diff --git a/Cargo.lock b/Cargo.lock index 84c4d09..475b2d3 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1596,18 +1596,18 @@ checksum = "f79dfe2d285b0488816f30e700a7438c5a73d816b5b7d3ac72fbc48b0d185e03" [[package]] name = "serde" -version = "1.0.217" +version = "1.0.219" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "02fc4265df13d6fa1d00ecff087228cc0a2b5f3c0e87e258d8b94a156e984c70" +checksum = "5f0e2c6ed6606019b4e29e69dbaba95b11854410e5347d525002456dbbb786b6" dependencies = [ "serde_derive", ] [[package]] name = "serde_derive" -version = "1.0.217" +version = "1.0.219" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5a9bf7cf98d04a2b28aead066b7496853d4779c9cc183c440dbac457641e19a0" +checksum = "5b0276cf7f2c73365f7157c8123c21cd9a50fbbd844757af28ca1f5925fc2a00" dependencies = [ "proc-macro2", "quote", @@ -1616,9 +1616,9 @@ dependencies = [ [[package]] name = "serde_json" -version = "1.0.138" +version = "1.0.140" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d434192e7da787e94a6ea7e9670b26a036d0ca41e0b7efb2676dd32bae872949" +checksum = "20068b6e96dc6c9bd23e01df8827e6c7e1f2fddd43c21810382803c136b99373" dependencies = [ "itoa", "memchr", @@ -1716,13 +1716,15 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" [[package]] name = "swift-secure-enclave-tool-rs" -version = "0.1.1" +version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1de60ab30b0f344a083df555373a2f419a0682f1a5d76c9f845abe696230caba" +checksum = "781e2858f6440fba7a8979be69cad4dfbfd6488052f782f84d66141ec3af56a8" dependencies = [ "base64 0.22.1", "hex", "rust_util", + "serde", + "serde_json", ] [[package]] @@ -1880,7 +1882,7 @@ dependencies = [ [[package]] name = "tiny-encrypt" -version = "1.9.2" +version = "1.9.3" dependencies = [ "aes-gcm-stream", "base64 0.22.1", diff --git a/Cargo.toml b/Cargo.toml index aad39c8..5ebbfa2 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "tiny-encrypt" -version = "1.9.2" +version = "1.9.3" edition = "2021" license = "MIT" description = "A simple and tiny file encrypt tool" @@ -51,7 +51,7 @@ pinentry = "0.6" secrecy = "0.10" dialoguer = "0.11" ctrlc = "3.4" -swift-secure-enclave-tool-rs = "0.1" +swift-secure-enclave-tool-rs = "1.0" [profile.release] codegen-units = 1 diff --git a/src/cmd_initkeychain.rs b/src/cmd_initkeychain.rs index 4406cbb..8e76c41 100644 --- a/src/cmd_initkeychain.rs +++ b/src/cmd_initkeychain.rs @@ -1,7 +1,7 @@ use clap::Args; use pqcrypto_traits::kem::PublicKey; use rust_util::{debugging, information, opt_result, simple_error, success, warning, XResult}; - +use swift_secure_enclave_tool_rs::ControlFlag; use crate::config::TinyEncryptConfigEnvelop; use crate::spec::TinyEncryptEnvelopType; use crate::util_keychainkey; @@ -14,6 +14,10 @@ pub struct CmdInitKeychain { #[arg(long, short = 'S')] pub secure_enclave: bool, + /// Secure Enclave control flag, e.g. none, user-presence, device-passcode, biometry-any, biometry-current-set + #[arg(long, short = 'C')] + pub secure_enclave_control_flag: Option, + /// Expose secure enclave private key data #[arg(long, short = 'E')] pub expose_secure_enclave_private_key: bool, @@ -54,7 +58,19 @@ pub fn keychain_key_se(cmd_init_keychain: CmdInitKeychain) -> XResult<()> { let service_name = cmd_init_keychain.server_name.as_deref().unwrap_or(DEFAULT_SERVICE_NAME); let key_name = &cmd_init_keychain.key_name; - let (public_key_hex, private_key_base64) = util_keychainkey::generate_se_p256_keypair()?; + let control_flag = match &cmd_init_keychain.secure_enclave_control_flag { + None => return simple_error!("Parameter --secure-enclave-control-flag required"), + Some(control_flag) => match control_flag.as_str() { + "none" => ControlFlag::None, + "user-presence" | "up" => ControlFlag::UserPresence, + "device-passcode" | "passcode" | "pass" => ControlFlag::DevicePasscode, + "biometry-any" | "bio-any" => ControlFlag::BiometryAny, + "biometry-current-set" | "bio-current" => ControlFlag::BiometryCurrentSet, + _ => return simple_error!("Invalid control flag: {}", control_flag), + } + }; + + let (public_key_hex, private_key_base64) = util_keychainkey::generate_se_p256_keypair(control_flag)?; let public_key_compressed_hex = public_key_hex.chars() .skip(2).take(public_key_hex.len() / 2 - 1).collect::(); let saved_arg0 = if cmd_init_keychain.expose_secure_enclave_private_key { diff --git a/src/util_keychainkey.rs b/src/util_keychainkey.rs index 5936c0b..a22bb8d 100644 --- a/src/util_keychainkey.rs +++ b/src/util_keychainkey.rs @@ -1,7 +1,7 @@ use base64::engine::general_purpose::STANDARD; use base64::Engine; use rust_util::{simple_error, XResult}; -use swift_secure_enclave_tool_rs::KeyPurpose; +use swift_secure_enclave_tool_rs::{ControlFlag, KeyPurpose}; pub fn is_support_se() -> bool { swift_secure_enclave_tool_rs::is_secure_enclave_supported().unwrap_or(false) @@ -19,12 +19,12 @@ pub fn decrypt_data( Ok(shared_secret) } -pub fn generate_se_p256_keypair() -> XResult<(String, String)> { +pub fn generate_se_p256_keypair(control_flag: ControlFlag) -> XResult<(String, String)> { if !is_support_se() { return simple_error!("Secure enclave is not supported."); } let key_material = - swift_secure_enclave_tool_rs::generate_keypair(KeyPurpose::KeyAgreement, true)?; + swift_secure_enclave_tool_rs::generate_keypair(KeyPurpose::KeyAgreement, control_flag)?; Ok(( hex::encode(&key_material.public_key_point), STANDARD.encode(&key_material.private_key_representation),