Compare commits
102 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 23a1f61e5a | |||
| eb945b2849 | |||
| bf081835c4 | |||
| 9503f406ae | |||
| e77f00ff48 | |||
| 3d8a5e9076 | |||
| 00db2d1948 | |||
| d7111594a7 | |||
| 20b84b9d4e | |||
| 1182f472dd | |||
| 62f237f859 | |||
| 22fd00bd22 | |||
| b6030ec4bd | |||
| 9730e3da74 | |||
| 95657fd844 | |||
| a7bfeb9c3f | |||
| ac04615219 | |||
| cddb00ab95 | |||
| 7c532639d4 | |||
| d2a856dd48 | |||
| d5395ea4e5 | |||
| 0d0f64ff1b | |||
| edf4c5a45d | |||
| ae39e136de | |||
| defc1c1131 | |||
| af71a17f51 | |||
| 02a81adfeb | |||
| 956d3bf28a | |||
| d9c5abaa15 | |||
| c5ca61a37c | |||
| e86cd8113c | |||
| e037c1c883 | |||
| 051cace1fd | |||
| 4e053b5efc | |||
| 762adfe098 | |||
| 70c109aa1d | |||
| 355ce1cfde | |||
| 3408998283 | |||
| bf437663af | |||
| 665aedbbba | |||
| 307f5396a8 | |||
| cd03e7bda3 | |||
| 54ad666c73 | |||
| d2132b4ac2 | |||
| 80e8072624 | |||
| ff3e8e37c9 | |||
| a5178bb16e | |||
| b1710e8d69 | |||
| 8483010393 | |||
| 55bfa5dafb | |||
| 90b61682bd | |||
| 97ddfc3bea | |||
| f34c534e84 | |||
| 681cd06087 | |||
| 45f6580be4 | |||
| f5c8f7a559 | |||
| e26ed3a163 | |||
| 04c0418c02 | |||
| 00ab2c756e | |||
| 9418921dab | |||
| 87541510ad | |||
| 9ac72cd66f | |||
| 093a35733f | |||
| 082a4f976c | |||
| 3e1f3b45f5 | |||
| a6a5ad109e | |||
| 25fcd353f3 | |||
| d8ab6e373e | |||
| 0490dd3529 | |||
| f45ff653b8 | |||
| e78871d6f3 | |||
| ec83a8c9cc | |||
| fc2081c216 | |||
| 367a081eea | |||
| cfb1e5e3d5 | |||
| 1dfadc7e27 | |||
| fc66d9f6fd | |||
| d8eb198e97 | |||
| c8f9df1b45 | |||
| 3597d96332 | |||
| 1913838f8e | |||
| 6e47448560 | |||
| 4d4d8cc183 | |||
| ac7b04a61d | |||
| 493479344c | |||
| d4f8993988 | |||
| 876afecc5c | |||
| 539111c30c | |||
| 647a620a9c | |||
| 0eee944c64 | |||
| e4ef700263 | |||
| 492612fc8b | |||
| 15c53e42df | |||
| 5d6b618d5f | |||
| 0ee618cdfd | |||
| ed6273d781 | |||
| d38743a2fc | |||
| aaa445c4ac | |||
| e415ce4ae9 | |||
| 145237003e | |||
| 9338b320a4 | |||
| aae48c4f6c |
+13
-95
@@ -23,116 +23,42 @@ jobs:
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- uses: actions-rs/toolchain@v1
|
||||
with:
|
||||
toolchain: 1.56.0
|
||||
override: true
|
||||
- name: Install build dependencies
|
||||
run: sudo apt install ${{ matrix.build_deps }}
|
||||
if: matrix.build_deps != ''
|
||||
- name: cargo fetch
|
||||
uses: actions-rs/cargo@v1
|
||||
with:
|
||||
command: fetch
|
||||
- name: Install test dependencies
|
||||
run: cargo install rage
|
||||
- run: cargo fetch
|
||||
- name: Build tests
|
||||
uses: actions-rs/cargo@v1
|
||||
with:
|
||||
command: build
|
||||
args: --verbose --tests
|
||||
run: cargo build --verbose --tests
|
||||
- name: Run tests
|
||||
uses: actions-rs/cargo@v1
|
||||
with:
|
||||
command: test
|
||||
args: --verbose
|
||||
|
||||
clippy:
|
||||
name: Clippy (1.56.0)
|
||||
timeout-minutes: 30
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- uses: actions-rs/toolchain@v1
|
||||
with:
|
||||
toolchain: 1.56.0
|
||||
components: clippy
|
||||
override: true
|
||||
- name: Install build dependencies
|
||||
run: sudo apt install libpcsclite-dev
|
||||
- name: Run clippy
|
||||
uses: actions-rs/clippy-check@v1
|
||||
with:
|
||||
name: Clippy (1.56.0)
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
args: --all-features --all-targets -- -D warnings
|
||||
|
||||
clippy-nightly:
|
||||
name: Clippy (nightly)
|
||||
timeout-minutes: 30
|
||||
runs-on: ubuntu-latest
|
||||
continue-on-error: true
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- uses: actions-rs/toolchain@v1
|
||||
with:
|
||||
toolchain: nightly
|
||||
components: clippy
|
||||
override: true
|
||||
- name: Install build dependencies
|
||||
run: sudo apt install libpcsclite-dev
|
||||
- name: Run Clippy (nightly)
|
||||
uses: actions-rs/clippy-check@v1
|
||||
continue-on-error: true
|
||||
with:
|
||||
name: Clippy (nightly)
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
args: --all-features --all-targets
|
||||
run: cargo test --verbose
|
||||
|
||||
codecov:
|
||||
name: Code coverage
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
# Use stable for this to ensure that cargo-tarpaulin can be built.
|
||||
- uses: actions-rs/toolchain@v1
|
||||
with:
|
||||
toolchain: stable
|
||||
override: true
|
||||
- name: Install build dependencies
|
||||
run: sudo apt install libpcsclite-dev
|
||||
- name: Install coverage dependencies
|
||||
run: cargo install cargo-tarpaulin
|
||||
- name: Generate coverage report
|
||||
uses: actions-rs/tarpaulin@v0.1
|
||||
with:
|
||||
args: --release --timeout 180 --out Xml
|
||||
run: cargo tarpaulin --engine llvm --all-features --release --timeout 600 --out Xml
|
||||
- name: Upload coverage to Codecov
|
||||
uses: codecov/codecov-action@v3.1.0
|
||||
with:
|
||||
token: ${{secrets.CODECOV_TOKEN}}
|
||||
uses: codecov/codecov-action@v3.1.1
|
||||
|
||||
doc-links:
|
||||
name: Intra-doc links
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- uses: actions-rs/toolchain@v1
|
||||
with:
|
||||
toolchain: 1.56.0
|
||||
override: true
|
||||
- name: Install build dependencies
|
||||
run: sudo apt install libpcsclite-dev
|
||||
- name: cargo fetch
|
||||
uses: actions-rs/cargo@v1
|
||||
with:
|
||||
command: fetch
|
||||
|
||||
# Ensure intra-documentation links all resolve correctly
|
||||
# Requires #![deny(intra_doc_link_resolution_failure)] in crates.
|
||||
- run: cargo fetch
|
||||
# Requires #![deny(rustdoc::broken_intra_doc_links)] in crates.
|
||||
- name: Check intra-doc links
|
||||
uses: actions-rs/cargo@v1
|
||||
with:
|
||||
command: doc
|
||||
args: --document-private-items
|
||||
run: cargo doc --document-private-items
|
||||
|
||||
fmt:
|
||||
name: Rustfmt
|
||||
@@ -140,13 +66,5 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- uses: actions-rs/toolchain@v1
|
||||
with:
|
||||
toolchain: 1.56.0
|
||||
components: rustfmt
|
||||
override: true
|
||||
- name: Check formatting
|
||||
uses: actions-rs/cargo@v1
|
||||
with:
|
||||
command: fmt
|
||||
args: -- --check
|
||||
run: cargo fmt -- --check
|
||||
|
||||
@@ -0,0 +1,23 @@
|
||||
name: Beta lints
|
||||
|
||||
# We only run these lints on trial-merges of PRs to reduce noise.
|
||||
on: pull_request
|
||||
|
||||
jobs:
|
||||
clippy-beta:
|
||||
name: Clippy (beta)
|
||||
timeout-minutes: 30
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- uses: dtolnay/rust-toolchain@beta
|
||||
id: toolchain
|
||||
- run: rustup override set ${{steps.toolchain.outputs.name}}
|
||||
- name: Install build dependencies
|
||||
run: sudo apt install libpcsclite-dev
|
||||
- name: Clippy (beta)
|
||||
uses: actions-rs/clippy-check@v1
|
||||
with:
|
||||
name: Clippy (beta)
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
args: --all-features --all-targets -- -W clippy::all
|
||||
@@ -0,0 +1,20 @@
|
||||
name: Stable lints
|
||||
|
||||
# We only run these lints on trial-merges of PRs to reduce noise.
|
||||
on: pull_request
|
||||
|
||||
jobs:
|
||||
clippy:
|
||||
name: Clippy (MSRV)
|
||||
timeout-minutes: 30
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Install build dependencies
|
||||
run: sudo apt install libpcsclite-dev
|
||||
- name: Run clippy
|
||||
uses: actions-rs/clippy-check@v1
|
||||
with:
|
||||
name: Clippy (MSRV)
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
args: --all-features --all-targets -- -D warnings
|
||||
@@ -17,7 +17,11 @@ jobs:
|
||||
runs-on: ${{ matrix.os }}
|
||||
strategy:
|
||||
matrix:
|
||||
name: [linux, windows, macos]
|
||||
name:
|
||||
- linux
|
||||
- macos-arm64
|
||||
- macos-x86_64
|
||||
- windows
|
||||
include:
|
||||
- name: linux
|
||||
os: ubuntu-18.04
|
||||
@@ -31,7 +35,14 @@ jobs:
|
||||
archive_name: age-plugin-yubikey.zip
|
||||
asset_suffix: x86_64-windows.zip
|
||||
|
||||
- name: macos
|
||||
- name: macos-arm64
|
||||
os: macos-latest
|
||||
target: aarch64-apple-darwin
|
||||
build_flags: --target aarch64-apple-darwin
|
||||
archive_name: age-plugin-yubikey.tar.gz
|
||||
asset_suffix: arm64-darwin.tar.gz
|
||||
|
||||
- name: macos-x86_64
|
||||
os: macos-latest
|
||||
archive_name: age-plugin-yubikey.tar.gz
|
||||
asset_suffix: x86_64-darwin.tar.gz
|
||||
@@ -76,12 +87,10 @@ jobs:
|
||||
if: matrix.name == 'windows'
|
||||
|
||||
- name: Upload archive to release
|
||||
uses: svenstaro/upload-release-action@2.2.1
|
||||
uses: svenstaro/upload-release-action@2.5.0
|
||||
with:
|
||||
repo_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
file: ${{ matrix.archive_name }}
|
||||
asset_name: age-plugin-yubikey-$tag-${{ matrix.asset_suffix }}
|
||||
tag: ${{ github.ref }}
|
||||
prerelease: true
|
||||
if: github.event.inputs.test != 'true'
|
||||
|
||||
@@ -137,11 +146,9 @@ jobs:
|
||||
args: --package age-plugin-yubikey --no-build --target ${{ matrix.target }}
|
||||
|
||||
- name: Upload Debian package to release
|
||||
uses: svenstaro/upload-release-action@2.2.1
|
||||
uses: svenstaro/upload-release-action@2.5.0
|
||||
with:
|
||||
repo_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
file: target/${{ matrix.target }}/debian/*.deb
|
||||
tag: ${{ github.ref }}
|
||||
file_glob: true
|
||||
prerelease: true
|
||||
if: github.event.inputs.test != 'true'
|
||||
|
||||
@@ -8,6 +8,59 @@ to 0.3.0 are beta releases.
|
||||
|
||||
## [Unreleased]
|
||||
|
||||
## [0.3.4], [0.4.1] - 2026-04-08
|
||||
### Fixed
|
||||
- `age-plugin-yubikey` now completely ignores any identity that has unrecognised
|
||||
critical extensions in its certificate, to ensure it doesn't misuse a newer
|
||||
identity type.
|
||||
|
||||
## [0.4.0] - 2023-04-09
|
||||
### Changed
|
||||
- MSRV is now 1.65.0.
|
||||
- The YubiKey PIV PIN and touch caches are now preserved across processes in
|
||||
most cases. See [README.md](README.md#agent-support) for exceptions. This has
|
||||
several usability effects (not applicable to YubiKey 4 series):
|
||||
- If a YubiKey's PIN is cached by an agent like `yubikey-agent`, and then
|
||||
`age-plugin-yubikey` is run (either directly or as a plugin), the agent
|
||||
won't request a PIN entry on its next use.
|
||||
- If a YubiKey's PIN was requested by either a previous invocation of
|
||||
`age-plugin-yubikey` or an agent like `yubikey-agent`, subsequent calls to
|
||||
`age-plugin-yubikey` won't request a PIN entry to decrypt a file with an
|
||||
identity that has a PIN policy of `once`.
|
||||
|
||||
### Fixed
|
||||
- Identities can now be generated with a PIN policy of "always" (in previous
|
||||
versions of `age-plugin-yubikey` this would cause an error).
|
||||
|
||||
## [0.3.3] - 2023-02-11
|
||||
### Fixed
|
||||
- When `age-plugin-yubikey` assists the user in changing their PIN from the
|
||||
default PIN, it no longer tells the user that PINs shorter than 6 characters
|
||||
are allowed, and instead loops until the user enters a PIN of valid length.
|
||||
It also now prevents the user from setting their PIN to the default PIN, to
|
||||
avoid creating a cycle.
|
||||
- More kinds of SmartCard readers are ignored when they have no SmartCard
|
||||
inserted.
|
||||
|
||||
## [0.3.2] - 2023-01-01
|
||||
### Changed
|
||||
- The "sharing violation" logic now also sends SIGHUP to any `yubikey-agent`
|
||||
that is running, to have them release any YubiKey locks they are holding.
|
||||
|
||||
### Fixed
|
||||
- The "sharing violation" logic now runs during plugin mode as intended. In the
|
||||
previous release it only ran during direct `age-plugin-yubikey` usage.
|
||||
|
||||
## [0.3.1] - 2022-12-30
|
||||
### Changed
|
||||
- If a "sharing violation" error is encountered while opening a connection to a
|
||||
YubiKey, and `scdaemon` is running (which can hold exclusive access to a
|
||||
YubiKey indefinitely), `age-plugin-yubikey` now attempts to stop `scdaemon` by
|
||||
interrupting it (or killing it on Windows), and then tries again to open the
|
||||
connection.
|
||||
- Several error messages were enhanced with guidance on how to resolve their
|
||||
respective issue.
|
||||
|
||||
## [0.3.0] - 2022-05-02
|
||||
First non-beta release!
|
||||
|
||||
|
||||
Generated
+1607
-414
File diff suppressed because it is too large
Load Diff
+18
-11
@@ -1,7 +1,7 @@
|
||||
[package]
|
||||
name = "age-plugin-yubikey"
|
||||
description = "YubiKey plugin for age clients"
|
||||
version = "0.3.0"
|
||||
version = "0.4.1"
|
||||
authors = ["Jack Grigg <thestr4d@gmail.com>"]
|
||||
repository = "https://github.com/str4d/age-plugin-yubikey"
|
||||
readme = "README.md"
|
||||
@@ -9,6 +9,7 @@ keywords = ["age", "cli", "encryption", "yubikey"]
|
||||
categories = ["command-line-utilities", "cryptography"]
|
||||
license = "MIT OR Apache-2.0"
|
||||
edition = "2021"
|
||||
rust-version = "1.65" # MSRV
|
||||
|
||||
[package.metadata.deb]
|
||||
extended-description = """\
|
||||
@@ -21,24 +22,24 @@ assets = [
|
||||
]
|
||||
|
||||
[dependencies]
|
||||
age-core = "0.8"
|
||||
age-plugin = "0.3"
|
||||
base64 = "0.13"
|
||||
bech32 = "0.8"
|
||||
age-core = "0.9"
|
||||
age-plugin = "0.4"
|
||||
base64 = "0.21"
|
||||
bech32 = "0.9"
|
||||
console = { version = "0.15", default-features = false }
|
||||
dialoguer = { version = "0.9", default-features = false, features = ["password"] }
|
||||
env_logger = "0.9"
|
||||
dialoguer = { version = "0.10", default-features = false, features = ["password"] }
|
||||
env_logger = "0.10"
|
||||
gumdrop = "0.8"
|
||||
hex = "0.4"
|
||||
log = "0.4"
|
||||
p256 = { version = "0.9", features = ["ecdh"] }
|
||||
p256 = { version = "0.13", features = ["ecdh"] }
|
||||
pcsc = "2.4"
|
||||
rand = "0.8"
|
||||
sha2 = "0.9"
|
||||
sha2 = "0.10"
|
||||
which = "4.1"
|
||||
x509 = "0.2"
|
||||
x509-parser = "0.12"
|
||||
yubikey = { version = "0.5", features = ["untested"] }
|
||||
x509-parser = "0.14"
|
||||
yubikey = { version = "=0.8.0-pre.0", features = ["untested"] }
|
||||
|
||||
# Translations
|
||||
i18n-embed = { version = "0.13", features = ["desktop-requester", "fluent-system"] }
|
||||
@@ -46,6 +47,12 @@ i18n-embed-fl = "0.6"
|
||||
lazy_static = "1"
|
||||
rust-embed = "6"
|
||||
|
||||
# GnuPG coexistence
|
||||
sysinfo = "0.28"
|
||||
|
||||
[dev-dependencies]
|
||||
flate2 = "1"
|
||||
man = "0.3"
|
||||
tempfile = "3"
|
||||
test-with = "0.9"
|
||||
which = "4"
|
||||
|
||||
@@ -6,18 +6,35 @@ which enables files to be encrypted to age identities stored on YubiKeys.
|
||||
|
||||
## Installation
|
||||
|
||||
| Environment | CLI command |
|
||||
|-------------|-------------|
|
||||
| Cargo (Rust 1.65+) | `cargo install age-plugin-yubikey` |
|
||||
| Homebrew (macOS or Linux) | `brew install age-plugin-yubikey` |
|
||||
|
||||
On Windows, Linux, and macOS, you can use the
|
||||
[pre-built binaries](https://github.com/str4d/age-plugin-yubikey/releases).
|
||||
|
||||
If your system has Rust 1.56+ installed (either via `rustup` or a system
|
||||
package), you can build directly from source:
|
||||
|
||||
```
|
||||
cargo install age-plugin-yubikey
|
||||
```
|
||||
|
||||
Help from new packagers is very welcome.
|
||||
|
||||
### Linux, BSD, etc.
|
||||
|
||||
On non-Windows, non-macOS systems, you need to ensure that the `pcscd` service
|
||||
is installed and running.
|
||||
|
||||
| Environment | CLI command |
|
||||
|-------------|-------------|
|
||||
| Debian or Ubuntu | `sudo apt-get install pcscd` |
|
||||
| OpenBSD | As ```root``` do:<br>`pkg_add pcsc-lite ccid`<br>`rcctl enable pcscd`<br>`rcctl start pcscd` |
|
||||
| FreeBSD | As ```root``` do:<br>`pkg install pcsc-lite libccid`<br>`service pcscd enable`<br>`service pcscd start` |
|
||||
|
||||
When installing via Cargo, you also need to ensure that the development headers
|
||||
for the `pcsc-lite` library are available, so that the `pcsc-sys` crate can be
|
||||
compiled.
|
||||
|
||||
| Environment | CLI command |
|
||||
|-------------|-------------|
|
||||
| Debian or Ubuntu | `sudo apt-get install libpcsclite-dev` |
|
||||
|
||||
### Windows Subsystem for Linux (WSL)
|
||||
|
||||
WSL does not currently provide native support for USB devices. However, Windows
|
||||
@@ -35,7 +52,12 @@ YubiKey:
|
||||
|
||||
## Configuration
|
||||
|
||||
There are two ways to configure a YubiKey as an `age` identity. You can run the
|
||||
`age-plugin-yubikey` identities have two parts:
|
||||
- The secret key material, which is stored inside a YubiKey.
|
||||
- An age identity file, which contains information that an age client can use to
|
||||
figure out which YubiKey secret key should be used.
|
||||
|
||||
There are two ways to configure a YubiKey as an age identity. You can run the
|
||||
plugin binary directly to use a simple text interface, which will create an age
|
||||
identity file:
|
||||
|
||||
@@ -61,6 +83,14 @@ Once an identity has been created, you can regenerate it later:
|
||||
$ age-plugin-yubikey --identity [--serial SERIAL] --slot SLOT
|
||||
```
|
||||
|
||||
To use the identity with an age client, it needs to be stored in a file. When
|
||||
using the above programmatic flags, you can do this by redirecting standard
|
||||
output to a file. On a Unix system like macOS or Ubuntu:
|
||||
|
||||
```
|
||||
$ age-plugin-yubikey --identity --slot SLOT > yubikey-identity.txt
|
||||
```
|
||||
|
||||
## Usage
|
||||
|
||||
The age recipients contained in all connected YubiKeys can be printed on
|
||||
@@ -85,13 +115,27 @@ age client as normal (e.g. `rage -d -i yubikey-identity.txt`).
|
||||
### Agent support
|
||||
|
||||
`age-plugin-yubikey` does not provide or interact with an agent for decryption.
|
||||
As age plugin binaries have short lifetimes (they only run while the age client
|
||||
is running), this means that YubiKey identities configured with a PIN policy of
|
||||
`once` will actually prompt for the PIN on every decryption.
|
||||
It does however attempt to preserve the PIN cache by not soft-resetting the
|
||||
YubiKey after a decryption or read-only operation, which enables YubiKey
|
||||
identities configured with a PIN policy of `once` to not prompt for the PIN on
|
||||
every decryption. **This does not work for YubiKey 4 series.**
|
||||
|
||||
A decryption agent will most likely be implemented as a separate age plugin that
|
||||
interacts with [`yubikey-agent`](https://github.com/FiloSottile/yubikey-agent),
|
||||
enabling YubiKeys to be used simultaneously with age and SSH.
|
||||
The session that corresponds to the `once` policy can be ended in several ways,
|
||||
not all of which are necessarily intuitive:
|
||||
|
||||
- Unplugging the YubiKey (the obvious way).
|
||||
- Using a different applet (e.g. FIDO2). This causes the PIV applet to be closed
|
||||
which clears its state.
|
||||
- This is why the YubiKey 4 series does not support PIN cache preservation:
|
||||
their serial can only be obtained by switching to the OTP applet.
|
||||
- Generating a new age identity via `age-plugin-yubikey --generate` or the CLI
|
||||
interface. This is to avoid leaving the YubiKey authenticated with the
|
||||
management key.
|
||||
|
||||
If the current PIN UX proves to be insufficient, a decryption agent will most
|
||||
likely be implemented as a separate age plugin that interacts with
|
||||
[`yubikey-agent`](https://github.com/FiloSottile/yubikey-agent), enabling
|
||||
YubiKeys to be used simultaneously with age and SSH.
|
||||
|
||||
### Manual setup and technical details
|
||||
|
||||
|
||||
@@ -12,6 +12,7 @@
|
||||
-yubikey = YubiKey
|
||||
-yubikeys = YubiKeys
|
||||
-age-plugin-yubikey = age-plugin-yubikey
|
||||
-pcscd = pcscd
|
||||
|
||||
## CLI commands and flags
|
||||
|
||||
@@ -75,6 +76,14 @@ cli-setup-name-identity = 📛 Name this identity
|
||||
cli-setup-select-pin-policy = 🔤 Select a PIN policy
|
||||
cli-setup-select-touch-policy = 👆 Select a touch policy
|
||||
|
||||
cli-setup-yk4-pin-policy =
|
||||
⚠️ Your {-yubikey} is a {-yubikey} 4 series. With ephemeral applications like
|
||||
{-age-plugin-yubikey}, a PIN policy of "Once" behaves like a PIN policy of
|
||||
"Always", and your PIN will be requested for every decryption. However, you
|
||||
might still benefit from a PIN policy of "Once" in long-running applications
|
||||
like agents.
|
||||
cli-setup-yk4-pin-policy-confirm = Use PIN policy of "Once" with {-yubikey} 4?
|
||||
|
||||
cli-setup-generate-new = Generate new identity in slot {$slot_index}?
|
||||
cli-setup-use-existing = Use existing identity in slot {$slot_index}?
|
||||
|
||||
@@ -111,6 +120,7 @@ cli-setup-finished =
|
||||
open-yk-with-serial = ⏳ Please insert the {-yubikey} with serial {$yubikey_serial}.
|
||||
open-yk-without-serial = ⏳ Please insert the {-yubikey}.
|
||||
warn-yk-not-connected = Ignoring {$yubikey_name}: not connected
|
||||
warn-yk-missing-applet = Ignoring {$yubikey_name}: Missing {$applet_name} applet
|
||||
|
||||
print-recipient = Recipient: {$recipient}
|
||||
|
||||
@@ -126,13 +136,15 @@ mgr-change-default-pin =
|
||||
✨ Your {-yubikey} is using the default PIN. Let's change it!
|
||||
✨ We'll also set the PUK equal to the PIN.
|
||||
|
||||
🔐 The PIN is up to 8 numbers, letters, or symbols. Not just numbers!
|
||||
🔐 The PIN can be numbers, letters, or symbols. Not just numbers!
|
||||
📏 The PIN must be at least 6 and at most 8 characters in length.
|
||||
❌ Your keys will be lost if the PIN and PUK are locked after 3 incorrect tries.
|
||||
|
||||
mgr-enter-current-puk = Enter current PUK (default is {$default_puk})
|
||||
mgr-choose-new-pin = Choose a new PIN/PUK
|
||||
mgr-repeat-new-pin = Repeat the PIN/PUK
|
||||
mgr-pin-mismatch = PINs don't match
|
||||
mgr-nope-default-pin = You entered the default PIN again. You need to change it.
|
||||
|
||||
mgr-changing-mgmt-key =
|
||||
✨ Your {-yubikey} is using the default management key.
|
||||
@@ -143,6 +155,12 @@ mgr-changing-mgmt-key-error =
|
||||
{" "}{$management_key}
|
||||
mgr-changing-mgmt-key-success = Success!
|
||||
|
||||
## YubiKey keygen
|
||||
|
||||
builder-gen-key = 🎲 Generating key...
|
||||
builder-gen-cert = 🔏 Generating certificate...
|
||||
builder-touch-yk = 👆 Please touch the {-yubikey}
|
||||
|
||||
## Plugin usage
|
||||
|
||||
plugin-err-invalid-recipient = Invalid recipient
|
||||
@@ -169,10 +187,20 @@ plugin-err-pin-required = A PIN is required for {-yubikey} with serial {$yub
|
||||
|
||||
## Errors
|
||||
|
||||
err-custom-mgmt-key = Custom unprotected management keys are not supported.
|
||||
err-mgmt-key-auth = Failed to authenticate with the PIN-protected management key.
|
||||
rec-mgmt-key-auth =
|
||||
Check whether your management key is using the TDES algorithm.
|
||||
AES is not supported yet: {$aes_url}
|
||||
err-custom-mgmt-key = Custom unprotected non-TDES management keys are not supported.
|
||||
rec-change-mgmt-key =
|
||||
You can use the {-yubikey} Manager CLI to change to a protected management key:
|
||||
{" "}{$cmd}
|
||||
|
||||
See here for more information about {-yubikey} Manager:
|
||||
{" "}{$url}
|
||||
|
||||
err-invalid-flag-command = Flag '{$flag}' cannot be used with '{$command}'.
|
||||
err-invalid-flag-tui = Flag '{$flag}' cannot be used with the interactive interface.
|
||||
err-invalid-pin-length = The PIN needs to be 1-8 characters.
|
||||
err-invalid-pin-policy = Invalid PIN policy '{$policy}' (expected [{$expected}]).
|
||||
err-invalid-slot = Invalid slot '{$slot}' (expected number between 1 and 20).
|
||||
err-invalid-touch-policy = Invalid touch policy '{$policy}' (expected [{$expected}]).
|
||||
@@ -185,11 +213,38 @@ err-slot-has-no-identity = Slot {$slot} does not contain an {-age} identity or c
|
||||
err-slot-is-not-empty = Slot {$slot} is not empty. Use {-flag-force} to overwrite the slot.
|
||||
err-timed-out = Timed out while waiting for a {-yubikey} to be inserted.
|
||||
err-use-list-for-single = Use {-cmd-list} to print the recipient for a single slot.
|
||||
|
||||
err-yk-no-service-macos = The Crypto Token Kit service is not running.
|
||||
rec-yk-no-service-macos =
|
||||
You may need to restart it. See this Stack Exchange answer for more help:
|
||||
{" "}{$url}
|
||||
|
||||
err-yk-no-service-pcscd = {-pcscd} is not running.
|
||||
rec-yk-no-service-pcscd =
|
||||
If you are on Debian or Ubuntu, you can install it with:
|
||||
{" "}{$apt}
|
||||
|
||||
rec-yk-no-service-pcscd-bsd =
|
||||
You can install and run it as root with:
|
||||
{" "}{$pkg}
|
||||
{" "}{$service_enable}
|
||||
{" "}{$service_start}
|
||||
|
||||
err-yk-no-service-win = The Smart Cards for Windows service is not running.
|
||||
rec-yk-no-service-win =
|
||||
See this troubleshooting guide for more help:
|
||||
{" "}{$url}
|
||||
|
||||
err-yk-not-found = Please insert the {-yubikey} you want to set up
|
||||
err-yk-wrong-pin = Invalid PIN ({$tries} tries remaining before it is blocked)
|
||||
err-yk-general = Error while communicating with {-yubikey}: {$err}
|
||||
err-yk-general-cause = Cause: {$inner_err}
|
||||
|
||||
err-yk-wrong-pin = Invalid {$pin_kind} ({$tries ->
|
||||
[one] {$tries} try remaining
|
||||
*[other] {$tries} tries remaining
|
||||
} before it is blocked)
|
||||
err-yk-pin-locked = {$pin_kind} locked
|
||||
|
||||
err-ux-A = Did this not do what you expected? Could an error be more useful?
|
||||
err-ux-B = Tell us
|
||||
# Put (len(A) - len(B) - 46) spaces here.
|
||||
|
||||
@@ -1 +0,0 @@
|
||||
1.56.0
|
||||
@@ -0,0 +1,3 @@
|
||||
[toolchain]
|
||||
channel = "1.65.0"
|
||||
components = ["clippy", "rustfmt"]
|
||||
+26
-14
@@ -1,13 +1,15 @@
|
||||
use dialoguer::Password;
|
||||
use rand::{rngs::OsRng, RngCore};
|
||||
use x509::RelativeDistinguishedName;
|
||||
use yubikey::{
|
||||
certificate::{Certificate, PublicKeyInfo},
|
||||
certificate::Certificate,
|
||||
piv::{generate as yubikey_generate, AlgorithmId, RetiredSlotId, SlotId},
|
||||
Key, PinPolicy, TouchPolicy, YubiKey,
|
||||
};
|
||||
|
||||
use crate::{
|
||||
error::Error,
|
||||
fl,
|
||||
key::{self, Stub},
|
||||
p256::Recipient,
|
||||
util::{Metadata, POLICY_EXTENSION_OID},
|
||||
@@ -86,17 +88,13 @@ impl IdentityBuilder {
|
||||
let pin_policy = self.pin_policy.unwrap_or(DEFAULT_PIN_POLICY);
|
||||
let touch_policy = self.touch_policy.unwrap_or(DEFAULT_TOUCH_POLICY);
|
||||
|
||||
eprintln!("{}", fl!("builder-gen-key"));
|
||||
|
||||
// No need to ask for users to enter their PIN if the PIN policy requires it,
|
||||
// because here we _always_ require them to enter their PIN in order to access the
|
||||
// protected management key (which is necessary in order to generate identities).
|
||||
key::manage(yubikey)?;
|
||||
|
||||
if let TouchPolicy::Never = touch_policy {
|
||||
// No need to touch YubiKey
|
||||
} else {
|
||||
eprintln!("👆 Please touch the YubiKey");
|
||||
}
|
||||
|
||||
// Generate a new key in the selected slot.
|
||||
let generated = yubikey_generate(
|
||||
yubikey,
|
||||
@@ -106,14 +104,12 @@ impl IdentityBuilder {
|
||||
touch_policy,
|
||||
)?;
|
||||
|
||||
let recipient = match &generated {
|
||||
PublicKeyInfo::EcP256(pubkey) => {
|
||||
Recipient::from_encoded(pubkey).expect("YubiKey generates a valid pubkey")
|
||||
}
|
||||
_ => unreachable!(),
|
||||
};
|
||||
let recipient = Recipient::from_spki(&generated).expect("YubiKey generates a valid pubkey");
|
||||
let stub = Stub::new(yubikey.serial(), slot, &recipient);
|
||||
|
||||
eprintln!();
|
||||
eprintln!("{}", fl!("builder-gen-cert"));
|
||||
|
||||
// Pick a random serial for the new self-signed certificate.
|
||||
let mut serial = [0; 20];
|
||||
OsRng.fill_bytes(&mut serial);
|
||||
@@ -122,6 +118,23 @@ impl IdentityBuilder {
|
||||
.name
|
||||
.unwrap_or(format!("age identity {}", hex::encode(stub.tag)));
|
||||
|
||||
if let PinPolicy::Always = pin_policy {
|
||||
// We need to enter the PIN again.
|
||||
let pin = Password::new()
|
||||
.with_prompt(fl!(
|
||||
"plugin-enter-pin",
|
||||
yubikey_serial = yubikey.serial().to_string(),
|
||||
))
|
||||
.report(true)
|
||||
.interact()?;
|
||||
yubikey.verify_pin(pin.as_bytes())?;
|
||||
}
|
||||
if let TouchPolicy::Never = touch_policy {
|
||||
// No need to touch YubiKey
|
||||
} else {
|
||||
eprintln!("{}", fl!("builder-touch-yk"));
|
||||
}
|
||||
|
||||
let cert = Certificate::generate_self_signed(
|
||||
yubikey,
|
||||
SlotId::Retired(slot),
|
||||
@@ -139,7 +152,6 @@ impl IdentityBuilder {
|
||||
)],
|
||||
)?;
|
||||
|
||||
let (_, cert) = x509_parser::parse_x509_certificate(cert.as_ref()).unwrap();
|
||||
let metadata = Metadata::extract(yubikey, slot, &cert, false).unwrap();
|
||||
|
||||
Ok((
|
||||
|
||||
+108
-106
@@ -1,4 +1,3 @@
|
||||
use i18n_embed_fl::fl;
|
||||
use std::fmt;
|
||||
use std::io;
|
||||
use yubikey::{piv::RetiredSlotId, Serial};
|
||||
@@ -9,25 +8,30 @@ macro_rules! wlnfl {
|
||||
($f:ident, $message_id:literal) => {
|
||||
writeln!($f, "{}", $crate::fl!($message_id))
|
||||
};
|
||||
($f:ident, $message_id:literal, $($kwarg:expr),* $(,)*) => {{
|
||||
writeln!($f, "{}", $crate::fl!($message_id, $($kwarg,)*))
|
||||
}};
|
||||
}
|
||||
|
||||
pub enum Error {
|
||||
CustomManagementKey,
|
||||
InvalidFlagCommand(String, String),
|
||||
InvalidFlagTui(String),
|
||||
InvalidPinLength,
|
||||
InvalidPinPolicy(String),
|
||||
InvalidSlot(u8),
|
||||
InvalidTouchPolicy(String),
|
||||
Io(io::Error),
|
||||
ManagementKeyAuth,
|
||||
MultipleCommands,
|
||||
MultipleYubiKeys,
|
||||
NoEmptySlots(Serial),
|
||||
NoMatchingSerial(Serial),
|
||||
PukLocked,
|
||||
SlotHasNoIdentity(RetiredSlotId),
|
||||
SlotIsNotEmpty(RetiredSlotId),
|
||||
TimedOut,
|
||||
UseListForSingleSlot,
|
||||
WrongPuk(u8),
|
||||
YubiKey(yubikey::Error),
|
||||
}
|
||||
|
||||
@@ -47,126 +51,124 @@ impl From<yubikey::Error> for Error {
|
||||
// manually to provide the error output we want.
|
||||
impl fmt::Debug for Error {
|
||||
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
|
||||
const CHANGE_MGMT_KEY_CMD: &str =
|
||||
"ykman piv access change-management-key -a TDES --protect";
|
||||
const CHANGE_MGMT_KEY_URL: &str = "https://developers.yubico.com/yubikey-manager/";
|
||||
|
||||
match self {
|
||||
Error::CustomManagementKey => wlnfl!(f, "err-custom-mgmt-key")?,
|
||||
Error::InvalidFlagCommand(flag, command) => writeln!(
|
||||
Error::CustomManagementKey => {
|
||||
wlnfl!(f, "err-custom-mgmt-key")?;
|
||||
wlnfl!(
|
||||
f,
|
||||
"rec-change-mgmt-key",
|
||||
cmd = CHANGE_MGMT_KEY_CMD,
|
||||
url = CHANGE_MGMT_KEY_URL
|
||||
)?;
|
||||
}
|
||||
Error::InvalidFlagCommand(flag, command) => wlnfl!(
|
||||
f,
|
||||
"{}",
|
||||
fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
"err-invalid-flag-command",
|
||||
flag = flag.as_str(),
|
||||
command = command.as_str(),
|
||||
),
|
||||
"err-invalid-flag-command",
|
||||
flag = flag.as_str(),
|
||||
command = command.as_str(),
|
||||
)?,
|
||||
Error::InvalidFlagTui(flag) => writeln!(
|
||||
Error::InvalidFlagTui(flag) => wlnfl!(f, "err-invalid-flag-tui", flag = flag.as_str())?,
|
||||
Error::InvalidPinPolicy(s) => wlnfl!(
|
||||
f,
|
||||
"{}",
|
||||
fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
"err-invalid-flag-tui",
|
||||
flag = flag.as_str(),
|
||||
),
|
||||
"err-invalid-pin-policy",
|
||||
policy = s.as_str(),
|
||||
expected = "always, once, never",
|
||||
)?,
|
||||
Error::InvalidPinLength => wlnfl!(f, "err-invalid-pin-length")?,
|
||||
Error::InvalidPinPolicy(s) => writeln!(
|
||||
Error::InvalidSlot(slot) => wlnfl!(f, "err-invalid-slot", slot = slot)?,
|
||||
Error::InvalidTouchPolicy(s) => wlnfl!(
|
||||
f,
|
||||
"{}",
|
||||
fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
"err-invalid-pin-policy",
|
||||
policy = s.as_str(),
|
||||
expected = "always, once, never",
|
||||
),
|
||||
)?,
|
||||
Error::InvalidSlot(slot) => writeln!(
|
||||
f,
|
||||
"{}",
|
||||
fl!(crate::LANGUAGE_LOADER, "err-invalid-slot", slot = slot),
|
||||
)?,
|
||||
Error::InvalidTouchPolicy(s) => writeln!(
|
||||
f,
|
||||
"{}",
|
||||
fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
"err-invalid-touch-policy",
|
||||
policy = s.as_str(),
|
||||
expected = "always, cached, never",
|
||||
),
|
||||
)?,
|
||||
Error::Io(e) => writeln!(
|
||||
f,
|
||||
"{}",
|
||||
fl!(crate::LANGUAGE_LOADER, "err-io", err = e.to_string()),
|
||||
"err-invalid-touch-policy",
|
||||
policy = s.as_str(),
|
||||
expected = "always, cached, never",
|
||||
)?,
|
||||
Error::Io(e) => wlnfl!(f, "err-io", err = e.to_string())?,
|
||||
Error::ManagementKeyAuth => {
|
||||
let aes_url = "https://github.com/str4d/age-plugin-yubikey/issues/92";
|
||||
wlnfl!(f, "err-mgmt-key-auth")?;
|
||||
wlnfl!(f, "rec-mgmt-key-auth", aes_url = aes_url)?;
|
||||
wlnfl!(
|
||||
f,
|
||||
"rec-change-mgmt-key",
|
||||
cmd = CHANGE_MGMT_KEY_CMD,
|
||||
url = CHANGE_MGMT_KEY_URL
|
||||
)?;
|
||||
}
|
||||
Error::MultipleCommands => wlnfl!(f, "err-multiple-commands")?,
|
||||
Error::MultipleYubiKeys => wlnfl!(f, "err-multiple-yubikeys")?,
|
||||
Error::NoEmptySlots(serial) => writeln!(
|
||||
f,
|
||||
"{}",
|
||||
fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
"err-no-empty-slots",
|
||||
serial = serial.to_string(),
|
||||
),
|
||||
)?,
|
||||
Error::NoMatchingSerial(serial) => writeln!(
|
||||
f,
|
||||
"{}",
|
||||
fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
"err-no-matching-serial",
|
||||
serial = serial.to_string(),
|
||||
),
|
||||
)?,
|
||||
Error::SlotHasNoIdentity(slot) => writeln!(
|
||||
f,
|
||||
"{}",
|
||||
fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
"err-slot-has-no-identity",
|
||||
slot = slot_to_ui(slot),
|
||||
),
|
||||
)?,
|
||||
Error::SlotIsNotEmpty(slot) => writeln!(
|
||||
f,
|
||||
"{}",
|
||||
fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
"err-slot-is-not-empty",
|
||||
slot = slot_to_ui(slot),
|
||||
),
|
||||
)?,
|
||||
Error::NoEmptySlots(serial) => {
|
||||
wlnfl!(f, "err-no-empty-slots", serial = serial.to_string())?
|
||||
}
|
||||
Error::NoMatchingSerial(serial) => {
|
||||
wlnfl!(f, "err-no-matching-serial", serial = serial.to_string())?
|
||||
}
|
||||
Error::PukLocked => wlnfl!(f, "err-yk-pin-locked", pin_kind = "PUK")?,
|
||||
Error::SlotHasNoIdentity(slot) => {
|
||||
wlnfl!(f, "err-slot-has-no-identity", slot = slot_to_ui(slot))?
|
||||
}
|
||||
Error::SlotIsNotEmpty(slot) => {
|
||||
wlnfl!(f, "err-slot-is-not-empty", slot = slot_to_ui(slot))?
|
||||
}
|
||||
Error::TimedOut => wlnfl!(f, "err-timed-out")?,
|
||||
Error::UseListForSingleSlot => wlnfl!(f, "err-use-list-for-single")?,
|
||||
Error::WrongPuk(tries) => {
|
||||
wlnfl!(f, "err-yk-wrong-pin", pin_kind = "PUK", tries = tries)?
|
||||
}
|
||||
Error::YubiKey(e) => match e {
|
||||
yubikey::Error::NotFound => wlnfl!(f, "err-yk-not-found")?,
|
||||
yubikey::Error::WrongPin { tries } => writeln!(
|
||||
f,
|
||||
"{}",
|
||||
fl!(crate::LANGUAGE_LOADER, "err-yk-wrong-pin", tries = tries),
|
||||
)?,
|
||||
yubikey::Error::PcscError {
|
||||
inner: Some(pcsc::Error::NoService),
|
||||
} => {
|
||||
if cfg!(windows) {
|
||||
wlnfl!(f, "err-yk-no-service-win")?;
|
||||
let url = "https://learn.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-debugging-information#smart-card-service";
|
||||
wlnfl!(f, "rec-yk-no-service-win", url = url)?;
|
||||
} else if cfg!(target_os = "macos") {
|
||||
wlnfl!(f, "err-yk-no-service-macos")?;
|
||||
let url = "https://apple.stackexchange.com/a/438198";
|
||||
wlnfl!(f, "rec-yk-no-service-macos", url = url)?;
|
||||
} else if cfg!(target_os = "openbsd") {
|
||||
wlnfl!(f, "err-yk-no-service-pcscd")?;
|
||||
let pkg = "pkg_add pcsc-lite ccid";
|
||||
let service_enable = "rcctl enable pcscd";
|
||||
let service_start = "rcctl start pcscd";
|
||||
wlnfl!(
|
||||
f,
|
||||
"rec-yk-no-service-pcscd-bsd",
|
||||
pkg = pkg,
|
||||
service_enable = service_enable,
|
||||
service_start = service_start
|
||||
)?;
|
||||
} else if cfg!(target_os = "freebsd") {
|
||||
wlnfl!(f, "err-yk-no-service-pcscd")?;
|
||||
let pkg = "pkg install pcsc-lite libccid";
|
||||
let service_enable = "service pcscd enable";
|
||||
let service_start = "service pcscd start";
|
||||
wlnfl!(
|
||||
f,
|
||||
"rec-yk-no-service-pcscd-bsd",
|
||||
pkg = pkg,
|
||||
service_enable = service_enable,
|
||||
service_start = service_start
|
||||
)?;
|
||||
} else {
|
||||
wlnfl!(f, "err-yk-no-service-pcscd")?;
|
||||
let apt = "sudo apt-get install pcscd";
|
||||
wlnfl!(f, "rec-yk-no-service-pcscd", apt = apt)?;
|
||||
}
|
||||
}
|
||||
yubikey::Error::PinLocked => wlnfl!(f, "err-yk-pin-locked", pin_kind = "PIN")?,
|
||||
yubikey::Error::WrongPin { tries } => {
|
||||
wlnfl!(f, "err-yk-wrong-pin", pin_kind = "PIN", tries = tries)?
|
||||
}
|
||||
e => {
|
||||
writeln!(
|
||||
f,
|
||||
"{}",
|
||||
fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
"err-yk-general",
|
||||
err = e.to_string(),
|
||||
),
|
||||
)?;
|
||||
wlnfl!(f, "err-yk-general", err = e.to_string())?;
|
||||
use std::error::Error;
|
||||
if let Some(inner) = e.source() {
|
||||
writeln!(
|
||||
f,
|
||||
"{}",
|
||||
fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
"err-yk-general-cause",
|
||||
inner_err = inner.to_string(),
|
||||
),
|
||||
)?;
|
||||
wlnfl!(f, "err-yk-general-cause", inner_err = inner.to_string())?;
|
||||
}
|
||||
}
|
||||
},
|
||||
|
||||
+30
-13
@@ -1,10 +1,15 @@
|
||||
use age_core::{
|
||||
format::{FileKey, Stanza},
|
||||
primitives::{aead_encrypt, hkdf},
|
||||
primitives::aead_encrypt,
|
||||
secrecy::ExposeSecret,
|
||||
};
|
||||
use p256::{ecdh::EphemeralSecret, elliptic_curve::sec1::ToEncodedPoint};
|
||||
use base64::{prelude::BASE64_STANDARD_NO_PAD, Engine};
|
||||
use p256::{
|
||||
ecdh::EphemeralSecret,
|
||||
elliptic_curve::sec1::{FromEncodedPoint, ToEncodedPoint},
|
||||
};
|
||||
use rand::rngs::OsRng;
|
||||
use sha2::Sha256;
|
||||
|
||||
use crate::{p256::Recipient, STANZA_TAG};
|
||||
|
||||
@@ -22,8 +27,12 @@ pub(crate) struct EphemeralKeyBytes(p256::EncodedPoint);
|
||||
|
||||
impl EphemeralKeyBytes {
|
||||
fn from_bytes(bytes: [u8; EPK_BYTES]) -> Option<Self> {
|
||||
let encoded = p256::EncodedPoint::from_bytes(&bytes).ok()?;
|
||||
if encoded.is_compressed() && encoded.decompress().is_some() {
|
||||
let encoded = p256::EncodedPoint::from_bytes(bytes).ok()?;
|
||||
if encoded.is_compressed()
|
||||
&& p256::PublicKey::from_encoded_point(&encoded)
|
||||
.is_some()
|
||||
.into()
|
||||
{
|
||||
Some(EphemeralKeyBytes(encoded))
|
||||
} else {
|
||||
None
|
||||
@@ -39,9 +48,9 @@ impl EphemeralKeyBytes {
|
||||
}
|
||||
|
||||
pub(crate) fn decompress(&self) -> p256::EncodedPoint {
|
||||
self.0
|
||||
.decompress()
|
||||
.expect("EphemeralKeyBytes is a valid compressed encoding by construction")
|
||||
// EphemeralKeyBytes is a valid compressed encoding by construction.
|
||||
let p = p256::PublicKey::from_encoded_point(&self.0).unwrap();
|
||||
p.to_encoded_point(false)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -57,8 +66,8 @@ impl From<RecipientLine> for Stanza {
|
||||
Stanza {
|
||||
tag: STANZA_TAG.to_owned(),
|
||||
args: vec![
|
||||
base64::encode_config(&r.tag, base64::STANDARD_NO_PAD),
|
||||
base64::encode_config(r.epk_bytes.as_bytes(), base64::STANDARD_NO_PAD),
|
||||
BASE64_STANDARD_NO_PAD.encode(r.tag),
|
||||
BASE64_STANDARD_NO_PAD.encode(r.epk_bytes.as_bytes()),
|
||||
],
|
||||
body: r.encrypted_file_key.to_vec(),
|
||||
}
|
||||
@@ -76,9 +85,10 @@ impl RecipientLine {
|
||||
return None;
|
||||
}
|
||||
|
||||
base64::decode_config_slice(arg, base64::STANDARD_NO_PAD, buf.as_mut())
|
||||
BASE64_STANDARD_NO_PAD
|
||||
.decode_slice_unchecked(arg, buf.as_mut())
|
||||
.ok()
|
||||
.map(|_| buf)
|
||||
.and_then(|len| (len == buf.as_mut().len()).then_some(buf))
|
||||
}
|
||||
|
||||
let (tag, epk_bytes) = match &s.args[..] {
|
||||
@@ -101,7 +111,7 @@ impl RecipientLine {
|
||||
}
|
||||
|
||||
pub(crate) fn wrap_file_key(file_key: &FileKey, pk: &Recipient) -> Self {
|
||||
let esk = EphemeralSecret::random(OsRng);
|
||||
let esk = EphemeralSecret::random(&mut OsRng);
|
||||
let epk = esk.public_key();
|
||||
let epk_bytes = EphemeralKeyBytes::from_public_key(&epk);
|
||||
|
||||
@@ -111,7 +121,14 @@ impl RecipientLine {
|
||||
salt.extend_from_slice(epk_bytes.as_bytes());
|
||||
salt.extend_from_slice(pk.to_encoded().as_bytes());
|
||||
|
||||
let enc_key = hkdf(&salt, STANZA_KEY_LABEL, shared_secret.as_bytes());
|
||||
let enc_key = {
|
||||
let mut okm = [0; 32];
|
||||
shared_secret
|
||||
.extract::<Sha256>(Some(&salt))
|
||||
.expand(STANZA_KEY_LABEL, &mut okm)
|
||||
.expect("okm is the correct length");
|
||||
okm
|
||||
};
|
||||
|
||||
let encrypted_file_key = {
|
||||
let mut key = [0; ENCRYPTED_FILE_KEY_BYTES];
|
||||
|
||||
+370
-139
@@ -3,22 +3,24 @@
|
||||
use age_core::{
|
||||
format::{FileKey, FILE_KEY_BYTES},
|
||||
primitives::{aead_decrypt, hkdf},
|
||||
secrecy::ExposeSecret,
|
||||
secrecy::{ExposeSecret, SecretString},
|
||||
};
|
||||
use age_plugin::{identity, Callbacks};
|
||||
use bech32::{ToBase32, Variant};
|
||||
use dialoguer::Password;
|
||||
use log::warn;
|
||||
use log::{debug, error, warn};
|
||||
use std::convert::Infallible;
|
||||
use std::fmt;
|
||||
use std::io;
|
||||
use std::iter;
|
||||
use std::thread::sleep;
|
||||
use std::time::{Duration, Instant, SystemTime};
|
||||
use x509_parser::der_parser::oid::Oid;
|
||||
use yubikey::{
|
||||
certificate::{Certificate, PublicKeyInfo},
|
||||
certificate::Certificate,
|
||||
piv::{decrypt_data, AlgorithmId, RetiredSlotId, SlotId},
|
||||
reader::{Context, Reader},
|
||||
MgmKey, PinPolicy, Serial, TouchPolicy, YubiKey,
|
||||
Key, MgmKey, PinPolicy, Serial, TouchPolicy, YubiKey,
|
||||
};
|
||||
|
||||
use crate::{
|
||||
@@ -26,37 +28,48 @@ use crate::{
|
||||
fl,
|
||||
format::{RecipientLine, STANZA_KEY_LABEL},
|
||||
p256::{Recipient, TAG_BYTES},
|
||||
util::{otp_serial_prefix, Metadata},
|
||||
util::{otp_serial_prefix, Metadata, POLICY_EXTENSION_OID},
|
||||
IDENTITY_PREFIX,
|
||||
};
|
||||
|
||||
const ONE_SECOND: Duration = Duration::from_secs(1);
|
||||
const FIFTEEN_SECONDS: Duration = Duration::from_secs(15);
|
||||
|
||||
/// The set of OIDs that we understand and use when parsing YubiKey slot certificates.
|
||||
const KNOWN_OIDS: &[&[u64]] = &[POLICY_EXTENSION_OID];
|
||||
|
||||
pub(crate) fn is_connected(reader: Reader) -> bool {
|
||||
filter_connected(&reader)
|
||||
}
|
||||
|
||||
pub(crate) fn filter_connected(reader: &Reader) -> bool {
|
||||
match reader.open() {
|
||||
Ok(_) => true,
|
||||
Err(e) => {
|
||||
use std::error::Error;
|
||||
if let Some(pcsc::Error::RemovedCard) =
|
||||
e.source().and_then(|inner| inner.downcast_ref())
|
||||
{
|
||||
warn!(
|
||||
"{}",
|
||||
i18n_embed_fl::fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
"warn-yk-not-connected",
|
||||
yubikey_name = reader.name(),
|
||||
)
|
||||
);
|
||||
false
|
||||
} else {
|
||||
true
|
||||
}
|
||||
Err(yubikey::Error::PcscError {
|
||||
inner: Some(pcsc::Error::NoSmartcard | pcsc::Error::RemovedCard),
|
||||
}) => {
|
||||
warn!(
|
||||
"{}",
|
||||
fl!("warn-yk-not-connected", yubikey_name = reader.name())
|
||||
);
|
||||
false
|
||||
}
|
||||
Err(yubikey::Error::AppletNotFound { applet_name }) => {
|
||||
warn!(
|
||||
"{}",
|
||||
fl!(
|
||||
"warn-yk-missing-applet",
|
||||
yubikey_name = reader.name(),
|
||||
applet_name = applet_name,
|
||||
),
|
||||
);
|
||||
false
|
||||
}
|
||||
Err(_) => true,
|
||||
Ok(yubikey) => {
|
||||
// We only connected as a side-effect of confirming that we can connect, so
|
||||
// avoid resetting the YubiKey.
|
||||
disconnect_without_reset(yubikey);
|
||||
true
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -77,16 +90,139 @@ pub(crate) fn wait_for_readers() -> Result<Context, Error> {
|
||||
}
|
||||
}
|
||||
|
||||
/// Looks for agent processes that might be holding exclusive access to a YubiKey, and
|
||||
/// asks them as nicely as possible to release it.
|
||||
///
|
||||
/// Returns `true` if any known agent was running and was successfully interrupted (or
|
||||
/// killed if the platform doesn't support interrupts).
|
||||
fn hunt_agents() -> bool {
|
||||
debug!("Sharing violation encountered, looking for agent processes");
|
||||
|
||||
use sysinfo::{ProcessExt, ProcessRefreshKind, RefreshKind, Signal, System, SystemExt};
|
||||
|
||||
let mut interrupted = false;
|
||||
|
||||
let sys =
|
||||
System::new_with_specifics(RefreshKind::new().with_processes(ProcessRefreshKind::new()));
|
||||
|
||||
for process in sys.processes().values() {
|
||||
match process.name() {
|
||||
"scdaemon" | "scdaemon.exe" => {
|
||||
// gpg-agent runs scdaemon to interact with smart cards. The canonical way
|
||||
// to reload it is `gpgconf --reload scdaemon`, which kills and restarts
|
||||
// the process. We emulate that here with SIGINT (which it listens to).
|
||||
if process
|
||||
.kill_with(Signal::Interrupt)
|
||||
.unwrap_or_else(|| process.kill())
|
||||
{
|
||||
debug!("Stopped scdaemon (PID {})", process.pid());
|
||||
interrupted = true;
|
||||
}
|
||||
}
|
||||
"yubikey-agent" | "yubikey-agent.exe" => {
|
||||
// yubikey-agent releases all YubiKey locks when it receives a SIGHUP.
|
||||
match process.kill_with(Signal::Hangup) {
|
||||
Some(true) => {
|
||||
debug!("Sent SIGHUP to yubikey-agent (PID {})", process.pid());
|
||||
interrupted = true;
|
||||
}
|
||||
Some(false) => (),
|
||||
None => debug!(
|
||||
"Found yubikey-agent (PID {}) but platform doesn't support SIGHUP",
|
||||
process.pid(),
|
||||
),
|
||||
}
|
||||
}
|
||||
_ => (),
|
||||
}
|
||||
}
|
||||
|
||||
// If we did interrupt an agent, pause briefly to allow it to finish up.
|
||||
if interrupted {
|
||||
sleep(Duration::from_millis(100));
|
||||
}
|
||||
|
||||
interrupted
|
||||
}
|
||||
|
||||
fn open_sesame(
|
||||
op: impl Fn() -> Result<YubiKey, yubikey::Error>,
|
||||
) -> Result<YubiKey, yubikey::Error> {
|
||||
op().or_else(|e| match e {
|
||||
yubikey::Error::PcscError {
|
||||
inner: Some(pcsc::Error::SharingViolation),
|
||||
} if hunt_agents() => op(),
|
||||
_ => Err(e),
|
||||
})
|
||||
}
|
||||
|
||||
/// Opens a connection to this reader, returning a `YubiKey` if successful.
|
||||
///
|
||||
/// This is equivalent to [`Reader::open`], but additionally handles the presence of
|
||||
/// agents (which can indefinitely hold exclusive access to a YubiKey).
|
||||
pub(crate) fn open_connection(reader: &Reader) -> Result<YubiKey, yubikey::Error> {
|
||||
open_sesame(|| reader.open())
|
||||
}
|
||||
|
||||
/// Opens a YubiKey with a specific serial number.
|
||||
///
|
||||
/// This is equivalent to [`YubiKey::open_by_serial`], but additionally handles the
|
||||
/// presence of agents (which can indefinitely hold exclusive access to a YubiKey).
|
||||
fn open_by_serial(serial: Serial) -> Result<YubiKey, yubikey::Error> {
|
||||
// `YubiKey::open_by_serial` has a bug where it ignores all opening errors, even if
|
||||
// it potentially could have found a matching YubiKey if not for an error, and thus
|
||||
// returns `Error::NotFound` if another agent is holding exclusive access to the
|
||||
// required YubiKey. This gives misleading UX behaviour where age-plugin-yubikey asks
|
||||
// the user to insert a YubiKey they have already inserted.
|
||||
//
|
||||
// For now, we instead implement the correct behaviour manually. Once MSRV has been
|
||||
// raised to 1.60, we can upstream this into the `yubikey` crate.
|
||||
open_sesame(|| {
|
||||
let mut readers = Context::open()?;
|
||||
|
||||
let mut open_error = None;
|
||||
|
||||
for reader in readers.iter()? {
|
||||
let yubikey = match reader.open() {
|
||||
Ok(yk) => yk,
|
||||
Err(e) => {
|
||||
// Save the first error we see that indicates we might have been able
|
||||
// to find a matching YubiKey.
|
||||
if open_error.is_none() {
|
||||
if let yubikey::Error::PcscError {
|
||||
inner: Some(pcsc::Error::SharingViolation),
|
||||
} = e
|
||||
{
|
||||
open_error = Some(e);
|
||||
}
|
||||
}
|
||||
continue;
|
||||
}
|
||||
};
|
||||
|
||||
if serial == yubikey.serial() {
|
||||
return Ok(yubikey);
|
||||
} else {
|
||||
// We didn't want this YubiKey; don't reset it.
|
||||
disconnect_without_reset(yubikey);
|
||||
}
|
||||
}
|
||||
|
||||
Err(if let Some(e) = open_error {
|
||||
e
|
||||
} else {
|
||||
error!("no YubiKey detected with serial: {}", serial);
|
||||
yubikey::Error::NotFound
|
||||
})
|
||||
})
|
||||
}
|
||||
|
||||
pub(crate) fn open(serial: Option<Serial>) -> Result<YubiKey, Error> {
|
||||
if !Context::open()?.iter()?.any(is_connected) {
|
||||
if let Some(serial) = serial {
|
||||
eprintln!(
|
||||
"{}",
|
||||
i18n_embed_fl::fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
"open-yk-with-serial",
|
||||
yubikey_serial = serial.to_string(),
|
||||
)
|
||||
fl!("open-yk-with-serial", yubikey_serial = serial.to_string())
|
||||
);
|
||||
} else {
|
||||
eprintln!("{}", fl!("open-yk-without-serial"));
|
||||
@@ -99,9 +235,9 @@ pub(crate) fn open(serial: Option<Serial>) -> Result<YubiKey, Error> {
|
||||
// connected, an error is returned.
|
||||
let yubikey = match (readers_iter.next(), readers_iter.next(), serial) {
|
||||
(None, _, _) => unreachable!(),
|
||||
(Some(reader), None, None) => reader.open()?,
|
||||
(Some(reader), None, None) => open_connection(&reader)?,
|
||||
(Some(reader), None, Some(serial)) => {
|
||||
let yubikey = reader.open()?;
|
||||
let yubikey = open_connection(&reader)?;
|
||||
if yubikey.serial() != serial {
|
||||
return Err(Error::NoMatchingSerial(serial));
|
||||
}
|
||||
@@ -112,12 +248,12 @@ pub(crate) fn open(serial: Option<Serial>) -> Result<YubiKey, Error> {
|
||||
.chain(Some(a))
|
||||
.chain(Some(b))
|
||||
.chain(readers_iter)
|
||||
.find(|reader| match reader.open() {
|
||||
.find(|reader| match open_connection(reader) {
|
||||
Ok(yk) => yk.serial() == serial,
|
||||
_ => false,
|
||||
})
|
||||
.ok_or(Error::NoMatchingSerial(serial))?;
|
||||
reader.open()?
|
||||
open_connection(&reader)?
|
||||
}
|
||||
(Some(_), Some(_), None) => return Err(Error::MultipleYubiKeys),
|
||||
};
|
||||
@@ -125,18 +261,60 @@ pub(crate) fn open(serial: Option<Serial>) -> Result<YubiKey, Error> {
|
||||
Ok(yubikey)
|
||||
}
|
||||
|
||||
/// Disconnect from the YubiKey without resetting it.
|
||||
///
|
||||
/// This can be used to preserve the YubiKey's PIN and touch caches. There are two cases
|
||||
/// where we want to do this:
|
||||
///
|
||||
/// - We connected to this YubiKey in a read-only context, so we have not made any changes
|
||||
/// to the YubiKey's state. However, we might have asked an agent to release the YubiKey
|
||||
/// in `key::open_connection`, and we want to allow any state it may have left behind
|
||||
/// (such as cached PINs or touches) to persist beyond our execution, for usability.
|
||||
/// - We opened this connection in a decryption context, so the only changes to the
|
||||
/// YubiKey's state were to potentially cache the PIN and/or touch (depending on the
|
||||
/// policies of the slot). We want to allow these to persist beyond our execution, for
|
||||
/// usability.
|
||||
pub(crate) fn disconnect_without_reset(yubikey: YubiKey) {
|
||||
let _ = yubikey.disconnect(pcsc::Disposition::LeaveCard);
|
||||
}
|
||||
|
||||
fn request_pin<E>(
|
||||
mut prompt: impl FnMut(Option<String>) -> io::Result<Result<SecretString, E>>,
|
||||
serial: Serial,
|
||||
) -> io::Result<Result<SecretString, E>> {
|
||||
let mut prev_error = None;
|
||||
loop {
|
||||
prev_error = Some(match prompt(prev_error)? {
|
||||
Ok(pin) => match pin.expose_secret().len() {
|
||||
// A PIN must be between 6 and 8 characters.
|
||||
6..=8 => break Ok(Ok(pin)),
|
||||
// If the string is 44 bytes and starts with the YubiKey's serial
|
||||
// encoded as 12-byte modhex, the user probably touched the YubiKey
|
||||
// early and "typed" an OTP.
|
||||
44 if pin.expose_secret().starts_with(&otp_serial_prefix(serial)) => {
|
||||
fl!("plugin-err-accidental-touch")
|
||||
}
|
||||
// Otherwise, the PIN is either too short or too long.
|
||||
0..=5 => fl!("plugin-err-pin-too-short"),
|
||||
_ => fl!("plugin-err-pin-too-long"),
|
||||
},
|
||||
Err(e) => break Ok(Err(e)),
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
pub(crate) fn manage(yubikey: &mut YubiKey) -> Result<(), Error> {
|
||||
const DEFAULT_PIN: &str = "123456";
|
||||
const DEFAULT_PUK: &str = "12345678";
|
||||
|
||||
eprintln!();
|
||||
let pin = Password::new()
|
||||
.with_prompt(i18n_embed_fl::fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
.with_prompt(fl!(
|
||||
"mgr-enter-pin",
|
||||
yubikey_serial = yubikey.serial().to_string(),
|
||||
default_pin = DEFAULT_PIN,
|
||||
))
|
||||
.report(true)
|
||||
.interact()?;
|
||||
yubikey.verify_pin(pin.as_bytes())?;
|
||||
|
||||
@@ -146,53 +324,123 @@ pub(crate) fn manage(yubikey: &mut YubiKey) -> Result<(), Error> {
|
||||
eprintln!("{}", fl!("mgr-change-default-pin"));
|
||||
eprintln!();
|
||||
let current_puk = Password::new()
|
||||
.with_prompt(i18n_embed_fl::fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
"mgr-enter-current-puk",
|
||||
default_puk = DEFAULT_PUK,
|
||||
))
|
||||
.with_prompt(fl!("mgr-enter-current-puk", default_puk = DEFAULT_PUK))
|
||||
.interact()?;
|
||||
let new_pin = Password::new()
|
||||
.with_prompt(fl!("mgr-choose-new-pin"))
|
||||
.with_confirmation(fl!("mgr-repeat-new-pin"), fl!("mgr-pin-mismatch"))
|
||||
.interact()?;
|
||||
if new_pin.len() > 8 {
|
||||
return Err(Error::InvalidPinLength);
|
||||
}
|
||||
yubikey.change_puk(current_puk.as_bytes(), new_pin.as_bytes())?;
|
||||
let new_pin = loop {
|
||||
let pin = request_pin(
|
||||
|prev_error| {
|
||||
if let Some(err) = prev_error {
|
||||
eprintln!("{}", err);
|
||||
}
|
||||
Password::new()
|
||||
.with_prompt(fl!("mgr-choose-new-pin"))
|
||||
.with_confirmation(fl!("mgr-repeat-new-pin"), fl!("mgr-pin-mismatch"))
|
||||
.interact()
|
||||
.map(|pin| Result::<_, Infallible>::Ok(SecretString::new(pin)))
|
||||
},
|
||||
yubikey.serial(),
|
||||
)?
|
||||
.unwrap();
|
||||
if pin.expose_secret() == DEFAULT_PIN {
|
||||
eprintln!("{}", fl!("mgr-nope-default-pin"));
|
||||
} else {
|
||||
break pin;
|
||||
}
|
||||
};
|
||||
let new_pin = new_pin.expose_secret();
|
||||
yubikey
|
||||
.change_puk(current_puk.as_bytes(), new_pin.as_bytes())
|
||||
.map_err(|e| match e {
|
||||
yubikey::Error::PinLocked => Error::PukLocked,
|
||||
yubikey::Error::WrongPin { tries } => Error::WrongPuk(tries),
|
||||
_ => Error::YubiKey(e),
|
||||
})?;
|
||||
yubikey.change_pin(pin.as_bytes(), new_pin.as_bytes())?;
|
||||
}
|
||||
|
||||
if let Ok(mgm_key) = MgmKey::get_protected(yubikey) {
|
||||
yubikey.authenticate(mgm_key)?;
|
||||
} else {
|
||||
// Try to authenticate with the default management key.
|
||||
yubikey
|
||||
.authenticate(MgmKey::default())
|
||||
.map_err(|_| Error::CustomManagementKey)?;
|
||||
match MgmKey::get_protected(yubikey) {
|
||||
Ok(mgm_key) => yubikey.authenticate(mgm_key).map_err(|e| match e {
|
||||
yubikey::Error::AuthenticationError => Error::ManagementKeyAuth,
|
||||
_ => e.into(),
|
||||
})?,
|
||||
Err(yubikey::Error::AuthenticationError) => Err(Error::ManagementKeyAuth)?,
|
||||
_ => {
|
||||
// Try to authenticate with the default management key.
|
||||
yubikey
|
||||
.authenticate(MgmKey::default())
|
||||
.map_err(|_| Error::CustomManagementKey)?;
|
||||
|
||||
// Migrate to a PIN-protected management key.
|
||||
let mgm_key = MgmKey::generate();
|
||||
eprintln!();
|
||||
eprintln!("{}", fl!("mgr-changing-mgmt-key"));
|
||||
eprint!("... ");
|
||||
mgm_key.set_protected(yubikey).map_err(|e| {
|
||||
eprintln!(
|
||||
"{}",
|
||||
i18n_embed_fl::fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
"mgr-changing-mgmt-key-error",
|
||||
management_key = hex::encode(mgm_key.as_ref()),
|
||||
)
|
||||
);
|
||||
e
|
||||
})?;
|
||||
eprintln!("{}", fl!("mgr-changing-mgmt-key-success"));
|
||||
// Migrate to a PIN-protected management key.
|
||||
let mgm_key = MgmKey::generate();
|
||||
eprintln!();
|
||||
eprintln!("{}", fl!("mgr-changing-mgmt-key"));
|
||||
eprint!("... ");
|
||||
mgm_key.set_protected(yubikey).map_err(|e| {
|
||||
eprintln!(
|
||||
"{}",
|
||||
fl!(
|
||||
"mgr-changing-mgmt-key-error",
|
||||
management_key = hex::encode(mgm_key.as_ref()),
|
||||
)
|
||||
);
|
||||
e
|
||||
})?;
|
||||
eprintln!("{}", fl!("mgr-changing-mgmt-key-success"));
|
||||
}
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
/// Parses the certificate to identify the preferred recipient type it corresponds to.
|
||||
pub(crate) fn identify_recipient(cert: &Certificate) -> Option<Recipient> {
|
||||
let known_oids = KNOWN_OIDS
|
||||
.iter()
|
||||
.map(|oid| Oid::from(oid).unwrap())
|
||||
.collect::<Vec<_>>();
|
||||
|
||||
// If the certificate contains any unrecognised critical extensions, reject it: we
|
||||
// don't know how to correctly use the identity. In particular, some identities store
|
||||
// parts of their private key material in certificate extensions to work around
|
||||
// hardware limitations. Not understanding these extensions could lead to encrypting
|
||||
// with the wrong protocol and violating security assumptions.
|
||||
let (_, c) = x509_parser::parse_x509_certificate(cert.as_ref()).ok()?;
|
||||
if c.tbs_certificate
|
||||
.extensions()
|
||||
.iter()
|
||||
.any(|ext| ext.critical && !known_oids.contains(&ext.oid))
|
||||
{
|
||||
return None;
|
||||
}
|
||||
|
||||
Recipient::from_certificate(cert)
|
||||
}
|
||||
|
||||
/// Returns an iterator of keys that are occupying plugin-compatible slots, along with the
|
||||
/// corresponding recipient if the key is compatible with this plugin.
|
||||
pub(crate) fn list_slots(
|
||||
yubikey: &mut YubiKey,
|
||||
) -> Result<impl Iterator<Item = (Key, RetiredSlotId, Option<Recipient>)>, Error> {
|
||||
Ok(Key::list(yubikey)?.into_iter().filter_map(|key| {
|
||||
// We only use the retired slots.
|
||||
match key.slot() {
|
||||
SlotId::Retired(slot) => {
|
||||
let recipient = identify_recipient(key.certificate());
|
||||
Some((key, slot, recipient))
|
||||
}
|
||||
_ => None,
|
||||
}
|
||||
}))
|
||||
}
|
||||
|
||||
/// Returns an iterator of keys that are compatible with this plugin.
|
||||
pub(crate) fn list_compatible(
|
||||
yubikey: &mut YubiKey,
|
||||
) -> Result<impl Iterator<Item = (Key, RetiredSlotId, Recipient)>, Error> {
|
||||
list_slots(yubikey)
|
||||
.map(|iter| iter.filter_map(|(key, slot, res)| res.map(|recipient| (key, slot, recipient))))
|
||||
}
|
||||
|
||||
/// A reference to an age key stored in a YubiKey.
|
||||
#[derive(Debug)]
|
||||
pub struct Stub {
|
||||
@@ -272,14 +520,10 @@ impl Stub {
|
||||
&self,
|
||||
callbacks: &mut dyn Callbacks<E>,
|
||||
) -> io::Result<Result<Option<Connection>, identity::Error>> {
|
||||
let mut yubikey = match YubiKey::open_by_serial(self.serial) {
|
||||
let mut yubikey = match open_by_serial(self.serial) {
|
||||
Ok(yk) => yk,
|
||||
Err(yubikey::Error::NotFound) => {
|
||||
let mut message = i18n_embed_fl::fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
"plugin-insert-yk",
|
||||
yubikey_serial = self.serial.to_string(),
|
||||
);
|
||||
let mut message = fl!("plugin-insert-yk", yubikey_serial = self.serial.to_string());
|
||||
|
||||
// If the `confirm` command is available, we loop until either the YubiKey
|
||||
// we want is inserted, or the used explicitly skips.
|
||||
@@ -294,14 +538,13 @@ impl Stub {
|
||||
// User told us to skip this key.
|
||||
Ok(false) => return Ok(Ok(None)),
|
||||
// User said they plugged it in; try it.
|
||||
Ok(true) => match YubiKey::open_by_serial(self.serial) {
|
||||
Ok(true) => match open_by_serial(self.serial) {
|
||||
Ok(yubikey) => break Some(yubikey),
|
||||
Err(yubikey::Error::NotFound) => (),
|
||||
Err(_) => {
|
||||
return Ok(Err(identity::Error::Identity {
|
||||
index: self.identity_index,
|
||||
message: i18n_embed_fl::fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
message: fl!(
|
||||
"plugin-err-yk-opening",
|
||||
yubikey_serial = self.serial.to_string(),
|
||||
),
|
||||
@@ -312,8 +555,7 @@ impl Stub {
|
||||
Err(age_core::plugin::Error::Fail) => {
|
||||
return Ok(Err(identity::Error::Identity {
|
||||
index: self.identity_index,
|
||||
message: i18n_embed_fl::fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
message: fl!(
|
||||
"plugin-err-yk-opening",
|
||||
yubikey_serial = self.serial.to_string(),
|
||||
),
|
||||
@@ -323,8 +565,7 @@ impl Stub {
|
||||
|
||||
// We're going to loop around, meaning that the first attempt failed.
|
||||
// Change the message to indicate this to the user.
|
||||
message = i18n_embed_fl::fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
message = fl!(
|
||||
"plugin-insert-yk-retry",
|
||||
yubikey_serial = self.serial.to_string(),
|
||||
);
|
||||
@@ -337,8 +578,7 @@ impl Stub {
|
||||
if callbacks.message(&message)?.is_err() {
|
||||
return Ok(Err(identity::Error::Identity {
|
||||
index: self.identity_index,
|
||||
message: i18n_embed_fl::fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
message: fl!(
|
||||
"plugin-err-yk-not-found",
|
||||
yubikey_serial = self.serial.to_string(),
|
||||
),
|
||||
@@ -348,14 +588,13 @@ impl Stub {
|
||||
// Start a 15-second timer waiting for the YubiKey to be inserted
|
||||
let start = SystemTime::now();
|
||||
loop {
|
||||
match YubiKey::open_by_serial(self.serial) {
|
||||
match open_by_serial(self.serial) {
|
||||
Ok(yubikey) => break yubikey,
|
||||
Err(yubikey::Error::NotFound) => (),
|
||||
Err(_) => {
|
||||
return Ok(Err(identity::Error::Identity {
|
||||
index: self.identity_index,
|
||||
message: i18n_embed_fl::fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
message: fl!(
|
||||
"plugin-err-yk-opening",
|
||||
yubikey_serial = self.serial.to_string(),
|
||||
),
|
||||
@@ -367,8 +606,7 @@ impl Stub {
|
||||
Ok(end) if end >= FIFTEEN_SECONDS => {
|
||||
return Ok(Err(identity::Error::Identity {
|
||||
index: self.identity_index,
|
||||
message: i18n_embed_fl::fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
message: fl!(
|
||||
"plugin-err-yk-timed-out",
|
||||
yubikey_serial = self.serial.to_string(),
|
||||
),
|
||||
@@ -382,8 +620,7 @@ impl Stub {
|
||||
Err(_) => {
|
||||
return Ok(Err(identity::Error::Identity {
|
||||
index: self.identity_index,
|
||||
message: i18n_embed_fl::fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
message: fl!(
|
||||
"plugin-err-yk-opening",
|
||||
yubikey_serial = self.serial.to_string(),
|
||||
),
|
||||
@@ -394,11 +631,10 @@ impl Stub {
|
||||
// Read the pubkey from the YubiKey slot and check it still matches.
|
||||
let (cert, pk) = match Certificate::read(&mut yubikey, SlotId::Retired(self.slot))
|
||||
.ok()
|
||||
.and_then(|cert| match cert.subject_pki() {
|
||||
PublicKeyInfo::EcP256(pubkey) => Recipient::from_encoded(pubkey)
|
||||
.filter(|pk| pk.tag() == self.tag)
|
||||
.map(|pk| (cert, pk)),
|
||||
_ => None,
|
||||
.and_then(|cert| {
|
||||
identify_recipient(&cert)
|
||||
.filter(|recipient| recipient.tag() == self.tag)
|
||||
.map(|r| (cert, r))
|
||||
}) {
|
||||
Some(pk) => pk,
|
||||
None => {
|
||||
@@ -444,9 +680,8 @@ impl Connection {
|
||||
) -> io::Result<Result<(), identity::Error>> {
|
||||
// Check if we can skip requesting a PIN.
|
||||
if self.cached_metadata.is_none() {
|
||||
let (_, cert) = x509_parser::parse_x509_certificate(self.cert.as_ref()).unwrap();
|
||||
self.cached_metadata =
|
||||
match Metadata::extract(&mut self.yubikey, self.slot, &cert, true) {
|
||||
match Metadata::extract(&mut self.yubikey, self.slot, &self.cert, true) {
|
||||
None => {
|
||||
return Ok(Err(identity::Error::Identity {
|
||||
index: self.identity_index,
|
||||
@@ -456,48 +691,37 @@ impl Connection {
|
||||
metadata => metadata,
|
||||
};
|
||||
}
|
||||
if let Some(PinPolicy::Never) = self.cached_metadata.as_ref().and_then(|m| m.pin_policy) {
|
||||
return Ok(Ok(()));
|
||||
match self.cached_metadata.as_ref().and_then(|m| m.pin_policy) {
|
||||
Some(PinPolicy::Never) => return Ok(Ok(())),
|
||||
Some(PinPolicy::Once) if self.yubikey.verify_pin(&[]).is_ok() => return Ok(Ok(())),
|
||||
_ => (),
|
||||
}
|
||||
|
||||
// The policy requires a PIN, so request it.
|
||||
// Note that we can't distinguish between PinPolicy::Once and PinPolicy::Always
|
||||
// because this plugin is ephemeral, so we always request the PIN.
|
||||
let enter_pin_msg = i18n_embed_fl::fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
"plugin-enter-pin",
|
||||
yubikey_serial = self.yubikey.serial().to_string(),
|
||||
);
|
||||
let mut message = enter_pin_msg.clone();
|
||||
let pin = loop {
|
||||
message = match callbacks.request_secret(&message)? {
|
||||
Ok(pin) => match pin.expose_secret().len() {
|
||||
// A PIN must be between 6 and 8 characters.
|
||||
6..=8 => break pin,
|
||||
// If the string is 44 bytes and starts with the YubiKey's serial
|
||||
// encoded as 12-byte modhex, the user probably touched the YubiKey
|
||||
// early and "typed" an OTP.
|
||||
44 if pin
|
||||
.expose_secret()
|
||||
.starts_with(&otp_serial_prefix(self.yubikey.serial())) =>
|
||||
{
|
||||
format!("{} {}", fl!("plugin-err-accidental-touch"), enter_pin_msg)
|
||||
}
|
||||
// Otherwise, the PIN is either too short or too long.
|
||||
0..=5 => format!("{} {}", fl!("plugin-err-pin-too-short"), enter_pin_msg),
|
||||
_ => format!("{} {}", fl!("plugin-err-pin-too-long"), enter_pin_msg),
|
||||
},
|
||||
Err(_) => {
|
||||
return Ok(Err(identity::Error::Identity {
|
||||
index: self.identity_index,
|
||||
message: i18n_embed_fl::fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
"plugin-err-pin-required",
|
||||
yubikey_serial = self.yubikey.serial().to_string(),
|
||||
),
|
||||
}))
|
||||
}
|
||||
};
|
||||
let pin = match request_pin(
|
||||
|prev_error| {
|
||||
callbacks.request_secret(&format!(
|
||||
"{}{}{}",
|
||||
prev_error.as_deref().unwrap_or(""),
|
||||
prev_error.as_deref().map(|_| " ").unwrap_or(""),
|
||||
fl!(
|
||||
"plugin-enter-pin",
|
||||
yubikey_serial = self.yubikey.serial().to_string(),
|
||||
)
|
||||
))
|
||||
},
|
||||
self.yubikey.serial(),
|
||||
)? {
|
||||
Ok(pin) => pin,
|
||||
Err(_) => {
|
||||
return Ok(Err(identity::Error::Identity {
|
||||
index: self.identity_index,
|
||||
message: fl!(
|
||||
"plugin-err-pin-required",
|
||||
yubikey_serial = self.yubikey.serial().to_string(),
|
||||
),
|
||||
}))
|
||||
}
|
||||
};
|
||||
if let Err(e) = self.yubikey.verify_pin(pin.expose_secret().as_bytes()) {
|
||||
return Ok(Err(identity::Error::Identity {
|
||||
@@ -557,6 +781,13 @@ impl Connection {
|
||||
Err(_) => Err(()),
|
||||
}
|
||||
}
|
||||
|
||||
/// Close this connection without resetting the YubiKey.
|
||||
///
|
||||
/// This can be used to preserve the YubiKey's PIN and touch caches.
|
||||
pub(crate) fn disconnect_without_reset(self) {
|
||||
disconnect_without_reset(self.yubikey);
|
||||
}
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
|
||||
+114
-129
@@ -12,12 +12,7 @@ use i18n_embed::{
|
||||
};
|
||||
use lazy_static::lazy_static;
|
||||
use rust_embed::RustEmbed;
|
||||
use yubikey::{
|
||||
certificate::PublicKeyInfo,
|
||||
piv::{RetiredSlotId, SlotId},
|
||||
reader::Context,
|
||||
Key, PinPolicy, Serial, TouchPolicy,
|
||||
};
|
||||
use yubikey::{piv::RetiredSlotId, reader::Context, PinPolicy, Serial, TouchPolicy};
|
||||
|
||||
mod builder;
|
||||
mod error;
|
||||
@@ -73,6 +68,9 @@ macro_rules! fl {
|
||||
($message_id:literal) => {{
|
||||
i18n_embed_fl::fl!($crate::LANGUAGE_LOADER, $message_id)
|
||||
}};
|
||||
($message_id:literal, $($kwarg:expr),* $(,)*) => {{
|
||||
i18n_embed_fl::fl!($crate::LANGUAGE_LOADER, $message_id, $($kwarg,)*)
|
||||
}};
|
||||
}
|
||||
|
||||
#[derive(Debug, Options)]
|
||||
@@ -183,6 +181,13 @@ fn generate(flags: PluginFlags) -> Result<(), Error> {
|
||||
|
||||
util::print_identity(stub, recipient, metadata);
|
||||
|
||||
// We have written to the YubiKey, which means we've authenticated with the management
|
||||
// key. Out of an abundance of caution, we let the YubiKey be reset on disconnect,
|
||||
// which will clear its PIN and touch caches. This has as small negative UX effect,
|
||||
// but identity generation is a relatively infrequent occurrence, and users are more
|
||||
// likely to see their cached PINs reset due to switching applets (e.g. from PIV to
|
||||
// FIDO2).
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
@@ -193,29 +198,17 @@ fn print_single(
|
||||
) -> Result<(), Error> {
|
||||
let mut yubikey = key::open(serial)?;
|
||||
|
||||
let mut keys = Key::list(&mut yubikey)?.into_iter().filter_map(|key| {
|
||||
// - We only use the retired slots.
|
||||
// - Only P-256 keys are compatible with us.
|
||||
match (key.slot(), key.certificate().subject_pki()) {
|
||||
(SlotId::Retired(slot), PublicKeyInfo::EcP256(pubkey)) => {
|
||||
p256::Recipient::from_encoded(pubkey).map(|r| (key, slot, r))
|
||||
}
|
||||
_ => None,
|
||||
}
|
||||
});
|
||||
|
||||
let (key, slot, recipient) = keys
|
||||
let (key, slot, recipient) = key::list_compatible(&mut yubikey)?
|
||||
.find(|(_, s, _)| s == &slot)
|
||||
.ok_or(Error::SlotHasNoIdentity(slot))?;
|
||||
|
||||
let stub = key::Stub::new(yubikey.serial(), slot, &recipient);
|
||||
let metadata = x509_parser::parse_x509_certificate(key.certificate().as_ref())
|
||||
.ok()
|
||||
.and_then(|(_, cert)| util::Metadata::extract(&mut yubikey, slot, &cert, true))
|
||||
.unwrap();
|
||||
let metadata = util::Metadata::extract(&mut yubikey, slot, key.certificate(), true).unwrap();
|
||||
|
||||
printer(stub, recipient, metadata);
|
||||
|
||||
key::disconnect_without_reset(yubikey);
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
@@ -229,33 +222,16 @@ fn print_multiple(
|
||||
|
||||
let mut printed = 0;
|
||||
for reader in readers.iter()?.filter(key::filter_connected) {
|
||||
let mut yubikey = reader.open()?;
|
||||
let mut yubikey = key::open_connection(&reader)?;
|
||||
if let Some(serial) = serial {
|
||||
if yubikey.serial() != serial {
|
||||
continue;
|
||||
}
|
||||
}
|
||||
|
||||
for key in Key::list(&mut yubikey)? {
|
||||
// We only use the retired slots.
|
||||
let slot = match key.slot() {
|
||||
SlotId::Retired(slot) => slot,
|
||||
_ => continue,
|
||||
};
|
||||
|
||||
// Only P-256 keys are compatible with us.
|
||||
let recipient = match key.certificate().subject_pki() {
|
||||
PublicKeyInfo::EcP256(pubkey) => match p256::Recipient::from_encoded(pubkey) {
|
||||
Some(recipient) => recipient,
|
||||
None => continue,
|
||||
},
|
||||
_ => continue,
|
||||
};
|
||||
|
||||
for (key, slot, recipient) in key::list_compatible(&mut yubikey)? {
|
||||
let stub = key::Stub::new(yubikey.serial(), slot, &recipient);
|
||||
let metadata = match x509_parser::parse_x509_certificate(key.certificate().as_ref())
|
||||
.ok()
|
||||
.and_then(|(_, cert)| util::Metadata::extract(&mut yubikey, slot, &cert, all))
|
||||
let metadata = match util::Metadata::extract(&mut yubikey, slot, key.certificate(), all)
|
||||
{
|
||||
Some(res) => res,
|
||||
None => continue,
|
||||
@@ -266,17 +242,11 @@ fn print_multiple(
|
||||
println!();
|
||||
}
|
||||
println!();
|
||||
|
||||
key::disconnect_without_reset(yubikey);
|
||||
}
|
||||
if printed > 1 {
|
||||
eprintln!(
|
||||
"{}",
|
||||
i18n_embed_fl::fl!(
|
||||
LANGUAGE_LOADER,
|
||||
"printed-multiple",
|
||||
kind = kind,
|
||||
count = printed,
|
||||
)
|
||||
);
|
||||
eprintln!("{}", fl!("printed-multiple", kind = kind, count = printed));
|
||||
}
|
||||
|
||||
Ok(())
|
||||
@@ -327,7 +297,7 @@ fn list(flags: PluginFlags, all: bool) -> Result<(), Error> {
|
||||
all,
|
||||
|_, recipient, metadata| {
|
||||
println!("{}", metadata);
|
||||
println!("{}", recipient.to_string());
|
||||
println!("{}", recipient);
|
||||
},
|
||||
)
|
||||
}
|
||||
@@ -382,8 +352,7 @@ fn main() -> Result<(), Error> {
|
||||
|
||||
eprintln!(
|
||||
"{}",
|
||||
i18n_embed_fl::fl!(
|
||||
LANGUAGE_LOADER,
|
||||
fl!(
|
||||
"cli-setup-intro",
|
||||
generate_usage = "age-plugin-yubikey --generate",
|
||||
)
|
||||
@@ -401,13 +370,14 @@ fn main() -> Result<(), Error> {
|
||||
let reader_names = readers_list
|
||||
.iter()
|
||||
.map(|reader| {
|
||||
reader.open().map(|yk| {
|
||||
i18n_embed_fl::fl!(
|
||||
LANGUAGE_LOADER,
|
||||
key::open_connection(reader).map(|yk| {
|
||||
let name = fl!(
|
||||
"cli-setup-yk-name",
|
||||
yubikey_name = reader.name(),
|
||||
yubikey_serial = yk.serial().to_string(),
|
||||
)
|
||||
);
|
||||
key::disconnect_without_reset(yk);
|
||||
name
|
||||
})
|
||||
})
|
||||
.collect::<Result<Vec<_>, _>>()?;
|
||||
@@ -415,34 +385,36 @@ fn main() -> Result<(), Error> {
|
||||
.with_prompt(fl!("cli-setup-select-yk"))
|
||||
.items(&reader_names)
|
||||
.default(0)
|
||||
.report(true)
|
||||
.interact_opt()?
|
||||
{
|
||||
Some(yk) => readers_list[yk].open()?,
|
||||
None => return Ok(()),
|
||||
};
|
||||
|
||||
let keys = Key::list(&mut yubikey)?;
|
||||
let keys = key::list_slots(&mut yubikey)?.collect::<Vec<_>>();
|
||||
|
||||
// Identify slots that we can't allow the user to select.
|
||||
let slot_details: Vec<_> = USABLE_SLOTS
|
||||
.iter()
|
||||
.map(|&slot| {
|
||||
keys.iter()
|
||||
.find(|key| key.slot() == SlotId::Retired(slot))
|
||||
.map(|key| match key.certificate().subject_pki() {
|
||||
PublicKeyInfo::EcP256(pubkey) => {
|
||||
p256::Recipient::from_encoded(pubkey).map(|_| {
|
||||
// Cache the details we need to display to the user.
|
||||
let (_, cert) =
|
||||
x509_parser::parse_x509_certificate(key.certificate().as_ref())
|
||||
.unwrap();
|
||||
let (name, _) = util::extract_name(&cert, true).unwrap();
|
||||
let created = cert.validity().not_before.to_rfc2822();
|
||||
.find(|(_, s, _)| s == &slot)
|
||||
.map(|(key, _, recipient)| {
|
||||
recipient.as_ref().map(|_| {
|
||||
// Cache the details we need to display to the user.
|
||||
let (_, cert) =
|
||||
x509_parser::parse_x509_certificate(key.certificate().as_ref())
|
||||
.unwrap();
|
||||
let (name, _) = util::extract_name(&cert, true).unwrap();
|
||||
let created = cert
|
||||
.validity()
|
||||
.not_before
|
||||
.to_rfc2822()
|
||||
.unwrap_or_else(|e| format!("Invalid date: {}", e));
|
||||
|
||||
format!("{}, created: {}", name, created)
|
||||
})
|
||||
}
|
||||
_ => None,
|
||||
format!("{}, created: {}", name, created)
|
||||
})
|
||||
})
|
||||
})
|
||||
.collect();
|
||||
@@ -455,20 +427,13 @@ fn main() -> Result<(), Error> {
|
||||
let i = i + 1;
|
||||
|
||||
match occupied {
|
||||
Some(Some(name)) => i18n_embed_fl::fl!(
|
||||
LANGUAGE_LOADER,
|
||||
Some(Some(name)) => fl!(
|
||||
"cli-setup-slot-usable",
|
||||
slot_index = i,
|
||||
slot_name = name.as_str(),
|
||||
),
|
||||
Some(None) => i18n_embed_fl::fl!(
|
||||
LANGUAGE_LOADER,
|
||||
"cli-setup-slot-unusable",
|
||||
slot_index = i,
|
||||
),
|
||||
None => {
|
||||
i18n_embed_fl::fl!(LANGUAGE_LOADER, "cli-setup-slot-empty", slot_index = i)
|
||||
}
|
||||
Some(None) => fl!("cli-setup-slot-unusable", slot_index = i),
|
||||
None => fl!("cli-setup-slot-empty", slot_index = i),
|
||||
}
|
||||
})
|
||||
.collect();
|
||||
@@ -479,6 +444,7 @@ fn main() -> Result<(), Error> {
|
||||
.with_prompt(fl!("cli-setup-select-slot"))
|
||||
.items(&slots)
|
||||
.default(0)
|
||||
.report(true)
|
||||
.interact_opt()?
|
||||
{
|
||||
Some(slot) => {
|
||||
@@ -491,30 +457,23 @@ fn main() -> Result<(), Error> {
|
||||
}
|
||||
};
|
||||
|
||||
if let Some(key) = keys.iter().find(|key| key.slot() == SlotId::Retired(slot)) {
|
||||
let recipient = match key.certificate().subject_pki() {
|
||||
PublicKeyInfo::EcP256(pubkey) => {
|
||||
p256::Recipient::from_encoded(pubkey).expect("We checked this above")
|
||||
}
|
||||
_ => unreachable!(),
|
||||
};
|
||||
if let Some((key, _, recipient)) = keys.into_iter().find(|(_, s, _)| s == &slot) {
|
||||
let recipient = recipient.expect("We checked this above");
|
||||
|
||||
if Confirm::new()
|
||||
.with_prompt(i18n_embed_fl::fl!(
|
||||
LANGUAGE_LOADER,
|
||||
"cli-setup-use-existing",
|
||||
slot_index = slot_index,
|
||||
))
|
||||
.with_prompt(fl!("cli-setup-use-existing", slot_index = slot_index))
|
||||
.report(true)
|
||||
.interact()?
|
||||
{
|
||||
let stub = key::Stub::new(yubikey.serial(), slot, &recipient);
|
||||
let (_, cert) =
|
||||
x509_parser::parse_x509_certificate(key.certificate().as_ref()).unwrap();
|
||||
let metadata =
|
||||
util::Metadata::extract(&mut yubikey, slot, &cert, true).unwrap();
|
||||
util::Metadata::extract(&mut yubikey, slot, key.certificate(), true)
|
||||
.unwrap();
|
||||
|
||||
key::disconnect_without_reset(yubikey);
|
||||
((stub, recipient, metadata), false)
|
||||
} else {
|
||||
key::disconnect_without_reset(yubikey);
|
||||
return Ok(());
|
||||
}
|
||||
} else {
|
||||
@@ -525,30 +484,57 @@ fn main() -> Result<(), Error> {
|
||||
flags.name.as_deref().unwrap_or("age identity TAG_HEX")
|
||||
))
|
||||
.allow_empty(true)
|
||||
.report(true)
|
||||
.interact_text()?;
|
||||
|
||||
let pin_policy = match Select::new()
|
||||
.with_prompt(fl!("cli-setup-select-pin-policy"))
|
||||
.items(&[
|
||||
fl!("pin-policy-always"),
|
||||
fl!("pin-policy-once"),
|
||||
fl!("pin-policy-never"),
|
||||
])
|
||||
.default(
|
||||
[PinPolicy::Always, PinPolicy::Once, PinPolicy::Never]
|
||||
.iter()
|
||||
.position(|p| {
|
||||
p == &flags.pin_policy.unwrap_or(builder::DEFAULT_PIN_POLICY)
|
||||
})
|
||||
.unwrap(),
|
||||
)
|
||||
.interact_opt()?
|
||||
{
|
||||
Some(0) => PinPolicy::Always,
|
||||
Some(1) => PinPolicy::Once,
|
||||
Some(2) => PinPolicy::Never,
|
||||
Some(_) => unreachable!(),
|
||||
None => return Ok(()),
|
||||
let mut displayed_yk4_warning = false;
|
||||
let pin_policy = loop {
|
||||
let pin_policy = match Select::new()
|
||||
.with_prompt(fl!("cli-setup-select-pin-policy"))
|
||||
.items(&[
|
||||
fl!("pin-policy-always"),
|
||||
fl!("pin-policy-once"),
|
||||
fl!("pin-policy-never"),
|
||||
])
|
||||
.default(
|
||||
[PinPolicy::Always, PinPolicy::Once, PinPolicy::Never]
|
||||
.iter()
|
||||
.position(|p| {
|
||||
p == &flags.pin_policy.unwrap_or(builder::DEFAULT_PIN_POLICY)
|
||||
})
|
||||
.unwrap(),
|
||||
)
|
||||
.report(true)
|
||||
.interact_opt()?
|
||||
{
|
||||
Some(0) => PinPolicy::Always,
|
||||
Some(1) => PinPolicy::Once,
|
||||
Some(2) => PinPolicy::Never,
|
||||
Some(_) => unreachable!(),
|
||||
None => return Ok(()),
|
||||
};
|
||||
|
||||
// We can't preserve the PIN cache for YubiKey 4 series, because to
|
||||
// retrieve the serial we switch to the OTP applet.
|
||||
match (pin_policy, yubikey.version().major) {
|
||||
(PinPolicy::Once, 4) => {
|
||||
if !displayed_yk4_warning {
|
||||
eprintln!();
|
||||
eprintln!("{}", fl!("cli-setup-yk4-pin-policy"));
|
||||
eprintln!();
|
||||
displayed_yk4_warning = true;
|
||||
}
|
||||
|
||||
if Confirm::new()
|
||||
.with_prompt(fl!("cli-setup-yk4-pin-policy-confirm"))
|
||||
.report(true)
|
||||
.interact()?
|
||||
{
|
||||
break pin_policy;
|
||||
}
|
||||
}
|
||||
_ => break pin_policy,
|
||||
}
|
||||
};
|
||||
|
||||
let touch_policy = match Select::new()
|
||||
@@ -566,6 +552,7 @@ fn main() -> Result<(), Error> {
|
||||
})
|
||||
.unwrap(),
|
||||
)
|
||||
.report(true)
|
||||
.interact_opt()?
|
||||
{
|
||||
Some(0) => TouchPolicy::Always,
|
||||
@@ -576,11 +563,8 @@ fn main() -> Result<(), Error> {
|
||||
};
|
||||
|
||||
if Confirm::new()
|
||||
.with_prompt(i18n_embed_fl::fl!(
|
||||
LANGUAGE_LOADER,
|
||||
"cli-setup-generate-new",
|
||||
slot_index = slot_index,
|
||||
))
|
||||
.with_prompt(fl!("cli-setup-generate-new", slot_index = slot_index))
|
||||
.report(true)
|
||||
.interact()?
|
||||
{
|
||||
eprintln!();
|
||||
@@ -596,6 +580,7 @@ fn main() -> Result<(), Error> {
|
||||
true,
|
||||
)
|
||||
} else {
|
||||
key::disconnect_without_reset(yubikey);
|
||||
return Ok(());
|
||||
}
|
||||
}
|
||||
@@ -608,6 +593,7 @@ fn main() -> Result<(), Error> {
|
||||
"age-yubikey-identity-{}.txt",
|
||||
hex::encode(stub.tag)
|
||||
))
|
||||
.report(true)
|
||||
.interact_text()?;
|
||||
|
||||
let mut file = match OpenOptions::new()
|
||||
@@ -619,6 +605,7 @@ fn main() -> Result<(), Error> {
|
||||
Err(e) if e.kind() == io::ErrorKind::AlreadyExists => {
|
||||
if Confirm::new()
|
||||
.with_prompt(fl!("cli-setup-identity-file-exists"))
|
||||
.report(true)
|
||||
.interact()?
|
||||
{
|
||||
File::create(&file_name)?
|
||||
@@ -632,8 +619,7 @@ fn main() -> Result<(), Error> {
|
||||
writeln!(
|
||||
file,
|
||||
"{}",
|
||||
i18n_embed_fl::fl!(
|
||||
LANGUAGE_LOADER,
|
||||
fl!(
|
||||
"yubikey-identity",
|
||||
yubikey_metadata = metadata.to_string(),
|
||||
recipient = recipient.to_string(),
|
||||
@@ -668,8 +654,7 @@ fn main() -> Result<(), Error> {
|
||||
eprintln!();
|
||||
eprintln!(
|
||||
"{}",
|
||||
i18n_embed_fl::fl!(
|
||||
LANGUAGE_LOADER,
|
||||
fl!(
|
||||
"cli-setup-finished",
|
||||
is_new = if is_new { "true" } else { "false" },
|
||||
recipient = recipient.to_string(),
|
||||
|
||||
+15
-2
@@ -1,6 +1,8 @@
|
||||
use bech32::{ToBase32, Variant};
|
||||
use p256::elliptic_curve::sec1::{FromEncodedPoint, ToEncodedPoint};
|
||||
use sha2::{Digest, Sha256};
|
||||
use yubikey::{certificate::PublicKeyInfo, Certificate};
|
||||
|
||||
use std::fmt;
|
||||
|
||||
use crate::RECIPIENT_PREFIX;
|
||||
@@ -42,12 +44,23 @@ impl Recipient {
|
||||
}
|
||||
}
|
||||
|
||||
pub(crate) fn from_certificate(cert: &Certificate) -> Option<Self> {
|
||||
Self::from_spki(cert.subject_pki())
|
||||
}
|
||||
|
||||
pub(crate) fn from_spki(spki: &PublicKeyInfo) -> Option<Self> {
|
||||
match spki {
|
||||
PublicKeyInfo::EcP256(pubkey) => Self::from_encoded(pubkey),
|
||||
_ => None,
|
||||
}
|
||||
}
|
||||
|
||||
/// Attempts to parse a valid YubiKey recipient from its SEC-1 encoding.
|
||||
///
|
||||
/// This accepts both compressed (as used by the plugin) and uncompressed (as used in
|
||||
/// the YubiKey certificate) encodings.
|
||||
pub(crate) fn from_encoded(encoded: &p256::EncodedPoint) -> Option<Self> {
|
||||
p256::PublicKey::from_encoded_point(encoded).map(Recipient)
|
||||
fn from_encoded(encoded: &p256::EncodedPoint) -> Option<Self> {
|
||||
Option::from(p256::PublicKey::from_encoded_point(encoded)).map(Recipient)
|
||||
}
|
||||
|
||||
/// Returns the compressed SEC-1 encoding of this recipient.
|
||||
|
||||
+3
-2
@@ -71,8 +71,7 @@ impl RecipientPluginV1 for RecipientPlugin {
|
||||
Ok(Some(conn)) => yk_recipients.push(conn.recipient().clone()),
|
||||
Ok(None) => yk_errors.push(recipient::Error::Identity {
|
||||
index: stub.identity_index,
|
||||
message: i18n_embed_fl::fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
message: fl!(
|
||||
"plugin-err-yk-opening",
|
||||
yubikey_serial = stub.serial.to_string(),
|
||||
),
|
||||
@@ -250,6 +249,8 @@ impl IdentityPluginV1 for IdentityPlugin {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
conn.disconnect_without_reset();
|
||||
}
|
||||
Ok(file_keys)
|
||||
}
|
||||
|
||||
+19
-18
@@ -4,7 +4,7 @@ use std::iter;
|
||||
use x509_parser::{certificate::X509Certificate, der_parser::oid::Oid};
|
||||
use yubikey::{
|
||||
piv::{RetiredSlotId, SlotId},
|
||||
PinPolicy, Serial, TouchPolicy, YubiKey,
|
||||
Certificate, PinPolicy, Serial, TouchPolicy, YubiKey,
|
||||
};
|
||||
|
||||
use crate::fl;
|
||||
@@ -112,15 +112,20 @@ impl Metadata {
|
||||
pub(crate) fn extract(
|
||||
yubikey: &mut YubiKey,
|
||||
slot: RetiredSlotId,
|
||||
cert: &X509Certificate,
|
||||
cert: &Certificate,
|
||||
all: bool,
|
||||
) -> Option<Self> {
|
||||
let (_, cert) = x509_parser::parse_x509_certificate(cert.as_ref()).ok()?;
|
||||
|
||||
// We store the PIN and touch policies for identities in their certificates
|
||||
// using the same certificate extension as PIV attestations.
|
||||
// https://developers.yubico.com/PIV/Introduction/PIV_attestation.html
|
||||
let policies = |c: &X509Certificate| {
|
||||
c.tbs_certificate
|
||||
.find_extension(&Oid::from(POLICY_EXTENSION_OID).unwrap())
|
||||
.get_extension_unique(&Oid::from(POLICY_EXTENSION_OID).unwrap())
|
||||
// If the extension is duplicated, we assume it is invalid.
|
||||
.ok()
|
||||
.flatten()
|
||||
// If the encoded extension doesn't have 2 bytes, we assume it is invalid.
|
||||
.filter(|policy| policy.value.len() >= 2)
|
||||
.map(|policy| {
|
||||
@@ -143,10 +148,10 @@ impl Metadata {
|
||||
.unwrap_or((None, None))
|
||||
};
|
||||
|
||||
extract_name(cert, all)
|
||||
extract_name(&cert, all)
|
||||
.map(|(name, ours)| {
|
||||
if ours {
|
||||
let (pin_policy, touch_policy) = policies(cert);
|
||||
let (pin_policy, touch_policy) = policies(&cert);
|
||||
(name, pin_policy, touch_policy)
|
||||
} else {
|
||||
// We can extract the PIN and touch policies via an attestation. This
|
||||
@@ -168,7 +173,11 @@ impl Metadata {
|
||||
serial: yubikey.serial(),
|
||||
slot,
|
||||
name,
|
||||
created: cert.validity().not_before.to_rfc2822(),
|
||||
created: cert
|
||||
.validity()
|
||||
.not_before
|
||||
.to_rfc2822()
|
||||
.unwrap_or_else(|e| format!("Invalid date: {}", e)),
|
||||
pin_policy,
|
||||
touch_policy,
|
||||
})
|
||||
@@ -180,8 +189,7 @@ impl fmt::Display for Metadata {
|
||||
write!(
|
||||
f,
|
||||
"{}",
|
||||
i18n_embed_fl::fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
fl!(
|
||||
"yubikey-metadata",
|
||||
serial = self.serial.to_string(),
|
||||
slot = slot_to_ui(&self.slot),
|
||||
@@ -197,20 +205,13 @@ impl fmt::Display for Metadata {
|
||||
pub(crate) fn print_identity(stub: Stub, recipient: Recipient, metadata: Metadata) {
|
||||
let recipient = recipient.to_string();
|
||||
if !console::user_attended() {
|
||||
eprintln!(
|
||||
"{}",
|
||||
i18n_embed_fl::fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
"print-recipient",
|
||||
recipient = recipient.as_str(),
|
||||
)
|
||||
);
|
||||
let recipient = recipient.as_str();
|
||||
eprintln!("{}", fl!("print-recipient", recipient = recipient));
|
||||
}
|
||||
|
||||
println!(
|
||||
"{}",
|
||||
i18n_embed_fl::fl!(
|
||||
crate::LANGUAGE_LOADER,
|
||||
fl!(
|
||||
"yubikey-identity",
|
||||
yubikey_metadata = metadata.to_string(),
|
||||
recipient = recipient,
|
||||
|
||||
@@ -0,0 +1,125 @@
|
||||
use std::env;
|
||||
use std::io::Write;
|
||||
use std::path::Path;
|
||||
use std::process::{Command, Stdio};
|
||||
|
||||
const PLUGIN_BIN: &str = env!("CARGO_BIN_EXE_age-plugin-yubikey");
|
||||
|
||||
#[test_with::env(YUBIKEY_SERIAL, YUBIKEY_SLOT)]
|
||||
#[cfg_attr(all(unix, not(target_os = "macos")), test_with::executable(pcscd))]
|
||||
#[test]
|
||||
fn recipient_and_identity_match() {
|
||||
let recipient = Command::new(PLUGIN_BIN)
|
||||
.arg("--list")
|
||||
.arg("--serial")
|
||||
.arg(env::var("YUBIKEY_SERIAL").unwrap())
|
||||
.arg("--slot")
|
||||
.arg(env::var("YUBIKEY_SLOT").unwrap())
|
||||
.output()
|
||||
.unwrap();
|
||||
assert_eq!(recipient.status.code(), Some(0));
|
||||
|
||||
let identity = Command::new(PLUGIN_BIN)
|
||||
.arg("--identity")
|
||||
.arg("--serial")
|
||||
.arg(env::var("YUBIKEY_SERIAL").unwrap())
|
||||
.arg("--slot")
|
||||
.arg(env::var("YUBIKEY_SLOT").unwrap())
|
||||
.output()
|
||||
.unwrap();
|
||||
assert_eq!(identity.status.code(), Some(0));
|
||||
|
||||
let recipient_file = String::from_utf8_lossy(&recipient.stdout);
|
||||
let recipient = recipient_file.lines().last().unwrap();
|
||||
let identity = String::from_utf8_lossy(&identity.stdout);
|
||||
assert!(identity.contains(recipient));
|
||||
}
|
||||
|
||||
#[test_with::executable(rage)]
|
||||
#[test]
|
||||
fn plugin_encrypt() {
|
||||
let enc_file = tempfile::NamedTempFile::new_in(env!("CARGO_TARGET_TMPDIR")).unwrap();
|
||||
|
||||
let mut process = Command::new(which::which("rage").unwrap())
|
||||
.arg("-r")
|
||||
.arg("age1yubikey1q2w7u3vpya839jxxuq8g0sedh3d740d4xvn639sqhr95ejj8vu3hyfumptt")
|
||||
.arg("-o")
|
||||
.arg(enc_file.path())
|
||||
.stdin(Stdio::piped())
|
||||
.env("PATH", Path::new(PLUGIN_BIN).parent().unwrap())
|
||||
.spawn()
|
||||
.unwrap();
|
||||
|
||||
// Scope to ensure stdin is closed.
|
||||
{
|
||||
let mut stdin = process.stdin.take().unwrap();
|
||||
stdin.write_all(b"Testing YubiKey encryption").unwrap();
|
||||
stdin.flush().unwrap();
|
||||
}
|
||||
|
||||
let status = process.wait().unwrap();
|
||||
assert_eq!(status.code(), Some(0));
|
||||
}
|
||||
|
||||
#[test_with::env(YUBIKEY_SERIAL, YUBIKEY_SLOT)]
|
||||
#[test_with::executable(rage)]
|
||||
#[cfg_attr(all(unix, not(target_os = "macos")), test_with::executable(pcscd))]
|
||||
#[test]
|
||||
fn plugin_decrypt() {
|
||||
let mut identity_file = tempfile::NamedTempFile::new_in(env!("CARGO_TARGET_TMPDIR")).unwrap();
|
||||
let enc_file = tempfile::NamedTempFile::new_in(env!("CARGO_TARGET_TMPDIR")).unwrap();
|
||||
let plaintext = "Testing YubiKey encryption";
|
||||
|
||||
// Write an identity file corresponding to this YubiKey slot.
|
||||
let identity = Command::new(PLUGIN_BIN)
|
||||
.arg("--identity")
|
||||
.arg("--serial")
|
||||
.arg(env::var("YUBIKEY_SERIAL").unwrap())
|
||||
.arg("--slot")
|
||||
.arg(env::var("YUBIKEY_SLOT").unwrap())
|
||||
.output()
|
||||
.unwrap();
|
||||
assert_eq!(identity.status.code(), Some(0));
|
||||
identity_file.write_all(&identity.stdout).unwrap();
|
||||
identity_file.flush().unwrap();
|
||||
|
||||
// Encrypt to the YubiKey slot.
|
||||
let mut enc_process = Command::new(which::which("rage").unwrap())
|
||||
.arg("-e")
|
||||
.arg("-i")
|
||||
.arg(identity_file.path())
|
||||
.arg("-o")
|
||||
.arg(enc_file.path())
|
||||
.stdin(Stdio::piped())
|
||||
.env("PATH", Path::new(PLUGIN_BIN).parent().unwrap())
|
||||
.spawn()
|
||||
.unwrap();
|
||||
|
||||
// Scope to ensure stdin is closed.
|
||||
{
|
||||
let mut stdin = enc_process.stdin.take().unwrap();
|
||||
stdin.write_all(plaintext.as_bytes()).unwrap();
|
||||
stdin.flush().unwrap();
|
||||
}
|
||||
|
||||
let enc_status = enc_process.wait().unwrap();
|
||||
assert_eq!(enc_status.code(), Some(0));
|
||||
|
||||
// Decrypt with the YubiKey.
|
||||
let dec_process = Command::new(which::which("rage").unwrap())
|
||||
.arg("-d")
|
||||
.arg("-i")
|
||||
.arg(identity_file.path())
|
||||
.arg(enc_file.path())
|
||||
.stdin(Stdio::piped())
|
||||
.env("PATH", Path::new(PLUGIN_BIN).parent().unwrap())
|
||||
.output()
|
||||
.unwrap();
|
||||
|
||||
let stderr = String::from_utf8_lossy(&dec_process.stderr);
|
||||
if !stderr.is_empty() {
|
||||
assert!(stderr.contains("age-plugin-yubikey"));
|
||||
assert!(stderr.ends_with("...\n"));
|
||||
}
|
||||
assert_eq!(String::from_utf8_lossy(&dec_process.stdout), plaintext);
|
||||
}
|
||||
Reference in New Issue
Block a user