use bech32::{ToBase32, Variant}; use p256::elliptic_curve::sec1::{FromEncodedPoint, ToEncodedPoint}; use yubikey::{certificate::PublicKeyInfo, Certificate}; use std::fmt; use crate::recipient::{static_tag, TAG_BYTES}; const RECIPIENT_PREFIX: &str = "age1yubikey"; /// Wrapper around a compressed secp256r1 curve point. #[derive(Clone)] pub struct Recipient(p256::PublicKey); impl fmt::Debug for Recipient { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { write!(f, "Recipient({:?})", self.to_encoded().as_bytes()) } } impl fmt::Display for Recipient { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { f.write_str( bech32::encode( RECIPIENT_PREFIX, self.to_encoded().as_bytes().to_base32(), Variant::Bech32, ) .expect("HRP is valid") .as_str(), ) } } impl Recipient { /// Attempts to parse a valid YubiKey recipient from its compressed SEC-1 byte encoding. pub(crate) fn from_bytes(bytes: &[u8]) -> Option { let encoded = p256::EncodedPoint::from_bytes(bytes).ok()?; if encoded.is_compressed() { Self::from_encoded(&encoded) } else { None } } pub(crate) fn from_certificate(cert: &Certificate) -> Option { Self::from_spki(cert.subject_pki()) } pub(crate) fn from_spki(spki: &PublicKeyInfo) -> Option { match spki { PublicKeyInfo::EcP256(pubkey) => Self::from_encoded(pubkey), _ => None, } } /// Attempts to parse a valid YubiKey recipient from its SEC-1 encoding. /// /// This accepts both compressed (as used by the plugin) and uncompressed (as used in /// the YubiKey certificate) encodings. fn from_encoded(encoded: &p256::EncodedPoint) -> Option { Option::from(p256::PublicKey::from_encoded_point(encoded)).map(Recipient) } /// Returns the compressed SEC-1 encoding of this recipient. pub(crate) fn to_encoded(&self) -> p256::EncodedPoint { self.0.to_encoded_point(true) } pub(crate) fn tag(&self) -> [u8; TAG_BYTES] { static_tag(self.to_encoded().as_bytes()) } /// Exposes the wrapped public key. pub(crate) fn public_key(&self) -> &p256::PublicKey { &self.0 } }