hatter/yubikey-piv-pkcs11
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: update pkcs11 piv

Browse Source
This commit is contained in:
Hatter Jiang
2024-07-07 10:15:23 +08:00
parent 781d173b86
commit e1e72ed097
5 changed files with 217 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

136
Cargo.lock generated
View File

@@ -257,7 +257,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "534c5cf6194dfab3db3242765c03bbe257cf92f22b38f6bc0c58d59108a820ba" checksum = "534c5cf6194dfab3db3242765c03bbe257cf92f22b38f6bc0c58d59108a820ba"
dependencies = [ dependencies = [
"libc", "libc",
"windows-sys", "windows-sys 0.52.0",
] ]
[[package]] [[package]]
@@ -351,7 +351,7 @@ version = "0.5.9"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e3d1354bf6b7235cb4a0576c2619fd4ed18183f689b12b006a0ee7329eeff9a5" checksum = "e3d1354bf6b7235cb4a0576c2619fd4ed18183f689b12b006a0ee7329eeff9a5"
dependencies = [ dependencies = [
"windows-sys", "windows-sys 0.52.0",
] ]
[[package]] [[package]]
@@ -409,7 +409,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0c2a198fb6b0eada2a8df47933734e6d35d350665a33a3593d7164fa52c75c19" checksum = "0c2a198fb6b0eada2a8df47933734e6d35d350665a33a3593d7164fa52c75c19"
dependencies = [ dependencies = [
"cfg-if", "cfg-if",
"windows-targets", "windows-targets 0.52.5",
] ]
[[package]] [[package]]
@@ -502,8 +502,11 @@ version = "0.2.18"
dependencies = [ dependencies = [
"native-pkcs11-traits", "native-pkcs11-traits",
"p256", "p256",
"pinentry",
"rand", "rand",
"rpassword",
"rsa", "rsa",
"secrecy",
"serial_test", "serial_test",
"spki", "spki",
"thiserror", "thiserror",
@@ -646,7 +649,7 @@ dependencies = [
"libc", "libc",
"redox_syscall", "redox_syscall",
"smallvec", "smallvec",
"windows-targets", "windows-targets 0.52.5",
] ]
[[package]] [[package]]
@@ -687,12 +690,32 @@ dependencies = [
"base64ct", "base64ct",
] ]
[[package]]
name = "percent-encoding"
version = "2.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e"
[[package]] [[package]]
name = "pin-project-lite" name = "pin-project-lite"
version = "0.2.14" version = "0.2.14"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bda66fc9667c18cb2758a2ac84d1167245054bcf85d5d1aaa6923f45801bdd02" checksum = "bda66fc9667c18cb2758a2ac84d1167245054bcf85d5d1aaa6923f45801bdd02"
[[package]]
name = "pinentry"
version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bfa5b8bc68be6a5e2ba84ee86db53f816cba1905b94fcb7c236e606221cc8fc8"
dependencies = [
"log",
"nom",
"percent-encoding",
"secrecy",
"which",
"zeroize",
]
[[package]] [[package]]
name = "pkcs1" name = "pkcs1"
version = "0.7.5" version = "0.7.5"
@@ -863,6 +886,17 @@ dependencies = [
"subtle", "subtle",
] ]
[[package]]
name = "rpassword"
version = "7.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "80472be3c897911d0137b2d2b9055faf6eeac5b14e324073d83bc17b191d7e3f"
dependencies = [
"libc",
"rtoolbox",
"windows-sys 0.48.0",
]
[[package]] [[package]]
name = "rsa" name = "rsa"
version = "0.9.6" version = "0.9.6"
@@ -884,6 +918,16 @@ dependencies = [
"zeroize", "zeroize",
] ]
[[package]]
name = "rtoolbox"
version = "0.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c247d24e63230cdb56463ae328478bd5eac8b8faa8c69461a77e8e323afac90e"
dependencies = [
"libc",
"windows-sys 0.48.0",
]
[[package]] [[package]]
name = "rustc-hash" name = "rustc-hash"
version = "1.1.0" version = "1.1.0"
@@ -900,7 +944,7 @@ dependencies = [
"errno", "errno",
"libc", "libc",
"linux-raw-sys", "linux-raw-sys",
"windows-sys", "windows-sys 0.52.0",
] ]
[[package]] [[package]]
@@ -1307,13 +1351,37 @@ version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
[[package]]
name = "windows-sys"
version = "0.48.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "677d2418bec65e3338edb076e806bc1ec15693c5d0104683f2efe857f61056a9"
dependencies = [
"windows-targets 0.48.5",
]
[[package]] [[package]]
name = "windows-sys" name = "windows-sys"
version = "0.52.0" version = "0.52.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d" checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d"
dependencies = [ dependencies = [
"windows-targets", "windows-targets 0.52.5",
]
[[package]]
name = "windows-targets"
version = "0.48.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c"
dependencies = [
"windows_aarch64_gnullvm 0.48.5",
"windows_aarch64_msvc 0.48.5",
"windows_i686_gnu 0.48.5",
"windows_i686_msvc 0.48.5",
"windows_x86_64_gnu 0.48.5",
"windows_x86_64_gnullvm 0.48.5",
"windows_x86_64_msvc 0.48.5",
] ]
[[package]] [[package]]
@@ -1322,28 +1390,46 @@ version = "0.52.5"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6f0713a46559409d202e70e28227288446bf7841d3211583a4b53e3f6d96e7eb" checksum = "6f0713a46559409d202e70e28227288446bf7841d3211583a4b53e3f6d96e7eb"
dependencies = [ dependencies = [
"windows_aarch64_gnullvm", "windows_aarch64_gnullvm 0.52.5",
"windows_aarch64_msvc", "windows_aarch64_msvc 0.52.5",
"windows_i686_gnu", "windows_i686_gnu 0.52.5",
"windows_i686_gnullvm", "windows_i686_gnullvm",
"windows_i686_msvc", "windows_i686_msvc 0.52.5",
"windows_x86_64_gnu", "windows_x86_64_gnu 0.52.5",
"windows_x86_64_gnullvm", "windows_x86_64_gnullvm 0.52.5",
"windows_x86_64_msvc", "windows_x86_64_msvc 0.52.5",
] ]
[[package]]
name = "windows_aarch64_gnullvm"
version = "0.48.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8"
[[package]] [[package]]
name = "windows_aarch64_gnullvm" name = "windows_aarch64_gnullvm"
version = "0.52.5" version = "0.52.5"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7088eed71e8b8dda258ecc8bac5fb1153c5cffaf2578fc8ff5d61e23578d3263" checksum = "7088eed71e8b8dda258ecc8bac5fb1153c5cffaf2578fc8ff5d61e23578d3263"
[[package]]
name = "windows_aarch64_msvc"
version = "0.48.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc"
[[package]] [[package]]
name = "windows_aarch64_msvc" name = "windows_aarch64_msvc"
version = "0.52.5" version = "0.52.5"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9985fd1504e250c615ca5f281c3f7a6da76213ebd5ccc9561496568a2752afb6" checksum = "9985fd1504e250c615ca5f281c3f7a6da76213ebd5ccc9561496568a2752afb6"
[[package]]
name = "windows_i686_gnu"
version = "0.48.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e"
[[package]] [[package]]
name = "windows_i686_gnu" name = "windows_i686_gnu"
version = "0.52.5" version = "0.52.5"
@@ -1356,24 +1442,48 @@ version = "0.52.5"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "87f4261229030a858f36b459e748ae97545d6f1ec60e5e0d6a3d32e0dc232ee9" checksum = "87f4261229030a858f36b459e748ae97545d6f1ec60e5e0d6a3d32e0dc232ee9"
[[package]]
name = "windows_i686_msvc"
version = "0.48.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406"
[[package]] [[package]]
name = "windows_i686_msvc" name = "windows_i686_msvc"
version = "0.52.5" version = "0.52.5"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "db3c2bf3d13d5b658be73463284eaf12830ac9a26a90c717b7f771dfe97487bf" checksum = "db3c2bf3d13d5b658be73463284eaf12830ac9a26a90c717b7f771dfe97487bf"
[[package]]
name = "windows_x86_64_gnu"
version = "0.48.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e"
[[package]] [[package]]
name = "windows_x86_64_gnu" name = "windows_x86_64_gnu"
version = "0.52.5" version = "0.52.5"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4e4246f76bdeff09eb48875a0fd3e2af6aada79d409d33011886d3e1581517d9" checksum = "4e4246f76bdeff09eb48875a0fd3e2af6aada79d409d33011886d3e1581517d9"
[[package]]
name = "windows_x86_64_gnullvm"
version = "0.48.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc"
[[package]] [[package]]
name = "windows_x86_64_gnullvm" name = "windows_x86_64_gnullvm"
version = "0.52.5" version = "0.52.5"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "852298e482cd67c356ddd9570386e2862b5673c85bd5f88df9ab6802b334c596" checksum = "852298e482cd67c356ddd9570386e2862b5673c85bd5f88df9ab6802b334c596"
[[package]]
name = "windows_x86_64_msvc"
version = "0.48.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538"
[[package]] [[package]]
name = "windows_x86_64_msvc" name = "windows_x86_64_msvc"
version = "0.52.5" version = "0.52.5"

3
native-pkcs11-piv/Cargo.toml
View File

@@ -15,8 +15,11 @@ p256 = { version = "0.13.2", default-features = false, features = [
"pkcs8", "pkcs8",
"std", "std",
] } ] }
pinentry = "0.5.0"
rand = "0.8.5" rand = "0.8.5"
rpassword = "7.3.1"
rsa = { version = "0.9.6", default-features = false, features = ["std"] } rsa = { version = "0.9.6", default-features = false, features = ["std"] }
secrecy = "0.8.0"
# TODO: temporary workaround for RustCrypto/traits#1262, remove after upgrading # TODO: temporary workaround for RustCrypto/traits#1262, remove after upgrading
# the p256 package past 0.13.0. # the p256 package past 0.13.0.
spki = { version = "0.7.3", features = ["std"] } spki = { version = "0.7.3", features = ["std"] }

43
native-pkcs11-piv/src/piv/backend.rs
View File

@@ -12,7 +12,7 @@
// See the License for the specific language governing permissions and // See the License for the specific language governing permissions and
// limitations under the License. // limitations under the License.
use std::sync::Arc; use std::sync::{Arc, Mutex};
use tracing::instrument; use tracing::instrument;
use yubikey::YubiKey; use yubikey::YubiKey;
@@ -27,14 +27,49 @@ use native_pkcs11_traits::Result as P11Result;
#[derive(Debug, Default)] #[derive(Debug, Default)]
pub struct YubikeyPivBackend { pub struct YubikeyPivBackend {
yubikey: Option<YubiKey>, cached_pin: Mutex<Option<String>>,
yubikey: Mutex<Option<YubiKey>>,
} }
impl YubikeyPivBackend { impl YubikeyPivBackend {
pub fn new() -> Self { pub fn new() -> Self {
YubikeyPivBackend { YubikeyPivBackend::default()
yubikey: None }
fn run_with_yubikey<F>(&self, verify: bool, mut callback: F) -> P11Result<()>
where
F: FnMut(&mut YubiKey) -> P11Result<()>,
{
let mut yubikey = self.yubikey.lock().unwrap();
if yubikey.is_none() {
*yubikey = Some(YubiKey::open()?);
} }
let mut yk = yubikey.as_mut().unwrap();
if verify {
let pin = self.prepare_pin()?;
let verify_result = yk.verify_pin(pin.as_bytes());
if verify_result.is_err() {
self.clear_pin();
}
verify_result?;
}
callback(&mut yk)
}
fn clear_pin(&self) -> () {
let mut cached_pin = self.cached_pin.lock().unwrap();
if cached_pin.is_some() {
*cached_pin = None;
}
}
fn prepare_pin(&self) -> P11Result<String> {
let mut cached_pin = self.cached_pin.lock().unwrap();
if cached_pin.is_none() {
let pin = crate::piv::pinentry::get_pin()?;
*cached_pin = Some(pin);
}
Ok(cached_pin.as_deref().unwrap().to_string())
} }
} }

1
native-pkcs11-piv/src/piv/mod.rs
View File

@@ -23,6 +23,7 @@ use native_pkcs11_traits::SignatureAlgorithm;
mod backend; mod backend;
pub mod certificate; pub mod certificate;
pub mod key; pub mod key;
mod pinentry;
pub type Result<T> = std::result::Result<T, Error>; pub type Result<T> = std::result::Result<T, Error>;

51
native-pkcs11-piv/src/piv/pinentry.rs Normal file
View File

@@ -0,0 +1,51 @@
use std::{env, fs};
use pinentry::PassphraseInput;
use secrecy::ExposeSecret;
const PIN_ENTRY_ENV: &str = "PIN_ENTRY_CMD";
const PIN_ENTRY_1: &str = "/usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac";
const PIN_ENTRY_DEFAULT: &str = "pinentry";
pub fn get_pin() -> Result<String, String> {
let pin_entry = get_pin_entry();
let description = "Please input PIN";
let prompt = "PIN: ";
if let Some(mut input) = PassphraseInput::with_binary(pin_entry) {
let secret = input
.with_description(&format!("{}.", description))
.with_prompt(prompt)
.interact();
match secret {
Ok(secret_string) => {
Ok(secret_string.expose_secret().to_string())
}
Err(e) => {
Err(format!("Read PIN failed: {}", e))
}
}
} else {
match rpassword::prompt_password(format!("{}: ", description)) {
Ok(pin) => {
Ok(pin)
}
Err(e) => {
Err(format!("Read PIN2 failed: {}", e))
}
}
}
}
fn get_pin_entry() -> String {
if let Ok(pin_entry) = env::var(PIN_ENTRY_ENV) {
return pin_entry;
}
if let Ok(m) = fs::metadata(PIN_ENTRY_1) {
if m.is_file() {
return PIN_ENTRY_1.to_string();
}
}
PIN_ENTRY_DEFAULT.to_string()
}