30 Commits

Author SHA1 Message Date
str4d fc2081c216 Merge pull request #98 from str4d/release-0.3.2
CI checks / Test on linux (push) Has been cancelled
CI checks / Test on macos (push) Has been cancelled
CI checks / Test on windows (push) Has been cancelled
CI checks / Clippy (1.56.0) (push) Has been cancelled
CI checks / Clippy (nightly) (push) Has been cancelled
CI checks / Code coverage (push) Has been cancelled
CI checks / Intra-doc links (push) Has been cancelled
CI checks / Rustfmt (push) Has been cancelled
Publish release binaries / Publish for macos-arm64 (push) Has been cancelled
Publish release binaries / Publish for macos-x86_64 (push) Has been cancelled
Publish release binaries / Publish for linux (push) Has been cancelled
Publish release binaries / Publish for windows (push) Has been cancelled
Publish release binaries / Debian linux (push) Has been cancelled
Release 0.3.2
2023-01-01 13:53:55 +00:00
Jack Grigg 367a081eea Release 0.3.2 2023-01-01 13:45:21 +00:00
str4d cfb1e5e3d5 Merge pull request #97 from str4d/more-cleanups
More cleanups
2023-01-01 13:44:15 +00:00
Jack Grigg 1dfadc7e27 Clean up key::filter_connected 2023-01-01 13:29:30 +00:00
Jack Grigg fc66d9f6fd Add helper methods for filtering available keys 2023-01-01 13:27:10 +00:00
Jack Grigg d8eb198e97 Move certificate parsing into Metadata::extract 2023-01-01 13:27:10 +00:00
str4d c8f9df1b45 Merge pull request #95 from str4d/94-yubikey-agent-sighup
Extend "sharing violation" logic to send SIGHUP to `yubikey-agent` processes
2023-01-01 13:24:57 +00:00
Jack Grigg 3597d96332 Correctly hunt agents in plugin mode 2023-01-01 13:18:41 +00:00
Jack Grigg 1913838f8e Hunt for yubikey-agent 2023-01-01 12:52:17 +00:00
Jack Grigg 6e47448560 Generalise code for hunting agents that may be holding YubiKeys 2023-01-01 12:52:17 +00:00
str4d 4d4d8cc183 Merge pull request #96 from str4d/refactors-and-cleanups
Refactors and cleanups
2022-12-31 16:41:21 +00:00
Jack Grigg ac7b04a61d Add keyword argument support to fl! and wlnfl! macros 2022-12-31 14:31:25 +00:00
Jack Grigg 493479344c De-duplicate parsing recipients from SubjectPublicKeyInfo 2022-12-31 12:49:44 +00:00
str4d d4f8993988 Merge pull request #93 from str4d/release-0.3.1
CI checks / Test on linux (push) Has been cancelled
CI checks / Test on macos (push) Has been cancelled
CI checks / Test on windows (push) Has been cancelled
CI checks / Clippy (1.56.0) (push) Has been cancelled
CI checks / Clippy (nightly) (push) Has been cancelled
CI checks / Code coverage (push) Has been cancelled
CI checks / Intra-doc links (push) Has been cancelled
CI checks / Rustfmt (push) Has been cancelled
Publish release binaries / Publish for macos-arm64 (push) Has been cancelled
Publish release binaries / Publish for macos-x86_64 (push) Has been cancelled
Publish release binaries / Publish for linux (push) Has been cancelled
Publish release binaries / Publish for windows (push) Has been cancelled
Publish release binaries / Debian linux (push) Has been cancelled
Release 0.3.1
2022-12-30 12:04:50 +00:00
Jack Grigg 876afecc5c Release 0.3.1 2022-12-30 11:57:17 +00:00
str4d 539111c30c Merge pull request #91 from str4d/tdes-mgmkey-advice
Clarify that non-TDES management keys are unsupported
2022-12-30 10:51:52 +00:00
Jack Grigg 647a620a9c Clarify that non-TDES management keys are unsupported
Supporting them is blocked on iqlusioninc/yubikey.rs#330.
2022-12-30 10:39:34 +00:00
str4d 0eee944c64 Merge pull request #90 from str4d/21-mgmkey-advice
Give guidance on reconfiguring YubiKeys with unprotected management keys
2022-12-30 10:23:51 +00:00
Jack Grigg e4ef700263 Give guidance on reconfiguring YubiKeys with unprotected management keys
Closes str4d/age-plugin-yubikey#21.
2022-12-30 10:18:17 +00:00
str4d 492612fc8b Merge pull request #89 from str4d/82-stop-scdaemon
Stop scdaemon if it is holding exclusive access to a YubiKey
2022-12-30 09:36:47 +00:00
Jack Grigg 15c53e42df Stop scdaemon if it is holding exclusive access to a YubiKey
Closes str4d/age-plugin-yubikey#82.
2022-12-30 09:28:24 +00:00
str4d 5d6b618d5f Merge pull request #87 from str4d/71-m1-binaries
CI: Build release binaries for Apple ARM64
2022-12-30 03:44:24 +00:00
Jack Grigg 0ee618cdfd CI: Build release binaries for Apple ARM64
Closes str4d/age-plugin-yubikey#71.
2022-12-30 03:38:40 +00:00
str4d ed6273d781 Merge pull request #86 from str4d/83-improve-missing-service-error
Inform users when `pcscd` is required
2022-12-29 10:10:42 +00:00
Jack Grigg d38743a2fc Inform users when pcscd is required
Closes str4d/age-plugin-yubikey#83.
2022-12-29 05:09:47 +00:00
str4d aaa445c4ac Merge pull request #74 from str4d/dependabot/github_actions/svenstaro/upload-release-action-2.3.0
Bump svenstaro/upload-release-action from 2.2.1 to 2.3.0
2022-12-28 14:01:29 +00:00
Jack Grigg e415ce4ae9 CI: Remove upload-release-action fields that match defaults 2022-12-28 13:53:56 +00:00
str4d 145237003e Merge pull request #79 from str4d/dependabot/github_actions/codecov/codecov-action-3.1.1
Bump codecov/codecov-action from 3.1.0 to 3.1.1
2022-12-28 13:48:15 +00:00
dependabot[bot] 9338b320a4 Bump codecov/codecov-action from 3.1.0 to 3.1.1
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.0 to 3.1.1.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/master/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/v3.1.0...v3.1.1)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-20 08:29:52 +00:00
dependabot[bot] aae48c4f6c Bump svenstaro/upload-release-action from 2.2.1 to 2.3.0
Bumps [svenstaro/upload-release-action](https://github.com/svenstaro/upload-release-action) from 2.2.1 to 2.3.0.
- [Release notes](https://github.com/svenstaro/upload-release-action/releases)
- [Changelog](https://github.com/svenstaro/upload-release-action/blob/master/CHANGELOG.md)
- [Commits](https://github.com/svenstaro/upload-release-action/compare/2.2.1...2.3.0)

---
updated-dependencies:
- dependency-name: svenstaro/upload-release-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-06-06 08:56:16 +00:00
14 changed files with 486 additions and 319 deletions
+1 -1
View File
@@ -105,7 +105,7 @@ jobs:
with: with:
args: --release --timeout 180 --out Xml args: --release --timeout 180 --out Xml
- name: Upload coverage to Codecov - name: Upload coverage to Codecov
uses: codecov/codecov-action@v3.1.0 uses: codecov/codecov-action@v3.1.1
with: with:
token: ${{secrets.CODECOV_TOKEN}} token: ${{secrets.CODECOV_TOKEN}}
+15 -8
View File
@@ -17,7 +17,11 @@ jobs:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
strategy: strategy:
matrix: matrix:
name: [linux, windows, macos] name:
- linux
- macos-arm64
- macos-x86_64
- windows
include: include:
- name: linux - name: linux
os: ubuntu-18.04 os: ubuntu-18.04
@@ -31,7 +35,14 @@ jobs:
archive_name: age-plugin-yubikey.zip archive_name: age-plugin-yubikey.zip
asset_suffix: x86_64-windows.zip asset_suffix: x86_64-windows.zip
- name: macos - name: macos-arm64
os: macos-latest
target: aarch64-apple-darwin
build_flags: --target aarch64-apple-darwin
archive_name: age-plugin-yubikey.tar.gz
asset_suffix: arm64-darwin.tar.gz
- name: macos-x86_64
os: macos-latest os: macos-latest
archive_name: age-plugin-yubikey.tar.gz archive_name: age-plugin-yubikey.tar.gz
asset_suffix: x86_64-darwin.tar.gz asset_suffix: x86_64-darwin.tar.gz
@@ -76,12 +87,10 @@ jobs:
if: matrix.name == 'windows' if: matrix.name == 'windows'
- name: Upload archive to release - name: Upload archive to release
uses: svenstaro/upload-release-action@2.2.1 uses: svenstaro/upload-release-action@2.3.0
with: with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
file: ${{ matrix.archive_name }} file: ${{ matrix.archive_name }}
asset_name: age-plugin-yubikey-$tag-${{ matrix.asset_suffix }} asset_name: age-plugin-yubikey-$tag-${{ matrix.asset_suffix }}
tag: ${{ github.ref }}
prerelease: true prerelease: true
if: github.event.inputs.test != 'true' if: github.event.inputs.test != 'true'
@@ -137,11 +146,9 @@ jobs:
args: --package age-plugin-yubikey --no-build --target ${{ matrix.target }} args: --package age-plugin-yubikey --no-build --target ${{ matrix.target }}
- name: Upload Debian package to release - name: Upload Debian package to release
uses: svenstaro/upload-release-action@2.2.1 uses: svenstaro/upload-release-action@2.3.0
with: with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
file: target/${{ matrix.target }}/debian/*.deb file: target/${{ matrix.target }}/debian/*.deb
tag: ${{ github.ref }}
file_glob: true file_glob: true
prerelease: true prerelease: true
if: github.event.inputs.test != 'true' if: github.event.inputs.test != 'true'
+19
View File
@@ -8,6 +8,25 @@ to 0.3.0 are beta releases.
## [Unreleased] ## [Unreleased]
## [0.3.2] - 2023-01-01
### Changed
- The "sharing violation" logic now also sends SIGHUP to any `yubikey-agent`
that is running, to have them release any YubiKey locks they are holding.
### Fixed
- The "sharing violation" logic now runs during plugin mode as intended. In the
previous release it only ran during direct `age-plugin-yubikey` usage.
## [0.3.1] - 2022-12-30
### Changed
- If a "sharing violation" error is encountered while opening a connection to a
YubiKey, and `scdaemon` is running (which can hold exclusive access to a
YubiKey indefinitely), `age-plugin-yubikey` now attempts to stop `scdaemon` by
interrupting it (or killing it on Windows), and then tries again to open the
connection.
- Several error messages were enhanced with guidance on how to resolve their
respective issue.
## [0.3.0] - 2022-05-02 ## [0.3.0] - 2022-05-02
First non-beta release! First non-beta release!
Generated
+106 -1
View File
@@ -49,7 +49,7 @@ dependencies = [
[[package]] [[package]]
name = "age-plugin-yubikey" name = "age-plugin-yubikey"
version = "0.3.0" version = "0.3.2"
dependencies = [ dependencies = [
"age-core", "age-core",
"age-plugin", "age-plugin",
@@ -71,6 +71,7 @@ dependencies = [
"rand", "rand",
"rust-embed", "rust-embed",
"sha2 0.9.9", "sha2 0.9.9",
"sysinfo",
"which", "which",
"x509", "x509",
"x509-parser", "x509-parser",
@@ -246,6 +247,12 @@ version = "0.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "396de984970346b0d9e93d1415082923c679e5ae5c3ee3dcbd104f5610af126b" checksum = "396de984970346b0d9e93d1415082923c679e5ae5c3ee3dcbd104f5610af126b"
[[package]]
name = "core-foundation-sys"
version = "0.8.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5827cebf4670468b8772dd191856768aedcb1b0278a04f989f7766351917b9dc"
[[package]] [[package]]
name = "cpufeatures" name = "cpufeatures"
version = "0.2.2" version = "0.2.2"
@@ -264,6 +271,49 @@ dependencies = [
"cfg-if", "cfg-if",
] ]
[[package]]
name = "crossbeam-channel"
version = "0.5.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c2dd04ddaf88237dc3b8d8f9a3c1004b506b54b3313403944054d23c0870c521"
dependencies = [
"cfg-if",
"crossbeam-utils",
]
[[package]]
name = "crossbeam-deque"
version = "0.8.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "715e8152b692bba2d374b53d4875445368fdf21a94751410af607a5ac677d1fc"
dependencies = [
"cfg-if",
"crossbeam-epoch",
"crossbeam-utils",
]
[[package]]
name = "crossbeam-epoch"
version = "0.9.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "01a9af1f4c2ef74bb8aa1f7e19706bc72d03598c8a570bb5de72243c7a9d9d5a"
dependencies = [
"autocfg 1.1.0",
"cfg-if",
"crossbeam-utils",
"memoffset",
"scopeguard",
]
[[package]]
name = "crossbeam-utils"
version = "0.8.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4fb766fa798726286dbbb842f174001dab8abc7b627a1dd86e0b7222a95d929f"
dependencies = [
"cfg-if",
]
[[package]] [[package]]
name = "crypto-bigint" name = "crypto-bigint"
version = "0.2.11" version = "0.2.11"
@@ -808,6 +858,15 @@ version = "2.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "308cc39be01b73d0d18f82a0e7b2a3df85245f84af96fdddc5d202d27e47b86a" checksum = "308cc39be01b73d0d18f82a0e7b2a3df85245f84af96fdddc5d202d27e47b86a"
[[package]]
name = "memoffset"
version = "0.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5de893c32cde5f383baa4c04c5d6dbdd735cfd4a794b0debdb2bb1b421da5ff4"
dependencies = [
"autocfg 1.1.0",
]
[[package]] [[package]]
name = "minimal-lexical" name = "minimal-lexical"
version = "0.2.1" version = "0.2.1"
@@ -834,6 +893,15 @@ dependencies = [
"minimal-lexical", "minimal-lexical",
] ]
[[package]]
name = "ntapi"
version = "0.3.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c28774a7fd2fbb4f0babd8237ce554b73af68021b5f695a3cebd6c59bac0980f"
dependencies = [
"winapi",
]
[[package]] [[package]]
name = "num-bigint" name = "num-bigint"
version = "0.4.3" version = "0.4.3"
@@ -1154,6 +1222,28 @@ dependencies = [
"getrandom", "getrandom",
] ]
[[package]]
name = "rayon"
version = "1.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6db3a213adf02b3bcfd2d3846bb41cb22857d131789e01df434fb7e7bc0759b7"
dependencies = [
"either",
"rayon-core",
]
[[package]]
name = "rayon-core"
version = "1.10.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cac410af5d00ab6884528b4ab69d1e8e146e8d471201800fa1b4524126de6ad3"
dependencies = [
"crossbeam-channel",
"crossbeam-deque",
"crossbeam-utils",
"num_cpus",
]
[[package]] [[package]]
name = "redox_syscall" name = "redox_syscall"
version = "0.2.11" version = "0.2.11"
@@ -1426,6 +1516,21 @@ dependencies = [
"unicode-xid", "unicode-xid",
] ]
[[package]]
name = "sysinfo"
version = "0.26.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "49086f670c15221b510c3f8c47e04e49714c56820d5ca78e2f58419e9fbb0f1b"
dependencies = [
"cfg-if",
"core-foundation-sys",
"libc",
"ntapi",
"once_cell",
"rayon",
"winapi",
]
[[package]] [[package]]
name = "tempfile" name = "tempfile"
version = "3.3.0" version = "3.3.0"
+5 -1
View File
@@ -1,7 +1,7 @@
[package] [package]
name = "age-plugin-yubikey" name = "age-plugin-yubikey"
description = "YubiKey plugin for age clients" description = "YubiKey plugin for age clients"
version = "0.3.0" version = "0.3.2"
authors = ["Jack Grigg <thestr4d@gmail.com>"] authors = ["Jack Grigg <thestr4d@gmail.com>"]
repository = "https://github.com/str4d/age-plugin-yubikey" repository = "https://github.com/str4d/age-plugin-yubikey"
readme = "README.md" readme = "README.md"
@@ -9,6 +9,7 @@ keywords = ["age", "cli", "encryption", "yubikey"]
categories = ["command-line-utilities", "cryptography"] categories = ["command-line-utilities", "cryptography"]
license = "MIT OR Apache-2.0" license = "MIT OR Apache-2.0"
edition = "2021" edition = "2021"
rust-version = "1.56" # MSRV
[package.metadata.deb] [package.metadata.deb]
extended-description = """\ extended-description = """\
@@ -46,6 +47,9 @@ i18n-embed-fl = "0.6"
lazy_static = "1" lazy_static = "1"
rust-embed = "6" rust-embed = "6"
# GnuPG coexistence
sysinfo = ">=0.26, <0.26.4"
[dev-dependencies] [dev-dependencies]
flate2 = "1" flate2 = "1"
man = "0.3" man = "0.3"
+9
View File
@@ -18,6 +18,15 @@ cargo install age-plugin-yubikey
Help from new packagers is very welcome. Help from new packagers is very welcome.
### Linux, BSD, etc.
On non-Windows, non-macOS systems, you need to ensure that the `pcscd` service
is installed and running. On Debian or Ubuntu, you can do this with:
```
$ sudo apt-get install pcscd
```
### Windows Subsystem for Linux (WSL) ### Windows Subsystem for Linux (WSL)
WSL does not currently provide native support for USB devices. However, Windows WSL does not currently provide native support for USB devices. However, Windows
+25 -1
View File
@@ -12,6 +12,7 @@
-yubikey = YubiKey -yubikey = YubiKey
-yubikeys = YubiKeys -yubikeys = YubiKeys
-age-plugin-yubikey = age-plugin-yubikey -age-plugin-yubikey = age-plugin-yubikey
-pcscd = pcscd
## CLI commands and flags ## CLI commands and flags
@@ -169,7 +170,14 @@ plugin-err-pin-required = A PIN is required for {-yubikey} with serial {$yub
## Errors ## Errors
err-custom-mgmt-key = Custom unprotected management keys are not supported. err-custom-mgmt-key = Custom unprotected non-TDES management keys are not supported.
rec-custom-mgmt-key =
You can use the {-yubikey} Manager CLI to change to a protected management key:
{" "}{$cmd}
See here for more information about {-yubikey} Manager:
{" "}{$url}
err-invalid-flag-command = Flag '{$flag}' cannot be used with '{$command}'. err-invalid-flag-command = Flag '{$flag}' cannot be used with '{$command}'.
err-invalid-flag-tui = Flag '{$flag}' cannot be used with the interactive interface. err-invalid-flag-tui = Flag '{$flag}' cannot be used with the interactive interface.
err-invalid-pin-length = The PIN needs to be 1-8 characters. err-invalid-pin-length = The PIN needs to be 1-8 characters.
@@ -185,6 +193,22 @@ err-slot-has-no-identity = Slot {$slot} does not contain an {-age} identity or c
err-slot-is-not-empty = Slot {$slot} is not empty. Use {-flag-force} to overwrite the slot. err-slot-is-not-empty = Slot {$slot} is not empty. Use {-flag-force} to overwrite the slot.
err-timed-out = Timed out while waiting for a {-yubikey} to be inserted. err-timed-out = Timed out while waiting for a {-yubikey} to be inserted.
err-use-list-for-single = Use {-cmd-list} to print the recipient for a single slot. err-use-list-for-single = Use {-cmd-list} to print the recipient for a single slot.
err-yk-no-service-macos = The Crypto Token Kit service is not running.
rec-yk-no-service-macos =
You may need to restart it. See this Stack Exchange answer for more help:
{" "}{$url}
err-yk-no-service-pcscd = {-pcscd} is not running.
rec-yk-no-service-pcscd =
If you are on Debian or Ubuntu, you can install it with:
{" "}{$apt}
err-yk-no-service-win = The Smart Cards for Windows service is not running.
rec-yk-no-service-win =
See this troubleshooting guide for more help:
{" "}{$url}
err-yk-not-found = Please insert the {-yubikey} you want to set up err-yk-not-found = Please insert the {-yubikey} you want to set up
err-yk-wrong-pin = Invalid PIN ({$tries} tries remaining before it is blocked) err-yk-wrong-pin = Invalid PIN ({$tries} tries remaining before it is blocked)
err-yk-general = Error while communicating with {-yubikey}: {$err} err-yk-general = Error while communicating with {-yubikey}: {$err}
+2 -8
View File
@@ -1,7 +1,7 @@
use rand::{rngs::OsRng, RngCore}; use rand::{rngs::OsRng, RngCore};
use x509::RelativeDistinguishedName; use x509::RelativeDistinguishedName;
use yubikey::{ use yubikey::{
certificate::{Certificate, PublicKeyInfo}, certificate::Certificate,
piv::{generate as yubikey_generate, AlgorithmId, RetiredSlotId, SlotId}, piv::{generate as yubikey_generate, AlgorithmId, RetiredSlotId, SlotId},
Key, PinPolicy, TouchPolicy, YubiKey, Key, PinPolicy, TouchPolicy, YubiKey,
}; };
@@ -106,12 +106,7 @@ impl IdentityBuilder {
touch_policy, touch_policy,
)?; )?;
let recipient = match &generated { let recipient = Recipient::from_spki(&generated).expect("YubiKey generates a valid pubkey");
PublicKeyInfo::EcP256(pubkey) => {
Recipient::from_encoded(pubkey).expect("YubiKey generates a valid pubkey")
}
_ => unreachable!(),
};
let stub = Stub::new(yubikey.serial(), slot, &recipient); let stub = Stub::new(yubikey.serial(), slot, &recipient);
// Pick a random serial for the new self-signed certificate. // Pick a random serial for the new self-signed certificate.
@@ -139,7 +134,6 @@ impl IdentityBuilder {
)], )],
)?; )?;
let (_, cert) = x509_parser::parse_x509_certificate(cert.as_ref()).unwrap();
let metadata = Metadata::extract(yubikey, slot, &cert, false).unwrap(); let metadata = Metadata::extract(yubikey, slot, &cert, false).unwrap();
Ok(( Ok((
+47 -95
View File
@@ -1,4 +1,3 @@
use i18n_embed_fl::fl;
use std::fmt; use std::fmt;
use std::io; use std::io;
use yubikey::{piv::RetiredSlotId, Serial}; use yubikey::{piv::RetiredSlotId, Serial};
@@ -9,6 +8,9 @@ macro_rules! wlnfl {
($f:ident, $message_id:literal) => { ($f:ident, $message_id:literal) => {
writeln!($f, "{}", $crate::fl!($message_id)) writeln!($f, "{}", $crate::fl!($message_id))
}; };
($f:ident, $message_id:literal, $($kwarg:expr),* $(,)*) => {{
writeln!($f, "{}", $crate::fl!($message_id, $($kwarg,)*))
}};
} }
pub enum Error { pub enum Error {
@@ -48,125 +50,75 @@ impl From<yubikey::Error> for Error {
impl fmt::Debug for Error { impl fmt::Debug for Error {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
match self { match self {
Error::CustomManagementKey => wlnfl!(f, "err-custom-mgmt-key")?, Error::CustomManagementKey => {
Error::InvalidFlagCommand(flag, command) => writeln!( wlnfl!(f, "err-custom-mgmt-key")?;
let cmd = "ykman piv access change-management-key --protect";
let url = "https://developers.yubico.com/yubikey-manager/";
wlnfl!(f, "rec-custom-mgmt-key", cmd = cmd, url = url)?;
}
Error::InvalidFlagCommand(flag, command) => wlnfl!(
f, f,
"{}",
fl!(
crate::LANGUAGE_LOADER,
"err-invalid-flag-command", "err-invalid-flag-command",
flag = flag.as_str(), flag = flag.as_str(),
command = command.as_str(), command = command.as_str(),
),
)?,
Error::InvalidFlagTui(flag) => writeln!(
f,
"{}",
fl!(
crate::LANGUAGE_LOADER,
"err-invalid-flag-tui",
flag = flag.as_str(),
),
)?, )?,
Error::InvalidFlagTui(flag) => wlnfl!(f, "err-invalid-flag-tui", flag = flag.as_str())?,
Error::InvalidPinLength => wlnfl!(f, "err-invalid-pin-length")?, Error::InvalidPinLength => wlnfl!(f, "err-invalid-pin-length")?,
Error::InvalidPinPolicy(s) => writeln!( Error::InvalidPinPolicy(s) => wlnfl!(
f, f,
"{}",
fl!(
crate::LANGUAGE_LOADER,
"err-invalid-pin-policy", "err-invalid-pin-policy",
policy = s.as_str(), policy = s.as_str(),
expected = "always, once, never", expected = "always, once, never",
),
)?, )?,
Error::InvalidSlot(slot) => writeln!( Error::InvalidSlot(slot) => wlnfl!(f, "err-invalid-slot", slot = slot)?,
Error::InvalidTouchPolicy(s) => wlnfl!(
f, f,
"{}",
fl!(crate::LANGUAGE_LOADER, "err-invalid-slot", slot = slot),
)?,
Error::InvalidTouchPolicy(s) => writeln!(
f,
"{}",
fl!(
crate::LANGUAGE_LOADER,
"err-invalid-touch-policy", "err-invalid-touch-policy",
policy = s.as_str(), policy = s.as_str(),
expected = "always, cached, never", expected = "always, cached, never",
),
)?,
Error::Io(e) => writeln!(
f,
"{}",
fl!(crate::LANGUAGE_LOADER, "err-io", err = e.to_string()),
)?, )?,
Error::Io(e) => wlnfl!(f, "err-io", err = e.to_string())?,
Error::MultipleCommands => wlnfl!(f, "err-multiple-commands")?, Error::MultipleCommands => wlnfl!(f, "err-multiple-commands")?,
Error::MultipleYubiKeys => wlnfl!(f, "err-multiple-yubikeys")?, Error::MultipleYubiKeys => wlnfl!(f, "err-multiple-yubikeys")?,
Error::NoEmptySlots(serial) => writeln!( Error::NoEmptySlots(serial) => {
f, wlnfl!(f, "err-no-empty-slots", serial = serial.to_string())?
"{}", }
fl!( Error::NoMatchingSerial(serial) => {
crate::LANGUAGE_LOADER, wlnfl!(f, "err-no-matching-serial", serial = serial.to_string())?
"err-no-empty-slots", }
serial = serial.to_string(), Error::SlotHasNoIdentity(slot) => {
), wlnfl!(f, "err-slot-has-no-identity", slot = slot_to_ui(slot))?
)?, }
Error::NoMatchingSerial(serial) => writeln!( Error::SlotIsNotEmpty(slot) => {
f, wlnfl!(f, "err-slot-is-not-empty", slot = slot_to_ui(slot))?
"{}", }
fl!(
crate::LANGUAGE_LOADER,
"err-no-matching-serial",
serial = serial.to_string(),
),
)?,
Error::SlotHasNoIdentity(slot) => writeln!(
f,
"{}",
fl!(
crate::LANGUAGE_LOADER,
"err-slot-has-no-identity",
slot = slot_to_ui(slot),
),
)?,
Error::SlotIsNotEmpty(slot) => writeln!(
f,
"{}",
fl!(
crate::LANGUAGE_LOADER,
"err-slot-is-not-empty",
slot = slot_to_ui(slot),
),
)?,
Error::TimedOut => wlnfl!(f, "err-timed-out")?, Error::TimedOut => wlnfl!(f, "err-timed-out")?,
Error::UseListForSingleSlot => wlnfl!(f, "err-use-list-for-single")?, Error::UseListForSingleSlot => wlnfl!(f, "err-use-list-for-single")?,
Error::YubiKey(e) => match e { Error::YubiKey(e) => match e {
yubikey::Error::NotFound => wlnfl!(f, "err-yk-not-found")?, yubikey::Error::NotFound => wlnfl!(f, "err-yk-not-found")?,
yubikey::Error::WrongPin { tries } => writeln!( yubikey::Error::PcscError {
f, inner: Some(pcsc::Error::NoService),
"{}", } => {
fl!(crate::LANGUAGE_LOADER, "err-yk-wrong-pin", tries = tries), if cfg!(windows) {
)?, wlnfl!(f, "err-yk-no-service-win")?;
let url = "https://learn.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-debugging-information#smart-card-service";
wlnfl!(f, "rec-yk-no-service-win", url = url)?;
} else if cfg!(target_os = "macos") {
wlnfl!(f, "err-yk-no-service-macos")?;
let url = "https://apple.stackexchange.com/a/438198";
wlnfl!(f, "rec-yk-no-service-macos", url = url)?;
} else {
wlnfl!(f, "err-yk-no-service-pcscd")?;
let apt = "sudo apt-get install pcscd";
wlnfl!(f, "rec-yk-no-service-pcscd", apt = apt)?;
}
}
yubikey::Error::WrongPin { tries } => wlnfl!(f, "err-yk-wrong-pin", tries = tries)?,
e => { e => {
writeln!( wlnfl!(f, "err-yk-general", err = e.to_string())?;
f,
"{}",
fl!(
crate::LANGUAGE_LOADER,
"err-yk-general",
err = e.to_string(),
),
)?;
use std::error::Error; use std::error::Error;
if let Some(inner) = e.source() { if let Some(inner) = e.source() {
writeln!( wlnfl!(f, "err-yk-general-cause", inner_err = inner.to_string())?;
f,
"{}",
fl!(
crate::LANGUAGE_LOADER,
"err-yk-general-cause",
inner_err = inner.to_string(),
),
)?;
} }
} }
}, },
+183 -67
View File
@@ -8,17 +8,17 @@ use age_core::{
use age_plugin::{identity, Callbacks}; use age_plugin::{identity, Callbacks};
use bech32::{ToBase32, Variant}; use bech32::{ToBase32, Variant};
use dialoguer::Password; use dialoguer::Password;
use log::warn; use log::{debug, error, warn};
use std::fmt; use std::fmt;
use std::io; use std::io;
use std::iter; use std::iter;
use std::thread::sleep; use std::thread::sleep;
use std::time::{Duration, Instant, SystemTime}; use std::time::{Duration, Instant, SystemTime};
use yubikey::{ use yubikey::{
certificate::{Certificate, PublicKeyInfo}, certificate::Certificate,
piv::{decrypt_data, AlgorithmId, RetiredSlotId, SlotId}, piv::{decrypt_data, AlgorithmId, RetiredSlotId, SlotId},
reader::{Context, Reader}, reader::{Context, Reader},
MgmKey, PinPolicy, Serial, TouchPolicy, YubiKey, Key, MgmKey, PinPolicy, Serial, TouchPolicy, YubiKey,
}; };
use crate::{ use crate::{
@@ -39,25 +39,16 @@ pub(crate) fn is_connected(reader: Reader) -> bool {
pub(crate) fn filter_connected(reader: &Reader) -> bool { pub(crate) fn filter_connected(reader: &Reader) -> bool {
match reader.open() { match reader.open() {
Ok(_) => true, Err(yubikey::Error::PcscError {
Err(e) => { inner: Some(pcsc::Error::RemovedCard),
use std::error::Error; }) => {
if let Some(pcsc::Error::RemovedCard) =
e.source().and_then(|inner| inner.downcast_ref())
{
warn!( warn!(
"{}", "{}",
i18n_embed_fl::fl!( fl!("warn-yk-not-connected", yubikey_name = reader.name())
crate::LANGUAGE_LOADER,
"warn-yk-not-connected",
yubikey_name = reader.name(),
)
); );
false false
} else {
true
}
} }
_ => true,
} }
} }
@@ -77,16 +68,136 @@ pub(crate) fn wait_for_readers() -> Result<Context, Error> {
} }
} }
/// Looks for agent processes that might be holding exclusive access to a YubiKey, and
/// asks them as nicely as possible to release it.
///
/// Returns `true` if any known agent was running and was successfully interrupted (or
/// killed if the platform doesn't support interrupts).
fn hunt_agents() -> bool {
debug!("Sharing violation encountered, looking for agent processes");
use sysinfo::{ProcessExt, ProcessRefreshKind, RefreshKind, Signal, System, SystemExt};
let mut interrupted = false;
let sys =
System::new_with_specifics(RefreshKind::new().with_processes(ProcessRefreshKind::new()));
for process in sys.processes().values() {
match process.name() {
"scdaemon" | "scdaemon.exe" => {
// gpg-agent runs scdaemon to interact with smart cards. The canonical way
// to reload it is `gpgconf --reload scdaemon`, which kills and restarts
// the process. We emulate that here with SIGINT (which it listens to).
if process
.kill_with(Signal::Interrupt)
.unwrap_or_else(|| process.kill())
{
debug!("Stopped scdaemon (PID {})", process.pid());
interrupted = true;
}
}
"yubikey-agent" | "yubikey-agent.exe" => {
// yubikey-agent releases all YubiKey locks when it receives a SIGHUP.
match process.kill_with(Signal::Hangup) {
Some(true) => {
debug!("Sent SIGHUP to yubikey-agent (PID {})", process.pid());
interrupted = true;
}
Some(false) => (),
None => debug!(
"Found yubikey-agent (PID {}) but platform doesn't support SIGHUP",
process.pid(),
),
}
}
_ => (),
}
}
// If we did interrupt an agent, pause briefly to allow it to finish up.
if interrupted {
sleep(Duration::from_millis(100));
}
interrupted
}
fn open_sesame(
op: impl Fn() -> Result<YubiKey, yubikey::Error>,
) -> Result<YubiKey, yubikey::Error> {
op().or_else(|e| match e {
yubikey::Error::PcscError {
inner: Some(pcsc::Error::SharingViolation),
} if hunt_agents() => op(),
_ => Err(e),
})
}
/// Opens a connection to this reader, returning a `YubiKey` if successful.
///
/// This is equivalent to [`Reader::open`], but additionally handles the presence of
/// agents (which can indefinitely hold exclusive access to a YubiKey).
pub(crate) fn open_connection(reader: &Reader) -> Result<YubiKey, yubikey::Error> {
open_sesame(|| reader.open())
}
/// Opens a YubiKey with a specific serial number.
///
/// This is equivalent to [`YubiKey::open_by_serial`], but additionally handles the
/// presence of agents (which can indefinitely hold exclusive access to a YubiKey).
fn open_by_serial(serial: Serial) -> Result<YubiKey, yubikey::Error> {
// `YubiKey::open_by_serial` has a bug where it ignores all opening errors, even if
// it potentially could have found a matching YubiKey if not for an error, and thus
// returns `Error::NotFound` if another agent is holding exclusive access to the
// required YubiKey. This gives misleading UX behaviour where age-plugin-yubikey asks
// the user to insert a YubiKey they have already inserted.
//
// For now, we instead implement the correct behaviour manually. Once MSRV has been
// raised to 1.60, we can upstream this into the `yubikey` crate.
open_sesame(|| {
let mut readers = Context::open()?;
let mut open_error = None;
for reader in readers.iter()? {
let yubikey = match reader.open() {
Ok(yk) => yk,
Err(e) => {
// Save the first error we see that indicates we might have been able
// to find a matching YubiKey.
if open_error.is_none() {
if let yubikey::Error::PcscError {
inner: Some(pcsc::Error::SharingViolation),
} = e
{
open_error = Some(e);
}
}
continue;
}
};
if serial == yubikey.serial() {
return Ok(yubikey);
}
}
Err(if let Some(e) = open_error {
e
} else {
error!("no YubiKey detected with serial: {}", serial);
yubikey::Error::NotFound
})
})
}
pub(crate) fn open(serial: Option<Serial>) -> Result<YubiKey, Error> { pub(crate) fn open(serial: Option<Serial>) -> Result<YubiKey, Error> {
if !Context::open()?.iter()?.any(is_connected) { if !Context::open()?.iter()?.any(is_connected) {
if let Some(serial) = serial { if let Some(serial) = serial {
eprintln!( eprintln!(
"{}", "{}",
i18n_embed_fl::fl!( fl!("open-yk-with-serial", yubikey_serial = serial.to_string())
crate::LANGUAGE_LOADER,
"open-yk-with-serial",
yubikey_serial = serial.to_string(),
)
); );
} else { } else {
eprintln!("{}", fl!("open-yk-without-serial")); eprintln!("{}", fl!("open-yk-without-serial"));
@@ -99,9 +210,9 @@ pub(crate) fn open(serial: Option<Serial>) -> Result<YubiKey, Error> {
// connected, an error is returned. // connected, an error is returned.
let yubikey = match (readers_iter.next(), readers_iter.next(), serial) { let yubikey = match (readers_iter.next(), readers_iter.next(), serial) {
(None, _, _) => unreachable!(), (None, _, _) => unreachable!(),
(Some(reader), None, None) => reader.open()?, (Some(reader), None, None) => open_connection(&reader)?,
(Some(reader), None, Some(serial)) => { (Some(reader), None, Some(serial)) => {
let yubikey = reader.open()?; let yubikey = open_connection(&reader)?;
if yubikey.serial() != serial { if yubikey.serial() != serial {
return Err(Error::NoMatchingSerial(serial)); return Err(Error::NoMatchingSerial(serial));
} }
@@ -112,12 +223,12 @@ pub(crate) fn open(serial: Option<Serial>) -> Result<YubiKey, Error> {
.chain(Some(a)) .chain(Some(a))
.chain(Some(b)) .chain(Some(b))
.chain(readers_iter) .chain(readers_iter)
.find(|reader| match reader.open() { .find(|reader| match open_connection(reader) {
Ok(yk) => yk.serial() == serial, Ok(yk) => yk.serial() == serial,
_ => false, _ => false,
}) })
.ok_or(Error::NoMatchingSerial(serial))?; .ok_or(Error::NoMatchingSerial(serial))?;
reader.open()? open_connection(&reader)?
} }
(Some(_), Some(_), None) => return Err(Error::MultipleYubiKeys), (Some(_), Some(_), None) => return Err(Error::MultipleYubiKeys),
}; };
@@ -131,8 +242,7 @@ pub(crate) fn manage(yubikey: &mut YubiKey) -> Result<(), Error> {
eprintln!(); eprintln!();
let pin = Password::new() let pin = Password::new()
.with_prompt(i18n_embed_fl::fl!( .with_prompt(fl!(
crate::LANGUAGE_LOADER,
"mgr-enter-pin", "mgr-enter-pin",
yubikey_serial = yubikey.serial().to_string(), yubikey_serial = yubikey.serial().to_string(),
default_pin = DEFAULT_PIN, default_pin = DEFAULT_PIN,
@@ -146,11 +256,7 @@ pub(crate) fn manage(yubikey: &mut YubiKey) -> Result<(), Error> {
eprintln!("{}", fl!("mgr-change-default-pin")); eprintln!("{}", fl!("mgr-change-default-pin"));
eprintln!(); eprintln!();
let current_puk = Password::new() let current_puk = Password::new()
.with_prompt(i18n_embed_fl::fl!( .with_prompt(fl!("mgr-enter-current-puk", default_puk = DEFAULT_PUK))
crate::LANGUAGE_LOADER,
"mgr-enter-current-puk",
default_puk = DEFAULT_PUK,
))
.interact()?; .interact()?;
let new_pin = Password::new() let new_pin = Password::new()
.with_prompt(fl!("mgr-choose-new-pin")) .with_prompt(fl!("mgr-choose-new-pin"))
@@ -179,8 +285,7 @@ pub(crate) fn manage(yubikey: &mut YubiKey) -> Result<(), Error> {
mgm_key.set_protected(yubikey).map_err(|e| { mgm_key.set_protected(yubikey).map_err(|e| {
eprintln!( eprintln!(
"{}", "{}",
i18n_embed_fl::fl!( fl!(
crate::LANGUAGE_LOADER,
"mgr-changing-mgmt-key-error", "mgr-changing-mgmt-key-error",
management_key = hex::encode(mgm_key.as_ref()), management_key = hex::encode(mgm_key.as_ref()),
) )
@@ -193,6 +298,32 @@ pub(crate) fn manage(yubikey: &mut YubiKey) -> Result<(), Error> {
Ok(()) Ok(())
} }
/// Returns an iterator of keys that are occupying plugin-compatible slots, along with the
/// corresponding recipient if the key is compatible with this plugin.
pub(crate) fn list_slots(
yubikey: &mut YubiKey,
) -> Result<impl Iterator<Item = (Key, RetiredSlotId, Option<Recipient>)>, Error> {
Ok(Key::list(yubikey)?.into_iter().filter_map(|key| {
// We only use the retired slots.
match key.slot() {
SlotId::Retired(slot) => {
// Only P-256 keys are compatible with us.
let recipient = Recipient::from_certificate(key.certificate());
Some((key, slot, recipient))
}
_ => None,
}
}))
}
/// Returns an iterator of keys that are compatible with this plugin.
pub(crate) fn list_compatible(
yubikey: &mut YubiKey,
) -> Result<impl Iterator<Item = (Key, RetiredSlotId, Recipient)>, Error> {
list_slots(yubikey)
.map(|iter| iter.filter_map(|(key, slot, res)| res.map(|recipient| (key, slot, recipient))))
}
/// A reference to an age key stored in a YubiKey. /// A reference to an age key stored in a YubiKey.
#[derive(Debug)] #[derive(Debug)]
pub struct Stub { pub struct Stub {
@@ -272,14 +403,10 @@ impl Stub {
&self, &self,
callbacks: &mut dyn Callbacks<E>, callbacks: &mut dyn Callbacks<E>,
) -> io::Result<Result<Option<Connection>, identity::Error>> { ) -> io::Result<Result<Option<Connection>, identity::Error>> {
let mut yubikey = match YubiKey::open_by_serial(self.serial) { let mut yubikey = match open_by_serial(self.serial) {
Ok(yk) => yk, Ok(yk) => yk,
Err(yubikey::Error::NotFound) => { Err(yubikey::Error::NotFound) => {
let mut message = i18n_embed_fl::fl!( let mut message = fl!("plugin-insert-yk", yubikey_serial = self.serial.to_string());
crate::LANGUAGE_LOADER,
"plugin-insert-yk",
yubikey_serial = self.serial.to_string(),
);
// If the `confirm` command is available, we loop until either the YubiKey // If the `confirm` command is available, we loop until either the YubiKey
// we want is inserted, or the used explicitly skips. // we want is inserted, or the used explicitly skips.
@@ -294,14 +421,13 @@ impl Stub {
// User told us to skip this key. // User told us to skip this key.
Ok(false) => return Ok(Ok(None)), Ok(false) => return Ok(Ok(None)),
// User said they plugged it in; try it. // User said they plugged it in; try it.
Ok(true) => match YubiKey::open_by_serial(self.serial) { Ok(true) => match open_by_serial(self.serial) {
Ok(yubikey) => break Some(yubikey), Ok(yubikey) => break Some(yubikey),
Err(yubikey::Error::NotFound) => (), Err(yubikey::Error::NotFound) => (),
Err(_) => { Err(_) => {
return Ok(Err(identity::Error::Identity { return Ok(Err(identity::Error::Identity {
index: self.identity_index, index: self.identity_index,
message: i18n_embed_fl::fl!( message: fl!(
crate::LANGUAGE_LOADER,
"plugin-err-yk-opening", "plugin-err-yk-opening",
yubikey_serial = self.serial.to_string(), yubikey_serial = self.serial.to_string(),
), ),
@@ -312,8 +438,7 @@ impl Stub {
Err(age_core::plugin::Error::Fail) => { Err(age_core::plugin::Error::Fail) => {
return Ok(Err(identity::Error::Identity { return Ok(Err(identity::Error::Identity {
index: self.identity_index, index: self.identity_index,
message: i18n_embed_fl::fl!( message: fl!(
crate::LANGUAGE_LOADER,
"plugin-err-yk-opening", "plugin-err-yk-opening",
yubikey_serial = self.serial.to_string(), yubikey_serial = self.serial.to_string(),
), ),
@@ -323,8 +448,7 @@ impl Stub {
// We're going to loop around, meaning that the first attempt failed. // We're going to loop around, meaning that the first attempt failed.
// Change the message to indicate this to the user. // Change the message to indicate this to the user.
message = i18n_embed_fl::fl!( message = fl!(
crate::LANGUAGE_LOADER,
"plugin-insert-yk-retry", "plugin-insert-yk-retry",
yubikey_serial = self.serial.to_string(), yubikey_serial = self.serial.to_string(),
); );
@@ -337,8 +461,7 @@ impl Stub {
if callbacks.message(&message)?.is_err() { if callbacks.message(&message)?.is_err() {
return Ok(Err(identity::Error::Identity { return Ok(Err(identity::Error::Identity {
index: self.identity_index, index: self.identity_index,
message: i18n_embed_fl::fl!( message: fl!(
crate::LANGUAGE_LOADER,
"plugin-err-yk-not-found", "plugin-err-yk-not-found",
yubikey_serial = self.serial.to_string(), yubikey_serial = self.serial.to_string(),
), ),
@@ -348,14 +471,13 @@ impl Stub {
// Start a 15-second timer waiting for the YubiKey to be inserted // Start a 15-second timer waiting for the YubiKey to be inserted
let start = SystemTime::now(); let start = SystemTime::now();
loop { loop {
match YubiKey::open_by_serial(self.serial) { match open_by_serial(self.serial) {
Ok(yubikey) => break yubikey, Ok(yubikey) => break yubikey,
Err(yubikey::Error::NotFound) => (), Err(yubikey::Error::NotFound) => (),
Err(_) => { Err(_) => {
return Ok(Err(identity::Error::Identity { return Ok(Err(identity::Error::Identity {
index: self.identity_index, index: self.identity_index,
message: i18n_embed_fl::fl!( message: fl!(
crate::LANGUAGE_LOADER,
"plugin-err-yk-opening", "plugin-err-yk-opening",
yubikey_serial = self.serial.to_string(), yubikey_serial = self.serial.to_string(),
), ),
@@ -367,8 +489,7 @@ impl Stub {
Ok(end) if end >= FIFTEEN_SECONDS => { Ok(end) if end >= FIFTEEN_SECONDS => {
return Ok(Err(identity::Error::Identity { return Ok(Err(identity::Error::Identity {
index: self.identity_index, index: self.identity_index,
message: i18n_embed_fl::fl!( message: fl!(
crate::LANGUAGE_LOADER,
"plugin-err-yk-timed-out", "plugin-err-yk-timed-out",
yubikey_serial = self.serial.to_string(), yubikey_serial = self.serial.to_string(),
), ),
@@ -382,8 +503,7 @@ impl Stub {
Err(_) => { Err(_) => {
return Ok(Err(identity::Error::Identity { return Ok(Err(identity::Error::Identity {
index: self.identity_index, index: self.identity_index,
message: i18n_embed_fl::fl!( message: fl!(
crate::LANGUAGE_LOADER,
"plugin-err-yk-opening", "plugin-err-yk-opening",
yubikey_serial = self.serial.to_string(), yubikey_serial = self.serial.to_string(),
), ),
@@ -394,11 +514,10 @@ impl Stub {
// Read the pubkey from the YubiKey slot and check it still matches. // Read the pubkey from the YubiKey slot and check it still matches.
let (cert, pk) = match Certificate::read(&mut yubikey, SlotId::Retired(self.slot)) let (cert, pk) = match Certificate::read(&mut yubikey, SlotId::Retired(self.slot))
.ok() .ok()
.and_then(|cert| match cert.subject_pki() { .and_then(|cert| {
PublicKeyInfo::EcP256(pubkey) => Recipient::from_encoded(pubkey) Recipient::from_certificate(&cert)
.filter(|pk| pk.tag() == self.tag) .filter(|pk| pk.tag() == self.tag)
.map(|pk| (cert, pk)), .map(|pk| (cert, pk))
_ => None,
}) { }) {
Some(pk) => pk, Some(pk) => pk,
None => { None => {
@@ -444,9 +563,8 @@ impl Connection {
) -> io::Result<Result<(), identity::Error>> { ) -> io::Result<Result<(), identity::Error>> {
// Check if we can skip requesting a PIN. // Check if we can skip requesting a PIN.
if self.cached_metadata.is_none() { if self.cached_metadata.is_none() {
let (_, cert) = x509_parser::parse_x509_certificate(self.cert.as_ref()).unwrap();
self.cached_metadata = self.cached_metadata =
match Metadata::extract(&mut self.yubikey, self.slot, &cert, true) { match Metadata::extract(&mut self.yubikey, self.slot, &self.cert, true) {
None => { None => {
return Ok(Err(identity::Error::Identity { return Ok(Err(identity::Error::Identity {
index: self.identity_index, index: self.identity_index,
@@ -463,8 +581,7 @@ impl Connection {
// The policy requires a PIN, so request it. // The policy requires a PIN, so request it.
// Note that we can't distinguish between PinPolicy::Once and PinPolicy::Always // Note that we can't distinguish between PinPolicy::Once and PinPolicy::Always
// because this plugin is ephemeral, so we always request the PIN. // because this plugin is ephemeral, so we always request the PIN.
let enter_pin_msg = i18n_embed_fl::fl!( let enter_pin_msg = fl!(
crate::LANGUAGE_LOADER,
"plugin-enter-pin", "plugin-enter-pin",
yubikey_serial = self.yubikey.serial().to_string(), yubikey_serial = self.yubikey.serial().to_string(),
); );
@@ -490,8 +607,7 @@ impl Connection {
Err(_) => { Err(_) => {
return Ok(Err(identity::Error::Identity { return Ok(Err(identity::Error::Identity {
index: self.identity_index, index: self.identity_index,
message: i18n_embed_fl::fl!( message: fl!(
crate::LANGUAGE_LOADER,
"plugin-err-pin-required", "plugin-err-pin-required",
yubikey_serial = self.yubikey.serial().to_string(), yubikey_serial = self.yubikey.serial().to_string(),
), ),
+28 -97
View File
@@ -12,12 +12,7 @@ use i18n_embed::{
}; };
use lazy_static::lazy_static; use lazy_static::lazy_static;
use rust_embed::RustEmbed; use rust_embed::RustEmbed;
use yubikey::{ use yubikey::{piv::RetiredSlotId, reader::Context, PinPolicy, Serial, TouchPolicy};
certificate::PublicKeyInfo,
piv::{RetiredSlotId, SlotId},
reader::Context,
Key, PinPolicy, Serial, TouchPolicy,
};
mod builder; mod builder;
mod error; mod error;
@@ -73,6 +68,9 @@ macro_rules! fl {
($message_id:literal) => {{ ($message_id:literal) => {{
i18n_embed_fl::fl!($crate::LANGUAGE_LOADER, $message_id) i18n_embed_fl::fl!($crate::LANGUAGE_LOADER, $message_id)
}}; }};
($message_id:literal, $($kwarg:expr),* $(,)*) => {{
i18n_embed_fl::fl!($crate::LANGUAGE_LOADER, $message_id, $($kwarg,)*)
}};
} }
#[derive(Debug, Options)] #[derive(Debug, Options)]
@@ -193,26 +191,12 @@ fn print_single(
) -> Result<(), Error> { ) -> Result<(), Error> {
let mut yubikey = key::open(serial)?; let mut yubikey = key::open(serial)?;
let mut keys = Key::list(&mut yubikey)?.into_iter().filter_map(|key| { let (key, slot, recipient) = key::list_compatible(&mut yubikey)?
// - We only use the retired slots.
// - Only P-256 keys are compatible with us.
match (key.slot(), key.certificate().subject_pki()) {
(SlotId::Retired(slot), PublicKeyInfo::EcP256(pubkey)) => {
p256::Recipient::from_encoded(pubkey).map(|r| (key, slot, r))
}
_ => None,
}
});
let (key, slot, recipient) = keys
.find(|(_, s, _)| s == &slot) .find(|(_, s, _)| s == &slot)
.ok_or(Error::SlotHasNoIdentity(slot))?; .ok_or(Error::SlotHasNoIdentity(slot))?;
let stub = key::Stub::new(yubikey.serial(), slot, &recipient); let stub = key::Stub::new(yubikey.serial(), slot, &recipient);
let metadata = x509_parser::parse_x509_certificate(key.certificate().as_ref()) let metadata = util::Metadata::extract(&mut yubikey, slot, key.certificate(), true).unwrap();
.ok()
.and_then(|(_, cert)| util::Metadata::extract(&mut yubikey, slot, &cert, true))
.unwrap();
printer(stub, recipient, metadata); printer(stub, recipient, metadata);
@@ -229,33 +213,16 @@ fn print_multiple(
let mut printed = 0; let mut printed = 0;
for reader in readers.iter()?.filter(key::filter_connected) { for reader in readers.iter()?.filter(key::filter_connected) {
let mut yubikey = reader.open()?; let mut yubikey = key::open_connection(&reader)?;
if let Some(serial) = serial { if let Some(serial) = serial {
if yubikey.serial() != serial { if yubikey.serial() != serial {
continue; continue;
} }
} }
for key in Key::list(&mut yubikey)? { for (key, slot, recipient) in key::list_compatible(&mut yubikey)? {
// We only use the retired slots.
let slot = match key.slot() {
SlotId::Retired(slot) => slot,
_ => continue,
};
// Only P-256 keys are compatible with us.
let recipient = match key.certificate().subject_pki() {
PublicKeyInfo::EcP256(pubkey) => match p256::Recipient::from_encoded(pubkey) {
Some(recipient) => recipient,
None => continue,
},
_ => continue,
};
let stub = key::Stub::new(yubikey.serial(), slot, &recipient); let stub = key::Stub::new(yubikey.serial(), slot, &recipient);
let metadata = match x509_parser::parse_x509_certificate(key.certificate().as_ref()) let metadata = match util::Metadata::extract(&mut yubikey, slot, key.certificate(), all)
.ok()
.and_then(|(_, cert)| util::Metadata::extract(&mut yubikey, slot, &cert, all))
{ {
Some(res) => res, Some(res) => res,
None => continue, None => continue,
@@ -268,15 +235,7 @@ fn print_multiple(
println!(); println!();
} }
if printed > 1 { if printed > 1 {
eprintln!( eprintln!("{}", fl!("printed-multiple", kind = kind, count = printed));
"{}",
i18n_embed_fl::fl!(
LANGUAGE_LOADER,
"printed-multiple",
kind = kind,
count = printed,
)
);
} }
Ok(()) Ok(())
@@ -382,8 +341,7 @@ fn main() -> Result<(), Error> {
eprintln!( eprintln!(
"{}", "{}",
i18n_embed_fl::fl!( fl!(
LANGUAGE_LOADER,
"cli-setup-intro", "cli-setup-intro",
generate_usage = "age-plugin-yubikey --generate", generate_usage = "age-plugin-yubikey --generate",
) )
@@ -401,9 +359,8 @@ fn main() -> Result<(), Error> {
let reader_names = readers_list let reader_names = readers_list
.iter() .iter()
.map(|reader| { .map(|reader| {
reader.open().map(|yk| { key::open_connection(reader).map(|yk| {
i18n_embed_fl::fl!( fl!(
LANGUAGE_LOADER,
"cli-setup-yk-name", "cli-setup-yk-name",
yubikey_name = reader.name(), yubikey_name = reader.name(),
yubikey_serial = yk.serial().to_string(), yubikey_serial = yk.serial().to_string(),
@@ -421,17 +378,16 @@ fn main() -> Result<(), Error> {
None => return Ok(()), None => return Ok(()),
}; };
let keys = Key::list(&mut yubikey)?; let keys = key::list_slots(&mut yubikey)?.collect::<Vec<_>>();
// Identify slots that we can't allow the user to select. // Identify slots that we can't allow the user to select.
let slot_details: Vec<_> = USABLE_SLOTS let slot_details: Vec<_> = USABLE_SLOTS
.iter() .iter()
.map(|&slot| { .map(|&slot| {
keys.iter() keys.iter()
.find(|key| key.slot() == SlotId::Retired(slot)) .find(|(_, s, _)| s == &slot)
.map(|key| match key.certificate().subject_pki() { .map(|(key, _, recipient)| {
PublicKeyInfo::EcP256(pubkey) => { recipient.as_ref().map(|_| {
p256::Recipient::from_encoded(pubkey).map(|_| {
// Cache the details we need to display to the user. // Cache the details we need to display to the user.
let (_, cert) = let (_, cert) =
x509_parser::parse_x509_certificate(key.certificate().as_ref()) x509_parser::parse_x509_certificate(key.certificate().as_ref())
@@ -441,8 +397,6 @@ fn main() -> Result<(), Error> {
format!("{}, created: {}", name, created) format!("{}, created: {}", name, created)
}) })
}
_ => None,
}) })
}) })
.collect(); .collect();
@@ -455,20 +409,13 @@ fn main() -> Result<(), Error> {
let i = i + 1; let i = i + 1;
match occupied { match occupied {
Some(Some(name)) => i18n_embed_fl::fl!( Some(Some(name)) => fl!(
LANGUAGE_LOADER,
"cli-setup-slot-usable", "cli-setup-slot-usable",
slot_index = i, slot_index = i,
slot_name = name.as_str(), slot_name = name.as_str(),
), ),
Some(None) => i18n_embed_fl::fl!( Some(None) => fl!("cli-setup-slot-unusable", slot_index = i),
LANGUAGE_LOADER, None => fl!("cli-setup-slot-empty", slot_index = i),
"cli-setup-slot-unusable",
slot_index = i,
),
None => {
i18n_embed_fl::fl!(LANGUAGE_LOADER, "cli-setup-slot-empty", slot_index = i)
}
} }
}) })
.collect(); .collect();
@@ -491,27 +438,17 @@ fn main() -> Result<(), Error> {
} }
}; };
if let Some(key) = keys.iter().find(|key| key.slot() == SlotId::Retired(slot)) { if let Some((key, _, recipient)) = keys.into_iter().find(|(_, s, _)| s == &slot) {
let recipient = match key.certificate().subject_pki() { let recipient = recipient.expect("We checked this above");
PublicKeyInfo::EcP256(pubkey) => {
p256::Recipient::from_encoded(pubkey).expect("We checked this above")
}
_ => unreachable!(),
};
if Confirm::new() if Confirm::new()
.with_prompt(i18n_embed_fl::fl!( .with_prompt(fl!("cli-setup-use-existing", slot_index = slot_index))
LANGUAGE_LOADER,
"cli-setup-use-existing",
slot_index = slot_index,
))
.interact()? .interact()?
{ {
let stub = key::Stub::new(yubikey.serial(), slot, &recipient); let stub = key::Stub::new(yubikey.serial(), slot, &recipient);
let (_, cert) =
x509_parser::parse_x509_certificate(key.certificate().as_ref()).unwrap();
let metadata = let metadata =
util::Metadata::extract(&mut yubikey, slot, &cert, true).unwrap(); util::Metadata::extract(&mut yubikey, slot, key.certificate(), true)
.unwrap();
((stub, recipient, metadata), false) ((stub, recipient, metadata), false)
} else { } else {
@@ -576,11 +513,7 @@ fn main() -> Result<(), Error> {
}; };
if Confirm::new() if Confirm::new()
.with_prompt(i18n_embed_fl::fl!( .with_prompt(fl!("cli-setup-generate-new", slot_index = slot_index))
LANGUAGE_LOADER,
"cli-setup-generate-new",
slot_index = slot_index,
))
.interact()? .interact()?
{ {
eprintln!(); eprintln!();
@@ -632,8 +565,7 @@ fn main() -> Result<(), Error> {
writeln!( writeln!(
file, file,
"{}", "{}",
i18n_embed_fl::fl!( fl!(
LANGUAGE_LOADER,
"yubikey-identity", "yubikey-identity",
yubikey_metadata = metadata.to_string(), yubikey_metadata = metadata.to_string(),
recipient = recipient.to_string(), recipient = recipient.to_string(),
@@ -668,8 +600,7 @@ fn main() -> Result<(), Error> {
eprintln!(); eprintln!();
eprintln!( eprintln!(
"{}", "{}",
i18n_embed_fl::fl!( fl!(
LANGUAGE_LOADER,
"cli-setup-finished", "cli-setup-finished",
is_new = if is_new { "true" } else { "false" }, is_new = if is_new { "true" } else { "false" },
recipient = recipient.to_string(), recipient = recipient.to_string(),
+14 -1
View File
@@ -1,6 +1,8 @@
use bech32::{ToBase32, Variant}; use bech32::{ToBase32, Variant};
use p256::elliptic_curve::sec1::{FromEncodedPoint, ToEncodedPoint}; use p256::elliptic_curve::sec1::{FromEncodedPoint, ToEncodedPoint};
use sha2::{Digest, Sha256}; use sha2::{Digest, Sha256};
use yubikey::{certificate::PublicKeyInfo, Certificate};
use std::fmt; use std::fmt;
use crate::RECIPIENT_PREFIX; use crate::RECIPIENT_PREFIX;
@@ -42,11 +44,22 @@ impl Recipient {
} }
} }
pub(crate) fn from_certificate(cert: &Certificate) -> Option<Self> {
Self::from_spki(cert.subject_pki())
}
pub(crate) fn from_spki(spki: &PublicKeyInfo) -> Option<Self> {
match spki {
PublicKeyInfo::EcP256(pubkey) => Self::from_encoded(pubkey),
_ => None,
}
}
/// Attempts to parse a valid YubiKey recipient from its SEC-1 encoding. /// Attempts to parse a valid YubiKey recipient from its SEC-1 encoding.
/// ///
/// This accepts both compressed (as used by the plugin) and uncompressed (as used in /// This accepts both compressed (as used by the plugin) and uncompressed (as used in
/// the YubiKey certificate) encodings. /// the YubiKey certificate) encodings.
pub(crate) fn from_encoded(encoded: &p256::EncodedPoint) -> Option<Self> { fn from_encoded(encoded: &p256::EncodedPoint) -> Option<Self> {
p256::PublicKey::from_encoded_point(encoded).map(Recipient) p256::PublicKey::from_encoded_point(encoded).map(Recipient)
} }
+1 -2
View File
@@ -71,8 +71,7 @@ impl RecipientPluginV1 for RecipientPlugin {
Ok(Some(conn)) => yk_recipients.push(conn.recipient().clone()), Ok(Some(conn)) => yk_recipients.push(conn.recipient().clone()),
Ok(None) => yk_errors.push(recipient::Error::Identity { Ok(None) => yk_errors.push(recipient::Error::Identity {
index: stub.identity_index, index: stub.identity_index,
message: i18n_embed_fl::fl!( message: fl!(
crate::LANGUAGE_LOADER,
"plugin-err-yk-opening", "plugin-err-yk-opening",
yubikey_serial = stub.serial.to_string(), yubikey_serial = stub.serial.to_string(),
), ),
+10 -16
View File
@@ -4,7 +4,7 @@ use std::iter;
use x509_parser::{certificate::X509Certificate, der_parser::oid::Oid}; use x509_parser::{certificate::X509Certificate, der_parser::oid::Oid};
use yubikey::{ use yubikey::{
piv::{RetiredSlotId, SlotId}, piv::{RetiredSlotId, SlotId},
PinPolicy, Serial, TouchPolicy, YubiKey, Certificate, PinPolicy, Serial, TouchPolicy, YubiKey,
}; };
use crate::fl; use crate::fl;
@@ -112,9 +112,11 @@ impl Metadata {
pub(crate) fn extract( pub(crate) fn extract(
yubikey: &mut YubiKey, yubikey: &mut YubiKey,
slot: RetiredSlotId, slot: RetiredSlotId,
cert: &X509Certificate, cert: &Certificate,
all: bool, all: bool,
) -> Option<Self> { ) -> Option<Self> {
let (_, cert) = x509_parser::parse_x509_certificate(cert.as_ref()).ok()?;
// We store the PIN and touch policies for identities in their certificates // We store the PIN and touch policies for identities in their certificates
// using the same certificate extension as PIV attestations. // using the same certificate extension as PIV attestations.
// https://developers.yubico.com/PIV/Introduction/PIV_attestation.html // https://developers.yubico.com/PIV/Introduction/PIV_attestation.html
@@ -143,10 +145,10 @@ impl Metadata {
.unwrap_or((None, None)) .unwrap_or((None, None))
}; };
extract_name(cert, all) extract_name(&cert, all)
.map(|(name, ours)| { .map(|(name, ours)| {
if ours { if ours {
let (pin_policy, touch_policy) = policies(cert); let (pin_policy, touch_policy) = policies(&cert);
(name, pin_policy, touch_policy) (name, pin_policy, touch_policy)
} else { } else {
// We can extract the PIN and touch policies via an attestation. This // We can extract the PIN and touch policies via an attestation. This
@@ -180,8 +182,7 @@ impl fmt::Display for Metadata {
write!( write!(
f, f,
"{}", "{}",
i18n_embed_fl::fl!( fl!(
crate::LANGUAGE_LOADER,
"yubikey-metadata", "yubikey-metadata",
serial = self.serial.to_string(), serial = self.serial.to_string(),
slot = slot_to_ui(&self.slot), slot = slot_to_ui(&self.slot),
@@ -197,20 +198,13 @@ impl fmt::Display for Metadata {
pub(crate) fn print_identity(stub: Stub, recipient: Recipient, metadata: Metadata) { pub(crate) fn print_identity(stub: Stub, recipient: Recipient, metadata: Metadata) {
let recipient = recipient.to_string(); let recipient = recipient.to_string();
if !console::user_attended() { if !console::user_attended() {
eprintln!( let recipient = recipient.as_str();
"{}", eprintln!("{}", fl!("print-recipient", recipient = recipient));
i18n_embed_fl::fl!(
crate::LANGUAGE_LOADER,
"print-recipient",
recipient = recipient.as_str(),
)
);
} }
println!( println!(
"{}", "{}",
i18n_embed_fl::fl!( fl!(
crate::LANGUAGE_LOADER,
"yubikey-identity", "yubikey-identity",
yubikey_metadata = metadata.to_string(), yubikey_metadata = metadata.to_string(),
recipient = recipient, recipient = recipient,