Merge pull request #11 from str4d/recipient-rework
Rework Recipient to wrap p256::PublicKey
This commit is contained in:
Generated
-1
@@ -47,7 +47,6 @@ dependencies = [
|
|||||||
"chrono",
|
"chrono",
|
||||||
"console",
|
"console",
|
||||||
"dialoguer",
|
"dialoguer",
|
||||||
"elliptic-curve",
|
|
||||||
"env_logger",
|
"env_logger",
|
||||||
"gumdrop",
|
"gumdrop",
|
||||||
"hex",
|
"hex",
|
||||||
|
|||||||
@@ -17,7 +17,6 @@ bech32 = "0.8"
|
|||||||
chrono = "0.4"
|
chrono = "0.4"
|
||||||
console = "0.14"
|
console = "0.14"
|
||||||
dialoguer = "0.8"
|
dialoguer = "0.8"
|
||||||
elliptic-curve = "0.8"
|
|
||||||
env_logger = "0.8"
|
env_logger = "0.8"
|
||||||
gumdrop = "0.8"
|
gumdrop = "0.8"
|
||||||
hex = "0.4"
|
hex = "0.4"
|
||||||
|
|||||||
+3
-7
@@ -78,13 +78,9 @@ impl IdentityBuilder {
|
|||||||
let keys = Key::list(yubikey)?;
|
let keys = Key::list(yubikey)?;
|
||||||
USABLE_SLOTS
|
USABLE_SLOTS
|
||||||
.iter()
|
.iter()
|
||||||
.find(|&&slot| {
|
.find(|&&slot| !keys.iter().any(|key| key.slot() == SlotId::Retired(slot)))
|
||||||
keys.iter()
|
|
||||||
.find(|key| key.slot() == SlotId::Retired(slot))
|
|
||||||
.is_none()
|
|
||||||
})
|
|
||||||
.cloned()
|
.cloned()
|
||||||
.ok_or(Error::NoEmptySlots(yubikey.serial()))?
|
.ok_or_else(|| Error::NoEmptySlots(yubikey.serial()))?
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -113,7 +109,7 @@ impl IdentityBuilder {
|
|||||||
|
|
||||||
let recipient = match &generated {
|
let recipient = match &generated {
|
||||||
PublicKeyInfo::EcP256(pubkey) => {
|
PublicKeyInfo::EcP256(pubkey) => {
|
||||||
Recipient::from_pubkey(*pubkey).expect("YubiKey generates a valid pubkey")
|
Recipient::from_encoded(pubkey).expect("YubiKey generates a valid pubkey")
|
||||||
}
|
}
|
||||||
_ => unreachable!(),
|
_ => unreachable!(),
|
||||||
};
|
};
|
||||||
|
|||||||
+13
-13
@@ -137,7 +137,7 @@ fn identity(opts: PluginOptions) -> Result<(), Error> {
|
|||||||
// - Only P-256 keys are compatible with us.
|
// - Only P-256 keys are compatible with us.
|
||||||
match (key.slot(), key.certificate().subject_pki()) {
|
match (key.slot(), key.certificate().subject_pki()) {
|
||||||
(SlotId::Retired(slot), PublicKeyInfo::EcP256(pubkey)) => {
|
(SlotId::Retired(slot), PublicKeyInfo::EcP256(pubkey)) => {
|
||||||
p256::Recipient::from_pubkey(*pubkey).map(|r| (key, slot, r))
|
p256::Recipient::from_encoded(pubkey).map(|r| (key, slot, r))
|
||||||
}
|
}
|
||||||
_ => None,
|
_ => None,
|
||||||
}
|
}
|
||||||
@@ -205,7 +205,7 @@ fn list(all: bool) -> Result<(), Error> {
|
|||||||
|
|
||||||
// Only P-256 keys are compatible with us.
|
// Only P-256 keys are compatible with us.
|
||||||
let recipient = match key.certificate().subject_pki() {
|
let recipient = match key.certificate().subject_pki() {
|
||||||
PublicKeyInfo::EcP256(pubkey) => match p256::Recipient::from_pubkey(*pubkey) {
|
PublicKeyInfo::EcP256(pubkey) => match p256::Recipient::from_encoded(pubkey) {
|
||||||
Some(recipient) => recipient,
|
Some(recipient) => recipient,
|
||||||
None => continue,
|
None => continue,
|
||||||
},
|
},
|
||||||
@@ -265,8 +265,8 @@ fn main() -> Result<(), Error> {
|
|||||||
if let Some(state_machine) = opts.age_plugin {
|
if let Some(state_machine) = opts.age_plugin {
|
||||||
run_state_machine(
|
run_state_machine(
|
||||||
&state_machine,
|
&state_machine,
|
||||||
|| plugin::RecipientPlugin::default(),
|
plugin::RecipientPlugin::default,
|
||||||
|| plugin::IdentityPlugin::default(),
|
plugin::IdentityPlugin::default,
|
||||||
)?;
|
)?;
|
||||||
Ok(())
|
Ok(())
|
||||||
} else if opts.generate {
|
} else if opts.generate {
|
||||||
@@ -279,17 +279,17 @@ fn main() -> Result<(), Error> {
|
|||||||
list(true)
|
list(true)
|
||||||
} else {
|
} else {
|
||||||
eprintln!("✨ Let's get your YubiKey set up for age! ✨");
|
eprintln!("✨ Let's get your YubiKey set up for age! ✨");
|
||||||
eprintln!("");
|
eprintln!();
|
||||||
eprintln!("This tool can create a new age identity in a free slot of your YubiKey.");
|
eprintln!("This tool can create a new age identity in a free slot of your YubiKey.");
|
||||||
eprintln!("It will generate an identity file that you can use with an age client,");
|
eprintln!("It will generate an identity file that you can use with an age client,");
|
||||||
eprintln!("along with the corresponding recipient.");
|
eprintln!("along with the corresponding recipient.");
|
||||||
eprintln!("");
|
eprintln!();
|
||||||
eprintln!("If you are already using a YubiKey with age, you can select an existing");
|
eprintln!("If you are already using a YubiKey with age, you can select an existing");
|
||||||
eprintln!("slot to recreate its corresponding identity file and recipient.");
|
eprintln!("slot to recreate its corresponding identity file and recipient.");
|
||||||
eprintln!("");
|
eprintln!();
|
||||||
eprintln!("When asked below to select an option, use the up/down arrow keys to");
|
eprintln!("When asked below to select an option, use the up/down arrow keys to");
|
||||||
eprintln!("make your choice, or press [Esc] or [q] to quit.");
|
eprintln!("make your choice, or press [Esc] or [q] to quit.");
|
||||||
eprintln!("");
|
eprintln!();
|
||||||
|
|
||||||
if Readers::open()?.iter()?.len() == 0 {
|
if Readers::open()?.iter()?.len() == 0 {
|
||||||
eprintln!("⏳ Please insert the YubiKey you want to set up.");
|
eprintln!("⏳ Please insert the YubiKey you want to set up.");
|
||||||
@@ -299,8 +299,8 @@ fn main() -> Result<(), Error> {
|
|||||||
// Filter out readers we can't connect to.
|
// Filter out readers we can't connect to.
|
||||||
let readers_list: Vec<_> = readers
|
let readers_list: Vec<_> = readers
|
||||||
.iter()?
|
.iter()?
|
||||||
.filter_map(|reader| match reader.open() {
|
.filter(|reader| match reader.open() {
|
||||||
Ok(_) => Some(reader),
|
Ok(_) => true,
|
||||||
Err(e) => {
|
Err(e) => {
|
||||||
use std::error::Error;
|
use std::error::Error;
|
||||||
let reason = if let Some(inner) = e.source() {
|
let reason = if let Some(inner) = e.source() {
|
||||||
@@ -309,7 +309,7 @@ fn main() -> Result<(), Error> {
|
|||||||
e.to_string()
|
e.to_string()
|
||||||
};
|
};
|
||||||
warn!("Ignoring {}: {}", reader.name(), reason);
|
warn!("Ignoring {}: {}", reader.name(), reason);
|
||||||
None
|
false
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
.collect();
|
.collect();
|
||||||
@@ -342,7 +342,7 @@ fn main() -> Result<(), Error> {
|
|||||||
.find(|key| key.slot() == SlotId::Retired(slot))
|
.find(|key| key.slot() == SlotId::Retired(slot))
|
||||||
.map(|key| match key.certificate().subject_pki() {
|
.map(|key| match key.certificate().subject_pki() {
|
||||||
PublicKeyInfo::EcP256(pubkey) => {
|
PublicKeyInfo::EcP256(pubkey) => {
|
||||||
p256::Recipient::from_pubkey(*pubkey).map(|_| {
|
p256::Recipient::from_encoded(pubkey).map(|_| {
|
||||||
// Cache the details we need to display to the user.
|
// Cache the details we need to display to the user.
|
||||||
let (_, cert) =
|
let (_, cert) =
|
||||||
x509_parser::parse_x509_certificate(key.certificate().as_ref())
|
x509_parser::parse_x509_certificate(key.certificate().as_ref())
|
||||||
@@ -394,7 +394,7 @@ fn main() -> Result<(), Error> {
|
|||||||
if let Some(key) = keys.iter().find(|key| key.slot() == SlotId::Retired(slot)) {
|
if let Some(key) = keys.iter().find(|key| key.slot() == SlotId::Retired(slot)) {
|
||||||
let recipient = match key.certificate().subject_pki() {
|
let recipient = match key.certificate().subject_pki() {
|
||||||
PublicKeyInfo::EcP256(pubkey) => {
|
PublicKeyInfo::EcP256(pubkey) => {
|
||||||
p256::Recipient::from_pubkey(*pubkey).expect("We checked this above")
|
p256::Recipient::from_encoded(pubkey).expect("We checked this above")
|
||||||
}
|
}
|
||||||
_ => unreachable!(),
|
_ => unreachable!(),
|
||||||
};
|
};
|
||||||
|
|||||||
+13
-19
@@ -1,6 +1,5 @@
|
|||||||
use bech32::{ToBase32, Variant};
|
use bech32::{ToBase32, Variant};
|
||||||
use elliptic_curve::sec1::EncodedPoint;
|
use p256::elliptic_curve::sec1::{FromEncodedPoint, ToEncodedPoint};
|
||||||
use p256::NistP256;
|
|
||||||
use sha2::{Digest, Sha256};
|
use sha2::{Digest, Sha256};
|
||||||
use std::convert::TryInto;
|
use std::convert::TryInto;
|
||||||
use std::fmt;
|
use std::fmt;
|
||||||
@@ -11,11 +10,11 @@ pub(crate) const TAG_BYTES: usize = 4;
|
|||||||
|
|
||||||
/// Wrapper around a compressed secp256r1 curve point.
|
/// Wrapper around a compressed secp256r1 curve point.
|
||||||
#[derive(Clone)]
|
#[derive(Clone)]
|
||||||
pub struct Recipient(EncodedPoint<NistP256>);
|
pub struct Recipient(p256::PublicKey);
|
||||||
|
|
||||||
impl fmt::Debug for Recipient {
|
impl fmt::Debug for Recipient {
|
||||||
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
|
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
|
||||||
write!(f, "Recipient({:?})", self.as_bytes())
|
write!(f, "Recipient({:?})", self.to_encoded().as_bytes())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -24,7 +23,7 @@ impl fmt::Display for Recipient {
|
|||||||
f.write_str(
|
f.write_str(
|
||||||
bech32::encode(
|
bech32::encode(
|
||||||
RECIPIENT_PREFIX,
|
RECIPIENT_PREFIX,
|
||||||
self.as_bytes().to_base32(),
|
self.to_encoded().as_bytes().to_base32(),
|
||||||
Variant::Bech32,
|
Variant::Bech32,
|
||||||
)
|
)
|
||||||
.expect("HRP is valid")
|
.expect("HRP is valid")
|
||||||
@@ -34,22 +33,17 @@ impl fmt::Display for Recipient {
|
|||||||
}
|
}
|
||||||
|
|
||||||
impl Recipient {
|
impl Recipient {
|
||||||
/// Attempts to parse a valid secp256r1 public key from its SEC-1 encoding.
|
/// Attempts to parse a valid YubiKey recipient from its SEC-1 encoding.
|
||||||
pub(crate) fn from_pubkey(pubkey: EncodedPoint<NistP256>) -> Option<Self> {
|
///
|
||||||
if pubkey.is_compressed() {
|
/// This accepts both compressed (as used by the plugin) and uncompressed (as used in
|
||||||
if pubkey.decompress().is_some().into() {
|
/// the YubiKey certificate) encodings.
|
||||||
Some(Recipient(pubkey))
|
pub(crate) fn from_encoded(encoded: &p256::EncodedPoint) -> Option<Self> {
|
||||||
} else {
|
p256::PublicKey::from_encoded_point(&encoded).map(Recipient)
|
||||||
None
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
Some(Recipient(pubkey.compress()))
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Returns the compressed SEC-1 encoding of this public key.
|
/// Returns the compressed SEC-1 encoding of this recipient.
|
||||||
pub(crate) fn as_bytes(&self) -> &[u8] {
|
pub(crate) fn to_encoded(&self) -> p256::EncodedPoint {
|
||||||
self.0.as_bytes()
|
self.0.to_encoded_point(true)
|
||||||
}
|
}
|
||||||
|
|
||||||
pub(crate) fn tag(&self) -> [u8; TAG_BYTES] {
|
pub(crate) fn tag(&self) -> [u8; TAG_BYTES] {
|
||||||
|
|||||||
+4
-4
@@ -71,7 +71,7 @@ pub(crate) fn open(serial: Option<Serial>) -> Result<YubiKey, Error> {
|
|||||||
}
|
}
|
||||||
|
|
||||||
pub(crate) fn manage(yubikey: &mut YubiKey) -> Result<(), Error> {
|
pub(crate) fn manage(yubikey: &mut YubiKey) -> Result<(), Error> {
|
||||||
eprintln!("");
|
eprintln!();
|
||||||
let pin = Password::new()
|
let pin = Password::new()
|
||||||
.with_prompt(&format!(
|
.with_prompt(&format!(
|
||||||
"Enter PIN for YubiKey with serial {} (default is 123456)",
|
"Enter PIN for YubiKey with serial {} (default is 123456)",
|
||||||
@@ -82,15 +82,15 @@ pub(crate) fn manage(yubikey: &mut YubiKey) -> Result<(), Error> {
|
|||||||
|
|
||||||
// If the user is using the default PIN, help them to change it.
|
// If the user is using the default PIN, help them to change it.
|
||||||
if pin == "123456" {
|
if pin == "123456" {
|
||||||
eprintln!("");
|
eprintln!();
|
||||||
eprintln!("✨ Your key is using the default PIN. Let's change it!");
|
eprintln!("✨ Your key is using the default PIN. Let's change it!");
|
||||||
eprintln!("✨ We'll also set the PUK equal to the PIN.");
|
eprintln!("✨ We'll also set the PUK equal to the PIN.");
|
||||||
eprintln!("");
|
eprintln!();
|
||||||
eprintln!("🔐 The PIN is up to 8 numbers, letters, or symbols. Not just numbers!");
|
eprintln!("🔐 The PIN is up to 8 numbers, letters, or symbols. Not just numbers!");
|
||||||
eprintln!(
|
eprintln!(
|
||||||
"❌ Your keys will be lost if the PIN and PUK are locked after 3 incorrect tries."
|
"❌ Your keys will be lost if the PIN and PUK are locked after 3 incorrect tries."
|
||||||
);
|
);
|
||||||
eprintln!("");
|
eprintln!();
|
||||||
let current_puk = Password::new()
|
let current_puk = Password::new()
|
||||||
.with_prompt("Enter current PUK (default is 12345678)")
|
.with_prompt("Enter current PUK (default is 12345678)")
|
||||||
.interact()?;
|
.interact()?;
|
||||||
|
|||||||
Reference in New Issue
Block a user