptEnvelopType::PivP256 | TinyEncryptEnvelopType::PivP384 => try_decrypt_piv_key_ecdh(config, envelop, pin, slot),
        #[cfg(feature = "secure-enclave")]
        TinyEncryptEnvelopType::KeyP256 => try_decrypt_se_key_ecdh(config, envelop),
+        TinyEncryptEnvelopType::PivRsa => try_decrypt_piv_key_rsa(config, envelop, pin, slot),
        unknown_type => simple_error!("Unknown or unsupported type: {}", unknown_type.get_name()),
    }
 }
@@ -483,6 +484,42 @@ fn try_decrypt_piv_key_ecdh(config: &Option<TinyEncryptConfig>,
    Ok(decrypted_key)
 }

+fn try_decrypt_piv_key_rsa(config: &Option<TinyEncryptConfig>,
+                           envelop: &TinyEncryptEnvelop,
+                           pin: &Option<String>,
+                           slot: &Option<String>) -> XResult<Vec<u8>> {
+    let encrypted_key_bytes = opt_result!(decode_base64(&envelop.encrypted_key), "Decode encrypt key failed: {}");
+
+    let slot = util_piv::read_piv_slot(config, &envelop.kid, slot)?;
+    let pin = util::read_pin(pin);
+
+    let mut yk = opt_result!(YubiKey::open(), "YubiKey not found: {}");
+    let slot_id = util_piv::get_slot_id(&slot)?;
+    opt_result!(yk.verify_pin(pin.as_bytes()), "YubiKey verify pin failed: {}");
+
+    let key = opt_result!(decrypt_data(
+                &mut yk,
+                &encrypted_key_bytes,
+                AlgorithmId::Rsa2048,
+                slot_id,
+            ), "Decrypt via PIV card failed: {}");
+    let key_bytes = key.as_slice();
+    if !key_bytes.starts_with(&[0x00, 0x02]) {
+        return simple_error!("RSA decrypted in error format: {}", hex::encode(key_bytes));
+    }
+    let after_2nd_0_bytes = key_bytes.iter()
+        .skip(1)
+        .skip_while(|b| **b != 0x00)
+        .skip(1)
+        .copied()
+        .collect::<Vec<_>>();
+
+    information!(">>>>>>>> {:?}", &after_2nd_0_bytes);
+    util::zeroize(pin);
+    util::zeroize(key);
+    Ok(after_2nd_0_bytes)
+}
+
 #[cfg(feature = "secure-enclave")]
 fn try_decrypt_se_key_ecdh(config: &Option<TinyEncryptConfig>,
                           envelop: &TinyEncryptEnvelop) -> XResult<Vec<u8>> {