De-duplicate parsing recipients from SubjectPublicKeyInfo

This commit is contained in:
Jack Grigg
2022-12-31 12:49:44 +00:00
parent d4f8993988
commit 493479344c
4 changed files with 38 additions and 42 deletions
+2 -7
View File
@@ -1,7 +1,7 @@
use rand::{rngs::OsRng, RngCore}; use rand::{rngs::OsRng, RngCore};
use x509::RelativeDistinguishedName; use x509::RelativeDistinguishedName;
use yubikey::{ use yubikey::{
certificate::{Certificate, PublicKeyInfo}, certificate::Certificate,
piv::{generate as yubikey_generate, AlgorithmId, RetiredSlotId, SlotId}, piv::{generate as yubikey_generate, AlgorithmId, RetiredSlotId, SlotId},
Key, PinPolicy, TouchPolicy, YubiKey, Key, PinPolicy, TouchPolicy, YubiKey,
}; };
@@ -106,12 +106,7 @@ impl IdentityBuilder {
touch_policy, touch_policy,
)?; )?;
let recipient = match &generated { let recipient = Recipient::from_spki(&generated).expect("YubiKey generates a valid pubkey");
PublicKeyInfo::EcP256(pubkey) => {
Recipient::from_encoded(pubkey).expect("YubiKey generates a valid pubkey")
}
_ => unreachable!(),
};
let stub = Stub::new(yubikey.serial(), slot, &recipient); let stub = Stub::new(yubikey.serial(), slot, &recipient);
// Pick a random serial for the new self-signed certificate. // Pick a random serial for the new self-signed certificate.
+4 -5
View File
@@ -15,7 +15,7 @@ use std::iter;
use std::thread::sleep; use std::thread::sleep;
use std::time::{Duration, Instant, SystemTime}; use std::time::{Duration, Instant, SystemTime};
use yubikey::{ use yubikey::{
certificate::{Certificate, PublicKeyInfo}, certificate::Certificate,
piv::{decrypt_data, AlgorithmId, RetiredSlotId, SlotId}, piv::{decrypt_data, AlgorithmId, RetiredSlotId, SlotId},
reader::{Context, Reader}, reader::{Context, Reader},
MgmKey, PinPolicy, Serial, TouchPolicy, YubiKey, MgmKey, PinPolicy, Serial, TouchPolicy, YubiKey,
@@ -459,11 +459,10 @@ impl Stub {
// Read the pubkey from the YubiKey slot and check it still matches. // Read the pubkey from the YubiKey slot and check it still matches.
let (cert, pk) = match Certificate::read(&mut yubikey, SlotId::Retired(self.slot)) let (cert, pk) = match Certificate::read(&mut yubikey, SlotId::Retired(self.slot))
.ok() .ok()
.and_then(|cert| match cert.subject_pki() { .and_then(|cert| {
PublicKeyInfo::EcP256(pubkey) => Recipient::from_encoded(pubkey) Recipient::from_certificate(&cert)
.filter(|pk| pk.tag() == self.tag) .filter(|pk| pk.tag() == self.tag)
.map(|pk| (cert, pk)), .map(|pk| (cert, pk))
_ => None,
}) { }) {
Some(pk) => pk, Some(pk) => pk,
None => { None => {
+18 -29
View File
@@ -13,7 +13,6 @@ use i18n_embed::{
use lazy_static::lazy_static; use lazy_static::lazy_static;
use rust_embed::RustEmbed; use rust_embed::RustEmbed;
use yubikey::{ use yubikey::{
certificate::PublicKeyInfo,
piv::{RetiredSlotId, SlotId}, piv::{RetiredSlotId, SlotId},
reader::Context, reader::Context,
Key, PinPolicy, Serial, TouchPolicy, Key, PinPolicy, Serial, TouchPolicy,
@@ -196,9 +195,9 @@ fn print_single(
let mut keys = Key::list(&mut yubikey)?.into_iter().filter_map(|key| { let mut keys = Key::list(&mut yubikey)?.into_iter().filter_map(|key| {
// - We only use the retired slots. // - We only use the retired slots.
// - Only P-256 keys are compatible with us. // - Only P-256 keys are compatible with us.
match (key.slot(), key.certificate().subject_pki()) { match key.slot() {
(SlotId::Retired(slot), PublicKeyInfo::EcP256(pubkey)) => { SlotId::Retired(slot) => {
p256::Recipient::from_encoded(pubkey).map(|r| (key, slot, r)) p256::Recipient::from_certificate(key.certificate()).map(|r| (key, slot, r))
} }
_ => None, _ => None,
} }
@@ -244,12 +243,9 @@ fn print_multiple(
}; };
// Only P-256 keys are compatible with us. // Only P-256 keys are compatible with us.
let recipient = match key.certificate().subject_pki() { let recipient = match p256::Recipient::from_certificate(key.certificate()) {
PublicKeyInfo::EcP256(pubkey) => match p256::Recipient::from_encoded(pubkey) { Some(recipient) => recipient,
Some(recipient) => recipient, None => continue,
None => continue,
},
_ => continue,
}; };
let stub = key::Stub::new(yubikey.serial(), slot, &recipient); let stub = key::Stub::new(yubikey.serial(), slot, &recipient);
@@ -429,20 +425,17 @@ fn main() -> Result<(), Error> {
.map(|&slot| { .map(|&slot| {
keys.iter() keys.iter()
.find(|key| key.slot() == SlotId::Retired(slot)) .find(|key| key.slot() == SlotId::Retired(slot))
.map(|key| match key.certificate().subject_pki() { .map(|key| {
PublicKeyInfo::EcP256(pubkey) => { p256::Recipient::from_certificate(key.certificate()).map(|_| {
p256::Recipient::from_encoded(pubkey).map(|_| { // Cache the details we need to display to the user.
// Cache the details we need to display to the user. let (_, cert) =
let (_, cert) = x509_parser::parse_x509_certificate(key.certificate().as_ref())
x509_parser::parse_x509_certificate(key.certificate().as_ref()) .unwrap();
.unwrap(); let (name, _) = util::extract_name(&cert, true).unwrap();
let (name, _) = util::extract_name(&cert, true).unwrap(); let created = cert.validity().not_before.to_rfc2822();
let created = cert.validity().not_before.to_rfc2822();
format!("{}, created: {}", name, created) format!("{}, created: {}", name, created)
}) })
}
_ => None,
}) })
}) })
.collect(); .collect();
@@ -492,12 +485,8 @@ fn main() -> Result<(), Error> {
}; };
if let Some(key) = keys.iter().find(|key| key.slot() == SlotId::Retired(slot)) { if let Some(key) = keys.iter().find(|key| key.slot() == SlotId::Retired(slot)) {
let recipient = match key.certificate().subject_pki() { let recipient = p256::Recipient::from_certificate(key.certificate())
PublicKeyInfo::EcP256(pubkey) => { .expect("We checked this above");
p256::Recipient::from_encoded(pubkey).expect("We checked this above")
}
_ => unreachable!(),
};
if Confirm::new() if Confirm::new()
.with_prompt(i18n_embed_fl::fl!( .with_prompt(i18n_embed_fl::fl!(
+14 -1
View File
@@ -1,6 +1,8 @@
use bech32::{ToBase32, Variant}; use bech32::{ToBase32, Variant};
use p256::elliptic_curve::sec1::{FromEncodedPoint, ToEncodedPoint}; use p256::elliptic_curve::sec1::{FromEncodedPoint, ToEncodedPoint};
use sha2::{Digest, Sha256}; use sha2::{Digest, Sha256};
use yubikey::{certificate::PublicKeyInfo, Certificate};
use std::fmt; use std::fmt;
use crate::RECIPIENT_PREFIX; use crate::RECIPIENT_PREFIX;
@@ -42,11 +44,22 @@ impl Recipient {
} }
} }
pub(crate) fn from_certificate(cert: &Certificate) -> Option<Self> {
Self::from_spki(cert.subject_pki())
}
pub(crate) fn from_spki(spki: &PublicKeyInfo) -> Option<Self> {
match spki {
PublicKeyInfo::EcP256(pubkey) => Self::from_encoded(pubkey),
_ => None,
}
}
/// Attempts to parse a valid YubiKey recipient from its SEC-1 encoding. /// Attempts to parse a valid YubiKey recipient from its SEC-1 encoding.
/// ///
/// This accepts both compressed (as used by the plugin) and uncompressed (as used in /// This accepts both compressed (as used by the plugin) and uncompressed (as used in
/// the YubiKey certificate) encodings. /// the YubiKey certificate) encodings.
pub(crate) fn from_encoded(encoded: &p256::EncodedPoint) -> Option<Self> { fn from_encoded(encoded: &p256::EncodedPoint) -> Option<Self> {
p256::PublicKey::from_encoded_point(encoded).map(Recipient) p256::PublicKey::from_encoded_point(encoded).map(Recipient)
} }