De-duplicate parsing recipients from SubjectPublicKeyInfo
This commit is contained in:
+2
-7
@@ -1,7 +1,7 @@
|
|||||||
use rand::{rngs::OsRng, RngCore};
|
use rand::{rngs::OsRng, RngCore};
|
||||||
use x509::RelativeDistinguishedName;
|
use x509::RelativeDistinguishedName;
|
||||||
use yubikey::{
|
use yubikey::{
|
||||||
certificate::{Certificate, PublicKeyInfo},
|
certificate::Certificate,
|
||||||
piv::{generate as yubikey_generate, AlgorithmId, RetiredSlotId, SlotId},
|
piv::{generate as yubikey_generate, AlgorithmId, RetiredSlotId, SlotId},
|
||||||
Key, PinPolicy, TouchPolicy, YubiKey,
|
Key, PinPolicy, TouchPolicy, YubiKey,
|
||||||
};
|
};
|
||||||
@@ -106,12 +106,7 @@ impl IdentityBuilder {
|
|||||||
touch_policy,
|
touch_policy,
|
||||||
)?;
|
)?;
|
||||||
|
|
||||||
let recipient = match &generated {
|
let recipient = Recipient::from_spki(&generated).expect("YubiKey generates a valid pubkey");
|
||||||
PublicKeyInfo::EcP256(pubkey) => {
|
|
||||||
Recipient::from_encoded(pubkey).expect("YubiKey generates a valid pubkey")
|
|
||||||
}
|
|
||||||
_ => unreachable!(),
|
|
||||||
};
|
|
||||||
let stub = Stub::new(yubikey.serial(), slot, &recipient);
|
let stub = Stub::new(yubikey.serial(), slot, &recipient);
|
||||||
|
|
||||||
// Pick a random serial for the new self-signed certificate.
|
// Pick a random serial for the new self-signed certificate.
|
||||||
|
|||||||
+4
-5
@@ -15,7 +15,7 @@ use std::iter;
|
|||||||
use std::thread::sleep;
|
use std::thread::sleep;
|
||||||
use std::time::{Duration, Instant, SystemTime};
|
use std::time::{Duration, Instant, SystemTime};
|
||||||
use yubikey::{
|
use yubikey::{
|
||||||
certificate::{Certificate, PublicKeyInfo},
|
certificate::Certificate,
|
||||||
piv::{decrypt_data, AlgorithmId, RetiredSlotId, SlotId},
|
piv::{decrypt_data, AlgorithmId, RetiredSlotId, SlotId},
|
||||||
reader::{Context, Reader},
|
reader::{Context, Reader},
|
||||||
MgmKey, PinPolicy, Serial, TouchPolicy, YubiKey,
|
MgmKey, PinPolicy, Serial, TouchPolicy, YubiKey,
|
||||||
@@ -459,11 +459,10 @@ impl Stub {
|
|||||||
// Read the pubkey from the YubiKey slot and check it still matches.
|
// Read the pubkey from the YubiKey slot and check it still matches.
|
||||||
let (cert, pk) = match Certificate::read(&mut yubikey, SlotId::Retired(self.slot))
|
let (cert, pk) = match Certificate::read(&mut yubikey, SlotId::Retired(self.slot))
|
||||||
.ok()
|
.ok()
|
||||||
.and_then(|cert| match cert.subject_pki() {
|
.and_then(|cert| {
|
||||||
PublicKeyInfo::EcP256(pubkey) => Recipient::from_encoded(pubkey)
|
Recipient::from_certificate(&cert)
|
||||||
.filter(|pk| pk.tag() == self.tag)
|
.filter(|pk| pk.tag() == self.tag)
|
||||||
.map(|pk| (cert, pk)),
|
.map(|pk| (cert, pk))
|
||||||
_ => None,
|
|
||||||
}) {
|
}) {
|
||||||
Some(pk) => pk,
|
Some(pk) => pk,
|
||||||
None => {
|
None => {
|
||||||
|
|||||||
+8
-19
@@ -13,7 +13,6 @@ use i18n_embed::{
|
|||||||
use lazy_static::lazy_static;
|
use lazy_static::lazy_static;
|
||||||
use rust_embed::RustEmbed;
|
use rust_embed::RustEmbed;
|
||||||
use yubikey::{
|
use yubikey::{
|
||||||
certificate::PublicKeyInfo,
|
|
||||||
piv::{RetiredSlotId, SlotId},
|
piv::{RetiredSlotId, SlotId},
|
||||||
reader::Context,
|
reader::Context,
|
||||||
Key, PinPolicy, Serial, TouchPolicy,
|
Key, PinPolicy, Serial, TouchPolicy,
|
||||||
@@ -196,9 +195,9 @@ fn print_single(
|
|||||||
let mut keys = Key::list(&mut yubikey)?.into_iter().filter_map(|key| {
|
let mut keys = Key::list(&mut yubikey)?.into_iter().filter_map(|key| {
|
||||||
// - We only use the retired slots.
|
// - We only use the retired slots.
|
||||||
// - Only P-256 keys are compatible with us.
|
// - Only P-256 keys are compatible with us.
|
||||||
match (key.slot(), key.certificate().subject_pki()) {
|
match key.slot() {
|
||||||
(SlotId::Retired(slot), PublicKeyInfo::EcP256(pubkey)) => {
|
SlotId::Retired(slot) => {
|
||||||
p256::Recipient::from_encoded(pubkey).map(|r| (key, slot, r))
|
p256::Recipient::from_certificate(key.certificate()).map(|r| (key, slot, r))
|
||||||
}
|
}
|
||||||
_ => None,
|
_ => None,
|
||||||
}
|
}
|
||||||
@@ -244,12 +243,9 @@ fn print_multiple(
|
|||||||
};
|
};
|
||||||
|
|
||||||
// Only P-256 keys are compatible with us.
|
// Only P-256 keys are compatible with us.
|
||||||
let recipient = match key.certificate().subject_pki() {
|
let recipient = match p256::Recipient::from_certificate(key.certificate()) {
|
||||||
PublicKeyInfo::EcP256(pubkey) => match p256::Recipient::from_encoded(pubkey) {
|
|
||||||
Some(recipient) => recipient,
|
Some(recipient) => recipient,
|
||||||
None => continue,
|
None => continue,
|
||||||
},
|
|
||||||
_ => continue,
|
|
||||||
};
|
};
|
||||||
|
|
||||||
let stub = key::Stub::new(yubikey.serial(), slot, &recipient);
|
let stub = key::Stub::new(yubikey.serial(), slot, &recipient);
|
||||||
@@ -429,9 +425,8 @@ fn main() -> Result<(), Error> {
|
|||||||
.map(|&slot| {
|
.map(|&slot| {
|
||||||
keys.iter()
|
keys.iter()
|
||||||
.find(|key| key.slot() == SlotId::Retired(slot))
|
.find(|key| key.slot() == SlotId::Retired(slot))
|
||||||
.map(|key| match key.certificate().subject_pki() {
|
.map(|key| {
|
||||||
PublicKeyInfo::EcP256(pubkey) => {
|
p256::Recipient::from_certificate(key.certificate()).map(|_| {
|
||||||
p256::Recipient::from_encoded(pubkey).map(|_| {
|
|
||||||
// Cache the details we need to display to the user.
|
// Cache the details we need to display to the user.
|
||||||
let (_, cert) =
|
let (_, cert) =
|
||||||
x509_parser::parse_x509_certificate(key.certificate().as_ref())
|
x509_parser::parse_x509_certificate(key.certificate().as_ref())
|
||||||
@@ -441,8 +436,6 @@ fn main() -> Result<(), Error> {
|
|||||||
|
|
||||||
format!("{}, created: {}", name, created)
|
format!("{}, created: {}", name, created)
|
||||||
})
|
})
|
||||||
}
|
|
||||||
_ => None,
|
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
.collect();
|
.collect();
|
||||||
@@ -492,12 +485,8 @@ fn main() -> Result<(), Error> {
|
|||||||
};
|
};
|
||||||
|
|
||||||
if let Some(key) = keys.iter().find(|key| key.slot() == SlotId::Retired(slot)) {
|
if let Some(key) = keys.iter().find(|key| key.slot() == SlotId::Retired(slot)) {
|
||||||
let recipient = match key.certificate().subject_pki() {
|
let recipient = p256::Recipient::from_certificate(key.certificate())
|
||||||
PublicKeyInfo::EcP256(pubkey) => {
|
.expect("We checked this above");
|
||||||
p256::Recipient::from_encoded(pubkey).expect("We checked this above")
|
|
||||||
}
|
|
||||||
_ => unreachable!(),
|
|
||||||
};
|
|
||||||
|
|
||||||
if Confirm::new()
|
if Confirm::new()
|
||||||
.with_prompt(i18n_embed_fl::fl!(
|
.with_prompt(i18n_embed_fl::fl!(
|
||||||
|
|||||||
+14
-1
@@ -1,6 +1,8 @@
|
|||||||
use bech32::{ToBase32, Variant};
|
use bech32::{ToBase32, Variant};
|
||||||
use p256::elliptic_curve::sec1::{FromEncodedPoint, ToEncodedPoint};
|
use p256::elliptic_curve::sec1::{FromEncodedPoint, ToEncodedPoint};
|
||||||
use sha2::{Digest, Sha256};
|
use sha2::{Digest, Sha256};
|
||||||
|
use yubikey::{certificate::PublicKeyInfo, Certificate};
|
||||||
|
|
||||||
use std::fmt;
|
use std::fmt;
|
||||||
|
|
||||||
use crate::RECIPIENT_PREFIX;
|
use crate::RECIPIENT_PREFIX;
|
||||||
@@ -42,11 +44,22 @@ impl Recipient {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub(crate) fn from_certificate(cert: &Certificate) -> Option<Self> {
|
||||||
|
Self::from_spki(cert.subject_pki())
|
||||||
|
}
|
||||||
|
|
||||||
|
pub(crate) fn from_spki(spki: &PublicKeyInfo) -> Option<Self> {
|
||||||
|
match spki {
|
||||||
|
PublicKeyInfo::EcP256(pubkey) => Self::from_encoded(pubkey),
|
||||||
|
_ => None,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/// Attempts to parse a valid YubiKey recipient from its SEC-1 encoding.
|
/// Attempts to parse a valid YubiKey recipient from its SEC-1 encoding.
|
||||||
///
|
///
|
||||||
/// This accepts both compressed (as used by the plugin) and uncompressed (as used in
|
/// This accepts both compressed (as used by the plugin) and uncompressed (as used in
|
||||||
/// the YubiKey certificate) encodings.
|
/// the YubiKey certificate) encodings.
|
||||||
pub(crate) fn from_encoded(encoded: &p256::EncodedPoint) -> Option<Self> {
|
fn from_encoded(encoded: &p256::EncodedPoint) -> Option<Self> {
|
||||||
p256::PublicKey::from_encoded_point(encoded).map(Recipient)
|
p256::PublicKey::from_encoded_point(encoded).map(Recipient)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user