Compare commits

...

94 Commits

Author SHA1 Message Date
james 8c86cab372 fix 2026-06-29 02:00:08 +02:00
james 200f9be97b Patch to fix ed25519 in PIV slot. 2026-06-29 00:45:21 +02:00
Tony Arcieri (iqlusion) cafb0b2c18 v0.8.0-pre.0 (#491) 2023-03-14 17:17:07 -06:00
Tony Arcieri (iqlusion) 0c7441a81e Bump asymmetric crypto dependencies; MSRV 1.65 (#490)
Bumps the following dependencies to the latest versions:

- `elliptic-curve` v0.13
- `k256` v0.13
- `p256` v0.13
- `p384` v0.13
- `pbkdf2` v0.12
- `rsa` v0.9.0-pre.0
- `signature` v2
2023-03-14 11:53:00 -06:00
str4d a50addc15b Fix StatusWords::code output for StatusWords::VerifyFailError (#479)
* Fix `StatusWords::code` output for `StatusWords::VerifyFailError`

Closes iqlusioninc/yubikey.rs#473.

* Refactor `Transaction::transfer_data` to match on `StatusWords`

This makes the code more reliable, such that it would have avoided
the bug in iqlusioninc/yubikey.rs#473.
2023-02-12 12:02:22 -07:00
str4d 0809f300b7 Return errors from YubiKey::open_by_serial that indicate a key may exist (#477)
* Return errors from `YubiKey::open_by_serial` that indicate a key may exist

The only such error at the moment is `pcsc::Error::SharingViolation`, which
indicates a transient failure to access a specific reader that could have
been the one we needed (and so a future retry might succeed).

Closes iqlusioninc/yubikey.rs#458.

* Avoid resetting unused devices in YubiKey::open_by_serial

We only connect to readers so that we can determine their serial. We
now try to ensure that the order in which we connect to them doesn't
have an effect on their state after we are done.
2023-02-12 10:22:05 -07:00
str4d d55079f9a6 Enable library users to detect if a smart card doesn't support PIV (#476)
* Enable library users to detect if a smart card doesn't support PIV

Closes iqlusioninc/yubikey.rs#456.

* Avoid resetting the card if we fail to select PIV or fetch version/serial
2023-02-12 10:20:34 -07:00
str4d 10241230b3 Raise minimum pcsc version to remove workaround (#478)
In iqlusioninc/yubikey.rs#88 we added a workaround for what turned out
to be a bug in `pcsc`, where an error was returned if no readers were
available, instead of returning an empty iterator. `pcsc 2.3.1` was
published in 2019, so we can safely rely on it.
2023-02-12 10:18:55 -07:00
dependabot[bot] 1e02f135f0 Bump env_logger from 0.9.3 to 0.10.0 (#452)
Bumps [env_logger](https://github.com/rust-cli/env_logger) from 0.9.3 to 0.10.0.
- [Release notes](https://github.com/rust-cli/env_logger/releases)
- [Changelog](https://github.com/rust-cli/env_logger/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rust-cli/env_logger/compare/v0.9.3...v0.10.0)

---
updated-dependencies:
- dependency-name: env_logger
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-08 15:24:30 -07:00
Tony Arcieri (iqlusion) 0c2633ab31 transaction: comment cleanup in get_serial (#467)
Moves comments about each YubiKey version number above the arms of the
`match` expression
2023-01-07 13:35:52 -08:00
Tony Arcieri (iqlusion) f49c617a9d Improve parsing of serial numbers (#466)
Checks the length of the data returned when querying the serial number,
returning an error if it's longer than 4 bytes, and left-padding with
zeroes if it's too short.

This fixes some potential panics due to incorrect slice lengths as were
experienced in #465
2023-01-07 08:35:37 -08:00
Tony Arcieri (iqlusion) 1d33ea1747 Cargo.lock: bump dependencies (#463) 2023-01-02 10:22:07 -08:00
str4d 18eb4bf4f4 Add YubiKey::disconnect (#462)
This exposes `pcsc::Card::disconnect` to allow alternate disposition
methods.
2023-01-02 10:15:31 -08:00
str4d 10941bfb5b Add partial Debug impls for Context and YubiKey (#457)
This enables `yubikey::Result<T>` to be debug-formatted, for example
when wrapping the output of an API method in `dbg!()`.
2023-01-01 11:16:10 -07:00
Tony Arcieri (iqlusion) 002491193e Cargo.lock: bump dependencies + audit config (#451)
This should get the security audit passing again
2022-11-28 10:19:39 -08:00
Tony Arcieri (iqlusion) 2e5139b237 yubikey-cli v0.7.0 (#446) 2022-11-14 17:17:02 -08:00
Tony Arcieri (iqlusion) d880faaefa yubikey v0.7.0 (#444) 2022-11-14 15:53:00 -08:00
Tony Arcieri (iqlusion) cc00a10c2f img: add logo-sq.png (#445)
Square logo for use with rustdoc
2022-11-14 15:15:19 -08:00
Tony Arcieri (iqlusion) 0a2e798894 Switch from subtle-encoding to base16ct (#443) 2022-11-14 14:26:07 -08:00
Tony Arcieri (iqlusion) 5c4259023f Switch from lazy_static to once_cell (#442)
The latter will hopefully eventually be upstreamed into `std`.
2022-11-14 12:52:27 -08:00
Tony Arcieri (iqlusion) 57bb088c7d yubikey-cli: bump x509-parser to v0.14 (#441) 2022-11-14 12:30:55 -08:00
Tony Arcieri (iqlusion) ccf19a3668 Bump rsa to v0.7.1 (#440) 2022-11-14 11:08:05 -08:00
dependabot[bot] db13fce53b Bump clap from 3.2.23 to 4.0.23 (#438)
Bumps [clap](https://github.com/clap-rs/clap) from 3.2.23 to 4.0.23.
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/v3.2.23...v4.0.23)

---
updated-dependencies:
- dependency-name: clap
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-11-14 10:44:39 -08:00
Ferdinand Linnenberg 0071566097 feat: fixed incorrect issuer for certificates & added x509 prints (#437) 2022-11-14 10:42:07 -08:00
Tony Arcieri (iqlusion) d8653bc6f0 Use chrono v0.4.23 or newer (#436)
Addresses RUSTSEC-2020-0159
2022-11-12 15:42:34 -08:00
Tony Arcieri (iqlusion) 603b102932 Followups from #371 (#435)
Implements the changes I suggested in that PR, which are related to
naming conventions and documentation.
2022-11-12 15:41:58 -08:00
Tony Arcieri (iqlusion) 7470b1613a Cargo.lock: bump dependencies (#434) 2022-11-12 13:27:08 -08:00
Tony Arcieri (iqlusion) 4310cc0f9a Fix build and clippy warnings (#433) 2022-11-12 13:15:42 -08:00
Arthur Gautier 87ed7b2338 Adds support for metadata command (#371)
On firmware 5.4.3, yubikey introduced a metadata command. This returns
the policy attached to as slot as well as the public key of the pair in
the slot.

https://docs.yubico.com/yesdk/users-manual/application-piv/apdu/metadata.html
2022-11-12 11:12:10 -08:00
Shella Stephens 7866d8d53e MSRV 1.60.0 (#423) 2022-11-07 08:58:45 -07:00
Shella Stephens 744238fd77 Cargo.lock: update dependencies & fix audit 2022-11-07 07:56:25 -07:00
william light bbb186f95e Display inner PC/SC errors (#420) 2022-10-31 15:00:21 -07:00
dependabot[bot] c89cc5acd0 Bump sha2 from 0.10.2 to 0.10.5 (#407)
Bumps [sha2](https://github.com/RustCrypto/hashes) from 0.10.2 to 0.10.5.
- [Release notes](https://github.com/RustCrypto/hashes/releases)
- [Commits](https://github.com/RustCrypto/hashes/compare/sha2-v0.10.2...sha2-v0.10.5)

---
updated-dependencies:
- dependency-name: sha2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-10-18 14:29:21 -07:00
dependabot[bot] 2294c1cc3a Bump chrono from 0.4.21 to 0.4.22 (#405)
Bumps [chrono](https://github.com/chronotope/chrono) from 0.4.21 to 0.4.22.
- [Release notes](https://github.com/chronotope/chrono/releases)
- [Changelog](https://github.com/chronotope/chrono/blob/main/CHANGELOG.md)
- [Commits](https://github.com/chronotope/chrono/compare/v0.4.21...v0.4.22)

---
updated-dependencies:
- dependency-name: chrono
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-10-18 14:29:08 -07:00
dependabot[bot] 65e201db0f Bump uuid from 1.1.2 to 1.2.1 (#415)
Bumps [uuid](https://github.com/uuid-rs/uuid) from 1.1.2 to 1.2.1.
- [Release notes](https://github.com/uuid-rs/uuid/releases)
- [Commits](https://github.com/uuid-rs/uuid/compare/1.1.2...1.2.1)

---
updated-dependencies:
- dependency-name: uuid
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-10-18 14:28:56 -07:00
Tony Arcieri (iqlusion) b571f81007 yubikey-cli v0.6.0 (#404) 2022-08-10 17:23:41 -07:00
Tony Arcieri (iqlusion) 0a36a37ae3 yubikey v0.6.0 (#403) 2022-08-10 16:41:26 -07:00
Tony Arcieri (iqlusion) 3463d109b2 Bump der-parser to v8; x509-parser to v0.14 (#402) 2022-08-10 15:19:21 -07:00
dependabot[bot] 014b7ee6fd Bump p384 from 0.10.0 to 0.11.2 (#401)
Bumps [p384](https://github.com/RustCrypto/elliptic-curves) from 0.10.0 to 0.11.2.
- [Release notes](https://github.com/RustCrypto/elliptic-curves/releases)
- [Commits](https://github.com/RustCrypto/elliptic-curves/compare/p384/v0.10.0...p384/v0.11.2)

---
updated-dependencies:
- dependency-name: p384
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-08-10 14:57:39 -07:00
vdods 498de4c10d Adding some common traits for certain enum types to support maps. (#372) 2022-08-10 14:34:58 -07:00
Tony Arcieri (iqlusion) 98b038c873 Cargo.lock: bump dependencies (#400) 2022-08-10 14:26:33 -07:00
Tony Arcieri (iqlusion) fab9d25b0a cli: migrate from gumdrop to clap v3 (#379)
`gumdrop` was originally chosen for its minimalist set of dependencies,
but `clap` v3 has a slimmed down set of dependencies and better UX.
2022-05-24 21:45:26 -06:00
dependabot[bot] bb80551324 Bump uuid from 0.8.2 to 1.0.0 (#376)
Bumps [uuid](https://github.com/uuid-rs/uuid) from 0.8.2 to 1.0.0.
- [Release notes](https://github.com/uuid-rs/uuid/releases)
- [Commits](https://github.com/uuid-rs/uuid/compare/0.8.2...1.0.0)

---
updated-dependencies:
- dependency-name: uuid
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-05-23 20:18:58 -07:00
Tony Arcieri (iqlusion) 9e20ecfe55 RustCrypto crate upgrades; MSRV 1.57 (#378)
Updates all of the RustCrypto dependencies to the latest versions:

- `des` v0.8
- `elliptic-curve` v0.12
- `hmac` v0.12
- `num-bigint-dig` v0.8
- `pbkdf2` v0.11
- `p256` v0.11
- `p384` v0.10
- `rsa` v0.6
- `sha1` v0.10 (replacing `sha-1`)
- `sha2` v0.10
2022-05-23 20:04:12 -07:00
Tony Arcieri (iqlusion) fac83c60fb Cargo.lock: bump dependencies (#375) 2022-05-23 17:52:53 -07:00
Shella Stephens 914f9bee0d Cargo.lock: update dependencies & fix cargo audit (#365) 2022-03-07 16:29:35 -07:00
Ferdinand Linnenberg 83de59983f Add Display formatter to SlotId (#353) 2022-02-11 13:10:53 -08:00
Shella Stephens e21395c934 Cargo.lock: update dependencies (#347) 2022-01-31 08:00:16 -07:00
Tony Arcieri (iqlusion) 935fea0868 Bump p256 => v0.10; p384 => v0.9 (#344) 2022-01-17 15:08:48 -08:00
Tony Arcieri (iqlusion) dd4b1c60a4 2021 edition upgrade; MSRV 1.56 (#343)
Changes the `edition` to 2021 in both the `yubikey` and `yubikey-cli`
crates.

Removes `TryFrom`/`TryInto` imports, now that they're in the prelude.
2022-01-17 14:54:01 -08:00
Shella Stephens 74a50f0f0c Bump dependencies & fix security audit (#340)
* Bump dependencies & fix security audit

* allow dead code for issuer field #[allow(dead_code)] in Certificates struct
2022-01-10 08:40:58 -07:00
Tony Arcieri (iqlusion) 86d482b38d yubikey-cli v0.5.0 (#328) 2021-11-21 08:10:17 -08:00
Tony Arcieri (iqlusion) edf74871ba yubikey v0.5.0 (#327) 2021-11-21 07:42:39 -08:00
Tony Arcieri (iqlusion) b11d5c409b Cargo.lock: bump dependencies (#326) 2021-11-21 07:06:17 -08:00
str4d 52107281df nom 7 (#322) 2021-10-19 06:38:38 -07:00
Shella Stephens bcef792f69 Update dependencies & add RUSTSEC-2020-0071 to audit.toml (#323) 2021-10-18 17:07:32 -06:00
Tony Arcieri (iqlusion) 10a7ead932 Cargo.lock: bump dependencies (#317) 2021-09-11 13:55:34 -07:00
Benno Rice 54ce90d51d Update dependencies (#315)
* Update rsa dependency to 0.5

* Update pbkdf dependency to 0.9

* Update x509-parser dependency to 0.11

* Update crypto-bigint subdepdendency to 0.2.6
2021-09-10 10:44:59 -07:00
Tony Arcieri (iqlusion) 3905104b52 Cargo.lock: bump dependencies (#308) 2021-08-20 18:09:51 -07:00
Tony Arcieri (iqlusion) 97e15abcee Cargo.lock: bump dependencies (#304) 2021-07-26 14:52:06 -07:00
Shella Stephens da7e7af109 Add deps.rs badge (#299) 2021-07-19 15:07:41 -07:00
Shella Stephens 6e96087b93 Cargo.lock: update deps (#300) 2021-07-19 15:00:16 -07:00
Tony Arcieri (iqlusion) f3bb858a2f Cargo.lock: bump dependencies (#298) 2021-07-19 09:05:32 -07:00
Tony Arcieri (iqlusion) ac72797d1f yubikey v0.4.2 (#291) 2021-07-13 06:35:53 -07:00
Tony Arcieri (iqlusion) fdd3b8730a Make yubikey::Buffer a pub type (#290) 2021-07-13 06:05:24 -07:00
Tony Arcieri (iqlusion) d51ec0a225 Have YubiKey::block_puk take &mut self as argument (#289)
This is effectively the same signature; it just uses `self` instead of a
named argument.
2021-07-13 05:55:24 -07:00
Tony Arcieri (iqlusion) d601c33ba3 yubikey v0.4.1 (#288) 2021-07-12 19:37:12 -07:00
Tony Arcieri (iqlusion) 8e52d75992 Rename Ccc to CccId (#287) 2021-07-12 19:28:46 -07:00
Tony Arcieri (iqlusion) 42ae5fb974 Rename SettingValue to Setting. (#286)
Breaking change, but the crate is fresh and there's time to yank and
republish.
2021-07-12 17:36:42 -07:00
Tony Arcieri (iqlusion) 224d346f09 yubikey-cli v0.4.0 (#284) 2021-07-12 14:33:51 -07:00
Tony Arcieri 01e5bba33f README.md: remove gitter badge 2021-07-12 14:10:11 -07:00
Tony Arcieri 48f42780df README.md: remove maintenance badge 2021-07-12 14:07:08 -07:00
Tony Arcieri (iqlusion) 92f770805f yubikey v0.4.0 (#283) 2021-07-12 14:02:59 -07:00
Tony Arcieri (iqlusion) 563f6f9ccc Extract consts module (#282)
Extracts miscellaneous constants that were floating around in the
toplevel into their own module.
2021-07-12 12:54:54 -07:00
Tony Arcieri (iqlusion) 5f418bbd1d Doc improvements and minor cleanups (#281) 2021-07-12 11:57:42 -07:00
Tony Arcieri (iqlusion) 47776ebf0b Fix parsing local DoS (#279)
Closes #152

Adds additional checks when parsing TLV records to ensure panic-free
operation.
2021-07-12 11:19:26 -07:00
Tony Arcieri (iqlusion) 227518dd1b Rename readers module to reader; Readers => Context (#278)
Renames the `readers` module to be singular: `reader`.

Renames the former `readers::Readers` struct to `reader::Context`.
2021-07-12 11:01:12 -07:00
Tony Arcieri (iqlusion) e6cea2eca6 Rename key module to piv (#277)
Now that the crate is named `yubikey` rather than `yubikey-piv`, it
makes more sense to call this module out as PIV-related functionality.
2021-07-12 10:42:55 -07:00
Tony Arcieri (iqlusion) e249e91297 Replace getrandom with rand_core (#276)
`rand_core::OsRng` provides a facade over `getrandom` which simplifies
error handling.
2021-07-12 09:58:58 -07:00
Tony Arcieri (iqlusion) 1018127843 Fix generate_self_signed_ec_cert integration test (#275)
Unfortunately these tests can't be run in CI as they require a YubiKey
to test against.

The YubiKey generates an ASN.1 DER-encoded ECDSA signature, but the test
was using a fixed-width signature.

The test now passes live against a YubiKey.
2021-07-12 09:05:40 -07:00
Tony Arcieri (iqlusion) 1765e11bc0 Flatten API (#274)
Re-exports types from the toplevel instead of placing them in individual
modules (often which only contain one type).

This makes the API easier for users to navigate, while still retaining
the same module structure internally.

Additionally, this commit uses the `uuid` crate for modeling UUIDs.
2021-07-12 08:40:31 -07:00
Tony Arcieri (iqlusion) 1228d16439 Rename settings::BoolValue => ConfigValue; refactor/cleanup (#272)
Renames the type used for storing a configuration setting.

Also changes the internal functions to use `Option<ConfigValue>` as the
return value, rather than comparing to a default value, which makes them
slightly more idiomatic.
2021-07-11 14:53:54 -07:00
Tony Arcieri (iqlusion) de51b0cc46 Add Result alias (#271)
Adds a `yubikey::Result` alias with `yubikey::Error` as the error type.

Since we only have one `Error` type, this simplifies the return types
where a `Result` is returned.
2021-07-11 09:44:08 -07:00
Tony Arcieri (iqlusion) 1051eaf26d Rename Ccc::cccid => Ccc::card_id (#270)
Better reflects the return type
2021-07-11 09:00:58 -07:00
Tony Arcieri (iqlusion) a1d9c7afc5 Fix clippy::upper_case_acronyms nits; small cleanups (#269)
Renames the following to match Rust idioms:
- `APDU` => `Apdu`
- `CCC` => `Ccc`
- `CHUID` => `ChuId`

Also removes `Copy` from `mscmap::Container`, which fixes a clippy lint
about its usage of `to_bytes`.
2021-07-11 08:51:25 -07:00
Tony Arcieri (iqlusion) 2c06626c25 Bump elliptic-curve to v0.10; MSRV 1.51+ (#268)
Also updates the following:
- `p256` v0.9
- `p384` v0.8
2021-07-11 08:14:14 -07:00
Tony Arcieri (iqlusion) a2a912fc3c Rename to yubikey.rs (#267)
We now have publishing rights to the `yubikey` crate.

This commit renames the project to yubikey.rs

Co-authored-by: Tony Arcieri <bascule@gmail.com>
2021-07-10 17:02:59 -07:00
dependabot[bot] c9e2edc41f Bump sha-1 from 0.9.5 to 0.9.6 (#256)
Bumps [sha-1](https://github.com/RustCrypto/hashes) from 0.9.5 to 0.9.6.
- [Release notes](https://github.com/RustCrypto/hashes/releases)
- [Commits](https://github.com/RustCrypto/hashes/compare/sha-1-v0.9.5...sha-1-v0.9.6)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-05-19 11:35:31 -07:00
dependabot[bot] 20bf9b0679 Bump sha2 from 0.9.4 to 0.9.5 (#257)
Bumps [sha2](https://github.com/RustCrypto/hashes) from 0.9.4 to 0.9.5.
- [Release notes](https://github.com/RustCrypto/hashes/releases)
- [Commits](https://github.com/RustCrypto/hashes/compare/sha2-v0.9.4...sha2-v0.9.5)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-05-19 11:17:23 -07:00
dependabot[bot] 0d4d4f7f06 Bump p256 from 0.8.0 to 0.8.1 (#255)
Bumps [p256](https://github.com/RustCrypto/elliptic-curves) from 0.8.0 to 0.8.1.
- [Release notes](https://github.com/RustCrypto/elliptic-curves/releases)
- [Commits](https://github.com/RustCrypto/elliptic-curves/compare/p256/v0.8.0...p256/v0.8.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-05-17 14:17:17 -07:00
Shella Stephens d31872964d Cargo.lock: bump sha-1 & sha2 (#254) 2021-05-10 09:05:28 -07:00
Tony Arcieri (iqlusion) 865353f4da RustCrypto dependency updates; MSRV 1.47+ (#251)
Updates the following dependencies:
- `des` v0.7
- `elliptic-curve` v0.9
- `hmac` v0.11
- `pbkdf2` v0.8
- `p256` v0.8
- `p384` v0.7
2021-04-30 07:09:24 -07:00
Shella Stephens 1ad17bb025 .github/workflows/ci.yml: fix override: true (#250)
* .github/workflows/ci.yml: fix override: true

* cargo update
2021-04-27 14:36:20 -07:00
Shella Stephens d33e80faea Update rsa to v0.4.0 & fix cargo audit (#246)
* Bump rsa to v0.4.0
2021-03-29 09:12:33 -07:00
43 changed files with 3174 additions and 2050 deletions
+5
View File
@@ -0,0 +1,5 @@
[advisories]
ignore = [
"RUSTSEC-2020-0071", # chrono
"RUSTSEC-2021-0145", # atty
] # advisory IDs to ignore e.g. ["RUSTSEC-2019-0001", ...]
+6 -5
View File
@@ -36,13 +36,13 @@ jobs:
toolchain: stable toolchain: stable
deps: true deps: true
- platform: ubuntu-latest - platform: ubuntu-latest
toolchain: 1.46.0 # MSRV toolchain: 1.65.0 # MSRV
deps: sudo apt-get install libpcsclite-dev deps: sudo apt-get install libpcsclite-dev
- platform: windows-latest - platform: windows-latest
toolchain: 1.46.0 # MSRV toolchain: 1.65.0 # MSRV
deps: true deps: true
- platform: macos-latest - platform: macos-latest
toolchain: 1.46.0 # MSRV toolchain: 1.65.0 # MSRV
deps: true deps: true
runs-on: ${{ matrix.platform }} runs-on: ${{ matrix.platform }}
steps: steps:
@@ -82,7 +82,8 @@ jobs:
- uses: actions-rs/toolchain@v1 - uses: actions-rs/toolchain@v1
with: with:
profile: minimal profile: minimal
toolchain: 1.46.0 # MSRV toolchain: 1.65.0
components: clippy components: clippy
override: true
- run: sudo apt-get install libpcsclite-dev - run: sudo apt-get install libpcsclite-dev
- run: cargo clippy --all --exclude crypto_box --all-features -- -D warnings - run: cargo clippy --all --all-features -- -D warnings
+1 -1
View File
@@ -42,4 +42,4 @@ jobs:
uses: actions-rs/cargo@v1 uses: actions-rs/cargo@v1
with: with:
command: audit command: audit
args: --deny-warnings --ignore RUSTSEC-2019-0031 # spin args: --deny warnings
+187 -49
View File
@@ -4,7 +4,145 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## 0.3.0 (2021-03-22) ## Unreleased
### Added
- `YubiKey::disconnect`
- `impl Debug for {Context, YubiKey}`
- `Error::AppletNotFound`
### Changed
- `Reader::open` now returns `Error::AppletNotFound` instead of `Error::Generic`
if the PIV applet is not present on the device. This is returned by non-PIV
virtual smart cards like Windows Hello for Business, as well as some smart
card readers when no card is present.
- `Reader::open` now avoids resetting the card if an error occurs (equivalent to
calling `YubiKey::disconnect(pcsc::Disposition::LeaveCard)` if `Reader::open`
succeeds).
### Fixed
- `StatusWords::code` now returns the correct code (including embedded `tries`
count) for `StatusWords::VerifyFailError`. Previously the returned code lost
information and was not round-trip compatible with `StatusWords::from(u16)`.
## 0.7.0 (2022-11-14)
### Added
- Display inner PC/SC errors ([#420])
- Support for metadata command ([#371])
- Better `certificate::Serial` inspection ([#437])
### Changed
- MSRV 1.60.0 ([#423])
- Bump `rsa` to v0.7.1 ([#440])
- Switch from `lazy_static` to `once_cell` ([#442])
- Switch from `subtle-encoding` to `base16ct` ([#443])
### Fixed
- Use `chrono` v0.4.23 or newer ([#436])
- `Certificate::issuer` was returning the subject instead ([#437])
[#371]: https://github.com/iqlusioninc/yubikey.rs/pull/371
[#420]: https://github.com/iqlusioninc/yubikey.rs/pull/420
[#423]: https://github.com/iqlusioninc/yubikey.rs/pull/423
[#436]: https://github.com/iqlusioninc/yubikey.rs/pull/436
[#437]: https://github.com/iqlusioninc/yubikey.rs/pull/437
[#440]: https://github.com/iqlusioninc/yubikey.rs/pull/440
[#442]: https://github.com/iqlusioninc/yubikey.rs/pull/442
[#443]: https://github.com/iqlusioninc/yubikey.rs/pull/443
## 0.6.0 (2022-08-10)
### Changed
- 2021 edition upgrade ([#343])
- RustCrypto crate upgrades; MSRV 1.57 ([#378])
- `des` v0.8
- `elliptic-curve` v0.12
- `hmac` v0.12
- `num-bigint-dig` v0.8
- `pbkdf2` v0.11
- `p256` v0.11
- `p384` v0.11
- `rsa` v0.6
- `sha1` v0.10 (replacing `sha-1`)
- `sha2` v0.10
- Bump `uuid` to v1.0 ([#376])
- Bump `der-parser` to v8.0 ([#402])
- Bump `x509-parser` to v0.14 ([#402])
[#343]: https://github.com/iqlusioninc/yubikey.rs/pull/343
[#376]: https://github.com/iqlusioninc/yubikey.rs/pull/376
[#378]: https://github.com/iqlusioninc/yubikey.rs/pull/378
[#402]: https://github.com/iqlusioninc/yubikey.rs/pull/402
## 0.5.0 (2021-11-21)
### Changed
- Update `rsa` dependency to 0.5 ([#315])
- Update `pbkdf2` dependency to 0.9 ([#315])
- Update `x509-parser` dependency to 0.12 ([#315], [#322])
- Update `nom` to v7.0 ([#322])
[#315]: https://github.com/iqlusioninc/yubikey.rs/pull/315
[#322]: https://github.com/iqlusioninc/yubikey.rs/pull/322
## 0.4.2 (2021-07-13)
### Added
- Make `yubikey::Buffer` a pub type ([#290])
### Changed
- Have `YubiKey::block_puk` take `&mut self` as argument ([#289])
[#289]: https://github.com/iqlusioninc/yubikey.rs/pull/289
[#290]: https://github.com/iqlusioninc/yubikey.rs/pull/290
## 0.4.1 (2021-07-12)
### Changed
- Rename `SettingValue` to `Setting` ([#286])
- Rename `Ccc` to `CccId` ([#287])
[#286]: https://github.com/iqlusioninc/yubikey.rs/pull/286
[#287]: https://github.com/iqlusioninc/yubikey.rs/pull/287
## 0.4.0 (2021-07-12) [YANKED]
### Added
- `Result` alias ([#271])
### Changed
- Renamed crate from `yubikey-piv` => `yubikey` ([#267])
- Renamed the following:
- `APDU` => `Apdu` ([#269])
- `CCC` => `Ccc` ([#269])
- `CHUID` => `ChuId` ([#269])
- `Ccc::cccid` => `Ccc::card_id` ([#270])
- `key` => `piv` ([#277])
- `readers` => `reader` ([#278])
- `readers::Readers` => `reader::Context` ([#278])
- Bumped the following dependencies:
- `rsa` => v0.4 ([#246])
- `des` => v0.7 ([#251])
- `elliptic-curve` => v0.10 ([#268])
- `hmac` => v0.11 ([#251])
- `pbkdf2` => v0.8 ([#251])
- `p256` => v0.9 ([#268])
- `p384` => v0.8 ([#268])
- MSRV 1.51+ ([#268])
- Flatten API ([#274])
- Replace `getrandom` with `rand_core` ([#276])
### Fixed
- Potential local DoS in TLV parser ([#279])
[#246]: https://github.com/iqlusioninc/yubikey.rs/pull/246
[#251]: https://github.com/iqlusioninc/yubikey.rs/pull/251
[#267]: https://github.com/iqlusioninc/yubikey.rs/pull/267
[#268]: https://github.com/iqlusioninc/yubikey.rs/pull/268
[#269]: https://github.com/iqlusioninc/yubikey.rs/pull/269
[#270]: https://github.com/iqlusioninc/yubikey.rs/pull/270
[#271]: https://github.com/iqlusioninc/yubikey.rs/pull/271
[#274]: https://github.com/iqlusioninc/yubikey.rs/pull/274
[#276]: https://github.com/iqlusioninc/yubikey.rs/pull/276
[#277]: https://github.com/iqlusioninc/yubikey.rs/pull/277
[#278]: https://github.com/iqlusioninc/yubikey.rs/pull/278
[#279]: https://github.com/iqlusioninc/yubikey.rs/pull/279
## yubikey-piv 0.3.0 (2021-03-22)
### Added ### Added
- Typed structs for PIN-protected and admin metadata ([#223]) - Typed structs for PIN-protected and admin metadata ([#223])
- `MgmKey::set_default`/`MgmKey::set_manual` methods ([#224]) - `MgmKey::set_default`/`MgmKey::set_manual` methods ([#224])
@@ -15,10 +153,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Removed ### Removed
- `MgmKey::set` method ([#224]) - `MgmKey::set` method ([#224])
[#223]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/223 [#223]: https://github.com/iqlusioninc/yubikey.rs/pull/223
[#224]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/224 [#224]: https://github.com/iqlusioninc/yubikey.rs/pull/224
## 0.2.0 (2021-01-30) ## yubikey-piv 0.2.0 (2021-01-30)
### Changed ### Changed
- Bump `der-parser` to v5.0 ([#194]) - Bump `der-parser` to v5.0 ([#194])
- Improve self-signed certificates ([#207]) - Improve self-signed certificates ([#207])
@@ -27,12 +165,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Bump MSRV to 1.46+ ([#208]) - Bump MSRV to 1.46+ ([#208])
- Bump `pbkdf2` dependency to v0.7 ([#219]) - Bump `pbkdf2` dependency to v0.7 ([#219])
[#194]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/194 [#194]: https://github.com/iqlusioninc/yubikey.rs/pull/194
[#207]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/207 [#207]: https://github.com/iqlusioninc/yubikey.rs/pull/207
[#208]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/208 [#208]: https://github.com/iqlusioninc/yubikey.rs/pull/208
[#219]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/219 [#219]: https://github.com/iqlusioninc/yubikey.rs/pull/219
## 0.1.0 (2020-10-19) ## yubikey-piv 0.1.0 (2020-10-19)
### Added ### Added
- `Certificate::generate_self_signed` ([#80]) - `Certificate::generate_self_signed` ([#80])
- `YubiKey::open_by_serial` ([#69]) - `YubiKey::open_by_serial` ([#69])
@@ -57,24 +195,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Removed ### Removed
- YubiKey NEO support ([#63]) - YubiKey NEO support ([#63])
[#177]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/177 [#177]: https://github.com/iqlusioninc/yubikey.rs/pull/177
[#175]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/175 [#175]: https://github.com/iqlusioninc/yubikey.rs/pull/175
[#128]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/128 [#128]: https://github.com/iqlusioninc/yubikey.rs/pull/128
[#82]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/82 [#82]: https://github.com/iqlusioninc/yubikey.rs/pull/82
[#73]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/73 [#73]: https://github.com/iqlusioninc/yubikey.rs/pull/73
[#88]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/88 [#88]: https://github.com/iqlusioninc/yubikey.rs/pull/88
[#80]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/80 [#80]: https://github.com/iqlusioninc/yubikey.rs/pull/80
[#69]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/69 [#69]: https://github.com/iqlusioninc/yubikey.rs/pull/69
[#68]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/68 [#68]: https://github.com/iqlusioninc/yubikey.rs/pull/68
[#67]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/67 [#67]: https://github.com/iqlusioninc/yubikey.rs/pull/67
[#65]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/65 [#65]: https://github.com/iqlusioninc/yubikey.rs/pull/65
[#64]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/64 [#64]: https://github.com/iqlusioninc/yubikey.rs/pull/64
[#63]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/63 [#63]: https://github.com/iqlusioninc/yubikey.rs/pull/63
[#62]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/62 [#62]: https://github.com/iqlusioninc/yubikey.rs/pull/62
[#61]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/61 [#61]: https://github.com/iqlusioninc/yubikey.rs/pull/61
[#60]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/60 [#60]: https://github.com/iqlusioninc/yubikey.rs/pull/60
## 0.0.3 (2019-12-02) ## yubikey-piv 0.0.3 (2019-12-02)
### Added ### Added
- Initial `Readers` enumerator for detecting YubiKeys ([#51]) - Initial `Readers` enumerator for detecting YubiKeys ([#51])
- Certificate parsing ([#45]) - Certificate parsing ([#45])
@@ -90,19 +228,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- `Ins` (APDU instruction codes) enum ([#33]) - `Ins` (APDU instruction codes) enum ([#33])
- Factor `Response` into `apdu` module; improved debugging ([#32]) - Factor `Response` into `apdu` module; improved debugging ([#32])
[#51]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/51 [#51]: https://github.com/iqlusioninc/yubikey.rs/pull/51
[#45]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/45 [#45]: https://github.com/iqlusioninc/yubikey.rs/pull/45
[#44]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/44 [#44]: https://github.com/iqlusioninc/yubikey.rs/pull/44
[#43]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/43 [#43]: https://github.com/iqlusioninc/yubikey.rs/pull/43
[#42]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/42 [#42]: https://github.com/iqlusioninc/yubikey.rs/pull/42
[#39]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/39 [#39]: https://github.com/iqlusioninc/yubikey.rs/pull/39
[#37]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/37 [#37]: https://github.com/iqlusioninc/yubikey.rs/pull/37
[#36]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/36 [#36]: https://github.com/iqlusioninc/yubikey.rs/pull/36
[#34]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/34 [#34]: https://github.com/iqlusioninc/yubikey.rs/pull/34
[#33]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/33 [#33]: https://github.com/iqlusioninc/yubikey.rs/pull/33
[#32]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/32 [#32]: https://github.com/iqlusioninc/yubikey.rs/pull/32
## 0.0.2 (2019-11-25) ## yubikey-piv 0.0.2 (2019-11-25)
### Added ### Added
- `untested` Cargo feature to mark untested functionality ([#30]) - `untested` Cargo feature to mark untested functionality ([#30])
- Initial connect test and docs ([#19]) - Initial connect test and docs ([#19])
@@ -117,16 +255,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Use `log` crate for logging ([#7]) - Use `log` crate for logging ([#7])
- Replace `ErrorKind::Ok` with `Result` ([#6]) - Replace `ErrorKind::Ok` with `Result` ([#6])
[#30]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/30 [#30]: https://github.com/iqlusioninc/yubikey.rs/pull/30
[#19]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/19 [#19]: https://github.com/iqlusioninc/yubikey.rs/pull/19
[#17]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/17 [#17]: https://github.com/iqlusioninc/yubikey.rs/pull/17
[#15]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/15 [#15]: https://github.com/iqlusioninc/yubikey.rs/pull/15
[#13]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/13 [#13]: https://github.com/iqlusioninc/yubikey.rs/pull/13
[#10]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/10 [#10]: https://github.com/iqlusioninc/yubikey.rs/pull/10
[#9]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/9 [#9]: https://github.com/iqlusioninc/yubikey.rs/pull/9
[#8]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/8 [#8]: https://github.com/iqlusioninc/yubikey.rs/pull/8
[#7]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/7 [#7]: https://github.com/iqlusioninc/yubikey.rs/pull/7
[#6]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/6 [#6]: https://github.com/iqlusioninc/yubikey.rs/pull/6
## 0.0.1 (2019-11-18) ## yubikey-piv 0.0.1 (2019-11-18)
- Initial release - Initial release
+1 -1
View File
@@ -1,4 +1,4 @@
Copyright (c) 2014-2019 Yubico AB, Tony Arcieri Copyright (c) 2014-2021 Yubico AB, Tony Arcieri
All rights reserved. All rights reserved.
Redistribution and use in source and binary forms, with or without Redistribution and use in source and binary forms, with or without
Generated
+798 -513
View File
File diff suppressed because it is too large Load Diff
+34 -34
View File
@@ -1,60 +1,60 @@
[package] [package]
name = "yubikey-piv" name = "yubikey"
version = "0.3.0" # Also update html_root_url in lib.rs when bumping this version = "0.8.0-pre.0"
description = """ description = """
Pure Rust host-side driver for the YubiKey Personal Identity Verification (PIV) Pure Rust cross-platform host-side driver for YubiKey devices from Yubico with
application providing general-purpose public-key signing and encryption support for hardware-backed public-key decryption and digital signatures using
with hardware-backed private keys for RSA (2048/1024) and ECC (P-256/P-384) the Personal Identity Verification (PIV) application. Supports RSA (1024/2048)
algorithms (e.g, PKCS#1v1.5, ECDSA) or ECC (NIST P-256/P-384) algorithms e.g, PKCS#1v1.5, ECDSA
""" """
authors = ["Tony Arcieri <tony@iqlusion.io>", "Yubico AB"] authors = ["Tony Arcieri <tony@iqlusion.io>", "Yubico AB"]
edition = "2018"
license = "BSD-2-Clause" license = "BSD-2-Clause"
repository = "https://github.com/iqlusioninc/yubikey-piv.rs" repository = "https://github.com/iqlusioninc/yubikey.rs"
readme = "README.md" readme = "README.md"
categories = ["api-bindings", "cryptography", "hardware-support"] categories = ["api-bindings", "authentication", "cryptography", "hardware-support"]
keywords = ["ecdsa", "rsa", "piv", "pcsc", "yubikey"] keywords = ["ecdsa", "encryption", "rsa", "piv", "signature"]
edition = "2021"
rust-version = "1.65"
[workspace] [workspace]
members = [".", "cli"] members = [".", "cli"]
[badges]
maintenance = { status = "experimental" }
[dependencies] [dependencies]
chrono = "0.4" chrono = "0.4.23"
cookie-factory = "0.3" cookie-factory = "0.3"
der-parser = "5" der-parser = "8"
des = "0.6" des = "0.8"
elliptic-curve = "0.8" elliptic-curve = "0.13"
getrandom = "0.1" hex = { package = "base16ct", version = "0.2", features = ["alloc"] }
hmac = "0.10" hmac = "0.12"
log = "0.4" log = "0.4"
nom = "6" nom = "7"
num-bigint = { version = "0.6", features = ["rand"], package = "num-bigint-dig" } num-bigint-dig = { version = "0.8", features = ["rand"] }
num-traits = "0.2" num-traits = "0.2"
num-integer = "0.1" num-integer = "0.1"
pbkdf2 = { version = "0.7", default-features = false } p256 = "0.13"
p256 = "0.7" p384 = "0.13"
p384 = "0.6" pbkdf2 = { version = "0.12", default-features = false, features = ["hmac"] }
pcsc = "2" pcsc = "2.3.1"
rsa = "0.3" rand_core = { version = "0.6", features = ["std"] }
secrecy = "0.7" rsa = "=0.9.0-pre.0"
sha-1 = "0.9" secrecy = "0.8"
sha2 = "0.9" sha1 = { version = "0.10", features = ["oid"] }
sha2 = { version = "0.10", features = ["oid"] }
subtle = "2" subtle = "2"
subtle-encoding = "0.5" uuid = { version = "1.2", features = ["v4"] }
x509 = "0.2" x509 = "0.2"
x509-parser = "0.9" x509-parser = "0.14"
zeroize = "1" zeroize = "1"
[dev-dependencies] [dev-dependencies]
env_logger = "0.8" env_logger = "0.10"
ring = "0.16.18" once_cell = "1"
lazy_static = "1" signature = "2"
[features] [features]
untested = [] untested = []
[package.metadata.docs.rs] [package.metadata.docs.rs]
all-features = true all-features = true
rustdoc-args = ["--cfg", "docsrs"]
+106 -82
View File
@@ -1,18 +1,21 @@
<img src="https://raw.githubusercontent.com/iqlusioninc/yubikey-piv.rs/main/img/logo.png" width="150" height="110"> <img src="https://raw.githubusercontent.com/iqlusioninc/yubikey.rs/main/img/logo.png" width="150" height="110">
# yubikey-piv.rs # yubikey.rs
[![crate][crate-image]][crate-link] [![crate][crate-image]][crate-link]
[![Docs][docs-image]][docs-link] [![Docs][docs-image]][docs-link]
[![2-Clause BSD Licensed][license-image]][license-link]
![Rust Version][rustc-image]
![Maintenance Status: Experimental][maintenance-image]
[![Safety Dance][safety-image]][safety-link]
[![Build Status][build-image]][build-link] [![Build Status][build-image]][build-link]
[![Gitter Chat][gitter-image]][gitter-link] [![Safety Dance][safety-image]][safety-link]
[![Dependency Status][deps-image]][deps-link]
[![2-Clause BSD Licensed][license-image]][license-link]
![MSRV][msrv-image]
Pure Rust host-side YubiKey [Personal Identity Verification (PIV)][PIV] driver Pure Rust cross-platform host-side driver for [YubiKey] devices from [Yubico]
with general-purpose public-key encryption and signing support. with support for public-key encryption and digital signatures using the
[Personal Identity Verification (PIV)][PIV] application.
Uses the Personal Computer/Smart Card ([PC/SC]) interface with cross-platform
access provided by the [`pcsc` crate].
[Documentation][docs-link] [Documentation][docs-link]
@@ -26,17 +29,44 @@ encryption (PKCS#1v1.5/ECIES) use cases are supported for either key type.
See [Yubico's guide to PIV-enabled YubiKeys][yk-guide] for more information See [Yubico's guide to PIV-enabled YubiKeys][yk-guide] for more information
on which devices support PIV and the available functionality. on which devices support PIV and the available functionality.
If you've been wanting to use Rust to sign and/or encrypt stuff using a If you've been wanting to use Rust to sign and/or encrypt data using a
private key generated and stored on a Yubikey (with option PIN-based access), private key generated and stored on a YubiKey (with option PIN-based access),
this is the crate you've been after! this is the crate you've been after!
Note that while this project started as a fork of a [Yubico] project, Note that while this project started as a fork of a [Yubico] project,
this fork is **NOT** an official Yubico project and is in no way supported or this fork is **NOT** an official Yubico project and is in no way supported or
endorsed by Yubico. endorsed by Yubico.
## Features
### Personal Identity Verification (PIV)
[PIV] is a [NIST] standard for both *signing* and *encryption*
using SmartCards and SmartCard-based hardware tokens like YubiKeys.
PIV-related functionality can be found in the [`piv`] module.
This library natively implements the protocol used to manage and
utilize PIV encryption and signing keys which can be generated, imported,
and stored on YubiKey devices.
See [Yubico's guide to PIV-enabled YubiKeys][yk-guide] for more information
on which devices support PIV and the available functionality.
### Supported Algorithms
- **Authentication**: `3DES`
- **Encryption**:
- RSA: `RSA1024`, `RSA2048`
- ECC: `ECCP256`, `ECCP384` (NIST curves: P-256, P-384)
- **Signatures**:
- RSASSA-PKCS#1v1.5: `RSA1024`, `RSA2048`
- ECDSA: `ECCP256`, `ECCP384` (NIST curves: P-256, P-384)
NOTE: RSASSA-PSS signatures and RSA-OAEP encryption may be supportable (TBD)
## Minimum Supported Rust Version ## Minimum Supported Rust Version
- Rust **1.46** or newer Rust **1.60** or newer.
## Supported YubiKeys ## Supported YubiKeys
@@ -46,6 +76,12 @@ endorsed by Yubico.
NOTE: Nano and USB-C variants of the above are also supported. NOTE: Nano and USB-C variants of the above are also supported.
Pre-YK4 [YubiKey NEO] series is **NOT** supported (see [#18]). Pre-YK4 [YubiKey NEO] series is **NOT** supported (see [#18]).
## Supported Operating Systems
- Linux
- macOS
- Windows
## Security Warning ## Security Warning
No security audits of this crate have ever been performed. Presently it is in No security audits of this crate have ever been performed. Presently it is in
@@ -55,38 +91,14 @@ USE AT YOUR OWN RISK!
## Status ## Status
This project is a largely incomplete work-in-progress. So far the only Functionality which has been successfully tested is available by default.
functionality which has actually been tested is connecting to Yubikeys.
If you're interested helping test functionality, the table below documents Any functionality which is gated on the `untested` feature has not been
the current status of the project and relevant GitHub issues for various properly tested and is not known to function correctly.
functions of the YubiKey:
| | Module | Issue | Description | Please see the [`untested` functionality tracking issue] for current status.
|----|---------------|-------|-------------| We would appreciate any help testing this functionality and removing the
| 🚧 | `yubikey` | [#20] | Core functionality: auth, keys, PIN/PUK, encrypt, sign, attest | `untested` gating as well as writing more automated tests.
| 🚧 | `cccid` | [#21] | Cardholder Capability Container (CCC) IDs |
| 🚧️ | `certificate` | [#22] | Certificates for stored keys |
| 🚧 | `chuid` | [#23] | Cardholder Unique Identifier (CHUID) |
| ✅️ | `config` | [#24] | Support for reading on-key configuration |
| 🚧 | `key` | [#26] | Crypto key management: list, generate, import |
| 🚧 | `mgm` | [#26] | Management Key (MGM) support: set, get, derive |
| ⚠️ | `mscmap` | [#25] | MS Container Map Records |
| ⚠️ | `msroots` | [#28] | `msroots` file: PKCS#7 formatted certificate store for enterprise trusted roots |
Legend:
| | Description |
|----|------------------------------------|
| ✅ | Working |
| 🚧 | Testing and validation in progress |
| ⚠️ | Untested support |
NOTE: Commands marked ⚠️ are disabled by default as they have have not been properly tested and may contain bugs or
not work at all. USE AT YOUR OWN RISK!
Enable the `untested` feature in your `Cargo.toml` to enable features marked ⚠️
above.
## Testing ## Testing
@@ -97,7 +109,7 @@ Tests which run live against a YubiKey device are marked as `#[ignore]` by
default in order to pass when running in a CI environment. To run these default in order to pass when running in a CI environment. To run these
tests locally, invoke the following command: tests locally, invoke the following command:
``` ```shell
cargo test -- --ignored cargo test -- --ignored
``` ```
@@ -106,26 +118,26 @@ information about what is happening. If you'd like to print this logging
information while running the tests, set the `RUST_LOG` environment variable information while running the tests, set the `RUST_LOG` environment variable
to a relevant loglevel (e.g. `error`, `warn`, `info`, `debug`, `trace`): to a relevant loglevel (e.g. `error`, `warn`, `info`, `debug`, `trace`):
``` ```shell
RUST_LOG=info cargo test -- --ignored RUST_LOG=info cargo test -- --ignored
``` ```
To trace every message sent to/from the card i.e. the raw To trace every message sent to/from the card i.e. the raw
Application Protocol Data Unit (APDU) messages, use the `trace` log level: Application Protocol Data Unit (APDU) messages, use the `trace` log level:
``` ```text
running 1 test running 1 test
[INFO yubikey_piv::yubikey] trying to connect to reader 'Yubico YubiKey OTP+FIDO+CCID' [INFO yubikey::yubikey] trying to connect to reader 'Yubico YubiKey OTP+FIDO+CCID'
[INFO yubikey_piv::yubikey] connected to 'Yubico YubiKey OTP+FIDO+CCID' successfully [INFO yubikey::yubikey] connected to 'Yubico YubiKey OTP+FIDO+CCID' successfully
[TRACE yubikey_piv::apdu] >>> APDU { cla: 0, ins: SelectApplication, p1: 4, p2: 0, data: [160, 0, 0, 3, 8] } [TRACE yubikey::apdu] >>> Apdu { cla: 0, ins: SelectApplication, p1: 4, p2: 0, data: [160, 0, 0, 3, 8] }
[TRACE yubikey_piv::transaction] >>> [0, 164, 4, 0, 5, 160, 0, 0, 3, 8] [TRACE yubikey::transaction] >>> [0, 164, 4, 0, 5, 160, 0, 0, 3, 8]
[TRACE yubikey_piv::apdu] <<< Response { status_words: Success, data: [97, 17, 79, 6, 0, 0, 16, 0, 1, 0, 121, 7, 79, 5, 160, 0, 0, 3, 8] } [TRACE yubikey::apdu] <<< Response { status_words: Success, data: [97, 17, 79, 6, 0, 0, 16, 0, 1, 0, 121, 7, 79, 5, 160, 0, 0, 3, 8] }
[TRACE yubikey_piv::apdu] >>> APDU { cla: 0, ins: GetVersion, p1: 0, p2: 0, data: [] } [TRACE yubikey::apdu] >>> Apdu { cla: 0, ins: GetVersion, p1: 0, p2: 0, data: [] }
[TRACE yubikey_piv::transaction] >>> [0, 253, 0, 0, 0] [TRACE yubikey::transaction] >>> [0, 253, 0, 0, 0]
[TRACE yubikey_piv::apdu] <<< Response { status_words: Success, data: [5, 1, 2] } [TRACE yubikey::apdu] <<< Response { status_words: Success, data: [5, 1, 2] }
[TRACE yubikey_piv::apdu] >>> APDU { cla: 0, ins: GetSerial, p1: 0, p2: 0, data: [] } [TRACE yubikey::apdu] >>> Apdu { cla: 0, ins: GetSerial, p1: 0, p2: 0, data: [] }
[TRACE yubikey_piv::transaction] >>> [0, 248, 0, 0, 0] [TRACE yubikey::transaction] >>> [0, 248, 0, 0, 0]
[TRACE yubikey_piv::apdu] <<< Response { status_words: Success, data: [0, 115, 0, 178] } [TRACE yubikey::apdu] <<< Response { status_words: Success, data: [0, 115, 0, 178] }
test connect ... ok test connect ... ok
``` ```
@@ -139,6 +151,14 @@ Yubico, which was originally written in C. It was mechanically translated
from C into Rust using [Corrode], and then subsequently heavily from C into Rust using [Corrode], and then subsequently heavily
refactored into safer, more idiomatic Rust. refactored into safer, more idiomatic Rust.
For more information on [yubico-piv-tool] and background information on how
the YubiKey implementation of PIV works in general, see the
[Yubico PIV Tool Command Line Guide][piv-tool-guide].
## ⚠️ Security Warning
No security audits of this crate have ever been performed.
## Code of Conduct ## Code of Conduct
We abide by the [Contributor Covenant][cc-md] and ask that you do as well. We abide by the [Contributor Covenant][cc-md] and ask that you do as well.
@@ -147,12 +167,12 @@ For more information, please see [CODE_OF_CONDUCT.md][cc-md].
## License ## License
**yubikey-piv.rs** is a fork of and originally a mechanical translation from **yubikey.rs** is a fork of and originally a mechanical translation from
Yubico's [yubico-piv-tool], a C library/CLI program. The original library Yubico's [yubico-piv-tool], a C library/CLI program. The original library
was licensed under a [2-Clause BSD License][BSDL], which this library inherits was licensed under a [2-Clause BSD License][BSDL], which this library inherits
as a derived work. as a derived work.
Copyright (c) 2014-2020 Yubico AB, Tony Arcieri Copyright (c) 2014-2023 Yubico AB, Tony Arcieri
All rights reserved. All rights reserved.
Redistribution and use in source and binary forms, with or without Redistribution and use in source and binary forms, with or without
@@ -188,44 +208,48 @@ or conditions.
[//]: # (badges) [//]: # (badges)
[crate-image]: https://img.shields.io/crates/v/yubikey-piv.svg [crate-image]: https://buildstats.info/crate/yubikey
[crate-link]: https://crates.io/crates/yubikey-piv [crate-link]: https://crates.io/crates/yubikey
[docs-image]: https://docs.rs/yubikey-piv/badge.svg [docs-image]: https://docs.rs/yubikey/badge.svg
[docs-link]: https://docs.rs/yubikey-piv/ [docs-link]: https://docs.rs/yubikey/
[license-image]: https://img.shields.io/badge/license-BSD-blue.svg [license-image]: https://img.shields.io/badge/license-BSD-blue.svg
[license-link]: https://github.com/iqlusioninc/yubikey-piv.rs/blob/main/COPYING [license-link]: https://github.com/iqlusioninc/yubikey.rs/blob/main/COPYING
[rustc-image]: https://img.shields.io/badge/rustc-1.46+-blue.svg [msrv-image]: https://img.shields.io/badge/rustc-1.65+-blue.svg
[maintenance-image]: https://img.shields.io/badge/maintenance-experimental-blue.svg
[safety-image]: https://img.shields.io/badge/unsafe-forbidden-success.svg [safety-image]: https://img.shields.io/badge/unsafe-forbidden-success.svg
[safety-link]: https://github.com/rust-secure-code/safety-dance/ [safety-link]: https://github.com/rust-secure-code/safety-dance/
[build-image]: https://github.com/iqlusioninc/yubikey-piv.rs/workflows/CI/badge.svg?branch=main&event=push [build-image]: https://github.com/iqlusioninc/yubikey.rs/workflows/CI/badge.svg?branch=main&event=push
[build-link]: https://github.com/iqlusioninc/yubikey-piv.rs/actions [build-link]: https://github.com/iqlusioninc/yubikey.rs/actions
[gitter-image]: https://badges.gitter.im/badge.svg [deps-image]: https://deps.rs/repo/github/iqlusioninc/yubikey.rs/status.svg
[gitter-link]: https://gitter.im/iqlusioninc/community [deps-link]: https://deps.rs/repo/github/iqlusioninc/yubikey.rs
[//]: # (general links) [//]: # (general links)
[PIV]: https://piv.idmanagement.gov/ [YubiKey]: https://www.yubico.com/products/yubikey-hardware/
[yk-guide]: https://developers.yubico.com/PIV/Introduction/YubiKey_and_PIV.html
[Yubico]: https://www.yubico.com/ [Yubico]: https://www.yubico.com/
[PIV]: https://piv.idmanagement.gov/
[NIST]: https://www.nist.gov/
[PC/SC]: https://en.wikipedia.org/wiki/PC/SC
[`pcsc` crate]: https://github.com/bluetech/pcsc-rust
[yk-guide]: https://developers.yubico.com/PIV/Introduction/YubiKey_and_PIV.html
[YubiKey NEO]: https://support.yubico.com/support/solutions/articles/15000006494-yubikey-neo [YubiKey NEO]: https://support.yubico.com/support/solutions/articles/15000006494-yubikey-neo
[YubiKey 4]: https://support.yubico.com/support/solutions/articles/15000006486-yubikey-4 [YubiKey 4]: https://support.yubico.com/support/solutions/articles/15000006486-yubikey-4
[YubiKey 5]: https://www.yubico.com/products/yubikey-5-overview/ [YubiKey 5]: https://www.yubico.com/products/yubikey-5-overview/
[yubico-piv-tool]: https://github.com/Yubico/yubico-piv-tool/ [yubico-piv-tool]: https://github.com/Yubico/yubico-piv-tool/
[Corrode]: https://github.com/jameysharp/corrode [Corrode]: https://github.com/jameysharp/corrode
[cc-web]: https://contributor-covenant.org/ [cc-web]: https://contributor-covenant.org/
[cc-md]: https://github.com/iqlusioninc/yubikey-piv.rs/blob/main/CODE_OF_CONDUCT.md [cc-md]: https://github.com/iqlusioninc/yubikey.rs/blob/main/CODE_OF_CONDUCT.md
[BSDL]: https://opensource.org/licenses/BSD-2-Clause [BSDL]: https://opensource.org/licenses/BSD-2-Clause
[`untested` functionality tracking issue]: https://github.com/iqlusioninc/yubikey.rs/issues/280
[//]: # (github issues) [//]: # (github issues)
[#18]: https://github.com/iqlusioninc/yubikey-piv.rs/issues/18 [#18]: https://github.com/iqlusioninc/yubikey.rs/issues/18
[#20]: https://github.com/iqlusioninc/yubikey-piv.rs/issues/20 [#20]: https://github.com/iqlusioninc/yubikey.rs/issues/20
[#21]: https://github.com/iqlusioninc/yubikey-piv.rs/issues/21 [#21]: https://github.com/iqlusioninc/yubikey.rs/issues/21
[#22]: https://github.com/iqlusioninc/yubikey-piv.rs/issues/22 [#22]: https://github.com/iqlusioninc/yubikey.rs/issues/22
[#23]: https://github.com/iqlusioninc/yubikey-piv.rs/issues/23 [#23]: https://github.com/iqlusioninc/yubikey.rs/issues/23
[#24]: https://github.com/iqlusioninc/yubikey-piv.rs/issues/24 [#24]: https://github.com/iqlusioninc/yubikey.rs/issues/24
[#25]: https://github.com/iqlusioninc/yubikey-piv.rs/issues/25 [#25]: https://github.com/iqlusioninc/yubikey.rs/issues/25
[#26]: https://github.com/iqlusioninc/yubikey-piv.rs/issues/26 [#26]: https://github.com/iqlusioninc/yubikey.rs/issues/26
[#27]: https://github.com/iqlusioninc/yubikey-piv.rs/issues/27 [#27]: https://github.com/iqlusioninc/yubikey.rs/issues/27
[#28]: https://github.com/iqlusioninc/yubikey-piv.rs/issues/28 [#28]: https://github.com/iqlusioninc/yubikey.rs/issues/28
+47 -10
View File
@@ -4,36 +4,73 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## 0.7.0 (2022-11-14)
### Changed
- Bump `clap` to v4.0 ([#438])
- Bump `x509-parser` to v0.14 ([#441])
- Switch from `lazy_static` to `once_cell` ([#442])
- Switch from `subtle-encoding` to `base16ct` ([#443])
- Bump `yubikey` dependency to v0.7 ([#444])
[#438]: https://github.com/iqlusioninc/yubikey.rs/pull/438
[#441]: https://github.com/iqlusioninc/yubikey.rs/pull/441
[#442]: https://github.com/iqlusioninc/yubikey.rs/pull/442
[#443]: https://github.com/iqlusioninc/yubikey.rs/pull/443
[#444]: https://github.com/iqlusioninc/yubikey.rs/pull/444
## 0.6.0 (2022-08-10)
### Changed
- 2021 edition upgrade; MSRV 1.57 ([#343])
- Migrate from `gumdrop` to `clap` v3 ([#379])
- Bump `yubikey` dependency to v0.6 ([#403])
[#343]: https://github.com/iqlusioninc/yubikey.rs/pull/343
[#379]: https://github.com/iqlusioninc/yubikey.rs/pull/379
[#403]: https://github.com/iqlusioninc/yubikey.rs/pull/403
## 0.5.0 (2021-11-21)
### Changed
- Bump `yubikey` dependency to v0.5 ([#327])
[#327]: https://github.com/iqlusioninc/yubikey.rs/pull/327
## 0.4.0 (2021-07-12)
### Changed
- Switch to renamed `yubikey` crate ([#283])
- Bump MSRV to 1.51+ ([#283])
[#283]: https://github.com/iqlusioninc/yubikey.rs/pull/283
## 0.3.0 (2021-03-22) ## 0.3.0 (2021-03-22)
### Changed ### Changed
- Bump `yubikey-piv` dependency to v0.3 ([#240]) - Bump `yubikey-piv` dependency to v0.3 ([#240])
[#240]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/240 [#240]: https://github.com/iqlusioninc/yubikey.rs/pull/240
## 0.2.0 (2021-01-30) ## 0.2.0 (2021-01-30)
### Changed ### Changed
- Bump MSRV to 1.46+ ([#208]) - Bump MSRV to 1.46+ ([#208])
- Bump `yubikey-piv` dependency to v0.2 ([#220]) - Bump `yubikey-piv` dependency to v0.2 ([#220])
[#208]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/208 [#208]: https://github.com/iqlusioninc/yubikey.rs/pull/208
[#220]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/220 [#220]: https://github.com/iqlusioninc/yubikey.rs/pull/220
## 0.1.0 (2020-10-19) ## 0.1.0 (2020-10-19)
### Added ### Added
- `status` command ([#72], [#74]) - `status` command ([#72], [#74])
### Changed ### Changed
- Bump `yubikey-piv` to v0.1.0 ([#180]) - Bump `yubikey-piv` to v0.1 ([#180])
- Bump `x509-parser` to v0.8 ([#181]) - Bump `x509-parser` to v0.8 ([#181])
- Bump `sha2` to v0.9 ([#182]) - Bump `sha2` to v0.9 ([#182])
- Rename `list` command to `readers`; improve usage ([#71]) - Rename `list` command to `readers`; improve usage ([#71])
[#182]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/182 [#182]: https://github.com/iqlusioninc/yubikey.rs/pull/182
[#181]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/181 [#181]: https://github.com/iqlusioninc/yubikey.rs/pull/181
[#180]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/180 [#180]: https://github.com/iqlusioninc/yubikey.rs/pull/180
[#74]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/74 [#74]: https://github.com/iqlusioninc/yubikey.rs/pull/74
[#72]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/72 [#72]: https://github.com/iqlusioninc/yubikey.rs/pull/72
[#71]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/71 [#71]: https://github.com/iqlusioninc/yubikey.rs/pull/71
## 0.0.1 (2019-12-02) ## 0.0.1 (2019-12-02)
- Initial release - Initial release
+11 -10
View File
@@ -1,25 +1,26 @@
[package] [package]
name = "yubikey-cli" name = "yubikey-cli"
version = "0.3.0" version = "0.7.0"
description = """ description = """
Command-line interface for performing encryption and signing using RSA/ECC keys Command-line interface for performing encryption and signing using RSA/ECC keys
stored on YubiKey devices. stored on YubiKey devices.
""" """
authors = ["Tony Arcieri <tony@iqlusion.io>"] authors = ["Tony Arcieri <tony@iqlusion.io>"]
edition = "2018"
license = "BSD-2-Clause" license = "BSD-2-Clause"
repository = "https://github.com/iqlusioninc/yubikey-piv.rs" repository = "https://github.com/iqlusioninc/yubikey.rs"
readme = "README.md" readme = "README.md"
categories = ["command-line-utilities", "cryptography", "hardware-support"] categories = ["command-line-utilities", "cryptography", "hardware-support"]
keywords = ["ecdsa", "rsa", "piv", "pcsc", "yubikey"] keywords = ["ecdsa", "rsa", "piv", "pcsc", "yubikey"]
edition = "2021"
rust-version = "1.56"
[dependencies] [dependencies]
gumdrop = "0.8" clap = { version = "4", features = ["derive"] }
env_logger = "0.8" env_logger = "0.10"
lazy_static = "1" hex = { package = "base16ct", version = "0.2", features = ["alloc"] }
log = "0.4" log = "0.4"
sha2 = "0.9" once_cell = "1"
subtle-encoding = "0.5" sha2 = "0.10"
termcolor = "1" termcolor = "1"
x509-parser = "0.9" x509-parser = "0.14"
yubikey-piv = { version = "0.3", path = ".." } yubikey = { version = "0.8.0-pre.0", path = ".." }
+6 -10
View File
@@ -1,4 +1,4 @@
<img src="https://raw.githubusercontent.com/iqlusioninc/yubikey-piv.rs/main/img/logo.png" width="150" height="110"> <img src="https://raw.githubusercontent.com/iqlusioninc/yubikey.rs/main/img/logo.png" width="150" height="110">
# yubikey-cli.rs # yubikey-cli.rs
@@ -18,7 +18,7 @@ utility with general-purpose public-key encryption and signing support.
## Minimum Supported Rust Version ## Minimum Supported Rust Version
- Rust **1.39+** Rust **1.60** or newer.
## Supported YubiKeys ## Supported YubiKeys
@@ -35,10 +35,6 @@ an experimental stage and may still contain high-severity issues.
USE AT YOUR OWN RISK! USE AT YOUR OWN RISK!
## Status
WIP. Check back later.
## Code of Conduct ## Code of Conduct
We abide by the [Contributor Covenant][cc-md] and ask that you do as well. We abide by the [Contributor Covenant][cc-md] and ask that you do as well.
@@ -47,7 +43,7 @@ For more information, please see [CODE_OF_CONDUCT.md][cc-md].
## License ## License
Copyright (c) 2014-2019 Yubico AB, Tony Arcieri Copyright (c) 2014-2023 Yubico AB, Tony Arcieri
All rights reserved. All rights reserved.
Redistribution and use in source and binary forms, with or without Redistribution and use in source and binary forms, with or without
@@ -88,12 +84,12 @@ or conditions.
[docs-image]: https://docs.rs/yubikey-cli/badge.svg [docs-image]: https://docs.rs/yubikey-cli/badge.svg
[docs-link]: https://docs.rs/yubikey-cli/ [docs-link]: https://docs.rs/yubikey-cli/
[license-image]: https://img.shields.io/badge/license-BSD-blue.svg [license-image]: https://img.shields.io/badge/license-BSD-blue.svg
[rustc-image]: https://img.shields.io/badge/rustc-1.39+-blue.svg [rustc-image]: https://img.shields.io/badge/rustc-1.60+-blue.svg
[maintenance-image]: https://img.shields.io/badge/maintenance-experimental-blue.svg [maintenance-image]: https://img.shields.io/badge/maintenance-experimental-blue.svg
[safety-image]: https://img.shields.io/badge/unsafe-forbidden-success.svg [safety-image]: https://img.shields.io/badge/unsafe-forbidden-success.svg
[safety-link]: https://github.com/rust-secure-code/safety-dance/ [safety-link]: https://github.com/rust-secure-code/safety-dance/
[build-image]: https://github.com/iqlusioninc/yubikey-piv.rs/workflows/CI/badge.svg?branch=main&event=push [build-image]: https://github.com/iqlusioninc/yubikey.rs/workflows/CI/badge.svg?branch=main&event=push
[build-link]: https://github.com/iqlusioninc/yubikey-piv.rs/actions [build-link]: https://github.com/iqlusioninc/yubikey.rs/actions
[gitter-image]: https://badges.gitter.im/badge.svg [gitter-image]: https://badges.gitter.im/badge.svg
[gitter-link]: https://gitter.im/iqlusioninc/community [gitter-link]: https://gitter.im/iqlusioninc/community
+2 -2
View File
@@ -8,9 +8,9 @@
unused_qualifications unused_qualifications
)] )]
use gumdrop::Options; use clap::Parser;
use yubikey_cli::commands::YubiKeyCli; use yubikey_cli::commands::YubiKeyCli;
fn main() { fn main() {
YubiKeyCli::parse_args_default_or_exit().run(); YubiKeyCli::parse().run()
} }
+16 -81
View File
@@ -4,62 +4,25 @@ pub mod readers;
pub mod status; pub mod status;
use self::{readers::ReadersCmd, status::StatusCmd}; use self::{readers::ReadersCmd, status::StatusCmd};
use crate::terminal::{self, STDOUT}; use crate::terminal;
use gumdrop::Options; use clap::Parser;
use std::{ use std::{env, process::exit};
env, use termcolor::ColorChoice;
io::{self, Write}, use yubikey::{Serial, YubiKey};
process::exit,
};
use termcolor::{ColorChoice, ColorSpec, WriteColor};
use yubikey_piv::{Serial, YubiKey};
/// The `yubikey` CLI utility /// The `yubikey` CLI utility
#[derive(Debug, Options)] #[derive(Debug, Parser)]
pub struct YubiKeyCli { pub struct YubiKeyCli {
/// Obtain help about the current command /// Serial number of the YubiKey to connect to
#[options(short = "h", help = "print help message")] #[clap(short = 's', long = "serial")]
pub help: bool,
/// Specify the serial number of the YubiKey to connect to
#[options(
short = "s",
long = "serial",
help = "serial number of the YubiKey to connect to"
)]
pub serial: Option<Serial>, pub serial: Option<Serial>,
/// Subcommand to execute. /// Subcommand to execute.
#[options(command)] #[clap(subcommand)]
pub command: Option<Commands>, pub command: Commands,
} }
impl YubiKeyCli { impl YubiKeyCli {
/// Print usage information
pub fn print_usage() -> Result<(), io::Error> {
let mut stdout = STDOUT.lock();
stdout.reset()?;
let mut bold = ColorSpec::new();
bold.set_bold(true);
stdout.set_color(&bold)?;
writeln!(
stdout,
"{} {}",
env!("CARGO_PKG_NAME"),
env!("CARGO_PKG_VERSION")
)?;
stdout.reset()?;
writeln!(stdout, "{}", env!("CARGO_PKG_AUTHORS"))?;
writeln!(stdout, "{}", env!("CARGO_PKG_DESCRIPTION").trim())?;
writeln!(stdout)?;
writeln!(stdout, "{}", Commands::usage())?;
Ok(())
}
/// Run the underlying command type or print usage info and exit /// Run the underlying command type or print usage info and exit
pub fn run(&self) { pub fn run(&self) {
// TODO(tarcieri): make this more configurable // TODO(tarcieri): make this more configurable
@@ -70,10 +33,7 @@ impl YubiKeyCli {
env_logger::builder().format_timestamp(None).init(); env_logger::builder().format_timestamp(None).init();
} }
match &self.command { self.command.run(self.yubikey_init())
Some(cmd) => cmd.run(self.yubikey_init()),
None => Self::print_usage().unwrap(),
}
} }
/// Initialize the YubiKey client driver /// Initialize the YubiKey client driver
@@ -92,22 +52,18 @@ impl YubiKeyCli {
} }
/// Subcommands of this application /// Subcommands of this application
#[derive(Debug, Options)] #[derive(Debug, Parser)]
pub enum Commands { pub enum Commands {
/// `help` subcommand
#[options(help = "show help for a command")]
Help(HelpOpts),
/// `version` subcommand /// `version` subcommand
#[options(help = "display version information")] #[clap(about = "display version information")]
Version(VersionOpts), Version(VersionOpts),
/// `readers` subcommand /// `readers` subcommand
#[options(help = "list detected readers")] #[clap(about = "list detected readers")]
Readers(ReadersCmd), Readers(ReadersCmd),
/// `status` subcommand /// `status` subcommand
#[options(help = "show yubikey status")] #[clap(about = "show yubikey status")]
Status(StatusCmd), Status(StatusCmd),
} }
@@ -115,7 +71,6 @@ impl Commands {
/// Run the given command /// Run the given command
pub fn run(&self, yubikey: YubiKey) { pub fn run(&self, yubikey: YubiKey) {
match self { match self {
Commands::Help(help) => help.run(),
Commands::Version(version) => version.run(), Commands::Version(version) => version.run(),
Commands::Readers(list) => list.run(), Commands::Readers(list) => list.run(),
Commands::Status(status) => status.run(yubikey), Commands::Status(status) => status.run(yubikey),
@@ -123,28 +78,8 @@ impl Commands {
} }
} }
/// Help options
#[derive(Debug, Options)]
pub struct HelpOpts {
#[options(free, help = "subcommand to get help for")]
free: Vec<String>,
}
impl HelpOpts {
fn run(&self) {
if let Some(command) = self.free.first() {
if let Some(usage) = Commands::command_usage(command) {
println!("{}", usage);
exit(1);
}
}
println!("{}", Commands::usage());
}
}
/// Version options /// Version options
#[derive(Debug, Options)] #[derive(Debug, Parser)]
pub struct VersionOpts {} pub struct VersionOpts {}
impl VersionOpts { impl VersionOpts {
+5 -5
View File
@@ -1,22 +1,22 @@
//! List detected readers //! List detected readers
use crate::terminal::STDOUT; use crate::terminal::STDOUT;
use gumdrop::Options; use clap::Parser;
use std::{ use std::{
io::{self, Write}, io::{self, Write},
process::exit, process::exit,
}; };
use termcolor::{ColorSpec, StandardStreamLock, WriteColor}; use termcolor::{ColorSpec, StandardStreamLock, WriteColor};
use yubikey_piv::{Readers, Serial}; use yubikey::{Context, Serial};
/// The `readers` subcommand /// The `readers` subcommand
#[derive(Debug, Options)] #[derive(Debug, Parser)]
pub struct ReadersCmd {} pub struct ReadersCmd {}
impl ReadersCmd { impl ReadersCmd {
/// Run the `readers` subcommand /// Run the `readers` subcommand
pub fn run(&self) { pub fn run(&self) {
let mut readers = Readers::open().unwrap_or_else(|e| { let mut readers = Context::open().unwrap_or_else(|e| {
status_err!("couldn't open PC/SC context: {}", e); status_err!("couldn't open PC/SC context: {}", e);
exit(1); exit(1);
}); });
@@ -53,7 +53,7 @@ impl ReadersCmd {
index: usize, index: usize,
name: &str, name: &str,
serial: Serial, serial: Serial,
) -> Result<(), io::Error> { ) -> io::Result<()> {
stream.set_color(ColorSpec::new().set_bold(true))?; stream.set_color(ColorSpec::new().set_bold(true))?;
write!(stream, "{:>3}:", index)?; write!(stream, "{:>3}:", index)?;
stream.reset()?; stream.reset()?;
+5 -7
View File
@@ -1,18 +1,16 @@
//! Print device status //! Print device status
use crate::terminal::STDOUT; use crate::terminal::{print_cert_info, STDOUT};
use gumdrop::Options; use clap::Parser;
use std::io::{self, Write}; use std::io::{self, Write};
use termcolor::{ColorSpec, StandardStreamLock, WriteColor}; use termcolor::{ColorSpec, StandardStreamLock, WriteColor};
use yubikey_piv::{key::*, YubiKey}; use yubikey::{piv::*, YubiKey};
use crate::print_cert_info;
// String to use for `None` // String to use for `None`
const NONE_STR: &str = "<none>"; const NONE_STR: &str = "<none>";
/// The `status` subcommand /// The `status` subcommand
#[derive(Debug, Options)] #[derive(Debug, Parser)]
pub struct StatusCmd {} pub struct StatusCmd {}
impl StatusCmd { impl StatusCmd {
@@ -51,7 +49,7 @@ impl StatusCmd {
stream: &mut StandardStreamLock<'_>, stream: &mut StandardStreamLock<'_>,
name: &str, name: &str,
value: impl ToString, value: impl ToString,
) -> Result<(), io::Error> { ) -> io::Result<()> {
stream.set_color(ColorSpec::new().set_bold(true))?; stream.set_color(ColorSpec::new().set_bold(true))?;
write!(stream, "{:>12}:", name)?; write!(stream, "{:>12}:", name)?;
stream.reset()?; stream.reset()?;
+7 -86
View File
@@ -1,92 +1,13 @@
//! `yubikey` command-line utility //! `yubikey` command-line utility.
//!
//! The goal of this tool is to provide functionality similar to `yubico-piv-tool`
//! but implemented in pure Rust.
//!
//! It also serves as a demonstration/example of how to use the `yubikey` crate.
#![forbid(unsafe_code)] #![forbid(unsafe_code)]
#![warn( #![warn(missing_docs, rust_2018_idioms, unused_qualifications)]
missing_docs,
rust_2018_idioms,
unused_lifetimes,
unused_qualifications
)]
#[macro_use] #[macro_use]
pub mod terminal; pub mod terminal;
pub mod commands; pub mod commands;
use log::debug;
use sha2::{Digest, Sha256};
use std::io::{self, Write};
use std::str;
use subtle_encoding::hex;
use termcolor::{ColorSpec, StandardStreamLock, WriteColor};
use x509_parser::parse_x509_certificate;
use yubikey_piv::{certificate::Certificate, key::*, YubiKey};
///Write information about certificate found in slot a la yubico-piv-tool output.
pub fn print_cert_info(
yubikey: &mut YubiKey,
slot: SlotId,
stream: &mut StandardStreamLock<'_>,
) -> Result<(), io::Error> {
let cert = match Certificate::read(yubikey, slot) {
Ok(c) => c,
Err(e) => {
debug!("error reading certificate in slot {:?}: {}", slot, e);
return Ok(());
}
};
let buf = cert.into_buffer();
if !buf.is_empty() {
let fingerprint = Sha256::digest(&buf);
let slot_id: u8 = slot.into();
print_cert_attr(stream, "Slot", format!("{:x}", slot_id))?;
match parse_x509_certificate(&buf) {
Ok((_rem, cert)) => {
print_cert_attr(
stream,
"Algorithm",
cert.tbs_certificate.subject_pki.algorithm.algorithm,
)?;
print_cert_attr(stream, "Subject", cert.tbs_certificate.subject)?;
print_cert_attr(stream, "Issuer", cert.tbs_certificate.issuer)?;
print_cert_attr(
stream,
"Fingerprint",
str::from_utf8(hex::encode(fingerprint).as_slice()).unwrap(),
)?;
print_cert_attr(
stream,
"Not Before",
cert.tbs_certificate.validity.not_before.to_rfc2822(),
)?;
print_cert_attr(
stream,
"Not After",
cert.tbs_certificate.validity.not_after.to_rfc2822(),
)?;
}
_ => {
println!("Failed to parse certificate");
return Ok(());
}
};
}
Ok(())
}
/// Print a status attribute
fn print_cert_attr(
stream: &mut StandardStreamLock<'_>,
name: &str,
value: impl ToString,
) -> Result<(), io::Error> {
stream.set_color(ColorSpec::new().set_bold(true))?;
write!(stream, "{:>12}:", name)?;
stream.reset()?;
writeln!(stream, " {}", value.to_string())?;
stream.flush()?;
Ok(())
}
+94 -14
View File
@@ -1,9 +1,16 @@
//! Status messages //! Status messages
use lazy_static::lazy_static; use log::debug;
use std::io::{self, Write}; use once_cell::sync::Lazy;
use std::sync::Mutex; use sha2::{Digest, Sha256};
use termcolor::{Color, ColorChoice, ColorSpec, StandardStream, WriteColor}; use std::{
io::{self, Write},
str,
sync::Mutex,
};
use termcolor::{Color, ColorChoice, ColorSpec, StandardStream, StandardStreamLock, WriteColor};
use x509_parser::parse_x509_certificate;
use yubikey::{certificate::Certificate, piv::*, YubiKey};
/// Print a success status message (in green if colors are enabled) /// Print a success status message (in green if colors are enabled)
#[macro_export] #[macro_export]
@@ -51,16 +58,14 @@ macro_rules! status_err {
}; };
} }
lazy_static! {
/// Color configuration /// Color configuration
static ref COLOR_CHOICE: Mutex<Option<ColorChoice>> = Mutex::new(None); static COLOR_CHOICE: Lazy<Mutex<Option<ColorChoice>>> = Lazy::new(|| Mutex::new(None));
/// Standard output /// Standard output
pub static ref STDOUT: StandardStream = StandardStream::stdout(get_color_choice()); pub static STDOUT: Lazy<StandardStream> = Lazy::new(|| StandardStream::stdout(get_color_choice()));
/// Standard error /// Standard error
pub static ref STDERR: StandardStream = StandardStream::stderr(get_color_choice()); pub static STDERR: Lazy<StandardStream> = Lazy::new(|| StandardStream::stderr(get_color_choice()));
}
/// Obtain the color configuration. /// Obtain the color configuration.
/// ///
@@ -132,18 +137,16 @@ impl Status {
/// Print the given message to stdout /// Print the given message to stdout
pub fn print_stdout(self, msg: impl AsRef<str>) { pub fn print_stdout(self, msg: impl AsRef<str>) {
self.print(&*STDOUT, msg) self.print(&STDOUT, msg).expect("error printing to stdout!")
.expect("error printing to stdout!")
} }
/// Print the given message to stderr /// Print the given message to stderr
pub fn print_stderr(self, msg: impl AsRef<str>) { pub fn print_stderr(self, msg: impl AsRef<str>) {
self.print(&*STDERR, msg) self.print(&STDERR, msg).expect("error printing to stderr!")
.expect("error printing to stderr!")
} }
/// Print the given message /// Print the given message
fn print(self, stream: &StandardStream, msg: impl AsRef<str>) -> Result<(), io::Error> { fn print(self, stream: &StandardStream, msg: impl AsRef<str>) -> io::Result<()> {
let mut s = stream.lock(); let mut s = stream.lock();
s.reset()?; s.reset()?;
s.set_color(ColorSpec::new().set_fg(self.color).set_bold(self.bold))?; s.set_color(ColorSpec::new().set_fg(self.color).set_bold(self.bold))?;
@@ -163,3 +166,80 @@ impl Status {
Ok(()) Ok(())
} }
} }
/// Write information about certificate found in slot a la yubico-piv-tool output.
pub fn print_cert_info(
yubikey: &mut YubiKey,
slot: SlotId,
stream: &mut StandardStreamLock<'_>,
) -> io::Result<()> {
let cert = match Certificate::read(yubikey, slot) {
Ok(c) => c,
Err(e) => {
debug!("error reading certificate in slot {:?}: {}", slot, e);
return Ok(());
}
};
let buf = cert.into_buffer();
if !buf.is_empty() {
let fingerprint = Sha256::digest(&buf);
let slot_id: u8 = slot.into();
print_cert_attr(stream, "Slot", format!("{:x}", slot_id))?;
match parse_x509_certificate(&buf) {
Ok((_rem, cert)) => {
print_cert_attr(
stream,
"Algorithm",
cert.tbs_certificate.subject_pki.algorithm.algorithm,
)?;
print_cert_attr(stream, "Subject", cert.tbs_certificate.subject)?;
print_cert_attr(stream, "Issuer", cert.tbs_certificate.issuer)?;
print_cert_attr(
stream,
"Fingerprint",
&hex::upper::encode_string(&fingerprint),
)?;
print_cert_attr(
stream,
"Not Before",
cert.tbs_certificate
.validity
.not_before
.to_rfc2822()
.unwrap(),
)?;
print_cert_attr(
stream,
"Not After",
cert.tbs_certificate
.validity
.not_after
.to_rfc2822()
.unwrap(),
)?;
}
_ => {
println!("Failed to parse certificate");
return Ok(());
}
};
}
Ok(())
}
/// Print a status attribute
fn print_cert_attr(
stream: &mut StandardStreamLock<'_>,
name: &str,
value: impl ToString,
) -> io::Result<()> {
stream.set_color(ColorSpec::new().set_bold(true))?;
write!(stream, "{:>12}:", name)?;
stream.reset()?;
writeln!(stream, " {}", value.to_string())?;
stream.flush()?;
Ok(())
}
BIN
View File
Binary file not shown.

After

Width:  |  Height:  |  Size: 14 KiB

+59 -7
View File
@@ -30,7 +30,7 @@
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
use crate::{error::Error, transaction::Transaction, Buffer}; use crate::{transaction::Transaction, Buffer, Result};
use log::trace; use log::trace;
use zeroize::{Zeroize, Zeroizing}; use zeroize::{Zeroize, Zeroizing};
@@ -41,7 +41,7 @@ const APDU_DATA_MAX: usize = 0xFF;
/// ///
/// These messages are packets used to communicate with the YubiKey. /// These messages are packets used to communicate with the YubiKey.
#[derive(Clone, Debug, Eq, PartialEq)] #[derive(Clone, Debug, Eq, PartialEq)]
pub(crate) struct APDU { pub(crate) struct Apdu {
/// Instruction class: indicates the type of command (e.g. inter-industry or proprietary) /// Instruction class: indicates the type of command (e.g. inter-industry or proprietary)
cla: u8, cla: u8,
@@ -58,7 +58,7 @@ pub(crate) struct APDU {
data: Vec<u8>, data: Vec<u8>,
} }
impl APDU { impl Apdu {
/// Create a new APDU with the given instruction code /// Create a new APDU with the given instruction code
pub fn new(ins: impl Into<Ins>) -> Self { pub fn new(ins: impl Into<Ins>) -> Self {
Self { Self {
@@ -109,7 +109,7 @@ impl APDU {
} }
/// Transmit this APDU using the given card transaction /// Transmit this APDU using the given card transaction
pub fn transmit(&self, txn: &Transaction<'_>, recv_len: usize) -> Result<Response, Error> { pub fn transmit(&self, txn: &Transaction<'_>, recv_len: usize) -> Result<Response> {
trace!(">>> {:?}", self); trace!(">>> {:?}", self);
let response = Response::from(txn.transmit(&self.to_bytes(), recv_len)?); let response = Response::from(txn.transmit(&self.to_bytes(), recv_len)?);
trace!("<<< {:?}", &response); trace!("<<< {:?}", &response);
@@ -129,13 +129,13 @@ impl APDU {
} }
} }
impl Drop for APDU { impl Drop for Apdu {
fn drop(&mut self) { fn drop(&mut self) {
self.zeroize(); self.zeroize();
} }
} }
impl Zeroize for APDU { impl Zeroize for Apdu {
fn zeroize(&mut self) { fn zeroize(&mut self) {
// Only `data` may contain secrets // Only `data` may contain secrets
self.data.zeroize(); self.data.zeroize();
@@ -195,6 +195,9 @@ pub enum Ins {
/// Get device serial /// Get device serial
GetSerial, GetSerial,
/// Get slot metadata
GetMetadata,
/// Other/unrecognized instruction codes /// Other/unrecognized instruction codes
Other(u8), Other(u8),
} }
@@ -219,6 +222,7 @@ impl Ins {
Ins::SetPinRetries => 0xfa, Ins::SetPinRetries => 0xfa,
Ins::Attest => 0xf9, Ins::Attest => 0xf9,
Ins::GetSerial => 0xf8, Ins::GetSerial => 0xf8,
Ins::GetMetadata => 0xf7,
Ins::Other(code) => code, Ins::Other(code) => code,
} }
} }
@@ -243,6 +247,7 @@ impl From<u8> for Ins {
0xfa => Ins::SetPinRetries, 0xfa => Ins::SetPinRetries,
0xf9 => Ins::Attest, 0xf9 => Ins::Attest,
0xf8 => Ins::GetSerial, 0xf8 => Ins::GetSerial,
0xf7 => Ins::GetMetadata,
code => Ins::Other(code), code => Ins::Other(code),
} }
} }
@@ -348,6 +353,12 @@ pub(crate) enum StatusWords {
/// Successful execution /// Successful execution
Success, Success,
/// The requested data was too large for the response, and there is data remaining.
BytesRemaining {
/// The number of bytes remaining, as indicated in the response.
len: u8,
},
/// https://github.com/Yubico/yubikey-manager/blob/1f22620b623c6b345dd9f9193ec765a542dddc80/ykman/driver_ccid.py#L53 /// https://github.com/Yubico/yubikey-manager/blob/1f22620b623c6b345dd9f9193ec765a542dddc80/ykman/driver_ccid.py#L53
NoInputDataError, NoInputDataError,
@@ -405,8 +416,9 @@ impl StatusWords {
pub fn code(self) -> u16 { pub fn code(self) -> u16 {
match self { match self {
StatusWords::None => 0, StatusWords::None => 0,
StatusWords::BytesRemaining { len } => 0x6100 | len as u16,
StatusWords::NoInputDataError => 0x6285, StatusWords::NoInputDataError => 0x6285,
StatusWords::VerifyFailError { tries } => 0x63c0 & tries as u16, StatusWords::VerifyFailError { tries } => 0x63c0 | tries as u16,
StatusWords::WrongLengthError => 0x6700, StatusWords::WrongLengthError => 0x6700,
StatusWords::SecurityStatusError => 0x6982, StatusWords::SecurityStatusError => 0x6982,
StatusWords::AuthBlockedError => 0x6983, StatusWords::AuthBlockedError => 0x6983,
@@ -434,6 +446,9 @@ impl From<u16> for StatusWords {
fn from(sw: u16) -> Self { fn from(sw: u16) -> Self {
match sw { match sw {
0x0000 => StatusWords::None, 0x0000 => StatusWords::None,
sw if sw & 0xff00 == 0x6100 => Self::BytesRemaining {
len: (sw & 0x00ff) as u8,
},
0x6285 => StatusWords::NoInputDataError, 0x6285 => StatusWords::NoInputDataError,
sw if sw & 0xfff0 == 0x63c0 => StatusWords::VerifyFailError { sw if sw & 0xfff0 == 0x63c0 => StatusWords::VerifyFailError {
tries: (sw & 0x000f) as u8, tries: (sw & 0x000f) as u8,
@@ -461,3 +476,40 @@ impl From<StatusWords> for u16 {
sw.code() sw.code()
} }
} }
#[cfg(test)]
mod tests {
use super::StatusWords;
#[test]
fn status_words_round_trip() {
let round_trip = |sw: StatusWords| {
assert_eq!(StatusWords::from(sw.code()), sw);
};
round_trip(StatusWords::None);
round_trip(StatusWords::BytesRemaining { len: 1 });
round_trip(StatusWords::BytesRemaining { len: 10 });
round_trip(StatusWords::BytesRemaining { len: 0xFF });
round_trip(StatusWords::Success);
round_trip(StatusWords::NoInputDataError);
round_trip(StatusWords::VerifyFailError { tries: 0x0F });
round_trip(StatusWords::VerifyFailError { tries: 3 });
round_trip(StatusWords::VerifyFailError { tries: 2 });
round_trip(StatusWords::VerifyFailError { tries: 1 });
round_trip(StatusWords::VerifyFailError { tries: 0 });
round_trip(StatusWords::WrongLengthError);
round_trip(StatusWords::SecurityStatusError);
round_trip(StatusWords::AuthBlockedError);
round_trip(StatusWords::DataInvalidError);
round_trip(StatusWords::ConditionsNotSatisfiedError);
round_trip(StatusWords::CommandNotAllowedError);
round_trip(StatusWords::IncorrectParamError);
round_trip(StatusWords::NotFoundError);
round_trip(StatusWords::NoSpaceError);
round_trip(StatusWords::IncorrectSlotError);
round_trip(StatusWords::NotSupportedError);
round_trip(StatusWords::CommandAbortedError);
round_trip(StatusWords::Other(0x1337));
}
}
+32 -38
View File
@@ -30,16 +30,9 @@
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
use crate::{error::Error, yubikey::YubiKey}; use crate::{Error, Result, YubiKey};
use getrandom::getrandom; use rand_core::{OsRng, RngCore};
use std::fmt::{self, Debug, Display}; use std::fmt::{self, Debug, Display};
use subtle_encoding::hex;
/// CCCID size
pub const CCCID_SIZE: usize = 14;
/// CCC size
pub const CCC_SIZE: usize = 51;
/// CCCID offset /// CCCID offset
const CCC_ID_OFFS: usize = 9; const CCC_ID_OFFS: usize = 9;
@@ -62,33 +55,39 @@ const CCC_TMPL: &[u8] = &[
0x00, 0xfe, 0x00, 0x00, 0xfe, 0x00,
]; ];
/// Cardholder Capability Container (CCC) Identifier Card ID /// Cardholder Capability Container (CCC) Identifier Card ID.
#[derive(Copy, Clone, Debug, Eq, PartialEq)] #[derive(Copy, Clone, Debug, Eq, PartialEq, PartialOrd, Ord)]
pub struct CardId(pub [u8; CCCID_SIZE]); pub struct CardId(pub [u8; Self::BYTE_SIZE]);
impl CardId { impl CardId {
/// CCCID size in bytes
pub const BYTE_SIZE: usize = 14;
/// Generate a random CCC Card ID /// Generate a random CCC Card ID
pub fn generate() -> Result<Self, Error> { pub fn generate() -> Self {
let mut id = [0u8; CCCID_SIZE]; let mut id = [0u8; Self::BYTE_SIZE];
getrandom(&mut id).map_err(|_| Error::RandomnessError)?; OsRng.fill_bytes(&mut id);
Ok(Self(id)) Self(id)
} }
} }
/// Cardholder Capability Container (CCC) Identifier /// Cardholder Capability Container (CCC) Identifier.
#[derive(Copy, Clone)] #[derive(Copy, Clone, Debug, Eq, PartialEq)]
pub struct CCC(pub [u8; CCC_SIZE]); pub struct CccId(pub [u8; Self::BYTE_SIZE]);
impl CccId {
/// CCC size in bytes
pub const BYTE_SIZE: usize = 51;
impl CCC {
/// Return CardId component of CCC /// Return CardId component of CCC
pub fn cccid(&self) -> Result<CardId, Error> { pub fn card_id(&self) -> Result<CardId> {
let mut cccid = [0u8; CCCID_SIZE]; let mut cccid = [0u8; CardId::BYTE_SIZE];
cccid.copy_from_slice(&self.0[CCC_ID_OFFS..(CCC_ID_OFFS + CCCID_SIZE)]); cccid.copy_from_slice(&self.0[CCC_ID_OFFS..(CCC_ID_OFFS + CardId::BYTE_SIZE)]);
Ok(CardId(cccid)) Ok(CardId(cccid))
} }
/// Get Cardholder Capability Container (CCC) ID /// Get Cardholder Capability Container (CCC) ID
pub fn get(yubikey: &mut YubiKey) -> Result<Self, Error> { pub fn get(yubikey: &mut YubiKey) -> Result<Self> {
let txn = yubikey.begin_transaction()?; let txn = yubikey.begin_transaction()?;
let response = txn.fetch_object(OBJ_CAPABILITY)?; let response = txn.fetch_object(OBJ_CAPABILITY)?;
@@ -96,14 +95,13 @@ impl CCC {
return Err(Error::GenericError); return Err(Error::GenericError);
} }
let mut ccc = [0u8; CCC_SIZE]; Ok(Self(response[..Self::BYTE_SIZE].try_into().unwrap()))
ccc.copy_from_slice(&response[0..CCC_SIZE]);
Ok(Self(ccc))
} }
/// Get Cardholder Capability Container (CCC) ID /// Set Cardholder Capability Container (CCC) ID
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
pub fn set(&self, yubikey: &mut YubiKey) -> Result<(), Error> { #[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub fn set(&self, yubikey: &mut YubiKey) -> Result<()> {
let mut buf = CCC_TMPL.to_vec(); let mut buf = CCC_TMPL.to_vec();
buf[0..self.0.len()].copy_from_slice(&self.0); buf[0..self.0.len()].copy_from_slice(&self.0);
@@ -112,18 +110,14 @@ impl CCC {
} }
} }
impl Debug for CCC { impl AsRef<[u8]> for CccId {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { fn as_ref(&self) -> &[u8] {
write!(f, "CCC({:?})", &self.0[..]) &self.0
} }
} }
impl Display for CCC { impl Display for CccId {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
write!( f.write_str(&hex::upper::encode_string(self.as_ref()))
f,
"{}",
String::from_utf8(hex::encode(&self.0[..])).unwrap()
)
} }
} }
+69 -57
View File
@@ -1,4 +1,4 @@
//! YubiKey Certificates //! X.509 certificate support.
// Adapted from yubico-piv-tool: // Adapted from yubico-piv-tool:
// <https://github.com/Yubico/yubico-piv-tool/> // <https://github.com/Yubico/yubico-piv-tool/>
@@ -31,8 +31,9 @@
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
use crate::{ use crate::{
error::Error, consts::CB_OBJ_MAX,
key::{sign_data, AlgorithmId, SlotId}, error::{Error, Result},
piv::{sign_data, AlgorithmId, SlotId},
serialization::*, serialization::*,
transaction::Transaction, transaction::Transaction,
yubikey::YubiKey, yubikey::YubiKey,
@@ -41,20 +42,17 @@ use crate::{
use chrono::{DateTime, Utc}; use chrono::{DateTime, Utc};
use elliptic_curve::sec1::EncodedPoint as EcPublicKey; use elliptic_curve::sec1::EncodedPoint as EcPublicKey;
use log::error; use log::error;
use num_bigint::BigUint; use num_bigint_dig::BigUint;
use p256::NistP256; use p256::NistP256;
use p384::NistP384; use p384::NistP384;
use rsa::{PublicKeyParts, RSAPublicKey}; use rsa::{PublicKeyParts, RsaPublicKey};
use sha2::{Digest, Sha256}; use sha2::{Digest, Sha256};
use std::convert::TryFrom; use std::fmt::Display;
use std::fmt; use std::{fmt, ops::DerefMut};
use std::ops::DerefMut;
use x509::{der::Oid, RelativeDistinguishedName}; use x509::{der::Oid, RelativeDistinguishedName};
use x509_parser::{parse_x509_certificate, x509::SubjectPublicKeyInfo}; use x509_parser::{parse_x509_certificate, x509::SubjectPublicKeyInfo};
use zeroize::Zeroizing; use zeroize::Zeroizing;
use crate::CB_OBJ_MAX;
// TODO: Make these der_parser::oid::Oid constants when it has const fn support. // TODO: Make these der_parser::oid::Oid constants when it has const fn support.
const OID_RSA_ENCRYPTION: &str = "1.2.840.113549.1.1.1"; const OID_RSA_ENCRYPTION: &str = "1.2.840.113549.1.1.1";
const OID_EC_PUBLIC_KEY: &str = "1.2.840.10045.2.1"; const OID_EC_PUBLIC_KEY: &str = "1.2.840.10045.2.1";
@@ -82,13 +80,13 @@ impl From<[u8; 20]> for Serial {
} }
impl TryFrom<&[u8]> for Serial { impl TryFrom<&[u8]> for Serial {
type Error = (); type Error = Error;
fn try_from(bytes: &[u8]) -> Result<Serial, ()> { fn try_from(bytes: &[u8]) -> Result<Serial> {
if bytes.len() <= 20 { if bytes.len() <= 20 {
Ok(Serial(BigUint::from_bytes_be(&bytes))) Ok(Serial(BigUint::from_bytes_be(bytes)))
} else { } else {
Err(()) Err(Error::ParseError)
} }
} }
} }
@@ -97,10 +95,30 @@ impl Serial {
fn to_bytes(&self) -> Vec<u8> { fn to_bytes(&self) -> Vec<u8> {
self.0.to_bytes_be() self.0.to_bytes_be()
} }
/// Returns itself formatted as x509 compatible hex string
pub fn as_x509_hex(&self) -> String {
let data = self.to_bytes();
let raw_hex_string = format!("{:02X?}", data);
raw_hex_string
.replace(", ", ":")
.replace([']', '['], "")
.to_lowercase()
}
/// Returns itself formatted as x509 compatible int string
pub fn as_x509_int(&self) -> String {
let Serial(buint) = self;
format!("{}", buint)
}
}
impl Display for Serial {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
f.write_str(&self.as_x509_hex())
}
} }
/// Information about how a [`Certificate`] is stored within a YubiKey. /// Information about how a [`Certificate`] is stored within a YubiKey.
#[derive(Clone, Copy, Debug, PartialEq)] #[derive(Clone, Copy, Debug, Eq, PartialEq)]
pub enum CertInfo { pub enum CertInfo {
/// The certificate is uncompressed. /// The certificate is uncompressed.
Uncompressed, Uncompressed,
@@ -112,7 +130,7 @@ pub enum CertInfo {
impl TryFrom<u8> for CertInfo { impl TryFrom<u8> for CertInfo {
type Error = Error; type Error = Error;
fn try_from(value: u8) -> Result<Self, Self::Error> { fn try_from(value: u8) -> Result<Self> {
match value { match value {
0x00 => Ok(CertInfo::Uncompressed), 0x00 => Ok(CertInfo::Uncompressed),
0x01 => Ok(CertInfo::Gzip), 0x01 => Ok(CertInfo::Gzip),
@@ -173,7 +191,7 @@ pub enum PublicKeyInfo {
algorithm: AlgorithmId, algorithm: AlgorithmId,
/// Public key /// Public key
pubkey: RSAPublicKey, pubkey: RsaPublicKey,
}, },
/// EC P-256 keys /// EC P-256 keys
@@ -190,10 +208,10 @@ impl fmt::Debug for PublicKeyInfo {
} }
impl PublicKeyInfo { impl PublicKeyInfo {
fn parse(subject_pki: &SubjectPublicKeyInfo<'_>) -> Result<Self, Error> { fn parse(subject_pki: &SubjectPublicKeyInfo<'_>) -> Result<Self> {
match subject_pki.algorithm.algorithm.to_string().as_str() { match subject_pki.algorithm.algorithm.to_string().as_str() {
OID_RSA_ENCRYPTION => { OID_RSA_ENCRYPTION => {
let pubkey = read_pki::rsa_pubkey(subject_pki.subject_public_key.data)?; let pubkey = read_pki::rsa_pubkey(&subject_pki.subject_public_key.data)?;
Ok(PublicKeyInfo::Rsa { Ok(PublicKeyInfo::Rsa {
algorithm: match pubkey.n().bits() { algorithm: match pubkey.n().bits() {
@@ -213,10 +231,10 @@ impl PublicKeyInfo {
.ok_or(Error::InvalidObject)?; .ok_or(Error::InvalidObject)?;
match read_pki::ec_parameters(algorithm_parameters)? { match read_pki::ec_parameters(algorithm_parameters)? {
AlgorithmId::EccP256 => EcPublicKey::from_bytes(key_bytes) AlgorithmId::EccP256 => EcPublicKey::<NistP256>::from_bytes(key_bytes)
.map(PublicKeyInfo::EcP256) .map(PublicKeyInfo::EcP256)
.map_err(|_| Error::InvalidObject), .map_err(|_| Error::InvalidObject),
AlgorithmId::EccP384 => EcPublicKey::from_bytes(key_bytes) AlgorithmId::EccP384 => EcPublicKey::<NistP384>::from_bytes(key_bytes)
.map(PublicKeyInfo::EcP384) .map(PublicKeyInfo::EcP384)
.map_err(|_| Error::InvalidObject), .map_err(|_| Error::InvalidObject),
_ => Err(Error::AlgorithmError), _ => Err(Error::AlgorithmError),
@@ -321,6 +339,7 @@ impl x509::AlgorithmIdentifier for SignatureId {
#[derive(Clone, Debug)] #[derive(Clone, Debug)]
pub struct Certificate { pub struct Certificate {
serial: Serial, serial: Serial,
#[allow(dead_code)]
issuer: String, issuer: String,
subject: String, subject: String,
subject_pki: PublicKeyInfo, subject_pki: PublicKeyInfo,
@@ -330,7 +349,7 @@ pub struct Certificate {
impl<'a> TryFrom<&'a [u8]> for Certificate { impl<'a> TryFrom<&'a [u8]> for Certificate {
type Error = Error; type Error = Error;
fn try_from(bytes: &'a [u8]) -> Result<Self, Error> { fn try_from(bytes: &'a [u8]) -> Result<Self> {
Self::from_bytes(bytes.to_vec()) Self::from_bytes(bytes.to_vec())
} }
} }
@@ -350,7 +369,7 @@ impl Certificate {
subject: &[RelativeDistinguishedName<'_>], subject: &[RelativeDistinguishedName<'_>],
subject_pki: PublicKeyInfo, subject_pki: PublicKeyInfo,
extensions: &[x509::Extension<'_, O>], extensions: &[x509::Extension<'_, O>],
) -> Result<Self, Error> { ) -> Result<Self> {
let serial = serial.into(); let serial = serial.into();
let mut tbs_cert = Buffer::new(Vec::with_capacity(CB_OBJ_MAX)); let mut tbs_cert = Buffer::new(Vec::with_capacity(CB_OBJ_MAX));
@@ -365,12 +384,12 @@ impl Certificate {
&serial.to_bytes(), &serial.to_bytes(),
&signature_algorithm, &signature_algorithm,
// Issuer and subject are the same in self-signed certificates. // Issuer and subject are the same in self-signed certificates.
&subject, subject,
Utc::now(), Utc::now(),
not_after, not_after,
&subject, subject,
&subject_pki, &subject_pki,
&extensions, extensions,
), ),
tbs_cert.deref_mut(), tbs_cert.deref_mut(),
) )
@@ -453,7 +472,7 @@ impl Certificate {
} }
/// Read a certificate from the given slot in the YubiKey /// Read a certificate from the given slot in the YubiKey
pub fn read(yubikey: &mut YubiKey, slot: SlotId) -> Result<Self, Error> { pub fn read(yubikey: &mut YubiKey, slot: SlotId) -> Result<Self> {
let txn = yubikey.begin_transaction()?; let txn = yubikey.begin_transaction()?;
let buf = read_certificate(&txn, slot)?; let buf = read_certificate(&txn, slot)?;
@@ -465,25 +484,21 @@ impl Certificate {
} }
/// Write this certificate into the YubiKey in the given slot /// Write this certificate into the YubiKey in the given slot
pub fn write( pub fn write(&self, yubikey: &mut YubiKey, slot: SlotId, certinfo: CertInfo) -> Result<()> {
&self,
yubikey: &mut YubiKey,
slot: SlotId,
certinfo: CertInfo,
) -> Result<(), Error> {
let txn = yubikey.begin_transaction()?; let txn = yubikey.begin_transaction()?;
write_certificate(&txn, slot, Some(&self.data), certinfo) write_certificate(&txn, slot, Some(&self.data), certinfo)
} }
/// Delete a certificate located at the given slot of the given YubiKey /// Delete a certificate located at the given slot of the given YubiKey
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
pub fn delete(yubikey: &mut YubiKey, slot: SlotId) -> Result<(), Error> { #[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub fn delete(yubikey: &mut YubiKey, slot: SlotId) -> Result<()> {
let txn = yubikey.begin_transaction()?; let txn = yubikey.begin_transaction()?;
write_certificate(&txn, slot, None, CertInfo::Uncompressed) write_certificate(&txn, slot, None, CertInfo::Uncompressed)
} }
/// Initialize a local certificate struct from the given bytebuffer /// Initialize a local certificate struct from the given bytebuffer
pub fn from_bytes(cert: impl Into<Buffer>) -> Result<Self, Error> { pub fn from_bytes(cert: impl Into<Buffer>) -> Result<Self> {
let cert = cert.into(); let cert = cert.into();
if cert.is_empty() { if cert.is_empty() {
@@ -518,7 +533,7 @@ impl Certificate {
/// Returns the Issuer field of the certificate. /// Returns the Issuer field of the certificate.
pub fn issuer(&self) -> &str { pub fn issuer(&self) -> &str {
&self.subject &self.issuer
} }
/// Returns the SubjectName field of the certificate. /// Returns the SubjectName field of the certificate.
@@ -544,7 +559,7 @@ impl AsRef<[u8]> for Certificate {
} }
/// Read certificate /// Read certificate
pub(crate) fn read_certificate(txn: &Transaction<'_>, slot: SlotId) -> Result<Buffer, Error> { pub(crate) fn read_certificate(txn: &Transaction<'_>, slot: SlotId) -> Result<Buffer> {
let object_id = slot.object_id(); let object_id = slot.object_id();
let buf = match txn.fetch_object(object_id) { let buf = match txn.fetch_object(object_id) {
@@ -572,7 +587,7 @@ pub(crate) fn write_certificate(
slot: SlotId, slot: SlotId,
data: Option<&[u8]>, data: Option<&[u8]>,
certinfo: CertInfo, certinfo: CertInfo,
) -> Result<(), Error> { ) -> Result<()> {
let object_id = slot.object_id(); let object_id = slot.object_id();
if data.is_none() { if data.is_none() {
@@ -593,16 +608,16 @@ pub(crate) fn write_certificate(
mod read_pki { mod read_pki {
use der_parser::{ use der_parser::{
asn1_rs::Any,
ber::BerObjectContent, ber::BerObjectContent,
der::{parse_der_integer, DerObject}, der::{parse_der_integer, parse_der_sequence_defined_g, DerObject},
error::BerError, error::BerError,
*,
}; };
use nom::{combinator, IResult}; use nom::{combinator, sequence::pair, IResult};
use rsa::{BigUint, RSAPublicKey}; use rsa::{BigUint, RsaPublicKey};
use super::{OID_NIST_P256, OID_NIST_P384}; use super::{OID_NIST_P256, OID_NIST_P384};
use crate::{error::Error, key::AlgorithmId}; use crate::{piv::AlgorithmId, Error, Result};
/// From [RFC 8017](https://tools.ietf.org/html/rfc8017#appendix-A.1.1): /// From [RFC 8017](https://tools.ietf.org/html/rfc8017#appendix-A.1.1):
/// ```text /// ```text
@@ -611,21 +626,18 @@ mod read_pki {
/// publicExponent INTEGER -- e /// publicExponent INTEGER -- e
/// } /// }
/// ``` /// ```
pub(super) fn rsa_pubkey(encoded: &[u8]) -> Result<RSAPublicKey, Error> { pub(super) fn rsa_pubkey(encoded: &[u8]) -> Result<RsaPublicKey> {
fn parse_rsa_pubkey(i: &[u8]) -> IResult<&[u8], DerObject<'_>, BerError> { fn parse_rsa_pubkey(i: &[u8]) -> IResult<&[u8], (DerObject<'_>, DerObject<'_>), BerError> {
parse_der_sequence_defined!(i, parse_der_integer >> parse_der_integer) parse_der_sequence_defined_g(|i, _| pair(parse_der_integer, parse_der_integer)(i))(i)
} }
fn rsa_pubkey_parts(i: &[u8]) -> IResult<&[u8], (BigUint, BigUint), BerError> { fn rsa_pubkey_parts(i: &[u8]) -> IResult<&[u8], (BigUint, BigUint), BerError> {
combinator::map(parse_rsa_pubkey, |object| { combinator::map(parse_rsa_pubkey, |(modulus, public_exponent)| {
let seq = object.as_sequence().expect("is DER sequence"); let n = match modulus.content {
assert_eq!(seq.len(), 2);
let n = match seq[0].content {
BerObjectContent::Integer(s) => BigUint::from_bytes_be(s), BerObjectContent::Integer(s) => BigUint::from_bytes_be(s),
_ => panic!("expected DER integer"), _ => panic!("expected DER integer"),
}; };
let e = match seq[1].content { let e = match public_exponent.content {
BerObjectContent::Integer(s) => BigUint::from_bytes_be(s), BerObjectContent::Integer(s) => BigUint::from_bytes_be(s),
_ => panic!("expected DER integer"), _ => panic!("expected DER integer"),
}; };
@@ -639,7 +651,7 @@ mod read_pki {
_ => return Err(Error::InvalidObject), _ => return Err(Error::InvalidObject),
}; };
RSAPublicKey::new(n, e).map_err(|_| Error::InvalidObject) RsaPublicKey::new(n, e).map_err(|_| Error::InvalidObject)
} }
/// From [RFC 5480](https://tools.ietf.org/html/rfc5480#section-2.1.1): /// From [RFC 5480](https://tools.ietf.org/html/rfc5480#section-2.1.1):
@@ -650,8 +662,8 @@ mod read_pki {
/// -- specifiedCurve SpecifiedECDomain /// -- specifiedCurve SpecifiedECDomain
/// } /// }
/// ``` /// ```
pub(super) fn ec_parameters(parameters: &DerObject<'_>) -> Result<AlgorithmId, Error> { pub(super) fn ec_parameters(parameters: &Any<'_>) -> Result<AlgorithmId> {
let curve_oid = parameters.as_oid_val().map_err(|_| Error::InvalidObject)?; let curve_oid = parameters.as_oid().map_err(|_| Error::InvalidObject)?;
match curve_oid.to_string().as_str() { match curve_oid.to_string().as_str() {
OID_NIST_P256 => Ok(AlgorithmId::EccP256), OID_NIST_P256 => Ok(AlgorithmId::EccP256),
@@ -663,7 +675,7 @@ mod read_pki {
mod write_pki { mod write_pki {
use cookie_factory::{SerializeFn, WriteContext}; use cookie_factory::{SerializeFn, WriteContext};
use rsa::{BigUint, PublicKeyParts, RSAPublicKey}; use rsa::{BigUint, PublicKeyParts, RsaPublicKey};
use std::io::Write; use std::io::Write;
use x509::der::write::{der_integer, der_sequence}; use x509::der::write::{der_integer, der_sequence};
@@ -680,7 +692,7 @@ mod write_pki {
/// } /// }
/// ``` /// ```
pub(super) fn rsa_pubkey<'a, W: Write + 'a>( pub(super) fn rsa_pubkey<'a, W: Write + 'a>(
pubkey: &'a RSAPublicKey, pubkey: &'a RsaPublicKey,
) -> impl SerializeFn<W> + 'a { ) -> impl SerializeFn<W> + 'a {
der_sequence(( der_sequence((
der_integer_biguint(pubkey.n()), der_integer_biguint(pubkey.n()),
+32 -60
View File
@@ -30,22 +30,9 @@
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
use crate::{error::Error, yubikey::YubiKey}; use crate::{Error, Result, YubiKey};
use getrandom::getrandom;
use std::fmt::{self, Debug, Display}; use std::fmt::{self, Debug, Display};
use subtle_encoding::hex; use uuid::Uuid;
/// CHUID size
pub const CHUID_SIZE: usize = 59;
/// CARDID size
pub const CARDID_SIZE: usize = 16;
/// FASC-N component size
pub const FASCN_SIZE: usize = 25;
/// Expiration size
pub const EXPIRATION_SIZE: usize = 8;
/// FASC-N offset /// FASC-N offset
const CHUID_FASCN_OFFS: usize = 2; const CHUID_FASCN_OFFS: usize = 2;
@@ -81,50 +68,42 @@ const CHUID_TMPL: &[u8] = &[
0x30, 0x33, 0x30, 0x30, 0x31, 0x30, 0x31, 0x3e, 0x00, 0xfe, 0x00, 0x30, 0x33, 0x30, 0x30, 0x31, 0x30, 0x31, 0x3e, 0x00, 0xfe, 0x00,
]; ];
/// Cardholder Unique Identifier (CHUID) Card UUID/GUID value /// Cardholder Unique Identifier (CHUID).
#[derive(Copy, Clone, Debug)] #[derive(Copy, Clone, Debug)]
pub struct Uuid(pub [u8; CARDID_SIZE]); pub struct ChuId(pub [u8; Self::BYTE_SIZE]);
impl Uuid { impl ChuId {
/// Generate a random Cardholder Unique Identifier (CHUID) UUID /// CHUID size in bytes
pub fn generate() -> Result<Self, Error> { pub const BYTE_SIZE: usize = 59;
let mut id = [0u8; CARDID_SIZE];
getrandom(&mut id).map_err(|_| Error::RandomnessError)?;
Ok(Self(id))
}
}
/// Cardholder Unique Identifier (CHUID) /// FASC-N component size
#[derive(Copy, Clone)] pub const FASCN_SIZE: usize = 25;
pub struct CHUID(pub [u8; CHUID_SIZE]);
/// Expiration size
pub const EXPIRATION_SIZE: usize = 8;
impl CHUID {
/// Return FASC-N component of CHUID /// Return FASC-N component of CHUID
pub fn fascn(&self) -> Result<[u8; FASCN_SIZE], Error> { pub fn fascn(&self) -> [u8; Self::FASCN_SIZE] {
let mut fascn = [0u8; FASCN_SIZE]; self.0[CHUID_FASCN_OFFS..(CHUID_FASCN_OFFS + Self::FASCN_SIZE)]
fascn.copy_from_slice(&self.0[CHUID_FASCN_OFFS..(CHUID_FASCN_OFFS + FASCN_SIZE)]); .try_into()
Ok(fascn) .unwrap()
} }
/// Return Card UUID/GUID component of CHUID /// Return Card UUID/GUID component of CHUID
pub fn uuid(&self) -> Result<[u8; CARDID_SIZE], Error> { pub fn uuid(&self) -> Uuid {
let mut uuid = [0u8; CARDID_SIZE]; Uuid::from_slice(&self.0[CHUID_GUID_OFFS..(CHUID_GUID_OFFS + 16)]).unwrap()
uuid.copy_from_slice(&self.0[CHUID_GUID_OFFS..(CHUID_GUID_OFFS + CARDID_SIZE)]);
Ok(uuid)
} }
/// Return expiration date component of CHUID /// Return expiration date component of CHUID
// TODO(tarcieri): parse expiration? // TODO(tarcieri): parse expiration?
pub fn expiration(&self) -> Result<[u8; EXPIRATION_SIZE], Error> { pub fn expiration(&self) -> [u8; Self::EXPIRATION_SIZE] {
let mut expiration = [0u8; EXPIRATION_SIZE]; self.0[CHUID_EXPIRATION_OFFS..(CHUID_EXPIRATION_OFFS + Self::EXPIRATION_SIZE)]
expiration.copy_from_slice( .try_into()
&self.0[CHUID_EXPIRATION_OFFS..(CHUID_EXPIRATION_OFFS + EXPIRATION_SIZE)], .unwrap()
);
Ok(expiration)
} }
/// Get Cardholder Unique Identifier (CHUID) /// Get Cardholder Unique Identifier (CHUID)
pub fn get(yubikey: &mut YubiKey) -> Result<CHUID, Error> { pub fn get(yubikey: &mut YubiKey) -> Result<ChuId> {
let txn = yubikey.begin_transaction()?; let txn = yubikey.begin_transaction()?;
let response = txn.fetch_object(OBJ_CHUID)?; let response = txn.fetch_object(OBJ_CHUID)?;
@@ -132,36 +111,29 @@ impl CHUID {
return Err(Error::GenericError); return Err(Error::GenericError);
} }
let mut chuid = [0u8; CHUID_SIZE]; Ok(ChuId(response[..Self::BYTE_SIZE].try_into().unwrap()))
chuid.copy_from_slice(&response[0..CHUID_SIZE]);
let retval = CHUID { 0: chuid };
Ok(retval)
} }
/// Set Cardholder Unique Identifier (CHUID) /// Set Cardholder Unique Identifier (CHUID)
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub fn set(&self, yubikey: &mut YubiKey) -> Result<(), Error> { pub fn set(&self, yubikey: &mut YubiKey) -> Result<()> {
let mut buf = CHUID_TMPL.to_vec(); let mut buf = CHUID_TMPL.to_vec();
buf[0..self.0.len()].copy_from_slice(&self.0); buf[..Self::BYTE_SIZE].copy_from_slice(&self.0);
let txn = yubikey.begin_transaction()?; let txn = yubikey.begin_transaction()?;
txn.save_object(OBJ_CHUID, &buf) txn.save_object(OBJ_CHUID, &buf)
} }
} }
impl Display for CHUID { impl AsRef<[u8]> for ChuId {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { fn as_ref(&self) -> &[u8] {
write!( &self.0
f,
"{}",
String::from_utf8(hex::encode(&self.0[..])).unwrap()
)
} }
} }
impl Debug for CHUID { impl Display for ChuId {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
write!(f, "CHUID({:?})", &self.0[..]) f.write_str(&hex::upper::encode_string(self.as_ref()))
} }
} }
+23 -21
View File
@@ -31,52 +31,56 @@
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
use crate::{ use crate::{
error::Error, consts::{
TAG_ADMIN_FLAGS_1, TAG_ADMIN_SALT, TAG_ADMIN_TIMESTAMP, TAG_PROTECTED_FLAGS_1,
TAG_PROTECTED_MGM,
},
metadata::{AdminData, ProtectedData}, metadata::{AdminData, ProtectedData},
mgm::{MgmType, ADMIN_FLAGS_1_PROTECTED_MGM}, mgm::{MgmType, ADMIN_FLAGS_1_PROTECTED_MGM},
yubikey::{YubiKey, ADMIN_FLAGS_1_PUK_BLOCKED}, yubikey::{YubiKey, ADMIN_FLAGS_1_PUK_BLOCKED},
TAG_ADMIN_FLAGS_1, TAG_ADMIN_SALT, TAG_ADMIN_TIMESTAMP, TAG_PROTECTED_FLAGS_1, Result,
TAG_PROTECTED_MGM,
}; };
use log::error; use log::error;
use std::{ use std::time::{Duration, SystemTime, UNIX_EPOCH};
convert::TryInto,
time::{Duration, SystemTime, UNIX_EPOCH},
};
const CB_ADMIN_TIMESTAMP: usize = 0x04; const CB_ADMIN_TIMESTAMP: usize = 0x04;
const PROTECTED_FLAGS_1_PUK_NOBLOCK: u8 = 0x01; const PROTECTED_FLAGS_1_PUK_NOBLOCK: u8 = 0x01;
/// Config /// YubiKey configuration.
#[derive(Copy, Clone, Debug)] #[derive(Copy, Clone, Debug)]
pub struct Config { pub struct Config {
/// Protected data available /// Protected data available
protected_data_available: bool, pub protected_data_available: bool,
/// PUK blocked /// PUK blocked
puk_blocked: bool, pub puk_blocked: bool,
/// No block on upgrade /// No block on upgrade
puk_noblock_on_upgrade: bool, pub puk_noblock_on_upgrade: bool,
/// PIN last changed /// PIN last changed
pin_last_changed: Option<SystemTime>, pub pin_last_changed: Option<SystemTime>,
/// MGM type /// MGM type
mgm_type: MgmType, pub mgm_type: MgmType,
} }
impl Config { impl Default for Config {
/// Get YubiKey config fn default() -> Config {
pub fn get(yubikey: &mut YubiKey) -> Result<Config, Error> { Config {
let mut config = Config {
protected_data_available: false, protected_data_available: false,
puk_blocked: false, puk_blocked: false,
puk_noblock_on_upgrade: false, puk_noblock_on_upgrade: false,
pin_last_changed: None, pin_last_changed: None,
mgm_type: MgmType::Manual, mgm_type: MgmType::Manual,
}; }
}
}
impl Config {
/// Get YubiKey config.
pub(crate) fn get(yubikey: &mut YubiKey) -> Result<Config> {
let mut config = Self::default();
let txn = yubikey.begin_transaction()?; let txn = yubikey.begin_transaction()?;
if let Ok(admin_data) = AdminData::read(&txn) { if let Ok(admin_data) = AdminData::read(&txn) {
@@ -130,9 +134,7 @@ impl Config {
if protected_data.get_item(TAG_PROTECTED_MGM).is_ok() { if protected_data.get_item(TAG_PROTECTED_MGM).is_ok() {
if config.mgm_type != MgmType::Protected { if config.mgm_type != MgmType::Protected {
error!( error!("conflicting MGM key types: protected MGM exists");
"conflicting types of mgm key administration configured: protected MGM exists"
);
} }
// Always favor protected MGM // Always favor protected MGM
+20
View File
@@ -0,0 +1,20 @@
//! Miscellaneous constant values
/// YubiKey max buffer size
pub(crate) const CB_BUF_MAX: usize = 3072;
/// YubiKey max object size
pub(crate) const CB_OBJ_MAX: usize = CB_BUF_MAX - 9;
pub(crate) const CB_OBJ_TAG_MIN: usize = 2; // 1 byte tag + 1 byte len
#[cfg(feature = "untested")]
pub(crate) const CB_OBJ_TAG_MAX: usize = CB_OBJ_TAG_MIN + 2; // 1 byte tag + 3 bytes len
// Admin tags
pub(crate) const TAG_ADMIN_FLAGS_1: u8 = 0x81;
pub(crate) const TAG_ADMIN_SALT: u8 = 0x82;
pub(crate) const TAG_ADMIN_TIMESTAMP: u8 = 0x83;
// Protected tags
pub(crate) const TAG_PROTECTED_FLAGS_1: u8 = 0x81;
pub(crate) const TAG_PROTECTED_MGM: u8 = 0x89;
+92 -80
View File
@@ -32,65 +32,72 @@
use std::fmt::{self, Display}; use std::fmt::{self, Display};
/// Kinds of errors /// Result type with [`Error`].
pub type Result<T> = core::result::Result<T, Error>;
/// Kinds of errors.
#[derive(Clone, Copy, Debug, Eq, PartialEq)] #[derive(Clone, Copy, Debug, Eq, PartialEq)]
#[non_exhaustive]
pub enum Error { pub enum Error {
/// Algorithm error
AlgorithmError,
/// Applet error
AppletError,
/// We tried to select an applet that could not be found.
AppletNotFound {
/// Human-readable name of the applet.
applet_name: &'static str,
},
/// Argument error
ArgumentError,
/// Authentication error
AuthenticationError,
/// Generic error
GenericError,
/// Invalid object
InvalidObject,
/// Key error
KeyError,
/// Memory error /// Memory error
MemoryError, MemoryError,
/// Not supported
NotSupported,
/// Not found
NotFound,
/// Parse error
ParseError,
/// PCSC error /// PCSC error
PcscError { PcscError {
/// Original PC/SC error /// Original PC/SC error
inner: Option<pcsc::Error>, inner: Option<pcsc::Error>,
}, },
/// PIN locked
PinLocked,
/// Range error
RangeError,
/// Size error /// Size error
SizeError, SizeError,
/// Applet error
AppletError,
/// Authentication error
AuthenticationError,
/// Randomness error
RandomnessError,
/// Generic error
GenericError,
/// Key error
KeyError,
/// Parse error
ParseError,
/// Wrong PIN /// Wrong PIN
WrongPin { WrongPin {
/// Number of tries remaining /// Number of tries remaining
tries: u8, tries: u8,
}, },
/// Invalid object
InvalidObject,
/// Algorithm error
AlgorithmError,
/// PIN locked
PinLocked,
/// Argument error
ArgumentError,
/// Range error
RangeError,
/// Not supported
NotSupported,
/// Not found
NotFound,
} }
impl Error { impl Error {
@@ -98,55 +105,62 @@ impl Error {
/// ///
/// These names map to the legacy names from the Yubico C library, to /// These names map to the legacy names from the Yubico C library, to
/// assist in web searches for relevant information for these errors. /// assist in web searches for relevant information for these errors.
pub fn name(self) -> &'static str { pub fn name(self) -> Option<&'static str> {
match self { Some(match self {
Error::MemoryError => "YKPIV_MEMORY_ERROR",
Error::PcscError { .. } => "YKPIV_PCSC_ERROR",
Error::SizeError => "YKPIV_SIZE_ERROR",
Error::AppletError => "YKPIV_APPLET_ERROR",
Error::AuthenticationError => "YKPIV_AUTHENTICATION_ERROR",
Error::RandomnessError => "YKPIV_RANDOMNESS_ERROR",
Error::GenericError => "YKPIV_GENERIC_ERROR",
Error::KeyError => "YKPIV_KEY_ERROR",
Error::ParseError => "YKPIV_PARSE_ERROR",
Error::WrongPin { .. } => "YKPIV_WRONG_PIN",
Error::InvalidObject => "YKPIV_INVALID_OBJECT",
Error::AlgorithmError => "YKPIV_ALGORITHM_ERROR", Error::AlgorithmError => "YKPIV_ALGORITHM_ERROR",
Error::PinLocked => "YKPIV_PIN_LOCKED", Error::AppletError => "YKPIV_APPLET_ERROR",
Error::ArgumentError => "YKPIV_ARGUMENT_ERROR", Error::ArgumentError => "YKPIV_ARGUMENT_ERROR",
Error::RangeError => "YKPIV_RANGE_ERROR", Error::AuthenticationError => "YKPIV_AUTHENTICATION_ERROR",
Error::GenericError => "YKPIV_GENERIC_ERROR",
Error::InvalidObject => "YKPIV_INVALID_OBJECT",
Error::KeyError => "YKPIV_KEY_ERROR",
Error::MemoryError => "YKPIV_MEMORY_ERROR",
Error::NotSupported => "YKPIV_NOT_SUPPORTED", Error::NotSupported => "YKPIV_NOT_SUPPORTED",
Error::NotFound => "<not found>", Error::ParseError => "YKPIV_PARSE_ERROR",
} Error::PcscError { .. } => "YKPIV_PCSC_ERROR",
Error::PinLocked => "YKPIV_PIN_LOCKED",
Error::RangeError => "YKPIV_RANGE_ERROR",
Error::SizeError => "YKPIV_SIZE_ERROR",
Error::WrongPin { .. } => "YKPIV_WRONG_PIN",
_ => return None,
})
} }
/// Error message /// Error message
pub fn msg(self) -> &'static str { pub fn msg(self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
match self { match self {
Error::MemoryError => "memory error", Error::AlgorithmError => f.write_str("algorithm error"),
Error::PcscError { .. } => "PCSC error", Error::AppletError => f.write_str("applet error"),
Error::SizeError => "size error", Error::AppletNotFound { applet_name } => {
Error::AppletError => "applet error", f.write_str(&format!("{} applet not found", applet_name))
Error::AuthenticationError => "authentication error", }
Error::RandomnessError => "randomness error", Error::ArgumentError => f.write_str("argument error"),
Error::GenericError => "generic error", Error::AuthenticationError => f.write_str("authentication error"),
Error::KeyError => "key error", Error::GenericError => f.write_str("generic error"),
Error::ParseError => "parse error", Error::InvalidObject => f.write_str("invalid object"),
Error::WrongPin { .. } => "wrong pin", Error::KeyError => f.write_str("key error"),
Error::InvalidObject => "invalid object", Error::MemoryError => f.write_str("memory error"),
Error::AlgorithmError => "algorithm error", Error::NotSupported => f.write_str("not supported"),
Error::PinLocked => "PIN locked", Error::NotFound => f.write_str("not found"),
Error::ArgumentError => "argument error", Error::ParseError => f.write_str("parse error"),
Error::RangeError => "range error",
Error::NotSupported => "not supported", Error::PcscError {
Error::NotFound => "not found", inner: Some(pcsc_error),
} => f.write_fmt(format_args!("PC/SC error: {}", pcsc_error)),
Error::PcscError { .. } => f.write_str("PC/SC error"),
Error::PinLocked => f.write_str("PIN locked"),
Error::RangeError => f.write_str("range error"),
Error::SizeError => f.write_str("size error"),
Error::WrongPin { .. } => f.write_str("wrong pin"),
} }
} }
} }
impl Display for Error { impl Display for Error {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
f.write_str(self.msg()) self.msg(f)
} }
} }
@@ -159,10 +173,8 @@ impl From<pcsc::Error> for Error {
impl std::error::Error for Error { impl std::error::Error for Error {
fn source(&self) -> Option<&(dyn std::error::Error + 'static)> { fn source(&self) -> Option<&(dyn std::error::Error + 'static)> {
match self { match self {
#[allow(trivial_casts)] // why doesn't this work without the cast??? #[allow(trivial_casts)]
Error::PcscError { inner } => inner Error::PcscError { inner } => inner.as_ref().map(|err| err as &_),
.as_ref()
.map(|err| err as &(dyn std::error::Error + 'static)),
_ => None, _ => None,
} }
} }
+40 -152
View File
@@ -1,95 +1,10 @@
//! [YubiKey] PIV: [Personal Identity Verification][PIV] support for #![doc = include_str!("../README.md")]
//! [Yubico] devices using the Personal Computer/Smart Card ([PC/SC]) #![doc(
//! interface as provided by the [`pcsc` crate]. html_logo_url = "https://raw.githubusercontent.com/iqlusioninc/yubikey.rs/main/img/logo-sq.png"
//! )]
//! **PIV** is a [NIST] standard for both *signing* and *encryption* #![cfg_attr(docsrs, feature(doc_cfg))]
//! using SmartCards and SmartCard-based hardware tokens like YubiKeys. #![forbid(unsafe_code)]
//! #![warn(missing_docs, rust_2018_idioms, trivial_casts, unused_qualifications)]
//! This library natively implements the protocol used to manage and
//! utilize PIV encryption and signing keys which can be generated, imported,
//! and stored on YubiKey devices.
//!
//! See [Yubico's guide to PIV-enabled YubiKeys][yk-guide] for more information
//! on which devices support PIV and the available functionality.
//!
//! ## Minimum Supported Rust Version
//!
//! Rust 1.44+
//!
//! ## Supported YubiKeys
//!
//! - [YubiKey 4] series
//! - [YubiKey 5] series
//!
//! NOTE: Nano and USB-C variants of the above are also supported.
//! Pre-YK4 [YubiKey NEO] series is **NOT** supported.
//!
//! ## Supported Algorithms
//!
//! - **Authentication**: `3DES`
//! - **Encryption**: `RSA1024`, `RSA2048`, `ECCP256`, `ECCP384`
//! - **Signatures**:
//! - RSASSA-PKCS#1v1.5: `RSA1024`, `RSA2048`
//! - ECDSA: `ECCP256`, `ECCP384`
//!
//! NOTE: RSASSA-PSS signatures and RSA-OAEP encryption may be supportable (TBD)
//!
//! ## Status
//!
//! This is a work-in-progress effort, and while much of the library-level
//! code from upstream [yubico-piv-tool] has been translated into Rust
//! presenting a safe interface, much of it is still untested.
//!
//! Please see the [project's README.md for a complete status][status].
//!
//! ## History
//!
//! This library is a Rust translation of the [yubico-piv-tool] utility by
//! Yubico, which was originally written in C. It was mechanically translated
//! from C into Rust using [Corrode], and then subsequently heavily
//! refactored into safer, more idiomatic Rust.
//!
//! For more information on [yubico-piv-tool] and background information on how
//! the YubiKey implementation of PIV works in general, see the
//! [Yubico PIV Tool Command Line Guide][piv-tool-guide].
//!
//! ## Security Warning
//!
//! No security audits of this crate have ever been performed. Presently it is in
//! an experimental stage and may still contain high-severity issues.
//!
//! USE AT YOUR OWN RISK!
//!
//! ## Code of Conduct
//!
//! We abide by the [Contributor Covenant][cc-md] and ask that you do as well.
//!
//! For more information, please see [CODE_OF_CONDUCT.md][cc-md].
//!
//! ## License
//!
//! **yubikey-piv.rs** is a fork of and originally a mechanical translation from
//! Yubico's [yubico-piv-tool], a C library/CLI program. The original library
//! was licensed under a [2-Clause BSD License][BSDL], which this library inherits
//! as a derived work.
//!
//! [YubiKey]: https://www.yubico.com/products/yubikey-hardware/
//! [PIV]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf
//! [Yubico]: https://www.yubico.com/
//! [PC/SC]: https://en.wikipedia.org/wiki/PC/SC
//! [`pcsc` crate]: https://github.com/bluetech/pcsc-rust
//! [NIST]: https://www.nist.gov/
//! [yk-guide]: https://developers.yubico.com/PIV/Introduction/YubiKey_and_PIV.html
//! [YubiKey NEO]: https://support.yubico.com/support/solutions/articles/15000006494-yubikey-neo
//! [YubiKey 4]: https://support.yubico.com/support/solutions/articles/15000006486-yubikey-4
//! [YubiKey 5]: https://www.yubico.com/products/yubikey-5-overview/
//! [status]: https://github.com/iqlusioninc/yubikey-piv.rs#status
//! [yubico-piv-tool]: https://github.com/Yubico/yubico-piv-tool/
//! [Corrode]: https://github.com/jameysharp/corrode
//! [piv-tool-guide]: https://www.yubico.com/wp-content/uploads/2016/05/Yubico_PIV_Tool_Command_Line_Guide_en.pdf
//! [cc-web]: https://contributor-covenant.org/
//! [cc-md]: https://github.com/iqlusioninc/yubikey-piv.rs/blob/main/CODE_OF_CONDUCT.md
//! [BSDL]: https://opensource.org/licenses/BSD-2-Clause
// Adapted from yubico-piv-tool: // Adapted from yubico-piv-tool:
// <https://github.com/Yubico/yubico-piv-tool/> // <https://github.com/Yubico/yubico-piv-tool/>
@@ -121,76 +36,49 @@
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#![doc(
html_logo_url = "https://raw.githubusercontent.com/iqlusioninc/yubikey-piv.rs/main/img/logo.png",
html_root_url = "https://docs.rs/yubikey-piv/0.3.0"
)]
#![forbid(unsafe_code)]
#![warn(
missing_docs,
rust_2018_idioms,
trivial_casts,
trivial_numeric_casts,
unused_lifetimes,
unused_qualifications
)]
mod apdu; mod apdu;
pub mod cccid; mod cccid;
pub mod certificate; pub mod certificate;
pub mod chuid; mod chuid;
pub mod config; mod config;
pub mod error; mod consts;
pub mod key; mod error;
mod metadata; mod metadata;
pub mod mgm; mod mgm;
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
pub mod mscmap; mod mscmap;
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
pub mod msroots; mod msroots;
pub mod policy; mod otp;
pub mod readers; pub mod piv;
mod policy;
pub mod reader;
mod serialization; mod serialization;
pub mod settings; mod setting;
mod transaction; mod transaction;
pub mod yubikey; mod yubikey;
pub use self::{ pub use crate::{
error::Error, cccid::{CardId, CccId},
key::Key, certificate::Certificate,
mgm::MgmKey, chuid::ChuId,
readers::Readers, config::Config,
yubikey::{Serial, YubiKey}, error::{Error, Result},
mgm::{MgmKey, MgmType},
piv::Key,
policy::{PinPolicy, TouchPolicy},
reader::Context,
setting::{Setting, SettingSource},
yubikey::{CachedPin, Serial, Version, YubiKey},
}; };
/// Object identifiers #[cfg(feature = "untested")]
pub use crate::{mscmap::MsContainer, msroots::MsRoots};
pub use uuid::Uuid;
/// Object identifiers: handles to particular objects stored on a YubiKey.
pub type ObjectId = u32; pub type ObjectId = u32;
/// Buffer type (self-zeroizing byte vector) /// Buffer type (self-zeroizing byte vector)
pub(crate) type Buffer = zeroize::Zeroizing<Vec<u8>>; pub type Buffer = zeroize::Zeroizing<Vec<u8>>;
/// YubiKey max buffer size
pub(crate) const CB_BUF_MAX: usize = 3072;
/// YubiKey max object size
pub(crate) const CB_OBJ_MAX: usize = CB_BUF_MAX - 9;
pub(crate) const CB_OBJ_TAG_MIN: usize = 2; // 1 byte tag + 1 byte len
#[cfg(feature = "untested")]
pub(crate) const CB_OBJ_TAG_MAX: usize = CB_OBJ_TAG_MIN + 2; // 1 byte tag + 3 bytes len
pub(crate) const TAG_ADMIN_FLAGS_1: u8 = 0x81;
pub(crate) const TAG_ADMIN_SALT: u8 = 0x82;
pub(crate) const TAG_ADMIN_TIMESTAMP: u8 = 0x83;
pub(crate) const TAG_PROTECTED_FLAGS_1: u8 = 0x81;
pub(crate) const TAG_PROTECTED_MGM: u8 = 0x89;
/// PIV Applet ID
pub(crate) const PIV_AID: [u8; 5] = [0xa0, 0x00, 0x00, 0x03, 0x08];
/// MGMT Applet ID.
/// <https://developers.yubico.com/PIV/Introduction/Admin_access.html>
#[cfg(feature = "untested")]
pub(crate) const MGMT_AID: [u8; 8] = [0xa0, 0x00, 0x00, 0x05, 0x27, 0x47, 0x11, 0x17];
/// YubiKey OTP Applet ID. Needed to query serial on YK4.
pub(crate) const YK_AID: [u8; 8] = [0xa0, 0x00, 0x00, 0x05, 0x27, 0x20, 0x01, 0x01];
+10 -7
View File
@@ -33,10 +33,10 @@
use std::marker::PhantomData; use std::marker::PhantomData;
use zeroize::Zeroizing; use zeroize::Zeroizing;
use crate::{error::Error, serialization::*, transaction::Transaction, Buffer}; use crate::{serialization::*, transaction::Transaction, Buffer, Error, Result};
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
use crate::{CB_OBJ_MAX, CB_OBJ_TAG_MAX}; use crate::consts::{CB_OBJ_MAX, CB_OBJ_TAG_MAX};
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
use std::iter; use std::iter;
@@ -78,7 +78,7 @@ impl<T: MetadataType> Default for Metadata<T> {
impl<T: MetadataType> Metadata<T> { impl<T: MetadataType> Metadata<T> {
/// Read metadata /// Read metadata
pub(crate) fn read(txn: &Transaction<'_>) -> Result<Self, Error> { pub(crate) fn read(txn: &Transaction<'_>) -> Result<Self> {
let data = txn.fetch_object(T::obj_id())?; let data = txn.fetch_object(T::obj_id())?;
Ok(Metadata { Ok(Metadata {
inner: Tlv::parse_single(data, T::tag())?, inner: Tlv::parse_single(data, T::tag())?,
@@ -88,7 +88,8 @@ impl<T: MetadataType> Metadata<T> {
/// Write metadata /// Write metadata
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
pub(crate) fn write(&self, txn: &Transaction<'_>) -> Result<(), Error> { #[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub(crate) fn write(&self, txn: &Transaction<'_>) -> Result<()> {
if self.inner.len() > CB_OBJ_MAX - CB_OBJ_TAG_MAX { if self.inner.len() > CB_OBJ_MAX - CB_OBJ_TAG_MAX {
return Err(Error::GenericError); return Err(Error::GenericError);
} }
@@ -105,12 +106,13 @@ impl<T: MetadataType> Metadata<T> {
/// Delete metadata /// Delete metadata
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
pub(crate) fn delete(txn: &Transaction<'_>) -> Result<(), Error> { #[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub(crate) fn delete(txn: &Transaction<'_>) -> Result<()> {
txn.save_object(T::obj_id(), &[]) txn.save_object(T::obj_id(), &[])
} }
/// Get metadata item /// Get metadata item
pub(crate) fn get_item(&self, tag: u8) -> Result<&[u8], Error> { pub(crate) fn get_item(&self, tag: u8) -> Result<&[u8]> {
let mut data = &self.inner[..]; let mut data = &self.inner[..];
while !data.is_empty() { while !data.is_empty() {
@@ -128,7 +130,8 @@ impl<T: MetadataType> Metadata<T> {
/// Set metadata item /// Set metadata item
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
pub(crate) fn set_item(&mut self, tag: u8, item: &[u8]) -> Result<(), Error> { #[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub(crate) fn set_item(&mut self, tag: u8, item: &[u8]) -> Result<()> {
let mut cb_temp: usize = 0; let mut cb_temp: usize = 0;
let mut tag_temp: u8 = 0; let mut tag_temp: u8 = 0;
let mut cb_len: usize = 0; let mut cb_len: usize = 0;
+38 -37
View File
@@ -30,39 +30,39 @@
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
use crate::error::Error; use crate::{Error, Result};
use getrandom::getrandom;
use log::error; use log::error;
use std::convert::{TryFrom, TryInto}; use rand_core::{OsRng, RngCore};
use zeroize::{Zeroize, Zeroizing}; use zeroize::{Zeroize, Zeroizing};
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
use crate::{ use crate::{
consts::{TAG_ADMIN_FLAGS_1, TAG_ADMIN_SALT, TAG_PROTECTED_MGM},
metadata::{AdminData, ProtectedData}, metadata::{AdminData, ProtectedData},
yubikey::YubiKey, yubikey::YubiKey,
TAG_ADMIN_FLAGS_1, TAG_ADMIN_SALT, TAG_PROTECTED_MGM,
}; };
use des::{ use des::{
cipher::{generic_array::GenericArray, BlockCipher, NewBlockCipher}, cipher::{generic_array::GenericArray, BlockDecrypt, BlockEncrypt, KeyInit},
TdesEde3, TdesEde3,
}; };
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
use hmac::Hmac; use {pbkdf2::pbkdf2_hmac, sha1::Sha1};
/// YubiKey MGMT Applet Name
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
use pbkdf2::pbkdf2; pub(crate) const APPLET_NAME: &str = "YubiKey MGMT";
/// MGMT Applet ID.
///
/// <https://developers.yubico.com/PIV/Introduction/Admin_access.html>
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
use sha1::Sha1; pub(crate) const APPLET_ID: &[u8] = &[0xa0, 0x00, 0x00, 0x05, 0x27, 0x47, 0x11, 0x17];
pub(crate) const ADMIN_FLAGS_1_PROTECTED_MGM: u8 = 0x02; pub(crate) const ADMIN_FLAGS_1_PROTECTED_MGM: u8 = 0x02;
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
const CB_ADMIN_SALT: usize = 16; const CB_ADMIN_SALT: usize = 16;
/// Default MGM key configured on all YubiKeys
const DEFAULT_MGM_KEY: [u8; DES_LEN_3DES] = [
1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8,
];
/// Size of a DES key /// Size of a DES key
const DES_LEN_DES: usize = 8; const DES_LEN_DES: usize = 8;
@@ -73,7 +73,7 @@ pub(crate) const DES_LEN_3DES: usize = DES_LEN_DES * 3;
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
const ITER_MGM_PBKDF2: u32 = 10000; const ITER_MGM_PBKDF2: u32 = 10000;
/// Management Key (MGM) key types (manual/derived/protected) /// Management Key (MGM) key types (manual/derived/protected).
#[derive(Copy, Clone, Debug, Eq, PartialEq)] #[derive(Copy, Clone, Debug, Eq, PartialEq)]
pub enum MgmType { pub enum MgmType {
/// Manual /// Manual
@@ -97,27 +97,23 @@ pub struct MgmKey([u8; DES_LEN_3DES]);
impl MgmKey { impl MgmKey {
/// Generate a random MGM key /// Generate a random MGM key
pub fn generate() -> Result<Self, Error> { pub fn generate() -> Self {
let mut key_bytes = [0u8; DES_LEN_3DES]; let mut key_bytes = [0u8; DES_LEN_3DES];
OsRng.fill_bytes(&mut key_bytes);
if getrandom(&mut key_bytes).is_err() { Self(key_bytes)
return Err(Error::RandomnessError);
}
MgmKey::new(key_bytes)
} }
/// Create an MGM key from byte slice. /// Create an MGM key from byte slice.
/// ///
/// Returns an error if the slice is the wrong size or the key is weak. /// Returns an error if the slice is the wrong size or the key is weak.
pub fn from_bytes(bytes: impl AsRef<[u8]>) -> Result<Self, Error> { pub fn from_bytes(bytes: impl AsRef<[u8]>) -> Result<Self> {
bytes.as_ref().try_into() bytes.as_ref().try_into()
} }
/// Create an MGM key from the given byte array. /// Create an MGM key from the given byte array.
/// ///
/// Returns an error if the key is weak. /// Returns an error if the key is weak.
pub fn new(key_bytes: [u8; DES_LEN_3DES]) -> Result<Self, Error> { pub fn new(key_bytes: [u8; DES_LEN_3DES]) -> Result<Self> {
if is_weak_key(&key_bytes) { if is_weak_key(&key_bytes) {
error!( error!(
"blacklisting key '{:?}' since it's weak (with odd parity)", "blacklisting key '{:?}' since it's weak (with odd parity)",
@@ -127,12 +123,13 @@ impl MgmKey {
return Err(Error::KeyError); return Err(Error::KeyError);
} }
Ok(MgmKey(key_bytes)) Ok(Self(key_bytes))
} }
/// Get derived management key (MGM) /// Get derived management key (MGM)
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
pub fn get_derived(yubikey: &mut YubiKey, pin: &[u8]) -> Result<Self, Error> { #[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub fn get_derived(yubikey: &mut YubiKey, pin: &[u8]) -> Result<Self> {
let txn = yubikey.begin_transaction()?; let txn = yubikey.begin_transaction()?;
// recover management key // recover management key
@@ -150,14 +147,14 @@ impl MgmKey {
} }
let mut mgm = [0u8; DES_LEN_3DES]; let mut mgm = [0u8; DES_LEN_3DES];
pbkdf2::<Hmac<Sha1>>(pin, &salt, ITER_MGM_PBKDF2, &mut mgm); pbkdf2_hmac::<Sha1>(pin, salt, ITER_MGM_PBKDF2, &mut mgm);
MgmKey::from_bytes(mgm) MgmKey::from_bytes(mgm)
} }
/// Get protected management key (MGM) /// Get protected management key (MGM)
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
pub fn get_protected(yubikey: &mut YubiKey) -> Result<Self, Error> { #[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub fn get_protected(yubikey: &mut YubiKey) -> Result<Self> {
let txn = yubikey.begin_transaction()?; let txn = yubikey.begin_transaction()?;
let protected_data = ProtectedData::read(&txn).map_err(|e| { let protected_data = ProtectedData::read(&txn).map_err(|e| {
@@ -187,7 +184,8 @@ impl MgmKey {
/// ///
/// This will wipe any metadata related to derived and PIN-protected management keys. /// This will wipe any metadata related to derived and PIN-protected management keys.
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
pub fn set_default(yubikey: &mut YubiKey) -> Result<(), Error> { #[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub fn set_default(yubikey: &mut YubiKey) -> Result<()> {
MgmKey::default().set_manual(yubikey, false) MgmKey::default().set_manual(yubikey, false)
} }
@@ -198,10 +196,11 @@ impl MgmKey {
/// ///
/// This will wipe any metadata related to derived and PIN-protected management keys. /// This will wipe any metadata related to derived and PIN-protected management keys.
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
pub fn set_manual(&self, yubikey: &mut YubiKey, require_touch: bool) -> Result<(), Error> { #[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub fn set_manual(&self, yubikey: &mut YubiKey, require_touch: bool) -> Result<()> {
let txn = yubikey.begin_transaction()?; let txn = yubikey.begin_transaction()?;
txn.set_mgm_key(&self, require_touch).map_err(|e| { txn.set_mgm_key(self, require_touch).map_err(|e| {
// Log a warning, since the device mgm key is corrupt or we're in a state // Log a warning, since the device mgm key is corrupt or we're in a state
// where we can't set the mgm key. // where we can't set the mgm key.
error!("could not set new derived mgm key, err = {}", e); error!("could not set new derived mgm key, err = {}", e);
@@ -257,7 +256,8 @@ impl MgmKey {
/// ///
/// This enables key management operations to be performed with access to the PIN. /// This enables key management operations to be performed with access to the PIN.
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
pub fn set_protected(&self, yubikey: &mut YubiKey) -> Result<(), Error> { #[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub fn set_protected(&self, yubikey: &mut YubiKey) -> Result<()> {
let txn = yubikey.begin_transaction()?; let txn = yubikey.begin_transaction()?;
txn.set_mgm_key(self, false).map_err(|e| { txn.set_mgm_key(self, false).map_err(|e| {
@@ -325,7 +325,6 @@ impl MgmKey {
} }
/// Encrypt with 3DES key /// Encrypt with 3DES key
#[allow(clippy::trivially_copy_pass_by_ref)]
pub(crate) fn encrypt(&self, input: &[u8; DES_LEN_DES]) -> [u8; DES_LEN_DES] { pub(crate) fn encrypt(&self, input: &[u8; DES_LEN_DES]) -> [u8; DES_LEN_DES] {
let mut output = input.to_owned(); let mut output = input.to_owned();
TdesEde3::new(GenericArray::from_slice(&self.0)) TdesEde3::new(GenericArray::from_slice(&self.0))
@@ -334,7 +333,6 @@ impl MgmKey {
} }
/// Decrypt with 3DES key /// Decrypt with 3DES key
#[allow(clippy::trivially_copy_pass_by_ref)]
pub(crate) fn decrypt(&self, input: &[u8; DES_LEN_DES]) -> [u8; DES_LEN_DES] { pub(crate) fn decrypt(&self, input: &[u8; DES_LEN_DES]) -> [u8; DES_LEN_DES] {
let mut output = input.to_owned(); let mut output = input.to_owned();
TdesEde3::new(GenericArray::from_slice(&self.0)) TdesEde3::new(GenericArray::from_slice(&self.0))
@@ -349,9 +347,12 @@ impl AsRef<[u8; DES_LEN_3DES]> for MgmKey {
} }
} }
/// Default MGM key configured on all YubiKeys
impl Default for MgmKey { impl Default for MgmKey {
fn default() -> Self { fn default() -> Self {
MgmKey(DEFAULT_MGM_KEY) MgmKey([
1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8,
])
} }
} }
@@ -364,7 +365,7 @@ impl Drop for MgmKey {
impl<'a> TryFrom<&'a [u8]> for MgmKey { impl<'a> TryFrom<&'a [u8]> for MgmKey {
type Error = Error; type Error = Error;
fn try_from(key_bytes: &'a [u8]) -> Result<Self, Error> { fn try_from(key_bytes: &'a [u8]) -> Result<Self> {
Self::new(key_bytes.try_into().map_err(|_| Error::SizeError)?) Self::new(key_bytes.try_into().map_err(|_| Error::SizeError)?)
} }
} }
@@ -413,7 +414,7 @@ fn is_weak_key(key: &[u8; DES_LEN_3DES]) -> bool {
c = (c & 0x0F) + ((c >> 4) & 0x0F); c = (c & 0x0F) + ((c >> 4) & 0x0F);
// if count is even, set low key bit to 1, otherwise 0 // if count is even, set low key bit to 1, otherwise 0
tmp[i] = (key[i] & 0xFE) | (if c & 0x01 == 0x01 { 0x00 } else { 0x01 }); tmp[i] = (key[i] & 0xFE) | u8::from(c & 0x01 != 0x01);
} }
// check odd parity key against table by DES key block // check odd parity key against table by DES key block
+53 -74
View File
@@ -1,7 +1,4 @@
//! MS Container Map Records //! MS Container Map Records.
//!
//! These appear(?) to be defined in Microsoft's Smart Card Minidriver Specification:
//! <https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn631754(v=vs.85)>
// Adapted from yubico-piv-tool: // Adapted from yubico-piv-tool:
// <https://github.com/Yubico/yubico-piv-tool/> // <https://github.com/Yubico/yubico-piv-tool/>
@@ -33,54 +30,57 @@
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
use crate::{error::Error, key::SlotId, serialization::*, yubikey::YubiKey, CB_OBJ_MAX}; use crate::{consts::CB_OBJ_MAX, piv::SlotId, serialization::*, Error, Result, YubiKey};
use log::error; use log::error;
use std::{
convert::{TryFrom, TryInto},
fmt::{self, Debug},
};
/// Container name length
const CONTAINER_NAME_LEN: usize = 40;
/// Container record length: 27 = 80 + 1 + 1 + 2 + 1 + 1 + 1 + 20
const CONTAINER_REC_LEN: usize = (2 * CONTAINER_NAME_LEN) + 27;
const OBJ_MSCMAP: u32 = 0x005f_ff10; const OBJ_MSCMAP: u32 = 0x005f_ff10;
const TAG_MSCMAP: u8 = 0x81; const TAG_MSCMAP: u8 = 0x81;
/// MS Container Map(?) Records /// MS Container Map records.
#[derive(Copy, Clone)] ///
pub struct Container { /// Defined in Microsoft's Smart Card Minidriver Specification:
/// Container name /// <https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn631754(v=vs.85)>
pub name: [u16; CONTAINER_NAME_LEN], #[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
#[derive(Clone, Debug)]
pub struct MsContainer {
/// Container name.
pub name: [u16; Self::NAME_LEN],
/// Card slot /// Card slot.
pub slot: SlotId, pub slot: SlotId,
/// Key spec /// Key spec.
pub key_spec: u8, pub key_spec: u8,
/// Key size in bits /// Key size in bits.
pub key_size_bits: u16, pub key_size_bits: u16,
/// Flags /// Flags.
pub flags: u8, pub flags: u8,
/// PIN ID /// PIN ID.
pub pin_id: u8, pub pin_id: u8,
/// Associated ECHD(?) container (typo of "ecdh" perhaps?) /// Associated ECHD container.
pub associated_echd_container: u8, pub associated_echd_container: u8,
/// Cert fingerprint /// Cert fingerprint.
pub cert_fingerprint: [u8; 20], pub cert_fingerprint: [u8; Self::CERT_FINGERPRINT_LEN],
} }
impl Container { impl MsContainer {
/// Read MS Container Map records /// Container name length in UTF-16 chars.
pub fn read_mscmap(yubikey: &mut YubiKey) -> Result<Vec<Self>, Error> { const NAME_LEN: usize = 40;
/// Container record length: 27 = 80 + 1 + 1 + 2 + 1 + 1 + 1 + 20
const REC_LEN: usize = (2 * Self::NAME_LEN) + 27;
/// Length of a certificate fingerprint.
const CERT_FINGERPRINT_LEN: usize = 20;
/// Read MS Container Map records.
pub fn read_mscmap(yubikey: &mut YubiKey) -> Result<Vec<Self>> {
let txn = yubikey.begin_transaction()?; let txn = yubikey.begin_transaction()?;
let response = txn.fetch_object(OBJ_MSCMAP)?; let response = txn.fetch_object(OBJ_MSCMAP)?;
let mut containers = vec![]; let mut containers = vec![];
@@ -98,17 +98,17 @@ impl Container {
return Err(Error::InvalidObject); return Err(Error::InvalidObject);
} }
for chunk in tlv.value.chunks_exact(CONTAINER_REC_LEN) { for chunk in tlv.value.chunks_exact(Self::REC_LEN) {
containers.push(Container::new(chunk)?); containers.push(MsContainer::new(chunk)?);
} }
Ok(containers) Ok(containers)
} }
/// Write MS Container Map records. /// Write MS Container Map records.
pub fn write_mscmap(yubikey: &mut YubiKey, containers: &[Self]) -> Result<(), Error> { pub fn write_mscmap(yubikey: &mut YubiKey, containers: &[Self]) -> Result<()> {
let n_containers = containers.len(); let n_containers = containers.len();
let data_len = n_containers * CONTAINER_REC_LEN; let data_len = n_containers * Self::REC_LEN;
let txn = yubikey.begin_transaction()?; let txn = yubikey.begin_transaction()?;
@@ -118,7 +118,7 @@ impl Container {
let mut buf = [0u8; CB_OBJ_MAX]; let mut buf = [0u8; CB_OBJ_MAX];
let offset = Tlv::write_as(&mut buf, TAG_MSCMAP, data_len, |buf| { let offset = Tlv::write_as(&mut buf, TAG_MSCMAP, data_len, |buf| {
for (i, chunk) in buf.chunks_exact_mut(CONTAINER_REC_LEN).enumerate() { for (i, chunk) in buf.chunks_exact_mut(Self::REC_LEN).enumerate() {
chunk.copy_from_slice(&containers[i].to_bytes()); chunk.copy_from_slice(&containers[i].to_bytes());
} }
})?; })?;
@@ -126,19 +126,19 @@ impl Container {
txn.save_object(OBJ_MSCMAP, &buf[..offset]) txn.save_object(OBJ_MSCMAP, &buf[..offset])
} }
/// Parse a container record from a byte slice /// Parse a container record from a byte slice.
pub fn new(bytes: &[u8]) -> Result<Self, Error> { pub fn new(bytes: &[u8]) -> Result<Self> {
if bytes.len() != CONTAINER_REC_LEN { if bytes.len() != Self::REC_LEN {
error!( error!(
"couldn't parse PIV container: expected {}-bytes, got {}-bytes", "couldn't parse PIV container: expected {}-bytes, got {}-bytes",
CONTAINER_REC_LEN, Self::REC_LEN,
bytes.len() bytes.len()
); );
return Err(Error::ParseError); return Err(Error::ParseError);
} }
let mut name = [0u16; CONTAINER_NAME_LEN]; let mut name = [0u16; Self::NAME_LEN];
let name_bytes_len = CONTAINER_NAME_LEN * 2; let name_bytes_len = Self::NAME_LEN * 2;
for (i, chunk) in bytes[..name_bytes_len].chunks_exact(2).enumerate() { for (i, chunk) in bytes[..name_bytes_len].chunks_exact(2).enumerate() {
name[i] = u16::from_le_bytes(chunk.try_into().unwrap()); name[i] = u16::from_le_bytes(chunk.try_into().unwrap());
@@ -147,7 +147,7 @@ impl Container {
let mut cert_fingerprint = [0u8; 20]; let mut cert_fingerprint = [0u8; 20];
cert_fingerprint.copy_from_slice(&bytes[(bytes.len() - 20)..]); cert_fingerprint.copy_from_slice(&bytes[(bytes.len() - 20)..]);
Ok(Container { Ok(Self {
name, name,
slot: bytes[name_bytes_len].try_into()?, slot: bytes[name_bytes_len].try_into()?,
key_spec: bytes[name_bytes_len + 1], key_spec: bytes[name_bytes_len + 1],
@@ -163,16 +163,17 @@ impl Container {
}) })
} }
/// Parse the container name as a UTF-16 string /// Parse the container name as a UTF-16 string.
pub fn parse_name(&self) -> Result<String, Error> { pub fn parse_name(&self) -> Result<String> {
String::from_utf16(&self.name).map_err(|_| Error::ParseError) String::from_utf16(&self.name).map_err(|_| Error::ParseError)
} }
/// Serialize a container record as a byte size /// Serialize a container record as a byte size.
pub fn to_bytes(&self) -> [u8; CONTAINER_REC_LEN] { pub fn to_bytes(&self) -> [u8; Self::REC_LEN] {
let mut bytes = Vec::with_capacity(CONTAINER_REC_LEN); // TODO(tarcieri): use array instead of `Vec`
let mut bytes = Vec::with_capacity(Self::REC_LEN);
for i in 0..CONTAINER_NAME_LEN { for i in 0..Self::NAME_LEN {
bytes.extend_from_slice(&self.name[i].to_le_bytes()); bytes.extend_from_slice(&self.name[i].to_le_bytes());
} }
@@ -183,36 +184,14 @@ impl Container {
bytes.push(self.pin_id); bytes.push(self.pin_id);
bytes.push(self.associated_echd_container); bytes.push(self.associated_echd_container);
bytes.extend_from_slice(&self.cert_fingerprint); bytes.extend_from_slice(&self.cert_fingerprint);
bytes.as_slice().try_into().unwrap()
// TODO(tarcieri): use TryInto here when const generics are available
let mut result = [0u8; CONTAINER_REC_LEN];
result.copy_from_slice(&bytes);
result
} }
} }
impl Debug for Container { impl<'a> TryFrom<&'a [u8]> for MsContainer {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
write!(
f,
"PivContainer {{ name: {:?}, slot: {:?}, key_spec: {}, key_size_bits: {}, \
flags: {}, pin_id: {}, associated_echd_container: {}, cert_fingerprint: {:?} }}",
&self.name[..],
self.slot,
self.key_spec,
self.key_size_bits,
self.flags,
self.pin_id,
self.associated_echd_container,
&self.cert_fingerprint[..]
)
}
}
impl<'a> TryFrom<&'a [u8]> for Container {
type Error = Error; type Error = Error;
fn try_from(bytes: &'a [u8]) -> Result<Self, Error> { fn try_from(bytes: &'a [u8]) -> Result<Self> {
Self::new(bytes) Self::new(bytes)
} }
} }
+20 -16
View File
@@ -1,11 +1,4 @@
//! `msroots`: PKCS#7 formatted certificate store for enterprise trusted roots. //! PKCS#7 formatted certificate store for enterprise trusted roots.
//!
//! This `msroots` file contains a bag of certificates with empty content and
//! an empty signature, allowing an enterprise root certificate truststore to
//! be written to and read from a YubiKey.
//!
//! For more information, see:
//! <https://docs.microsoft.com/en-us/windows-hardware/drivers/smartcard/developer-guidelines#-interoperability-with-msroots>
// Adapted from yubico-piv-tool: // Adapted from yubico-piv-tool:
// <https://github.com/Yubico/yubico-piv-tool/> // <https://github.com/Yubico/yubico-piv-tool/>
@@ -37,8 +30,11 @@
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
use crate::{error::Error, serialization::*, yubikey::YubiKey}; use crate::{
use crate::{CB_OBJ_MAX, CB_OBJ_TAG_MAX}; consts::{CB_OBJ_MAX, CB_OBJ_TAG_MAX},
serialization::*,
Error, Result, YubiKey,
};
use log::error; use log::error;
const OBJ_MSROOTS1: u32 = 0x005f_ff11; const OBJ_MSROOTS1: u32 = 0x005f_ff11;
@@ -53,17 +49,25 @@ const OBJ_MSROOTS5: u32 = 0x005f_ff15;
const TAG_MSROOTS_END: u8 = 0x82; const TAG_MSROOTS_END: u8 = 0x82;
const TAG_MSROOTS_MID: u8 = 0x83; const TAG_MSROOTS_MID: u8 = 0x83;
/// `msroots` file: PKCS#7-formatted certificate store for enterprise trust roots /// PKCS#7-formatted certificate store for enterprise trust roots.
///
/// The `msroots` file contains a bag of certificates with empty content and
/// an empty signature, allowing an enterprise root certificate truststore to
/// be written to and read from a YubiKey.
///
/// For more information, see:
/// <https://docs.microsoft.com/en-us/windows-hardware/drivers/smartcard/developer-guidelines#-interoperability-with-msroots>
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub struct MsRoots(Vec<u8>); pub struct MsRoots(Vec<u8>);
impl MsRoots { impl MsRoots {
/// Initialize a local certificate struct from the given bytebuffer /// Initialize a local certificate struct from the given bytebuffer
pub fn new(msroots: impl AsRef<[u8]>) -> Result<Self, Error> { pub fn new(msroots: impl AsRef<[u8]>) -> Result<Self> {
Ok(MsRoots(msroots.as_ref().into())) Ok(MsRoots(msroots.as_ref().into()))
} }
/// Read `msroots` file from YubiKey /// Read `msroots` file from YubiKey
pub fn read(yubikey: &mut YubiKey) -> Result<Option<Self>, Error> { pub fn read(yubikey: &mut YubiKey) -> Result<Option<Self>> {
let txn = yubikey.begin_transaction()?; let txn = yubikey.begin_transaction()?;
// allocate first page // allocate first page
@@ -100,14 +104,14 @@ impl MsRoots {
} }
/// Write `msroots` file to YubiKey /// Write `msroots` file to YubiKey
pub fn write(&self, yubikey: &mut YubiKey) -> Result<(), Error> { pub fn write(&self, yubikey: &mut YubiKey) -> Result<()> {
let mut buf = [0u8; CB_OBJ_MAX]; let mut buf = [0u8; CB_OBJ_MAX];
let mut offset: usize; let mut offset: usize;
let mut data_offset: usize = 0; let mut data_offset: usize = 0;
let mut data_chunk: usize; let mut data_chunk: usize;
let data = &self.0; let data = &self.0;
let data_len = data.len(); let data_len = data.len();
let n_objs: usize;
let txn = yubikey.begin_transaction()?; let txn = yubikey.begin_transaction()?;
if data_len == 0 { if data_len == 0 {
@@ -115,7 +119,7 @@ impl MsRoots {
} }
// Calculate number of objects required to store blob // Calculate number of objects required to store blob
n_objs = (data_len / (CB_OBJ_MAX - CB_OBJ_TAG_MAX)) + 1; let n_objs: usize = (data_len / (CB_OBJ_MAX - CB_OBJ_TAG_MAX)) + 1;
if n_objs > 5 { if n_objs > 5 {
return Err(Error::SizeError); return Err(Error::SizeError);
+5
View File
@@ -0,0 +1,5 @@
/// YubiKey OTP Applet Name
pub(crate) const APPLET_NAME: &str = "YubiKey OTP";
/// YubiKey OTP Applet ID. Needed to query serial on YK4.
pub(crate) const APPLET_ID: &[u8] = &[0xa0, 0x00, 0x00, 0x05, 0x27, 0x20, 0x01, 0x01];
+514 -151
View File
@@ -1,11 +1,16 @@
//! PIV cryptographic keys stored in a YubiKey. //! Personal Identity Verification (PIV) cryptographic keys stored in a YubiKey.
//!
//! Support for public-key cryptography using keys stored within the PIV
//! slots of a YubiKey.
//! //!
//! Supported algorithms: //! Supported algorithms:
//! //!
//! - **Encryption**: `RSA1024`, `RSA2048`, `ECCP256`, `ECCP384` //! - **Encryption**:
//! - RSA: `RSA1024`, `RSA2048`
//! - ECC: `ECCP256`, `ECCP384` (NIST curves: P-256, P-384)
//! - **Signatures**: //! - **Signatures**:
//! - RSASSA-PKCS#1v1.5: `RSA1024`, `RSA2048` //! - RSASSA-PKCS#1v1.5: `RSA1024`, `RSA2048`
//! - ECDSA: `ECCP256`, `ECCP384` //! - ECDSA: `ECCP256`, `ECCP384` (NIST curves: P-256, P-384)
// Adapted from yubico-piv-tool: // Adapted from yubico-piv-tool:
// <https://github.com/Yubico/yubico-piv-tool/> // <https://github.com/Yubico/yubico-piv-tool/>
@@ -39,35 +44,41 @@
use crate::{ use crate::{
apdu::{Ins, StatusWords}, apdu::{Ins, StatusWords},
certificate::{self, Certificate}, certificate::{self, Certificate, PublicKeyInfo},
error::Error, consts::CB_OBJ_MAX,
serialization::*, error::{Error, Result},
settings,
yubikey::YubiKey,
ObjectId,
};
use log::debug;
use std::convert::TryFrom;
#[cfg(feature = "untested")]
use crate::CB_OBJ_MAX;
use crate::{
certificate::PublicKeyInfo,
policy::{PinPolicy, TouchPolicy}, policy::{PinPolicy, TouchPolicy},
Buffer, serialization::*,
setting,
yubikey::YubiKey,
Buffer, ObjectId,
}; };
use elliptic_curve::sec1::EncodedPoint as EcPublicKey; use elliptic_curve::sec1::EncodedPoint as EcPublicKey;
use log::{error, warn}; use log::{debug, error, warn};
use p256::NistP256;
use p384::NistP384;
use rsa::{BigUint, RsaPublicKey};
use std::{
fmt::{Display, Formatter},
str::FromStr,
};
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
use num_bigint::traits::ModInverse; use {
#[cfg(feature = "untested")] num_bigint_dig::traits::ModInverse,
use num_integer::Integer; num_integer::Integer,
#[cfg(feature = "untested")] num_traits::{FromPrimitive, One},
use num_traits::{FromPrimitive, One}; };
use rsa::{BigUint, RSAPublicKey};
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
use zeroize::Zeroizing; use zeroize::Zeroizing;
/// PIV Applet Name
pub(crate) const APPLET_NAME: &str = "PIV";
/// PIV Applet ID
pub(crate) const APPLET_ID: &[u8] = &[0xa0, 0x00, 0x00, 0x03, 0x08];
const CB_ECC_POINTP256: usize = 65; const CB_ECC_POINTP256: usize = 65;
const CB_ECC_POINTP384: usize = 97; const CB_ECC_POINTP384: usize = 97;
@@ -83,7 +94,7 @@ const KEYDATA_RSA_EXP: u64 = 65537;
/// Slot identifiers. /// Slot identifiers.
/// <https://developers.yubico.com/PIV/Introduction/Certificate_slots.html> /// <https://developers.yubico.com/PIV/Introduction/Certificate_slots.html>
#[derive(Clone, Copy, Debug, PartialEq)] #[derive(Clone, Copy, Debug, Eq, Hash, PartialEq, Ord, PartialOrd)]
pub enum SlotId { pub enum SlotId {
/// This certificate and its associated private key is used to authenticate the card /// This certificate and its associated private key is used to authenticate the card
/// and the cardholder. This slot is used for things like system login. The end user /// and the cardholder. This slot is used for things like system login. The end user
@@ -121,19 +132,24 @@ pub enum SlotId {
/// attestation of other keys generated on device with instruction `f9`. This slot is /// attestation of other keys generated on device with instruction `f9`. This slot is
/// not cleared on reset, but can be overwritten. /// not cleared on reset, but can be overwritten.
Attestation, Attestation,
/// Thse slots are used for management. PIN PUK and Management Key.
Management(ManagementSlotId),
} }
impl TryFrom<u8> for SlotId { impl TryFrom<u8> for SlotId {
type Error = Error; type Error = Error;
fn try_from(value: u8) -> Result<Self, Self::Error> { fn try_from(value: u8) -> Result<Self> {
match value { match value {
0x9a => Ok(SlotId::Authentication), 0x9a => Ok(SlotId::Authentication),
0x9c => Ok(SlotId::Signature), 0x9c => Ok(SlotId::Signature),
0x9d => Ok(SlotId::KeyManagement), 0x9d => Ok(SlotId::KeyManagement),
0x9e => Ok(SlotId::CardAuthentication), 0x9e => Ok(SlotId::CardAuthentication),
0xf9 => Ok(SlotId::Attestation), 0xf9 => Ok(SlotId::Attestation),
_ => RetiredSlotId::try_from(value).map(SlotId::Retired), _ => RetiredSlotId::try_from(value)
.map(SlotId::Retired)
.or_else(|_| ManagementSlotId::try_from(value).map(SlotId::Management)),
} }
} }
} }
@@ -147,21 +163,35 @@ impl From<SlotId> for u8 {
SlotId::CardAuthentication => 0x9e, SlotId::CardAuthentication => 0x9e,
SlotId::Retired(retired) => retired.into(), SlotId::Retired(retired) => retired.into(),
SlotId::Attestation => 0xf9, SlotId::Attestation => 0xf9,
SlotId::Management(mgmt) => mgmt.into(),
} }
} }
} }
impl TryFrom<String> for SlotId { impl Display for SlotId {
type Error = Error; fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
match self {
SlotId::Management(r) => write!(f, "{:?}", r),
SlotId::Retired(r) => write!(f, "{:?}", r),
_ => write!(f, "{:?}", self),
}
}
}
fn try_from(s: String) -> Result<SlotId, Error> { impl FromStr for SlotId {
match s.as_ref() { type Err = Error;
fn from_str(s: &str) -> Result<SlotId> {
match s {
"9a" => Ok(SlotId::Authentication), "9a" => Ok(SlotId::Authentication),
"9c" => Ok(SlotId::Signature), "9c" => Ok(SlotId::Signature),
"9d" => Ok(SlotId::KeyManagement), "9d" => Ok(SlotId::KeyManagement),
"9e" => Ok(SlotId::CardAuthentication), "9e" => Ok(SlotId::CardAuthentication),
"f9" => Ok(SlotId::Attestation), "f9" => Ok(SlotId::Attestation),
_ => RetiredSlotId::try_from(s).map(SlotId::Retired), _ => s
.parse()
.map(SlotId::Management)
.or_else(|_| s.parse().map(SlotId::Retired)),
} }
} }
} }
@@ -175,6 +205,7 @@ impl SlotId {
SlotId::KeyManagement => 0x005f_c10b, SlotId::KeyManagement => 0x005f_c10b,
SlotId::CardAuthentication => 0x005f_c101, SlotId::CardAuthentication => 0x005f_c101,
SlotId::Retired(retired) => retired.object_id(), SlotId::Retired(retired) => retired.object_id(),
SlotId::Management(mgmt) => mgmt.object_id(),
SlotId::Attestation => 0x005f_ff01, SlotId::Attestation => 0x005f_ff01,
} }
} }
@@ -182,7 +213,7 @@ impl SlotId {
/// Retired slot IDs. /// Retired slot IDs.
#[allow(missing_docs)] #[allow(missing_docs)]
#[derive(Clone, Copy, Debug, PartialEq)] #[derive(Clone, Copy, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
pub enum RetiredSlotId { pub enum RetiredSlotId {
R1, R1,
R2, R2,
@@ -209,7 +240,7 @@ pub enum RetiredSlotId {
impl TryFrom<u8> for RetiredSlotId { impl TryFrom<u8> for RetiredSlotId {
type Error = Error; type Error = Error;
fn try_from(value: u8) -> Result<Self, Self::Error> { fn try_from(value: u8) -> Result<Self> {
match value { match value {
0x82 => Ok(RetiredSlotId::R1), 0x82 => Ok(RetiredSlotId::R1),
0x83 => Ok(RetiredSlotId::R2), 0x83 => Ok(RetiredSlotId::R2),
@@ -236,11 +267,11 @@ impl TryFrom<u8> for RetiredSlotId {
} }
} }
impl TryFrom<String> for RetiredSlotId { impl FromStr for RetiredSlotId {
type Error = Error; type Err = Error;
fn try_from(value: String) -> Result<Self, Self::Error> { fn from_str(value: &str) -> Result<Self> {
match value.as_ref() { match value {
"82" => Ok(RetiredSlotId::R1), "82" => Ok(RetiredSlotId::R1),
"83" => Ok(RetiredSlotId::R2), "83" => Ok(RetiredSlotId::R2),
"84" => Ok(RetiredSlotId::R3), "84" => Ok(RetiredSlotId::R3),
@@ -293,6 +324,12 @@ impl From<RetiredSlotId> for u8 {
} }
} }
impl Display for RetiredSlotId {
fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
write!(f, "{:?}", self)
}
}
impl RetiredSlotId { impl RetiredSlotId {
/// Returns the [`ObjectId`] that corresponds to a given [`RetiredSlotId`]. /// Returns the [`ObjectId`] that corresponds to a given [`RetiredSlotId`].
pub(crate) fn object_id(self) -> ObjectId { pub(crate) fn object_id(self) -> ObjectId {
@@ -321,8 +358,90 @@ impl RetiredSlotId {
} }
} }
/// Management slot IDs.
#[derive(Clone, Copy, Debug, Eq, Hash, PartialEq, Ord, PartialOrd)]
pub enum ManagementSlotId {
/// Personal Identification Number (PIN).
Pin,
/// PIN Unblocking Key (PUK).
Puk,
/// Management Key.
Management,
}
impl TryFrom<u8> for ManagementSlotId {
type Error = Error;
fn try_from(value: u8) -> Result<Self> {
match value {
0x80 => Ok(ManagementSlotId::Pin),
0x81 => Ok(ManagementSlotId::Puk),
0x9b => Ok(ManagementSlotId::Management),
_ => Err(Error::InvalidObject),
}
}
}
impl FromStr for ManagementSlotId {
type Err = Error;
fn from_str(value: &str) -> Result<Self> {
match value {
"80" => Ok(ManagementSlotId::Pin),
"81" => Ok(ManagementSlotId::Puk),
"9b" => Ok(ManagementSlotId::Management),
_ => Err(Error::InvalidObject),
}
}
}
impl From<ManagementSlotId> for u8 {
fn from(slot: ManagementSlotId) -> u8 {
match slot {
ManagementSlotId::Pin => 0x80,
ManagementSlotId::Puk => 0x81,
ManagementSlotId::Management => 0x9b,
}
}
}
impl Display for ManagementSlotId {
fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
write!(f, "{:?}", self)
}
}
impl ManagementSlotId {
/// Returns the [`ObjectId`] that corresponds to a given [`ManagementSlotId`].
///
/// These correspond to the "BER-TLV Tag" values from Table 3 of [NIST SP 800-73-4]:
/// "Object Identifiers of the PIV Data Objects for Interoperable Use".
///
/// [NIST SP 800-73-4]: https://csrc.nist.gov/publications/detail/sp/800-73/4/final
pub(crate) fn object_id(self) -> ObjectId {
match self {
// Data Object: "X.509 Certificate for Key Management"
// OID: 2.16.840.1.101.3.7.2.1.2
// BER-TLV Tag: '5FC10B'
ManagementSlotId::Pin => 0x005f_c10b,
// Data Object: "Key History Object"
// OID: 2.16.840.1.101.3.7.2.96.96
// BER-TLV Tag: '5FC10C'
ManagementSlotId::Puk => 0x005f_c10c,
// Data Object: "Retired X.509 Certificate for Key Management 3"
// OID: 2.16.840.1.101.3.7.2.16.3
// BER-TLV Tag: '5FC10F'
ManagementSlotId::Management => 0x005f_c10f,
}
}
}
/// Personal Identity Verification (PIV) key slots /// Personal Identity Verification (PIV) key slots
pub const SLOTS: [SlotId; 24] = [ pub const SLOTS: [SlotId; 27] = [
SlotId::Authentication, SlotId::Authentication,
SlotId::Signature, SlotId::Signature,
SlotId::KeyManagement, SlotId::KeyManagement,
@@ -347,6 +466,9 @@ pub const SLOTS: [SlotId; 24] = [
SlotId::Retired(RetiredSlotId::R19), SlotId::Retired(RetiredSlotId::R19),
SlotId::Retired(RetiredSlotId::R20), SlotId::Retired(RetiredSlotId::R20),
SlotId::CardAuthentication, SlotId::CardAuthentication,
SlotId::Management(ManagementSlotId::Pin),
SlotId::Management(ManagementSlotId::Puk),
SlotId::Management(ManagementSlotId::Management),
]; ];
/// Algorithm identifiers /// Algorithm identifiers
@@ -354,10 +476,13 @@ pub const SLOTS: [SlotId; 24] = [
pub enum AlgorithmId { pub enum AlgorithmId {
/// 1024-bit RSA. /// 1024-bit RSA.
Rsa1024, Rsa1024,
/// 2048-bit RSA. /// 2048-bit RSA.
Rsa2048, Rsa2048,
/// ECDSA with the NIST P256 curve. /// ECDSA with the NIST P256 curve.
EccP256, EccP256,
/// ECDSA with the NIST P384 curve. /// ECDSA with the NIST P384 curve.
EccP384, EccP384,
} }
@@ -365,7 +490,7 @@ pub enum AlgorithmId {
impl TryFrom<u8> for AlgorithmId { impl TryFrom<u8> for AlgorithmId {
type Error = Error; type Error = Error;
fn try_from(value: u8) -> Result<Self, Self::Error> { fn try_from(value: u8) -> Result<Self> {
match value { match value {
0x06 => Ok(AlgorithmId::Rsa1024), 0x06 => Ok(AlgorithmId::Rsa1024),
0x07 => Ok(AlgorithmId::Rsa2048), 0x07 => Ok(AlgorithmId::Rsa2048),
@@ -389,11 +514,12 @@ impl From<AlgorithmId> for u8 {
impl AlgorithmId { impl AlgorithmId {
/// Writes the `AlgorithmId` in the format the YubiKey expects during key generation. /// Writes the `AlgorithmId` in the format the YubiKey expects during key generation.
pub(crate) fn write(self, buf: &mut [u8]) -> Result<usize, Error> { pub(crate) fn write(self, buf: &mut [u8]) -> Result<usize> {
Tlv::write(buf, 0x80, &[self.into()]) Tlv::write(buf, 0x80, &[self.into()])
} }
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
fn get_elem_len(self) -> usize { fn get_elem_len(self) -> usize {
match self { match self {
AlgorithmId::Rsa1024 => 64, AlgorithmId::Rsa1024 => 64,
@@ -404,6 +530,7 @@ impl AlgorithmId {
} }
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
fn get_param_tag(self) -> u8 { fn get_param_tag(self) -> u8 {
match self { match self {
AlgorithmId::Rsa1024 | AlgorithmId::Rsa2048 => 0x01, AlgorithmId::Rsa1024 | AlgorithmId::Rsa2048 => 0x01,
@@ -424,7 +551,7 @@ pub struct Key {
impl Key { impl Key {
/// List Personal Identity Verification (PIV) keys stored in a YubiKey /// List Personal Identity Verification (PIV) keys stored in a YubiKey
pub fn list(yubikey: &mut YubiKey) -> Result<Vec<Self>, Error> { pub fn list(yubikey: &mut YubiKey) -> Result<Vec<Self>> {
let mut keys = vec![]; let mut keys = vec![];
let txn = yubikey.begin_transaction()?; let txn = yubikey.begin_transaction()?;
@@ -438,8 +565,11 @@ impl Key {
}; };
if !buf.is_empty() { if !buf.is_empty() {
let cert = Certificate::from_bytes(buf)?; match Certificate::from_bytes(buf) {
keys.push(Key { slot, cert }); Ok(cert) => keys.push(Key { slot, cert }),
Err(Error::InvalidObject) => {} // skip slots we can't parse (e.g. Ed25519)
Err(other) => return Err(other),
}
} }
} }
@@ -457,15 +587,14 @@ impl Key {
} }
} }
/// Generate key /// Generate new key.
#[allow(clippy::cognitive_complexity)]
pub fn generate( pub fn generate(
yubikey: &mut YubiKey, yubikey: &mut YubiKey,
slot: SlotId, slot: SlotId,
algorithm: AlgorithmId, algorithm: AlgorithmId,
pin_policy: PinPolicy, pin_policy: PinPolicy,
touch_policy: TouchPolicy, touch_policy: TouchPolicy,
) -> Result<PublicKeyInfo, Error> { ) -> Result<PublicKeyInfo> {
// Keygen messages // Keygen messages
// TODO(tarcieri): extract these into an I18N-handling type? // TODO(tarcieri): extract these into an I18N-handling type?
const SZ_SETTING_ROCA: &str = "Enable_Unsafe_Keygen_ROCA"; const SZ_SETTING_ROCA: &str = "Enable_Unsafe_Keygen_ROCA";
@@ -477,7 +606,7 @@ pub fn generate(
const SZ_ROCA_BLOCK_ADMIN: &str = "was blocked due to an administrator configuration setting."; const SZ_ROCA_BLOCK_ADMIN: &str = "was blocked due to an administrator configuration setting.";
const SZ_ROCA_DEFAULT: &str = "was permitted by default, but is not recommended. The default behavior will change in a future Yubico release."; const SZ_ROCA_DEFAULT: &str = "was permitted by default, but is not recommended. The default behavior will change in a future Yubico release.";
let setting_roca: settings::BoolValue; let setting_roca: setting::Setting;
match algorithm { match algorithm {
AlgorithmId::Rsa1024 | AlgorithmId::Rsa2048 => { AlgorithmId::Rsa1024 | AlgorithmId::Rsa2048 => {
@@ -485,17 +614,17 @@ pub fn generate(
&& (yubikey.version.minor < 3 && (yubikey.version.minor < 3
|| yubikey.version.minor == 3 && (yubikey.version.patch < 5)) || yubikey.version.minor == 3 && (yubikey.version.patch < 5))
{ {
setting_roca = settings::BoolValue::get(SZ_SETTING_ROCA, true); setting_roca = setting::Setting::get(SZ_SETTING_ROCA, true);
let psz_msg = match setting_roca.source { let psz_msg = match setting_roca.source {
settings::Source::User => { setting::SettingSource::User => {
if setting_roca.value { if setting_roca.value {
SZ_ROCA_ALLOW_USER SZ_ROCA_ALLOW_USER
} else { } else {
SZ_ROCA_BLOCK_USER SZ_ROCA_BLOCK_USER
} }
} }
settings::Source::Admin => { setting::SettingSource::Admin => {
if setting_roca.value { if setting_roca.value {
SZ_ROCA_ALLOW_ADMIN SZ_ROCA_ALLOW_ADMIN
} else { } else {
@@ -570,100 +699,12 @@ pub fn generate(
} }
} }
// TODO(str4d): Response is wrapped in an ASN.1 TLV: let value = response.data();
// read_public_key(algorithm, value, true)
// 0x7f 0x49 -> Application | Constructed | 0x49
match algorithm {
AlgorithmId::Rsa1024 | AlgorithmId::Rsa2048 => {
// It appears that the inner application-specific value returned by the
// YubiKey is constructed such that RSA pubkeys can be parsed in two ways:
//
// - Use a full ASN.1 parser on the entire datastructure:
//
// RSA 1024:
// [127, 73, 129, 136, 129, 129, 128, [ 128 octets ], 130, 3, 1, 0, 1]
// | tag | len:136 |0x81| len:128 | modulus |0x82|len3| exp |
//
// RSA 2048:
// [127, 73, 130, 1, 9, 129, 130, 1, 0, [ 256 octets ], 130, 3, 1, 0, 1]
// | tag | len:265 |0x81| len:256 | modulus |0x82|len3| exp |
//
// - Skip the first 5 bytes and use crate::serialize::get_length during TLV
// parsing (which treats 128 as a single-byte definite length instead of an
// indefinite length):
//
// RSA 1024:
// [127, 73, 129, 136, 129, 129, 128, [ 128 octets ], 130, 3, 1, 0, 1]
// | |0x81|len128| modulus |0x82|len3| exp |
//
// RSA 2048:
// [127, 73, 130, 1, 9, 129, 130, 1, 0, [ 256 octets ], 130, 3, 1, 0, 1]
// | |0x81| len:256 | modulus |0x82|len3| exp |
//
// Because of the above, treat this for now as a 2-byte ASN.1 tag with a
// 3-byte length.
let data = &response.data()[5..];
let (data, modulus_tlv) = Tlv::parse(data)?;
if modulus_tlv.tag != TAG_RSA_MODULUS {
error!("Failed to parse public key structure (modulus)");
return Err(Error::ParseError);
}
let modulus = modulus_tlv.value.to_vec();
let (_, exp_tlv) = Tlv::parse(data)?;
if exp_tlv.tag != TAG_RSA_EXP {
error!("failed to parse public key structure (public exponent)");
return Err(Error::ParseError);
}
let exp = exp_tlv.value.to_vec();
Ok(PublicKeyInfo::Rsa {
algorithm,
pubkey: RSAPublicKey::new(
BigUint::from_bytes_be(&modulus),
BigUint::from_bytes_be(&exp),
)
.map_err(|_| Error::InvalidObject)?,
})
}
AlgorithmId::EccP256 | AlgorithmId::EccP384 => {
// 2-byte ASN.1 tag, 1-byte length (because all supported EC pubkey lengths
// are shorter than 128 bytes, fitting into a definite short ASN.1 length).
let data = &response.data()[3..];
let len = if let AlgorithmId::EccP256 = algorithm {
CB_ECC_POINTP256
} else {
CB_ECC_POINTP384
};
let (_, tlv) = Tlv::parse(data)?;
if tlv.tag != TAG_ECC_POINT {
error!("failed to parse public key structure");
return Err(Error::ParseError);
}
// the curve point should always be determined by the curve
if tlv.value.len() != len {
error!("unexpected length");
return Err(Error::AlgorithmError);
}
let point = tlv.value.to_vec();
if let AlgorithmId::EccP256 = algorithm {
EcPublicKey::from_bytes(point).map(PublicKeyInfo::EcP256)
} else {
EcPublicKey::from_bytes(point).map(PublicKeyInfo::EcP384)
}
.map_err(|_| Error::InvalidObject)
}
}
} }
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
fn write_key( fn write_key(
yubikey: &mut YubiKey, yubikey: &mut YubiKey,
slot: SlotId, slot: SlotId,
@@ -671,7 +712,7 @@ fn write_key(
pin_policy: PinPolicy, pin_policy: PinPolicy,
touch_policy: TouchPolicy, touch_policy: TouchPolicy,
algorithm: AlgorithmId, algorithm: AlgorithmId,
) -> Result<(), Error> { ) -> Result<()> {
let mut key_data = Buffer::new(vec![0u8; KEYDATA_LEN]); let mut key_data = Buffer::new(vec![0u8; KEYDATA_LEN]);
let templ = [0, Ins::ImportKey.code(), algorithm.into(), slot.into()]; let templ = [0, Ins::ImportKey.code(), algorithm.into(), slot.into()];
let mut offset = 0; let mut offset = 0;
@@ -712,6 +753,7 @@ fn write_key(
/// The key data that makes up an RSA key. /// The key data that makes up an RSA key.
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub struct RsaKeyData { pub struct RsaKeyData {
/// The secret prime `p`. /// The secret prime `p`.
p: Buffer, p: Buffer,
@@ -773,6 +815,7 @@ impl RsaKeyData {
/// ///
/// Errors if `algorithm` isn't `AlgorithmId::Rsa1024` or `AlgorithmId::Rsa2048`. /// Errors if `algorithm` isn't `AlgorithmId::Rsa1024` or `AlgorithmId::Rsa2048`.
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub fn import_rsa_key( pub fn import_rsa_key(
yubikey: &mut YubiKey, yubikey: &mut YubiKey,
slot: SlotId, slot: SlotId,
@@ -780,7 +823,7 @@ pub fn import_rsa_key(
key_data: RsaKeyData, key_data: RsaKeyData,
touch_policy: TouchPolicy, touch_policy: TouchPolicy,
pin_policy: PinPolicy, pin_policy: PinPolicy,
) -> Result<(), Error> { ) -> Result<()> {
match algorithm { match algorithm {
AlgorithmId::Rsa1024 | AlgorithmId::Rsa2048 => (), AlgorithmId::Rsa1024 | AlgorithmId::Rsa2048 => (),
_ => return Err(Error::AlgorithmError), _ => return Err(Error::AlgorithmError),
@@ -807,6 +850,7 @@ pub fn import_rsa_key(
/// ///
/// Errors if `algorithm` isn't `AlgorithmId::EccP256` or ` AlgorithmId::EccP384`. /// Errors if `algorithm` isn't `AlgorithmId::EccP256` or ` AlgorithmId::EccP384`.
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub fn import_ecc_key( pub fn import_ecc_key(
yubikey: &mut YubiKey, yubikey: &mut YubiKey,
slot: SlotId, slot: SlotId,
@@ -814,7 +858,7 @@ pub fn import_ecc_key(
key_data: &[u8], key_data: &[u8],
touch_policy: TouchPolicy, touch_policy: TouchPolicy,
pin_policy: PinPolicy, pin_policy: PinPolicy,
) -> Result<(), Error> { ) -> Result<()> {
match algorithm { match algorithm {
AlgorithmId::EccP256 | AlgorithmId::EccP384 => (), AlgorithmId::EccP256 | AlgorithmId::EccP384 => (),
_ => return Err(Error::AlgorithmError), _ => return Err(Error::AlgorithmError),
@@ -832,9 +876,11 @@ pub fn import_ecc_key(
} }
/// Generate an attestation certificate for a stored key. /// Generate an attestation certificate for a stored key.
///
/// <https://developers.yubico.com/PIV/Introduction/PIV_attestation.html> /// <https://developers.yubico.com/PIV/Introduction/PIV_attestation.html>
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
pub fn attest(yubikey: &mut YubiKey, key: SlotId) -> Result<Buffer, Error> { #[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub fn attest(yubikey: &mut YubiKey, key: SlotId) -> Result<Buffer> {
let templ = [0, Ins::Attest.code(), key.into(), 0]; let templ = [0, Ins::Attest.code(), key.into(), 0];
let txn = yubikey.begin_transaction()?; let txn = yubikey.begin_transaction()?;
let response = txn.transfer_data(&templ, &[], CB_OBJ_MAX)?; let response = txn.transfer_data(&templ, &[], CB_OBJ_MAX)?;
@@ -854,29 +900,346 @@ pub fn attest(yubikey: &mut YubiKey, key: SlotId) -> Result<Buffer, Error> {
Ok(Buffer::new(response.data().into())) Ok(Buffer::new(response.data().into()))
} }
/// Sign data using a PIV key /// Sign data using a PIV key.
pub fn sign_data( pub fn sign_data(
yubikey: &mut YubiKey, yubikey: &mut YubiKey,
raw_in: &[u8], raw_in: &[u8],
algorithm: AlgorithmId, algorithm: AlgorithmId,
key: SlotId, key: SlotId,
) -> Result<Buffer, Error> { ) -> Result<Buffer> {
let txn = yubikey.begin_transaction()?; let txn = yubikey.begin_transaction()?;
// don't attempt to reselect in crypt operations to avoid problems with PIN_ALWAYS // don't attempt to reselect in crypt operations to avoid problems with PIN_ALWAYS
txn.authenticated_command(raw_in, algorithm, key, false) txn.authenticated_command(raw_in, algorithm, key, false)
} }
/// Decrypt data using a PIV key /// Decrypt data using a PIV key.
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub fn decrypt_data( pub fn decrypt_data(
yubikey: &mut YubiKey, yubikey: &mut YubiKey,
input: &[u8], input: &[u8],
algorithm: AlgorithmId, algorithm: AlgorithmId,
key: SlotId, key: SlotId,
) -> Result<Buffer, Error> { ) -> Result<Buffer> {
let txn = yubikey.begin_transaction()?; let txn = yubikey.begin_transaction()?;
// don't attempt to reselect in crypt operations to avoid problems with PIN_ALWAYS // don't attempt to reselect in crypt operations to avoid problems with PIN_ALWAYS
txn.authenticated_command(input, algorithm, key, true) txn.authenticated_command(input, algorithm, key, true)
} }
/// Read metadata
pub fn metadata(yubikey: &mut YubiKey, slot: SlotId) -> Result<SlotMetadata> {
let txn = yubikey.begin_transaction()?;
let templ = [0, Ins::GetMetadata.code(), 0, slot.into()];
let response = txn.transfer_data(&templ, &[], CB_OBJ_MAX)?;
if !response.is_success() {
if response.status_words() == StatusWords::NotSupportedError {
return Err(Error::NotSupported); // Requires firmware 5.2.3
} else {
return Err(Error::GenericError);
}
}
let buf = Buffer::new(response.data().into());
SlotMetadata::try_from(buf)
}
/// Metadata from a slot
#[derive(Debug)]
pub struct SlotMetadata {
/// Algorithm / Type of key
pub algorithm: ManagementAlgorithmId,
/// PIN and touch policy
pub policy: Option<(PinPolicy, TouchPolicy)>,
/// Imported or generated key
pub origin: Option<Origin>,
/// Pub key of the key
pub public: Option<PublicKeyInfo>,
/// Whether PIN PUK and management key are default
pub default: Option<bool>,
/// Number of retries left
pub retries: Option<Retries>,
}
impl TryFrom<Buffer> for SlotMetadata {
type Error = Error;
fn try_from(buf: Buffer) -> Result<Self> {
use nom::{
combinator::{eof, map_res},
multi::fold_many1,
number::complete::u8,
};
let out = fold_many1(
|input| Tlv::parse(input).map_err(|_| nom::Err::Error(())),
|| {
Ok(SlotMetadata {
algorithm: ManagementAlgorithmId::PinPuk,
policy: None,
origin: None,
public: None,
default: None,
retries: None,
})
},
|acc: Result<SlotMetadata>, tlv| match acc {
Ok(mut metadata) => match tlv.tag {
1 => {
metadata.algorithm = ManagementAlgorithmId::try_from(tlv.value[0])?;
Ok(metadata)
}
2 => {
fn policy_parser(
i: &[u8],
) -> nom::IResult<&[u8], (PinPolicy, TouchPolicy)> {
let (i, pin) = map_res(u8, PinPolicy::try_from)(i)?;
let (i, touch) = map_res(u8, TouchPolicy::try_from)(i)?;
let (i, _) = eof(i)?;
Ok((i, (pin, touch)))
}
metadata.policy =
Some(policy_parser(tlv.value).map_err(|_| Error::ParseError)?.1);
Ok(metadata)
}
3 => {
fn origin_parser(i: &[u8]) -> nom::IResult<&[u8], Origin> {
let (i, origin) = map_res(u8, Origin::try_from)(i)?;
let (i, _) = eof(i)?;
Ok((i, origin))
}
metadata.origin =
Some(origin_parser(tlv.value).map_err(|_| Error::ParseError)?.1);
Ok(metadata)
}
4 => {
match metadata.algorithm {
ManagementAlgorithmId::Asymmetric(alg) => {
metadata.public = Some(read_public_key(alg, tlv.value, false)?);
}
_ => Err(Error::ParseError)?,
}
Ok(metadata)
}
5 => {
fn default_parser(i: &[u8]) -> nom::IResult<&[u8], bool> {
let (i, default) = u8(i)?;
let (i, _) = eof(i)?;
Ok((i, default == 1))
}
metadata.default =
Some(default_parser(tlv.value).map_err(|_| Error::ParseError)?.1);
Ok(metadata)
}
6 => {
fn retries_parser(i: &[u8]) -> nom::IResult<&[u8], Retries> {
let (i, retry_count) = u8(i)?;
let (i, remaining_count) = u8(i)?;
let (i, _) = eof(i)?;
Ok((
i,
Retries {
retry_count,
remaining_count,
},
))
}
metadata.retries =
Some(retries_parser(tlv.value).map_err(|_| Error::ParseError)?.1);
Ok(metadata)
}
_unsupported => {
// New unsupported tags
// https://docs.yubico.com/yesdk/users-manual/application-piv/apdu/metadata.html
Ok(metadata)
}
},
err => err,
},
)(buf.as_ref());
match out {
Ok((_, res)) => res,
_ => Err(Error::ParseError),
}
}
}
/// The number of retries used and remaining.
#[derive(Debug, PartialEq, Eq)]
pub struct Retries {
/// TODO
pub retry_count: u8,
/// Remaining attempts
pub remaining_count: u8,
}
/// Origin of a slot
#[derive(Debug, PartialEq, Eq, Copy, Clone)]
pub enum Origin {
/// The key has been imported
Imported,
/// The key has been generated on the YubiKey
Generated,
}
impl TryFrom<u8> for Origin {
type Error = Error;
fn try_from(value: u8) -> Result<Self> {
match value {
1 => Ok(Origin::Generated),
2 => Ok(Origin::Imported),
_ => Err(Error::GenericError),
}
}
}
fn read_public_key(
algorithm: AlgorithmId,
input: &[u8],
skip_asn1_tag: bool,
) -> Result<PublicKeyInfo> {
// TODO(str4d): Response is wrapped in an ASN.1 TLV:
//
// 0x7f 0x49 -> Application | Constructed | 0x49
match algorithm {
AlgorithmId::Rsa1024 | AlgorithmId::Rsa2048 => {
// It appears that the inner application-specific value returned by the
// YubiKey is constructed such that RSA pubkeys can be parsed in two ways:
//
// - Use a full ASN.1 parser on the entire datastructure:
//
// RSA 1024:
// [127, 73, 129, 136, 129, 129, 128, [ 128 octets ], 130, 3, 1, 0, 1]
// | tag | len:136 |0x81| len:128 | modulus |0x82|len3| exp |
//
// RSA 2048:
// [127, 73, 130, 1, 9, 129, 130, 1, 0, [ 256 octets ], 130, 3, 1, 0, 1]
// | tag | len:265 |0x81| len:256 | modulus |0x82|len3| exp |
//
// - Skip the first 5 bytes and use crate::serialize::get_length during TLV
// parsing (which treats 128 as a single-byte definite length instead of an
// indefinite length):
//
// RSA 1024:
// [127, 73, 129, 136, 129, 129, 128, [ 128 octets ], 130, 3, 1, 0, 1]
// | |0x81|len128| modulus |0x82|len3| exp |
//
// RSA 2048:
// [127, 73, 130, 1, 9, 129, 130, 1, 0, [ 256 octets ], 130, 3, 1, 0, 1]
// | |0x81| len:256 | modulus |0x82|len3| exp |
//
// Because of the above, treat this for now as a 2-byte ASN.1 tag with a
// 3-byte length.
let data = if skip_asn1_tag { &input[5..] } else { input };
let (data, modulus_tlv) = Tlv::parse(data)?;
if modulus_tlv.tag != TAG_RSA_MODULUS {
error!("Failed to parse public key structure (modulus)");
return Err(Error::ParseError);
}
let modulus = modulus_tlv.value.to_vec();
let (_, exp_tlv) = Tlv::parse(data)?;
if exp_tlv.tag != TAG_RSA_EXP {
error!("failed to parse public key structure (public exponent)");
return Err(Error::ParseError);
}
let exp = exp_tlv.value.to_vec();
Ok(PublicKeyInfo::Rsa {
algorithm,
pubkey: RsaPublicKey::new(
BigUint::from_bytes_be(&modulus),
BigUint::from_bytes_be(&exp),
)
.map_err(|_| Error::InvalidObject)?,
})
}
AlgorithmId::EccP256 | AlgorithmId::EccP384 => {
// 2-byte ASN.1 tag, 1-byte length (because all supported EC pubkey lengths
// are shorter than 128 bytes, fitting into a definite short ASN.1 length).
let data = if skip_asn1_tag { &input[3..] } else { input };
let len = if let AlgorithmId::EccP256 = algorithm {
CB_ECC_POINTP256
} else {
CB_ECC_POINTP384
};
let (_, tlv) = Tlv::parse(data)?;
if tlv.tag != TAG_ECC_POINT {
error!("failed to parse public key structure");
return Err(Error::ParseError);
}
// the curve point should always be determined by the curve
if tlv.value.len() != len {
error!("unexpected length");
return Err(Error::AlgorithmError);
}
let point = tlv.value.to_vec();
match algorithm {
AlgorithmId::EccP256 => {
EcPublicKey::<NistP256>::from_bytes(point).map(PublicKeyInfo::EcP256)
}
AlgorithmId::EccP384 => {
EcPublicKey::<NistP384>::from_bytes(point).map(PublicKeyInfo::EcP384)
}
_ => return Err(Error::AlgorithmError),
}
.map_err(|_| Error::InvalidObject)
}
}
}
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
/// Algorithms as reported by the metadata command.
pub enum ManagementAlgorithmId {
/// Used on PIN and PUK slots.
PinPuk,
/// Used on the key management slot.
ThreeDes,
/// Used on all other slots.
Asymmetric(AlgorithmId),
}
impl TryFrom<u8> for ManagementAlgorithmId {
type Error = Error;
fn try_from(value: u8) -> Result<Self> {
match value {
0xff => Ok(ManagementAlgorithmId::PinPuk),
0x03 => Ok(ManagementAlgorithmId::ThreeDes),
oth => AlgorithmId::try_from(oth).map(ManagementAlgorithmId::Asymmetric),
}
}
}
impl From<ManagementAlgorithmId> for u8 {
fn from(id: ManagementAlgorithmId) -> u8 {
match id {
ManagementAlgorithmId::PinPuk => 0xff,
ManagementAlgorithmId::ThreeDes => 0x03,
ManagementAlgorithmId::Asymmetric(oth) => oth.into(),
}
}
}
+39 -9
View File
@@ -1,11 +1,12 @@
//! Enums representing key policies. //! Enums representing key policies.
use crate::{error::Error, serialization::Tlv}; use crate::{serialization::Tlv, Error, Result};
/// Specifies how often the PIN needs to be entered for access to the credential in a /// Specifies how often the PIN needs to be entered for access to the credential in a
/// given slot. This policy must be set upon key generation or importation, and cannot be /// given slot.
/// changed later. ///
#[derive(Clone, Copy, Debug, PartialEq)] /// This policy must be set when keys are generated or imported, and cannot be changed later.
#[derive(Clone, Copy, Debug, Eq, PartialEq)]
pub enum PinPolicy { pub enum PinPolicy {
/// Use the default PIN policy for the slot. See the slot's documentation for details. /// Use the default PIN policy for the slot. See the slot's documentation for details.
Default, Default,
@@ -34,10 +35,24 @@ impl From<PinPolicy> for u8 {
} }
} }
impl TryFrom<u8> for PinPolicy {
type Error = Error;
fn try_from(value: u8) -> Result<Self> {
match value {
0 => Ok(PinPolicy::Default),
1 => Ok(PinPolicy::Never),
2 => Ok(PinPolicy::Once),
3 => Ok(PinPolicy::Always),
_ => Err(Error::GenericError),
}
}
}
impl PinPolicy { impl PinPolicy {
/// Writes the `PinPolicy` in the format the YubiKey expects during key generation or /// Writes the `PinPolicy` in the format the YubiKey expects during key generation or
/// importation. /// importation.
pub(crate) fn write(self, buf: &mut [u8]) -> Result<usize, Error> { pub(crate) fn write(self, buf: &mut [u8]) -> Result<usize> {
match self { match self {
PinPolicy::Default => Ok(0), PinPolicy::Default => Ok(0),
_ => Tlv::write(buf, 0xaa, &[self.into()]), _ => Tlv::write(buf, 0xaa, &[self.into()]),
@@ -46,9 +61,10 @@ impl PinPolicy {
} }
/// Specifies under what conditions a physical touch on the metal contact is required, in /// Specifies under what conditions a physical touch on the metal contact is required, in
/// addition to the [`PinPolicy`]. This policy must be set upon key generation or /// addition to the [`PinPolicy`].
/// importation, and cannot be changed later. ///
#[derive(Clone, Copy, Debug, PartialEq)] /// This policy must be set when keys are generated or imported, and cannot be changed later.
#[derive(Clone, Copy, Debug, Eq, PartialEq)]
pub enum TouchPolicy { pub enum TouchPolicy {
/// Use the default touch policy for the slot. /// Use the default touch policy for the slot.
Default, Default,
@@ -81,10 +97,24 @@ impl From<TouchPolicy> for u8 {
impl TouchPolicy { impl TouchPolicy {
/// Writes the `TouchPolicy` in the format the YubiKey expects during key generation /// Writes the `TouchPolicy` in the format the YubiKey expects during key generation
/// or importation. /// or importation.
pub(crate) fn write(self, buf: &mut [u8]) -> Result<usize, Error> { pub(crate) fn write(self, buf: &mut [u8]) -> Result<usize> {
match self { match self {
TouchPolicy::Default => Ok(0), TouchPolicy::Default => Ok(0),
_ => Tlv::write(buf, 0xab, &[self.into()]), _ => Tlv::write(buf, 0xab, &[self.into()]),
} }
} }
} }
impl TryFrom<u8> for TouchPolicy {
type Error = Error;
fn try_from(value: u8) -> Result<Self> {
match value {
0 => Ok(TouchPolicy::Default),
1 => Ok(TouchPolicy::Never),
2 => Ok(TouchPolicy::Always),
3 => Ok(TouchPolicy::Cached),
_ => Err(Error::GenericError),
}
}
}
+23 -16
View File
@@ -1,18 +1,18 @@
//! Support for enumerating available readers //! Support for enumerating available PC/SC card readers.
use crate::{error::Error, yubikey::YubiKey}; use crate::{Result, YubiKey};
use std::{ use std::{
borrow::Cow, borrow::Cow,
convert::TryInto,
ffi::CStr, ffi::CStr,
fmt,
sync::{Arc, Mutex}, sync::{Arc, Mutex},
}; };
/// Iterator over connected readers /// Iterator over connected readers
pub type Iter<'ctx> = std::vec::IntoIter<Reader<'ctx>>; pub type Iter<'ctx> = std::vec::IntoIter<Reader<'ctx>>;
/// Enumeration support for available readers /// PC/SC reader context: used to enumerate available PC/SC [`Reader`]s.
pub struct Readers { pub struct Context {
/// PC/SC context /// PC/SC context
ctx: Arc<Mutex<pcsc::Context>>, ctx: Arc<Mutex<pcsc::Context>>,
@@ -20,10 +20,16 @@ pub struct Readers {
reader_names: Vec<u8>, reader_names: Vec<u8>,
} }
impl Readers { impl fmt::Debug for Context {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
f.debug_struct("Context").finish_non_exhaustive()
}
}
impl Context {
/// Open a PC/SC context, which can be used to enumerate available PC/SC /// Open a PC/SC context, which can be used to enumerate available PC/SC
/// readers (which can be used to connect to YubiKeys). /// readers (which can be used to connect to YubiKeys).
pub fn open() -> Result<Self, Error> { pub fn open() -> Result<Self> {
let ctx = pcsc::Context::establish(pcsc::Scope::System)?; let ctx = pcsc::Context::establish(pcsc::Scope::System)?;
let reader_names = vec![0u8; ctx.list_readers_len()?]; let reader_names = vec![0u8; ctx.list_readers_len()?];
Ok(Self { Ok(Self {
@@ -32,8 +38,8 @@ impl Readers {
}) })
} }
/// Iterate over the available readers /// Iterate over the available readers.
pub fn iter(&mut self) -> Result<Iter<'_>, Error> { pub fn iter(&mut self) -> Result<Iter<'_>> {
let Self { ctx, reader_names } = self; let Self { ctx, reader_names } = self;
let reader_cstrs: Vec<_> = { let reader_cstrs: Vec<_> = {
@@ -45,6 +51,7 @@ impl Readers {
c.list_readers(reader_names)?.collect() c.list_readers(reader_names)?.collect()
}; };
#[allow(clippy::needless_collect)]
let readers: Vec<_> = reader_cstrs let readers: Vec<_> = reader_cstrs
.iter() .iter()
.map(|name| Reader::new(name, Arc::clone(ctx))) .map(|name| Reader::new(name, Arc::clone(ctx)))
@@ -54,7 +61,7 @@ impl Readers {
} }
} }
/// An individual connected reader /// An individual connected PC/SC card reader.
pub struct Reader<'ctx> { pub struct Reader<'ctx> {
/// Name of this reader /// Name of this reader
name: &'ctx CStr, name: &'ctx CStr,
@@ -64,25 +71,25 @@ pub struct Reader<'ctx> {
} }
impl<'ctx> Reader<'ctx> { impl<'ctx> Reader<'ctx> {
/// Create a new reader from its name and context /// Create a new reader from its name and context.
fn new(name: &'ctx CStr, ctx: Arc<Mutex<pcsc::Context>>) -> Self { fn new(name: &'ctx CStr, ctx: Arc<Mutex<pcsc::Context>>) -> Self {
// TODO(tarcieri): open devices, determine they're YubiKeys, get serial? // TODO(tarcieri): open devices, determine they're YubiKeys, get serial?
Self { name, ctx } Self { name, ctx }
} }
/// Get this reader's name /// Get this reader's name.
pub fn name(&self) -> Cow<'_, str> { pub fn name(&self) -> Cow<'_, str> {
// TODO(tarcieri): is lossy ok here? try to avoid lossiness? // TODO(tarcieri): is lossy ok here? try to avoid lossiness?
self.name.to_string_lossy() self.name.to_string_lossy()
} }
/// Open a connection to this reader, returning a `YubiKey` if successful /// Open a connection to this reader, returning a `YubiKey` if successful.
pub fn open(&self) -> Result<YubiKey, Error> { pub fn open(&self) -> Result<YubiKey> {
self.try_into() self.try_into()
} }
/// Connect to this reader, returning its `pcsc::Card` /// Connect to this reader, returning its `pcsc::Card`.
pub(crate) fn connect(&self) -> Result<pcsc::Card, Error> { pub(crate) fn connect(&self) -> Result<pcsc::Card> {
let ctx = self.ctx.lock().unwrap(); let ctx = self.ctx.lock().unwrap();
Ok(ctx.connect(self.name, pcsc::ShareMode::Shared, pcsc::Protocols::T1)?) Ok(ctx.connect(self.name, pcsc::ShareMode::Shared, pcsc::Protocols::T1)?)
} }
+12 -9
View File
@@ -30,7 +30,7 @@
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
use crate::{error::Error, Buffer, ObjectId, CB_OBJ_TAG_MIN}; use crate::{consts::CB_OBJ_TAG_MIN, Buffer, Error, ObjectId, Result};
pub const OBJ_DISCOVERY: u32 = 0x7e; pub const OBJ_DISCOVERY: u32 = 0x7e;
@@ -44,24 +44,27 @@ pub(crate) struct Tlv<'a> {
impl<'a> Tlv<'a> { impl<'a> Tlv<'a> {
/// Parses a `Tlv` from a buffer, returning the remainder of the buffer. /// Parses a `Tlv` from a buffer, returning the remainder of the buffer.
pub(crate) fn parse(buffer: &'a [u8]) -> Result<(&'a [u8], Self), Error> { pub(crate) fn parse(buffer: &'a [u8]) -> Result<(&'a [u8], Self)> {
if buffer.len() < CB_OBJ_TAG_MIN || !has_valid_length(&buffer[1..], buffer.len() - 1) { if buffer.len() < CB_OBJ_TAG_MIN || !has_valid_length(&buffer[1..], buffer.len() - 1) {
return Err(Error::SizeError); return Err(Error::SizeError);
} }
let tag = buffer[0]; let tag = buffer[0];
let mut len = 0; let mut len = 0;
let offset = 1 + get_length(&buffer[1..], &mut len); let offset = 1 + get_length(&buffer[1..], &mut len);
let buffer = buffer.get(offset..).ok_or(Error::SizeError)?;
let (value, buffer) = buffer[offset..].split_at(len); if buffer.len() >= len {
let (value, buffer) = buffer.split_at(len);
Ok((buffer, Tlv { tag, value })) Ok((buffer, Tlv { tag, value }))
} else {
Err(Error::SizeError)
}
} }
/// Takes a [`Buffer`] containing a single `Tlv` with the given tag, and returns a /// Takes a [`Buffer`] containing a single `Tlv` with the given tag, and returns a
/// `Buffer` containing only the value part of the `Tlv`. /// `Buffer` containing only the value part of the `Tlv`.
pub(crate) fn parse_single(mut buffer: Buffer, tag: u8) -> Result<Buffer, Error> { pub(crate) fn parse_single(mut buffer: Buffer, tag: u8) -> Result<Buffer> {
if buffer.len() < CB_OBJ_TAG_MIN || !has_valid_length(&buffer[1..], buffer.len() - 1) { if buffer.len() < CB_OBJ_TAG_MIN || !has_valid_length(&buffer[1..], buffer.len() - 1) {
return Err(Error::SizeError); return Err(Error::SizeError);
} }
@@ -79,7 +82,7 @@ impl<'a> Tlv<'a> {
} }
/// Writes a TLV to the given buffer. /// Writes a TLV to the given buffer.
pub(crate) fn write(buffer: &mut [u8], tag: u8, value: &[u8]) -> Result<usize, Error> { pub(crate) fn write(buffer: &mut [u8], tag: u8, value: &[u8]) -> Result<usize> {
if buffer.len() < CB_OBJ_TAG_MIN { if buffer.len() < CB_OBJ_TAG_MIN {
return Err(Error::SizeError); return Err(Error::SizeError);
} }
@@ -103,7 +106,7 @@ impl<'a> Tlv<'a> {
tag: u8, tag: u8,
length: usize, length: usize,
value: Gen, value: Gen,
) -> Result<usize, Error> ) -> Result<usize>
where where
Gen: FnOnce(&mut [u8]), Gen: FnOnce(&mut [u8]),
{ {
@@ -124,7 +127,7 @@ impl<'a> Tlv<'a> {
} }
/// Set length /// Set length
pub(crate) fn set_length(buffer: &mut [u8], length: usize) -> Result<usize, Error> { pub(crate) fn set_length(buffer: &mut [u8], length: usize) -> Result<usize> {
if length < 0x80 { if length < 0x80 {
if buffer.is_empty() { if buffer.is_empty() {
Err(Error::SizeError) Err(Error::SizeError)
+132
View File
@@ -0,0 +1,132 @@
//! Configuration setting values parsed from the environment and config file:
//! `/etc/yubico/yubikeypiv.conf`
// Adapted from yubico-piv-tool:
// <https://github.com/Yubico/yubico-piv-tool/>
//
// Copyright (c) 2014-2016 Yubico AB
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following
// disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
/// Default location of the YubiKey PIV configuration file
pub const DEFAULT_CONFIG_FILE: &str = "/etc/yubico/yubikeypiv.conf";
use std::{
env,
fs::File,
io::{BufRead, BufReader},
};
/// Source of how a setting was configured.
#[derive(Clone, Copy, Debug, Eq, PartialEq)]
pub enum SettingSource {
/// User-specified setting: sourced via `YUBIKEY_PIV_*` environment vars.
User,
/// Admin-specified setting: sourced via the `/etc/yubico/yubikeypiv.conf`
/// configuration file.
Admin,
/// Default setting.
Default,
}
impl Default for SettingSource {
fn default() -> Self {
Self::Default
}
}
/// Setting booleans: configuration values sourced from a file or the environment.
///
/// These can be configured globally in `/etc/yubico/yubikeypiv.conf` by a
/// system administrator, or by the local user via `YUBIKEY_PIV_*` environment
/// variables.
#[derive(Copy, Clone, Debug, Default)]
pub struct Setting {
/// Boolean value
pub value: bool,
/// Source of the configuration setting (user, admin, or default)
pub source: SettingSource,
}
impl Setting {
/// Get a setting by name.
pub fn get(key: &str, default: bool) -> Self {
Self::from_file(key)
.or_else(|| Self::from_env(key))
.unwrap_or(Self {
value: default,
source: SettingSource::Default,
})
}
/// Get a boolean config value from the provided config file
fn from_file(key: &str) -> Option<Self> {
if let Ok(file) = File::open(DEFAULT_CONFIG_FILE) {
for line in BufReader::new(file).lines() {
let line = match line {
Ok(line) => line,
_ => continue,
};
if line.starts_with('#') || line.starts_with('\r') || line.starts_with('\n') {
continue;
}
let (name, value) = {
let mut parts = line.splitn(2, '=');
let name = parts.next();
let value = parts.next();
match (name, value, parts.next()) {
(Some(name), Some(value), None) => (name.trim(), value.trim()),
_ => continue,
}
};
if name == key {
return Some(Setting {
source: SettingSource::Admin,
value: value == "1" || value == "true",
});
}
}
}
None
}
/// Get a setting boolean from an environment variable
fn from_env(key: &str) -> Option<Self> {
env::var(format!("YUBIKEY_PIV_{}", key))
.ok()
.map(|value| Setting {
source: SettingSource::User,
value: value == "1" || value == "true",
})
}
}
-138
View File
@@ -1,138 +0,0 @@
//! Configuration setting values parsed from the environment and config file:
//! `/etc/yubico/yubikeypiv.conf`
// Adapted from yubico-piv-tool:
// <https://github.com/Yubico/yubico-piv-tool/>
//
// Copyright (c) 2014-2016 Yubico AB
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following
// disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
/// Default location of the YubiKey PIV configuration file
pub const DEFAULT_CONFIG_FILE: &str = "/etc/yubico/yubikeypiv.conf";
use std::{
env,
fs::File,
io::{BufRead, BufReader},
};
/// Source of how a setting was configured
#[derive(Clone, Copy, Debug, Eq, PartialEq)]
pub enum Source {
/// User-specified setting
User,
/// Admin-specified setting
Admin,
/// Default setting
Default,
}
/// Setting booleans
#[derive(Copy, Clone, Debug)]
pub struct BoolValue {
/// Boolean value
pub value: bool,
/// Source of the configuration setting (user/admin/default)
pub source: Source,
}
impl BoolValue {
/// Get a [`BoolValue`] value
pub fn get(key: &str, def: bool) -> Self {
let mut setting = get_setting_from_file(key);
if setting.source == Source::Default {
setting = get_setting_from_env(key);
}
if setting.source == Source::Default {
setting.value = def;
}
setting
}
}
/// Get a boolean config value
fn get_setting_from_file(key: &str) -> BoolValue {
let mut setting: BoolValue = BoolValue {
value: false,
source: Source::Default,
};
let file = match File::open(DEFAULT_CONFIG_FILE) {
Ok(f) => f,
Err(_) => return setting,
};
for line in BufReader::new(file).lines() {
let line = match line {
Ok(line) => line,
_ => continue,
};
if line.starts_with('#') || line.starts_with('\r') || line.starts_with('\n') {
continue;
}
let (name, value) = {
let mut parts = line.splitn(1, '=');
let name = parts.next();
let value = parts.next();
match (name, value, parts.next()) {
(Some(name), Some(value), None) => (name.trim(), value.trim()),
_ => continue,
}
};
if name == key {
setting.source = Source::Admin;
setting.value = value == "1" || value == "true";
break;
}
}
setting
}
/// Get a setting boolean from an environment variable
fn get_setting_from_env(key: &str) -> BoolValue {
let mut setting: BoolValue = BoolValue {
value: false,
source: Source::Default,
};
if let Ok(value) = env::var(format!("YUBIKEY_PIV_{}", key)) {
setting.source = Source::User;
setting.value = value == "1" || value == "true";
}
setting
}
+79 -66
View File
@@ -2,15 +2,16 @@
use crate::{ use crate::{
apdu::Response, apdu::Response,
apdu::{Ins, StatusWords, APDU}, apdu::{Apdu, Ins, StatusWords},
error::Error, consts::{CB_BUF_MAX, CB_OBJ_MAX},
key::{AlgorithmId, SlotId}, error::{Error, Result},
otp,
piv::{self, AlgorithmId, SlotId},
serialization::*, serialization::*,
yubikey::*, yubikey::*,
Buffer, ObjectId, CB_BUF_MAX, CB_OBJ_MAX, PIV_AID, YK_AID, Buffer, ObjectId,
}; };
use log::{error, trace}; use log::{error, trace};
use std::convert::TryInto;
use zeroize::Zeroizing; use zeroize::Zeroizing;
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
@@ -32,7 +33,7 @@ pub(crate) struct Transaction<'tx> {
impl<'tx> Transaction<'tx> { impl<'tx> Transaction<'tx> {
/// Create a new transaction with the given card. /// Create a new transaction with the given card.
pub fn new(card: &'tx mut pcsc::Card) -> Result<Self, Error> { pub fn new(card: &'tx mut pcsc::Card) -> Result<Self> {
Ok(Transaction { Ok(Transaction {
inner: card.transaction()?, inner: card.transaction()?,
}) })
@@ -45,7 +46,7 @@ impl<'tx> Transaction<'tx> {
/// single APDU messages at a time. For larger messages that need to be /// single APDU messages at a time. For larger messages that need to be
/// split into multiple APDUs, use the [`Transaction::transfer_data`] /// split into multiple APDUs, use the [`Transaction::transfer_data`]
/// method instead. /// method instead.
pub fn transmit(&self, send_buffer: &[u8], recv_len: usize) -> Result<Vec<u8>, Error> { pub fn transmit(&self, send_buffer: &[u8], recv_len: usize) -> Result<Vec<u8>> {
trace!(">>> {:?}", send_buffer); trace!(">>> {:?}", send_buffer);
let mut recv_buffer = vec![0u8; recv_len]; let mut recv_buffer = vec![0u8; recv_len];
@@ -60,10 +61,10 @@ impl<'tx> Transaction<'tx> {
} }
/// Select application. /// Select application.
pub fn select_application(&self) -> Result<(), Error> { pub fn select_application(&self) -> Result<()> {
let response = APDU::new(Ins::SelectApplication) let response = Apdu::new(Ins::SelectApplication)
.p1(0x04) .p1(0x04)
.data(&PIV_AID) .data(piv::APPLET_ID)
.transmit(self, 0xFF) .transmit(self, 0xFF)
.map_err(|e| { .map_err(|e| {
error!("failed communicating with card: '{}'", e); error!("failed communicating with card: '{}'", e);
@@ -75,16 +76,21 @@ impl<'tx> Transaction<'tx> {
"failed selecting application: {:04x}", "failed selecting application: {:04x}",
response.status_words().code() response.status_words().code()
); );
return Err(Error::GenericError); return Err(match response.status_words() {
StatusWords::NotFoundError => Error::AppletNotFound {
applet_name: piv::APPLET_NAME,
},
_ => Error::GenericError,
});
} }
Ok(()) Ok(())
} }
/// Get the version of the PIV application installed on the YubiKey. /// Get the version of the PIV application installed on the YubiKey.
pub fn get_version(&self) -> Result<Version, Error> { pub fn get_version(&self) -> Result<Version> {
// get version from device // get version from device
let response = APDU::new(Ins::GetVersion).transmit(self, 261)?; let response = Apdu::new(Ins::GetVersion).transmit(self, 261)?;
if !response.is_success() { if !response.is_success() {
return Err(Error::GenericError); return Err(Error::GenericError);
@@ -98,71 +104,84 @@ impl<'tx> Transaction<'tx> {
} }
/// Get YubiKey device serial number. /// Get YubiKey device serial number.
pub fn get_serial(&self, version: Version) -> Result<Serial, Error> { pub fn get_serial(&self, version: Version) -> Result<Serial> {
let response = if version.major < 5 { match version.major {
// YK4 requires switching to the yk applet to retrieve the serial // YK4 requires switching to the YK applet to retrieve the serial
let sw = APDU::new(Ins::SelectApplication) 4 => {
let sw = Apdu::new(Ins::SelectApplication)
.p1(0x04) .p1(0x04)
.data(&YK_AID) .data(otp::APPLET_ID)
.transmit(self, 0xFF)? .transmit(self, 0xFF)?
.status_words(); .status_words();
if !sw.is_success() { if !sw.is_success() {
error!("failed selecting yk application: {:04x}", sw.code()); error!("failed selecting yk application: {:04x}", sw.code());
return Err(Error::GenericError); return Err(match sw {
StatusWords::NotFoundError => Error::AppletNotFound {
applet_name: otp::APPLET_NAME,
},
_ => Error::GenericError,
});
} }
let resp = APDU::new(0x01).p1(0x10).transmit(self, 0xFF)?; let response = Apdu::new(0x01).p1(0x10).transmit(self, 0xFF)?;
if !resp.is_success() { if !response.is_success() {
// TODO(tarcieri): still reselect the PIV applet in this case?
error!( error!(
"failed retrieving serial number: {:04x}", "failed retrieving serial number: {:04x}",
resp.status_words().code() response.status_words().code()
); );
return Err(Error::GenericError); return Err(Error::GenericError);
} }
// reselect the PIV applet // reselect the PIV applet
let sw = APDU::new(Ins::SelectApplication) let sw = Apdu::new(Ins::SelectApplication)
.p1(0x04) .p1(0x04)
.data(&PIV_AID) .data(piv::APPLET_ID)
.transmit(self, 0xFF)? .transmit(self, 0xFF)?
.status_words(); .status_words();
if !sw.is_success() { if !sw.is_success() {
error!("failed selecting application: {:04x}", sw.code()); error!("failed selecting application: {:04x}", sw.code());
return Err(Error::GenericError); return Err(match sw {
StatusWords::NotFoundError => Error::AppletNotFound {
applet_name: piv::APPLET_NAME,
},
_ => Error::GenericError,
});
} }
resp response.data().try_into()
} else { }
// YK5 implements getting the serial as a PIV applet command (0xf8)
let resp = APDU::new(Ins::GetSerial).transmit(self, 0xFF)?;
if !resp.is_success() { // YK5 implements getting the serial as a PIV applet command (0xf8)
5 => {
let response = Apdu::new(Ins::GetSerial).transmit(self, 0xFF)?;
if !response.is_success() {
error!( error!(
"failed retrieving serial number: {:04x}", "failed retrieving serial number: {:04x}",
resp.status_words().code() response.status_words().code()
); );
return Err(Error::GenericError); return Err(Error::GenericError);
} }
resp response.data().try_into()
}; }
response.data()[..4] // Other versions unsupported
.try_into() _ => Err(Error::NotSupported),
.map(|serial| Serial::from(u32::from_be_bytes(serial))) }
.map_err(|_| Error::SizeError)
} }
/// Verify device PIN. /// Verify device PIN.
pub fn verify_pin(&self, pin: &[u8]) -> Result<(), Error> { pub fn verify_pin(&self, pin: &[u8]) -> Result<()> {
if pin.len() > CB_PIN_MAX { if pin.len() > CB_PIN_MAX {
return Err(Error::SizeError); return Err(Error::SizeError);
} }
let mut query = APDU::new(Ins::Verify); let mut query = Apdu::new(Ins::Verify);
query.params(0x00, 0x80); query.params(0x00, 0x80);
// Empty pin means we are querying the number of retries. We set no data in this // Empty pin means we are querying the number of retries. We set no data in this
@@ -191,7 +210,7 @@ impl<'tx> Transaction<'tx> {
action: ChangeRefAction, action: ChangeRefAction,
current_pin: &[u8], current_pin: &[u8],
new_pin: &[u8], new_pin: &[u8],
) -> Result<(), Error> { ) -> Result<()> {
if current_pin.len() > CB_PIN_MAX || new_pin.len() > CB_PIN_MAX { if current_pin.len() > CB_PIN_MAX || new_pin.len() > CB_PIN_MAX {
return Err(Error::SizeError); return Err(Error::SizeError);
} }
@@ -229,7 +248,7 @@ impl<'tx> Transaction<'tx> {
/// Set the management key (MGM). /// Set the management key (MGM).
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
pub fn set_mgm_key(&self, new_key: &MgmKey, require_touch: bool) -> Result<(), Error> { pub fn set_mgm_key(&self, new_key: &MgmKey, require_touch: bool) -> Result<()> {
let p2 = if require_touch { 0xfe } else { 0xff }; let p2 = if require_touch { 0xfe } else { 0xff };
let mut data = [0u8; DES_LEN_3DES + 3]; let mut data = [0u8; DES_LEN_3DES + 3];
@@ -238,9 +257,9 @@ impl<'tx> Transaction<'tx> {
data[2] = DES_LEN_3DES as u8; data[2] = DES_LEN_3DES as u8;
data[3..3 + DES_LEN_3DES].copy_from_slice(new_key.as_ref()); data[3..3 + DES_LEN_3DES].copy_from_slice(new_key.as_ref());
let status_words = APDU::new(Ins::SetMgmKey) let status_words = Apdu::new(Ins::SetMgmKey)
.params(0xff, p2) .params(0xff, p2)
.data(&data) .data(data)
.transmit(self, 261)? .transmit(self, 261)?
.status_words(); .status_words();
@@ -263,7 +282,7 @@ impl<'tx> Transaction<'tx> {
algorithm: AlgorithmId, algorithm: AlgorithmId,
key: SlotId, key: SlotId,
decipher: bool, decipher: bool,
) -> Result<Buffer, Error> { ) -> Result<Buffer> {
let in_len = sign_in.len(); let in_len = sign_in.len();
let mut indata = [0u8; 1024]; let mut indata = [0u8; 1024];
let templ = [0, Ins::Authenticate.code(), algorithm.into(), key.into()]; let templ = [0, Ins::Authenticate.code(), algorithm.into(), key.into()];
@@ -358,12 +377,7 @@ impl<'tx> Transaction<'tx> {
/// messages into smaller APDU-sized messages (using the provided APDU /// messages into smaller APDU-sized messages (using the provided APDU
/// template to construct them), and then sending those via /// template to construct them), and then sending those via
/// [`Transaction::transmit`]. /// [`Transaction::transmit`].
pub fn transfer_data( pub fn transfer_data(&self, templ: &[u8], in_data: &[u8], max_out: usize) -> Result<Response> {
&self,
templ: &[u8],
in_data: &[u8],
max_out: usize,
) -> Result<Response, Error> {
let mut in_offset = 0; let mut in_offset = 0;
let mut out_data = vec![]; let mut out_data = vec![];
let mut sw; let mut sw;
@@ -380,17 +394,18 @@ impl<'tx> Transaction<'tx> {
trace!("going to send {} bytes in this go", this_size); trace!("going to send {} bytes in this go", this_size);
let response = APDU::new(templ[1]) let response = Apdu::new(templ[1])
.cla(cla) .cla(cla)
.params(templ[2], templ[3]) .params(templ[2], templ[3])
.data(&in_data[in_offset..(in_offset + this_size)]) .data(&in_data[in_offset..(in_offset + this_size)])
.transmit(self, 261)?; .transmit(self, 261)?;
sw = response.status_words().code(); sw = response.status_words();
if !response.is_success() && (sw >> 8 != 0x61) { match sw {
StatusWords::Success | StatusWords::BytesRemaining { .. } => (),
// TODO(tarcieri): is this really OK? // TODO(tarcieri): is this really OK?
return Ok(Response::new(sw.into(), out_data)); _ => return Ok(Response::new(sw, out_data)),
} }
if !out_data.is_empty() && (out_data.len() - response.data().len() > max_out) { if !out_data.is_empty() && (out_data.len() - response.data().len() > max_out) {
@@ -411,17 +426,15 @@ impl<'tx> Transaction<'tx> {
} }
} }
while sw >> 8 == 0x61 { while let StatusWords::BytesRemaining { len } = sw {
trace!( trace!("The card indicates there is {} bytes more data for us", len);
"The card indicates there is {} bytes more data for us",
sw & 0xff
);
let response = APDU::new(Ins::GetResponseApdu).transmit(self, 261)?; let response = Apdu::new(Ins::GetResponseApdu).transmit(self, 261)?;
sw = response.status_words().code(); sw = response.status_words();
if sw != StatusWords::Success.code() && (sw >> 8 != 0x61) { match sw {
return Ok(Response::new(sw.into(), vec![])); StatusWords::Success | StatusWords::BytesRemaining { .. } => (),
_ => return Ok(Response::new(sw, vec![])),
} }
if out_data.len() + response.data().len() > max_out { if out_data.len() + response.data().len() > max_out {
@@ -437,11 +450,11 @@ impl<'tx> Transaction<'tx> {
out_data.extend_from_slice(&response.data()[..response.data().len()]); out_data.extend_from_slice(&response.data()[..response.data().len()]);
} }
Ok(Response::new(sw.into(), out_data)) Ok(Response::new(sw, out_data))
} }
/// Fetch an object. /// Fetch an object.
pub fn fetch_object(&self, object_id: ObjectId) -> Result<Buffer, Error> { pub fn fetch_object(&self, object_id: ObjectId) -> Result<Buffer> {
let mut indata = [0u8; 5]; let mut indata = [0u8; 5];
let templ = [0, Ins::GetData.code(), 0x3f, 0xff]; let templ = [0, Ins::GetData.code(), 0x3f, 0xff];
@@ -475,7 +488,7 @@ impl<'tx> Transaction<'tx> {
} }
/// Save an object. /// Save an object.
pub fn save_object(&self, object_id: ObjectId, indata: &[u8]) -> Result<(), Error> { pub fn save_object(&self, object_id: ObjectId, indata: &[u8]) -> Result<()> {
let templ = [0, Ins::PutData.code(), 0x3f, 0xff]; let templ = [0, Ins::PutData.code(), 0x3f, 0xff];
// TODO(tarcieri): replace with vector // TODO(tarcieri): replace with vector
+212 -106
View File
@@ -31,33 +31,37 @@
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
use crate::{ use crate::{
apdu::{Ins, APDU}, apdu::{Apdu, Ins},
cccid::CCC, cccid::CccId,
chuid::CHUID, chuid::ChuId,
config::Config, config::Config,
error::Error, error::{Error, Result},
mgm::MgmKey, mgm::MgmKey,
readers::{Reader, Readers}, piv,
reader::{Context, Reader},
transaction::Transaction, transaction::Transaction,
}; };
use log::{error, info}; use log::{error, info};
use pcsc::Card; use pcsc::{Card, Disposition};
use rand_core::{OsRng, RngCore};
use std::{ use std::{
convert::{TryFrom, TryInto},
fmt::{self, Display}, fmt::{self, Display},
str::FromStr, str::FromStr,
}; };
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
use crate::{ use {
apdu::StatusWords, metadata::AdminData, transaction::ChangeRefAction, Buffer, ObjectId, crate::{
MGMT_AID, TAG_ADMIN_FLAGS_1, TAG_ADMIN_TIMESTAMP, apdu::StatusWords,
consts::{TAG_ADMIN_FLAGS_1, TAG_ADMIN_TIMESTAMP},
metadata::AdminData,
mgm,
transaction::ChangeRefAction,
Buffer, ObjectId,
},
secrecy::ExposeSecret,
std::time::{SystemTime, UNIX_EPOCH},
}; };
use getrandom::getrandom;
#[cfg(feature = "untested")]
use secrecy::ExposeSecret;
#[cfg(feature = "untested")]
use std::time::{SystemTime, UNIX_EPOCH};
/// Flag for PUK blocked /// Flag for PUK blocked
pub(crate) const ADMIN_FLAGS_1_PUK_BLOCKED: u8 = 0x01; pub(crate) const ADMIN_FLAGS_1_PUK_BLOCKED: u8 = 0x01;
@@ -70,10 +74,10 @@ pub(crate) const KEY_CARDMGM: u8 = 0x9b;
const TAG_DYN_AUTH: u8 = 0x7c; const TAG_DYN_AUTH: u8 = 0x7c;
/// Cached YubiKey PIN /// Cached YubiKey PIN.
pub type CachedPin = secrecy::SecretVec<u8>; pub type CachedPin = secrecy::SecretVec<u8>;
/// YubiKey Serial Number /// YubiKey serial number.
#[derive(Copy, Clone, Debug, Eq, PartialEq, PartialOrd, Ord)] #[derive(Copy, Clone, Debug, Eq, PartialEq, PartialOrd, Ord)]
pub struct Serial(pub u32); pub struct Serial(pub u32);
@@ -89,11 +93,25 @@ impl From<Serial> for u32 {
} }
} }
impl TryFrom<&[u8]> for Serial {
type Error = Error;
fn try_from(bytes: &[u8]) -> Result<Self> {
if bytes.len() > 4 {
return Err(Error::SizeError);
}
let mut arr = [0u8; 4];
arr[(4 - bytes.len())..].copy_from_slice(bytes);
Ok(Self(u32::from_be_bytes(arr)))
}
}
impl FromStr for Serial { impl FromStr for Serial {
type Err = Error; type Err = Error;
fn from_str(s: &str) -> Result<Self, Error> { fn from_str(s: &str) -> Result<Self> {
u32::from_str(s).map(Serial).map_err(|_| Error::ParseError) s.parse().map(Serial).map_err(|_| Error::ParseError)
} }
} }
@@ -103,7 +121,7 @@ impl Display for Serial {
} }
} }
/// YubiKey Version /// YubiKey version.
#[derive(Copy, Clone, Debug, Eq, PartialEq)] #[derive(Copy, Clone, Debug, Eq, PartialEq)]
pub struct Version { pub struct Version {
/// Major version component /// Major version component
@@ -133,8 +151,7 @@ impl Display for Version {
} }
} }
/// YubiKey Device: this is the primary API for opening a session and /// YubiKey device: primary API for opening a session and performing various operations.
/// performing various operations.
/// ///
/// Almost all functionality in this library will require an open session /// Almost all functionality in this library will require an open session
/// with a YubiKey which is represented by this type. /// with a YubiKey which is represented by this type.
@@ -148,6 +165,16 @@ pub struct YubiKey {
pub(crate) serial: Serial, pub(crate) serial: Serial,
} }
impl fmt::Debug for YubiKey {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
f.debug_struct("YubiKey")
.field("name", &self.name)
.field("version", &self.version)
.field("serial", &self.serial)
.finish_non_exhaustive()
}
}
impl YubiKey { impl YubiKey {
/// Open a connection to a YubiKey. /// Open a connection to a YubiKey.
/// ///
@@ -155,14 +182,10 @@ impl YubiKey {
/// ///
/// If you need to operate in environments with more than one YubiKey /// If you need to operate in environments with more than one YubiKey
/// attached to the same system, use [`YubiKey::open_by_serial`] or /// attached to the same system, use [`YubiKey::open_by_serial`] or
///[`yubikey_piv::Readers`] to select from the available PC/SC readers. /// [`yubikey::reader::Context`][`Context`] to select from the available
pub fn open() -> Result<Self, Error> { /// PC/SC readers.
let mut readers = Readers::open().map_err(|e| match e { pub fn open() -> Result<Self> {
Error::PcscError { let mut readers = Context::open()?;
inner: Some(pcsc::Error::NoReadersAvailable),
} => Error::NotFound,
other => other,
})?;
let mut reader_iter = readers.iter()?; let mut reader_iter = readers.iter()?;
if let Some(reader) = reader_iter.next() { if let Some(reader) = reader_iter.next() {
@@ -179,32 +202,49 @@ impl YubiKey {
} }
/// Open a YubiKey with a specific serial number. /// Open a YubiKey with a specific serial number.
pub fn open_by_serial(serial: Serial) -> Result<Self, Error> { pub fn open_by_serial(serial: Serial) -> Result<Self> {
let mut readers = Readers::open().map_err(|e| match e { let mut readers = Context::open()?;
Error::PcscError {
inner: Some(pcsc::Error::NoReadersAvailable), let mut open_error = None;
} => Error::NotFound,
other => other,
})?;
for reader in readers.iter()? { for reader in readers.iter()? {
let yubikey = match reader.open() { let yubikey = match reader.open() {
Ok(yk) => yk, Ok(yk) => yk,
Err(_) => continue, Err(e) => {
// Save the first error we see that indicates we might have been able
// to find a matching YubiKey.
if open_error.is_none() {
if let Error::PcscError {
inner: Some(pcsc::Error::SharingViolation),
} = e
{
open_error = Some(e);
}
}
continue;
}
}; };
if serial == yubikey.serial() { if serial == yubikey.serial() {
return Ok(yubikey); return Ok(yubikey);
} else {
// We didn't want this YubiKey; don't reset it.
let _ = yubikey.disconnect(pcsc::Disposition::LeaveCard);
} }
} }
Err(if let Some(e) = open_error {
e
} else {
error!("no YubiKey detected with serial: {}", serial); error!("no YubiKey detected with serial: {}", serial);
Err(Error::NotFound) Error::NotFound
})
} }
/// Reconnect to a YubiKey /// Reconnect to a YubiKey.
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
pub fn reconnect(&mut self) -> Result<(), Error> { #[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub fn reconnect(&mut self) -> Result<()> {
info!("trying to reconnect to current reader"); info!("trying to reconnect to current reader");
self.card.reconnect( self.card.reconnect(
@@ -228,13 +268,45 @@ impl YubiKey {
Ok(()) Ok(())
} }
/// Begin a transaction. /// Disconnect from the YubiKey.
pub(crate) fn begin_transaction(&mut self) -> Result<Transaction<'_>, Error> { ///
// TODO(tarcieri): reconnect support /// In case of error, ownership of the YubiKey is returned to the caller.
Ok(Transaction::new(&mut self.card)?) ///
/// # Note
///
/// `YubiKey` implements `Drop` which automatically disconnects the card using
/// `Disposition::ResetCard`; you only need to call this function if you want to
/// handle errors or use a different disposition method.
pub fn disconnect(self, disposition: Disposition) -> core::result::Result<(), (Self, Error)> {
let Self {
card,
name,
pin,
version,
serial,
} = self;
card.disconnect(disposition).map_err(|(card, e)| {
(
Self {
card,
name,
pin,
version,
serial,
},
e.into(),
)
})
} }
/// Get the name of the associated PC/SC card reader /// Begin a transaction.
pub(crate) fn begin_transaction(&mut self) -> Result<Transaction<'_>> {
// TODO(tarcieri): reconnect support
Transaction::new(&mut self.card)
}
/// Get the name of the associated PC/SC card reader.
pub fn name(&self) -> &str { pub fn name(&self) -> &str {
&self.name &self.name
} }
@@ -254,28 +326,28 @@ impl YubiKey {
} }
/// Get device configuration. /// Get device configuration.
pub fn config(&mut self) -> Result<Config, Error> { pub fn config(&mut self) -> Result<Config> {
Config::get(self) Config::get(self)
} }
/// Get CHUID /// Get Cardholder Unique Identifier (CHUID).
pub fn chuid(&mut self) -> Result<CHUID, Error> { pub fn chuid(&mut self) -> Result<ChuId> {
CHUID::get(self) ChuId::get(self)
} }
/// Get CCCID /// Get Cardholder Capability Container (CCC) Identifier.
pub fn cccid(&mut self) -> Result<CCC, Error> { pub fn cccid(&mut self) -> Result<CccId> {
CCC::get(self) CccId::get(self)
} }
/// Authenticate to the card using the provided management key (MGM). /// Authenticate to the card using the provided management key (MGM).
pub fn authenticate(&mut self, mgm_key: MgmKey) -> Result<(), Error> { pub fn authenticate(&mut self, mgm_key: MgmKey) -> Result<()> {
let txn = self.begin_transaction()?; let txn = self.begin_transaction()?;
// get a challenge from the card // get a challenge from the card
let challenge = APDU::new(Ins::Authenticate) let challenge = Apdu::new(Ins::Authenticate)
.params(ALGO_3DES, KEY_CARDMGM) .params(ALGO_3DES, KEY_CARDMGM)
.data(&[TAG_DYN_AUTH, 0x02, 0x80, 0x00]) .data([TAG_DYN_AUTH, 0x02, 0x80, 0x00])
.transmit(&txn, 261)?; .transmit(&txn, 261)?;
if !challenge.is_success() || challenge.data().len() < 12 { if !challenge.is_success() || challenge.data().len() < 12 {
@@ -293,18 +365,14 @@ impl YubiKey {
data[4..12].copy_from_slice(&response); data[4..12].copy_from_slice(&response);
data[12] = 0x81; data[12] = 0x81;
data[13] = 8; data[13] = 8;
OsRng.fill_bytes(&mut data[14..22]);
if getrandom(&mut data[14..22]).is_err() {
error!("failed getting randomness for authentication");
return Err(Error::RandomnessError);
}
let mut challenge = [0u8; 8]; let mut challenge = [0u8; 8];
challenge.copy_from_slice(&data[14..22]); challenge.copy_from_slice(&data[14..22]);
let authentication = APDU::new(Ins::Authenticate) let authentication = Apdu::new(Ins::Authenticate)
.params(ALGO_3DES, KEY_CARDMGM) .params(ALGO_3DES, KEY_CARDMGM)
.data(&data) .data(data)
.transmit(&txn, 261)?; .transmit(&txn, 261)?;
if !authentication.is_success() { if !authentication.is_success() {
@@ -322,14 +390,20 @@ impl YubiKey {
Ok(()) Ok(())
} }
/// Deauthenticate /// Get the PIV keys contained in this YubiKey.
pub fn piv_keys(&mut self) -> Result<Vec<piv::Key>> {
piv::Key::list(self)
}
/// Deauthenticate.
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
pub fn deauthenticate(&mut self) -> Result<(), Error> { #[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub fn deauthenticate(&mut self) -> Result<()> {
let txn = self.begin_transaction()?; let txn = self.begin_transaction()?;
let status_words = APDU::new(Ins::SelectApplication) let status_words = Apdu::new(Ins::SelectApplication)
.p1(0x04) .p1(0x04)
.data(MGMT_AID) .data(mgm::APPLET_ID)
.transmit(&txn, 255)? .transmit(&txn, 255)?
.status_words(); .status_words();
@@ -338,14 +412,19 @@ impl YubiKey {
"Failed selecting mgmt application: {:04x}", "Failed selecting mgmt application: {:04x}",
status_words.code() status_words.code()
); );
return Err(Error::GenericError); return Err(match status_words {
StatusWords::NotFoundError => Error::AppletNotFound {
applet_name: mgm::APPLET_NAME,
},
_ => Error::GenericError,
});
} }
Ok(()) Ok(())
} }
/// Verify device PIN. /// Verify device PIN.
pub fn verify_pin(&mut self, pin: &[u8]) -> Result<(), Error> { pub fn verify_pin(&mut self, pin: &[u8]) -> Result<()> {
{ {
let txn = self.begin_transaction()?; let txn = self.begin_transaction()?;
txn.verify_pin(pin)?; txn.verify_pin(pin)?;
@@ -358,8 +437,8 @@ impl YubiKey {
Ok(()) Ok(())
} }
/// Get the number of PIN retries /// Get the number of PIN retries.
pub fn get_pin_retries(&mut self) -> Result<u8, Error> { pub fn get_pin_retries(&mut self) -> Result<u8> {
let txn = self.begin_transaction()?; let txn = self.begin_transaction()?;
// Force a re-select to unverify, because once verified the spec dictates that // Force a re-select to unverify, because once verified the spec dictates that
@@ -375,9 +454,10 @@ impl YubiKey {
} }
} }
/// Set the number of PIN retries /// Set the number of PIN retries.
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
pub fn set_pin_retries(&mut self, pin_tries: u8, puk_tries: u8) -> Result<(), Error> { #[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub fn set_pin_retries(&mut self, pin_tries: u8, puk_tries: u8) -> Result<()> {
// Special case: if either retry count is 0, it's a successful no-op // Special case: if either retry count is 0, it's a successful no-op
if pin_tries == 0 || puk_tries == 0 { if pin_tries == 0 || puk_tries == 0 {
return Ok(()); return Ok(());
@@ -399,9 +479,10 @@ impl YubiKey {
/// Change the Personal Identification Number (PIN). /// Change the Personal Identification Number (PIN).
/// ///
/// The default PIN code is 123456 /// The default PIN code is `123456`.
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
pub fn change_pin(&mut self, current_pin: &[u8], new_pin: &[u8]) -> Result<(), Error> { #[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub fn change_pin(&mut self, current_pin: &[u8], new_pin: &[u8]) -> Result<()> {
{ {
let txn = self.begin_transaction()?; let txn = self.begin_transaction()?;
txn.change_ref(ChangeRefAction::ChangePin, current_pin, new_pin)?; txn.change_ref(ChangeRefAction::ChangePin, current_pin, new_pin)?;
@@ -414,9 +495,10 @@ impl YubiKey {
Ok(()) Ok(())
} }
/// Set PIN last changed /// Set PIN last changed.
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
pub fn set_pin_last_changed(yubikey: &mut YubiKey) -> Result<(), Error> { #[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub fn set_pin_last_changed(yubikey: &mut YubiKey) -> Result<()> {
let txn = yubikey.begin_transaction()?; let txn = yubikey.begin_transaction()?;
let mut admin_data = AdminData::read(&txn)?; let mut admin_data = AdminData::read(&txn)?;
@@ -449,21 +531,23 @@ impl YubiKey {
/// ///
/// The PUK is part of the PIV standard that the YubiKey follows. /// The PUK is part of the PIV standard that the YubiKey follows.
/// ///
/// The default PUK code is 12345678. /// The default PUK code is `12345678`.
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
pub fn change_puk(&mut self, current_puk: &[u8], new_puk: &[u8]) -> Result<(), Error> { #[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub fn change_puk(&mut self, current_puk: &[u8], new_puk: &[u8]) -> Result<()> {
let txn = self.begin_transaction()?; let txn = self.begin_transaction()?;
txn.change_ref(ChangeRefAction::ChangePuk, current_puk, new_puk) txn.change_ref(ChangeRefAction::ChangePuk, current_puk, new_puk)
} }
/// Block PUK: permanently prevent the PIN from becoming unblocked /// Block PUK: permanently prevent the PIN from becoming unblocked.
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
pub fn block_puk(yubikey: &mut YubiKey) -> Result<(), Error> { #[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub fn block_puk(&mut self) -> Result<()> {
let mut puk = [0x30, 0x42, 0x41, 0x44, 0x46, 0x30, 0x30, 0x44]; let mut puk = [0x30, 0x42, 0x41, 0x44, 0x46, 0x30, 0x30, 0x44];
let mut tries_remaining: i32 = -1; let mut tries_remaining: i32 = -1;
let mut flags = [0]; let mut flags = [0];
let txn = yubikey.begin_transaction()?; let txn = self.begin_transaction()?;
while tries_remaining != 0 { while tries_remaining != 0 {
// 2 -> change puk // 2 -> change puk
@@ -487,9 +571,9 @@ impl YubiKey {
} }
// Attempt to set the "PUK blocked" flag in admin data. // Attempt to set the "PUK blocked" flag in admin data.
let mut admin_data = AdminData::read(&txn)
let mut admin_data = if let Ok(admin_data) = AdminData::read(&txn) { .map(|data| {
if let Ok(item) = admin_data.get_item(TAG_ADMIN_FLAGS_1) { if let Ok(item) = data.get_item(TAG_ADMIN_FLAGS_1) {
if item.len() == flags.len() { if item.len() == flags.len() {
flags.copy_from_slice(item) flags.copy_from_slice(item)
} else { } else {
@@ -501,10 +585,9 @@ impl YubiKey {
} }
} }
admin_data data
} else { })
AdminData::default() .unwrap_or_default();
};
flags[0] |= ADMIN_FLAGS_1_PUK_BLOCKED; flags[0] |= ADMIN_FLAGS_1_PUK_BLOCKED;
@@ -522,33 +605,37 @@ impl YubiKey {
/// Unblock a Personal Identification Number (PIN) using a previously /// Unblock a Personal Identification Number (PIN) using a previously
/// configured PIN Unblocking Key (PUK). /// configured PIN Unblocking Key (PUK).
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
pub fn unblock_pin(&mut self, puk: &[u8], new_pin: &[u8]) -> Result<(), Error> { #[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub fn unblock_pin(&mut self, puk: &[u8], new_pin: &[u8]) -> Result<()> {
let txn = self.begin_transaction()?; let txn = self.begin_transaction()?;
txn.change_ref(ChangeRefAction::UnblockPin, puk, new_pin) txn.change_ref(ChangeRefAction::UnblockPin, puk, new_pin)
} }
/// Fetch an object from the YubiKey /// Fetch an object from the YubiKey.
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
pub fn fetch_object(&mut self, object_id: ObjectId) -> Result<Buffer, Error> { #[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub fn fetch_object(&mut self, object_id: ObjectId) -> Result<Buffer> {
let txn = self.begin_transaction()?; let txn = self.begin_transaction()?;
txn.fetch_object(object_id) txn.fetch_object(object_id)
} }
/// Save an object /// Save an object.
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
pub fn save_object(&mut self, object_id: ObjectId, indata: &mut [u8]) -> Result<(), Error> { #[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub fn save_object(&mut self, object_id: ObjectId, indata: &mut [u8]) -> Result<()> {
let txn = self.begin_transaction()?; let txn = self.begin_transaction()?;
txn.save_object(object_id, indata) txn.save_object(object_id, indata)
} }
/// Get an auth challenge /// Get an auth challenge.
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
pub fn get_auth_challenge(&mut self) -> Result<[u8; 8], Error> { #[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub fn get_auth_challenge(&mut self) -> Result<[u8; 8]> {
let txn = self.begin_transaction()?; let txn = self.begin_transaction()?;
let response = APDU::new(Ins::Authenticate) let response = Apdu::new(Ins::Authenticate)
.params(ALGO_3DES, KEY_CARDMGM) .params(ALGO_3DES, KEY_CARDMGM)
.data(&[0x7c, 0x02, 0x81, 0x00]) .data([0x7c, 0x02, 0x81, 0x00])
.transmit(&txn, 261)?; .transmit(&txn, 261)?;
if !response.is_success() { if !response.is_success() {
@@ -558,9 +645,10 @@ impl YubiKey {
Ok(response.data()[4..12].try_into().unwrap()) Ok(response.data()[4..12].try_into().unwrap())
} }
/// Verify an auth response /// Verify an auth response.
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
pub fn verify_auth_response(&mut self, response: [u8; 8]) -> Result<(), Error> { #[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub fn verify_auth_response(&mut self, response: [u8; 8]) -> Result<()> {
let mut data = [0u8; 12]; let mut data = [0u8; 12];
data[0] = 0x7c; data[0] = 0x7c;
data[1] = 0x0a; data[1] = 0x0a;
@@ -571,9 +659,9 @@ impl YubiKey {
let txn = self.begin_transaction()?; let txn = self.begin_transaction()?;
// send the response to the card and a challenge of our own. // send the response to the card and a challenge of our own.
let status_words = APDU::new(Ins::Authenticate) let status_words = Apdu::new(Ins::Authenticate)
.params(ALGO_3DES, KEY_CARDMGM) .params(ALGO_3DES, KEY_CARDMGM)
.data(&data) .data(data)
.transmit(&txn, 261)? .transmit(&txn, 261)?
.status_words(); .status_words();
@@ -590,7 +678,8 @@ impl YubiKey {
/// ///
/// The reset function is only available when both pins are blocked. /// The reset function is only available when both pins are blocked.
#[cfg(feature = "untested")] #[cfg(feature = "untested")]
pub fn reset_device(&mut self) -> Result<(), Error> { #[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
pub fn reset_device(&mut self) -> Result<()> {
let templ = [0, Ins::Reset.code(), 0, 0]; let templ = [0, Ins::Reset.code(), 0, 0];
let txn = self.begin_transaction()?; let txn = self.begin_transaction()?;
let status_words = txn.transfer_data(&templ, &[], 255)?.status_words(); let status_words = txn.transfer_data(&templ, &[], 255)?.status_words();
@@ -606,7 +695,7 @@ impl YubiKey {
impl<'a> TryFrom<&'a Reader<'_>> for YubiKey { impl<'a> TryFrom<&'a Reader<'_>> for YubiKey {
type Error = Error; type Error = Error;
fn try_from(reader: &'a Reader<'_>) -> Result<Self, Error> { fn try_from(reader: &'a Reader<'_>) -> Result<Self> {
let mut card = reader.connect().map_err(|e| { let mut card = reader.connect().map_err(|e| {
error!("error connecting to reader '{}': {}", reader.name(), e); error!("error connecting to reader '{}': {}", reader.name(), e);
e e
@@ -614,15 +703,30 @@ impl<'a> TryFrom<&'a Reader<'_>> for YubiKey {
info!("connected to reader: {}", reader.name()); info!("connected to reader: {}", reader.name());
let (version, serial) = { let mut app_version_serial = || -> Result<(Version, Serial)> {
let txn = Transaction::new(&mut card)?; let txn = Transaction::new(&mut card)?;
txn.select_application()?; txn.select_application()?;
let v = txn.get_version()?; let v = txn.get_version()?;
let s = txn.get_serial(v)?; let s = txn.get_serial(v)?;
(v, s) Ok((v, s))
}; };
match app_version_serial() {
Err(e) => {
error!("Could not use reader: {}", e);
// We were unable to use the card, so we've effectively only connected as
// a side-effect of determining this. Avoid disrupting its internal state
// any further (e.g. preserve the PIN cache of whatever applet is selected
// currently).
if let Err((_, e)) = card.disconnect(pcsc::Disposition::LeaveCard) {
error!("Failed to disconnect gracefully from card: {}", e);
}
Err(e)
}
Ok((version, serial)) => {
let yubikey = YubiKey { let yubikey = YubiKey {
card, card,
name: String::from(reader.name()), name: String::from(reader.name()),
@@ -634,3 +738,5 @@ impl<'a> TryFrom<&'a Reader<'_>> for YubiKey {
Ok(yubikey) Ok(yubikey)
} }
} }
}
}
+85
View File
@@ -0,0 +1,85 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d4:29:8f:df:8a:af:7b:c0:d7:bf:19:9d:90:d5:ef:ca
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Ferdinand Linnenberg CA
Validity
Not Before: Feb 10 12:25:37 2022 GMT
Not After : May 15 12:25:37 2024 GMT
Subject: CN=Bob
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d5:27:9b:99:1b:3a:36:64:36:c8:e5:78:64:b6:
9d:70:9d:29:6c:0e:85:91:4b:78:3b:dc:16:c3:09:
8c:d3:74:20:8c:6f:ed:c3:90:c9:1b:4d:80:d5:46:
da:52:7f:d2:2f:bc:b2:f7:40:8d:ad:dd:24:b9:5c:
dc:a2:21:2f:48:ec:06:93:8b:89:f0:cd:63:ff:a1:
fd:ce:36:d5:07:7a:1e:0e:cf:68:a8:c1:b3:7f:62:
84:b7:e1:cf:25:7b:3f:a8:3c:ac:07:1a:fd:c2:e1:
e0:9e:26:24:c1:0d:6d:9d:c6:57:6a:b4:39:28:3d:
88:3e:c9:6a:89:90:72:4a:7b:75:c5:5e:1b:5e:5c:
32:54:a3:ff:eb:01:68:7f:89:b4:4c:01:3f:08:8e:
6c:61:49:60:26:0b:26:58:81:d7:1a:57:ee:52:5c:
05:47:de:da:eb:b5:92:9d:5b:ce:26:18:44:59:3e:
27:d0:61:86:e2:f4:c6:d9:c7:2b:1f:cb:ea:78:f0:
a1:a9:57:d7:98:4c:c1:2f:ae:6a:38:b4:34:53:2e:
5a:9e:f8:58:c7:51:e7:fd:b8:27:cd:87:72:26:c1:
7d:14:c7:cd:fb:f2:04:8a:c4:8f:61:cf:a8:78:bd:
21:be:28:cb:e8:a8:65:29:28:82:46:2f:18:e6:ff:
6f:53
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
B5:A5:F0:37:25:97:AD:BE:F1:43:52:45:4D:8B:A0:5E:E9:78:21:B8
X509v3 Authority Key Identifier:
keyid:26:4E:EB:B0:A5:1B:08:A8:90:2A:85:04:73:84:B5:A5:2C:61:D6:91
DirName:/CN=Ferdinand Linnenberg CA
serial:8C:E0:40:D9:D8:60:E5:77
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: sha256WithRSAEncryption
19:f3:eb:c1:95:e6:d5:a9:33:d7:2e:02:d8:3a:91:84:81:14:
93:fc:03:4d:b1:4b:9d:0b:9b:94:93:9f:1a:0d:87:31:a1:fa:
a6:c7:3a:6b:18:24:12:ab:28:fb:c8:e3:09:a2:5d:50:49:00:
d9:18:e6:4a:09:18:e0:1c:da:d3:19:96:3d:74:72:fe:e0:8f:
ee:59:54:66:2e:57:72:b8:91:55:06:13:e5:9e:89:a2:3a:13:
3b:45:30:d3:cd:15:0e:81:eb:4f:b0:6a:a4:6d:00:7d:5b:c0:
4a:7f:97:d0:27:27:31:ae:3e:72:f1:74:fe:86:8e:29:a9:42:
23:26:22:db:08:8b:df:e9:d3:83:8d:81:10:36:d7:33:68:5e:
cb:93:cb:1e:12:c8:cb:be:5e:5c:8e:58:b0:1d:06:5e:c9:98:
b7:f1:49:fe:c4:03:de:b4:2b:da:9d:2c:7d:98:37:1c:6c:a8:
95:21:6f:23:e3:2e:09:bc:6c:e5:ed:e2:50:d8:f7:da:45:39:
d8:34:8a:57:0c:4f:d0:0d:80:06:d6:34:63:72:27:d1:50:d1:
d2:21:2c:97:57:17:98:02:95:3a:96:ed:75:9f:cc:f3:b8:f1:
3a:85:f9:58:08:9b:a0:75:fd:9b:fd:31:dd:08:dc:14:3d:f4:
68:aa:d4:30
-----BEGIN CERTIFICATE-----
MIIDXzCCAkegAwIBAgIRANQpj9+Kr3vA178ZnZDV78owDQYJKoZIhvcNAQELBQAw
IjEgMB4GA1UEAwwXRmVyZGluYW5kIExpbm5lbmJlcmcgQ0EwHhcNMjIwMjEwMTIy
NTM3WhcNMjQwNTE1MTIyNTM3WjAOMQwwCgYDVQQDDANCb2IwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDVJ5uZGzo2ZDbI5Xhktp1wnSlsDoWRS3g73BbD
CYzTdCCMb+3DkMkbTYDVRtpSf9IvvLL3QI2t3SS5XNyiIS9I7AaTi4nwzWP/of3O
NtUHeh4Oz2iowbN/YoS34c8lez+oPKwHGv3C4eCeJiTBDW2dxldqtDkoPYg+yWqJ
kHJKe3XFXhteXDJUo//rAWh/ibRMAT8IjmxhSWAmCyZYgdcaV+5SXAVH3trrtZKd
W84mGERZPifQYYbi9MbZxysfy+p48KGpV9eYTMEvrmo4tDRTLlqe+FjHUef9uCfN
h3ImwX0Ux8378gSKxI9hz6h4vSG+KMvoqGUpKIJGLxjm/29TAgMBAAGjgaMwgaAw
CQYDVR0TBAIwADAdBgNVHQ4EFgQUtaXwNyWXrb7xQ1JFTYugXul4IbgwUgYDVR0j
BEswSYAUJk7rsKUbCKiQKoUEc4S1pSxh1pGhJqQkMCIxIDAeBgNVBAMMF0ZlcmRp
bmFuZCBMaW5uZW5iZXJnIENBggkAjOBA2dhg5XcwEwYDVR0lBAwwCgYIKwYBBQUH
AwIwCwYDVR0PBAQDAgeAMA0GCSqGSIb3DQEBCwUAA4IBAQAZ8+vBlebVqTPXLgLY
OpGEgRST/ANNsUudC5uUk58aDYcxofqmxzprGCQSqyj7yOMJol1QSQDZGOZKCRjg
HNrTGZY9dHL+4I/uWVRmLldyuJFVBhPlnomiOhM7RTDTzRUOgetPsGqkbQB9W8BK
f5fQJycxrj5y8XT+ho4pqUIjJiLbCIvf6dODjYEQNtczaF7Lk8seEsjLvl5cjliw
HQZeyZi38Un+xAPetCvanSx9mDccbKiVIW8j4y4JvGzl7eJQ2PfaRTnYNIpXDE/Q
DYAG1jRjcifRUNHSISyXVxeYApU6lu11n8zzuPE6hflYCJugdf2b/THdCNwUPfRo
qtQw
-----END CERTIFICATE-----
Binary file not shown.
+30
View File
@@ -0,0 +1,30 @@
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIi6DixMpf5PQCAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECLgvCsIAjjXRBIIEyDAss0V4NrI5
W7KXPRgRJ1tqvQrWZQTIFu4Crzs9Inb4TtSv5mATI9ZU2RMFF6MYXlhIxJng861P
5IWcU6VeOjRFej8wcB3uTvD2z7NB2cyA5BZSojrZfX5OIEKL9sBzn0vinqmm5N1z
oXhLMgf0FZssA3+zjIf04vtvmk5pxTCE6dq6vlsEIJyQ0xGc39bStIwk2a4E9wvi
XayKNJnRFSrTahuI3DvQJPd9TdmM6sBKnrcJrDa6LvH51SrGzW8bBEjDAmC7yJdi
mBckFTjZ6rGrSxOI6HdnF9RP+y9OiLE4ou5OJ9MbBtngq9OrTImAMZ5ftWowaqX/
Do1UTqixi4ecWrr5fr1+A2Vch0I1drds2e/mmLR+5GEQXQXZPZKjtPMwxM/AYnTZ
w/M3T9KtwSj0s5G6Saz4WpzaUL7wATb/UNqMr8Ifl8mHEVoFZhvoRpMWA7Yj1oPb
cHz8lsfoSrTnK+zLR8ZK3HRu4MtpdCNVwQIJ67T6Feb8YLwYSccTNHBSqUmWRD95
wOOqY33xcfplaQ2Y+/8+mHScGSEPNmC4f7EggDeUnG3ow0f4n95DENO+aYqGLjSF
+XdCjhD+NTNdlV0z50B6P2XWUoBZOOnPfgFf4nAgn7xQbkZZOk5bQDKo2Zu9jW9/
uJyTHqI58tcopI3cjd5iQXOJUrM4OWpPIu3p+VWaIAA8JzJIfDN6fyQ3qsMr305L
30JcjrH6if/6J+2g+DpMAK928JY2hfE8VNWH7096ZnArp42/hLYsNuYnSrL1eS+g
F/4mvyZyLLTFyB0Frnic4I1QTuNkNmwSrm/B5wIWLqkS7XAyyDDXAcaTHdZCN6nM
O2OuF7DfBsFcNMM4VagG5adPS9CYkvz0EEh6ho5XiP2yL3tZfsHyuB4njAsV3aFi
D0Yq7QiCf5iA2d4KsYO6yr1wPfVhlsmPi3++mrHulBwwCQWHTlPgRZnjj1xgmPcQ
00KsUVh+CMWlf20O5sKhzjvkzbwUj1K+ZfMDuuq1RbzFRSx+Gx8vIaThFg9kVyoP
zuvzsT6qc3BGNHmaGZ3d5Re25AuGRTF4cTpDfjW0UL7Wnvnis7iMrUasDhyF7CFn
/KG7eKzxqS08o6D4AM5S/fzZEtszoEgAga6DS2R75FVskDweWuEIsar9UGg3UlmW
q3+rRPRf1CzrLtyYenkkLg/ajr8JOnFGqZVaLmMnegZQH6rF3aEzlQLNgbNepcuA
ObSmAO6MR3MlQgdsH/lNzOPdj1gKcE25hOjGfmwgbOXSJv9Cz0bcBLFEyLZSNpRk
HhNejj6BEz/Cmqg1wm7SOBHsXJGcOTnLO1Y3FBt0I7heWvWmj9rOLG9tvvx9dtrP
pQyDbIcWonuXLrXYSPyOjmeWoQSzdH3NsCswBV4G+iOiLCJDkElR+mrwKbhtS88T
3YeZnsCTsmH+jZpxGgPTObjIG91U4UE4Pnkwc2df355VuOKrf0rB/NK0A9hZGqsV
nxtodjn92P6UFzmfEdt95pMcmurK9wkm1kRkP7cIyAs2lCOIdbgGsszz6Mk16Xqy
49RdhLxJrJ4gkYZIAbY+KNGVc7uPhm/T9xGrIstbEsoUM7jy7nHMOCCDgdbwX/4X
caMeSMZcZ+RvraDDBEbSbg==
-----END ENCRYPTED PRIVATE KEY-----
+169 -41
View File
@@ -3,39 +3,39 @@
#![forbid(unsafe_code)] #![forbid(unsafe_code)]
#![warn(missing_docs, rust_2018_idioms, trivial_casts, unused_qualifications)] #![warn(missing_docs, rust_2018_idioms, trivial_casts, unused_qualifications)]
use getrandom::getrandom;
use lazy_static::lazy_static;
use log::trace; use log::trace;
use rsa::{hash::Hash::SHA2_256, PaddingScheme, PublicKey}; use once_cell::sync::Lazy;
use rand_core::{OsRng, RngCore};
use rsa::pkcs1v15;
use sha2::{Digest, Sha256}; use sha2::{Digest, Sha256};
use std::convert::TryInto; use signature::hazmat::PrehashVerifier;
use std::{env, sync::Mutex}; use std::{env, str::FromStr, sync::Mutex};
use x509::RelativeDistinguishedName; use x509::RelativeDistinguishedName;
use yubikey_piv::{ use yubikey::{
certificate,
certificate::{Certificate, PublicKeyInfo}, certificate::{Certificate, PublicKeyInfo},
key::{self, AlgorithmId, Key, RetiredSlotId, SlotId}, piv::{self, AlgorithmId, Key, ManagementSlotId, RetiredSlotId, SlotId},
policy::{PinPolicy, TouchPolicy}, Error, MgmKey, PinPolicy, Serial, TouchPolicy, YubiKey,
Error, MgmKey, YubiKey,
}; };
lazy_static! { static YUBIKEY: Lazy<Mutex<YubiKey>> = Lazy::new(|| {
/// Provide thread-safe access to a YubiKey
static ref YUBIKEY: Mutex<YubiKey> = init_yubikey();
}
/// One-time test initialization and setup
fn init_yubikey() -> Mutex<YubiKey> {
// Only show logs if `RUST_LOG` is set // Only show logs if `RUST_LOG` is set
if env::var("RUST_LOG").is_ok() { if env::var("RUST_LOG").is_ok() {
env_logger::builder().format_timestamp(None).init(); env_logger::builder().format_timestamp(None).init();
} }
let yubikey = YubiKey::open().unwrap(); let yubikey = if let Ok(serial) = env::var("YUBIKEY_SERIAL") {
let serial = Serial::from_str(&serial).unwrap();
YubiKey::open_by_serial(serial).unwrap()
} else {
YubiKey::open().unwrap()
};
trace!("serial: {}", yubikey.serial()); trace!("serial: {}", yubikey.serial());
trace!("version: {}", yubikey.version()); trace!("version: {}", yubikey.version());
Mutex::new(yubikey) Mutex::new(yubikey)
} });
// //
// CCCID support // CCCID support
@@ -122,16 +122,13 @@ fn test_set_mgmkey() {
assert!(yubikey.authenticate(MgmKey::default()).is_ok()); assert!(yubikey.authenticate(MgmKey::default()).is_ok());
// Set a protected management key. // Set a protected management key.
assert!(MgmKey::generate() assert!(MgmKey::generate().set_protected(&mut yubikey).is_ok());
.unwrap()
.set_protected(&mut yubikey)
.is_ok());
let protected = MgmKey::get_protected(&mut yubikey).unwrap(); let protected = MgmKey::get_protected(&mut yubikey).unwrap();
assert!(yubikey.authenticate(MgmKey::default()).is_err()); assert!(yubikey.authenticate(MgmKey::default()).is_err());
assert!(yubikey.authenticate(protected.clone()).is_ok()); assert!(yubikey.authenticate(protected.clone()).is_ok());
// Set a manual management key. // Set a manual management key.
let manual = MgmKey::generate().unwrap(); let manual = MgmKey::generate();
assert!(manual.set_manual(&mut yubikey, false).is_ok()); assert!(manual.set_manual(&mut yubikey, false).is_ok());
assert!(MgmKey::get_protected(&mut yubikey).is_err()); assert!(MgmKey::get_protected(&mut yubikey).is_err());
assert!(yubikey.authenticate(MgmKey::default()).is_err()); assert!(yubikey.authenticate(MgmKey::default()).is_err());
@@ -159,7 +156,7 @@ fn generate_self_signed_cert(algorithm: AlgorithmId) -> Certificate {
let slot = SlotId::Retired(RetiredSlotId::R1); let slot = SlotId::Retired(RetiredSlotId::R1);
// Generate a new key in the selected slot. // Generate a new key in the selected slot.
let generated = key::generate( let generated = piv::generate(
&mut yubikey, &mut yubikey,
slot, slot,
algorithm, algorithm,
@@ -169,7 +166,7 @@ fn generate_self_signed_cert(algorithm: AlgorithmId) -> Certificate {
.unwrap(); .unwrap();
let mut serial = [0u8; 20]; let mut serial = [0u8; 20];
getrandom(&mut serial).unwrap(); OsRng.fill_bytes(&mut serial);
// Generate a self-signed certificate for the new key. // Generate a self-signed certificate for the new key.
let extensions: &[x509::Extension<'_, &[u64]>] = &[]; let extensions: &[x509::Extension<'_, &[u64]>] = &[];
@@ -199,26 +196,17 @@ fn generate_self_signed_rsa_cert() {
// //
let pubkey = match cert.subject_pki() { let pubkey = match cert.subject_pki() {
PublicKeyInfo::Rsa { pubkey, .. } => pubkey, PublicKeyInfo::Rsa { pubkey, .. } => pkcs1v15::VerifyingKey::<Sha256>::from(pubkey.clone()),
_ => unreachable!(), _ => unreachable!(),
}; };
let data = cert.as_ref(); let data = cert.as_ref();
let tbs_cert_len = u16::from_be_bytes(data[6..8].try_into().unwrap()) as usize; let tbs_cert_len = u16::from_be_bytes(data[6..8].try_into().unwrap()) as usize;
let msg = &data[4..8 + tbs_cert_len]; let msg = &data[4..8 + tbs_cert_len];
let sig = &data[data.len() - 128..]; let sig = pkcs1v15::Signature::try_from(&data[data.len() - 128..]).unwrap();
let hash = Sha256::digest(msg); let hash = Sha256::digest(msg);
assert!(pubkey assert!(pubkey.verify_prehash(&hash, &sig).is_ok());
.verify(
PaddingScheme::PKCS1v15Sign {
hash: Some(SHA2_256)
},
&hash,
sig
)
.is_ok());
} }
#[test] #[test]
@@ -240,9 +228,149 @@ fn generate_self_signed_ec_cert() {
let sig_algo_len = data[7 + tbs_cert_len + 1] as usize; let sig_algo_len = data[7 + tbs_cert_len + 1] as usize;
let sig_start = 7 + tbs_cert_len + 2 + sig_algo_len + 3; let sig_start = 7 + tbs_cert_len + 2 + sig_algo_len + 3;
let msg = &data[4..7 + tbs_cert_len]; let msg = &data[4..7 + tbs_cert_len];
let sig = &data[sig_start..]; let sig = p256::ecdsa::Signature::from_der(&data[sig_start..]).unwrap();
let vk = p256::ecdsa::VerifyingKey::from_sec1_bytes(pubkey.as_bytes()).unwrap();
use ring::signature::{UnparsedPublicKey, ECDSA_P256_SHA256_ASN1}; use p256::ecdsa::signature::Verifier;
let ring_pk = UnparsedPublicKey::new(&ECDSA_P256_SHA256_ASN1, pubkey.as_bytes()); assert!(vk.verify(msg, &sig).is_ok());
assert!(ring_pk.verify(msg, sig).is_ok()); }
#[test]
#[ignore]
fn test_slot_id_display() {
assert_eq!(format!("{}", SlotId::Authentication), "Authentication");
assert_eq!(format!("{}", SlotId::Signature), "Signature");
assert_eq!(format!("{}", SlotId::KeyManagement), "KeyManagement");
assert_eq!(
format!("{}", SlotId::CardAuthentication),
"CardAuthentication"
);
assert_eq!(format!("{}", SlotId::Attestation), "Attestation");
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R1)), "R1");
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R2)), "R2");
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R3)), "R3");
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R4)), "R4");
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R5)), "R5");
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R6)), "R6");
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R7)), "R7");
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R8)), "R8");
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R9)), "R9");
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R10)), "R10");
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R11)), "R11");
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R12)), "R12");
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R13)), "R13");
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R14)), "R14");
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R15)), "R15");
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R16)), "R16");
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R17)), "R17");
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R18)), "R18");
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R19)), "R19");
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R20)), "R20");
assert_eq!(
format!("{}", SlotId::Management(ManagementSlotId::Pin)),
"PIN"
);
assert_eq!(
format!("{}", SlotId::Management(ManagementSlotId::Puk)),
"PUK"
);
assert_eq!(
format!("{}", SlotId::Management(ManagementSlotId::Management)),
"Management"
);
}
//
// Metadata
//
#[test]
#[ignore]
fn test_read_metadata() {
let mut yubikey = YUBIKEY.lock().unwrap();
assert!(yubikey.verify_pin(b"123456").is_ok());
assert!(yubikey.authenticate(MgmKey::default()).is_ok());
let slot = SlotId::Retired(RetiredSlotId::R1);
// Generate a new key in the selected slot.
let generated = piv::generate(
&mut yubikey,
slot,
AlgorithmId::EccP256,
PinPolicy::Default,
TouchPolicy::Default,
)
.unwrap();
let metadata = piv::metadata(&mut yubikey, slot).unwrap();
assert_eq!(metadata.public, Some(generated));
}
#[test]
#[ignore]
fn test_serial_string_conversions() {
//2^152+1
let serial: [u8; 20] = [
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x01,
];
let s = certificate::Serial::from(serial);
assert_eq!(
s.as_x509_int(),
"5708990770823839524233143877797980545530986497"
);
assert_eq!(
s.as_x509_hex(),
"01:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01"
);
let serial2: [u8; 20] = [
0xA1, 0xF3, 0x02, 0x30, 0x76, 0x01, 0x32, 0x48, 0x09, 0x9C, 0x10, 0xAA, 0x3F, 0xA0, 0x54,
0x0D, 0xC0, 0xB7, 0x65, 0x01,
];
let s2 = certificate::Serial::from(serial2);
assert_eq!(
s2.as_x509_int(),
"924566785900861696177829411010986812227211191553"
);
assert_eq!(
s2.as_x509_hex(),
"a1:f3:02:30:76:01:32:48:09:9c:10:aa:3f:a0:54:0d:c0:b7:65:01"
);
let serial3: [u8; 20] = [
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xAA, 0x3F, 0xA0, 0x54,
0x0D, 0xC0, 0xB7, 0x65, 0x01,
];
let s3 = certificate::Serial::from(serial3);
assert_eq!(s3.as_x509_int(), "3140531249369331492097");
assert_eq!(s3.as_x509_hex(), "aa:3f:a0:54:0d:c0:b7:65:01");
}
#[test]
#[ignore]
fn test_parse_cert_from_der() {
let bob_der = std::fs::read("tests/assets/Bob.der").expect(".der file not found");
let cert =
certificate::Certificate::from_bytes(bob_der).expect("Failed to parse valid certificate");
assert_eq!(
cert.subject(),
"CN=Bob",
"Subject is {} should be CN=Bob",
cert.subject()
);
assert_eq!(
cert.issuer(),
"CN=Ferdinand Linnenberg CA",
"Issuer is {} should be {}",
cert.issuer(),
"CN=Ferdinand Linnenberg CA"
);
} }