From 31efd4e78c14bd93c217eaa2bd43fcf2a6360841 Mon Sep 17 00:00:00 2001 From: Tony Arcieri Date: Sun, 8 Dec 2019 09:32:57 -0800 Subject: [PATCH] Finish eliminating `consts` module Either moves constants into their relevant modules, or puts the remaining ones into `lib.rs` --- src/certificate.rs | 12 ++++++++++-- src/config.rs | 9 ++++++++- src/consts.rs | 22 ---------------------- src/container.rs | 6 +++++- src/key.rs | 10 ++++++++-- src/lib.rs | 30 +++++++++++++++++++++++++++++- src/metadata.rs | 8 +++++++- src/mgm.rs | 7 ++++++- src/msroots.rs | 6 +++++- src/transaction.rs | 4 ++-- src/yubikey.rs | 19 ++++++------------- 11 files changed, 86 insertions(+), 47 deletions(-) diff --git a/src/certificate.rs b/src/certificate.rs index 3372ac0..85389a4 100644 --- a/src/certificate.rs +++ b/src/certificate.rs @@ -31,13 +31,12 @@ // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. use crate::{ - consts::*, error::Error, key::{AlgorithmId, SlotId}, serialization::*, transaction::Transaction, yubikey::YubiKey, - Buffer, + Buffer, CB_OBJ_TAG_MIN, }; use elliptic_curve::weierstrass::{ curve::{NistP256, NistP384}, @@ -49,6 +48,9 @@ use std::fmt; use x509_parser::{parse_x509_der, x509::SubjectPublicKeyInfo}; use zeroize::Zeroizing; +#[cfg(feature = "untested")] +use crate::CB_OBJ_MAX; + // TODO: Make these der_parser::oid::Oid constants when it has const fn support. const OID_RSA_ENCRYPTION: &str = "1.2.840.113549.1.1.1"; const OID_EC_PUBLIC_KEY: &str = "1.2.840.10045.2.1"; @@ -60,6 +62,12 @@ const CERTINFO_UNCOMPRESSED: u8 = 0; #[cfg(feature = "untested")] const CERTINFO_GZIP: u8 = 1; +const TAG_CERT: u8 = 0x70; +#[cfg(feature = "untested")] +const TAG_CERT_COMPRESS: u8 = 0x71; +#[cfg(feature = "untested")] +const TAG_CERT_LRC: u8 = 0xFE; + /// Information about a public key within a [`Certificate`]. #[derive(Clone, Eq, PartialEq)] pub enum PublicKeyInfo { diff --git a/src/config.rs b/src/config.rs index 1720f70..028c02f 100644 --- a/src/config.rs +++ b/src/config.rs @@ -30,7 +30,14 @@ // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -use crate::{consts::*, error::Error, metadata, mgm::MgmType, yubikey::YubiKey}; +use crate::{ + error::Error, + metadata, + mgm::{MgmType, ADMIN_FLAGS_1_PROTECTED_MGM}, + yubikey::{YubiKey, ADMIN_FLAGS_1_PUK_BLOCKED}, + TAG_ADMIN, TAG_ADMIN_FLAGS_1, TAG_ADMIN_SALT, TAG_ADMIN_TIMESTAMP, TAG_PROTECTED, + TAG_PROTECTED_FLAGS_1, TAG_PROTECTED_MGM, +}; use log::error; use std::{ convert::TryInto, diff --git a/src/consts.rs b/src/consts.rs index 39af892..e432fea 100644 --- a/src/consts.rs +++ b/src/consts.rs @@ -35,29 +35,7 @@ #![allow(missing_docs, non_upper_case_globals)] #![cfg_attr(not(feature = "untested"), allow(dead_code))] -pub const ADMIN_FLAGS_1_PUK_BLOCKED: u8 = 0x01; -pub const ADMIN_FLAGS_1_PROTECTED_MGM: u8 = 0x02; -pub const CB_BUF_MAX: usize = 3072; -pub const CB_OBJ_MAX: usize = CB_BUF_MAX - 9; -pub const CB_OBJ_TAG_MIN: usize = 2; // 1 byte tag + 1 byte len -pub const CB_OBJ_TAG_MAX: usize = (CB_OBJ_TAG_MIN + 2); // 1 byte tag + 3 bytes len -pub const TAG_CERT: u8 = 0x70; -pub const TAG_CERT_COMPRESS: u8 = 0x71; -pub const TAG_CERT_LRC: u8 = 0xFE; -pub const TAG_ADMIN: u8 = 0x80; -pub const TAG_ADMIN_FLAGS_1: u8 = 0x81; -pub const TAG_ADMIN_SALT: u8 = 0x82; -pub const TAG_ADMIN_TIMESTAMP: u8 = 0x83; -pub const TAG_PROTECTED: u8 = 0x88; -pub const TAG_PROTECTED_FLAGS_1: u8 = 0x81; -pub const TAG_PROTECTED_MGM: u8 = 0x89; -pub const TAG_MSCMAP: u8 = 0x81; -pub const TAG_MSROOTS_END: u8 = 0x82; -pub const TAG_MSROOTS_MID: u8 = 0x83; -pub const TAG_RSA_MODULUS: u8 = 0x81; -pub const TAG_RSA_EXP: u8 = 0x82; -pub const TAG_ECC_POINT: u8 = 0x86; diff --git a/src/container.rs b/src/container.rs index 6f62fe9..2511fc4 100644 --- a/src/container.rs +++ b/src/container.rs @@ -33,7 +33,9 @@ // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -use crate::{consts::*, error::Error, key::SlotId, serialization::*, yubikey::YubiKey}; +use crate::{ + error::Error, key::SlotId, serialization::*, yubikey::YubiKey, CB_OBJ_MAX, CB_OBJ_TAG_MIN, +}; use log::error; use std::{ convert::{TryFrom, TryInto}, @@ -48,6 +50,8 @@ const CONTAINER_REC_LEN: usize = (2 * CONTAINER_NAME_LEN) + 27; const OBJ_MSCMAP: u32 = 0x005f_ff10; +const TAG_MSCMAP: u8 = 0x81; + /// MS Container Map(?) Records #[derive(Copy, Clone)] pub struct Container { diff --git a/src/key.rs b/src/key.rs index 4cfac02..561349a 100644 --- a/src/key.rs +++ b/src/key.rs @@ -49,10 +49,9 @@ use std::convert::TryFrom; #[cfg(feature = "untested")] use crate::{ apdu::{Ins, StatusWords}, - consts::*, policy::{PinPolicy, TouchPolicy}, serialization::*, - settings, Buffer, + settings, Buffer, CB_OBJ_MAX, }; #[cfg(feature = "untested")] use log::{error, warn}; @@ -64,6 +63,13 @@ const CB_ECC_POINTP256: usize = 65; #[cfg(feature = "untested")] const CB_ECC_POINTP384: usize = 97; +#[cfg(feature = "untested")] +const TAG_RSA_MODULUS: u8 = 0x81; +#[cfg(feature = "untested")] +const TAG_RSA_EXP: u8 = 0x82; +#[cfg(feature = "untested")] +const TAG_ECC_POINT: u8 = 0x86; + /// Slot identifiers. /// #[derive(Clone, Copy, Debug, PartialEq)] diff --git a/src/lib.rs b/src/lib.rs index 1e88312..c763f21 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -140,7 +140,6 @@ pub mod cccid; pub mod certificate; pub mod chuid; pub mod config; -mod consts; #[cfg(feature = "untested")] pub mod container; pub mod error; @@ -164,3 +163,32 @@ pub type ObjectId = u32; /// Buffer type (self-zeroizing byte vector) pub(crate) type Buffer = zeroize::Zeroizing>; + +/// YubiKey max buffer size +pub(crate) const CB_BUF_MAX: usize = 3072; + +/// YubiKey max object size +#[cfg(feature = "untested")] +pub(crate) const CB_OBJ_MAX: usize = CB_BUF_MAX - 9; +pub(crate) const CB_OBJ_TAG_MIN: usize = 2; // 1 byte tag + 1 byte len +#[cfg(feature = "untested")] +pub(crate) const CB_OBJ_TAG_MAX: usize = (CB_OBJ_TAG_MIN + 2); // 1 byte tag + 3 bytes len + +pub(crate) const TAG_ADMIN: u8 = 0x80; +pub(crate) const TAG_ADMIN_FLAGS_1: u8 = 0x81; +pub(crate) const TAG_ADMIN_SALT: u8 = 0x82; +pub(crate) const TAG_ADMIN_TIMESTAMP: u8 = 0x83; +pub(crate) const TAG_PROTECTED: u8 = 0x88; +pub(crate) const TAG_PROTECTED_FLAGS_1: u8 = 0x81; +pub(crate) const TAG_PROTECTED_MGM: u8 = 0x89; + +/// PIV Applet ID +pub(crate) const PIV_AID: [u8; 5] = [0xa0, 0x00, 0x00, 0x03, 0x08]; + +/// MGMT Applet ID. +/// +#[cfg(feature = "untested")] +pub(crate) const MGMT_AID: [u8; 8] = [0xa0, 0x00, 0x00, 0x05, 0x27, 0x47, 0x11, 0x17]; + +/// YubiKey OTP Applet ID. Needed to query serial on YK4. +pub(crate) const YK_AID: [u8; 8] = [0xa0, 0x00, 0x00, 0x05, 0x27, 0x20, 0x01, 0x01]; diff --git a/src/metadata.rs b/src/metadata.rs index c3a6ef2..e6877b3 100644 --- a/src/metadata.rs +++ b/src/metadata.rs @@ -30,7 +30,13 @@ // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -use crate::{consts::*, error::Error, serialization::*, transaction::Transaction, Buffer}; +use crate::{ + error::Error, serialization::*, transaction::Transaction, Buffer, CB_OBJ_TAG_MIN, TAG_ADMIN, + TAG_PROTECTED, +}; + +#[cfg(feature = "untested")] +use crate::{CB_OBJ_MAX, CB_OBJ_TAG_MAX}; #[cfg(feature = "untested")] use zeroize::Zeroizing; diff --git a/src/mgm.rs b/src/mgm.rs index 4de5171..75ecacb 100644 --- a/src/mgm.rs +++ b/src/mgm.rs @@ -37,7 +37,10 @@ use std::convert::{TryFrom, TryInto}; use zeroize::{Zeroize, Zeroizing}; #[cfg(feature = "untested")] -use crate::{consts::*, metadata, yubikey::YubiKey}; +use crate::{ + metadata, yubikey::YubiKey, CB_BUF_MAX, CB_OBJ_MAX, TAG_ADMIN, TAG_ADMIN_FLAGS_1, + TAG_ADMIN_SALT, TAG_PROTECTED, TAG_PROTECTED_MGM, +}; #[cfg(feature = "untested")] use des::{ block_cipher_trait::{generic_array::GenericArray, BlockCipher}, @@ -50,6 +53,8 @@ use pbkdf2::pbkdf2; #[cfg(feature = "untested")] use sha1::Sha1; +pub(crate) const ADMIN_FLAGS_1_PROTECTED_MGM: u8 = 0x02; + #[cfg(feature = "untested")] const CB_ADMIN_SALT: usize = 16; diff --git a/src/msroots.rs b/src/msroots.rs index 21dc484..407c278 100644 --- a/src/msroots.rs +++ b/src/msroots.rs @@ -37,7 +37,8 @@ // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -use crate::{consts::*, error::Error, serialization::*, yubikey::YubiKey}; +use crate::{error::Error, serialization::*, yubikey::YubiKey}; +use crate::{CB_OBJ_MAX, CB_OBJ_TAG_MAX, CB_OBJ_TAG_MIN}; use log::error; const OBJ_MSROOTS1: u32 = 0x005f_ff11; @@ -49,6 +50,9 @@ const OBJ_MSROOTS3: u32 = 0x005f_ff13; const OBJ_MSROOTS4: u32 = 0x005f_ff14; const OBJ_MSROOTS5: u32 = 0x005f_ff15; +const TAG_MSROOTS_END: u8 = 0x82; +const TAG_MSROOTS_MID: u8 = 0x83; + /// `msroots` file: PKCS#7-formatted certificate store for enterprise trust roots pub struct MsRoots(Vec); diff --git a/src/transaction.rs b/src/transaction.rs index 3c36d0b..3f31c0c 100644 --- a/src/transaction.rs +++ b/src/transaction.rs @@ -3,11 +3,10 @@ use crate::{ apdu::Response, apdu::{Ins, StatusWords, APDU}, - consts::*, error::Error, serialization::*, yubikey::*, - Buffer, ObjectId, + Buffer, ObjectId, CB_BUF_MAX, PIV_AID, YK_AID, }; use log::{error, trace}; use std::convert::TryInto; @@ -17,6 +16,7 @@ use zeroize::Zeroizing; use crate::{ key::{AlgorithmId, SlotId}, mgm::{MgmKey, DES_LEN_3DES}, + CB_OBJ_MAX, }; const CB_PIN_MAX: usize = 8; diff --git a/src/yubikey.rs b/src/yubikey.rs index b0bf4bf..7926670 100644 --- a/src/yubikey.rs +++ b/src/yubikey.rs @@ -48,10 +48,10 @@ use std::{ #[cfg(feature = "untested")] use crate::{ apdu::{Ins, StatusWords, APDU}, - consts::*, metadata, mgm::MgmKey, - Buffer, ObjectId, + Buffer, ObjectId, CB_BUF_MAX, CB_OBJ_MAX, MGMT_AID, TAG_ADMIN, TAG_ADMIN_FLAGS_1, + TAG_ADMIN_TIMESTAMP, }; #[cfg(feature = "untested")] use getrandom::getrandom; @@ -63,6 +63,9 @@ use std::{ time::{SystemTime, UNIX_EPOCH}, }; +/// Flag for PUK blocked +pub(crate) const ADMIN_FLAGS_1_PUK_BLOCKED: u8 = 0x01; + /// 3DES authentication #[cfg(feature = "untested")] pub(crate) const ALGO_3DES: u8 = 0x03; @@ -78,16 +81,8 @@ pub(crate) const CHREF_ACT_UNBLOCK_PIN: i32 = 1; #[cfg(feature = "untested")] pub(crate) const CHREF_ACT_CHANGE_PUK: i32 = 2; -/// PIV Applet ID -pub(crate) const PIV_AID: [u8; 5] = [0xa0, 0x00, 0x00, 0x03, 0x08]; - -/// MGMT Applet ID. -/// #[cfg(feature = "untested")] -pub(crate) const MGMT_AID: [u8; 8] = [0xa0, 0x00, 0x00, 0x05, 0x27, 0x47, 0x11, 0x17]; - -/// YubiKey OTP Applet ID. Needed to query serial on YK4. -pub(crate) const YK_AID: [u8; 8] = [0xa0, 0x00, 0x00, 0x05, 0x27, 0x20, 0x01, 0x01]; +const TAG_DYN_AUTH: u8 = 0x7c; /// Cached YubiKey PIN pub type CachedPin = secrecy::SecretVec; @@ -249,8 +244,6 @@ impl YubiKey { pub fn authenticate(&mut self, mgm_key: MgmKey) -> Result<(), Error> { let txn = self.begin_transaction()?; - const TAG_DYN_AUTH: u8 = 0x7c; - // get a challenge from the card let challenge = APDU::new(Ins::Authenticate) .params(ALGO_3DES, KEY_CARDMGM)