Rework Recipient to wrap p256::PublicKey

This commit is contained in:
Jack Grigg
2021-04-04 16:13:57 +12:00
parent a08f23a3e8
commit c7f173b43e
3 changed files with 18 additions and 24 deletions
+1 -1
View File
@@ -113,7 +113,7 @@ impl IdentityBuilder {
let recipient = match &generated { let recipient = match &generated {
PublicKeyInfo::EcP256(pubkey) => { PublicKeyInfo::EcP256(pubkey) => {
Recipient::from_pubkey(*pubkey).expect("YubiKey generates a valid pubkey") Recipient::from_encoded(pubkey).expect("YubiKey generates a valid pubkey")
} }
_ => unreachable!(), _ => unreachable!(),
}; };
+4 -4
View File
@@ -137,7 +137,7 @@ fn identity(opts: PluginOptions) -> Result<(), Error> {
// - Only P-256 keys are compatible with us. // - Only P-256 keys are compatible with us.
match (key.slot(), key.certificate().subject_pki()) { match (key.slot(), key.certificate().subject_pki()) {
(SlotId::Retired(slot), PublicKeyInfo::EcP256(pubkey)) => { (SlotId::Retired(slot), PublicKeyInfo::EcP256(pubkey)) => {
p256::Recipient::from_pubkey(*pubkey).map(|r| (key, slot, r)) p256::Recipient::from_encoded(pubkey).map(|r| (key, slot, r))
} }
_ => None, _ => None,
} }
@@ -205,7 +205,7 @@ fn list(all: bool) -> Result<(), Error> {
// Only P-256 keys are compatible with us. // Only P-256 keys are compatible with us.
let recipient = match key.certificate().subject_pki() { let recipient = match key.certificate().subject_pki() {
PublicKeyInfo::EcP256(pubkey) => match p256::Recipient::from_pubkey(*pubkey) { PublicKeyInfo::EcP256(pubkey) => match p256::Recipient::from_encoded(pubkey) {
Some(recipient) => recipient, Some(recipient) => recipient,
None => continue, None => continue,
}, },
@@ -342,7 +342,7 @@ fn main() -> Result<(), Error> {
.find(|key| key.slot() == SlotId::Retired(slot)) .find(|key| key.slot() == SlotId::Retired(slot))
.map(|key| match key.certificate().subject_pki() { .map(|key| match key.certificate().subject_pki() {
PublicKeyInfo::EcP256(pubkey) => { PublicKeyInfo::EcP256(pubkey) => {
p256::Recipient::from_pubkey(*pubkey).map(|_| { p256::Recipient::from_encoded(pubkey).map(|_| {
// Cache the details we need to display to the user. // Cache the details we need to display to the user.
let (_, cert) = let (_, cert) =
x509_parser::parse_x509_certificate(key.certificate().as_ref()) x509_parser::parse_x509_certificate(key.certificate().as_ref())
@@ -394,7 +394,7 @@ fn main() -> Result<(), Error> {
if let Some(key) = keys.iter().find(|key| key.slot() == SlotId::Retired(slot)) { if let Some(key) = keys.iter().find(|key| key.slot() == SlotId::Retired(slot)) {
let recipient = match key.certificate().subject_pki() { let recipient = match key.certificate().subject_pki() {
PublicKeyInfo::EcP256(pubkey) => { PublicKeyInfo::EcP256(pubkey) => {
p256::Recipient::from_pubkey(*pubkey).expect("We checked this above") p256::Recipient::from_encoded(pubkey).expect("We checked this above")
} }
_ => unreachable!(), _ => unreachable!(),
}; };
+13 -19
View File
@@ -1,6 +1,5 @@
use bech32::{ToBase32, Variant}; use bech32::{ToBase32, Variant};
use elliptic_curve::sec1::EncodedPoint; use elliptic_curve::sec1::{FromEncodedPoint, ToEncodedPoint};
use p256::NistP256;
use sha2::{Digest, Sha256}; use sha2::{Digest, Sha256};
use std::convert::TryInto; use std::convert::TryInto;
use std::fmt; use std::fmt;
@@ -11,11 +10,11 @@ pub(crate) const TAG_BYTES: usize = 4;
/// Wrapper around a compressed secp256r1 curve point. /// Wrapper around a compressed secp256r1 curve point.
#[derive(Clone)] #[derive(Clone)]
pub struct Recipient(EncodedPoint<NistP256>); pub struct Recipient(p256::PublicKey);
impl fmt::Debug for Recipient { impl fmt::Debug for Recipient {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
write!(f, "Recipient({:?})", self.as_bytes()) write!(f, "Recipient({:?})", self.to_encoded().as_bytes())
} }
} }
@@ -24,7 +23,7 @@ impl fmt::Display for Recipient {
f.write_str( f.write_str(
bech32::encode( bech32::encode(
RECIPIENT_PREFIX, RECIPIENT_PREFIX,
self.as_bytes().to_base32(), self.to_encoded().as_bytes().to_base32(),
Variant::Bech32, Variant::Bech32,
) )
.expect("HRP is valid") .expect("HRP is valid")
@@ -34,22 +33,17 @@ impl fmt::Display for Recipient {
} }
impl Recipient { impl Recipient {
/// Attempts to parse a valid secp256r1 public key from its SEC-1 encoding. /// Attempts to parse a valid YubiKey recipient from its SEC-1 encoding.
pub(crate) fn from_pubkey(pubkey: EncodedPoint<NistP256>) -> Option<Self> { ///
if pubkey.is_compressed() { /// This accepts both compressed (as used by the plugin) and uncompressed (as used in
if pubkey.decompress().is_some().into() { /// the YubiKey certificate) encodings.
Some(Recipient(pubkey)) pub(crate) fn from_encoded(encoded: &p256::EncodedPoint) -> Option<Self> {
} else { p256::PublicKey::from_encoded_point(&encoded).map(Recipient)
None
}
} else {
Some(Recipient(pubkey.compress()))
}
} }
/// Returns the compressed SEC-1 encoding of this public key. /// Returns the compressed SEC-1 encoding of this recipient.
pub(crate) fn as_bytes(&self) -> &[u8] { pub(crate) fn to_encoded(&self) -> p256::EncodedPoint {
self.0.as_bytes() self.0.to_encoded_point(true)
} }
pub(crate) fn tag(&self) -> [u8; TAG_BYTES] { pub(crate) fn tag(&self) -> [u8; TAG_BYTES] {