65 Commits

Author SHA1 Message Date
str4d fc2081c216 Merge pull request #98 from str4d/release-0.3.2
CI checks / Test on linux (push) Has been cancelled
CI checks / Test on macos (push) Has been cancelled
CI checks / Test on windows (push) Has been cancelled
CI checks / Clippy (1.56.0) (push) Has been cancelled
CI checks / Clippy (nightly) (push) Has been cancelled
CI checks / Code coverage (push) Has been cancelled
CI checks / Intra-doc links (push) Has been cancelled
CI checks / Rustfmt (push) Has been cancelled
Publish release binaries / Publish for macos-arm64 (push) Has been cancelled
Publish release binaries / Publish for macos-x86_64 (push) Has been cancelled
Publish release binaries / Publish for linux (push) Has been cancelled
Publish release binaries / Publish for windows (push) Has been cancelled
Publish release binaries / Debian linux (push) Has been cancelled
Release 0.3.2
2023-01-01 13:53:55 +00:00
Jack Grigg 367a081eea Release 0.3.2 2023-01-01 13:45:21 +00:00
str4d cfb1e5e3d5 Merge pull request #97 from str4d/more-cleanups
More cleanups
2023-01-01 13:44:15 +00:00
Jack Grigg 1dfadc7e27 Clean up key::filter_connected 2023-01-01 13:29:30 +00:00
Jack Grigg fc66d9f6fd Add helper methods for filtering available keys 2023-01-01 13:27:10 +00:00
Jack Grigg d8eb198e97 Move certificate parsing into Metadata::extract 2023-01-01 13:27:10 +00:00
str4d c8f9df1b45 Merge pull request #95 from str4d/94-yubikey-agent-sighup
Extend "sharing violation" logic to send SIGHUP to `yubikey-agent` processes
2023-01-01 13:24:57 +00:00
Jack Grigg 3597d96332 Correctly hunt agents in plugin mode 2023-01-01 13:18:41 +00:00
Jack Grigg 1913838f8e Hunt for yubikey-agent 2023-01-01 12:52:17 +00:00
Jack Grigg 6e47448560 Generalise code for hunting agents that may be holding YubiKeys 2023-01-01 12:52:17 +00:00
str4d 4d4d8cc183 Merge pull request #96 from str4d/refactors-and-cleanups
Refactors and cleanups
2022-12-31 16:41:21 +00:00
Jack Grigg ac7b04a61d Add keyword argument support to fl! and wlnfl! macros 2022-12-31 14:31:25 +00:00
Jack Grigg 493479344c De-duplicate parsing recipients from SubjectPublicKeyInfo 2022-12-31 12:49:44 +00:00
str4d d4f8993988 Merge pull request #93 from str4d/release-0.3.1
CI checks / Test on linux (push) Has been cancelled
CI checks / Test on macos (push) Has been cancelled
CI checks / Test on windows (push) Has been cancelled
CI checks / Clippy (1.56.0) (push) Has been cancelled
CI checks / Clippy (nightly) (push) Has been cancelled
CI checks / Code coverage (push) Has been cancelled
CI checks / Intra-doc links (push) Has been cancelled
CI checks / Rustfmt (push) Has been cancelled
Publish release binaries / Publish for macos-arm64 (push) Has been cancelled
Publish release binaries / Publish for macos-x86_64 (push) Has been cancelled
Publish release binaries / Publish for linux (push) Has been cancelled
Publish release binaries / Publish for windows (push) Has been cancelled
Publish release binaries / Debian linux (push) Has been cancelled
Release 0.3.1
2022-12-30 12:04:50 +00:00
Jack Grigg 876afecc5c Release 0.3.1 2022-12-30 11:57:17 +00:00
str4d 539111c30c Merge pull request #91 from str4d/tdes-mgmkey-advice
Clarify that non-TDES management keys are unsupported
2022-12-30 10:51:52 +00:00
Jack Grigg 647a620a9c Clarify that non-TDES management keys are unsupported
Supporting them is blocked on iqlusioninc/yubikey.rs#330.
2022-12-30 10:39:34 +00:00
str4d 0eee944c64 Merge pull request #90 from str4d/21-mgmkey-advice
Give guidance on reconfiguring YubiKeys with unprotected management keys
2022-12-30 10:23:51 +00:00
Jack Grigg e4ef700263 Give guidance on reconfiguring YubiKeys with unprotected management keys
Closes str4d/age-plugin-yubikey#21.
2022-12-30 10:18:17 +00:00
str4d 492612fc8b Merge pull request #89 from str4d/82-stop-scdaemon
Stop scdaemon if it is holding exclusive access to a YubiKey
2022-12-30 09:36:47 +00:00
Jack Grigg 15c53e42df Stop scdaemon if it is holding exclusive access to a YubiKey
Closes str4d/age-plugin-yubikey#82.
2022-12-30 09:28:24 +00:00
str4d 5d6b618d5f Merge pull request #87 from str4d/71-m1-binaries
CI: Build release binaries for Apple ARM64
2022-12-30 03:44:24 +00:00
Jack Grigg 0ee618cdfd CI: Build release binaries for Apple ARM64
Closes str4d/age-plugin-yubikey#71.
2022-12-30 03:38:40 +00:00
str4d ed6273d781 Merge pull request #86 from str4d/83-improve-missing-service-error
Inform users when `pcscd` is required
2022-12-29 10:10:42 +00:00
Jack Grigg d38743a2fc Inform users when pcscd is required
Closes str4d/age-plugin-yubikey#83.
2022-12-29 05:09:47 +00:00
str4d aaa445c4ac Merge pull request #74 from str4d/dependabot/github_actions/svenstaro/upload-release-action-2.3.0
Bump svenstaro/upload-release-action from 2.2.1 to 2.3.0
2022-12-28 14:01:29 +00:00
Jack Grigg e415ce4ae9 CI: Remove upload-release-action fields that match defaults 2022-12-28 13:53:56 +00:00
str4d 145237003e Merge pull request #79 from str4d/dependabot/github_actions/codecov/codecov-action-3.1.1
Bump codecov/codecov-action from 3.1.0 to 3.1.1
2022-12-28 13:48:15 +00:00
dependabot[bot] 9338b320a4 Bump codecov/codecov-action from 3.1.0 to 3.1.1
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.0 to 3.1.1.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/master/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/v3.1.0...v3.1.1)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-20 08:29:52 +00:00
dependabot[bot] aae48c4f6c Bump svenstaro/upload-release-action from 2.2.1 to 2.3.0
Bumps [svenstaro/upload-release-action](https://github.com/svenstaro/upload-release-action) from 2.2.1 to 2.3.0.
- [Release notes](https://github.com/svenstaro/upload-release-action/releases)
- [Changelog](https://github.com/svenstaro/upload-release-action/blob/master/CHANGELOG.md)
- [Commits](https://github.com/svenstaro/upload-release-action/compare/2.2.1...2.3.0)

---
updated-dependencies:
- dependency-name: svenstaro/upload-release-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-06 08:56:16 +00:00
Jack Grigg 08ba0aa1ec Update Cargo.lock
CI checks / Test on linux (push) Has been cancelled
CI checks / Test on macos (push) Has been cancelled
CI checks / Test on windows (push) Has been cancelled
CI checks / Clippy (1.56.0) (push) Has been cancelled
CI checks / Clippy (nightly) (push) Has been cancelled
CI checks / Code coverage (push) Has been cancelled
CI checks / Intra-doc links (push) Has been cancelled
CI checks / Rustfmt (push) Has been cancelled
Publish release binaries / Publish for macos (push) Has been cancelled
Publish release binaries / Publish for linux (push) Has been cancelled
Publish release binaries / Publish for windows (push) Has been cancelled
Publish release binaries / Debian linux (push) Has been cancelled
2022-05-02 01:35:10 +00:00
Jack Grigg 71bd3b1afb v0.3.0 2022-05-02 01:24:53 +00:00
Jack Grigg 8199a7bcfc age-plugin 0.3 2022-05-02 01:21:52 +00:00
str4d b825956bf8 Merge pull request #67 from str4d/48-fix-panic-with-default
Check the length of the bytes passed to `Stub::from_bytes`
2022-05-01 21:28:14 +01:00
Jack Grigg fb5a1060bd Check the length of the bytes passed to Stub::from_bytes
This will be zero-length when the client uses `-j yubikey`.

Closes str4d/age-plugin-yubikey#48.
2022-05-01 17:59:24 +00:00
str4d b9842213da Merge pull request #63 from str4d/skippable-yubikeys
Enable users to skip YubiKeys at plugging-in time
2022-05-01 16:20:32 +01:00
Jack Grigg f8314c5d6d Enable users to skip YubiKeys at plugging-in time
This requires the `confirm` plugin command to be supported by the age
client; otherwise we fall back to the previous message-plus-timer
method.
2022-05-01 15:14:36 +00:00
str4d 3b0da8bd25 Merge pull request #64 from str4d/remove-touch-request-message
Don't print message if YubiKey is waiting for touch
2022-05-01 15:54:42 +01:00
Jack Grigg 345c155bb4 Don't print message if YubiKey is waiting for touch
The user call-to-action will instead be implemented on the client side,
where it can be done in a more forgiving way (allowing the user some
time to react before prompting them that it is waiting on the plugin).
2022-05-01 14:47:55 +00:00
str4d 1ad79cb577 Merge pull request #66 from str4d/57-translations
Add translation support via Fluent
2022-05-01 15:46:26 +01:00
Jack Grigg a92a843e14 Tag all strings for translation 2022-05-01 14:40:05 +00:00
Jack Grigg c4fe3f6b1a Add support for translations 2022-05-01 11:49:06 +00:00
str4d 9db9c65bf7 Merge pull request #65 from str4d/42-list-supported-yubikeys
List supported YubiKey variants
2022-05-01 01:36:26 +01:00
Jack Grigg 1b5db6f871 List supported YubiKey variants
Closes str4d/age-plugin-yubikey#42.
2022-05-01 00:35:11 +00:00
str4d 5f07cb318d Merge pull request #53 from str4d/dependabot/github_actions/svenstaro/upload-release-action-2.2.1
Bump svenstaro/upload-release-action from 2.2.0 to 2.2.1
2022-04-30 21:07:08 +01:00
str4d 71227314f4 Merge pull request #61 from str4d/dependabot/github_actions/codecov/codecov-action-3.1.0
Bump codecov/codecov-action from 1.0.3 to 3.1.0
2022-04-30 21:06:56 +01:00
dependabot[bot] f2f0b40af8 Bump codecov/codecov-action from 1.0.3 to 3.1.0
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 1.0.3 to 3.1.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/master/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/v1.0.3...v3.1.0)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-22 08:33:17 +00:00
str4d fe5bab1277 Merge pull request #56 from str4d/edition-2021
Migrate to 2021 edition
2022-03-20 16:58:41 +00:00
Jack Grigg 5afec288c9 Forbid unsafe code 2022-03-20 16:53:39 +00:00
Jack Grigg 7d2e3a6829 Remove trait imports that are in the 2021 edition prelude 2022-03-20 16:53:39 +00:00
Jack Grigg 74b76d3f5e Migrate to 2021 edition
Closes str4d/age-plugin-yubikey#52.
2022-03-20 16:53:39 +00:00
str4d 6fd6a205ca Merge pull request #55 from str4d/msrv-1.56
Bump MSRV to 1.56.0
2022-03-20 16:43:00 +00:00
Jack Grigg 0b930efc49 cargo update 2022-03-20 16:24:29 +00:00
Jack Grigg 2fd5af8538 Bump MSRV to 1.56.0
Closes str4d/age-plugin-yubikey#51.
2022-03-20 16:23:52 +00:00
dependabot[bot] 5814f5f1a0 Bump svenstaro/upload-release-action from 2.2.0 to 2.2.1
Bumps [svenstaro/upload-release-action](https://github.com/svenstaro/upload-release-action) from 2.2.0 to 2.2.1.
- [Release notes](https://github.com/svenstaro/upload-release-action/releases)
- [Changelog](https://github.com/svenstaro/upload-release-action/blob/master/CHANGELOG.md)
- [Commits](https://github.com/svenstaro/upload-release-action/compare/2.2.0...2.2.1)

---
updated-dependencies:
- dependency-name: svenstaro/upload-release-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-20 15:25:25 +00:00
str4d 37c813e0a7 Merge pull request #50 from str4d/ci-updates
CI updates
2022-03-20 15:25:06 +00:00
Jack Grigg 60b36e39c8 CI: Use ubuntu-18.04 for Linux release builder
GitHub removed `ubuntu-16.04` in September 2021, which causes the
release workflow to hang waiting on a runner that will never be made
available.
2022-03-20 15:18:19 +00:00
Jack Grigg da9212c135 CI: Add Dependabot config to keep GitHub Actions up-to-date 2022-03-20 15:18:19 +00:00
Jack Grigg dcdf306d3a CI: Refactor rustfmt CI job 2022-03-20 15:18:19 +00:00
Jack Grigg f0ba5724bf CI: Migrate to actions/checkout@v3 2022-03-20 15:18:19 +00:00
str4d f1bb46d274 Merge pull request #46 from str4d/37-ignore-otp-string
Detect invalid PIN lengths and ask the user again
2022-03-20 14:57:48 +00:00
str4d b3590f4ce1 Merge pull request #45 from str4d/44-request-touch
Print message if YubiKey is waiting for touch
2021-12-20 03:23:49 +00:00
Jack Grigg 2fc2dcd1c3 Unify the touch request messages
This is also a good test for sending emojis through the age plugin IPC
protocol.
2021-12-20 03:22:25 +00:00
Jack Grigg 68ac19017e Detect invalid PIN lengths and ask the user again
We also detect the specific case where the PIN returned by the user is
likely a YubiKey OTP, generated by the user touching it early.

Closes str4d/age-plugin-yubikey#37.
2021-12-19 01:31:54 +00:00
Jack Grigg e5bdffa5cc Print message if YubiKey is waiting for touch
Closes str4d/age-plugin-yubikey#44.
2021-12-19 00:28:27 +00:00
18 changed files with 1756 additions and 530 deletions
+12
View File
@@ -0,0 +1,12 @@
version: 2
updates:
- package-ecosystem: github-actions
directory: "/"
schedule:
interval: daily
timezone: Etc/UTC
open-pull-requests-limit: 10
reviewers:
- str4d
assignees:
- str4d
+16 -15
View File
@@ -22,10 +22,10 @@ jobs:
os: macos-latest os: macos-latest
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- uses: actions-rs/toolchain@v1 - uses: actions-rs/toolchain@v1
with: with:
toolchain: 1.51.0 toolchain: 1.56.0
override: true override: true
- name: Install build dependencies - name: Install build dependencies
run: sudo apt install ${{ matrix.build_deps }} run: sudo apt install ${{ matrix.build_deps }}
@@ -46,14 +46,14 @@ jobs:
args: --verbose args: --verbose
clippy: clippy:
name: Clippy (1.51.0) name: Clippy (1.56.0)
timeout-minutes: 30 timeout-minutes: 30
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- uses: actions-rs/toolchain@v1 - uses: actions-rs/toolchain@v1
with: with:
toolchain: 1.51.0 toolchain: 1.56.0
components: clippy components: clippy
override: true override: true
- name: Install build dependencies - name: Install build dependencies
@@ -61,7 +61,7 @@ jobs:
- name: Run clippy - name: Run clippy
uses: actions-rs/clippy-check@v1 uses: actions-rs/clippy-check@v1
with: with:
name: Clippy (1.51.0) name: Clippy (1.56.0)
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}
args: --all-features --all-targets -- -D warnings args: --all-features --all-targets -- -D warnings
@@ -71,7 +71,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
continue-on-error: true continue-on-error: true
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- uses: actions-rs/toolchain@v1 - uses: actions-rs/toolchain@v1
with: with:
toolchain: nightly toolchain: nightly
@@ -92,7 +92,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v3
# Use stable for this to ensure that cargo-tarpaulin can be built. # Use stable for this to ensure that cargo-tarpaulin can be built.
- uses: actions-rs/toolchain@v1 - uses: actions-rs/toolchain@v1
with: with:
@@ -105,7 +105,7 @@ jobs:
with: with:
args: --release --timeout 180 --out Xml args: --release --timeout 180 --out Xml
- name: Upload coverage to Codecov - name: Upload coverage to Codecov
uses: codecov/codecov-action@v1.0.3 uses: codecov/codecov-action@v3.1.1
with: with:
token: ${{secrets.CODECOV_TOKEN}} token: ${{secrets.CODECOV_TOKEN}}
@@ -114,10 +114,10 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- uses: actions-rs/toolchain@v1 - uses: actions-rs/toolchain@v1
with: with:
toolchain: 1.51.0 toolchain: 1.56.0
override: true override: true
- name: Install build dependencies - name: Install build dependencies
run: sudo apt install libpcsclite-dev run: sudo apt install libpcsclite-dev
@@ -139,13 +139,14 @@ jobs:
timeout-minutes: 30 timeout-minutes: 30
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- uses: actions-rs/toolchain@v1 - uses: actions-rs/toolchain@v1
with: with:
toolchain: 1.51.0 toolchain: 1.56.0
components: rustfmt
override: true override: true
- run: rustup component add rustfmt - name: Check formatting
- uses: actions-rs/cargo@v1 uses: actions-rs/cargo@v1
with: with:
command: fmt command: fmt
args: -- --check args: -- --check
+18 -11
View File
@@ -17,10 +17,14 @@ jobs:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
strategy: strategy:
matrix: matrix:
name: [linux, windows, macos] name:
- linux
- macos-arm64
- macos-x86_64
- windows
include: include:
- name: linux - name: linux
os: ubuntu-16.04 os: ubuntu-18.04
build_deps: > build_deps: >
libpcsclite-dev libpcsclite-dev
archive_name: age-plugin-yubikey.tar.gz archive_name: age-plugin-yubikey.tar.gz
@@ -31,13 +35,20 @@ jobs:
archive_name: age-plugin-yubikey.zip archive_name: age-plugin-yubikey.zip
asset_suffix: x86_64-windows.zip asset_suffix: x86_64-windows.zip
- name: macos - name: macos-arm64
os: macos-latest
target: aarch64-apple-darwin
build_flags: --target aarch64-apple-darwin
archive_name: age-plugin-yubikey.tar.gz
asset_suffix: arm64-darwin.tar.gz
- name: macos-x86_64
os: macos-latest os: macos-latest
archive_name: age-plugin-yubikey.tar.gz archive_name: age-plugin-yubikey.tar.gz
asset_suffix: x86_64-darwin.tar.gz asset_suffix: x86_64-darwin.tar.gz
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- uses: actions-rs/toolchain@v1 - uses: actions-rs/toolchain@v1
with: with:
toolchain: stable toolchain: stable
@@ -76,12 +87,10 @@ jobs:
if: matrix.name == 'windows' if: matrix.name == 'windows'
- name: Upload archive to release - name: Upload archive to release
uses: svenstaro/upload-release-action@2.2.0 uses: svenstaro/upload-release-action@2.3.0
with: with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
file: ${{ matrix.archive_name }} file: ${{ matrix.archive_name }}
asset_name: age-plugin-yubikey-$tag-${{ matrix.asset_suffix }} asset_name: age-plugin-yubikey-$tag-${{ matrix.asset_suffix }}
tag: ${{ github.ref }}
prerelease: true prerelease: true
if: github.event.inputs.test != 'true' if: github.event.inputs.test != 'true'
@@ -98,7 +107,7 @@ jobs:
libpcsclite-dev libpcsclite-dev
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v3
- uses: actions-rs/toolchain@v1 - uses: actions-rs/toolchain@v1
with: with:
toolchain: stable toolchain: stable
@@ -137,11 +146,9 @@ jobs:
args: --package age-plugin-yubikey --no-build --target ${{ matrix.target }} args: --package age-plugin-yubikey --no-build --target ${{ matrix.target }}
- name: Upload Debian package to release - name: Upload Debian package to release
uses: svenstaro/upload-release-action@2.2.0 uses: svenstaro/upload-release-action@2.3.0
with: with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
file: target/${{ matrix.target }}/debian/*.deb file: target/${{ matrix.target }}/debian/*.deb
tag: ${{ github.ref }}
file_glob: true file_glob: true
prerelease: true prerelease: true
if: github.event.inputs.test != 'true' if: github.event.inputs.test != 'true'
+37 -1
View File
@@ -4,10 +4,46 @@ All notable changes to this crate will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to Rust's notion of and this project adheres to Rust's notion of
[Semantic Versioning](https://semver.org/spec/v2.0.0.html). All versions prior [Semantic Versioning](https://semver.org/spec/v2.0.0.html). All versions prior
to 1.0.0 are beta releases. to 0.3.0 are beta releases.
## [Unreleased] ## [Unreleased]
## [0.3.2] - 2023-01-01
### Changed
- The "sharing violation" logic now also sends SIGHUP to any `yubikey-agent`
that is running, to have them release any YubiKey locks they are holding.
### Fixed
- The "sharing violation" logic now runs during plugin mode as intended. In the
previous release it only ran during direct `age-plugin-yubikey` usage.
## [0.3.1] - 2022-12-30
### Changed
- If a "sharing violation" error is encountered while opening a connection to a
YubiKey, and `scdaemon` is running (which can hold exclusive access to a
YubiKey indefinitely), `age-plugin-yubikey` now attempts to stop `scdaemon` by
interrupting it (or killing it on Windows), and then tries again to open the
connection.
- Several error messages were enhanced with guidance on how to resolve their
respective issue.
## [0.3.0] - 2022-05-02
First non-beta release!
### Changed
- MSRV is now 1.56.0.
- During decryption, when asked to insert a YubiKey, you can now choose to skip
it, allowing the client to move on to the next identity instead of returning
an error.
- Certain kinds of PIN invalidity will now cause the plugin to re-request the
PIN instead of aborting: if the PIN is too short or too long, or if the user
touched the YubiKey early and "typed" an OTP.
### Fixed
- The "default" identity (provided by clients that invoke `age-plugin-yubikey`
using `-j yubikey`) previously caused a panic. It is now correctly treated as
an invalid identity (because this plugin does not support default identities).
## [0.2.0] - 2021-11-22 ## [0.2.0] - 2021-11-22
### Fixed ### Fixed
- Attempts-before-blocked counter is now returned as part of the invalid PIN - Attempts-before-blocked counter is now returned as part of the invalid PIN
Generated
+738 -107
View File
File diff suppressed because it is too large Load Diff
+16 -7
View File
@@ -1,19 +1,19 @@
[package] [package]
name = "age-plugin-yubikey" name = "age-plugin-yubikey"
description = "[BETA] YubiKey plugin for age clients" description = "YubiKey plugin for age clients"
version = "0.2.0" version = "0.3.2"
authors = ["Jack Grigg <thestr4d@gmail.com>"] authors = ["Jack Grigg <thestr4d@gmail.com>"]
repository = "https://github.com/str4d/age-plugin-yubikey" repository = "https://github.com/str4d/age-plugin-yubikey"
readme = "README.md" readme = "README.md"
keywords = ["age", "cli", "encryption", "yubikey"] keywords = ["age", "cli", "encryption", "yubikey"]
categories = ["command-line-utilities", "cryptography"] categories = ["command-line-utilities", "cryptography"]
license = "MIT OR Apache-2.0" license = "MIT OR Apache-2.0"
edition = "2018" edition = "2021"
rust-version = "1.56" # MSRV
[package.metadata.deb] [package.metadata.deb]
extended-description = """\ extended-description = """\
An age plugin adding support for YubiKeys and other PIV hardware tokens. \ An age plugin adding support for YubiKeys and other PIV hardware tokens."""
Currently in BETA; we strongly recommend using this with a new YubiKey."""
section = "utils" section = "utils"
assets = [ assets = [
["target/release/age-plugin-yubikey", "usr/bin/", "755"], ["target/release/age-plugin-yubikey", "usr/bin/", "755"],
@@ -22,8 +22,8 @@ assets = [
] ]
[dependencies] [dependencies]
age-core = "0.7" age-core = "0.8"
age-plugin = "0.2" age-plugin = "0.3"
base64 = "0.13" base64 = "0.13"
bech32 = "0.8" bech32 = "0.8"
console = { version = "0.15", default-features = false } console = { version = "0.15", default-features = false }
@@ -41,6 +41,15 @@ x509 = "0.2"
x509-parser = "0.12" x509-parser = "0.12"
yubikey = { version = "0.5", features = ["untested"] } yubikey = { version = "0.5", features = ["untested"] }
# Translations
i18n-embed = { version = "0.13", features = ["desktop-requester", "fluent-system"] }
i18n-embed-fl = "0.6"
lazy_static = "1"
rust-embed = "6"
# GnuPG coexistence
sysinfo = ">=0.26, <0.26.4"
[dev-dependencies] [dev-dependencies]
flate2 = "1" flate2 = "1"
man = "0.3" man = "0.3"
+19 -6
View File
@@ -4,15 +4,12 @@
like [`age`](https://age-encryption.org) and [`rage`](https://str4d.xyz/rage), like [`age`](https://age-encryption.org) and [`rage`](https://str4d.xyz/rage),
which enables files to be encrypted to age identities stored on YubiKeys. which enables files to be encrypted to age identities stored on YubiKeys.
This plugin is in **BETA**; we strongly recommend using this with a new YubiKey,
or one that you do not care about.
## Installation ## Installation
On Windows, Linux, and macOS, you can use the On Windows, Linux, and macOS, you can use the
[pre-built binaries](https://github.com/str4d/age-plugin-yubikey/releases). [pre-built binaries](https://github.com/str4d/age-plugin-yubikey/releases).
If your system has Rust 1.51+ installed (either via `rustup` or a system If your system has Rust 1.56+ installed (either via `rustup` or a system
package), you can build directly from source: package), you can build directly from source:
``` ```
@@ -21,6 +18,15 @@ cargo install age-plugin-yubikey
Help from new packagers is very welcome. Help from new packagers is very welcome.
### Linux, BSD, etc.
On non-Windows, non-macOS systems, you need to ensure that the `pcscd` service
is installed and running. On Debian or Ubuntu, you can do this with:
```
$ sudo apt-get install pcscd
```
### Windows Subsystem for Linux (WSL) ### Windows Subsystem for Linux (WSL)
WSL does not currently provide native support for USB devices. However, Windows WSL does not currently provide native support for USB devices. However, Windows
@@ -98,8 +104,15 @@ enabling YubiKeys to be used simultaneously with age and SSH.
### Manual setup and technical details ### Manual setup and technical details
`age-plugin-yubikey` only officially supports YubiKeys set up either via the `age-plugin-yubikey` only officially supports the following YubiKey variants,
text interface or the `--generate` flag. set up either via the text interface or the `--generate` flag:
- YubiKey 4 series
- YubiKey 5 series
NOTE: Nano and USB-C variants of the above are also supported. The pre-YK4
YubiKey NEO series is **NOT** supported. The blue "Security Key by Yubico" will
also not work (as it doesn't support PIV).
In practice, any PIV token with an ECDSA P-256 key and certificate in one of the In practice, any PIV token with an ECDSA P-256 key and certificate in one of the
20 "retired" slots should work. You can list all age-compatible keys with: 20 "retired" slots should work. You can list all age-compatible keys with:
+4
View File
@@ -0,0 +1,4 @@
fallback_language = "en-US"
[fluent]
assets_dir = "i18n"
+220
View File
@@ -0,0 +1,220 @@
# Copyright 2022 Jack Grigg
#
# Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
# http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
# <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your
# option. This file may not be copied, modified, or distributed
# except according to those terms.
### Localization for strings in age-plugin-yubikey
-age = age
-yubikey = YubiKey
-yubikeys = YubiKeys
-age-plugin-yubikey = age-plugin-yubikey
-pcscd = pcscd
## CLI commands and flags
-cmd-generate = --generate
-cmd-identity = --identity
-cmd-list = --list
-cmd-list-all = --list-all
-flag-force = --force
-flag-serial = --serial
-flag-slot = --slot
## YubiKey metadata
pin-policy-always = Always (A PIN is required for every decryption, if set)
pin-policy-once = Once (A PIN is required once per session, if set)
pin-policy-never = Never (A PIN is NOT required to decrypt)
touch-policy-always = Always (A physical touch is required for every decryption)
touch-policy-cached = Cached (A physical touch is required for decryption, and is cached for 15 seconds)
touch-policy-never = Never (A physical touch is NOT required to decrypt)
unknown-policy = Unknown
yubikey-metadata =
# Serial: {$serial}, Slot: {$slot}
# Name: {$name}
# Created: {$created}
# PIN policy: {$pin_policy}
# Touch policy: {$touch_policy}
yubikey-identity =
{$yubikey_metadata}
# Recipient: {$recipient}
{$identity}
## CLI setup via text interface
cli-setup-intro =
✨ Let's get your {-yubikey} set up for {-age}! ✨
This tool can create a new {-age} identity in a free slot of your {-yubikey}.
It will generate an identity file that you can use with an {-age} client,
along with the corresponding recipient. You can also do this directly
with:
{" "}{$generate_usage}
If you are already using a {-yubikey} with {-age}, you can select an existing
slot to recreate its corresponding identity file and recipient.
When asked below to select an option, use the up/down arrow keys to
make your choice, or press [Esc] or [q] to quit.
cli-setup-insert-yk = ⏳ Please insert the {-yubikey} you want to set up.
cli-setup-yk-name = {$yubikey_name} (Serial: {$yubikey_serial})
cli-setup-select-yk = 🔑 Select a {-yubikey}
cli-setup-slot-usable = Slot {$slot_index} ({$slot_name})
cli-setup-slot-unusable = Slot {$slot_index} (Unusable)
cli-setup-slot-empty = Slot {$slot_index} (Empty)
cli-setup-select-slot = 🕳️ Select a slot for your {-age} identity
cli-setup-name-identity = 📛 Name this identity
cli-setup-select-pin-policy = 🔤 Select a PIN policy
cli-setup-select-touch-policy = 👆 Select a touch policy
cli-setup-generate-new = Generate new identity in slot {$slot_index}?
cli-setup-use-existing = Use existing identity in slot {$slot_index}?
cli-setup-identity-file-name = 📝 File name to write this identity to
cli-setup-identity-file-exists = File exists. Overwrite it?
cli-setup-finished =
✅ Done! This {-yubikey} identity is ready to go.
🔑 { $is_new ->
[true] Here's your shiny new {-yubikey} recipient:
*[false] Here's the corresponding {-yubikey} recipient:
}
{" "}{$recipient}
Here are some example things you can do with it:
- Encrypt a file to this identity:
{" "}{$encrypt_usage}
- Decrypt a file with this identity:
{" "}{$decrypt_usage}
- Recreate the identity file:
{" "}{$identity_usage}
- Recreate the recipient:
{" "}{$recipient_usage}
💭 Remember: everything breaks, have a backup plan for when this {-yubikey} does.
## Programmatic usage
open-yk-with-serial = ⏳ Please insert the {-yubikey} with serial {$yubikey_serial}.
open-yk-without-serial = ⏳ Please insert the {-yubikey}.
warn-yk-not-connected = Ignoring {$yubikey_name}: not connected
print-recipient = Recipient: {$recipient}
printed-kind-identities = identities
printed-kind-recipients = recipients
printed-multiple = Generated {$kind} for {$count} slots. If you intended to select a slot, use {-flag-slot}.
## YubiKey management
mgr-enter-pin = Enter PIN for {-yubikey} with serial {$yubikey_serial} (default is {$default_pin})
mgr-change-default-pin =
✨ Your {-yubikey} is using the default PIN. Let's change it!
✨ We'll also set the PUK equal to the PIN.
🔐 The PIN is up to 8 numbers, letters, or symbols. Not just numbers!
❌ Your keys will be lost if the PIN and PUK are locked after 3 incorrect tries.
mgr-enter-current-puk = Enter current PUK (default is {$default_puk})
mgr-choose-new-pin = Choose a new PIN/PUK
mgr-repeat-new-pin = Repeat the PIN/PUK
mgr-pin-mismatch = PINs don't match
mgr-changing-mgmt-key =
✨ Your {-yubikey} is using the default management key.
✨ We'll migrate it to a PIN-protected management key.
mgr-changing-mgmt-key-error =
An error occurred while setting the new management key.
⚠️ SAVE THIS MANAGEMENT KEY - YOU MAY NEED IT TO MANAGE YOUR {-yubikey}! ⚠️
{" "}{$management_key}
mgr-changing-mgmt-key-success = Success!
## Plugin usage
plugin-err-invalid-recipient = Invalid recipient
plugin-err-invalid-identity = Invalid {-yubikey} stub
plugin-err-invalid-stanza = Invalid {-yubikey} stanza
plugin-err-decryption-failed = Failed to decrypt {-yubikey} stanza
plugin-insert-yk = Please insert {-yubikey} with serial {$yubikey_serial}
plugin-yk-is-plugged-in = {-yubikey} is plugged in
plugin-skip-this-yk = Skip this {-yubikey}
plugin-insert-yk-retry = Could not open {-yubikey}. Please insert {-yubikey} with serial {$yubikey_serial}
plugin-err-yk-not-found = Could not find {-yubikey} with serial {$yubikey_serial}
plugin-err-yk-opening = Could not open {-yubikey} with serial {$yubikey_serial}
plugin-err-yk-timed-out = Timed out while waiting for {-yubikey} with serial {$yubikey_serial} to be inserted
plugin-err-yk-stub-mismatch = A {-yubikey} stub did not match the {-yubikey}
plugin-err-yk-invalid-pin-policy = Certificate for {-yubikey} identity contains an invalid PIN policy
plugin-enter-pin = Enter PIN for {-yubikey} with serial {$yubikey_serial}
plugin-err-accidental-touch = Did you touch the {-yubikey} by accident?
plugin-err-pin-too-short = PIN was too short.
plugin-err-pin-too-long = PIN was too long.
plugin-err-pin-required = A PIN is required for {-yubikey} with serial {$yubikey_serial}
## Errors
err-custom-mgmt-key = Custom unprotected non-TDES management keys are not supported.
rec-custom-mgmt-key =
You can use the {-yubikey} Manager CLI to change to a protected management key:
{" "}{$cmd}
See here for more information about {-yubikey} Manager:
{" "}{$url}
err-invalid-flag-command = Flag '{$flag}' cannot be used with '{$command}'.
err-invalid-flag-tui = Flag '{$flag}' cannot be used with the interactive interface.
err-invalid-pin-length = The PIN needs to be 1-8 characters.
err-invalid-pin-policy = Invalid PIN policy '{$policy}' (expected [{$expected}]).
err-invalid-slot = Invalid slot '{$slot}' (expected number between 1 and 20).
err-invalid-touch-policy = Invalid touch policy '{$policy}' (expected [{$expected}]).
err-io = Failed to set up {-yubikey}: {$err}
err-multiple-commands = Only one of {-cmd-generate}, {-cmd-identity}, {-cmd-list}, {-cmd-list-all} can be specified.
err-multiple-yubikeys = Multiple {-yubikeys} are plugged in. Use {-flag-serial} to select a single {-yubikey}.
err-no-empty-slots = {-yubikey} with serial {$serial} has no empty slots.
err-no-matching-serial = Could not find {-yubikey} with serial {$serial}.
err-slot-has-no-identity = Slot {$slot} does not contain an {-age} identity or compatible key.
err-slot-is-not-empty = Slot {$slot} is not empty. Use {-flag-force} to overwrite the slot.
err-timed-out = Timed out while waiting for a {-yubikey} to be inserted.
err-use-list-for-single = Use {-cmd-list} to print the recipient for a single slot.
err-yk-no-service-macos = The Crypto Token Kit service is not running.
rec-yk-no-service-macos =
You may need to restart it. See this Stack Exchange answer for more help:
{" "}{$url}
err-yk-no-service-pcscd = {-pcscd} is not running.
rec-yk-no-service-pcscd =
If you are on Debian or Ubuntu, you can install it with:
{" "}{$apt}
err-yk-no-service-win = The Smart Cards for Windows service is not running.
rec-yk-no-service-win =
See this troubleshooting guide for more help:
{" "}{$url}
err-yk-not-found = Please insert the {-yubikey} you want to set up
err-yk-wrong-pin = Invalid PIN ({$tries} tries remaining before it is blocked)
err-yk-general = Error while communicating with {-yubikey}: {$err}
err-yk-general-cause = Cause: {$inner_err}
err-ux-A = Did this not do what you expected? Could an error be more useful?
err-ux-B = Tell us
# Put (len(A) - len(B) - 46) spaces here.
err-ux-C = {" "}
+1 -1
View File
@@ -1 +1 @@
1.51.0 1.56.0
+2 -8
View File
@@ -1,7 +1,7 @@
use rand::{rngs::OsRng, RngCore}; use rand::{rngs::OsRng, RngCore};
use x509::RelativeDistinguishedName; use x509::RelativeDistinguishedName;
use yubikey::{ use yubikey::{
certificate::{Certificate, PublicKeyInfo}, certificate::Certificate,
piv::{generate as yubikey_generate, AlgorithmId, RetiredSlotId, SlotId}, piv::{generate as yubikey_generate, AlgorithmId, RetiredSlotId, SlotId},
Key, PinPolicy, TouchPolicy, YubiKey, Key, PinPolicy, TouchPolicy, YubiKey,
}; };
@@ -106,12 +106,7 @@ impl IdentityBuilder {
touch_policy, touch_policy,
)?; )?;
let recipient = match &generated { let recipient = Recipient::from_spki(&generated).expect("YubiKey generates a valid pubkey");
PublicKeyInfo::EcP256(pubkey) => {
Recipient::from_encoded(pubkey).expect("YubiKey generates a valid pubkey")
}
_ => unreachable!(),
};
let stub = Stub::new(yubikey.serial(), slot, &recipient); let stub = Stub::new(yubikey.serial(), slot, &recipient);
// Pick a random serial for the new self-signed certificate. // Pick a random serial for the new self-signed certificate.
@@ -139,7 +134,6 @@ impl IdentityBuilder {
)], )],
)?; )?;
let (_, cert) = x509_parser::parse_x509_certificate(cert.as_ref()).unwrap();
let metadata = Metadata::extract(yubikey, slot, &cert, false).unwrap(); let metadata = Metadata::extract(yubikey, slot, &cert, false).unwrap();
Ok(( Ok((
+63 -58
View File
@@ -4,6 +4,15 @@ use yubikey::{piv::RetiredSlotId, Serial};
use crate::util::slot_to_ui; use crate::util::slot_to_ui;
macro_rules! wlnfl {
($f:ident, $message_id:literal) => {
writeln!($f, "{}", $crate::fl!($message_id))
};
($f:ident, $message_id:literal, $($kwarg:expr),* $(,)*) => {{
writeln!($f, "{}", $crate::fl!($message_id, $($kwarg,)*))
}};
}
pub enum Error { pub enum Error {
CustomManagementKey, CustomManagementKey,
InvalidFlagCommand(String, String), InvalidFlagCommand(String, String),
@@ -42,89 +51,85 @@ impl fmt::Debug for Error {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
match self { match self {
Error::CustomManagementKey => { Error::CustomManagementKey => {
writeln!(f, "Custom unprotected management keys are not supported.")? wlnfl!(f, "err-custom-mgmt-key")?;
let cmd = "ykman piv access change-management-key --protect";
let url = "https://developers.yubico.com/yubikey-manager/";
wlnfl!(f, "rec-custom-mgmt-key", cmd = cmd, url = url)?;
} }
Error::InvalidFlagCommand(flag, command) => { Error::InvalidFlagCommand(flag, command) => wlnfl!(
writeln!(f, "Flag '{}' cannot be used with '{}'.", flag, command)?
}
Error::InvalidFlagTui(flag) => writeln!(
f, f,
"Flag '{}' cannot be used with the interactive interface.", "err-invalid-flag-command",
flag flag = flag.as_str(),
command = command.as_str(),
)?, )?,
Error::InvalidPinLength => writeln!(f, "The PIN needs to be 1-8 characters.")?, Error::InvalidFlagTui(flag) => wlnfl!(f, "err-invalid-flag-tui", flag = flag.as_str())?,
Error::InvalidPinPolicy(s) => writeln!( Error::InvalidPinLength => wlnfl!(f, "err-invalid-pin-length")?,
Error::InvalidPinPolicy(s) => wlnfl!(
f, f,
"Invalid PIN policy '{}' (expected [always, once, never]).", "err-invalid-pin-policy",
s policy = s.as_str(),
expected = "always, once, never",
)?, )?,
Error::InvalidSlot(slot) => writeln!( Error::InvalidSlot(slot) => wlnfl!(f, "err-invalid-slot", slot = slot)?,
Error::InvalidTouchPolicy(s) => wlnfl!(
f, f,
"Invalid slot '{}' (expected number between 1 and 20).", "err-invalid-touch-policy",
slot policy = s.as_str(),
)?, expected = "always, cached, never",
Error::InvalidTouchPolicy(s) => writeln!(
f,
"Invalid touch policy '{}' (expected [always, cached, never]).",
s
)?,
Error::Io(e) => writeln!(f, "Failed to set up YubiKey: {}", e)?,
Error::MultipleCommands => writeln!(
f,
"Only one of --generate, --identity, --list, --list-all can be specified."
)?,
Error::MultipleYubiKeys => writeln!(
f,
"Multiple YubiKeys are plugged in. Use --serial to select a single YubiKey."
)?, )?,
Error::Io(e) => wlnfl!(f, "err-io", err = e.to_string())?,
Error::MultipleCommands => wlnfl!(f, "err-multiple-commands")?,
Error::MultipleYubiKeys => wlnfl!(f, "err-multiple-yubikeys")?,
Error::NoEmptySlots(serial) => { Error::NoEmptySlots(serial) => {
writeln!(f, "YubiKey with serial {} has no empty slots.", serial)? wlnfl!(f, "err-no-empty-slots", serial = serial.to_string())?
} }
Error::NoMatchingSerial(serial) => { Error::NoMatchingSerial(serial) => {
writeln!(f, "Could not find YubiKey with serial {}.", serial)? wlnfl!(f, "err-no-matching-serial", serial = serial.to_string())?
} }
Error::SlotHasNoIdentity(slot) => writeln!( Error::SlotHasNoIdentity(slot) => {
f, wlnfl!(f, "err-slot-has-no-identity", slot = slot_to_ui(slot))?
"Slot {} does not contain an age identity or compatible key.",
slot_to_ui(slot)
)?,
Error::SlotIsNotEmpty(slot) => writeln!(
f,
"Slot {} is not empty. Use --force to overwrite the slot.",
slot_to_ui(slot)
)?,
Error::TimedOut => {
writeln!(f, "Timed out while waiting for a YubiKey to be inserted.")?
} }
Error::UseListForSingleSlot => { Error::SlotIsNotEmpty(slot) => {
writeln!(f, "Use --list to print the recipient for a single slot.")? wlnfl!(f, "err-slot-is-not-empty", slot = slot_to_ui(slot))?
} }
Error::TimedOut => wlnfl!(f, "err-timed-out")?,
Error::UseListForSingleSlot => wlnfl!(f, "err-use-list-for-single")?,
Error::YubiKey(e) => match e { Error::YubiKey(e) => match e {
yubikey::Error::NotFound => { yubikey::Error::NotFound => wlnfl!(f, "err-yk-not-found")?,
writeln!(f, "Please insert the YubiKey you want to set up")? yubikey::Error::PcscError {
inner: Some(pcsc::Error::NoService),
} => {
if cfg!(windows) {
wlnfl!(f, "err-yk-no-service-win")?;
let url = "https://learn.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-debugging-information#smart-card-service";
wlnfl!(f, "rec-yk-no-service-win", url = url)?;
} else if cfg!(target_os = "macos") {
wlnfl!(f, "err-yk-no-service-macos")?;
let url = "https://apple.stackexchange.com/a/438198";
wlnfl!(f, "rec-yk-no-service-macos", url = url)?;
} else {
wlnfl!(f, "err-yk-no-service-pcscd")?;
let apt = "sudo apt-get install pcscd";
wlnfl!(f, "rec-yk-no-service-pcscd", apt = apt)?;
} }
yubikey::Error::WrongPin { tries } => writeln!( }
f, yubikey::Error::WrongPin { tries } => wlnfl!(f, "err-yk-wrong-pin", tries = tries)?,
"Invalid PIN ({} tries remaining before it is blocked)",
tries
)?,
e => { e => {
writeln!(f, "Error while communicating with YubiKey: {}", e)?; wlnfl!(f, "err-yk-general", err = e.to_string())?;
use std::error::Error; use std::error::Error;
if let Some(inner) = e.source() { if let Some(inner) = e.source() {
writeln!(f, "Cause: {}", inner)?; wlnfl!(f, "err-yk-general-cause", inner_err = inner.to_string())?;
} }
} }
}, },
} }
writeln!(f)?; writeln!(f)?;
writeln!( writeln!(f, "[ {} ]", crate::fl!("err-ux-A"))?;
f,
"[ Did this not do what you expected? Could an error be more useful? ]"
)?;
write!( write!(
f, f,
"[ Tell us: https://str4d.xyz/age-plugin-yubikey/report ]" "[ {}: https://str4d.xyz/age-plugin-yubikey/report {} ]",
crate::fl!("err-ux-B"),
crate::fl!("err-ux-C")
) )
} }
} }
-1
View File
@@ -5,7 +5,6 @@ use age_core::{
}; };
use p256::{ecdh::EphemeralSecret, elliptic_curve::sec1::ToEncodedPoint}; use p256::{ecdh::EphemeralSecret, elliptic_curve::sec1::ToEncodedPoint};
use rand::rngs::OsRng; use rand::rngs::OsRng;
use std::convert::TryInto;
use crate::{p256::Recipient, STANZA_TAG}; use crate::{p256::Recipient, STANZA_TAG};
+341 -85
View File
@@ -8,25 +8,25 @@ use age_core::{
use age_plugin::{identity, Callbacks}; use age_plugin::{identity, Callbacks};
use bech32::{ToBase32, Variant}; use bech32::{ToBase32, Variant};
use dialoguer::Password; use dialoguer::Password;
use log::warn; use log::{debug, error, warn};
use std::convert::TryInto;
use std::fmt; use std::fmt;
use std::io; use std::io;
use std::iter; use std::iter;
use std::thread::sleep; use std::thread::sleep;
use std::time::{Duration, SystemTime}; use std::time::{Duration, Instant, SystemTime};
use yubikey::{ use yubikey::{
certificate::{Certificate, PublicKeyInfo}, certificate::Certificate,
piv::{decrypt_data, AlgorithmId, RetiredSlotId, SlotId}, piv::{decrypt_data, AlgorithmId, RetiredSlotId, SlotId},
reader::{Context, Reader}, reader::{Context, Reader},
MgmKey, PinPolicy, Serial, YubiKey, Key, MgmKey, PinPolicy, Serial, TouchPolicy, YubiKey,
}; };
use crate::{ use crate::{
error::Error, error::Error,
fl,
format::{RecipientLine, STANZA_KEY_LABEL}, format::{RecipientLine, STANZA_KEY_LABEL},
p256::{Recipient, TAG_BYTES}, p256::{Recipient, TAG_BYTES},
util::Metadata, util::{otp_serial_prefix, Metadata},
IDENTITY_PREFIX, IDENTITY_PREFIX,
}; };
@@ -39,18 +39,16 @@ pub(crate) fn is_connected(reader: Reader) -> bool {
pub(crate) fn filter_connected(reader: &Reader) -> bool { pub(crate) fn filter_connected(reader: &Reader) -> bool {
match reader.open() { match reader.open() {
Ok(_) => true, Err(yubikey::Error::PcscError {
Err(e) => { inner: Some(pcsc::Error::RemovedCard),
use std::error::Error; }) => {
if let Some(pcsc::Error::RemovedCard) = warn!(
e.source().and_then(|inner| inner.downcast_ref()) "{}",
{ fl!("warn-yk-not-connected", yubikey_name = reader.name())
warn!("Ignoring {}: not connected", reader.name()); );
false false
} else {
true
}
} }
_ => true,
} }
} }
@@ -70,12 +68,139 @@ pub(crate) fn wait_for_readers() -> Result<Context, Error> {
} }
} }
/// Looks for agent processes that might be holding exclusive access to a YubiKey, and
/// asks them as nicely as possible to release it.
///
/// Returns `true` if any known agent was running and was successfully interrupted (or
/// killed if the platform doesn't support interrupts).
fn hunt_agents() -> bool {
debug!("Sharing violation encountered, looking for agent processes");
use sysinfo::{ProcessExt, ProcessRefreshKind, RefreshKind, Signal, System, SystemExt};
let mut interrupted = false;
let sys =
System::new_with_specifics(RefreshKind::new().with_processes(ProcessRefreshKind::new()));
for process in sys.processes().values() {
match process.name() {
"scdaemon" | "scdaemon.exe" => {
// gpg-agent runs scdaemon to interact with smart cards. The canonical way
// to reload it is `gpgconf --reload scdaemon`, which kills and restarts
// the process. We emulate that here with SIGINT (which it listens to).
if process
.kill_with(Signal::Interrupt)
.unwrap_or_else(|| process.kill())
{
debug!("Stopped scdaemon (PID {})", process.pid());
interrupted = true;
}
}
"yubikey-agent" | "yubikey-agent.exe" => {
// yubikey-agent releases all YubiKey locks when it receives a SIGHUP.
match process.kill_with(Signal::Hangup) {
Some(true) => {
debug!("Sent SIGHUP to yubikey-agent (PID {})", process.pid());
interrupted = true;
}
Some(false) => (),
None => debug!(
"Found yubikey-agent (PID {}) but platform doesn't support SIGHUP",
process.pid(),
),
}
}
_ => (),
}
}
// If we did interrupt an agent, pause briefly to allow it to finish up.
if interrupted {
sleep(Duration::from_millis(100));
}
interrupted
}
fn open_sesame(
op: impl Fn() -> Result<YubiKey, yubikey::Error>,
) -> Result<YubiKey, yubikey::Error> {
op().or_else(|e| match e {
yubikey::Error::PcscError {
inner: Some(pcsc::Error::SharingViolation),
} if hunt_agents() => op(),
_ => Err(e),
})
}
/// Opens a connection to this reader, returning a `YubiKey` if successful.
///
/// This is equivalent to [`Reader::open`], but additionally handles the presence of
/// agents (which can indefinitely hold exclusive access to a YubiKey).
pub(crate) fn open_connection(reader: &Reader) -> Result<YubiKey, yubikey::Error> {
open_sesame(|| reader.open())
}
/// Opens a YubiKey with a specific serial number.
///
/// This is equivalent to [`YubiKey::open_by_serial`], but additionally handles the
/// presence of agents (which can indefinitely hold exclusive access to a YubiKey).
fn open_by_serial(serial: Serial) -> Result<YubiKey, yubikey::Error> {
// `YubiKey::open_by_serial` has a bug where it ignores all opening errors, even if
// it potentially could have found a matching YubiKey if not for an error, and thus
// returns `Error::NotFound` if another agent is holding exclusive access to the
// required YubiKey. This gives misleading UX behaviour where age-plugin-yubikey asks
// the user to insert a YubiKey they have already inserted.
//
// For now, we instead implement the correct behaviour manually. Once MSRV has been
// raised to 1.60, we can upstream this into the `yubikey` crate.
open_sesame(|| {
let mut readers = Context::open()?;
let mut open_error = None;
for reader in readers.iter()? {
let yubikey = match reader.open() {
Ok(yk) => yk,
Err(e) => {
// Save the first error we see that indicates we might have been able
// to find a matching YubiKey.
if open_error.is_none() {
if let yubikey::Error::PcscError {
inner: Some(pcsc::Error::SharingViolation),
} = e
{
open_error = Some(e);
}
}
continue;
}
};
if serial == yubikey.serial() {
return Ok(yubikey);
}
}
Err(if let Some(e) = open_error {
e
} else {
error!("no YubiKey detected with serial: {}", serial);
yubikey::Error::NotFound
})
})
}
pub(crate) fn open(serial: Option<Serial>) -> Result<YubiKey, Error> { pub(crate) fn open(serial: Option<Serial>) -> Result<YubiKey, Error> {
if !Context::open()?.iter()?.any(is_connected) { if !Context::open()?.iter()?.any(is_connected) {
if let Some(serial) = serial { if let Some(serial) = serial {
eprintln!("⏳ Please insert the YubiKey with serial {}.", serial); eprintln!(
"{}",
fl!("open-yk-with-serial", yubikey_serial = serial.to_string())
);
} else { } else {
eprintln!("⏳ Please insert the YubiKey."); eprintln!("{}", fl!("open-yk-without-serial"));
} }
} }
let mut readers = wait_for_readers()?; let mut readers = wait_for_readers()?;
@@ -85,9 +210,9 @@ pub(crate) fn open(serial: Option<Serial>) -> Result<YubiKey, Error> {
// connected, an error is returned. // connected, an error is returned.
let yubikey = match (readers_iter.next(), readers_iter.next(), serial) { let yubikey = match (readers_iter.next(), readers_iter.next(), serial) {
(None, _, _) => unreachable!(), (None, _, _) => unreachable!(),
(Some(reader), None, None) => reader.open()?, (Some(reader), None, None) => open_connection(&reader)?,
(Some(reader), None, Some(serial)) => { (Some(reader), None, Some(serial)) => {
let yubikey = reader.open()?; let yubikey = open_connection(&reader)?;
if yubikey.serial() != serial { if yubikey.serial() != serial {
return Err(Error::NoMatchingSerial(serial)); return Err(Error::NoMatchingSerial(serial));
} }
@@ -98,12 +223,12 @@ pub(crate) fn open(serial: Option<Serial>) -> Result<YubiKey, Error> {
.chain(Some(a)) .chain(Some(a))
.chain(Some(b)) .chain(Some(b))
.chain(readers_iter) .chain(readers_iter)
.find(|reader| match reader.open() { .find(|reader| match open_connection(reader) {
Ok(yk) => yk.serial() == serial, Ok(yk) => yk.serial() == serial,
_ => false, _ => false,
}) })
.ok_or(Error::NoMatchingSerial(serial))?; .ok_or(Error::NoMatchingSerial(serial))?;
reader.open()? open_connection(&reader)?
} }
(Some(_), Some(_), None) => return Err(Error::MultipleYubiKeys), (Some(_), Some(_), None) => return Err(Error::MultipleYubiKeys),
}; };
@@ -112,32 +237,30 @@ pub(crate) fn open(serial: Option<Serial>) -> Result<YubiKey, Error> {
} }
pub(crate) fn manage(yubikey: &mut YubiKey) -> Result<(), Error> { pub(crate) fn manage(yubikey: &mut YubiKey) -> Result<(), Error> {
const DEFAULT_PIN: &str = "123456";
const DEFAULT_PUK: &str = "12345678";
eprintln!(); eprintln!();
let pin = Password::new() let pin = Password::new()
.with_prompt(&format!( .with_prompt(fl!(
"Enter PIN for YubiKey with serial {} (default is 123456)", "mgr-enter-pin",
yubikey.serial(), yubikey_serial = yubikey.serial().to_string(),
default_pin = DEFAULT_PIN,
)) ))
.interact()?; .interact()?;
yubikey.verify_pin(pin.as_bytes())?; yubikey.verify_pin(pin.as_bytes())?;
// If the user is using the default PIN, help them to change it. // If the user is using the default PIN, help them to change it.
if pin == "123456" { if pin == DEFAULT_PIN {
eprintln!(); eprintln!();
eprintln!("✨ Your YubiKey is using the default PIN. Let's change it!"); eprintln!("{}", fl!("mgr-change-default-pin"));
eprintln!("✨ We'll also set the PUK equal to the PIN.");
eprintln!();
eprintln!("🔐 The PIN is up to 8 numbers, letters, or symbols. Not just numbers!");
eprintln!(
"❌ Your keys will be lost if the PIN and PUK are locked after 3 incorrect tries."
);
eprintln!(); eprintln!();
let current_puk = Password::new() let current_puk = Password::new()
.with_prompt("Enter current PUK (default is 12345678)") .with_prompt(fl!("mgr-enter-current-puk", default_puk = DEFAULT_PUK))
.interact()?; .interact()?;
let new_pin = Password::new() let new_pin = Password::new()
.with_prompt("Choose a new PIN/PUK") .with_prompt(fl!("mgr-choose-new-pin"))
.with_confirmation("Repeat the PIN/PUK", "PINs don't match") .with_confirmation(fl!("mgr-repeat-new-pin"), fl!("mgr-pin-mismatch"))
.interact()?; .interact()?;
if new_pin.len() > 8 { if new_pin.len() > 8 {
return Err(Error::InvalidPinLength); return Err(Error::InvalidPinLength);
@@ -157,28 +280,57 @@ pub(crate) fn manage(yubikey: &mut YubiKey) -> Result<(), Error> {
// Migrate to a PIN-protected management key. // Migrate to a PIN-protected management key.
let mgm_key = MgmKey::generate(); let mgm_key = MgmKey::generate();
eprintln!(); eprintln!();
eprintln!("✨ Your YubiKey is using the default management key."); eprintln!("{}", fl!("mgr-changing-mgmt-key"));
eprintln!("✨ We'll migrate it to a PIN-protected management key.");
eprint!("... "); eprint!("... ");
mgm_key.set_protected(yubikey).map_err(|e| { mgm_key.set_protected(yubikey).map_err(|e| {
eprintln!("An error occurred while setting the new management key."); eprintln!(
eprintln!("⚠️ SAVE THIS MANAGEMENT KEY - YOU MAY NEED IT TO MANAGE YOUR YubiKey! ⚠️"); "{}",
eprintln!(" {}", hex::encode(mgm_key.as_ref())); fl!(
"mgr-changing-mgmt-key-error",
management_key = hex::encode(mgm_key.as_ref()),
)
);
e e
})?; })?;
eprintln!("Success!"); eprintln!("{}", fl!("mgr-changing-mgmt-key-success"));
} }
Ok(()) Ok(())
} }
/// Returns an iterator of keys that are occupying plugin-compatible slots, along with the
/// corresponding recipient if the key is compatible with this plugin.
pub(crate) fn list_slots(
yubikey: &mut YubiKey,
) -> Result<impl Iterator<Item = (Key, RetiredSlotId, Option<Recipient>)>, Error> {
Ok(Key::list(yubikey)?.into_iter().filter_map(|key| {
// We only use the retired slots.
match key.slot() {
SlotId::Retired(slot) => {
// Only P-256 keys are compatible with us.
let recipient = Recipient::from_certificate(key.certificate());
Some((key, slot, recipient))
}
_ => None,
}
}))
}
/// Returns an iterator of keys that are compatible with this plugin.
pub(crate) fn list_compatible(
yubikey: &mut YubiKey,
) -> Result<impl Iterator<Item = (Key, RetiredSlotId, Recipient)>, Error> {
list_slots(yubikey)
.map(|iter| iter.filter_map(|(key, slot, res)| res.map(|recipient| (key, slot, recipient))))
}
/// A reference to an age key stored in a YubiKey. /// A reference to an age key stored in a YubiKey.
#[derive(Debug)] #[derive(Debug)]
pub struct Stub { pub struct Stub {
pub(crate) serial: Serial, pub(crate) serial: Serial,
pub(crate) slot: RetiredSlotId, pub(crate) slot: RetiredSlotId,
pub(crate) tag: [u8; TAG_BYTES], pub(crate) tag: [u8; TAG_BYTES],
identity_index: usize, pub(crate) identity_index: usize,
} }
impl fmt::Display for Stub { impl fmt::Display for Stub {
@@ -217,6 +369,9 @@ impl Stub {
} }
pub(crate) fn from_bytes(bytes: &[u8], identity_index: usize) -> Option<Self> { pub(crate) fn from_bytes(bytes: &[u8], identity_index: usize) -> Option<Self> {
if bytes.len() < 9 {
return None;
}
let serial = Serial::from(u32::from_le_bytes(bytes[0..4].try_into().unwrap())); let serial = Serial::from(u32::from_le_bytes(bytes[0..4].try_into().unwrap()));
let slot: RetiredSlotId = bytes[4].try_into().ok()?; let slot: RetiredSlotId = bytes[4].try_into().ok()?;
Some(Stub { Some(Stub {
@@ -239,38 +394,92 @@ impl Stub {
self.tag == line.tag self.tag == line.tag
} }
/// Returns:
/// - `Ok(Ok(Some(connection)))` if we successfully connected to this YubiKey.
/// - `Ok(Ok(None))` if the user told us to skip this YubiKey.
/// - `Ok(Err(_))` if we encountered an error while trying to connect to the YubiKey.
/// - `Err(_)` on communication errors with the age client.
pub(crate) fn connect<E>( pub(crate) fn connect<E>(
&self, &self,
callbacks: &mut dyn Callbacks<E>, callbacks: &mut dyn Callbacks<E>,
) -> io::Result<Result<Connection, identity::Error>> { ) -> io::Result<Result<Option<Connection>, identity::Error>> {
let mut yubikey = match YubiKey::open_by_serial(self.serial) { let mut yubikey = match open_by_serial(self.serial) {
Ok(yk) => yk, Ok(yk) => yk,
Err(yubikey::Error::NotFound) => { Err(yubikey::Error::NotFound) => {
if callbacks let mut message = fl!("plugin-insert-yk", yubikey_serial = self.serial.to_string());
.message(&format!(
"Please insert YubiKey with serial {}", // If the `confirm` command is available, we loop until either the YubiKey
self.serial // we want is inserted, or the used explicitly skips.
))? let yubikey = loop {
.is_err() match callbacks.confirm(
{ &message,
&fl!("plugin-yk-is-plugged-in"),
Some(&fl!("plugin-skip-this-yk")),
)? {
// `confirm` command is not available.
Err(age_core::plugin::Error::Unsupported) => break None,
// User told us to skip this key.
Ok(false) => return Ok(Ok(None)),
// User said they plugged it in; try it.
Ok(true) => match open_by_serial(self.serial) {
Ok(yubikey) => break Some(yubikey),
Err(yubikey::Error::NotFound) => (),
Err(_) => {
return Ok(Err(identity::Error::Identity { return Ok(Err(identity::Error::Identity {
index: self.identity_index, index: self.identity_index,
message: format!("Could not find YubiKey with serial {}", self.serial), message: fl!(
"plugin-err-yk-opening",
yubikey_serial = self.serial.to_string(),
),
}));
}
},
// We can't communicate with the user.
Err(age_core::plugin::Error::Fail) => {
return Ok(Err(identity::Error::Identity {
index: self.identity_index,
message: fl!(
"plugin-err-yk-opening",
yubikey_serial = self.serial.to_string(),
),
}))
}
}
// We're going to loop around, meaning that the first attempt failed.
// Change the message to indicate this to the user.
message = fl!(
"plugin-insert-yk-retry",
yubikey_serial = self.serial.to_string(),
);
};
if let Some(yk) = yubikey {
yk
} else {
// `confirm` is not available; fall back to `message` with a timeout.
if callbacks.message(&message)?.is_err() {
return Ok(Err(identity::Error::Identity {
index: self.identity_index,
message: fl!(
"plugin-err-yk-not-found",
yubikey_serial = self.serial.to_string(),
),
})); }));
} }
// Start a 15-second timer waiting for the YubiKey to be inserted // Start a 15-second timer waiting for the YubiKey to be inserted
let start = SystemTime::now(); let start = SystemTime::now();
loop { loop {
match YubiKey::open_by_serial(self.serial) { match open_by_serial(self.serial) {
Ok(yubikey) => break yubikey, Ok(yubikey) => break yubikey,
Err(yubikey::Error::NotFound) => (), Err(yubikey::Error::NotFound) => (),
Err(_) => { Err(_) => {
return Ok(Err(identity::Error::Identity { return Ok(Err(identity::Error::Identity {
index: self.identity_index, index: self.identity_index,
message: format!( message: fl!(
"Could not open YubiKey with serial {}", "plugin-err-yk-opening",
self.serial yubikey_serial = self.serial.to_string(),
), ),
})); }));
} }
@@ -280,9 +489,9 @@ impl Stub {
Ok(end) if end >= FIFTEEN_SECONDS => { Ok(end) if end >= FIFTEEN_SECONDS => {
return Ok(Err(identity::Error::Identity { return Ok(Err(identity::Error::Identity {
index: self.identity_index, index: self.identity_index,
message: format!( message: fl!(
"Timed out while waiting for YubiKey with serial {} to be inserted", "plugin-err-yk-timed-out",
self.serial yubikey_serial = self.serial.to_string(),
), ),
})) }))
} }
@@ -290,10 +499,14 @@ impl Stub {
} }
} }
} }
}
Err(_) => { Err(_) => {
return Ok(Err(identity::Error::Identity { return Ok(Err(identity::Error::Identity {
index: self.identity_index, index: self.identity_index,
message: format!("Could not open YubiKey with serial {}", self.serial), message: fl!(
"plugin-err-yk-opening",
yubikey_serial = self.serial.to_string(),
),
})) }))
} }
}; };
@@ -301,29 +514,30 @@ impl Stub {
// Read the pubkey from the YubiKey slot and check it still matches. // Read the pubkey from the YubiKey slot and check it still matches.
let (cert, pk) = match Certificate::read(&mut yubikey, SlotId::Retired(self.slot)) let (cert, pk) = match Certificate::read(&mut yubikey, SlotId::Retired(self.slot))
.ok() .ok()
.and_then(|cert| match cert.subject_pki() { .and_then(|cert| {
PublicKeyInfo::EcP256(pubkey) => Recipient::from_encoded(pubkey) Recipient::from_certificate(&cert)
.filter(|pk| pk.tag() == self.tag) .filter(|pk| pk.tag() == self.tag)
.map(|pk| (cert, pk)), .map(|pk| (cert, pk))
_ => None,
}) { }) {
Some(pk) => pk, Some(pk) => pk,
None => { None => {
return Ok(Err(identity::Error::Identity { return Ok(Err(identity::Error::Identity {
index: self.identity_index, index: self.identity_index,
message: "A YubiKey stub did not match the YubiKey".to_owned(), message: fl!("plugin-err-yk-stub-mismatch"),
})) }))
} }
}; };
Ok(Ok(Connection { Ok(Ok(Some(Connection {
yubikey, yubikey,
cert, cert,
pk, pk,
slot: self.slot, slot: self.slot,
tag: self.tag, tag: self.tag,
identity_index: self.identity_index, identity_index: self.identity_index,
})) cached_metadata: None,
last_touch: None,
})))
} }
} }
@@ -334,6 +548,8 @@ pub(crate) struct Connection {
slot: RetiredSlotId, slot: RetiredSlotId,
tag: [u8; 4], tag: [u8; 4],
identity_index: usize, identity_index: usize,
cached_metadata: Option<Metadata>,
last_touch: Option<Instant>,
} }
impl Connection { impl Connection {
@@ -346,40 +562,59 @@ impl Connection {
callbacks: &mut dyn Callbacks<E>, callbacks: &mut dyn Callbacks<E>,
) -> io::Result<Result<(), identity::Error>> { ) -> io::Result<Result<(), identity::Error>> {
// Check if we can skip requesting a PIN. // Check if we can skip requesting a PIN.
let (_, cert) = x509_parser::parse_x509_certificate(self.cert.as_ref()).unwrap(); if self.cached_metadata.is_none() {
match Metadata::extract(&mut self.yubikey, self.slot, &cert, true) { self.cached_metadata =
Some(metadata) => { match Metadata::extract(&mut self.yubikey, self.slot, &self.cert, true) {
if let Some(PinPolicy::Never) = metadata.pin_policy {
return Ok(Ok(()));
}
}
None => { None => {
return Ok(Err(identity::Error::Identity { return Ok(Err(identity::Error::Identity {
index: self.identity_index, index: self.identity_index,
message: "Certificate for YubiKey identity contains an invalid PIN policy" message: fl!("plugin-err-yk-invalid-pin-policy"),
.to_string(),
})) }))
} }
metadata => metadata,
};
}
if let Some(PinPolicy::Never) = self.cached_metadata.as_ref().and_then(|m| m.pin_policy) {
return Ok(Ok(()));
} }
// The policy requires a PIN, so request it. // The policy requires a PIN, so request it.
// Note that we can't distinguish between PinPolicy::Once and PinPolicy::Always // Note that we can't distinguish between PinPolicy::Once and PinPolicy::Always
// because this plugin is ephemeral, so we always request the PIN. // because this plugin is ephemeral, so we always request the PIN.
let pin = match callbacks.request_secret(&format!( let enter_pin_msg = fl!(
"Enter PIN for YubiKey with serial {}", "plugin-enter-pin",
self.yubikey.serial() yubikey_serial = self.yubikey.serial().to_string(),
))? { );
Ok(pin) => pin, let mut message = enter_pin_msg.clone();
let pin = loop {
message = match callbacks.request_secret(&message)? {
Ok(pin) => match pin.expose_secret().len() {
// A PIN must be between 6 and 8 characters.
6..=8 => break pin,
// If the string is 44 bytes and starts with the YubiKey's serial
// encoded as 12-byte modhex, the user probably touched the YubiKey
// early and "typed" an OTP.
44 if pin
.expose_secret()
.starts_with(&otp_serial_prefix(self.yubikey.serial())) =>
{
format!("{} {}", fl!("plugin-err-accidental-touch"), enter_pin_msg)
}
// Otherwise, the PIN is either too short or too long.
0..=5 => format!("{} {}", fl!("plugin-err-pin-too-short"), enter_pin_msg),
_ => format!("{} {}", fl!("plugin-err-pin-too-long"), enter_pin_msg),
},
Err(_) => { Err(_) => {
return Ok(Err(identity::Error::Identity { return Ok(Err(identity::Error::Identity {
index: self.identity_index, index: self.identity_index,
message: format!( message: fl!(
"A PIN is required for YubiKey with serial {}", "plugin-err-pin-required",
self.yubikey.serial() yubikey_serial = self.yubikey.serial().to_string(),
), ),
})) }))
} }
}; };
};
if let Err(e) = self.yubikey.verify_pin(pin.expose_secret().as_bytes()) { if let Err(e) = self.yubikey.verify_pin(pin.expose_secret().as_bytes()) {
return Ok(Err(identity::Error::Identity { return Ok(Err(identity::Error::Identity {
index: self.identity_index, index: self.identity_index,
@@ -392,6 +627,16 @@ impl Connection {
pub(crate) fn unwrap_file_key(&mut self, line: &RecipientLine) -> Result<FileKey, ()> { pub(crate) fn unwrap_file_key(&mut self, line: &RecipientLine) -> Result<FileKey, ()> {
assert_eq!(self.tag, line.tag); assert_eq!(self.tag, line.tag);
// Check if the touch policy requires a touch.
let needs_touch = match (
self.cached_metadata.as_ref().and_then(|m| m.touch_policy),
self.last_touch,
) {
(Some(TouchPolicy::Always), _) | (Some(TouchPolicy::Cached), None) => true,
(Some(TouchPolicy::Cached), Some(last)) if last.elapsed() >= FIFTEEN_SECONDS => true,
_ => false,
};
// The YubiKey API for performing scalar multiplication takes the point in its // The YubiKey API for performing scalar multiplication takes the point in its
// uncompressed SEC-1 encoding. // uncompressed SEC-1 encoding.
let shared_secret = match decrypt_data( let shared_secret = match decrypt_data(
@@ -404,6 +649,15 @@ impl Connection {
Err(_) => return Err(()), Err(_) => return Err(()),
}; };
// If we requested a touch and reached here, the user touched the YubiKey.
if needs_touch {
if let Some(TouchPolicy::Cached) =
self.cached_metadata.as_ref().and_then(|m| m.touch_policy)
{
self.last_touch = Some(Instant::now());
}
}
let mut salt = vec![]; let mut salt = vec![];
salt.extend_from_slice(line.epk_bytes.as_bytes()); salt.extend_from_slice(line.epk_bytes.as_bytes());
salt.extend_from_slice(self.pk.to_encoded().as_bytes()); salt.extend_from_slice(self.pk.to_encoded().as_bytes());
@@ -437,6 +691,8 @@ mod tests {
}; };
let encoded = stub.to_bytes(); let encoded = stub.to_bytes();
assert_eq!(Stub::from_bytes(&[], 0), None);
assert_eq!(Stub::from_bytes(&encoded, 0), Some(stub)); assert_eq!(Stub::from_bytes(&encoded, 0), Some(stub));
assert_eq!(Stub::from_bytes(&encoded[..encoded.len() - 1], 0), None);
} }
} }
+133 -134
View File
@@ -1,16 +1,18 @@
use std::convert::{TryFrom, TryInto}; #![forbid(unsafe_code)]
use std::fs::{File, OpenOptions}; use std::fs::{File, OpenOptions};
use std::io::{self, Write}; use std::io::{self, Write};
use age_plugin::run_state_machine; use age_plugin::run_state_machine;
use dialoguer::{Confirm, Input, Select}; use dialoguer::{Confirm, Input, Select};
use gumdrop::Options; use gumdrop::Options;
use yubikey::{ use i18n_embed::{
certificate::PublicKeyInfo, fluent::{fluent_language_loader, FluentLanguageLoader},
piv::{RetiredSlotId, SlotId}, DesktopLanguageRequester,
reader::Context,
Key, PinPolicy, Serial, TouchPolicy,
}; };
use lazy_static::lazy_static;
use rust_embed::RustEmbed;
use yubikey::{piv::RetiredSlotId, reader::Context, PinPolicy, Serial, TouchPolicy};
mod builder; mod builder;
mod error; mod error;
@@ -51,6 +53,26 @@ const USABLE_SLOTS: [RetiredSlotId; 20] = [
RetiredSlotId::R20, RetiredSlotId::R20,
]; ];
#[derive(RustEmbed)]
#[folder = "i18n"]
struct Translations;
const TRANSLATIONS: Translations = Translations {};
lazy_static! {
static ref LANGUAGE_LOADER: FluentLanguageLoader = fluent_language_loader!();
}
#[macro_export]
macro_rules! fl {
($message_id:literal) => {{
i18n_embed_fl::fl!($crate::LANGUAGE_LOADER, $message_id)
}};
($message_id:literal, $($kwarg:expr),* $(,)*) => {{
i18n_embed_fl::fl!($crate::LANGUAGE_LOADER, $message_id, $($kwarg,)*)
}};
}
#[derive(Debug, Options)] #[derive(Debug, Options)]
struct PluginOptions { struct PluginOptions {
#[options(help = "Print this help message and exit.")] #[options(help = "Print this help message and exit.")]
@@ -169,26 +191,12 @@ fn print_single(
) -> Result<(), Error> { ) -> Result<(), Error> {
let mut yubikey = key::open(serial)?; let mut yubikey = key::open(serial)?;
let mut keys = Key::list(&mut yubikey)?.into_iter().filter_map(|key| { let (key, slot, recipient) = key::list_compatible(&mut yubikey)?
// - We only use the retired slots.
// - Only P-256 keys are compatible with us.
match (key.slot(), key.certificate().subject_pki()) {
(SlotId::Retired(slot), PublicKeyInfo::EcP256(pubkey)) => {
p256::Recipient::from_encoded(pubkey).map(|r| (key, slot, r))
}
_ => None,
}
});
let (key, slot, recipient) = keys
.find(|(_, s, _)| s == &slot) .find(|(_, s, _)| s == &slot)
.ok_or(Error::SlotHasNoIdentity(slot))?; .ok_or(Error::SlotHasNoIdentity(slot))?;
let stub = key::Stub::new(yubikey.serial(), slot, &recipient); let stub = key::Stub::new(yubikey.serial(), slot, &recipient);
let metadata = x509_parser::parse_x509_certificate(key.certificate().as_ref()) let metadata = util::Metadata::extract(&mut yubikey, slot, key.certificate(), true).unwrap();
.ok()
.and_then(|(_, cert)| util::Metadata::extract(&mut yubikey, slot, &cert, true))
.unwrap();
printer(stub, recipient, metadata); printer(stub, recipient, metadata);
@@ -205,33 +213,16 @@ fn print_multiple(
let mut printed = 0; let mut printed = 0;
for reader in readers.iter()?.filter(key::filter_connected) { for reader in readers.iter()?.filter(key::filter_connected) {
let mut yubikey = reader.open()?; let mut yubikey = key::open_connection(&reader)?;
if let Some(serial) = serial { if let Some(serial) = serial {
if yubikey.serial() != serial { if yubikey.serial() != serial {
continue; continue;
} }
} }
for key in Key::list(&mut yubikey)? { for (key, slot, recipient) in key::list_compatible(&mut yubikey)? {
// We only use the retired slots.
let slot = match key.slot() {
SlotId::Retired(slot) => slot,
_ => continue,
};
// Only P-256 keys are compatible with us.
let recipient = match key.certificate().subject_pki() {
PublicKeyInfo::EcP256(pubkey) => match p256::Recipient::from_encoded(pubkey) {
Some(recipient) => recipient,
None => continue,
},
_ => continue,
};
let stub = key::Stub::new(yubikey.serial(), slot, &recipient); let stub = key::Stub::new(yubikey.serial(), slot, &recipient);
let metadata = match x509_parser::parse_x509_certificate(key.certificate().as_ref()) let metadata = match util::Metadata::extract(&mut yubikey, slot, key.certificate(), all)
.ok()
.and_then(|(_, cert)| util::Metadata::extract(&mut yubikey, slot, &cert, all))
{ {
Some(res) => res, Some(res) => res,
None => continue, None => continue,
@@ -244,10 +235,7 @@ fn print_multiple(
println!(); println!();
} }
if printed > 1 { if printed > 1 {
eprintln!( eprintln!("{}", fl!("printed-multiple", kind = kind, count = printed));
"Generated {} for {} slots. If you intended to select a slot, use --slot.",
kind, printed,
);
} }
Ok(()) Ok(())
@@ -273,7 +261,12 @@ fn identity(flags: PluginFlags) -> Result<(), Error> {
"--identity".into(), "--identity".into(),
)); ));
} }
print_details("identities", flags, false, util::print_identity) print_details(
&fl!("printed-kind-identities"),
flags,
false,
util::print_identity,
)
} }
fn list(flags: PluginFlags, all: bool) -> Result<(), Error> { fn list(flags: PluginFlags, all: bool) -> Result<(), Error> {
@@ -287,10 +280,15 @@ fn list(flags: PluginFlags, all: bool) -> Result<(), Error> {
)); ));
} }
print_details("recipients", flags, all, |_, recipient, metadata| { print_details(
&fl!("printed-kind-recipients"),
flags,
all,
|_, recipient, metadata| {
println!("{}", metadata); println!("{}", metadata);
println!("{}", recipient.to_string()); println!("{}", recipient.to_string());
}) },
)
} }
fn main() -> Result<(), Error> { fn main() -> Result<(), Error> {
@@ -300,6 +298,12 @@ fn main() -> Result<(), Error> {
.parse_default_env() .parse_default_env()
.init(); .init();
let requested_languages = DesktopLanguageRequester::requested_languages();
i18n_embed::select(&*LANGUAGE_LOADER, &TRANSLATIONS, &requested_languages).unwrap();
// Unfortunately the common Windows terminals don't support Unicode Directionality
// Isolation Marks, so we disable them for now.
LANGUAGE_LOADER.set_use_isolating(false);
let opts = PluginOptions::parse_args_default_or_exit(); let opts = PluginOptions::parse_args_default_or_exit();
if [opts.generate, opts.identity, opts.list, opts.list_all] if [opts.generate, opts.identity, opts.list, opts.list_all]
@@ -335,23 +339,17 @@ fn main() -> Result<(), Error> {
} }
let flags: PluginFlags = opts.try_into()?; let flags: PluginFlags = opts.try_into()?;
eprintln!("✨ Let's get your YubiKey set up for age! ✨"); eprintln!(
eprintln!(); "{}",
eprintln!("This tool can create a new age identity in a free slot of your YubiKey."); fl!(
eprintln!("It will generate an identity file that you can use with an age client,"); "cli-setup-intro",
eprintln!("along with the corresponding recipient. You can also do this directly"); generate_usage = "age-plugin-yubikey --generate",
eprintln!("with:"); )
eprintln!(" age-plugin-yubikey --generate"); );
eprintln!();
eprintln!("If you are already using a YubiKey with age, you can select an existing");
eprintln!("slot to recreate its corresponding identity file and recipient.");
eprintln!();
eprintln!("When asked below to select an option, use the up/down arrow keys to");
eprintln!("make your choice, or press [Esc] or [q] to quit.");
eprintln!(); eprintln!();
if !Context::open()?.iter()?.any(key::is_connected) { if !Context::open()?.iter()?.any(key::is_connected) {
eprintln!("⏳ Please insert the YubiKey you want to set up."); eprintln!("{}", fl!("cli-setup-insert-yk"));
}; };
let mut readers = key::wait_for_readers()?; let mut readers = key::wait_for_readers()?;
@@ -361,13 +359,17 @@ fn main() -> Result<(), Error> {
let reader_names = readers_list let reader_names = readers_list
.iter() .iter()
.map(|reader| { .map(|reader| {
reader key::open_connection(reader).map(|yk| {
.open() fl!(
.map(|yk| format!("{} (Serial: {})", reader.name(), yk.serial())) "cli-setup-yk-name",
yubikey_name = reader.name(),
yubikey_serial = yk.serial().to_string(),
)
})
}) })
.collect::<Result<Vec<_>, _>>()?; .collect::<Result<Vec<_>, _>>()?;
let mut yubikey = match Select::new() let mut yubikey = match Select::new()
.with_prompt("🔑 Select a YubiKey") .with_prompt(fl!("cli-setup-select-yk"))
.items(&reader_names) .items(&reader_names)
.default(0) .default(0)
.interact_opt()? .interact_opt()?
@@ -376,17 +378,16 @@ fn main() -> Result<(), Error> {
None => return Ok(()), None => return Ok(()),
}; };
let keys = Key::list(&mut yubikey)?; let keys = key::list_slots(&mut yubikey)?.collect::<Vec<_>>();
// Identify slots that we can't allow the user to select. // Identify slots that we can't allow the user to select.
let slot_details: Vec<_> = USABLE_SLOTS let slot_details: Vec<_> = USABLE_SLOTS
.iter() .iter()
.map(|&slot| { .map(|&slot| {
keys.iter() keys.iter()
.find(|key| key.slot() == SlotId::Retired(slot)) .find(|(_, s, _)| s == &slot)
.map(|key| match key.certificate().subject_pki() { .map(|(key, _, recipient)| {
PublicKeyInfo::EcP256(pubkey) => { recipient.as_ref().map(|_| {
p256::Recipient::from_encoded(pubkey).map(|_| {
// Cache the details we need to display to the user. // Cache the details we need to display to the user.
let (_, cert) = let (_, cert) =
x509_parser::parse_x509_certificate(key.certificate().as_ref()) x509_parser::parse_x509_certificate(key.certificate().as_ref())
@@ -396,8 +397,6 @@ fn main() -> Result<(), Error> {
format!("{}, created: {}", name, created) format!("{}, created: {}", name, created)
}) })
}
_ => None,
}) })
}) })
.collect(); .collect();
@@ -410,9 +409,13 @@ fn main() -> Result<(), Error> {
let i = i + 1; let i = i + 1;
match occupied { match occupied {
Some(Some(name)) => format!("Slot {} ({})", i, name), Some(Some(name)) => fl!(
Some(None) => format!("Slot {} (Unusable)", i), "cli-setup-slot-usable",
None => format!("Slot {} (Empty)", i), slot_index = i,
slot_name = name.as_str(),
),
Some(None) => fl!("cli-setup-slot-unusable", slot_index = i),
None => fl!("cli-setup-slot-empty", slot_index = i),
} }
}) })
.collect(); .collect();
@@ -420,7 +423,7 @@ fn main() -> Result<(), Error> {
let ((stub, recipient, metadata), is_new) = { let ((stub, recipient, metadata), is_new) = {
let (slot_index, slot) = loop { let (slot_index, slot) = loop {
match Select::new() match Select::new()
.with_prompt("🕳️ Select a slot for your age identity") .with_prompt(fl!("cli-setup-select-slot"))
.items(&slots) .items(&slots)
.default(0) .default(0)
.interact_opt()? .interact_opt()?
@@ -435,23 +438,17 @@ fn main() -> Result<(), Error> {
} }
}; };
if let Some(key) = keys.iter().find(|key| key.slot() == SlotId::Retired(slot)) { if let Some((key, _, recipient)) = keys.into_iter().find(|(_, s, _)| s == &slot) {
let recipient = match key.certificate().subject_pki() { let recipient = recipient.expect("We checked this above");
PublicKeyInfo::EcP256(pubkey) => {
p256::Recipient::from_encoded(pubkey).expect("We checked this above")
}
_ => unreachable!(),
};
if Confirm::new() if Confirm::new()
.with_prompt(&format!("Use existing identity in slot {}?", slot_index)) .with_prompt(fl!("cli-setup-use-existing", slot_index = slot_index))
.interact()? .interact()?
{ {
let stub = key::Stub::new(yubikey.serial(), slot, &recipient); let stub = key::Stub::new(yubikey.serial(), slot, &recipient);
let (_, cert) =
x509_parser::parse_x509_certificate(key.certificate().as_ref()).unwrap();
let metadata = let metadata =
util::Metadata::extract(&mut yubikey, slot, &cert, true).unwrap(); util::Metadata::extract(&mut yubikey, slot, key.certificate(), true)
.unwrap();
((stub, recipient, metadata), false) ((stub, recipient, metadata), false)
} else { } else {
@@ -460,18 +457,19 @@ fn main() -> Result<(), Error> {
} else { } else {
let name = Input::<String>::new() let name = Input::<String>::new()
.with_prompt(format!( .with_prompt(format!(
"📛 Name this identity [{}]", "{} [{}]",
fl!("cli-setup-name-identity"),
flags.name.as_deref().unwrap_or("age identity TAG_HEX") flags.name.as_deref().unwrap_or("age identity TAG_HEX")
)) ))
.allow_empty(true) .allow_empty(true)
.interact_text()?; .interact_text()?;
let pin_policy = match Select::new() let pin_policy = match Select::new()
.with_prompt("🔤 Select a PIN policy") .with_prompt(fl!("cli-setup-select-pin-policy"))
.items(&[ .items(&[
"Always (A PIN is required for every decryption, if set)", fl!("pin-policy-always"),
"Once (A PIN is required once per session, if set)", fl!("pin-policy-once"),
"Never (A PIN is NOT required to decrypt)", fl!("pin-policy-never"),
]) ])
.default( .default(
[PinPolicy::Always, PinPolicy::Once, PinPolicy::Never] [PinPolicy::Always, PinPolicy::Once, PinPolicy::Never]
@@ -491,17 +489,18 @@ fn main() -> Result<(), Error> {
}; };
let touch_policy = match Select::new() let touch_policy = match Select::new()
.with_prompt("👆 Select a touch policy") .with_prompt(fl!("cli-setup-select-touch-policy"))
.items(&[ .items(&[
"Always (A physical touch is required for every decryption)", fl!("touch-policy-always"),
"Cached (A physical touch is required for decryption, and is cached for 15 seconds)", fl!("touch-policy-cached"),
"Never (A physical touch is NOT required to decrypt)", fl!("touch-policy-never"),
]) ])
.default( .default(
[TouchPolicy::Always, TouchPolicy::Cached, TouchPolicy::Never] [TouchPolicy::Always, TouchPolicy::Cached, TouchPolicy::Never]
.iter() .iter()
.position(|p| p == &flags .position(|p| {
.touch_policy.unwrap_or(builder::DEFAULT_TOUCH_POLICY)) p == &flags.touch_policy.unwrap_or(builder::DEFAULT_TOUCH_POLICY)
})
.unwrap(), .unwrap(),
) )
.interact_opt()? .interact_opt()?
@@ -514,7 +513,7 @@ fn main() -> Result<(), Error> {
}; };
if Confirm::new() if Confirm::new()
.with_prompt(&format!("Generate new identity in slot {}?", slot_index)) .with_prompt(fl!("cli-setup-generate-new", slot_index = slot_index))
.interact()? .interact()?
{ {
eprintln!(); eprintln!();
@@ -537,7 +536,7 @@ fn main() -> Result<(), Error> {
eprintln!(); eprintln!();
let file_name = Input::<String>::new() let file_name = Input::<String>::new()
.with_prompt("📝 File name to write this identity to") .with_prompt(fl!("cli-setup-identity-file-name"))
.default(format!( .default(format!(
"age-yubikey-identity-{}.txt", "age-yubikey-identity-{}.txt",
hex::encode(stub.tag) hex::encode(stub.tag)
@@ -552,7 +551,7 @@ fn main() -> Result<(), Error> {
Ok(file) => file, Ok(file) => file,
Err(e) if e.kind() == io::ErrorKind::AlreadyExists => { Err(e) if e.kind() == io::ErrorKind::AlreadyExists => {
if Confirm::new() if Confirm::new()
.with_prompt("File exists. Overwrite it?") .with_prompt(fl!("cli-setup-identity-file-exists"))
.interact()? .interact()?
{ {
File::create(&file_name)? File::create(&file_name)?
@@ -563,54 +562,54 @@ fn main() -> Result<(), Error> {
Err(e) => return Err(e.into()), Err(e) => return Err(e.into()),
}; };
writeln!(file, "{}", metadata)?; writeln!(
writeln!(file, "# Recipient: {}", recipient)?; file,
writeln!(file, "{}", stub.to_string())?; "{}",
fl!(
"yubikey-identity",
yubikey_metadata = metadata.to_string(),
recipient = recipient.to_string(),
identity = stub.to_string(),
)
)?;
file.sync_data()?; file.sync_data()?;
// If `rage` binary is installed, use it in examples. Otherwise default to `age`. // If `rage` binary is installed, use it in examples. Otherwise default to `age`.
let age_binary = which::which("rage").map(|_| "rage").unwrap_or("age"); let age_binary = which::which("rage").map(|_| "rage").unwrap_or("age");
eprintln!(); let encrypt_usage = format!(
eprintln!("✅ Done! This YubiKey identity is ready to go."); "$ cat foo.txt | {} -r {} -o foo.txt.age",
eprintln!();
if is_new {
eprintln!("🔑 Here's your shiny new YubiKey recipient:");
} else {
eprintln!("🔑 Here's the corresponding YubiKey recipient:");
}
eprintln!(" {}", recipient);
eprintln!();
eprintln!("Here are some example things you can do with it:");
eprintln!();
eprintln!("- Encrypt a file to this identity:");
eprintln!(
" $ cat foo.txt | {} -r {} -o foo.txt.age",
age_binary, recipient age_binary, recipient
); );
eprintln!(); let decrypt_usage = format!(
eprintln!("- Decrypt a file with this identity:"); "$ cat foo.txt.age | {} -d -i {} > foo.txt",
eprintln!(
" $ cat foo.txt.age | {} -d -i {} > foo.txt",
age_binary, file_name age_binary, file_name
); );
eprintln!(); let identity_usage = format!(
eprintln!("- Recreate the identity file:"); "$ age-plugin-yubikey -i --serial {} --slot {} > {}",
eprintln!(
" $ age-plugin-yubikey -i --serial {} --slot {} > {}",
stub.serial, stub.serial,
util::slot_to_ui(&stub.slot), util::slot_to_ui(&stub.slot),
file_name, file_name,
); );
eprintln!(); let recipient_usage = format!(
eprintln!("- Recreate the recipient:"); "$ age-plugin-yubikey -l --serial {} --slot {}",
eprintln!(
" $ age-plugin-yubikey -l --serial {} --slot {}",
stub.serial, stub.serial,
util::slot_to_ui(&stub.slot), util::slot_to_ui(&stub.slot),
); );
eprintln!(); eprintln!();
eprintln!("💭 Remember: everything breaks, have a backup plan for when this YubiKey does."); eprintln!(
"{}",
fl!(
"cli-setup-finished",
is_new = if is_new { "true" } else { "false" },
recipient = recipient.to_string(),
encrypt_usage = encrypt_usage,
decrypt_usage = decrypt_usage,
identity_usage = identity_usage,
recipient_usage = recipient_usage,
)
);
Ok(()) Ok(())
} }
+14 -2
View File
@@ -1,7 +1,8 @@
use bech32::{ToBase32, Variant}; use bech32::{ToBase32, Variant};
use p256::elliptic_curve::sec1::{FromEncodedPoint, ToEncodedPoint}; use p256::elliptic_curve::sec1::{FromEncodedPoint, ToEncodedPoint};
use sha2::{Digest, Sha256}; use sha2::{Digest, Sha256};
use std::convert::TryInto; use yubikey::{certificate::PublicKeyInfo, Certificate};
use std::fmt; use std::fmt;
use crate::RECIPIENT_PREFIX; use crate::RECIPIENT_PREFIX;
@@ -43,11 +44,22 @@ impl Recipient {
} }
} }
pub(crate) fn from_certificate(cert: &Certificate) -> Option<Self> {
Self::from_spki(cert.subject_pki())
}
pub(crate) fn from_spki(spki: &PublicKeyInfo) -> Option<Self> {
match spki {
PublicKeyInfo::EcP256(pubkey) => Self::from_encoded(pubkey),
_ => None,
}
}
/// Attempts to parse a valid YubiKey recipient from its SEC-1 encoding. /// Attempts to parse a valid YubiKey recipient from its SEC-1 encoding.
/// ///
/// This accepts both compressed (as used by the plugin) and uncompressed (as used in /// This accepts both compressed (as used by the plugin) and uncompressed (as used in
/// the YubiKey certificate) encodings. /// the YubiKey certificate) encodings.
pub(crate) fn from_encoded(encoded: &p256::EncodedPoint) -> Option<Self> { fn from_encoded(encoded: &p256::EncodedPoint) -> Option<Self> {
p256::PublicKey::from_encoded_point(encoded).map(Recipient) p256::PublicKey::from_encoded_point(encoded).map(Recipient)
} }
+19 -8
View File
@@ -7,7 +7,7 @@ use age_plugin::{
use std::collections::HashMap; use std::collections::HashMap;
use std::io; use std::io;
use crate::{format, key, p256::Recipient, PLUGIN_NAME}; use crate::{fl, format, key, p256::Recipient, PLUGIN_NAME};
#[derive(Debug, Default)] #[derive(Debug, Default)]
pub(crate) struct RecipientPlugin { pub(crate) struct RecipientPlugin {
@@ -32,7 +32,7 @@ impl RecipientPluginV1 for RecipientPlugin {
} else { } else {
Err(recipient::Error::Recipient { Err(recipient::Error::Recipient {
index, index,
message: "Invalid recipient".to_owned(), message: fl!("plugin-err-invalid-recipient"),
}) })
} }
} }
@@ -53,7 +53,7 @@ impl RecipientPluginV1 for RecipientPlugin {
} else { } else {
Err(recipient::Error::Identity { Err(recipient::Error::Identity {
index, index,
message: "Invalid Yubikey stub".to_owned(), message: fl!("plugin-err-invalid-identity"),
}) })
} }
} }
@@ -68,7 +68,14 @@ impl RecipientPluginV1 for RecipientPlugin {
let mut yk_errors = vec![]; let mut yk_errors = vec![];
for stub in &self.yubikeys { for stub in &self.yubikeys {
match stub.connect(&mut callbacks)? { match stub.connect(&mut callbacks)? {
Ok(conn) => yk_recipients.push(conn.recipient().clone()), Ok(Some(conn)) => yk_recipients.push(conn.recipient().clone()),
Ok(None) => yk_errors.push(recipient::Error::Identity {
index: stub.identity_index,
message: fl!(
"plugin-err-yk-opening",
yubikey_serial = stub.serial.to_string(),
),
}),
Err(e) => yk_errors.push(match e { Err(e) => yk_errors.push(match e {
identity::Error::Identity { index, message } => { identity::Error::Identity { index, message } => {
recipient::Error::Identity { index, message } recipient::Error::Identity { index, message }
@@ -120,7 +127,7 @@ impl IdentityPluginV1 for IdentityPlugin {
} else { } else {
Err(identity::Error::Identity { Err(identity::Error::Identity {
index, index,
message: "Invalid Yubikey stub".to_owned(), message: fl!("plugin-err-invalid-identity"),
}) })
} }
} }
@@ -146,7 +153,7 @@ impl IdentityPluginV1 for IdentityPlugin {
res.map_err(|_| identity::Error::Stanza { res.map_err(|_| identity::Error::Stanza {
file_index: file, file_index: file,
stanza_index, stanza_index,
message: "Invalid yubikey stanza".to_owned(), message: fl!("plugin-err-invalid-stanza"),
}) })
}), }),
file_keys.contains_key(&file), file_keys.contains_key(&file),
@@ -203,7 +210,11 @@ impl IdentityPluginV1 for IdentityPlugin {
for (stub, files) in candidate_stanzas.iter() { for (stub, files) in candidate_stanzas.iter() {
let mut conn = match stub.connect(&mut callbacks)? { let mut conn = match stub.connect(&mut callbacks)? {
Ok(conn) => conn, // The user skipped this YubiKey.
Ok(None) => continue,
// We connected to this YubiKey.
Ok(Some(conn)) => conn,
// We failed to connect to this YubiKey.
Err(e) => { Err(e) => {
callbacks.error(e)?.unwrap(); callbacks.error(e)?.unwrap();
continue; continue;
@@ -232,7 +243,7 @@ impl IdentityPluginV1 for IdentityPlugin {
.error(identity::Error::Stanza { .error(identity::Error::Stanza {
file_index, file_index,
stanza_index, stanza_index,
message: "Failed to decrypt YubiKey stanza".to_owned(), message: fl!("plugin-err-decryption-failed"),
})? })?
.unwrap(), .unwrap(),
} }
+49 -32
View File
@@ -1,11 +1,13 @@
use std::fmt; use std::fmt;
use std::iter;
use x509_parser::{certificate::X509Certificate, der_parser::oid::Oid}; use x509_parser::{certificate::X509Certificate, der_parser::oid::Oid};
use yubikey::{ use yubikey::{
piv::{RetiredSlotId, SlotId}, piv::{RetiredSlotId, SlotId},
PinPolicy, Serial, TouchPolicy, YubiKey, Certificate, PinPolicy, Serial, TouchPolicy, YubiKey,
}; };
use crate::fl;
use crate::{error::Error, key::Stub, p256::Recipient, BINARY_NAME, USABLE_SLOTS}; use crate::{error::Error, key::Stub, p256::Recipient, BINARY_NAME, USABLE_SLOTS};
pub(crate) const POLICY_EXTENSION_OID: &[u64] = &[1, 3, 6, 1, 4, 1, 41482, 3, 8]; pub(crate) const POLICY_EXTENSION_OID: &[u64] = &[1, 3, 6, 1, 4, 1, 41482, 3, 8];
@@ -41,26 +43,33 @@ pub(crate) fn touch_policy_from_string(s: String) -> Result<TouchPolicy, Error>
} }
} }
pub(crate) fn pin_policy_to_str(policy: Option<PinPolicy>) -> &'static str { pub(crate) fn pin_policy_to_str(policy: Option<PinPolicy>) -> String {
match policy { match policy {
Some(PinPolicy::Always) => "Always (A PIN is required for every decryption, if set)", Some(PinPolicy::Always) => fl!("pin-policy-always"),
Some(PinPolicy::Once) => "Once (A PIN is required once per session, if set)", Some(PinPolicy::Once) => fl!("pin-policy-once"),
Some(PinPolicy::Never) => "Never (A PIN is NOT required to decrypt)", Some(PinPolicy::Never) => fl!("pin-policy-never"),
_ => "Unknown", _ => fl!("unknown-policy"),
} }
} }
pub(crate) fn touch_policy_to_str(policy: Option<TouchPolicy>) -> &'static str { pub(crate) fn touch_policy_to_str(policy: Option<TouchPolicy>) -> String {
match policy { match policy {
Some(TouchPolicy::Always) => "Always (A physical touch is required for every decryption)", Some(TouchPolicy::Always) => fl!("touch-policy-always"),
Some(TouchPolicy::Cached) => { Some(TouchPolicy::Cached) => fl!("touch-policy-cached"),
"Cached (A physical touch is required for decryption, and is cached for 15 seconds)" Some(TouchPolicy::Never) => fl!("touch-policy-never"),
} _ => fl!("unknown-policy"),
Some(TouchPolicy::Never) => "Never (A physical touch is NOT required to decrypt)",
_ => "Unknown",
} }
} }
const MODHEX: &str = "cbdefghijklnrtuv";
pub(crate) fn otp_serial_prefix(serial: Serial) -> String {
iter::repeat(0)
.take(4)
.chain((0..8).rev().map(|i| (serial.0 >> (4 * i)) & 0x0f))
.map(|i| MODHEX.char_indices().nth(i as usize).unwrap().1)
.collect()
}
pub(crate) fn extract_name(cert: &X509Certificate, all: bool) -> Option<(String, bool)> { pub(crate) fn extract_name(cert: &X509Certificate, all: bool) -> Option<(String, bool)> {
// Look at Subject Organization to determine if we created this. // Look at Subject Organization to determine if we created this.
match cert.subject().iter_organization().next() { match cert.subject().iter_organization().next() {
@@ -96,16 +105,18 @@ pub(crate) struct Metadata {
name: String, name: String,
created: String, created: String,
pub(crate) pin_policy: Option<PinPolicy>, pub(crate) pin_policy: Option<PinPolicy>,
touch_policy: Option<TouchPolicy>, pub(crate) touch_policy: Option<TouchPolicy>,
} }
impl Metadata { impl Metadata {
pub(crate) fn extract( pub(crate) fn extract(
yubikey: &mut YubiKey, yubikey: &mut YubiKey,
slot: RetiredSlotId, slot: RetiredSlotId,
cert: &X509Certificate, cert: &Certificate,
all: bool, all: bool,
) -> Option<Self> { ) -> Option<Self> {
let (_, cert) = x509_parser::parse_x509_certificate(cert.as_ref()).ok()?;
// We store the PIN and touch policies for identities in their certificates // We store the PIN and touch policies for identities in their certificates
// using the same certificate extension as PIV attestations. // using the same certificate extension as PIV attestations.
// https://developers.yubico.com/PIV/Introduction/PIV_attestation.html // https://developers.yubico.com/PIV/Introduction/PIV_attestation.html
@@ -134,10 +145,10 @@ impl Metadata {
.unwrap_or((None, None)) .unwrap_or((None, None))
}; };
extract_name(cert, all) extract_name(&cert, all)
.map(|(name, ours)| { .map(|(name, ours)| {
if ours { if ours {
let (pin_policy, touch_policy) = policies(cert); let (pin_policy, touch_policy) = policies(&cert);
(name, pin_policy, touch_policy) (name, pin_policy, touch_policy)
} else { } else {
// We can extract the PIN and touch policies via an attestation. This // We can extract the PIN and touch policies via an attestation. This
@@ -168,19 +179,18 @@ impl Metadata {
impl fmt::Display for Metadata { impl fmt::Display for Metadata {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
writeln!(
f,
"# Serial: {}, Slot: {}",
self.serial,
slot_to_ui(&self.slot)
)?;
writeln!(f, "# Name: {}", self.name)?;
writeln!(f, "# Created: {}", self.created)?;
writeln!(f, "# PIN policy: {}", pin_policy_to_str(self.pin_policy))?;
write!( write!(
f, f,
"# Touch policy: {}", "{}",
touch_policy_to_str(self.touch_policy) fl!(
"yubikey-metadata",
serial = self.serial.to_string(),
slot = slot_to_ui(&self.slot),
name = self.name.as_str(),
created = self.created.as_str(),
pin_policy = pin_policy_to_str(self.pin_policy),
touch_policy = touch_policy_to_str(self.touch_policy),
)
) )
} }
} }
@@ -188,10 +198,17 @@ impl fmt::Display for Metadata {
pub(crate) fn print_identity(stub: Stub, recipient: Recipient, metadata: Metadata) { pub(crate) fn print_identity(stub: Stub, recipient: Recipient, metadata: Metadata) {
let recipient = recipient.to_string(); let recipient = recipient.to_string();
if !console::user_attended() { if !console::user_attended() {
eprintln!("Recipient: {}", recipient); let recipient = recipient.as_str();
eprintln!("{}", fl!("print-recipient", recipient = recipient));
} }
println!("{}", metadata); println!(
println!("# Recipient: {}", recipient); "{}",
println!("{}", stub.to_string()); fl!(
"yubikey-identity",
yubikey_metadata = metadata.to_string(),
recipient = recipient,
identity = stub.to_string(),
)
);
} }