Change recipient type for identity encryption to p256tag

Encrypting to an identity requires the plugin binary, and there is a
reasonable expectation that the same (or a later) plugin binary version
will be used to decrypt, so we can assume support for the preferred
recipient type.
This commit is contained in:
Jack Grigg
2025-12-21 12:21:49 +00:00
parent 0057a1825e
commit 971d63957c
4 changed files with 51 additions and 12 deletions
+8 -4
@@ -20,7 +20,9 @@ use yubikey::{
use crate::{
error::Error,
fl, piv_p256,
fl,
native::p256tag,
piv_p256,
recipient::TAG_BYTES,
util::{otp_serial_prefix, Metadata},
Recipient, IDENTITY_PREFIX,
@@ -592,9 +594,10 @@ impl Stub {
let (cert, pk) = match Certificate::read(&mut yubikey, SlotId::Retired(self.slot))
.ok()
.and_then(|cert| {
piv_p256::Recipient::from_certificate(&cert)
.filter(|pk| pk.tag() == self.tag)
.map(|pk| (cert, Recipient::PivP256(pk)))
// Parse as the preferred recipient for each identity type.
p256tag::Recipient::from_certificate(&cert)
.filter(|pk| pk.static_tag() == self.tag)
.map(|pk| (cert, Recipient::P256Tag(pk)))
}) {
Some(pk) => pk,
None => {
@@ -628,6 +631,7 @@ pub(crate) struct Connection {
}
impl Connection {
/// Returns the preferred recipient for encrypting to this identity.
pub(crate) fn recipient(&self) -> &Recipient {
&self.pk
}
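Review bot: The filter in the second hunk, `.filter(|pk| pk.static_tag() == self.tag)`, now compares the tag held in the stub against p256tag's `static_tag()` rather than piv_p256's `tag()`; if those two derivations can differ for the same certificate, a stub created by an earlier plugin version would stop matching and fall into the `None` branch, whose error is outside the hunk. The commit message covers the decrypt-side binary expectation but not whether the stored tag is the same value under both recipient types, so the new comment should say so explicitly, e.g. `// Parse as the preferred recipient for each identity type; the static tag must equal the tag persisted in the stub for the match to succeed.` If the derivations are not identical, a fallback to the previous `piv_p256` parse for old-format tags would preserve existing identities. The enclosing `match` and `impl Stub` continue outside the hunk.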