Compare commits
115 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| cafb0b2c18 | |||
| 0c7441a81e | |||
| a50addc15b | |||
| 0809f300b7 | |||
| d55079f9a6 | |||
| 10241230b3 | |||
| 1e02f135f0 | |||
| 0c2633ab31 | |||
| f49c617a9d | |||
| 1d33ea1747 | |||
| 18eb4bf4f4 | |||
| 10941bfb5b | |||
| 002491193e | |||
| 2e5139b237 | |||
| d880faaefa | |||
| cc00a10c2f | |||
| 0a2e798894 | |||
| 5c4259023f | |||
| 57bb088c7d | |||
| ccf19a3668 | |||
| db13fce53b | |||
| 0071566097 | |||
| d8653bc6f0 | |||
| 603b102932 | |||
| 7470b1613a | |||
| 4310cc0f9a | |||
| 87ed7b2338 | |||
| 7866d8d53e | |||
| 744238fd77 | |||
| bbb186f95e | |||
| c89cc5acd0 | |||
| 2294c1cc3a | |||
| 65e201db0f | |||
| b571f81007 | |||
| 0a36a37ae3 | |||
| 3463d109b2 | |||
| 014b7ee6fd | |||
| 498de4c10d | |||
| 98b038c873 | |||
| fab9d25b0a | |||
| bb80551324 | |||
| 9e20ecfe55 | |||
| fac83c60fb | |||
| 914f9bee0d | |||
| 83de59983f | |||
| e21395c934 | |||
| 935fea0868 | |||
| dd4b1c60a4 | |||
| 74a50f0f0c | |||
| 86d482b38d | |||
| edf74871ba | |||
| b11d5c409b | |||
| 52107281df | |||
| bcef792f69 | |||
| 10a7ead932 | |||
| 54ce90d51d | |||
| 3905104b52 | |||
| 97e15abcee | |||
| da7e7af109 | |||
| 6e96087b93 | |||
| f3bb858a2f | |||
| ac72797d1f | |||
| fdd3b8730a | |||
| d51ec0a225 | |||
| d601c33ba3 | |||
| 8e52d75992 | |||
| 42ae5fb974 | |||
| 224d346f09 | |||
| 01e5bba33f | |||
| 48f42780df | |||
| 92f770805f | |||
| 563f6f9ccc | |||
| 5f418bbd1d | |||
| 47776ebf0b | |||
| 227518dd1b | |||
| e6cea2eca6 | |||
| e249e91297 | |||
| 1018127843 | |||
| 1765e11bc0 | |||
| 1228d16439 | |||
| de51b0cc46 | |||
| 1051eaf26d | |||
| a1d9c7afc5 | |||
| 2c06626c25 | |||
| a2a912fc3c | |||
| c9e2edc41f | |||
| 20bf9b0679 | |||
| 0d4d4f7f06 | |||
| d31872964d | |||
| 865353f4da | |||
| 1ad17bb025 | |||
| d33e80faea | |||
| e61682be43 | |||
| 43dfc06875 | |||
| e230390e7e | |||
| ef3df46ed2 | |||
| 18e3636161 | |||
| 9d1da84233 | |||
| 37088bba56 | |||
| 3580c45f71 | |||
| 79c289ac00 | |||
| cbca858488 | |||
| 8b896ab4de | |||
| 24b035008c | |||
| 90bc878b21 | |||
| 08185c5ec9 | |||
| 7da2c7ba6a | |||
| fecd786262 | |||
| 1a6d1d0a71 | |||
| f43539088b | |||
| 72f63131ac | |||
| b59856d09e | |||
| 7628ebf605 | |||
| 0688dbf30d | |||
| 7e3d0bc838 |
@@ -0,0 +1,5 @@
|
||||
[advisories]
|
||||
ignore = [
|
||||
"RUSTSEC-2020-0071", # chrono
|
||||
"RUSTSEC-2021-0145", # atty
|
||||
] # advisory IDs to ignore e.g. ["RUSTSEC-2019-0001", ...]
|
||||
@@ -3,7 +3,7 @@ name: CI
|
||||
on:
|
||||
pull_request: {}
|
||||
push:
|
||||
branches: develop
|
||||
branches: main
|
||||
|
||||
env:
|
||||
CARGO_INCREMENTAL: 0
|
||||
@@ -36,13 +36,13 @@ jobs:
|
||||
toolchain: stable
|
||||
deps: true
|
||||
- platform: ubuntu-latest
|
||||
toolchain: 1.44.0 # MSRV
|
||||
toolchain: 1.65.0 # MSRV
|
||||
deps: sudo apt-get install libpcsclite-dev
|
||||
- platform: windows-latest
|
||||
toolchain: 1.44.0 # MSRV
|
||||
toolchain: 1.65.0 # MSRV
|
||||
deps: true
|
||||
- platform: macos-latest
|
||||
toolchain: 1.44.0 # MSRV
|
||||
toolchain: 1.65.0 # MSRV
|
||||
deps: true
|
||||
runs-on: ${{ matrix.platform }}
|
||||
steps:
|
||||
@@ -82,7 +82,8 @@ jobs:
|
||||
- uses: actions-rs/toolchain@v1
|
||||
with:
|
||||
profile: minimal
|
||||
toolchain: 1.44.0 # MSRV
|
||||
toolchain: 1.65.0
|
||||
components: clippy
|
||||
override: true
|
||||
- run: sudo apt-get install libpcsclite-dev
|
||||
- run: cargo clippy --all --exclude crypto_box --all-features -- -D warnings
|
||||
- run: cargo clippy --all --all-features -- -D warnings
|
||||
|
||||
@@ -3,7 +3,7 @@ on:
|
||||
pull_request:
|
||||
paths: Cargo.lock
|
||||
push:
|
||||
branches: develop
|
||||
branches: main
|
||||
paths: Cargo.lock
|
||||
schedule:
|
||||
- cron: '0 0 * * *'
|
||||
@@ -42,4 +42,4 @@ jobs:
|
||||
uses: actions-rs/cargo@v1
|
||||
with:
|
||||
command: audit
|
||||
args: --deny-warnings --ignore RUSTSEC-2019-0031 # spin
|
||||
args: --deny warnings
|
||||
|
||||
+207
-41
@@ -4,7 +4,173 @@ All notable changes to this project will be documented in this file.
|
||||
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
||||
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
||||
|
||||
## 0.1.0 (2020-10-18)
|
||||
## Unreleased
|
||||
### Added
|
||||
- `YubiKey::disconnect`
|
||||
- `impl Debug for {Context, YubiKey}`
|
||||
- `Error::AppletNotFound`
|
||||
|
||||
### Changed
|
||||
- `Reader::open` now returns `Error::AppletNotFound` instead of `Error::Generic`
|
||||
if the PIV applet is not present on the device. This is returned by non-PIV
|
||||
virtual smart cards like Windows Hello for Business, as well as some smart
|
||||
card readers when no card is present.
|
||||
- `Reader::open` now avoids resetting the card if an error occurs (equivalent to
|
||||
calling `YubiKey::disconnect(pcsc::Disposition::LeaveCard)` if `Reader::open`
|
||||
succeeds).
|
||||
|
||||
### Fixed
|
||||
- `StatusWords::code` now returns the correct code (including embedded `tries`
|
||||
count) for `StatusWords::VerifyFailError`. Previously the returned code lost
|
||||
information and was not round-trip compatible with `StatusWords::from(u16)`.
|
||||
|
||||
## 0.7.0 (2022-11-14)
|
||||
### Added
|
||||
- Display inner PC/SC errors ([#420])
|
||||
- Support for metadata command ([#371])
|
||||
- Better `certificate::Serial` inspection ([#437])
|
||||
|
||||
### Changed
|
||||
- MSRV 1.60.0 ([#423])
|
||||
- Bump `rsa` to v0.7.1 ([#440])
|
||||
- Switch from `lazy_static` to `once_cell` ([#442])
|
||||
- Switch from `subtle-encoding` to `base16ct` ([#443])
|
||||
|
||||
### Fixed
|
||||
- Use `chrono` v0.4.23 or newer ([#436])
|
||||
- `Certificate::issuer` was returning the subject instead ([#437])
|
||||
|
||||
[#371]: https://github.com/iqlusioninc/yubikey.rs/pull/371
|
||||
[#420]: https://github.com/iqlusioninc/yubikey.rs/pull/420
|
||||
[#423]: https://github.com/iqlusioninc/yubikey.rs/pull/423
|
||||
[#436]: https://github.com/iqlusioninc/yubikey.rs/pull/436
|
||||
[#437]: https://github.com/iqlusioninc/yubikey.rs/pull/437
|
||||
[#440]: https://github.com/iqlusioninc/yubikey.rs/pull/440
|
||||
[#442]: https://github.com/iqlusioninc/yubikey.rs/pull/442
|
||||
[#443]: https://github.com/iqlusioninc/yubikey.rs/pull/443
|
||||
|
||||
## 0.6.0 (2022-08-10)
|
||||
### Changed
|
||||
- 2021 edition upgrade ([#343])
|
||||
- RustCrypto crate upgrades; MSRV 1.57 ([#378])
|
||||
- `des` v0.8
|
||||
- `elliptic-curve` v0.12
|
||||
- `hmac` v0.12
|
||||
- `num-bigint-dig` v0.8
|
||||
- `pbkdf2` v0.11
|
||||
- `p256` v0.11
|
||||
- `p384` v0.11
|
||||
- `rsa` v0.6
|
||||
- `sha1` v0.10 (replacing `sha-1`)
|
||||
- `sha2` v0.10
|
||||
- Bump `uuid` to v1.0 ([#376])
|
||||
- Bump `der-parser` to v8.0 ([#402])
|
||||
- Bump `x509-parser` to v0.14 ([#402])
|
||||
|
||||
[#343]: https://github.com/iqlusioninc/yubikey.rs/pull/343
|
||||
[#376]: https://github.com/iqlusioninc/yubikey.rs/pull/376
|
||||
[#378]: https://github.com/iqlusioninc/yubikey.rs/pull/378
|
||||
[#402]: https://github.com/iqlusioninc/yubikey.rs/pull/402
|
||||
|
||||
## 0.5.0 (2021-11-21)
|
||||
### Changed
|
||||
- Update `rsa` dependency to 0.5 ([#315])
|
||||
- Update `pbkdf2` dependency to 0.9 ([#315])
|
||||
- Update `x509-parser` dependency to 0.12 ([#315], [#322])
|
||||
- Update `nom` to v7.0 ([#322])
|
||||
|
||||
[#315]: https://github.com/iqlusioninc/yubikey.rs/pull/315
|
||||
[#322]: https://github.com/iqlusioninc/yubikey.rs/pull/322
|
||||
|
||||
## 0.4.2 (2021-07-13)
|
||||
### Added
|
||||
- Make `yubikey::Buffer` a pub type ([#290])
|
||||
|
||||
### Changed
|
||||
- Have `YubiKey::block_puk` take `&mut self` as argument ([#289])
|
||||
|
||||
[#289]: https://github.com/iqlusioninc/yubikey.rs/pull/289
|
||||
[#290]: https://github.com/iqlusioninc/yubikey.rs/pull/290
|
||||
|
||||
## 0.4.1 (2021-07-12)
|
||||
### Changed
|
||||
- Rename `SettingValue` to `Setting` ([#286])
|
||||
- Rename `Ccc` to `CccId` ([#287])
|
||||
|
||||
[#286]: https://github.com/iqlusioninc/yubikey.rs/pull/286
|
||||
[#287]: https://github.com/iqlusioninc/yubikey.rs/pull/287
|
||||
|
||||
## 0.4.0 (2021-07-12) [YANKED]
|
||||
### Added
|
||||
- `Result` alias ([#271])
|
||||
|
||||
### Changed
|
||||
- Renamed crate from `yubikey-piv` => `yubikey` ([#267])
|
||||
- Renamed the following:
|
||||
- `APDU` => `Apdu` ([#269])
|
||||
- `CCC` => `Ccc` ([#269])
|
||||
- `CHUID` => `ChuId` ([#269])
|
||||
- `Ccc::cccid` => `Ccc::card_id` ([#270])
|
||||
- `key` => `piv` ([#277])
|
||||
- `readers` => `reader` ([#278])
|
||||
- `readers::Readers` => `reader::Context` ([#278])
|
||||
- Bumped the following dependencies:
|
||||
- `rsa` => v0.4 ([#246])
|
||||
- `des` => v0.7 ([#251])
|
||||
- `elliptic-curve` => v0.10 ([#268])
|
||||
- `hmac` => v0.11 ([#251])
|
||||
- `pbkdf2` => v0.8 ([#251])
|
||||
- `p256` => v0.9 ([#268])
|
||||
- `p384` => v0.8 ([#268])
|
||||
- MSRV 1.51+ ([#268])
|
||||
- Flatten API ([#274])
|
||||
- Replace `getrandom` with `rand_core` ([#276])
|
||||
|
||||
### Fixed
|
||||
- Potential local DoS in TLV parser ([#279])
|
||||
|
||||
[#246]: https://github.com/iqlusioninc/yubikey.rs/pull/246
|
||||
[#251]: https://github.com/iqlusioninc/yubikey.rs/pull/251
|
||||
[#267]: https://github.com/iqlusioninc/yubikey.rs/pull/267
|
||||
[#268]: https://github.com/iqlusioninc/yubikey.rs/pull/268
|
||||
[#269]: https://github.com/iqlusioninc/yubikey.rs/pull/269
|
||||
[#270]: https://github.com/iqlusioninc/yubikey.rs/pull/270
|
||||
[#271]: https://github.com/iqlusioninc/yubikey.rs/pull/271
|
||||
[#274]: https://github.com/iqlusioninc/yubikey.rs/pull/274
|
||||
[#276]: https://github.com/iqlusioninc/yubikey.rs/pull/276
|
||||
[#277]: https://github.com/iqlusioninc/yubikey.rs/pull/277
|
||||
[#278]: https://github.com/iqlusioninc/yubikey.rs/pull/278
|
||||
[#279]: https://github.com/iqlusioninc/yubikey.rs/pull/279
|
||||
|
||||
## yubikey-piv 0.3.0 (2021-03-22)
|
||||
### Added
|
||||
- Typed structs for PIN-protected and admin metadata ([#223])
|
||||
- `MgmKey::set_default`/`MgmKey::set_manual` methods ([#224])
|
||||
|
||||
### Changed
|
||||
- Have `Transaction::set_mgm_key` take touch requirement as bool ([#224])
|
||||
|
||||
### Removed
|
||||
- `MgmKey::set` method ([#224])
|
||||
|
||||
[#223]: https://github.com/iqlusioninc/yubikey.rs/pull/223
|
||||
[#224]: https://github.com/iqlusioninc/yubikey.rs/pull/224
|
||||
|
||||
## yubikey-piv 0.2.0 (2021-01-30)
|
||||
### Changed
|
||||
- Bump `der-parser` to v5.0 ([#194])
|
||||
- Improve self-signed certificates ([#207])
|
||||
- Bump `x509-parser` to v0.9 ([#208])
|
||||
- Bump elliptic-curve to 0.8. Also requires bumping p256 and p384 ([#208])
|
||||
- Bump MSRV to 1.46+ ([#208])
|
||||
- Bump `pbkdf2` dependency to v0.7 ([#219])
|
||||
|
||||
[#194]: https://github.com/iqlusioninc/yubikey.rs/pull/194
|
||||
[#207]: https://github.com/iqlusioninc/yubikey.rs/pull/207
|
||||
[#208]: https://github.com/iqlusioninc/yubikey.rs/pull/208
|
||||
[#219]: https://github.com/iqlusioninc/yubikey.rs/pull/219
|
||||
|
||||
## yubikey-piv 0.1.0 (2020-10-19)
|
||||
### Added
|
||||
- `Certificate::generate_self_signed` ([#80])
|
||||
- `YubiKey::open_by_serial` ([#69])
|
||||
@@ -29,24 +195,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||
### Removed
|
||||
- YubiKey NEO support ([#63])
|
||||
|
||||
[#177]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/177
|
||||
[#175]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/175
|
||||
[#128]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/128
|
||||
[#82]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/82
|
||||
[#73]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/73
|
||||
[#88]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/88
|
||||
[#80]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/80
|
||||
[#69]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/69
|
||||
[#68]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/68
|
||||
[#67]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/67
|
||||
[#65]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/65
|
||||
[#64]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/64
|
||||
[#63]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/63
|
||||
[#62]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/62
|
||||
[#61]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/61
|
||||
[#60]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/60
|
||||
[#177]: https://github.com/iqlusioninc/yubikey.rs/pull/177
|
||||
[#175]: https://github.com/iqlusioninc/yubikey.rs/pull/175
|
||||
[#128]: https://github.com/iqlusioninc/yubikey.rs/pull/128
|
||||
[#82]: https://github.com/iqlusioninc/yubikey.rs/pull/82
|
||||
[#73]: https://github.com/iqlusioninc/yubikey.rs/pull/73
|
||||
[#88]: https://github.com/iqlusioninc/yubikey.rs/pull/88
|
||||
[#80]: https://github.com/iqlusioninc/yubikey.rs/pull/80
|
||||
[#69]: https://github.com/iqlusioninc/yubikey.rs/pull/69
|
||||
[#68]: https://github.com/iqlusioninc/yubikey.rs/pull/68
|
||||
[#67]: https://github.com/iqlusioninc/yubikey.rs/pull/67
|
||||
[#65]: https://github.com/iqlusioninc/yubikey.rs/pull/65
|
||||
[#64]: https://github.com/iqlusioninc/yubikey.rs/pull/64
|
||||
[#63]: https://github.com/iqlusioninc/yubikey.rs/pull/63
|
||||
[#62]: https://github.com/iqlusioninc/yubikey.rs/pull/62
|
||||
[#61]: https://github.com/iqlusioninc/yubikey.rs/pull/61
|
||||
[#60]: https://github.com/iqlusioninc/yubikey.rs/pull/60
|
||||
|
||||
## 0.0.3 (2019-12-02)
|
||||
## yubikey-piv 0.0.3 (2019-12-02)
|
||||
### Added
|
||||
- Initial `Readers` enumerator for detecting YubiKeys ([#51])
|
||||
- Certificate parsing ([#45])
|
||||
@@ -62,19 +228,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||
- `Ins` (APDU instruction codes) enum ([#33])
|
||||
- Factor `Response` into `apdu` module; improved debugging ([#32])
|
||||
|
||||
[#51]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/51
|
||||
[#45]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/45
|
||||
[#44]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/44
|
||||
[#43]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/43
|
||||
[#42]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/42
|
||||
[#39]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/39
|
||||
[#37]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/37
|
||||
[#36]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/36
|
||||
[#34]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/34
|
||||
[#33]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/33
|
||||
[#32]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/32
|
||||
[#51]: https://github.com/iqlusioninc/yubikey.rs/pull/51
|
||||
[#45]: https://github.com/iqlusioninc/yubikey.rs/pull/45
|
||||
[#44]: https://github.com/iqlusioninc/yubikey.rs/pull/44
|
||||
[#43]: https://github.com/iqlusioninc/yubikey.rs/pull/43
|
||||
[#42]: https://github.com/iqlusioninc/yubikey.rs/pull/42
|
||||
[#39]: https://github.com/iqlusioninc/yubikey.rs/pull/39
|
||||
[#37]: https://github.com/iqlusioninc/yubikey.rs/pull/37
|
||||
[#36]: https://github.com/iqlusioninc/yubikey.rs/pull/36
|
||||
[#34]: https://github.com/iqlusioninc/yubikey.rs/pull/34
|
||||
[#33]: https://github.com/iqlusioninc/yubikey.rs/pull/33
|
||||
[#32]: https://github.com/iqlusioninc/yubikey.rs/pull/32
|
||||
|
||||
## 0.0.2 (2019-11-25)
|
||||
## yubikey-piv 0.0.2 (2019-11-25)
|
||||
### Added
|
||||
- `untested` Cargo feature to mark untested functionality ([#30])
|
||||
- Initial connect test and docs ([#19])
|
||||
@@ -89,16 +255,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||
- Use `log` crate for logging ([#7])
|
||||
- Replace `ErrorKind::Ok` with `Result` ([#6])
|
||||
|
||||
[#30]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/30
|
||||
[#19]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/19
|
||||
[#17]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/17
|
||||
[#15]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/15
|
||||
[#13]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/13
|
||||
[#10]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/10
|
||||
[#9]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/9
|
||||
[#8]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/8
|
||||
[#7]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/7
|
||||
[#6]: https://github.com/iqlusioninc/yubikey-piv.rs/pull/6
|
||||
[#30]: https://github.com/iqlusioninc/yubikey.rs/pull/30
|
||||
[#19]: https://github.com/iqlusioninc/yubikey.rs/pull/19
|
||||
[#17]: https://github.com/iqlusioninc/yubikey.rs/pull/17
|
||||
[#15]: https://github.com/iqlusioninc/yubikey.rs/pull/15
|
||||
[#13]: https://github.com/iqlusioninc/yubikey.rs/pull/13
|
||||
[#10]: https://github.com/iqlusioninc/yubikey.rs/pull/10
|
||||
[#9]: https://github.com/iqlusioninc/yubikey.rs/pull/9
|
||||
[#8]: https://github.com/iqlusioninc/yubikey.rs/pull/8
|
||||
[#7]: https://github.com/iqlusioninc/yubikey.rs/pull/7
|
||||
[#6]: https://github.com/iqlusioninc/yubikey.rs/pull/6
|
||||
|
||||
## 0.0.1 (2019-11-18)
|
||||
## yubikey-piv 0.0.1 (2019-11-18)
|
||||
- Initial release
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
Copyright (c) 2014-2019 Yubico AB, Tony Arcieri
|
||||
Copyright (c) 2014-2021 Yubico AB, Tony Arcieri
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
|
||||
Generated
+919
-683
File diff suppressed because it is too large
Load Diff
+35
-35
@@ -1,60 +1,60 @@
|
||||
[package]
|
||||
name = "yubikey-piv"
|
||||
version = "0.1.0" # Also update html_root_url in lib.rs when bumping this
|
||||
name = "yubikey"
|
||||
version = "0.8.0-pre.0"
|
||||
description = """
|
||||
Pure Rust host-side driver for the YubiKey Personal Identity Verification (PIV)
|
||||
application providing general-purpose public-key signing and encryption
|
||||
with hardware-backed private keys for RSA (2048/1024) and ECC (P-256/P-384)
|
||||
algorithms (e.g, PKCS#1v1.5, ECDSA)
|
||||
Pure Rust cross-platform host-side driver for YubiKey devices from Yubico with
|
||||
support for hardware-backed public-key decryption and digital signatures using
|
||||
the Personal Identity Verification (PIV) application. Supports RSA (1024/2048)
|
||||
or ECC (NIST P-256/P-384) algorithms e.g, PKCS#1v1.5, ECDSA
|
||||
"""
|
||||
authors = ["Tony Arcieri <tony@iqlusion.io>", "Yubico AB"]
|
||||
edition = "2018"
|
||||
license = "BSD-2-Clause"
|
||||
repository = "https://github.com/iqlusioninc/yubikey-piv.rs"
|
||||
repository = "https://github.com/iqlusioninc/yubikey.rs"
|
||||
readme = "README.md"
|
||||
categories = ["api-bindings", "cryptography", "hardware-support"]
|
||||
keywords = ["ecdsa", "rsa", "piv", "pcsc", "yubikey"]
|
||||
categories = ["api-bindings", "authentication", "cryptography", "hardware-support"]
|
||||
keywords = ["ecdsa", "encryption", "rsa", "piv", "signature"]
|
||||
edition = "2021"
|
||||
rust-version = "1.65"
|
||||
|
||||
[workspace]
|
||||
members = [".", "cli"]
|
||||
|
||||
[badges]
|
||||
maintenance = { status = "experimental" }
|
||||
|
||||
[dependencies]
|
||||
chrono = "0.4"
|
||||
chrono = "0.4.23"
|
||||
cookie-factory = "0.3"
|
||||
der-parser = "4"
|
||||
des = "0.6"
|
||||
elliptic-curve = "0.6"
|
||||
getrandom = "0.1"
|
||||
hmac = "0.10"
|
||||
der-parser = "8"
|
||||
des = "0.8"
|
||||
elliptic-curve = "0.13"
|
||||
hex = { package = "base16ct", version = "0.2", features = ["alloc"] }
|
||||
hmac = "0.12"
|
||||
log = "0.4"
|
||||
nom = "5"
|
||||
num-bigint = { version = "0.6", features = ["rand"], package = "num-bigint-dig" }
|
||||
nom = "7"
|
||||
num-bigint-dig = { version = "0.8", features = ["rand"] }
|
||||
num-traits = "0.2"
|
||||
num-integer = "0.1"
|
||||
pbkdf2 = "0.6"
|
||||
p256 = "0.5"
|
||||
p384 = "0.4"
|
||||
pcsc = "2"
|
||||
rsa = "0.3"
|
||||
secrecy = "0.7"
|
||||
sha-1 = "0.9"
|
||||
sha2 = "0.9"
|
||||
p256 = "0.13"
|
||||
p384 = "0.13"
|
||||
pbkdf2 = { version = "0.12", default-features = false, features = ["hmac"] }
|
||||
pcsc = "2.3.1"
|
||||
rand_core = { version = "0.6", features = ["std"] }
|
||||
rsa = "=0.9.0-pre.0"
|
||||
secrecy = "0.8"
|
||||
sha1 = { version = "0.10", features = ["oid"] }
|
||||
sha2 = { version = "0.10", features = ["oid"] }
|
||||
subtle = "2"
|
||||
subtle-encoding = "0.5"
|
||||
x509 = "0.1.2"
|
||||
x509-parser = "0.8"
|
||||
uuid = { version = "1.2", features = ["v4"] }
|
||||
x509 = "0.2"
|
||||
x509-parser = "0.14"
|
||||
zeroize = "1"
|
||||
|
||||
[dev-dependencies]
|
||||
env_logger = "0.8"
|
||||
ring = "0.16.15"
|
||||
lazy_static = "1"
|
||||
env_logger = "0.10"
|
||||
once_cell = "1"
|
||||
signature = "2"
|
||||
|
||||
[features]
|
||||
untested = []
|
||||
|
||||
[package.metadata.docs.rs]
|
||||
all-features = true
|
||||
rustdoc-args = ["--cfg", "docsrs"]
|
||||
|
||||
@@ -1,18 +1,21 @@
|
||||
<img src="https://raw.githubusercontent.com/iqlusioninc/yubikey-piv.rs/develop/img/logo.png" width="150" height="110">
|
||||
<img src="https://raw.githubusercontent.com/iqlusioninc/yubikey.rs/main/img/logo.png" width="150" height="110">
|
||||
|
||||
# yubikey-piv.rs
|
||||
# yubikey.rs
|
||||
|
||||
[![crate][crate-image]][crate-link]
|
||||
[![Docs][docs-image]][docs-link]
|
||||
[![2-Clause BSD Licensed][license-image]][license-link]
|
||||
![Rust Version][rustc-image]
|
||||
![Maintenance Status: Experimental][maintenance-image]
|
||||
[![Safety Dance][safety-image]][safety-link]
|
||||
[![Build Status][build-image]][build-link]
|
||||
[![Gitter Chat][gitter-image]][gitter-link]
|
||||
[![Safety Dance][safety-image]][safety-link]
|
||||
[![Dependency Status][deps-image]][deps-link]
|
||||
[![2-Clause BSD Licensed][license-image]][license-link]
|
||||
![MSRV][msrv-image]
|
||||
|
||||
Pure Rust host-side YubiKey [Personal Identity Verification (PIV)][PIV] driver
|
||||
with general-purpose public-key encryption and signing support.
|
||||
Pure Rust cross-platform host-side driver for [YubiKey] devices from [Yubico]
|
||||
with support for public-key encryption and digital signatures using the
|
||||
[Personal Identity Verification (PIV)][PIV] application.
|
||||
|
||||
Uses the Personal Computer/Smart Card ([PC/SC]) interface with cross-platform
|
||||
access provided by the [`pcsc` crate].
|
||||
|
||||
[Documentation][docs-link]
|
||||
|
||||
@@ -26,17 +29,44 @@ encryption (PKCS#1v1.5/ECIES) use cases are supported for either key type.
|
||||
See [Yubico's guide to PIV-enabled YubiKeys][yk-guide] for more information
|
||||
on which devices support PIV and the available functionality.
|
||||
|
||||
If you've been wanting to use Rust to sign and/or encrypt stuff using a
|
||||
private key generated and stored on a Yubikey (with option PIN-based access),
|
||||
If you've been wanting to use Rust to sign and/or encrypt data using a
|
||||
private key generated and stored on a YubiKey (with option PIN-based access),
|
||||
this is the crate you've been after!
|
||||
|
||||
Note that while this project started as a fork of a [Yubico] project,
|
||||
this fork is **NOT** an official Yubico project and is in no way supported or
|
||||
endorsed by Yubico.
|
||||
|
||||
## Features
|
||||
|
||||
### Personal Identity Verification (PIV)
|
||||
|
||||
[PIV] is a [NIST] standard for both *signing* and *encryption*
|
||||
using SmartCards and SmartCard-based hardware tokens like YubiKeys.
|
||||
|
||||
PIV-related functionality can be found in the [`piv`] module.
|
||||
|
||||
This library natively implements the protocol used to manage and
|
||||
utilize PIV encryption and signing keys which can be generated, imported,
|
||||
and stored on YubiKey devices.
|
||||
|
||||
See [Yubico's guide to PIV-enabled YubiKeys][yk-guide] for more information
|
||||
on which devices support PIV and the available functionality.
|
||||
|
||||
### Supported Algorithms
|
||||
- **Authentication**: `3DES`
|
||||
- **Encryption**:
|
||||
- RSA: `RSA1024`, `RSA2048`
|
||||
- ECC: `ECCP256`, `ECCP384` (NIST curves: P-256, P-384)
|
||||
- **Signatures**:
|
||||
- RSASSA-PKCS#1v1.5: `RSA1024`, `RSA2048`
|
||||
- ECDSA: `ECCP256`, `ECCP384` (NIST curves: P-256, P-384)
|
||||
|
||||
NOTE: RSASSA-PSS signatures and RSA-OAEP encryption may be supportable (TBD)
|
||||
|
||||
## Minimum Supported Rust Version
|
||||
|
||||
- Rust **1.44** or newer
|
||||
Rust **1.60** or newer.
|
||||
|
||||
## Supported YubiKeys
|
||||
|
||||
@@ -46,6 +76,12 @@ endorsed by Yubico.
|
||||
NOTE: Nano and USB-C variants of the above are also supported.
|
||||
Pre-YK4 [YubiKey NEO] series is **NOT** supported (see [#18]).
|
||||
|
||||
## Supported Operating Systems
|
||||
|
||||
- Linux
|
||||
- macOS
|
||||
- Windows
|
||||
|
||||
## Security Warning
|
||||
|
||||
No security audits of this crate have ever been performed. Presently it is in
|
||||
@@ -55,38 +91,14 @@ USE AT YOUR OWN RISK!
|
||||
|
||||
## Status
|
||||
|
||||
This project is a largely incomplete work-in-progress. So far the only
|
||||
functionality which has actually been tested is connecting to Yubikeys.
|
||||
Functionality which has been successfully tested is available by default.
|
||||
|
||||
If you're interested helping test functionality, the table below documents
|
||||
the current status of the project and relevant GitHub issues for various
|
||||
functions of the YubiKey:
|
||||
Any functionality which is gated on the `untested` feature has not been
|
||||
properly tested and is not known to function correctly.
|
||||
|
||||
| | Module | Issue | Description |
|
||||
|----|---------------|-------|-------------|
|
||||
| 🚧 | `yubikey` | [#20] | Core functionality: auth, keys, PIN/PUK, encrypt, sign, attest |
|
||||
| 🚧 | `cccid` | [#21] | Cardholder Capability Container (CCC) IDs |
|
||||
| 🚧️ | `certificate` | [#22] | Certificates for stored keys |
|
||||
| 🚧 | `chuid` | [#23] | Cardholder Unique Identifier (CHUID) |
|
||||
| ✅️ | `config` | [#24] | Support for reading on-key configuration |
|
||||
| 🚧 | `key` | [#26] | Crypto key management: list, generate, import |
|
||||
| 🚧 | `mgm` | [#26] | Management Key (MGM) support: set, get, derive |
|
||||
| ⚠️ | `mscmap` | [#25] | MS Container Map Records |
|
||||
| ⚠️ | `msroots` | [#28] | `msroots` file: PKCS#7 formatted certificate store for enterprise trusted roots |
|
||||
|
||||
Legend:
|
||||
|
||||
| | Description |
|
||||
|----|------------------------------------|
|
||||
| ✅ | Working |
|
||||
| 🚧 | Testing and validation in progress |
|
||||
| ⚠️ | Untested support |
|
||||
|
||||
NOTE: Commands marked ⚠️ are disabled by default as they have have not been properly tested and may contain bugs or
|
||||
not work at all. USE AT YOUR OWN RISK!
|
||||
|
||||
Enable the `untested` feature in your `Cargo.toml` to enable features marked ⚠️
|
||||
above.
|
||||
Please see the [`untested` functionality tracking issue] for current status.
|
||||
We would appreciate any help testing this functionality and removing the
|
||||
`untested` gating as well as writing more automated tests.
|
||||
|
||||
## Testing
|
||||
|
||||
@@ -97,7 +109,7 @@ Tests which run live against a YubiKey device are marked as `#[ignore]` by
|
||||
default in order to pass when running in a CI environment. To run these
|
||||
tests locally, invoke the following command:
|
||||
|
||||
```
|
||||
```shell
|
||||
cargo test -- --ignored
|
||||
```
|
||||
|
||||
@@ -106,26 +118,26 @@ information about what is happening. If you'd like to print this logging
|
||||
information while running the tests, set the `RUST_LOG` environment variable
|
||||
to a relevant loglevel (e.g. `error`, `warn`, `info`, `debug`, `trace`):
|
||||
|
||||
```
|
||||
```shell
|
||||
RUST_LOG=info cargo test -- --ignored
|
||||
```
|
||||
|
||||
To trace every message sent to/from the card i.e. the raw
|
||||
Application Protocol Data Unit (APDU) messages, use the `trace` log level:
|
||||
|
||||
```
|
||||
```text
|
||||
running 1 test
|
||||
[INFO yubikey_piv::yubikey] trying to connect to reader 'Yubico YubiKey OTP+FIDO+CCID'
|
||||
[INFO yubikey_piv::yubikey] connected to 'Yubico YubiKey OTP+FIDO+CCID' successfully
|
||||
[TRACE yubikey_piv::apdu] >>> APDU { cla: 0, ins: SelectApplication, p1: 4, p2: 0, data: [160, 0, 0, 3, 8] }
|
||||
[TRACE yubikey_piv::transaction] >>> [0, 164, 4, 0, 5, 160, 0, 0, 3, 8]
|
||||
[TRACE yubikey_piv::apdu] <<< Response { status_words: Success, data: [97, 17, 79, 6, 0, 0, 16, 0, 1, 0, 121, 7, 79, 5, 160, 0, 0, 3, 8] }
|
||||
[TRACE yubikey_piv::apdu] >>> APDU { cla: 0, ins: GetVersion, p1: 0, p2: 0, data: [] }
|
||||
[TRACE yubikey_piv::transaction] >>> [0, 253, 0, 0, 0]
|
||||
[TRACE yubikey_piv::apdu] <<< Response { status_words: Success, data: [5, 1, 2] }
|
||||
[TRACE yubikey_piv::apdu] >>> APDU { cla: 0, ins: GetSerial, p1: 0, p2: 0, data: [] }
|
||||
[TRACE yubikey_piv::transaction] >>> [0, 248, 0, 0, 0]
|
||||
[TRACE yubikey_piv::apdu] <<< Response { status_words: Success, data: [0, 115, 0, 178] }
|
||||
[INFO yubikey::yubikey] trying to connect to reader 'Yubico YubiKey OTP+FIDO+CCID'
|
||||
[INFO yubikey::yubikey] connected to 'Yubico YubiKey OTP+FIDO+CCID' successfully
|
||||
[TRACE yubikey::apdu] >>> Apdu { cla: 0, ins: SelectApplication, p1: 4, p2: 0, data: [160, 0, 0, 3, 8] }
|
||||
[TRACE yubikey::transaction] >>> [0, 164, 4, 0, 5, 160, 0, 0, 3, 8]
|
||||
[TRACE yubikey::apdu] <<< Response { status_words: Success, data: [97, 17, 79, 6, 0, 0, 16, 0, 1, 0, 121, 7, 79, 5, 160, 0, 0, 3, 8] }
|
||||
[TRACE yubikey::apdu] >>> Apdu { cla: 0, ins: GetVersion, p1: 0, p2: 0, data: [] }
|
||||
[TRACE yubikey::transaction] >>> [0, 253, 0, 0, 0]
|
||||
[TRACE yubikey::apdu] <<< Response { status_words: Success, data: [5, 1, 2] }
|
||||
[TRACE yubikey::apdu] >>> Apdu { cla: 0, ins: GetSerial, p1: 0, p2: 0, data: [] }
|
||||
[TRACE yubikey::transaction] >>> [0, 248, 0, 0, 0]
|
||||
[TRACE yubikey::apdu] <<< Response { status_words: Success, data: [0, 115, 0, 178] }
|
||||
test connect ... ok
|
||||
```
|
||||
|
||||
@@ -139,6 +151,14 @@ Yubico, which was originally written in C. It was mechanically translated
|
||||
from C into Rust using [Corrode], and then subsequently heavily
|
||||
refactored into safer, more idiomatic Rust.
|
||||
|
||||
For more information on [yubico-piv-tool] and background information on how
|
||||
the YubiKey implementation of PIV works in general, see the
|
||||
[Yubico PIV Tool Command Line Guide][piv-tool-guide].
|
||||
|
||||
## ⚠️ Security Warning
|
||||
|
||||
No security audits of this crate have ever been performed.
|
||||
|
||||
## Code of Conduct
|
||||
|
||||
We abide by the [Contributor Covenant][cc-md] and ask that you do as well.
|
||||
@@ -147,12 +167,12 @@ For more information, please see [CODE_OF_CONDUCT.md][cc-md].
|
||||
|
||||
## License
|
||||
|
||||
**yubikey-piv.rs** is a fork of and originally a mechanical translation from
|
||||
**yubikey.rs** is a fork of and originally a mechanical translation from
|
||||
Yubico's [yubico-piv-tool], a C library/CLI program. The original library
|
||||
was licensed under a [2-Clause BSD License][BSDL], which this library inherits
|
||||
as a derived work.
|
||||
|
||||
Copyright (c) 2014-2020 Yubico AB, Tony Arcieri
|
||||
Copyright (c) 2014-2023 Yubico AB, Tony Arcieri
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
@@ -188,44 +208,48 @@ or conditions.
|
||||
|
||||
[//]: # (badges)
|
||||
|
||||
[crate-image]: https://img.shields.io/crates/v/yubikey-piv.svg
|
||||
[crate-link]: https://crates.io/crates/yubikey-piv
|
||||
[docs-image]: https://docs.rs/yubikey-piv/badge.svg
|
||||
[docs-link]: https://docs.rs/yubikey-piv/
|
||||
[crate-image]: https://buildstats.info/crate/yubikey
|
||||
[crate-link]: https://crates.io/crates/yubikey
|
||||
[docs-image]: https://docs.rs/yubikey/badge.svg
|
||||
[docs-link]: https://docs.rs/yubikey/
|
||||
[license-image]: https://img.shields.io/badge/license-BSD-blue.svg
|
||||
[license-link]: https://github.com/iqlusioninc/yubikey-piv.rs/blob/develop/COPYING
|
||||
[rustc-image]: https://img.shields.io/badge/rustc-1.44+-blue.svg
|
||||
[maintenance-image]: https://img.shields.io/badge/maintenance-experimental-blue.svg
|
||||
[license-link]: https://github.com/iqlusioninc/yubikey.rs/blob/main/COPYING
|
||||
[msrv-image]: https://img.shields.io/badge/rustc-1.65+-blue.svg
|
||||
[safety-image]: https://img.shields.io/badge/unsafe-forbidden-success.svg
|
||||
[safety-link]: https://github.com/rust-secure-code/safety-dance/
|
||||
[build-image]: https://github.com/iqlusioninc/yubikey-piv.rs/workflows/CI/badge.svg?branch=develop&event=push
|
||||
[build-link]: https://github.com/iqlusioninc/yubikey-piv.rs/actions
|
||||
[gitter-image]: https://badges.gitter.im/badge.svg
|
||||
[gitter-link]: https://gitter.im/iqlusioninc/community
|
||||
[build-image]: https://github.com/iqlusioninc/yubikey.rs/workflows/CI/badge.svg?branch=main&event=push
|
||||
[build-link]: https://github.com/iqlusioninc/yubikey.rs/actions
|
||||
[deps-image]: https://deps.rs/repo/github/iqlusioninc/yubikey.rs/status.svg
|
||||
[deps-link]: https://deps.rs/repo/github/iqlusioninc/yubikey.rs
|
||||
|
||||
[//]: # (general links)
|
||||
|
||||
[PIV]: https://piv.idmanagement.gov/
|
||||
[yk-guide]: https://developers.yubico.com/PIV/Introduction/YubiKey_and_PIV.html
|
||||
[YubiKey]: https://www.yubico.com/products/yubikey-hardware/
|
||||
[Yubico]: https://www.yubico.com/
|
||||
[PIV]: https://piv.idmanagement.gov/
|
||||
[NIST]: https://www.nist.gov/
|
||||
[PC/SC]: https://en.wikipedia.org/wiki/PC/SC
|
||||
[`pcsc` crate]: https://github.com/bluetech/pcsc-rust
|
||||
[yk-guide]: https://developers.yubico.com/PIV/Introduction/YubiKey_and_PIV.html
|
||||
[YubiKey NEO]: https://support.yubico.com/support/solutions/articles/15000006494-yubikey-neo
|
||||
[YubiKey 4]: https://support.yubico.com/support/solutions/articles/15000006486-yubikey-4
|
||||
[YubiKey 5]: https://www.yubico.com/products/yubikey-5-overview/
|
||||
[yubico-piv-tool]: https://github.com/Yubico/yubico-piv-tool/
|
||||
[Corrode]: https://github.com/jameysharp/corrode
|
||||
[cc-web]: https://contributor-covenant.org/
|
||||
[cc-md]: https://github.com/iqlusioninc/yubikey-piv.rs/blob/develop/CODE_OF_CONDUCT.md
|
||||
[cc-md]: https://github.com/iqlusioninc/yubikey.rs/blob/main/CODE_OF_CONDUCT.md
|
||||
[BSDL]: https://opensource.org/licenses/BSD-2-Clause
|
||||
[`untested` functionality tracking issue]: https://github.com/iqlusioninc/yubikey.rs/issues/280
|
||||
|
||||
[//]: # (github issues)
|
||||
|
||||
[#18]: https://github.com/iqlusioninc/yubikey-piv.rs/issues/18
|
||||
[#20]: https://github.com/iqlusioninc/yubikey-piv.rs/issues/20
|
||||
[#21]: https://github.com/iqlusioninc/yubikey-piv.rs/issues/21
|
||||
[#22]: https://github.com/iqlusioninc/yubikey-piv.rs/issues/22
|
||||
[#23]: https://github.com/iqlusioninc/yubikey-piv.rs/issues/23
|
||||
[#24]: https://github.com/iqlusioninc/yubikey-piv.rs/issues/24
|
||||
[#25]: https://github.com/iqlusioninc/yubikey-piv.rs/issues/25
|
||||
[#26]: https://github.com/iqlusioninc/yubikey-piv.rs/issues/26
|
||||
[#27]: https://github.com/iqlusioninc/yubikey-piv.rs/issues/27
|
||||
[#28]: https://github.com/iqlusioninc/yubikey-piv.rs/issues/28
|
||||
[#18]: https://github.com/iqlusioninc/yubikey.rs/issues/18
|
||||
[#20]: https://github.com/iqlusioninc/yubikey.rs/issues/20
|
||||
[#21]: https://github.com/iqlusioninc/yubikey.rs/issues/21
|
||||
[#22]: https://github.com/iqlusioninc/yubikey.rs/issues/22
|
||||
[#23]: https://github.com/iqlusioninc/yubikey.rs/issues/23
|
||||
[#24]: https://github.com/iqlusioninc/yubikey.rs/issues/24
|
||||
[#25]: https://github.com/iqlusioninc/yubikey.rs/issues/25
|
||||
[#26]: https://github.com/iqlusioninc/yubikey.rs/issues/26
|
||||
[#27]: https://github.com/iqlusioninc/yubikey.rs/issues/27
|
||||
[#28]: https://github.com/iqlusioninc/yubikey.rs/issues/28
|
||||
|
||||
@@ -4,5 +4,73 @@ All notable changes to this project will be documented in this file.
|
||||
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
||||
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
||||
|
||||
## 0.7.0 (2022-11-14)
|
||||
### Changed
|
||||
- Bump `clap` to v4.0 ([#438])
|
||||
- Bump `x509-parser` to v0.14 ([#441])
|
||||
- Switch from `lazy_static` to `once_cell` ([#442])
|
||||
- Switch from `subtle-encoding` to `base16ct` ([#443])
|
||||
- Bump `yubikey` dependency to v0.7 ([#444])
|
||||
|
||||
[#438]: https://github.com/iqlusioninc/yubikey.rs/pull/438
|
||||
[#441]: https://github.com/iqlusioninc/yubikey.rs/pull/441
|
||||
[#442]: https://github.com/iqlusioninc/yubikey.rs/pull/442
|
||||
[#443]: https://github.com/iqlusioninc/yubikey.rs/pull/443
|
||||
[#444]: https://github.com/iqlusioninc/yubikey.rs/pull/444
|
||||
|
||||
## 0.6.0 (2022-08-10)
|
||||
### Changed
|
||||
- 2021 edition upgrade; MSRV 1.57 ([#343])
|
||||
- Migrate from `gumdrop` to `clap` v3 ([#379])
|
||||
- Bump `yubikey` dependency to v0.6 ([#403])
|
||||
|
||||
[#343]: https://github.com/iqlusioninc/yubikey.rs/pull/343
|
||||
[#379]: https://github.com/iqlusioninc/yubikey.rs/pull/379
|
||||
[#403]: https://github.com/iqlusioninc/yubikey.rs/pull/403
|
||||
|
||||
## 0.5.0 (2021-11-21)
|
||||
### Changed
|
||||
- Bump `yubikey` dependency to v0.5 ([#327])
|
||||
|
||||
[#327]: https://github.com/iqlusioninc/yubikey.rs/pull/327
|
||||
|
||||
## 0.4.0 (2021-07-12)
|
||||
### Changed
|
||||
- Switch to renamed `yubikey` crate ([#283])
|
||||
- Bump MSRV to 1.51+ ([#283])
|
||||
|
||||
[#283]: https://github.com/iqlusioninc/yubikey.rs/pull/283
|
||||
|
||||
## 0.3.0 (2021-03-22)
|
||||
### Changed
|
||||
- Bump `yubikey-piv` dependency to v0.3 ([#240])
|
||||
|
||||
[#240]: https://github.com/iqlusioninc/yubikey.rs/pull/240
|
||||
|
||||
## 0.2.0 (2021-01-30)
|
||||
### Changed
|
||||
- Bump MSRV to 1.46+ ([#208])
|
||||
- Bump `yubikey-piv` dependency to v0.2 ([#220])
|
||||
|
||||
[#208]: https://github.com/iqlusioninc/yubikey.rs/pull/208
|
||||
[#220]: https://github.com/iqlusioninc/yubikey.rs/pull/220
|
||||
|
||||
## 0.1.0 (2020-10-19)
|
||||
### Added
|
||||
- `status` command ([#72], [#74])
|
||||
|
||||
### Changed
|
||||
- Bump `yubikey-piv` to v0.1 ([#180])
|
||||
- Bump `x509-parser` to v0.8 ([#181])
|
||||
- Bump `sha2` to v0.9 ([#182])
|
||||
- Rename `list` command to `readers`; improve usage ([#71])
|
||||
|
||||
[#182]: https://github.com/iqlusioninc/yubikey.rs/pull/182
|
||||
[#181]: https://github.com/iqlusioninc/yubikey.rs/pull/181
|
||||
[#180]: https://github.com/iqlusioninc/yubikey.rs/pull/180
|
||||
[#74]: https://github.com/iqlusioninc/yubikey.rs/pull/74
|
||||
[#72]: https://github.com/iqlusioninc/yubikey.rs/pull/72
|
||||
[#71]: https://github.com/iqlusioninc/yubikey.rs/pull/71
|
||||
|
||||
## 0.0.1 (2019-12-02)
|
||||
- Initial release
|
||||
|
||||
+11
-10
@@ -1,25 +1,26 @@
|
||||
[package]
|
||||
name = "yubikey-cli"
|
||||
version = "0.0.1"
|
||||
version = "0.7.0"
|
||||
description = """
|
||||
Command-line interface for performing encryption and signing using RSA/ECC keys
|
||||
stored on YubiKey devices.
|
||||
"""
|
||||
authors = ["Tony Arcieri <tony@iqlusion.io>"]
|
||||
edition = "2018"
|
||||
license = "BSD-2-Clause"
|
||||
repository = "https://github.com/iqlusioninc/yubikey-piv.rs"
|
||||
repository = "https://github.com/iqlusioninc/yubikey.rs"
|
||||
readme = "README.md"
|
||||
categories = ["command-line-utilities", "cryptography", "hardware-support"]
|
||||
keywords = ["ecdsa", "rsa", "piv", "pcsc", "yubikey"]
|
||||
edition = "2021"
|
||||
rust-version = "1.56"
|
||||
|
||||
[dependencies]
|
||||
gumdrop = "0.8"
|
||||
env_logger = "0.8"
|
||||
lazy_static = "1"
|
||||
clap = { version = "4", features = ["derive"] }
|
||||
env_logger = "0.10"
|
||||
hex = { package = "base16ct", version = "0.2", features = ["alloc"] }
|
||||
log = "0.4"
|
||||
sha2 = "0.8"
|
||||
subtle-encoding = "0.5"
|
||||
once_cell = "1"
|
||||
sha2 = "0.10"
|
||||
termcolor = "1"
|
||||
x509-parser = "0.7"
|
||||
yubikey-piv = { version = "0.1", path = ".." }
|
||||
x509-parser = "0.14"
|
||||
yubikey = { version = "0.8.0-pre.0", path = ".." }
|
||||
|
||||
+7
-11
@@ -1,4 +1,4 @@
|
||||
<img src="https://raw.githubusercontent.com/iqlusioninc/yubikey-piv.rs/develop/img/logo.png" width="150" height="110">
|
||||
<img src="https://raw.githubusercontent.com/iqlusioninc/yubikey.rs/main/img/logo.png" width="150" height="110">
|
||||
|
||||
# yubikey-cli.rs
|
||||
|
||||
@@ -18,7 +18,7 @@ utility with general-purpose public-key encryption and signing support.
|
||||
|
||||
## Minimum Supported Rust Version
|
||||
|
||||
- Rust **1.39+**
|
||||
Rust **1.60** or newer.
|
||||
|
||||
## Supported YubiKeys
|
||||
|
||||
@@ -35,10 +35,6 @@ an experimental stage and may still contain high-severity issues.
|
||||
|
||||
USE AT YOUR OWN RISK!
|
||||
|
||||
## Status
|
||||
|
||||
WIP. Check back later.
|
||||
|
||||
## Code of Conduct
|
||||
|
||||
We abide by the [Contributor Covenant][cc-md] and ask that you do as well.
|
||||
@@ -47,7 +43,7 @@ For more information, please see [CODE_OF_CONDUCT.md][cc-md].
|
||||
|
||||
## License
|
||||
|
||||
Copyright (c) 2014-2019 Yubico AB, Tony Arcieri
|
||||
Copyright (c) 2014-2023 Yubico AB, Tony Arcieri
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
@@ -88,12 +84,12 @@ or conditions.
|
||||
[docs-image]: https://docs.rs/yubikey-cli/badge.svg
|
||||
[docs-link]: https://docs.rs/yubikey-cli/
|
||||
[license-image]: https://img.shields.io/badge/license-BSD-blue.svg
|
||||
[rustc-image]: https://img.shields.io/badge/rustc-1.39+-blue.svg
|
||||
[rustc-image]: https://img.shields.io/badge/rustc-1.60+-blue.svg
|
||||
[maintenance-image]: https://img.shields.io/badge/maintenance-experimental-blue.svg
|
||||
[safety-image]: https://img.shields.io/badge/unsafe-forbidden-success.svg
|
||||
[safety-link]: https://github.com/rust-secure-code/safety-dance/
|
||||
[build-image]: https://github.com/iqlusioninc/yubikey-piv.rs/workflows/Rust/badge.svg?branch=develop&event=push
|
||||
[build-link]: https://github.com/iqlusioninc/yubikey-piv.rs/actions
|
||||
[build-image]: https://github.com/iqlusioninc/yubikey.rs/workflows/CI/badge.svg?branch=main&event=push
|
||||
[build-link]: https://github.com/iqlusioninc/yubikey.rs/actions
|
||||
[gitter-image]: https://badges.gitter.im/badge.svg
|
||||
[gitter-link]: https://gitter.im/iqlusioninc/community
|
||||
|
||||
@@ -108,5 +104,5 @@ or conditions.
|
||||
[yubico-piv-tool]: https://github.com/Yubico/yubico-piv-tool/
|
||||
[Corrode]: https://github.com/jameysharp/corrode
|
||||
[cc-web]: https://contributor-covenant.org/
|
||||
[cc-md]: https://github.com/iqlusioninc/yubikey-cli.rs/blob/develop/CODE_OF_CONDUCT.md
|
||||
[cc-md]: https://github.com/iqlusioninc/yubikey-cli.rs/blob/main/CODE_OF_CONDUCT.md
|
||||
[BSDL]: https://opensource.org/licenses/BSD-2-Clause
|
||||
|
||||
@@ -8,9 +8,9 @@
|
||||
unused_qualifications
|
||||
)]
|
||||
|
||||
use gumdrop::Options;
|
||||
use clap::Parser;
|
||||
use yubikey_cli::commands::YubiKeyCli;
|
||||
|
||||
fn main() {
|
||||
YubiKeyCli::parse_args_default_or_exit().run();
|
||||
YubiKeyCli::parse().run()
|
||||
}
|
||||
|
||||
+16
-81
@@ -4,62 +4,25 @@ pub mod readers;
|
||||
pub mod status;
|
||||
|
||||
use self::{readers::ReadersCmd, status::StatusCmd};
|
||||
use crate::terminal::{self, STDOUT};
|
||||
use gumdrop::Options;
|
||||
use std::{
|
||||
env,
|
||||
io::{self, Write},
|
||||
process::exit,
|
||||
};
|
||||
use termcolor::{ColorChoice, ColorSpec, WriteColor};
|
||||
use yubikey_piv::{Serial, YubiKey};
|
||||
use crate::terminal;
|
||||
use clap::Parser;
|
||||
use std::{env, process::exit};
|
||||
use termcolor::ColorChoice;
|
||||
use yubikey::{Serial, YubiKey};
|
||||
|
||||
/// The `yubikey` CLI utility
|
||||
#[derive(Debug, Options)]
|
||||
#[derive(Debug, Parser)]
|
||||
pub struct YubiKeyCli {
|
||||
/// Obtain help about the current command
|
||||
#[options(short = "h", help = "print help message")]
|
||||
pub help: bool,
|
||||
|
||||
/// Specify the serial number of the YubiKey to connect to
|
||||
#[options(
|
||||
short = "s",
|
||||
long = "serial",
|
||||
help = "serial number of the YubiKey to connect to"
|
||||
)]
|
||||
/// Serial number of the YubiKey to connect to
|
||||
#[clap(short = 's', long = "serial")]
|
||||
pub serial: Option<Serial>,
|
||||
|
||||
/// Subcommand to execute.
|
||||
#[options(command)]
|
||||
pub command: Option<Commands>,
|
||||
#[clap(subcommand)]
|
||||
pub command: Commands,
|
||||
}
|
||||
|
||||
impl YubiKeyCli {
|
||||
/// Print usage information
|
||||
pub fn print_usage() -> Result<(), io::Error> {
|
||||
let mut stdout = STDOUT.lock();
|
||||
stdout.reset()?;
|
||||
|
||||
let mut bold = ColorSpec::new();
|
||||
bold.set_bold(true);
|
||||
|
||||
stdout.set_color(&bold)?;
|
||||
writeln!(
|
||||
stdout,
|
||||
"{} {}",
|
||||
env!("CARGO_PKG_NAME"),
|
||||
env!("CARGO_PKG_VERSION")
|
||||
)?;
|
||||
stdout.reset()?;
|
||||
|
||||
writeln!(stdout, "{}", env!("CARGO_PKG_AUTHORS"))?;
|
||||
writeln!(stdout, "{}", env!("CARGO_PKG_DESCRIPTION").trim())?;
|
||||
writeln!(stdout)?;
|
||||
writeln!(stdout, "{}", Commands::usage())?;
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
/// Run the underlying command type or print usage info and exit
|
||||
pub fn run(&self) {
|
||||
// TODO(tarcieri): make this more configurable
|
||||
@@ -70,10 +33,7 @@ impl YubiKeyCli {
|
||||
env_logger::builder().format_timestamp(None).init();
|
||||
}
|
||||
|
||||
match &self.command {
|
||||
Some(cmd) => cmd.run(self.yubikey_init()),
|
||||
None => Self::print_usage().unwrap(),
|
||||
}
|
||||
self.command.run(self.yubikey_init())
|
||||
}
|
||||
|
||||
/// Initialize the YubiKey client driver
|
||||
@@ -92,22 +52,18 @@ impl YubiKeyCli {
|
||||
}
|
||||
|
||||
/// Subcommands of this application
|
||||
#[derive(Debug, Options)]
|
||||
#[derive(Debug, Parser)]
|
||||
pub enum Commands {
|
||||
/// `help` subcommand
|
||||
#[options(help = "show help for a command")]
|
||||
Help(HelpOpts),
|
||||
|
||||
/// `version` subcommand
|
||||
#[options(help = "display version information")]
|
||||
#[clap(about = "display version information")]
|
||||
Version(VersionOpts),
|
||||
|
||||
/// `readers` subcommand
|
||||
#[options(help = "list detected readers")]
|
||||
#[clap(about = "list detected readers")]
|
||||
Readers(ReadersCmd),
|
||||
|
||||
/// `status` subcommand
|
||||
#[options(help = "show yubikey status")]
|
||||
#[clap(about = "show yubikey status")]
|
||||
Status(StatusCmd),
|
||||
}
|
||||
|
||||
@@ -115,7 +71,6 @@ impl Commands {
|
||||
/// Run the given command
|
||||
pub fn run(&self, yubikey: YubiKey) {
|
||||
match self {
|
||||
Commands::Help(help) => help.run(),
|
||||
Commands::Version(version) => version.run(),
|
||||
Commands::Readers(list) => list.run(),
|
||||
Commands::Status(status) => status.run(yubikey),
|
||||
@@ -123,28 +78,8 @@ impl Commands {
|
||||
}
|
||||
}
|
||||
|
||||
/// Help options
|
||||
#[derive(Debug, Options)]
|
||||
pub struct HelpOpts {
|
||||
#[options(free, help = "subcommand to get help for")]
|
||||
free: Vec<String>,
|
||||
}
|
||||
|
||||
impl HelpOpts {
|
||||
fn run(&self) {
|
||||
if let Some(command) = self.free.first() {
|
||||
if let Some(usage) = Commands::command_usage(command) {
|
||||
println!("{}", usage);
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
|
||||
println!("{}", Commands::usage());
|
||||
}
|
||||
}
|
||||
|
||||
/// Version options
|
||||
#[derive(Debug, Options)]
|
||||
#[derive(Debug, Parser)]
|
||||
pub struct VersionOpts {}
|
||||
|
||||
impl VersionOpts {
|
||||
|
||||
@@ -1,22 +1,22 @@
|
||||
//! List detected readers
|
||||
|
||||
use crate::terminal::STDOUT;
|
||||
use gumdrop::Options;
|
||||
use clap::Parser;
|
||||
use std::{
|
||||
io::{self, Write},
|
||||
process::exit,
|
||||
};
|
||||
use termcolor::{ColorSpec, StandardStreamLock, WriteColor};
|
||||
use yubikey_piv::{Readers, Serial};
|
||||
use yubikey::{Context, Serial};
|
||||
|
||||
/// The `readers` subcommand
|
||||
#[derive(Debug, Options)]
|
||||
#[derive(Debug, Parser)]
|
||||
pub struct ReadersCmd {}
|
||||
|
||||
impl ReadersCmd {
|
||||
/// Run the `readers` subcommand
|
||||
pub fn run(&self) {
|
||||
let mut readers = Readers::open().unwrap_or_else(|e| {
|
||||
let mut readers = Context::open().unwrap_or_else(|e| {
|
||||
status_err!("couldn't open PC/SC context: {}", e);
|
||||
exit(1);
|
||||
});
|
||||
@@ -53,7 +53,7 @@ impl ReadersCmd {
|
||||
index: usize,
|
||||
name: &str,
|
||||
serial: Serial,
|
||||
) -> Result<(), io::Error> {
|
||||
) -> io::Result<()> {
|
||||
stream.set_color(ColorSpec::new().set_bold(true))?;
|
||||
write!(stream, "{:>3}:", index)?;
|
||||
stream.reset()?;
|
||||
|
||||
@@ -1,18 +1,16 @@
|
||||
//! Print device status
|
||||
|
||||
use crate::terminal::STDOUT;
|
||||
use gumdrop::Options;
|
||||
use crate::terminal::{print_cert_info, STDOUT};
|
||||
use clap::Parser;
|
||||
use std::io::{self, Write};
|
||||
use termcolor::{ColorSpec, StandardStreamLock, WriteColor};
|
||||
use yubikey_piv::{key::*, YubiKey};
|
||||
|
||||
use crate::print_cert_info;
|
||||
use yubikey::{piv::*, YubiKey};
|
||||
|
||||
// String to use for `None`
|
||||
const NONE_STR: &str = "<none>";
|
||||
|
||||
/// The `status` subcommand
|
||||
#[derive(Debug, Options)]
|
||||
#[derive(Debug, Parser)]
|
||||
pub struct StatusCmd {}
|
||||
|
||||
impl StatusCmd {
|
||||
@@ -51,7 +49,7 @@ impl StatusCmd {
|
||||
stream: &mut StandardStreamLock<'_>,
|
||||
name: &str,
|
||||
value: impl ToString,
|
||||
) -> Result<(), io::Error> {
|
||||
) -> io::Result<()> {
|
||||
stream.set_color(ColorSpec::new().set_bold(true))?;
|
||||
write!(stream, "{:>12}:", name)?;
|
||||
stream.reset()?;
|
||||
|
||||
+7
-86
@@ -1,92 +1,13 @@
|
||||
//! `yubikey` command-line utility
|
||||
//! `yubikey` command-line utility.
|
||||
//!
|
||||
//! The goal of this tool is to provide functionality similar to `yubico-piv-tool`
|
||||
//! but implemented in pure Rust.
|
||||
//!
|
||||
//! It also serves as a demonstration/example of how to use the `yubikey` crate.
|
||||
|
||||
#![forbid(unsafe_code)]
|
||||
#![warn(
|
||||
missing_docs,
|
||||
rust_2018_idioms,
|
||||
unused_lifetimes,
|
||||
unused_qualifications
|
||||
)]
|
||||
#![warn(missing_docs, rust_2018_idioms, unused_qualifications)]
|
||||
|
||||
#[macro_use]
|
||||
pub mod terminal;
|
||||
|
||||
pub mod commands;
|
||||
|
||||
use log::debug;
|
||||
use sha2::{Digest, Sha256};
|
||||
use std::io::{self, Write};
|
||||
use std::str;
|
||||
use subtle_encoding::hex;
|
||||
use termcolor::{ColorSpec, StandardStreamLock, WriteColor};
|
||||
use x509_parser::parse_x509_der;
|
||||
use yubikey_piv::{certificate::Certificate, key::*, YubiKey};
|
||||
|
||||
///Write information about certificate found in slot a la yubico-piv-tool output.
|
||||
pub fn print_cert_info(
|
||||
yubikey: &mut YubiKey,
|
||||
slot: SlotId,
|
||||
stream: &mut StandardStreamLock<'_>,
|
||||
) -> Result<(), io::Error> {
|
||||
let cert = match Certificate::read(yubikey, slot) {
|
||||
Ok(c) => c,
|
||||
Err(e) => {
|
||||
debug!("error reading certificate in slot {:?}: {}", slot, e);
|
||||
return Ok(());
|
||||
}
|
||||
};
|
||||
let buf = cert.into_buffer();
|
||||
|
||||
if !buf.is_empty() {
|
||||
let fingerprint = Sha256::digest(&buf);
|
||||
let slot_id: u8 = slot.into();
|
||||
print_cert_attr(stream, "Slot", format!("{:x}", slot_id))?;
|
||||
match parse_x509_der(&buf) {
|
||||
Ok((_rem, cert)) => {
|
||||
print_cert_attr(
|
||||
stream,
|
||||
"Algorithm",
|
||||
cert.tbs_certificate.subject_pki.algorithm.algorithm,
|
||||
)?;
|
||||
|
||||
print_cert_attr(stream, "Subject", cert.tbs_certificate.subject)?;
|
||||
print_cert_attr(stream, "Issuer", cert.tbs_certificate.issuer)?;
|
||||
print_cert_attr(
|
||||
stream,
|
||||
"Fingerprint",
|
||||
str::from_utf8(hex::encode(fingerprint).as_slice()).unwrap(),
|
||||
)?;
|
||||
print_cert_attr(
|
||||
stream,
|
||||
"Not Before",
|
||||
cert.tbs_certificate.validity.not_before.asctime(),
|
||||
)?;
|
||||
print_cert_attr(
|
||||
stream,
|
||||
"Not After",
|
||||
cert.tbs_certificate.validity.not_after.asctime(),
|
||||
)?;
|
||||
}
|
||||
_ => {
|
||||
println!("Failed to parse certificate");
|
||||
return Ok(());
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
/// Print a status attribute
|
||||
fn print_cert_attr(
|
||||
stream: &mut StandardStreamLock<'_>,
|
||||
name: &str,
|
||||
value: impl ToString,
|
||||
) -> Result<(), io::Error> {
|
||||
stream.set_color(ColorSpec::new().set_bold(true))?;
|
||||
write!(stream, "{:>12}:", name)?;
|
||||
stream.reset()?;
|
||||
writeln!(stream, " {}", value.to_string())?;
|
||||
stream.flush()?;
|
||||
Ok(())
|
||||
}
|
||||
|
||||
+97
-17
@@ -1,9 +1,16 @@
|
||||
//! Status messages
|
||||
|
||||
use lazy_static::lazy_static;
|
||||
use std::io::{self, Write};
|
||||
use std::sync::Mutex;
|
||||
use termcolor::{Color, ColorChoice, ColorSpec, StandardStream, WriteColor};
|
||||
use log::debug;
|
||||
use once_cell::sync::Lazy;
|
||||
use sha2::{Digest, Sha256};
|
||||
use std::{
|
||||
io::{self, Write},
|
||||
str,
|
||||
sync::Mutex,
|
||||
};
|
||||
use termcolor::{Color, ColorChoice, ColorSpec, StandardStream, StandardStreamLock, WriteColor};
|
||||
use x509_parser::parse_x509_certificate;
|
||||
use yubikey::{certificate::Certificate, piv::*, YubiKey};
|
||||
|
||||
/// Print a success status message (in green if colors are enabled)
|
||||
#[macro_export]
|
||||
@@ -51,16 +58,14 @@ macro_rules! status_err {
|
||||
};
|
||||
}
|
||||
|
||||
lazy_static! {
|
||||
/// Color configuration
|
||||
static ref COLOR_CHOICE: Mutex<Option<ColorChoice>> = Mutex::new(None);
|
||||
/// Color configuration
|
||||
static COLOR_CHOICE: Lazy<Mutex<Option<ColorChoice>>> = Lazy::new(|| Mutex::new(None));
|
||||
|
||||
/// Standard output
|
||||
pub static ref STDOUT: StandardStream = StandardStream::stdout(get_color_choice());
|
||||
/// Standard output
|
||||
pub static STDOUT: Lazy<StandardStream> = Lazy::new(|| StandardStream::stdout(get_color_choice()));
|
||||
|
||||
/// Standard error
|
||||
pub static ref STDERR: StandardStream = StandardStream::stderr(get_color_choice());
|
||||
}
|
||||
/// Standard error
|
||||
pub static STDERR: Lazy<StandardStream> = Lazy::new(|| StandardStream::stderr(get_color_choice()));
|
||||
|
||||
/// Obtain the color configuration.
|
||||
///
|
||||
@@ -132,18 +137,16 @@ impl Status {
|
||||
|
||||
/// Print the given message to stdout
|
||||
pub fn print_stdout(self, msg: impl AsRef<str>) {
|
||||
self.print(&*STDOUT, msg)
|
||||
.expect("error printing to stdout!")
|
||||
self.print(&STDOUT, msg).expect("error printing to stdout!")
|
||||
}
|
||||
|
||||
/// Print the given message to stderr
|
||||
pub fn print_stderr(self, msg: impl AsRef<str>) {
|
||||
self.print(&*STDERR, msg)
|
||||
.expect("error printing to stderr!")
|
||||
self.print(&STDERR, msg).expect("error printing to stderr!")
|
||||
}
|
||||
|
||||
/// Print the given message
|
||||
fn print(self, stream: &StandardStream, msg: impl AsRef<str>) -> Result<(), io::Error> {
|
||||
fn print(self, stream: &StandardStream, msg: impl AsRef<str>) -> io::Result<()> {
|
||||
let mut s = stream.lock();
|
||||
s.reset()?;
|
||||
s.set_color(ColorSpec::new().set_fg(self.color).set_bold(self.bold))?;
|
||||
@@ -163,3 +166,80 @@ impl Status {
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
/// Write information about certificate found in slot a la yubico-piv-tool output.
|
||||
pub fn print_cert_info(
|
||||
yubikey: &mut YubiKey,
|
||||
slot: SlotId,
|
||||
stream: &mut StandardStreamLock<'_>,
|
||||
) -> io::Result<()> {
|
||||
let cert = match Certificate::read(yubikey, slot) {
|
||||
Ok(c) => c,
|
||||
Err(e) => {
|
||||
debug!("error reading certificate in slot {:?}: {}", slot, e);
|
||||
return Ok(());
|
||||
}
|
||||
};
|
||||
let buf = cert.into_buffer();
|
||||
|
||||
if !buf.is_empty() {
|
||||
let fingerprint = Sha256::digest(&buf);
|
||||
let slot_id: u8 = slot.into();
|
||||
print_cert_attr(stream, "Slot", format!("{:x}", slot_id))?;
|
||||
match parse_x509_certificate(&buf) {
|
||||
Ok((_rem, cert)) => {
|
||||
print_cert_attr(
|
||||
stream,
|
||||
"Algorithm",
|
||||
cert.tbs_certificate.subject_pki.algorithm.algorithm,
|
||||
)?;
|
||||
|
||||
print_cert_attr(stream, "Subject", cert.tbs_certificate.subject)?;
|
||||
print_cert_attr(stream, "Issuer", cert.tbs_certificate.issuer)?;
|
||||
print_cert_attr(
|
||||
stream,
|
||||
"Fingerprint",
|
||||
&hex::upper::encode_string(&fingerprint),
|
||||
)?;
|
||||
print_cert_attr(
|
||||
stream,
|
||||
"Not Before",
|
||||
cert.tbs_certificate
|
||||
.validity
|
||||
.not_before
|
||||
.to_rfc2822()
|
||||
.unwrap(),
|
||||
)?;
|
||||
print_cert_attr(
|
||||
stream,
|
||||
"Not After",
|
||||
cert.tbs_certificate
|
||||
.validity
|
||||
.not_after
|
||||
.to_rfc2822()
|
||||
.unwrap(),
|
||||
)?;
|
||||
}
|
||||
_ => {
|
||||
println!("Failed to parse certificate");
|
||||
return Ok(());
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
/// Print a status attribute
|
||||
fn print_cert_attr(
|
||||
stream: &mut StandardStreamLock<'_>,
|
||||
name: &str,
|
||||
value: impl ToString,
|
||||
) -> io::Result<()> {
|
||||
stream.set_color(ColorSpec::new().set_bold(true))?;
|
||||
write!(stream, "{:>12}:", name)?;
|
||||
stream.reset()?;
|
||||
writeln!(stream, " {}", value.to_string())?;
|
||||
stream.flush()?;
|
||||
Ok(())
|
||||
}
|
||||
|
||||
Binary file not shown.
|
After Width: | Height: | Size: 14 KiB |
+59
-7
@@ -30,7 +30,7 @@
|
||||
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
use crate::{error::Error, transaction::Transaction, Buffer};
|
||||
use crate::{transaction::Transaction, Buffer, Result};
|
||||
use log::trace;
|
||||
use zeroize::{Zeroize, Zeroizing};
|
||||
|
||||
@@ -41,7 +41,7 @@ const APDU_DATA_MAX: usize = 0xFF;
|
||||
///
|
||||
/// These messages are packets used to communicate with the YubiKey.
|
||||
#[derive(Clone, Debug, Eq, PartialEq)]
|
||||
pub(crate) struct APDU {
|
||||
pub(crate) struct Apdu {
|
||||
/// Instruction class: indicates the type of command (e.g. inter-industry or proprietary)
|
||||
cla: u8,
|
||||
|
||||
@@ -58,7 +58,7 @@ pub(crate) struct APDU {
|
||||
data: Vec<u8>,
|
||||
}
|
||||
|
||||
impl APDU {
|
||||
impl Apdu {
|
||||
/// Create a new APDU with the given instruction code
|
||||
pub fn new(ins: impl Into<Ins>) -> Self {
|
||||
Self {
|
||||
@@ -109,7 +109,7 @@ impl APDU {
|
||||
}
|
||||
|
||||
/// Transmit this APDU using the given card transaction
|
||||
pub fn transmit(&self, txn: &Transaction<'_>, recv_len: usize) -> Result<Response, Error> {
|
||||
pub fn transmit(&self, txn: &Transaction<'_>, recv_len: usize) -> Result<Response> {
|
||||
trace!(">>> {:?}", self);
|
||||
let response = Response::from(txn.transmit(&self.to_bytes(), recv_len)?);
|
||||
trace!("<<< {:?}", &response);
|
||||
@@ -129,13 +129,13 @@ impl APDU {
|
||||
}
|
||||
}
|
||||
|
||||
impl Drop for APDU {
|
||||
impl Drop for Apdu {
|
||||
fn drop(&mut self) {
|
||||
self.zeroize();
|
||||
}
|
||||
}
|
||||
|
||||
impl Zeroize for APDU {
|
||||
impl Zeroize for Apdu {
|
||||
fn zeroize(&mut self) {
|
||||
// Only `data` may contain secrets
|
||||
self.data.zeroize();
|
||||
@@ -195,6 +195,9 @@ pub enum Ins {
|
||||
/// Get device serial
|
||||
GetSerial,
|
||||
|
||||
/// Get slot metadata
|
||||
GetMetadata,
|
||||
|
||||
/// Other/unrecognized instruction codes
|
||||
Other(u8),
|
||||
}
|
||||
@@ -219,6 +222,7 @@ impl Ins {
|
||||
Ins::SetPinRetries => 0xfa,
|
||||
Ins::Attest => 0xf9,
|
||||
Ins::GetSerial => 0xf8,
|
||||
Ins::GetMetadata => 0xf7,
|
||||
Ins::Other(code) => code,
|
||||
}
|
||||
}
|
||||
@@ -243,6 +247,7 @@ impl From<u8> for Ins {
|
||||
0xfa => Ins::SetPinRetries,
|
||||
0xf9 => Ins::Attest,
|
||||
0xf8 => Ins::GetSerial,
|
||||
0xf7 => Ins::GetMetadata,
|
||||
code => Ins::Other(code),
|
||||
}
|
||||
}
|
||||
@@ -348,6 +353,12 @@ pub(crate) enum StatusWords {
|
||||
/// Successful execution
|
||||
Success,
|
||||
|
||||
/// The requested data was too large for the response, and there is data remaining.
|
||||
BytesRemaining {
|
||||
/// The number of bytes remaining, as indicated in the response.
|
||||
len: u8,
|
||||
},
|
||||
|
||||
/// https://github.com/Yubico/yubikey-manager/blob/1f22620b623c6b345dd9f9193ec765a542dddc80/ykman/driver_ccid.py#L53
|
||||
NoInputDataError,
|
||||
|
||||
@@ -405,8 +416,9 @@ impl StatusWords {
|
||||
pub fn code(self) -> u16 {
|
||||
match self {
|
||||
StatusWords::None => 0,
|
||||
StatusWords::BytesRemaining { len } => 0x6100 | len as u16,
|
||||
StatusWords::NoInputDataError => 0x6285,
|
||||
StatusWords::VerifyFailError { tries } => 0x63c0 & tries as u16,
|
||||
StatusWords::VerifyFailError { tries } => 0x63c0 | tries as u16,
|
||||
StatusWords::WrongLengthError => 0x6700,
|
||||
StatusWords::SecurityStatusError => 0x6982,
|
||||
StatusWords::AuthBlockedError => 0x6983,
|
||||
@@ -434,6 +446,9 @@ impl From<u16> for StatusWords {
|
||||
fn from(sw: u16) -> Self {
|
||||
match sw {
|
||||
0x0000 => StatusWords::None,
|
||||
sw if sw & 0xff00 == 0x6100 => Self::BytesRemaining {
|
||||
len: (sw & 0x00ff) as u8,
|
||||
},
|
||||
0x6285 => StatusWords::NoInputDataError,
|
||||
sw if sw & 0xfff0 == 0x63c0 => StatusWords::VerifyFailError {
|
||||
tries: (sw & 0x000f) as u8,
|
||||
@@ -461,3 +476,40 @@ impl From<StatusWords> for u16 {
|
||||
sw.code()
|
||||
}
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use super::StatusWords;
|
||||
|
||||
#[test]
|
||||
fn status_words_round_trip() {
|
||||
let round_trip = |sw: StatusWords| {
|
||||
assert_eq!(StatusWords::from(sw.code()), sw);
|
||||
};
|
||||
|
||||
round_trip(StatusWords::None);
|
||||
round_trip(StatusWords::BytesRemaining { len: 1 });
|
||||
round_trip(StatusWords::BytesRemaining { len: 10 });
|
||||
round_trip(StatusWords::BytesRemaining { len: 0xFF });
|
||||
round_trip(StatusWords::Success);
|
||||
round_trip(StatusWords::NoInputDataError);
|
||||
round_trip(StatusWords::VerifyFailError { tries: 0x0F });
|
||||
round_trip(StatusWords::VerifyFailError { tries: 3 });
|
||||
round_trip(StatusWords::VerifyFailError { tries: 2 });
|
||||
round_trip(StatusWords::VerifyFailError { tries: 1 });
|
||||
round_trip(StatusWords::VerifyFailError { tries: 0 });
|
||||
round_trip(StatusWords::WrongLengthError);
|
||||
round_trip(StatusWords::SecurityStatusError);
|
||||
round_trip(StatusWords::AuthBlockedError);
|
||||
round_trip(StatusWords::DataInvalidError);
|
||||
round_trip(StatusWords::ConditionsNotSatisfiedError);
|
||||
round_trip(StatusWords::CommandNotAllowedError);
|
||||
round_trip(StatusWords::IncorrectParamError);
|
||||
round_trip(StatusWords::NotFoundError);
|
||||
round_trip(StatusWords::NoSpaceError);
|
||||
round_trip(StatusWords::IncorrectSlotError);
|
||||
round_trip(StatusWords::NotSupportedError);
|
||||
round_trip(StatusWords::CommandAbortedError);
|
||||
round_trip(StatusWords::Other(0x1337));
|
||||
}
|
||||
}
|
||||
|
||||
+32
-38
@@ -30,16 +30,9 @@
|
||||
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
use crate::{error::Error, yubikey::YubiKey};
|
||||
use getrandom::getrandom;
|
||||
use crate::{Error, Result, YubiKey};
|
||||
use rand_core::{OsRng, RngCore};
|
||||
use std::fmt::{self, Debug, Display};
|
||||
use subtle_encoding::hex;
|
||||
|
||||
/// CCCID size
|
||||
pub const CCCID_SIZE: usize = 14;
|
||||
|
||||
/// CCC size
|
||||
pub const CCC_SIZE: usize = 51;
|
||||
|
||||
/// CCCID offset
|
||||
const CCC_ID_OFFS: usize = 9;
|
||||
@@ -62,33 +55,39 @@ const CCC_TMPL: &[u8] = &[
|
||||
0x00, 0xfe, 0x00,
|
||||
];
|
||||
|
||||
/// Cardholder Capability Container (CCC) Identifier Card ID
|
||||
#[derive(Copy, Clone, Debug, Eq, PartialEq)]
|
||||
pub struct CardId(pub [u8; CCCID_SIZE]);
|
||||
/// Cardholder Capability Container (CCC) Identifier Card ID.
|
||||
#[derive(Copy, Clone, Debug, Eq, PartialEq, PartialOrd, Ord)]
|
||||
pub struct CardId(pub [u8; Self::BYTE_SIZE]);
|
||||
|
||||
impl CardId {
|
||||
/// CCCID size in bytes
|
||||
pub const BYTE_SIZE: usize = 14;
|
||||
|
||||
/// Generate a random CCC Card ID
|
||||
pub fn generate() -> Result<Self, Error> {
|
||||
let mut id = [0u8; CCCID_SIZE];
|
||||
getrandom(&mut id).map_err(|_| Error::RandomnessError)?;
|
||||
Ok(Self(id))
|
||||
pub fn generate() -> Self {
|
||||
let mut id = [0u8; Self::BYTE_SIZE];
|
||||
OsRng.fill_bytes(&mut id);
|
||||
Self(id)
|
||||
}
|
||||
}
|
||||
|
||||
/// Cardholder Capability Container (CCC) Identifier
|
||||
#[derive(Copy, Clone)]
|
||||
pub struct CCC(pub [u8; CCC_SIZE]);
|
||||
/// Cardholder Capability Container (CCC) Identifier.
|
||||
#[derive(Copy, Clone, Debug, Eq, PartialEq)]
|
||||
pub struct CccId(pub [u8; Self::BYTE_SIZE]);
|
||||
|
||||
impl CccId {
|
||||
/// CCC size in bytes
|
||||
pub const BYTE_SIZE: usize = 51;
|
||||
|
||||
impl CCC {
|
||||
/// Return CardId component of CCC
|
||||
pub fn cccid(&self) -> Result<CardId, Error> {
|
||||
let mut cccid = [0u8; CCCID_SIZE];
|
||||
cccid.copy_from_slice(&self.0[CCC_ID_OFFS..(CCC_ID_OFFS + CCCID_SIZE)]);
|
||||
pub fn card_id(&self) -> Result<CardId> {
|
||||
let mut cccid = [0u8; CardId::BYTE_SIZE];
|
||||
cccid.copy_from_slice(&self.0[CCC_ID_OFFS..(CCC_ID_OFFS + CardId::BYTE_SIZE)]);
|
||||
Ok(CardId(cccid))
|
||||
}
|
||||
|
||||
/// Get Cardholder Capability Container (CCC) ID
|
||||
pub fn get(yubikey: &mut YubiKey) -> Result<Self, Error> {
|
||||
pub fn get(yubikey: &mut YubiKey) -> Result<Self> {
|
||||
let txn = yubikey.begin_transaction()?;
|
||||
let response = txn.fetch_object(OBJ_CAPABILITY)?;
|
||||
|
||||
@@ -96,14 +95,13 @@ impl CCC {
|
||||
return Err(Error::GenericError);
|
||||
}
|
||||
|
||||
let mut ccc = [0u8; CCC_SIZE];
|
||||
ccc.copy_from_slice(&response[0..CCC_SIZE]);
|
||||
Ok(Self(ccc))
|
||||
Ok(Self(response[..Self::BYTE_SIZE].try_into().unwrap()))
|
||||
}
|
||||
|
||||
/// Get Cardholder Capability Container (CCC) ID
|
||||
/// Set Cardholder Capability Container (CCC) ID
|
||||
#[cfg(feature = "untested")]
|
||||
pub fn set(&self, yubikey: &mut YubiKey) -> Result<(), Error> {
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub fn set(&self, yubikey: &mut YubiKey) -> Result<()> {
|
||||
let mut buf = CCC_TMPL.to_vec();
|
||||
buf[0..self.0.len()].copy_from_slice(&self.0);
|
||||
|
||||
@@ -112,18 +110,14 @@ impl CCC {
|
||||
}
|
||||
}
|
||||
|
||||
impl Debug for CCC {
|
||||
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
|
||||
write!(f, "CCC({:?})", &self.0[..])
|
||||
impl AsRef<[u8]> for CccId {
|
||||
fn as_ref(&self) -> &[u8] {
|
||||
&self.0
|
||||
}
|
||||
}
|
||||
|
||||
impl Display for CCC {
|
||||
impl Display for CccId {
|
||||
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
|
||||
write!(
|
||||
f,
|
||||
"{}",
|
||||
String::from_utf8(hex::encode(&self.0[..])).unwrap()
|
||||
)
|
||||
f.write_str(&hex::upper::encode_string(self.as_ref()))
|
||||
}
|
||||
}
|
||||
|
||||
+96
-69
@@ -1,4 +1,4 @@
|
||||
//! YubiKey Certificates
|
||||
//! X.509 certificate support.
|
||||
|
||||
// Adapted from yubico-piv-tool:
|
||||
// <https://github.com/Yubico/yubico-piv-tool/>
|
||||
@@ -31,8 +31,9 @@
|
||||
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
use crate::{
|
||||
error::Error,
|
||||
key::{sign_data, AlgorithmId, SlotId},
|
||||
consts::CB_OBJ_MAX,
|
||||
error::{Error, Result},
|
||||
piv::{sign_data, AlgorithmId, SlotId},
|
||||
serialization::*,
|
||||
transaction::Transaction,
|
||||
yubikey::YubiKey,
|
||||
@@ -41,19 +42,17 @@ use crate::{
|
||||
use chrono::{DateTime, Utc};
|
||||
use elliptic_curve::sec1::EncodedPoint as EcPublicKey;
|
||||
use log::error;
|
||||
use num_bigint::BigUint;
|
||||
use num_bigint_dig::BigUint;
|
||||
use p256::NistP256;
|
||||
use p384::NistP384;
|
||||
use rsa::{PublicKeyParts, RSAPublicKey};
|
||||
use rsa::{PublicKeyParts, RsaPublicKey};
|
||||
use sha2::{Digest, Sha256};
|
||||
use std::convert::TryFrom;
|
||||
use std::fmt;
|
||||
use std::ops::DerefMut;
|
||||
use x509_parser::{parse_x509_der, x509::SubjectPublicKeyInfo};
|
||||
use std::fmt::Display;
|
||||
use std::{fmt, ops::DerefMut};
|
||||
use x509::{der::Oid, RelativeDistinguishedName};
|
||||
use x509_parser::{parse_x509_certificate, x509::SubjectPublicKeyInfo};
|
||||
use zeroize::Zeroizing;
|
||||
|
||||
use crate::CB_OBJ_MAX;
|
||||
|
||||
// TODO: Make these der_parser::oid::Oid constants when it has const fn support.
|
||||
const OID_RSA_ENCRYPTION: &str = "1.2.840.113549.1.1.1";
|
||||
const OID_EC_PUBLIC_KEY: &str = "1.2.840.10045.2.1";
|
||||
@@ -81,13 +80,13 @@ impl From<[u8; 20]> for Serial {
|
||||
}
|
||||
|
||||
impl TryFrom<&[u8]> for Serial {
|
||||
type Error = ();
|
||||
type Error = Error;
|
||||
|
||||
fn try_from(bytes: &[u8]) -> Result<Serial, ()> {
|
||||
fn try_from(bytes: &[u8]) -> Result<Serial> {
|
||||
if bytes.len() <= 20 {
|
||||
Ok(Serial(BigUint::from_bytes_be(&bytes)))
|
||||
Ok(Serial(BigUint::from_bytes_be(bytes)))
|
||||
} else {
|
||||
Err(())
|
||||
Err(Error::ParseError)
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -96,10 +95,30 @@ impl Serial {
|
||||
fn to_bytes(&self) -> Vec<u8> {
|
||||
self.0.to_bytes_be()
|
||||
}
|
||||
/// Returns itself formatted as x509 compatible hex string
|
||||
pub fn as_x509_hex(&self) -> String {
|
||||
let data = self.to_bytes();
|
||||
let raw_hex_string = format!("{:02X?}", data);
|
||||
raw_hex_string
|
||||
.replace(", ", ":")
|
||||
.replace([']', '['], "")
|
||||
.to_lowercase()
|
||||
}
|
||||
/// Returns itself formatted as x509 compatible int string
|
||||
pub fn as_x509_int(&self) -> String {
|
||||
let Serial(buint) = self;
|
||||
format!("{}", buint)
|
||||
}
|
||||
}
|
||||
|
||||
impl Display for Serial {
|
||||
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
|
||||
f.write_str(&self.as_x509_hex())
|
||||
}
|
||||
}
|
||||
|
||||
/// Information about how a [`Certificate`] is stored within a YubiKey.
|
||||
#[derive(Clone, Copy, Debug, PartialEq)]
|
||||
#[derive(Clone, Copy, Debug, Eq, PartialEq)]
|
||||
pub enum CertInfo {
|
||||
/// The certificate is uncompressed.
|
||||
Uncompressed,
|
||||
@@ -111,7 +130,7 @@ pub enum CertInfo {
|
||||
impl TryFrom<u8> for CertInfo {
|
||||
type Error = Error;
|
||||
|
||||
fn try_from(value: u8) -> Result<Self, Self::Error> {
|
||||
fn try_from(value: u8) -> Result<Self> {
|
||||
match value {
|
||||
0x00 => Ok(CertInfo::Uncompressed),
|
||||
0x01 => Ok(CertInfo::Gzip),
|
||||
@@ -172,7 +191,7 @@ pub enum PublicKeyInfo {
|
||||
algorithm: AlgorithmId,
|
||||
|
||||
/// Public key
|
||||
pubkey: RSAPublicKey,
|
||||
pubkey: RsaPublicKey,
|
||||
},
|
||||
|
||||
/// EC P-256 keys
|
||||
@@ -189,10 +208,10 @@ impl fmt::Debug for PublicKeyInfo {
|
||||
}
|
||||
|
||||
impl PublicKeyInfo {
|
||||
fn parse(subject_pki: &SubjectPublicKeyInfo<'_>) -> Result<Self, Error> {
|
||||
fn parse(subject_pki: &SubjectPublicKeyInfo<'_>) -> Result<Self> {
|
||||
match subject_pki.algorithm.algorithm.to_string().as_str() {
|
||||
OID_RSA_ENCRYPTION => {
|
||||
let pubkey = read_pki::rsa_pubkey(subject_pki.subject_public_key.data)?;
|
||||
let pubkey = read_pki::rsa_pubkey(&subject_pki.subject_public_key.data)?;
|
||||
|
||||
Ok(PublicKeyInfo::Rsa {
|
||||
algorithm: match pubkey.n().bits() {
|
||||
@@ -205,11 +224,17 @@ impl PublicKeyInfo {
|
||||
}
|
||||
OID_EC_PUBLIC_KEY => {
|
||||
let key_bytes = &subject_pki.subject_public_key.data;
|
||||
match read_pki::ec_parameters(&subject_pki.algorithm.parameters)? {
|
||||
AlgorithmId::EccP256 => EcPublicKey::from_bytes(key_bytes)
|
||||
let algorithm_parameters = subject_pki
|
||||
.algorithm
|
||||
.parameters
|
||||
.as_ref()
|
||||
.ok_or(Error::InvalidObject)?;
|
||||
|
||||
match read_pki::ec_parameters(algorithm_parameters)? {
|
||||
AlgorithmId::EccP256 => EcPublicKey::<NistP256>::from_bytes(key_bytes)
|
||||
.map(PublicKeyInfo::EcP256)
|
||||
.map_err(|_| Error::InvalidObject),
|
||||
AlgorithmId::EccP384 => EcPublicKey::from_bytes(key_bytes)
|
||||
AlgorithmId::EccP384 => EcPublicKey::<NistP384>::from_bytes(key_bytes)
|
||||
.map(PublicKeyInfo::EcP384)
|
||||
.map_err(|_| Error::InvalidObject),
|
||||
_ => Err(Error::AlgorithmError),
|
||||
@@ -314,6 +339,7 @@ impl x509::AlgorithmIdentifier for SignatureId {
|
||||
#[derive(Clone, Debug)]
|
||||
pub struct Certificate {
|
||||
serial: Serial,
|
||||
#[allow(dead_code)]
|
||||
issuer: String,
|
||||
subject: String,
|
||||
subject_pki: PublicKeyInfo,
|
||||
@@ -323,7 +349,7 @@ pub struct Certificate {
|
||||
impl<'a> TryFrom<&'a [u8]> for Certificate {
|
||||
type Error = Error;
|
||||
|
||||
fn try_from(bytes: &'a [u8]) -> Result<Self, Error> {
|
||||
fn try_from(bytes: &'a [u8]) -> Result<Self> {
|
||||
Self::from_bytes(bytes.to_vec())
|
||||
}
|
||||
}
|
||||
@@ -331,19 +357,21 @@ impl<'a> TryFrom<&'a [u8]> for Certificate {
|
||||
impl Certificate {
|
||||
/// Creates a new self-signed certificate for the given key. Writes the resulting
|
||||
/// certificate to the slot before returning it.
|
||||
pub fn generate_self_signed(
|
||||
///
|
||||
/// `extensions` is optional; if empty, no extensions will be included. Due to the
|
||||
/// need for an `O: Oid` type parameter, users who do not have any extensions should
|
||||
/// use the workaround `let extensions: &[x509::Extension<'_, &[u64]>] = &[];`.
|
||||
pub fn generate_self_signed<O: Oid>(
|
||||
yubikey: &mut YubiKey,
|
||||
key: SlotId,
|
||||
serial: impl Into<Serial>,
|
||||
not_after: Option<DateTime<Utc>>,
|
||||
subject: String,
|
||||
subject: &[RelativeDistinguishedName<'_>],
|
||||
subject_pki: PublicKeyInfo,
|
||||
) -> Result<Self, Error> {
|
||||
extensions: &[x509::Extension<'_, O>],
|
||||
) -> Result<Self> {
|
||||
let serial = serial.into();
|
||||
|
||||
// Issuer and subject are the same in self-signed certificates
|
||||
let issuer = subject.clone();
|
||||
|
||||
let mut tbs_cert = Buffer::new(Vec::with_capacity(CB_OBJ_MAX));
|
||||
|
||||
let signature_algorithm = match subject_pki.algorithm() {
|
||||
@@ -355,11 +383,13 @@ impl Certificate {
|
||||
x509::write::tbs_certificate(
|
||||
&serial.to_bytes(),
|
||||
&signature_algorithm,
|
||||
&issuer,
|
||||
// Issuer and subject are the same in self-signed certificates.
|
||||
subject,
|
||||
Utc::now(),
|
||||
not_after,
|
||||
&subject,
|
||||
subject,
|
||||
&subject_pki,
|
||||
extensions,
|
||||
),
|
||||
tbs_cert.deref_mut(),
|
||||
)
|
||||
@@ -419,6 +449,15 @@ impl Certificate {
|
||||
)
|
||||
.expect("can serialize to Vec");
|
||||
|
||||
let (issuer, subject) = parse_x509_certificate(&data)
|
||||
.map(|(_, cert)| {
|
||||
(
|
||||
cert.tbs_certificate.issuer.to_string(),
|
||||
cert.tbs_certificate.subject.to_string(),
|
||||
)
|
||||
})
|
||||
.expect("We just serialized this correctly");
|
||||
|
||||
let cert = Certificate {
|
||||
serial,
|
||||
issuer,
|
||||
@@ -433,7 +472,7 @@ impl Certificate {
|
||||
}
|
||||
|
||||
/// Read a certificate from the given slot in the YubiKey
|
||||
pub fn read(yubikey: &mut YubiKey, slot: SlotId) -> Result<Self, Error> {
|
||||
pub fn read(yubikey: &mut YubiKey, slot: SlotId) -> Result<Self> {
|
||||
let txn = yubikey.begin_transaction()?;
|
||||
let buf = read_certificate(&txn, slot)?;
|
||||
|
||||
@@ -445,25 +484,21 @@ impl Certificate {
|
||||
}
|
||||
|
||||
/// Write this certificate into the YubiKey in the given slot
|
||||
pub fn write(
|
||||
&self,
|
||||
yubikey: &mut YubiKey,
|
||||
slot: SlotId,
|
||||
certinfo: CertInfo,
|
||||
) -> Result<(), Error> {
|
||||
pub fn write(&self, yubikey: &mut YubiKey, slot: SlotId, certinfo: CertInfo) -> Result<()> {
|
||||
let txn = yubikey.begin_transaction()?;
|
||||
write_certificate(&txn, slot, Some(&self.data), certinfo)
|
||||
}
|
||||
|
||||
/// Delete a certificate located at the given slot of the given YubiKey
|
||||
#[cfg(feature = "untested")]
|
||||
pub fn delete(yubikey: &mut YubiKey, slot: SlotId) -> Result<(), Error> {
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub fn delete(yubikey: &mut YubiKey, slot: SlotId) -> Result<()> {
|
||||
let txn = yubikey.begin_transaction()?;
|
||||
write_certificate(&txn, slot, None, CertInfo::Uncompressed)
|
||||
}
|
||||
|
||||
/// Initialize a local certificate struct from the given bytebuffer
|
||||
pub fn from_bytes(cert: impl Into<Buffer>) -> Result<Self, Error> {
|
||||
pub fn from_bytes(cert: impl Into<Buffer>) -> Result<Self> {
|
||||
let cert = cert.into();
|
||||
|
||||
if cert.is_empty() {
|
||||
@@ -471,7 +506,7 @@ impl Certificate {
|
||||
return Err(Error::SizeError);
|
||||
}
|
||||
|
||||
let parsed_cert = match parse_x509_der(&cert) {
|
||||
let parsed_cert = match parse_x509_certificate(&cert) {
|
||||
Ok((_, cert)) => cert,
|
||||
_ => return Err(Error::InvalidObject),
|
||||
};
|
||||
@@ -498,7 +533,7 @@ impl Certificate {
|
||||
|
||||
/// Returns the Issuer field of the certificate.
|
||||
pub fn issuer(&self) -> &str {
|
||||
&self.subject
|
||||
&self.issuer
|
||||
}
|
||||
|
||||
/// Returns the SubjectName field of the certificate.
|
||||
@@ -524,7 +559,7 @@ impl AsRef<[u8]> for Certificate {
|
||||
}
|
||||
|
||||
/// Read certificate
|
||||
pub(crate) fn read_certificate(txn: &Transaction<'_>, slot: SlotId) -> Result<Buffer, Error> {
|
||||
pub(crate) fn read_certificate(txn: &Transaction<'_>, slot: SlotId) -> Result<Buffer> {
|
||||
let object_id = slot.object_id();
|
||||
|
||||
let buf = match txn.fetch_object(object_id) {
|
||||
@@ -552,7 +587,7 @@ pub(crate) fn write_certificate(
|
||||
slot: SlotId,
|
||||
data: Option<&[u8]>,
|
||||
certinfo: CertInfo,
|
||||
) -> Result<(), Error> {
|
||||
) -> Result<()> {
|
||||
let object_id = slot.object_id();
|
||||
|
||||
if data.is_none() {
|
||||
@@ -573,16 +608,16 @@ pub(crate) fn write_certificate(
|
||||
|
||||
mod read_pki {
|
||||
use der_parser::{
|
||||
asn1_rs::Any,
|
||||
ber::BerObjectContent,
|
||||
der::{parse_der_integer, DerObject},
|
||||
der::{parse_der_integer, parse_der_sequence_defined_g, DerObject},
|
||||
error::BerError,
|
||||
*,
|
||||
};
|
||||
use nom::{combinator, IResult};
|
||||
use rsa::{BigUint, RSAPublicKey};
|
||||
use nom::{combinator, sequence::pair, IResult};
|
||||
use rsa::{BigUint, RsaPublicKey};
|
||||
|
||||
use super::{OID_NIST_P256, OID_NIST_P384};
|
||||
use crate::{error::Error, key::AlgorithmId};
|
||||
use crate::{piv::AlgorithmId, Error, Result};
|
||||
|
||||
/// From [RFC 8017](https://tools.ietf.org/html/rfc8017#appendix-A.1.1):
|
||||
/// ```text
|
||||
@@ -591,21 +626,18 @@ mod read_pki {
|
||||
/// publicExponent INTEGER -- e
|
||||
/// }
|
||||
/// ```
|
||||
pub(super) fn rsa_pubkey(encoded: &[u8]) -> Result<RSAPublicKey, Error> {
|
||||
fn parse_rsa_pubkey(i: &[u8]) -> IResult<&[u8], DerObject<'_>, BerError> {
|
||||
parse_der_sequence_defined!(i, parse_der_integer >> parse_der_integer)
|
||||
pub(super) fn rsa_pubkey(encoded: &[u8]) -> Result<RsaPublicKey> {
|
||||
fn parse_rsa_pubkey(i: &[u8]) -> IResult<&[u8], (DerObject<'_>, DerObject<'_>), BerError> {
|
||||
parse_der_sequence_defined_g(|i, _| pair(parse_der_integer, parse_der_integer)(i))(i)
|
||||
}
|
||||
|
||||
fn rsa_pubkey_parts(i: &[u8]) -> IResult<&[u8], (BigUint, BigUint), BerError> {
|
||||
combinator::map(parse_rsa_pubkey, |object| {
|
||||
let seq = object.as_sequence().expect("is DER sequence");
|
||||
assert_eq!(seq.len(), 2);
|
||||
|
||||
let n = match seq[0].content {
|
||||
combinator::map(parse_rsa_pubkey, |(modulus, public_exponent)| {
|
||||
let n = match modulus.content {
|
||||
BerObjectContent::Integer(s) => BigUint::from_bytes_be(s),
|
||||
_ => panic!("expected DER integer"),
|
||||
};
|
||||
let e = match seq[1].content {
|
||||
let e = match public_exponent.content {
|
||||
BerObjectContent::Integer(s) => BigUint::from_bytes_be(s),
|
||||
_ => panic!("expected DER integer"),
|
||||
};
|
||||
@@ -619,7 +651,7 @@ mod read_pki {
|
||||
_ => return Err(Error::InvalidObject),
|
||||
};
|
||||
|
||||
RSAPublicKey::new(n, e).map_err(|_| Error::InvalidObject)
|
||||
RsaPublicKey::new(n, e).map_err(|_| Error::InvalidObject)
|
||||
}
|
||||
|
||||
/// From [RFC 5480](https://tools.ietf.org/html/rfc5480#section-2.1.1):
|
||||
@@ -630,13 +662,8 @@ mod read_pki {
|
||||
/// -- specifiedCurve SpecifiedECDomain
|
||||
/// }
|
||||
/// ```
|
||||
pub(super) fn ec_parameters(parameters: &DerObject<'_>) -> Result<AlgorithmId, Error> {
|
||||
let curve_oid = match parameters.as_context_specific() {
|
||||
Ok((_, Some(named_curve))) => {
|
||||
named_curve.as_oid_val().map_err(|_| Error::InvalidObject)
|
||||
}
|
||||
_ => Err(Error::InvalidObject),
|
||||
}?;
|
||||
pub(super) fn ec_parameters(parameters: &Any<'_>) -> Result<AlgorithmId> {
|
||||
let curve_oid = parameters.as_oid().map_err(|_| Error::InvalidObject)?;
|
||||
|
||||
match curve_oid.to_string().as_str() {
|
||||
OID_NIST_P256 => Ok(AlgorithmId::EccP256),
|
||||
@@ -648,7 +675,7 @@ mod read_pki {
|
||||
|
||||
mod write_pki {
|
||||
use cookie_factory::{SerializeFn, WriteContext};
|
||||
use rsa::{BigUint, PublicKeyParts, RSAPublicKey};
|
||||
use rsa::{BigUint, PublicKeyParts, RsaPublicKey};
|
||||
use std::io::Write;
|
||||
use x509::der::write::{der_integer, der_sequence};
|
||||
|
||||
@@ -665,7 +692,7 @@ mod write_pki {
|
||||
/// }
|
||||
/// ```
|
||||
pub(super) fn rsa_pubkey<'a, W: Write + 'a>(
|
||||
pubkey: &'a RSAPublicKey,
|
||||
pubkey: &'a RsaPublicKey,
|
||||
) -> impl SerializeFn<W> + 'a {
|
||||
der_sequence((
|
||||
der_integer_biguint(pubkey.n()),
|
||||
|
||||
+32
-60
@@ -30,22 +30,9 @@
|
||||
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
use crate::{error::Error, yubikey::YubiKey};
|
||||
use getrandom::getrandom;
|
||||
use crate::{Error, Result, YubiKey};
|
||||
use std::fmt::{self, Debug, Display};
|
||||
use subtle_encoding::hex;
|
||||
|
||||
/// CHUID size
|
||||
pub const CHUID_SIZE: usize = 59;
|
||||
|
||||
/// CARDID size
|
||||
pub const CARDID_SIZE: usize = 16;
|
||||
|
||||
/// FASC-N component size
|
||||
pub const FASCN_SIZE: usize = 25;
|
||||
|
||||
/// Expiration size
|
||||
pub const EXPIRATION_SIZE: usize = 8;
|
||||
use uuid::Uuid;
|
||||
|
||||
/// FASC-N offset
|
||||
const CHUID_FASCN_OFFS: usize = 2;
|
||||
@@ -81,50 +68,42 @@ const CHUID_TMPL: &[u8] = &[
|
||||
0x30, 0x33, 0x30, 0x30, 0x31, 0x30, 0x31, 0x3e, 0x00, 0xfe, 0x00,
|
||||
];
|
||||
|
||||
/// Cardholder Unique Identifier (CHUID) Card UUID/GUID value
|
||||
/// Cardholder Unique Identifier (CHUID).
|
||||
#[derive(Copy, Clone, Debug)]
|
||||
pub struct Uuid(pub [u8; CARDID_SIZE]);
|
||||
pub struct ChuId(pub [u8; Self::BYTE_SIZE]);
|
||||
|
||||
impl Uuid {
|
||||
/// Generate a random Cardholder Unique Identifier (CHUID) UUID
|
||||
pub fn generate() -> Result<Self, Error> {
|
||||
let mut id = [0u8; CARDID_SIZE];
|
||||
getrandom(&mut id).map_err(|_| Error::RandomnessError)?;
|
||||
Ok(Self(id))
|
||||
}
|
||||
}
|
||||
impl ChuId {
|
||||
/// CHUID size in bytes
|
||||
pub const BYTE_SIZE: usize = 59;
|
||||
|
||||
/// Cardholder Unique Identifier (CHUID)
|
||||
#[derive(Copy, Clone)]
|
||||
pub struct CHUID(pub [u8; CHUID_SIZE]);
|
||||
/// FASC-N component size
|
||||
pub const FASCN_SIZE: usize = 25;
|
||||
|
||||
/// Expiration size
|
||||
pub const EXPIRATION_SIZE: usize = 8;
|
||||
|
||||
impl CHUID {
|
||||
/// Return FASC-N component of CHUID
|
||||
pub fn fascn(&self) -> Result<[u8; FASCN_SIZE], Error> {
|
||||
let mut fascn = [0u8; FASCN_SIZE];
|
||||
fascn.copy_from_slice(&self.0[CHUID_FASCN_OFFS..(CHUID_FASCN_OFFS + FASCN_SIZE)]);
|
||||
Ok(fascn)
|
||||
pub fn fascn(&self) -> [u8; Self::FASCN_SIZE] {
|
||||
self.0[CHUID_FASCN_OFFS..(CHUID_FASCN_OFFS + Self::FASCN_SIZE)]
|
||||
.try_into()
|
||||
.unwrap()
|
||||
}
|
||||
|
||||
/// Return Card UUID/GUID component of CHUID
|
||||
pub fn uuid(&self) -> Result<[u8; CARDID_SIZE], Error> {
|
||||
let mut uuid = [0u8; CARDID_SIZE];
|
||||
uuid.copy_from_slice(&self.0[CHUID_GUID_OFFS..(CHUID_GUID_OFFS + CARDID_SIZE)]);
|
||||
Ok(uuid)
|
||||
pub fn uuid(&self) -> Uuid {
|
||||
Uuid::from_slice(&self.0[CHUID_GUID_OFFS..(CHUID_GUID_OFFS + 16)]).unwrap()
|
||||
}
|
||||
|
||||
/// Return expiration date component of CHUID
|
||||
// TODO(tarcieri): parse expiration?
|
||||
pub fn expiration(&self) -> Result<[u8; EXPIRATION_SIZE], Error> {
|
||||
let mut expiration = [0u8; EXPIRATION_SIZE];
|
||||
expiration.copy_from_slice(
|
||||
&self.0[CHUID_EXPIRATION_OFFS..(CHUID_EXPIRATION_OFFS + EXPIRATION_SIZE)],
|
||||
);
|
||||
Ok(expiration)
|
||||
pub fn expiration(&self) -> [u8; Self::EXPIRATION_SIZE] {
|
||||
self.0[CHUID_EXPIRATION_OFFS..(CHUID_EXPIRATION_OFFS + Self::EXPIRATION_SIZE)]
|
||||
.try_into()
|
||||
.unwrap()
|
||||
}
|
||||
|
||||
/// Get Cardholder Unique Identifier (CHUID)
|
||||
pub fn get(yubikey: &mut YubiKey) -> Result<CHUID, Error> {
|
||||
pub fn get(yubikey: &mut YubiKey) -> Result<ChuId> {
|
||||
let txn = yubikey.begin_transaction()?;
|
||||
let response = txn.fetch_object(OBJ_CHUID)?;
|
||||
|
||||
@@ -132,36 +111,29 @@ impl CHUID {
|
||||
return Err(Error::GenericError);
|
||||
}
|
||||
|
||||
let mut chuid = [0u8; CHUID_SIZE];
|
||||
chuid.copy_from_slice(&response[0..CHUID_SIZE]);
|
||||
let retval = CHUID { 0: chuid };
|
||||
Ok(retval)
|
||||
Ok(ChuId(response[..Self::BYTE_SIZE].try_into().unwrap()))
|
||||
}
|
||||
|
||||
/// Set Cardholder Unique Identifier (CHUID)
|
||||
#[cfg(feature = "untested")]
|
||||
|
||||
pub fn set(&self, yubikey: &mut YubiKey) -> Result<(), Error> {
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub fn set(&self, yubikey: &mut YubiKey) -> Result<()> {
|
||||
let mut buf = CHUID_TMPL.to_vec();
|
||||
buf[0..self.0.len()].copy_from_slice(&self.0);
|
||||
buf[..Self::BYTE_SIZE].copy_from_slice(&self.0);
|
||||
|
||||
let txn = yubikey.begin_transaction()?;
|
||||
txn.save_object(OBJ_CHUID, &buf)
|
||||
}
|
||||
}
|
||||
|
||||
impl Display for CHUID {
|
||||
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
|
||||
write!(
|
||||
f,
|
||||
"{}",
|
||||
String::from_utf8(hex::encode(&self.0[..])).unwrap()
|
||||
)
|
||||
impl AsRef<[u8]> for ChuId {
|
||||
fn as_ref(&self) -> &[u8] {
|
||||
&self.0
|
||||
}
|
||||
}
|
||||
|
||||
impl Debug for CHUID {
|
||||
impl Display for ChuId {
|
||||
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
|
||||
write!(f, "CHUID({:?})", &self.0[..])
|
||||
f.write_str(&hex::upper::encode_string(self.as_ref()))
|
||||
}
|
||||
}
|
||||
|
||||
+31
-29
@@ -31,56 +31,60 @@
|
||||
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
use crate::{
|
||||
error::Error,
|
||||
metadata,
|
||||
consts::{
|
||||
TAG_ADMIN_FLAGS_1, TAG_ADMIN_SALT, TAG_ADMIN_TIMESTAMP, TAG_PROTECTED_FLAGS_1,
|
||||
TAG_PROTECTED_MGM,
|
||||
},
|
||||
metadata::{AdminData, ProtectedData},
|
||||
mgm::{MgmType, ADMIN_FLAGS_1_PROTECTED_MGM},
|
||||
yubikey::{YubiKey, ADMIN_FLAGS_1_PUK_BLOCKED},
|
||||
TAG_ADMIN, TAG_ADMIN_FLAGS_1, TAG_ADMIN_SALT, TAG_ADMIN_TIMESTAMP, TAG_PROTECTED,
|
||||
TAG_PROTECTED_FLAGS_1, TAG_PROTECTED_MGM,
|
||||
Result,
|
||||
};
|
||||
use log::error;
|
||||
use std::{
|
||||
convert::TryInto,
|
||||
time::{Duration, SystemTime, UNIX_EPOCH},
|
||||
};
|
||||
use std::time::{Duration, SystemTime, UNIX_EPOCH};
|
||||
|
||||
const CB_ADMIN_TIMESTAMP: usize = 0x04;
|
||||
const PROTECTED_FLAGS_1_PUK_NOBLOCK: u8 = 0x01;
|
||||
|
||||
/// Config
|
||||
/// YubiKey configuration.
|
||||
#[derive(Copy, Clone, Debug)]
|
||||
pub struct Config {
|
||||
/// Protected data available
|
||||
protected_data_available: bool,
|
||||
pub protected_data_available: bool,
|
||||
|
||||
/// PUK blocked
|
||||
puk_blocked: bool,
|
||||
pub puk_blocked: bool,
|
||||
|
||||
/// No block on upgrade
|
||||
puk_noblock_on_upgrade: bool,
|
||||
pub puk_noblock_on_upgrade: bool,
|
||||
|
||||
/// PIN last changed
|
||||
pin_last_changed: Option<SystemTime>,
|
||||
pub pin_last_changed: Option<SystemTime>,
|
||||
|
||||
/// MGM type
|
||||
mgm_type: MgmType,
|
||||
pub mgm_type: MgmType,
|
||||
}
|
||||
|
||||
impl Config {
|
||||
/// Get YubiKey config
|
||||
pub fn get(yubikey: &mut YubiKey) -> Result<Config, Error> {
|
||||
let mut config = Config {
|
||||
impl Default for Config {
|
||||
fn default() -> Config {
|
||||
Config {
|
||||
protected_data_available: false,
|
||||
puk_blocked: false,
|
||||
puk_noblock_on_upgrade: false,
|
||||
pin_last_changed: None,
|
||||
mgm_type: MgmType::Manual,
|
||||
};
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl Config {
|
||||
/// Get YubiKey config.
|
||||
pub(crate) fn get(yubikey: &mut YubiKey) -> Result<Config> {
|
||||
let mut config = Self::default();
|
||||
let txn = yubikey.begin_transaction()?;
|
||||
|
||||
if let Ok(data) = metadata::read(&txn, TAG_ADMIN) {
|
||||
if let Ok(item) = metadata::get_item(&data, TAG_ADMIN_FLAGS_1) {
|
||||
if let Ok(admin_data) = AdminData::read(&txn) {
|
||||
if let Ok(item) = admin_data.get_item(TAG_ADMIN_FLAGS_1) {
|
||||
if item.is_empty() {
|
||||
error!("empty response for admin flags metadata item! ignoring");
|
||||
} else {
|
||||
@@ -94,7 +98,7 @@ impl Config {
|
||||
}
|
||||
}
|
||||
|
||||
if metadata::get_item(&data, TAG_ADMIN_SALT).is_ok() {
|
||||
if admin_data.get_item(TAG_ADMIN_SALT).is_ok() {
|
||||
if config.mgm_type != MgmType::Manual {
|
||||
error!("conflicting types of MGM key administration configured");
|
||||
} else {
|
||||
@@ -102,7 +106,7 @@ impl Config {
|
||||
}
|
||||
}
|
||||
|
||||
if let Ok(item) = metadata::get_item(&data, TAG_ADMIN_TIMESTAMP) {
|
||||
if let Ok(item) = admin_data.get_item(TAG_ADMIN_TIMESTAMP) {
|
||||
if item.len() != CB_ADMIN_TIMESTAMP {
|
||||
error!("pin timestamp in admin metadata is an invalid size");
|
||||
} else {
|
||||
@@ -117,10 +121,10 @@ impl Config {
|
||||
}
|
||||
}
|
||||
|
||||
if let Ok(data) = metadata::read(&txn, TAG_PROTECTED) {
|
||||
if let Ok(protected_data) = ProtectedData::read(&txn) {
|
||||
config.protected_data_available = true;
|
||||
|
||||
if let Ok(item) = metadata::get_item(&data, TAG_PROTECTED_FLAGS_1) {
|
||||
if let Ok(item) = protected_data.get_item(TAG_PROTECTED_FLAGS_1) {
|
||||
if item.is_empty() {
|
||||
error!("empty response for protected flags metadata item! ignoring");
|
||||
} else if item[0] & PROTECTED_FLAGS_1_PUK_NOBLOCK != 0 {
|
||||
@@ -128,11 +132,9 @@ impl Config {
|
||||
}
|
||||
}
|
||||
|
||||
if metadata::get_item(&data, TAG_PROTECTED_MGM).is_ok() {
|
||||
if protected_data.get_item(TAG_PROTECTED_MGM).is_ok() {
|
||||
if config.mgm_type != MgmType::Protected {
|
||||
error!(
|
||||
"conflicting types of mgm key administration configured: protected MGM exists"
|
||||
);
|
||||
error!("conflicting MGM key types: protected MGM exists");
|
||||
}
|
||||
|
||||
// Always favor protected MGM
|
||||
|
||||
@@ -0,0 +1,20 @@
|
||||
//! Miscellaneous constant values
|
||||
|
||||
/// YubiKey max buffer size
|
||||
pub(crate) const CB_BUF_MAX: usize = 3072;
|
||||
|
||||
/// YubiKey max object size
|
||||
pub(crate) const CB_OBJ_MAX: usize = CB_BUF_MAX - 9;
|
||||
|
||||
pub(crate) const CB_OBJ_TAG_MIN: usize = 2; // 1 byte tag + 1 byte len
|
||||
#[cfg(feature = "untested")]
|
||||
pub(crate) const CB_OBJ_TAG_MAX: usize = CB_OBJ_TAG_MIN + 2; // 1 byte tag + 3 bytes len
|
||||
|
||||
// Admin tags
|
||||
pub(crate) const TAG_ADMIN_FLAGS_1: u8 = 0x81;
|
||||
pub(crate) const TAG_ADMIN_SALT: u8 = 0x82;
|
||||
pub(crate) const TAG_ADMIN_TIMESTAMP: u8 = 0x83;
|
||||
|
||||
// Protected tags
|
||||
pub(crate) const TAG_PROTECTED_FLAGS_1: u8 = 0x81;
|
||||
pub(crate) const TAG_PROTECTED_MGM: u8 = 0x89;
|
||||
+92
-80
@@ -32,65 +32,72 @@
|
||||
|
||||
use std::fmt::{self, Display};
|
||||
|
||||
/// Kinds of errors
|
||||
/// Result type with [`Error`].
|
||||
pub type Result<T> = core::result::Result<T, Error>;
|
||||
|
||||
/// Kinds of errors.
|
||||
#[derive(Clone, Copy, Debug, Eq, PartialEq)]
|
||||
#[non_exhaustive]
|
||||
pub enum Error {
|
||||
/// Algorithm error
|
||||
AlgorithmError,
|
||||
|
||||
/// Applet error
|
||||
AppletError,
|
||||
|
||||
/// We tried to select an applet that could not be found.
|
||||
AppletNotFound {
|
||||
/// Human-readable name of the applet.
|
||||
applet_name: &'static str,
|
||||
},
|
||||
|
||||
/// Argument error
|
||||
ArgumentError,
|
||||
|
||||
/// Authentication error
|
||||
AuthenticationError,
|
||||
|
||||
/// Generic error
|
||||
GenericError,
|
||||
|
||||
/// Invalid object
|
||||
InvalidObject,
|
||||
|
||||
/// Key error
|
||||
KeyError,
|
||||
|
||||
/// Memory error
|
||||
MemoryError,
|
||||
|
||||
/// Not supported
|
||||
NotSupported,
|
||||
|
||||
/// Not found
|
||||
NotFound,
|
||||
|
||||
/// Parse error
|
||||
ParseError,
|
||||
|
||||
/// PCSC error
|
||||
PcscError {
|
||||
/// Original PC/SC error
|
||||
inner: Option<pcsc::Error>,
|
||||
},
|
||||
|
||||
/// PIN locked
|
||||
PinLocked,
|
||||
|
||||
/// Range error
|
||||
RangeError,
|
||||
|
||||
/// Size error
|
||||
SizeError,
|
||||
|
||||
/// Applet error
|
||||
AppletError,
|
||||
|
||||
/// Authentication error
|
||||
AuthenticationError,
|
||||
|
||||
/// Randomness error
|
||||
RandomnessError,
|
||||
|
||||
/// Generic error
|
||||
GenericError,
|
||||
|
||||
/// Key error
|
||||
KeyError,
|
||||
|
||||
/// Parse error
|
||||
ParseError,
|
||||
|
||||
/// Wrong PIN
|
||||
WrongPin {
|
||||
/// Number of tries remaining
|
||||
tries: u8,
|
||||
},
|
||||
|
||||
/// Invalid object
|
||||
InvalidObject,
|
||||
|
||||
/// Algorithm error
|
||||
AlgorithmError,
|
||||
|
||||
/// PIN locked
|
||||
PinLocked,
|
||||
|
||||
/// Argument error
|
||||
ArgumentError,
|
||||
|
||||
/// Range error
|
||||
RangeError,
|
||||
|
||||
/// Not supported
|
||||
NotSupported,
|
||||
|
||||
/// Not found
|
||||
NotFound,
|
||||
}
|
||||
|
||||
impl Error {
|
||||
@@ -98,55 +105,62 @@ impl Error {
|
||||
///
|
||||
/// These names map to the legacy names from the Yubico C library, to
|
||||
/// assist in web searches for relevant information for these errors.
|
||||
pub fn name(self) -> &'static str {
|
||||
match self {
|
||||
Error::MemoryError => "YKPIV_MEMORY_ERROR",
|
||||
Error::PcscError { .. } => "YKPIV_PCSC_ERROR",
|
||||
Error::SizeError => "YKPIV_SIZE_ERROR",
|
||||
Error::AppletError => "YKPIV_APPLET_ERROR",
|
||||
Error::AuthenticationError => "YKPIV_AUTHENTICATION_ERROR",
|
||||
Error::RandomnessError => "YKPIV_RANDOMNESS_ERROR",
|
||||
Error::GenericError => "YKPIV_GENERIC_ERROR",
|
||||
Error::KeyError => "YKPIV_KEY_ERROR",
|
||||
Error::ParseError => "YKPIV_PARSE_ERROR",
|
||||
Error::WrongPin { .. } => "YKPIV_WRONG_PIN",
|
||||
Error::InvalidObject => "YKPIV_INVALID_OBJECT",
|
||||
pub fn name(self) -> Option<&'static str> {
|
||||
Some(match self {
|
||||
Error::AlgorithmError => "YKPIV_ALGORITHM_ERROR",
|
||||
Error::PinLocked => "YKPIV_PIN_LOCKED",
|
||||
Error::AppletError => "YKPIV_APPLET_ERROR",
|
||||
Error::ArgumentError => "YKPIV_ARGUMENT_ERROR",
|
||||
Error::RangeError => "YKPIV_RANGE_ERROR",
|
||||
Error::AuthenticationError => "YKPIV_AUTHENTICATION_ERROR",
|
||||
Error::GenericError => "YKPIV_GENERIC_ERROR",
|
||||
Error::InvalidObject => "YKPIV_INVALID_OBJECT",
|
||||
Error::KeyError => "YKPIV_KEY_ERROR",
|
||||
Error::MemoryError => "YKPIV_MEMORY_ERROR",
|
||||
Error::NotSupported => "YKPIV_NOT_SUPPORTED",
|
||||
Error::NotFound => "<not found>",
|
||||
}
|
||||
Error::ParseError => "YKPIV_PARSE_ERROR",
|
||||
Error::PcscError { .. } => "YKPIV_PCSC_ERROR",
|
||||
Error::PinLocked => "YKPIV_PIN_LOCKED",
|
||||
Error::RangeError => "YKPIV_RANGE_ERROR",
|
||||
Error::SizeError => "YKPIV_SIZE_ERROR",
|
||||
Error::WrongPin { .. } => "YKPIV_WRONG_PIN",
|
||||
_ => return None,
|
||||
})
|
||||
}
|
||||
|
||||
/// Error message
|
||||
pub fn msg(self) -> &'static str {
|
||||
pub fn msg(self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
|
||||
match self {
|
||||
Error::MemoryError => "memory error",
|
||||
Error::PcscError { .. } => "PCSC error",
|
||||
Error::SizeError => "size error",
|
||||
Error::AppletError => "applet error",
|
||||
Error::AuthenticationError => "authentication error",
|
||||
Error::RandomnessError => "randomness error",
|
||||
Error::GenericError => "generic error",
|
||||
Error::KeyError => "key error",
|
||||
Error::ParseError => "parse error",
|
||||
Error::WrongPin { .. } => "wrong pin",
|
||||
Error::InvalidObject => "invalid object",
|
||||
Error::AlgorithmError => "algorithm error",
|
||||
Error::PinLocked => "PIN locked",
|
||||
Error::ArgumentError => "argument error",
|
||||
Error::RangeError => "range error",
|
||||
Error::NotSupported => "not supported",
|
||||
Error::NotFound => "not found",
|
||||
Error::AlgorithmError => f.write_str("algorithm error"),
|
||||
Error::AppletError => f.write_str("applet error"),
|
||||
Error::AppletNotFound { applet_name } => {
|
||||
f.write_str(&format!("{} applet not found", applet_name))
|
||||
}
|
||||
Error::ArgumentError => f.write_str("argument error"),
|
||||
Error::AuthenticationError => f.write_str("authentication error"),
|
||||
Error::GenericError => f.write_str("generic error"),
|
||||
Error::InvalidObject => f.write_str("invalid object"),
|
||||
Error::KeyError => f.write_str("key error"),
|
||||
Error::MemoryError => f.write_str("memory error"),
|
||||
Error::NotSupported => f.write_str("not supported"),
|
||||
Error::NotFound => f.write_str("not found"),
|
||||
Error::ParseError => f.write_str("parse error"),
|
||||
|
||||
Error::PcscError {
|
||||
inner: Some(pcsc_error),
|
||||
} => f.write_fmt(format_args!("PC/SC error: {}", pcsc_error)),
|
||||
|
||||
Error::PcscError { .. } => f.write_str("PC/SC error"),
|
||||
|
||||
Error::PinLocked => f.write_str("PIN locked"),
|
||||
Error::RangeError => f.write_str("range error"),
|
||||
Error::SizeError => f.write_str("size error"),
|
||||
Error::WrongPin { .. } => f.write_str("wrong pin"),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl Display for Error {
|
||||
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
|
||||
f.write_str(self.msg())
|
||||
self.msg(f)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -159,10 +173,8 @@ impl From<pcsc::Error> for Error {
|
||||
impl std::error::Error for Error {
|
||||
fn source(&self) -> Option<&(dyn std::error::Error + 'static)> {
|
||||
match self {
|
||||
#[allow(trivial_casts)] // why doesn't this work without the cast???
|
||||
Error::PcscError { inner } => inner
|
||||
.as_ref()
|
||||
.map(|err| err as &(dyn std::error::Error + 'static)),
|
||||
#[allow(trivial_casts)]
|
||||
Error::PcscError { inner } => inner.as_ref().map(|err| err as &_),
|
||||
_ => None,
|
||||
}
|
||||
}
|
||||
|
||||
+40
-154
@@ -1,95 +1,10 @@
|
||||
//! [YubiKey] PIV: [Personal Identity Verification][PIV] support for
|
||||
//! [Yubico] devices using the Personal Computer/Smart Card ([PC/SC])
|
||||
//! interface as provided by the [`pcsc` crate].
|
||||
//!
|
||||
//! **PIV** is a [NIST] standard for both *signing* and *encryption*
|
||||
//! using SmartCards and SmartCard-based hardware tokens like YubiKeys.
|
||||
//!
|
||||
//! This library natively implements the protocol used to manage and
|
||||
//! utilize PIV encryption and signing keys which can be generated, imported,
|
||||
//! and stored on YubiKey devices.
|
||||
//!
|
||||
//! See [Yubico's guide to PIV-enabled YubiKeys][yk-guide] for more information
|
||||
//! on which devices support PIV and the available functionality.
|
||||
//!
|
||||
//! ## Minimum Supported Rust Version
|
||||
//!
|
||||
//! Rust 1.44+
|
||||
//!
|
||||
//! ## Supported YubiKeys
|
||||
//!
|
||||
//! - [YubiKey 4] series
|
||||
//! - [YubiKey 5] series
|
||||
//!
|
||||
//! NOTE: Nano and USB-C variants of the above are also supported.
|
||||
//! Pre-YK4 [YubiKey NEO] series is **NOT** supported.
|
||||
//!
|
||||
//! ## Supported Algorithms
|
||||
//!
|
||||
//! - **Authentication**: `3DES`
|
||||
//! - **Encryption**: `RSA1024`, `RSA2048`, `ECCP256`, `ECCP384`
|
||||
//! - **Signatures**:
|
||||
//! - RSASSA-PKCS#1v1.5: `RSA1024`, `RSA2048`
|
||||
//! - ECDSA: `ECCP256`, `ECCP384`
|
||||
//!
|
||||
//! NOTE: RSASSA-PSS signatures and RSA-OAEP encryption may be supportable (TBD)
|
||||
//!
|
||||
//! ## Status
|
||||
//!
|
||||
//! This is a work-in-progress effort, and while much of the library-level
|
||||
//! code from upstream [yubico-piv-tool] has been translated into Rust
|
||||
//! presenting a safe interface, much of it is still untested.
|
||||
//!
|
||||
//! Please see the [project's README.md for a complete status][status].
|
||||
//!
|
||||
//! ## History
|
||||
//!
|
||||
//! This library is a Rust translation of the [yubico-piv-tool] utility by
|
||||
//! Yubico, which was originally written in C. It was mechanically translated
|
||||
//! from C into Rust using [Corrode], and then subsequently heavily
|
||||
//! refactored into safer, more idiomatic Rust.
|
||||
//!
|
||||
//! For more information on [yubico-piv-tool] and background information on how
|
||||
//! the YubiKey implementation of PIV works in general, see the
|
||||
//! [Yubico PIV Tool Command Line Guide][piv-tool-guide].
|
||||
//!
|
||||
//! ## Security Warning
|
||||
//!
|
||||
//! No security audits of this crate have ever been performed. Presently it is in
|
||||
//! an experimental stage and may still contain high-severity issues.
|
||||
//!
|
||||
//! USE AT YOUR OWN RISK!
|
||||
//!
|
||||
//! ## Code of Conduct
|
||||
//!
|
||||
//! We abide by the [Contributor Covenant][cc-md] and ask that you do as well.
|
||||
//!
|
||||
//! For more information, please see [CODE_OF_CONDUCT.md][cc-md].
|
||||
//!
|
||||
//! ## License
|
||||
//!
|
||||
//! **yubikey-piv.rs** is a fork of and originally a mechanical translation from
|
||||
//! Yubico's [yubico-piv-tool], a C library/CLI program. The original library
|
||||
//! was licensed under a [2-Clause BSD License][BSDL], which this library inherits
|
||||
//! as a derived work.
|
||||
//!
|
||||
//! [YubiKey]: https://www.yubico.com/products/yubikey-hardware/
|
||||
//! [PIV]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf
|
||||
//! [Yubico]: https://www.yubico.com/
|
||||
//! [PC/SC]: https://en.wikipedia.org/wiki/PC/SC
|
||||
//! [`pcsc` crate]: https://github.com/bluetech/pcsc-rust
|
||||
//! [NIST]: https://www.nist.gov/
|
||||
//! [yk-guide]: https://developers.yubico.com/PIV/Introduction/YubiKey_and_PIV.html
|
||||
//! [YubiKey NEO]: https://support.yubico.com/support/solutions/articles/15000006494-yubikey-neo
|
||||
//! [YubiKey 4]: https://support.yubico.com/support/solutions/articles/15000006486-yubikey-4
|
||||
//! [YubiKey 5]: https://www.yubico.com/products/yubikey-5-overview/
|
||||
//! [status]: https://github.com/tarcieri/yubikey-piv.rs#status
|
||||
//! [yubico-piv-tool]: https://github.com/Yubico/yubico-piv-tool/
|
||||
//! [Corrode]: https://github.com/jameysharp/corrode
|
||||
//! [piv-tool-guide]: https://www.yubico.com/wp-content/uploads/2016/05/Yubico_PIV_Tool_Command_Line_Guide_en.pdf
|
||||
//! [cc-web]: https://contributor-covenant.org/
|
||||
//! [cc-md]: https://github.com/tarcieri/yubikey-piv.rs/blob/develop/CODE_OF_CONDUCT.md
|
||||
//! [BSDL]: https://opensource.org/licenses/BSD-2-Clause
|
||||
#![doc = include_str!("../README.md")]
|
||||
#![doc(
|
||||
html_logo_url = "https://raw.githubusercontent.com/iqlusioninc/yubikey.rs/main/img/logo-sq.png"
|
||||
)]
|
||||
#![cfg_attr(docsrs, feature(doc_cfg))]
|
||||
#![forbid(unsafe_code)]
|
||||
#![warn(missing_docs, rust_2018_idioms, trivial_casts, unused_qualifications)]
|
||||
|
||||
// Adapted from yubico-piv-tool:
|
||||
// <https://github.com/Yubico/yubico-piv-tool/>
|
||||
@@ -121,78 +36,49 @@
|
||||
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
#![doc(
|
||||
html_logo_url = "https://raw.githubusercontent.com/iqlusioninc/yubikey-piv.rs/develop/img/logo.png",
|
||||
html_root_url = "https://docs.rs/yubikey-piv/0.1.0"
|
||||
)]
|
||||
#![forbid(unsafe_code)]
|
||||
#![warn(
|
||||
missing_docs,
|
||||
rust_2018_idioms,
|
||||
trivial_casts,
|
||||
trivial_numeric_casts,
|
||||
unused_lifetimes,
|
||||
unused_qualifications
|
||||
)]
|
||||
|
||||
mod apdu;
|
||||
pub mod cccid;
|
||||
mod cccid;
|
||||
pub mod certificate;
|
||||
pub mod chuid;
|
||||
pub mod config;
|
||||
pub mod error;
|
||||
pub mod key;
|
||||
mod chuid;
|
||||
mod config;
|
||||
mod consts;
|
||||
mod error;
|
||||
mod metadata;
|
||||
pub mod mgm;
|
||||
mod mgm;
|
||||
#[cfg(feature = "untested")]
|
||||
pub mod mscmap;
|
||||
mod mscmap;
|
||||
#[cfg(feature = "untested")]
|
||||
pub mod msroots;
|
||||
pub mod policy;
|
||||
pub mod readers;
|
||||
mod msroots;
|
||||
mod otp;
|
||||
pub mod piv;
|
||||
mod policy;
|
||||
pub mod reader;
|
||||
mod serialization;
|
||||
pub mod settings;
|
||||
mod setting;
|
||||
mod transaction;
|
||||
pub mod yubikey;
|
||||
mod yubikey;
|
||||
|
||||
pub use self::{
|
||||
error::Error,
|
||||
key::Key,
|
||||
mgm::MgmKey,
|
||||
readers::Readers,
|
||||
yubikey::{Serial, YubiKey},
|
||||
pub use crate::{
|
||||
cccid::{CardId, CccId},
|
||||
certificate::Certificate,
|
||||
chuid::ChuId,
|
||||
config::Config,
|
||||
error::{Error, Result},
|
||||
mgm::{MgmKey, MgmType},
|
||||
piv::Key,
|
||||
policy::{PinPolicy, TouchPolicy},
|
||||
reader::Context,
|
||||
setting::{Setting, SettingSource},
|
||||
yubikey::{CachedPin, Serial, Version, YubiKey},
|
||||
};
|
||||
|
||||
/// Object identifiers
|
||||
#[cfg(feature = "untested")]
|
||||
pub use crate::{mscmap::MsContainer, msroots::MsRoots};
|
||||
|
||||
pub use uuid::Uuid;
|
||||
|
||||
/// Object identifiers: handles to particular objects stored on a YubiKey.
|
||||
pub type ObjectId = u32;
|
||||
|
||||
/// Buffer type (self-zeroizing byte vector)
|
||||
pub(crate) type Buffer = zeroize::Zeroizing<Vec<u8>>;
|
||||
|
||||
/// YubiKey max buffer size
|
||||
pub(crate) const CB_BUF_MAX: usize = 3072;
|
||||
|
||||
/// YubiKey max object size
|
||||
pub(crate) const CB_OBJ_MAX: usize = CB_BUF_MAX - 9;
|
||||
pub(crate) const CB_OBJ_TAG_MIN: usize = 2; // 1 byte tag + 1 byte len
|
||||
#[cfg(feature = "untested")]
|
||||
pub(crate) const CB_OBJ_TAG_MAX: usize = CB_OBJ_TAG_MIN + 2; // 1 byte tag + 3 bytes len
|
||||
|
||||
pub(crate) const TAG_ADMIN: u8 = 0x80;
|
||||
pub(crate) const TAG_ADMIN_FLAGS_1: u8 = 0x81;
|
||||
pub(crate) const TAG_ADMIN_SALT: u8 = 0x82;
|
||||
pub(crate) const TAG_ADMIN_TIMESTAMP: u8 = 0x83;
|
||||
pub(crate) const TAG_PROTECTED: u8 = 0x88;
|
||||
pub(crate) const TAG_PROTECTED_FLAGS_1: u8 = 0x81;
|
||||
pub(crate) const TAG_PROTECTED_MGM: u8 = 0x89;
|
||||
|
||||
/// PIV Applet ID
|
||||
pub(crate) const PIV_AID: [u8; 5] = [0xa0, 0x00, 0x00, 0x03, 0x08];
|
||||
|
||||
/// MGMT Applet ID.
|
||||
/// <https://developers.yubico.com/PIV/Introduction/Admin_access.html>
|
||||
#[cfg(feature = "untested")]
|
||||
pub(crate) const MGMT_AID: [u8; 8] = [0xa0, 0x00, 0x00, 0x05, 0x27, 0x47, 0x11, 0x17];
|
||||
|
||||
/// YubiKey OTP Applet ID. Needed to query serial on YK4.
|
||||
pub(crate) const YK_AID: [u8; 8] = [0xa0, 0x00, 0x00, 0x05, 0x27, 0x20, 0x01, 0x01];
|
||||
pub type Buffer = zeroize::Zeroizing<Vec<u8>>;
|
||||
|
||||
+135
-74
@@ -30,21 +30,91 @@
|
||||
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
use crate::{
|
||||
error::Error, serialization::*, transaction::Transaction, Buffer, TAG_ADMIN, TAG_PROTECTED,
|
||||
};
|
||||
|
||||
#[cfg(feature = "untested")]
|
||||
use crate::{CB_OBJ_MAX, CB_OBJ_TAG_MAX};
|
||||
|
||||
#[cfg(feature = "untested")]
|
||||
use std::marker::PhantomData;
|
||||
use zeroize::Zeroizing;
|
||||
|
||||
use crate::{serialization::*, transaction::Transaction, Buffer, Error, Result};
|
||||
|
||||
#[cfg(feature = "untested")]
|
||||
use crate::consts::{CB_OBJ_MAX, CB_OBJ_TAG_MAX};
|
||||
|
||||
#[cfg(feature = "untested")]
|
||||
use std::iter;
|
||||
|
||||
const TAG_ADMIN: u8 = 0x80;
|
||||
const TAG_PROTECTED: u8 = 0x88;
|
||||
pub const OBJ_ADMIN_DATA: u32 = 0x005f_ff00;
|
||||
pub const OBJ_PRINTED: u32 = 0x005f_c109;
|
||||
|
||||
/// Get metadata item
|
||||
pub(crate) fn get_item(mut data: &[u8], tag: u8) -> Result<&[u8], Error> {
|
||||
pub(crate) trait MetadataType: private::Sealed {}
|
||||
|
||||
/// A type variable corresponding to PIN-protected metadata.
|
||||
pub(crate) enum Protected {}
|
||||
impl MetadataType for Protected {}
|
||||
|
||||
/// A type variable corresponding to administrative metadata.
|
||||
pub(crate) enum Admin {}
|
||||
impl MetadataType for Admin {}
|
||||
|
||||
/// Metadata stored in a YubiKey.
|
||||
pub(crate) struct Metadata<T: MetadataType> {
|
||||
inner: Buffer,
|
||||
_marker: PhantomData<T>,
|
||||
}
|
||||
|
||||
/// PIN-protected metadata stored in a YubiKey.
|
||||
pub(crate) type ProtectedData = Metadata<Protected>;
|
||||
/// Administrative metadata stored in a YubiKey.
|
||||
pub(crate) type AdminData = Metadata<Admin>;
|
||||
|
||||
impl<T: MetadataType> Default for Metadata<T> {
|
||||
fn default() -> Self {
|
||||
Metadata {
|
||||
inner: Zeroizing::new(vec![]),
|
||||
_marker: PhantomData::default(),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl<T: MetadataType> Metadata<T> {
|
||||
/// Read metadata
|
||||
pub(crate) fn read(txn: &Transaction<'_>) -> Result<Self> {
|
||||
let data = txn.fetch_object(T::obj_id())?;
|
||||
Ok(Metadata {
|
||||
inner: Tlv::parse_single(data, T::tag())?,
|
||||
_marker: PhantomData::default(),
|
||||
})
|
||||
}
|
||||
|
||||
/// Write metadata
|
||||
#[cfg(feature = "untested")]
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub(crate) fn write(&self, txn: &Transaction<'_>) -> Result<()> {
|
||||
if self.inner.len() > CB_OBJ_MAX - CB_OBJ_TAG_MAX {
|
||||
return Err(Error::GenericError);
|
||||
}
|
||||
|
||||
if self.inner.is_empty() {
|
||||
return Self::delete(txn);
|
||||
}
|
||||
|
||||
let mut buf = Zeroizing::new(vec![0u8; CB_OBJ_MAX]);
|
||||
let len = Tlv::write(&mut buf, T::tag(), &self.inner)?;
|
||||
|
||||
txn.save_object(T::obj_id(), &buf[..len])
|
||||
}
|
||||
|
||||
/// Delete metadata
|
||||
#[cfg(feature = "untested")]
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub(crate) fn delete(txn: &Transaction<'_>) -> Result<()> {
|
||||
txn.save_object(T::obj_id(), &[])
|
||||
}
|
||||
|
||||
/// Get metadata item
|
||||
pub(crate) fn get_item(&self, tag: u8) -> Result<&[u8]> {
|
||||
let mut data = &self.inner[..];
|
||||
|
||||
while !data.is_empty() {
|
||||
let (remaining, tlv) = Tlv::parse(data)?;
|
||||
data = remaining;
|
||||
@@ -56,29 +126,23 @@ pub(crate) fn get_item(mut data: &[u8], tag: u8) -> Result<&[u8], Error> {
|
||||
}
|
||||
|
||||
Err(Error::GenericError)
|
||||
}
|
||||
}
|
||||
|
||||
/// Set metadata item
|
||||
#[cfg(feature = "untested")]
|
||||
pub(crate) fn set_item(
|
||||
data: &mut [u8],
|
||||
pcb_data: &mut usize,
|
||||
cb_data_max: usize,
|
||||
tag: u8,
|
||||
p_item: &[u8],
|
||||
) -> Result<(), Error> {
|
||||
/// Set metadata item
|
||||
#[cfg(feature = "untested")]
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub(crate) fn set_item(&mut self, tag: u8, item: &[u8]) -> Result<()> {
|
||||
let mut cb_temp: usize = 0;
|
||||
let mut tag_temp: u8 = 0;
|
||||
let mut cb_len: usize = 0;
|
||||
let cb_item = p_item.len();
|
||||
|
||||
let mut offset = 0;
|
||||
|
||||
while offset < *pcb_data {
|
||||
tag_temp = data[offset];
|
||||
while offset < self.inner.len() {
|
||||
tag_temp = self.inner[offset];
|
||||
offset += 1;
|
||||
|
||||
cb_len = get_length(&data[offset..], &mut cb_temp);
|
||||
cb_len = get_length(&self.inner[offset..], &mut cb_temp);
|
||||
offset += cb_len;
|
||||
|
||||
if tag_temp == tag {
|
||||
@@ -89,13 +153,16 @@ pub(crate) fn set_item(
|
||||
}
|
||||
|
||||
if tag_temp != tag {
|
||||
if cb_item == 0 {
|
||||
if item.is_empty() {
|
||||
// We've been asked to delete an existing item that isn't in the blob
|
||||
return Ok(());
|
||||
}
|
||||
|
||||
// We did not find an existing tag, append
|
||||
*pcb_data += Tlv::write(&mut data[*pcb_data..], tag, p_item)?;
|
||||
assert_eq!(offset, self.inner.len());
|
||||
self.inner
|
||||
.extend(iter::repeat(0).take(1 + get_length_size(item.len()) + item.len()));
|
||||
Tlv::write(&mut self.inner[offset..], tag, item)?;
|
||||
|
||||
return Ok(());
|
||||
}
|
||||
@@ -103,80 +170,50 @@ pub(crate) fn set_item(
|
||||
// Found tag
|
||||
|
||||
// Check length, if it matches, overwrite
|
||||
if cb_temp == cb_item {
|
||||
data[offset..offset + cb_item].copy_from_slice(p_item);
|
||||
if cb_temp == item.len() {
|
||||
self.inner[offset..offset + item.len()].copy_from_slice(item);
|
||||
return Ok(());
|
||||
}
|
||||
|
||||
// Length doesn't match, expand/shrink to fit
|
||||
let next_offset = offset + cb_temp;
|
||||
// Must be signed to have negative offsets
|
||||
let cb_moved: isize = (cb_item as isize - cb_temp as isize)
|
||||
+ if cb_item != 0 {
|
||||
get_length_size(cb_item) as isize
|
||||
} else {
|
||||
let cb_moved: isize = (item.len() as isize - cb_temp as isize)
|
||||
+ if item.is_empty() {
|
||||
// For tag, if deleting
|
||||
-1
|
||||
} else {
|
||||
get_length_size(item.len()) as isize
|
||||
}
|
||||
// Accounts for different length encoding
|
||||
- cb_len as isize;
|
||||
|
||||
// If length would cause buffer overflow, return error
|
||||
if (*pcb_data as isize + cb_moved) as usize > cb_data_max {
|
||||
if (self.inner.len() as isize + cb_moved) as usize > CB_OBJ_MAX {
|
||||
return Err(Error::GenericError);
|
||||
}
|
||||
|
||||
// Move remaining data
|
||||
data.copy_within(
|
||||
next_offset..*pcb_data,
|
||||
let orig_len = self.inner.len();
|
||||
if cb_moved > 0 {
|
||||
self.inner.extend(iter::repeat(0).take(cb_moved as usize));
|
||||
}
|
||||
self.inner.copy_within(
|
||||
next_offset..orig_len,
|
||||
(next_offset as isize + cb_moved) as usize,
|
||||
);
|
||||
*pcb_data = (*pcb_data as isize + cb_moved) as usize;
|
||||
self.inner
|
||||
.resize((orig_len as isize + cb_moved) as usize, 0);
|
||||
|
||||
// Re-encode item and insert
|
||||
if cb_item != 0 {
|
||||
if !item.is_empty() {
|
||||
offset -= cb_len;
|
||||
offset += set_length(&mut data[offset..], cb_item)?;
|
||||
data[offset..offset + cb_item].copy_from_slice(p_item);
|
||||
offset += set_length(&mut self.inner[offset..], item.len())?;
|
||||
self.inner[offset..offset + item.len()].copy_from_slice(item);
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
/// Read metadata
|
||||
pub(crate) fn read(txn: &Transaction<'_>, tag: u8) -> Result<Buffer, Error> {
|
||||
let obj_id = match tag {
|
||||
TAG_ADMIN => OBJ_ADMIN_DATA,
|
||||
TAG_PROTECTED => OBJ_PRINTED,
|
||||
_ => return Err(Error::InvalidObject),
|
||||
};
|
||||
|
||||
let data = txn.fetch_object(obj_id)?;
|
||||
Tlv::parse_single(data, tag)
|
||||
}
|
||||
|
||||
/// Write metadata
|
||||
#[cfg(feature = "untested")]
|
||||
pub(crate) fn write(txn: &Transaction<'_>, tag: u8, data: &[u8]) -> Result<(), Error> {
|
||||
if data.len() > CB_OBJ_MAX - CB_OBJ_TAG_MAX {
|
||||
return Err(Error::GenericError);
|
||||
}
|
||||
|
||||
let obj_id = match tag {
|
||||
TAG_ADMIN => OBJ_ADMIN_DATA,
|
||||
TAG_PROTECTED => OBJ_PRINTED,
|
||||
_ => return Err(Error::InvalidObject),
|
||||
};
|
||||
|
||||
if data.is_empty() {
|
||||
// Deleting metadata
|
||||
return txn.save_object(obj_id, &[]);
|
||||
}
|
||||
|
||||
let mut buf = Zeroizing::new(vec![0u8; CB_OBJ_MAX]);
|
||||
let len = Tlv::write(&mut buf, tag, data)?;
|
||||
|
||||
txn.save_object(obj_id, &buf[..len])
|
||||
}
|
||||
|
||||
/// Get the size of a length tag for the given length
|
||||
@@ -190,3 +227,27 @@ fn get_length_size(length: usize) -> usize {
|
||||
3
|
||||
}
|
||||
}
|
||||
|
||||
mod private {
|
||||
use super::*;
|
||||
pub trait Sealed {
|
||||
fn tag() -> u8;
|
||||
fn obj_id() -> u32;
|
||||
}
|
||||
impl Sealed for Protected {
|
||||
fn tag() -> u8 {
|
||||
TAG_PROTECTED
|
||||
}
|
||||
fn obj_id() -> u32 {
|
||||
OBJ_PRINTED
|
||||
}
|
||||
}
|
||||
impl Sealed for Admin {
|
||||
fn tag() -> u8 {
|
||||
TAG_ADMIN
|
||||
}
|
||||
fn obj_id() -> u32 {
|
||||
OBJ_ADMIN_DATA
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
+126
-81
@@ -30,38 +30,39 @@
|
||||
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
use crate::error::Error;
|
||||
use getrandom::getrandom;
|
||||
use crate::{Error, Result};
|
||||
use log::error;
|
||||
use std::convert::{TryFrom, TryInto};
|
||||
use rand_core::{OsRng, RngCore};
|
||||
use zeroize::{Zeroize, Zeroizing};
|
||||
|
||||
#[cfg(feature = "untested")]
|
||||
use crate::{
|
||||
metadata, yubikey::YubiKey, CB_BUF_MAX, CB_OBJ_MAX, TAG_ADMIN, TAG_ADMIN_FLAGS_1,
|
||||
TAG_ADMIN_SALT, TAG_PROTECTED, TAG_PROTECTED_MGM,
|
||||
consts::{TAG_ADMIN_FLAGS_1, TAG_ADMIN_SALT, TAG_PROTECTED_MGM},
|
||||
metadata::{AdminData, ProtectedData},
|
||||
yubikey::YubiKey,
|
||||
};
|
||||
use des::{
|
||||
cipher::{generic_array::GenericArray, BlockCipher, NewBlockCipher},
|
||||
cipher::{generic_array::GenericArray, BlockDecrypt, BlockEncrypt, KeyInit},
|
||||
TdesEde3,
|
||||
};
|
||||
#[cfg(feature = "untested")]
|
||||
use hmac::Hmac;
|
||||
use {pbkdf2::pbkdf2_hmac, sha1::Sha1};
|
||||
|
||||
/// YubiKey MGMT Applet Name
|
||||
#[cfg(feature = "untested")]
|
||||
use pbkdf2::pbkdf2;
|
||||
pub(crate) const APPLET_NAME: &str = "YubiKey MGMT";
|
||||
|
||||
/// MGMT Applet ID.
|
||||
///
|
||||
/// <https://developers.yubico.com/PIV/Introduction/Admin_access.html>
|
||||
#[cfg(feature = "untested")]
|
||||
use sha1::Sha1;
|
||||
pub(crate) const APPLET_ID: &[u8] = &[0xa0, 0x00, 0x00, 0x05, 0x27, 0x47, 0x11, 0x17];
|
||||
|
||||
pub(crate) const ADMIN_FLAGS_1_PROTECTED_MGM: u8 = 0x02;
|
||||
|
||||
#[cfg(feature = "untested")]
|
||||
const CB_ADMIN_SALT: usize = 16;
|
||||
|
||||
/// Default MGM key configured on all YubiKeys
|
||||
const DEFAULT_MGM_KEY: [u8; DES_LEN_3DES] = [
|
||||
1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8,
|
||||
];
|
||||
|
||||
/// Size of a DES key
|
||||
const DES_LEN_DES: usize = 8;
|
||||
|
||||
@@ -72,7 +73,7 @@ pub(crate) const DES_LEN_3DES: usize = DES_LEN_DES * 3;
|
||||
#[cfg(feature = "untested")]
|
||||
const ITER_MGM_PBKDF2: u32 = 10000;
|
||||
|
||||
/// Management Key (MGM) key types (manual/derived/protected)
|
||||
/// Management Key (MGM) key types (manual/derived/protected).
|
||||
#[derive(Copy, Clone, Debug, Eq, PartialEq)]
|
||||
pub enum MgmType {
|
||||
/// Manual
|
||||
@@ -96,27 +97,23 @@ pub struct MgmKey([u8; DES_LEN_3DES]);
|
||||
|
||||
impl MgmKey {
|
||||
/// Generate a random MGM key
|
||||
pub fn generate() -> Result<Self, Error> {
|
||||
pub fn generate() -> Self {
|
||||
let mut key_bytes = [0u8; DES_LEN_3DES];
|
||||
|
||||
if getrandom(&mut key_bytes).is_err() {
|
||||
return Err(Error::RandomnessError);
|
||||
}
|
||||
|
||||
MgmKey::new(key_bytes)
|
||||
OsRng.fill_bytes(&mut key_bytes);
|
||||
Self(key_bytes)
|
||||
}
|
||||
|
||||
/// Create an MGM key from byte slice.
|
||||
///
|
||||
/// Returns an error if the slice is the wrong size or the key is weak.
|
||||
pub fn from_bytes(bytes: impl AsRef<[u8]>) -> Result<Self, Error> {
|
||||
pub fn from_bytes(bytes: impl AsRef<[u8]>) -> Result<Self> {
|
||||
bytes.as_ref().try_into()
|
||||
}
|
||||
|
||||
/// Create an MGM key from the given byte array.
|
||||
///
|
||||
/// Returns an error if the key is weak.
|
||||
pub fn new(key_bytes: [u8; DES_LEN_3DES]) -> Result<Self, Error> {
|
||||
pub fn new(key_bytes: [u8; DES_LEN_3DES]) -> Result<Self> {
|
||||
if is_weak_key(&key_bytes) {
|
||||
error!(
|
||||
"blacklisting key '{:?}' since it's weak (with odd parity)",
|
||||
@@ -126,17 +123,18 @@ impl MgmKey {
|
||||
return Err(Error::KeyError);
|
||||
}
|
||||
|
||||
Ok(MgmKey(key_bytes))
|
||||
Ok(Self(key_bytes))
|
||||
}
|
||||
|
||||
/// Get derived management key (MGM)
|
||||
#[cfg(feature = "untested")]
|
||||
pub fn get_derived(yubikey: &mut YubiKey, pin: &[u8]) -> Result<Self, Error> {
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub fn get_derived(yubikey: &mut YubiKey, pin: &[u8]) -> Result<Self> {
|
||||
let txn = yubikey.begin_transaction()?;
|
||||
|
||||
// recover management key
|
||||
let data = metadata::read(&txn, TAG_ADMIN)?;
|
||||
let salt = metadata::get_item(&data, TAG_ADMIN_SALT)?;
|
||||
let admin_data = AdminData::read(&txn)?;
|
||||
let salt = admin_data.get_item(TAG_ADMIN_SALT)?;
|
||||
|
||||
if salt.len() != CB_ADMIN_SALT {
|
||||
error!(
|
||||
@@ -149,22 +147,22 @@ impl MgmKey {
|
||||
}
|
||||
|
||||
let mut mgm = [0u8; DES_LEN_3DES];
|
||||
pbkdf2::<Hmac<Sha1>>(pin, &salt, ITER_MGM_PBKDF2, &mut mgm);
|
||||
|
||||
pbkdf2_hmac::<Sha1>(pin, salt, ITER_MGM_PBKDF2, &mut mgm);
|
||||
MgmKey::from_bytes(mgm)
|
||||
}
|
||||
|
||||
/// Get protected management key (MGM)
|
||||
#[cfg(feature = "untested")]
|
||||
pub fn get_protected(yubikey: &mut YubiKey) -> Result<Self, Error> {
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub fn get_protected(yubikey: &mut YubiKey) -> Result<Self> {
|
||||
let txn = yubikey.begin_transaction()?;
|
||||
|
||||
let data = metadata::read(&txn, TAG_PROTECTED).map_err(|e| {
|
||||
let protected_data = ProtectedData::read(&txn).map_err(|e| {
|
||||
error!("could not read protected data (err: {:?})", e);
|
||||
e
|
||||
})?;
|
||||
|
||||
let item = metadata::get_item(&data, TAG_PROTECTED_MGM).map_err(|e| {
|
||||
let item = protected_data.get_item(TAG_PROTECTED_MGM).map_err(|e| {
|
||||
error!("could not read protected MGM from metadata (err: {:?})", e);
|
||||
e
|
||||
})?;
|
||||
@@ -182,21 +180,87 @@ impl MgmKey {
|
||||
MgmKey::from_bytes(item)
|
||||
}
|
||||
|
||||
/// Set the management key (MGM)
|
||||
/// Resets the management key for the given YubiKey to the default value.
|
||||
///
|
||||
/// This will wipe any metadata related to derived and PIN-protected management keys.
|
||||
#[cfg(feature = "untested")]
|
||||
pub fn set(&self, yubikey: &mut YubiKey, touch: Option<u8>) -> Result<(), Error> {
|
||||
let txn = yubikey.begin_transaction()?;
|
||||
txn.set_mgm_key(&self, touch)
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub fn set_default(yubikey: &mut YubiKey) -> Result<()> {
|
||||
MgmKey::default().set_manual(yubikey, false)
|
||||
}
|
||||
|
||||
/// Set protected management key (MGM)
|
||||
/// Configures the given YubiKey to use this management key.
|
||||
///
|
||||
/// The management key must be stored by the user, and provided when performing key
|
||||
/// management operations.
|
||||
///
|
||||
/// This will wipe any metadata related to derived and PIN-protected management keys.
|
||||
#[cfg(feature = "untested")]
|
||||
pub fn set_protected(&self, yubikey: &mut YubiKey) -> Result<(), Error> {
|
||||
let mut data = Zeroizing::new(vec![0u8; CB_BUF_MAX]);
|
||||
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub fn set_manual(&self, yubikey: &mut YubiKey, require_touch: bool) -> Result<()> {
|
||||
let txn = yubikey.begin_transaction()?;
|
||||
|
||||
txn.set_mgm_key(self, None).map_err(|e| {
|
||||
txn.set_mgm_key(self, require_touch).map_err(|e| {
|
||||
// Log a warning, since the device mgm key is corrupt or we're in a state
|
||||
// where we can't set the mgm key.
|
||||
error!("could not set new derived mgm key, err = {}", e);
|
||||
e
|
||||
})?;
|
||||
|
||||
// After this point, we've set the mgm key, so the function should succeed,
|
||||
// regardless of being able to set the metadata.
|
||||
|
||||
if let Ok(mut admin_data) = AdminData::read(&txn) {
|
||||
// Clear the protected mgm key bit.
|
||||
if let Ok(item) = admin_data.get_item(TAG_ADMIN_FLAGS_1) {
|
||||
let mut flags_1 = [0u8; 1];
|
||||
if item.len() == flags_1.len() {
|
||||
flags_1.copy_from_slice(item);
|
||||
flags_1[0] &= !ADMIN_FLAGS_1_PROTECTED_MGM;
|
||||
|
||||
if let Err(e) = admin_data.set_item(TAG_ADMIN_FLAGS_1, &flags_1) {
|
||||
error!("could not set admin flags item, err = {}", e);
|
||||
}
|
||||
} else {
|
||||
error!(
|
||||
"admin data flags are an incorrect size: {} (expected {})",
|
||||
item.len(),
|
||||
flags_1.len()
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
// Remove any existing salt for a derived mgm key.
|
||||
if let Err(e) = admin_data.set_item(TAG_ADMIN_SALT, &[]) {
|
||||
error!("could not unset derived mgm salt (err = {})", e)
|
||||
}
|
||||
|
||||
if let Err(e) = admin_data.write(&txn) {
|
||||
error!("could not write admin data, err = {}", e);
|
||||
}
|
||||
}
|
||||
|
||||
// Clear any prior mgm key from protected data.
|
||||
if let Ok(mut protected_data) = ProtectedData::read(&txn) {
|
||||
if let Err(e) = protected_data.set_item(TAG_PROTECTED_MGM, &[]) {
|
||||
error!("could not clear protected mgm item, err = {:?}", e);
|
||||
} else if let Err(e) = protected_data.write(&txn) {
|
||||
error!("could not write protected data, err = {:?}", e);
|
||||
}
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
/// Configures the given YubiKey to use this as a PIN-protected management key.
|
||||
///
|
||||
/// This enables key management operations to be performed with access to the PIN.
|
||||
#[cfg(feature = "untested")]
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub fn set_protected(&self, yubikey: &mut YubiKey) -> Result<()> {
|
||||
let txn = yubikey.begin_transaction()?;
|
||||
|
||||
txn.set_mgm_key(self, false).map_err(|e| {
|
||||
// log a warning, since the device mgm key is corrupt or we're in
|
||||
// a state where we can't set the mgm key
|
||||
error!("could not set new derived mgm key, err = {}", e);
|
||||
@@ -206,39 +270,25 @@ impl MgmKey {
|
||||
// after this point, we've set the mgm key, so the function should
|
||||
// succeed, regardless of being able to set the metadata
|
||||
|
||||
// set the new mgm key in protected data
|
||||
let buffer = match metadata::read(&txn, TAG_PROTECTED) {
|
||||
Ok(b) => b,
|
||||
Err(_) => {
|
||||
// set current metadata blob size to zero, we'll add to the blank blob
|
||||
Zeroizing::new(vec![])
|
||||
}
|
||||
};
|
||||
let mut cb_data = buffer.len();
|
||||
data[..cb_data].copy_from_slice(&buffer);
|
||||
// Fetch the current protected data, or start a blank metadata blob.
|
||||
let mut protected_data = ProtectedData::read(&txn).unwrap_or_default();
|
||||
|
||||
if let Err(e) = metadata::set_item(
|
||||
data.as_mut_slice(),
|
||||
&mut cb_data,
|
||||
CB_OBJ_MAX,
|
||||
TAG_PROTECTED_MGM,
|
||||
self.as_ref(),
|
||||
) {
|
||||
// Set the new mgm key in protected data.
|
||||
if let Err(e) = protected_data.set_item(TAG_PROTECTED_MGM, self.as_ref()) {
|
||||
error!("could not set protected mgm item, err = {:?}", e);
|
||||
} else {
|
||||
metadata::write(&txn, TAG_PROTECTED, &data).map_err(|e| {
|
||||
protected_data.write(&txn).map_err(|e| {
|
||||
error!("could not write protected data, err = {:?}", e);
|
||||
e
|
||||
})?;
|
||||
}
|
||||
|
||||
// set the protected mgm flag in admin data
|
||||
cb_data = data.len();
|
||||
|
||||
let mut flags_1 = [0u8; 1];
|
||||
|
||||
if let Ok(buffer) = metadata::read(&txn, TAG_ADMIN) {
|
||||
if let Ok(item) = metadata::get_item(&buffer, TAG_ADMIN_FLAGS_1) {
|
||||
let mut admin_data = if let Ok(mut admin_data) = AdminData::read(&txn) {
|
||||
if let Ok(item) = admin_data.get_item(TAG_ADMIN_FLAGS_1) {
|
||||
if item.len() == flags_1.len() {
|
||||
flags_1.copy_from_slice(item);
|
||||
} else {
|
||||
@@ -254,26 +304,20 @@ impl MgmKey {
|
||||
}
|
||||
|
||||
// remove any existing salt
|
||||
if let Err(e) =
|
||||
metadata::set_item(&mut data, &mut cb_data, CB_OBJ_MAX, TAG_ADMIN_SALT, &[])
|
||||
{
|
||||
if let Err(e) = admin_data.set_item(TAG_ADMIN_SALT, &[]) {
|
||||
error!("could not unset derived mgm salt (err = {})", e)
|
||||
}
|
||||
|
||||
admin_data
|
||||
} else {
|
||||
cb_data = 0;
|
||||
}
|
||||
AdminData::default()
|
||||
};
|
||||
|
||||
flags_1[0] |= ADMIN_FLAGS_1_PROTECTED_MGM;
|
||||
|
||||
if let Err(e) = metadata::set_item(
|
||||
data.as_mut_slice(),
|
||||
&mut cb_data,
|
||||
CB_OBJ_MAX,
|
||||
TAG_ADMIN_FLAGS_1,
|
||||
&flags_1,
|
||||
) {
|
||||
if let Err(e) = admin_data.set_item(TAG_ADMIN_FLAGS_1, &flags_1) {
|
||||
error!("could not set admin flags item, err = {}", e);
|
||||
} else if let Err(e) = metadata::write(&txn, TAG_ADMIN, &data[..cb_data]) {
|
||||
} else if let Err(e) = admin_data.write(&txn) {
|
||||
error!("could not write admin data, err = {}", e);
|
||||
}
|
||||
|
||||
@@ -281,7 +325,6 @@ impl MgmKey {
|
||||
}
|
||||
|
||||
/// Encrypt with 3DES key
|
||||
#[allow(clippy::trivially_copy_pass_by_ref)]
|
||||
pub(crate) fn encrypt(&self, input: &[u8; DES_LEN_DES]) -> [u8; DES_LEN_DES] {
|
||||
let mut output = input.to_owned();
|
||||
TdesEde3::new(GenericArray::from_slice(&self.0))
|
||||
@@ -290,7 +333,6 @@ impl MgmKey {
|
||||
}
|
||||
|
||||
/// Decrypt with 3DES key
|
||||
#[allow(clippy::trivially_copy_pass_by_ref)]
|
||||
pub(crate) fn decrypt(&self, input: &[u8; DES_LEN_DES]) -> [u8; DES_LEN_DES] {
|
||||
let mut output = input.to_owned();
|
||||
TdesEde3::new(GenericArray::from_slice(&self.0))
|
||||
@@ -305,9 +347,12 @@ impl AsRef<[u8; DES_LEN_3DES]> for MgmKey {
|
||||
}
|
||||
}
|
||||
|
||||
/// Default MGM key configured on all YubiKeys
|
||||
impl Default for MgmKey {
|
||||
fn default() -> Self {
|
||||
MgmKey(DEFAULT_MGM_KEY)
|
||||
MgmKey([
|
||||
1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8,
|
||||
])
|
||||
}
|
||||
}
|
||||
|
||||
@@ -320,7 +365,7 @@ impl Drop for MgmKey {
|
||||
impl<'a> TryFrom<&'a [u8]> for MgmKey {
|
||||
type Error = Error;
|
||||
|
||||
fn try_from(key_bytes: &'a [u8]) -> Result<Self, Error> {
|
||||
fn try_from(key_bytes: &'a [u8]) -> Result<Self> {
|
||||
Self::new(key_bytes.try_into().map_err(|_| Error::SizeError)?)
|
||||
}
|
||||
}
|
||||
@@ -369,7 +414,7 @@ fn is_weak_key(key: &[u8; DES_LEN_3DES]) -> bool {
|
||||
c = (c & 0x0F) + ((c >> 4) & 0x0F);
|
||||
|
||||
// if count is even, set low key bit to 1, otherwise 0
|
||||
tmp[i] = (key[i] & 0xFE) | (if c & 0x01 == 0x01 { 0x00 } else { 0x01 });
|
||||
tmp[i] = (key[i] & 0xFE) | u8::from(c & 0x01 != 0x01);
|
||||
}
|
||||
|
||||
// check odd parity key against table by DES key block
|
||||
|
||||
+53
-74
@@ -1,7 +1,4 @@
|
||||
//! MS Container Map Records
|
||||
//!
|
||||
//! These appear(?) to be defined in Microsoft's Smart Card Minidriver Specification:
|
||||
//! <https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn631754(v=vs.85)>
|
||||
//! MS Container Map Records.
|
||||
|
||||
// Adapted from yubico-piv-tool:
|
||||
// <https://github.com/Yubico/yubico-piv-tool/>
|
||||
@@ -33,54 +30,57 @@
|
||||
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
use crate::{error::Error, key::SlotId, serialization::*, yubikey::YubiKey, CB_OBJ_MAX};
|
||||
use crate::{consts::CB_OBJ_MAX, piv::SlotId, serialization::*, Error, Result, YubiKey};
|
||||
use log::error;
|
||||
use std::{
|
||||
convert::{TryFrom, TryInto},
|
||||
fmt::{self, Debug},
|
||||
};
|
||||
|
||||
/// Container name length
|
||||
const CONTAINER_NAME_LEN: usize = 40;
|
||||
|
||||
/// Container record length: 27 = 80 + 1 + 1 + 2 + 1 + 1 + 1 + 20
|
||||
const CONTAINER_REC_LEN: usize = (2 * CONTAINER_NAME_LEN) + 27;
|
||||
|
||||
const OBJ_MSCMAP: u32 = 0x005f_ff10;
|
||||
|
||||
const TAG_MSCMAP: u8 = 0x81;
|
||||
|
||||
/// MS Container Map(?) Records
|
||||
#[derive(Copy, Clone)]
|
||||
pub struct Container {
|
||||
/// Container name
|
||||
pub name: [u16; CONTAINER_NAME_LEN],
|
||||
/// MS Container Map records.
|
||||
///
|
||||
/// Defined in Microsoft's Smart Card Minidriver Specification:
|
||||
/// <https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn631754(v=vs.85)>
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
#[derive(Clone, Debug)]
|
||||
pub struct MsContainer {
|
||||
/// Container name.
|
||||
pub name: [u16; Self::NAME_LEN],
|
||||
|
||||
/// Card slot
|
||||
/// Card slot.
|
||||
pub slot: SlotId,
|
||||
|
||||
/// Key spec
|
||||
/// Key spec.
|
||||
pub key_spec: u8,
|
||||
|
||||
/// Key size in bits
|
||||
/// Key size in bits.
|
||||
pub key_size_bits: u16,
|
||||
|
||||
/// Flags
|
||||
/// Flags.
|
||||
pub flags: u8,
|
||||
|
||||
/// PIN ID
|
||||
/// PIN ID.
|
||||
pub pin_id: u8,
|
||||
|
||||
/// Associated ECHD(?) container (typo of "ecdh" perhaps?)
|
||||
/// Associated ECHD container.
|
||||
pub associated_echd_container: u8,
|
||||
|
||||
/// Cert fingerprint
|
||||
pub cert_fingerprint: [u8; 20],
|
||||
/// Cert fingerprint.
|
||||
pub cert_fingerprint: [u8; Self::CERT_FINGERPRINT_LEN],
|
||||
}
|
||||
|
||||
impl Container {
|
||||
/// Read MS Container Map records
|
||||
pub fn read_mscmap(yubikey: &mut YubiKey) -> Result<Vec<Self>, Error> {
|
||||
impl MsContainer {
|
||||
/// Container name length in UTF-16 chars.
|
||||
const NAME_LEN: usize = 40;
|
||||
|
||||
/// Container record length: 27 = 80 + 1 + 1 + 2 + 1 + 1 + 1 + 20
|
||||
const REC_LEN: usize = (2 * Self::NAME_LEN) + 27;
|
||||
|
||||
/// Length of a certificate fingerprint.
|
||||
const CERT_FINGERPRINT_LEN: usize = 20;
|
||||
|
||||
/// Read MS Container Map records.
|
||||
pub fn read_mscmap(yubikey: &mut YubiKey) -> Result<Vec<Self>> {
|
||||
let txn = yubikey.begin_transaction()?;
|
||||
let response = txn.fetch_object(OBJ_MSCMAP)?;
|
||||
let mut containers = vec![];
|
||||
@@ -98,17 +98,17 @@ impl Container {
|
||||
return Err(Error::InvalidObject);
|
||||
}
|
||||
|
||||
for chunk in tlv.value.chunks_exact(CONTAINER_REC_LEN) {
|
||||
containers.push(Container::new(chunk)?);
|
||||
for chunk in tlv.value.chunks_exact(Self::REC_LEN) {
|
||||
containers.push(MsContainer::new(chunk)?);
|
||||
}
|
||||
|
||||
Ok(containers)
|
||||
}
|
||||
|
||||
/// Write MS Container Map records.
|
||||
pub fn write_mscmap(yubikey: &mut YubiKey, containers: &[Self]) -> Result<(), Error> {
|
||||
pub fn write_mscmap(yubikey: &mut YubiKey, containers: &[Self]) -> Result<()> {
|
||||
let n_containers = containers.len();
|
||||
let data_len = n_containers * CONTAINER_REC_LEN;
|
||||
let data_len = n_containers * Self::REC_LEN;
|
||||
|
||||
let txn = yubikey.begin_transaction()?;
|
||||
|
||||
@@ -118,7 +118,7 @@ impl Container {
|
||||
|
||||
let mut buf = [0u8; CB_OBJ_MAX];
|
||||
let offset = Tlv::write_as(&mut buf, TAG_MSCMAP, data_len, |buf| {
|
||||
for (i, chunk) in buf.chunks_exact_mut(CONTAINER_REC_LEN).enumerate() {
|
||||
for (i, chunk) in buf.chunks_exact_mut(Self::REC_LEN).enumerate() {
|
||||
chunk.copy_from_slice(&containers[i].to_bytes());
|
||||
}
|
||||
})?;
|
||||
@@ -126,19 +126,19 @@ impl Container {
|
||||
txn.save_object(OBJ_MSCMAP, &buf[..offset])
|
||||
}
|
||||
|
||||
/// Parse a container record from a byte slice
|
||||
pub fn new(bytes: &[u8]) -> Result<Self, Error> {
|
||||
if bytes.len() != CONTAINER_REC_LEN {
|
||||
/// Parse a container record from a byte slice.
|
||||
pub fn new(bytes: &[u8]) -> Result<Self> {
|
||||
if bytes.len() != Self::REC_LEN {
|
||||
error!(
|
||||
"couldn't parse PIV container: expected {}-bytes, got {}-bytes",
|
||||
CONTAINER_REC_LEN,
|
||||
Self::REC_LEN,
|
||||
bytes.len()
|
||||
);
|
||||
return Err(Error::ParseError);
|
||||
}
|
||||
|
||||
let mut name = [0u16; CONTAINER_NAME_LEN];
|
||||
let name_bytes_len = CONTAINER_NAME_LEN * 2;
|
||||
let mut name = [0u16; Self::NAME_LEN];
|
||||
let name_bytes_len = Self::NAME_LEN * 2;
|
||||
|
||||
for (i, chunk) in bytes[..name_bytes_len].chunks_exact(2).enumerate() {
|
||||
name[i] = u16::from_le_bytes(chunk.try_into().unwrap());
|
||||
@@ -147,7 +147,7 @@ impl Container {
|
||||
let mut cert_fingerprint = [0u8; 20];
|
||||
cert_fingerprint.copy_from_slice(&bytes[(bytes.len() - 20)..]);
|
||||
|
||||
Ok(Container {
|
||||
Ok(Self {
|
||||
name,
|
||||
slot: bytes[name_bytes_len].try_into()?,
|
||||
key_spec: bytes[name_bytes_len + 1],
|
||||
@@ -163,16 +163,17 @@ impl Container {
|
||||
})
|
||||
}
|
||||
|
||||
/// Parse the container name as a UTF-16 string
|
||||
pub fn parse_name(&self) -> Result<String, Error> {
|
||||
/// Parse the container name as a UTF-16 string.
|
||||
pub fn parse_name(&self) -> Result<String> {
|
||||
String::from_utf16(&self.name).map_err(|_| Error::ParseError)
|
||||
}
|
||||
|
||||
/// Serialize a container record as a byte size
|
||||
pub fn to_bytes(&self) -> [u8; CONTAINER_REC_LEN] {
|
||||
let mut bytes = Vec::with_capacity(CONTAINER_REC_LEN);
|
||||
/// Serialize a container record as a byte size.
|
||||
pub fn to_bytes(&self) -> [u8; Self::REC_LEN] {
|
||||
// TODO(tarcieri): use array instead of `Vec`
|
||||
let mut bytes = Vec::with_capacity(Self::REC_LEN);
|
||||
|
||||
for i in 0..CONTAINER_NAME_LEN {
|
||||
for i in 0..Self::NAME_LEN {
|
||||
bytes.extend_from_slice(&self.name[i].to_le_bytes());
|
||||
}
|
||||
|
||||
@@ -183,36 +184,14 @@ impl Container {
|
||||
bytes.push(self.pin_id);
|
||||
bytes.push(self.associated_echd_container);
|
||||
bytes.extend_from_slice(&self.cert_fingerprint);
|
||||
|
||||
// TODO(tarcieri): use TryInto here when const generics are available
|
||||
let mut result = [0u8; CONTAINER_REC_LEN];
|
||||
result.copy_from_slice(&bytes);
|
||||
result
|
||||
bytes.as_slice().try_into().unwrap()
|
||||
}
|
||||
}
|
||||
|
||||
impl Debug for Container {
|
||||
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
|
||||
write!(
|
||||
f,
|
||||
"PivContainer {{ name: {:?}, slot: {:?}, key_spec: {}, key_size_bits: {}, \
|
||||
flags: {}, pin_id: {}, associated_echd_container: {}, cert_fingerprint: {:?} }}",
|
||||
&self.name[..],
|
||||
self.slot,
|
||||
self.key_spec,
|
||||
self.key_size_bits,
|
||||
self.flags,
|
||||
self.pin_id,
|
||||
self.associated_echd_container,
|
||||
&self.cert_fingerprint[..]
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
impl<'a> TryFrom<&'a [u8]> for Container {
|
||||
impl<'a> TryFrom<&'a [u8]> for MsContainer {
|
||||
type Error = Error;
|
||||
|
||||
fn try_from(bytes: &'a [u8]) -> Result<Self, Error> {
|
||||
fn try_from(bytes: &'a [u8]) -> Result<Self> {
|
||||
Self::new(bytes)
|
||||
}
|
||||
}
|
||||
|
||||
+20
-16
@@ -1,11 +1,4 @@
|
||||
//! `msroots`: PKCS#7 formatted certificate store for enterprise trusted roots.
|
||||
//!
|
||||
//! This `msroots` file contains a bag of certificates with empty content and
|
||||
//! an empty signature, allowing an enterprise root certificate truststore to
|
||||
//! be written to and read from a YubiKey.
|
||||
//!
|
||||
//! For more information, see:
|
||||
//! <https://docs.microsoft.com/en-us/windows-hardware/drivers/smartcard/developer-guidelines#-interoperability-with-msroots>
|
||||
//! PKCS#7 formatted certificate store for enterprise trusted roots.
|
||||
|
||||
// Adapted from yubico-piv-tool:
|
||||
// <https://github.com/Yubico/yubico-piv-tool/>
|
||||
@@ -37,8 +30,11 @@
|
||||
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
use crate::{error::Error, serialization::*, yubikey::YubiKey};
|
||||
use crate::{CB_OBJ_MAX, CB_OBJ_TAG_MAX};
|
||||
use crate::{
|
||||
consts::{CB_OBJ_MAX, CB_OBJ_TAG_MAX},
|
||||
serialization::*,
|
||||
Error, Result, YubiKey,
|
||||
};
|
||||
use log::error;
|
||||
|
||||
const OBJ_MSROOTS1: u32 = 0x005f_ff11;
|
||||
@@ -53,17 +49,25 @@ const OBJ_MSROOTS5: u32 = 0x005f_ff15;
|
||||
const TAG_MSROOTS_END: u8 = 0x82;
|
||||
const TAG_MSROOTS_MID: u8 = 0x83;
|
||||
|
||||
/// `msroots` file: PKCS#7-formatted certificate store for enterprise trust roots
|
||||
/// PKCS#7-formatted certificate store for enterprise trust roots.
|
||||
///
|
||||
/// The `msroots` file contains a bag of certificates with empty content and
|
||||
/// an empty signature, allowing an enterprise root certificate truststore to
|
||||
/// be written to and read from a YubiKey.
|
||||
///
|
||||
/// For more information, see:
|
||||
/// <https://docs.microsoft.com/en-us/windows-hardware/drivers/smartcard/developer-guidelines#-interoperability-with-msroots>
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub struct MsRoots(Vec<u8>);
|
||||
|
||||
impl MsRoots {
|
||||
/// Initialize a local certificate struct from the given bytebuffer
|
||||
pub fn new(msroots: impl AsRef<[u8]>) -> Result<Self, Error> {
|
||||
pub fn new(msroots: impl AsRef<[u8]>) -> Result<Self> {
|
||||
Ok(MsRoots(msroots.as_ref().into()))
|
||||
}
|
||||
|
||||
/// Read `msroots` file from YubiKey
|
||||
pub fn read(yubikey: &mut YubiKey) -> Result<Option<Self>, Error> {
|
||||
pub fn read(yubikey: &mut YubiKey) -> Result<Option<Self>> {
|
||||
let txn = yubikey.begin_transaction()?;
|
||||
|
||||
// allocate first page
|
||||
@@ -100,14 +104,14 @@ impl MsRoots {
|
||||
}
|
||||
|
||||
/// Write `msroots` file to YubiKey
|
||||
pub fn write(&self, yubikey: &mut YubiKey) -> Result<(), Error> {
|
||||
pub fn write(&self, yubikey: &mut YubiKey) -> Result<()> {
|
||||
let mut buf = [0u8; CB_OBJ_MAX];
|
||||
let mut offset: usize;
|
||||
let mut data_offset: usize = 0;
|
||||
let mut data_chunk: usize;
|
||||
let data = &self.0;
|
||||
let data_len = data.len();
|
||||
let n_objs: usize;
|
||||
|
||||
let txn = yubikey.begin_transaction()?;
|
||||
|
||||
if data_len == 0 {
|
||||
@@ -115,7 +119,7 @@ impl MsRoots {
|
||||
}
|
||||
|
||||
// Calculate number of objects required to store blob
|
||||
n_objs = (data_len / (CB_OBJ_MAX - CB_OBJ_TAG_MAX)) + 1;
|
||||
let n_objs: usize = (data_len / (CB_OBJ_MAX - CB_OBJ_TAG_MAX)) + 1;
|
||||
|
||||
if n_objs > 5 {
|
||||
return Err(Error::SizeError);
|
||||
|
||||
@@ -0,0 +1,5 @@
|
||||
/// YubiKey OTP Applet Name
|
||||
pub(crate) const APPLET_NAME: &str = "YubiKey OTP";
|
||||
|
||||
/// YubiKey OTP Applet ID. Needed to query serial on YK4.
|
||||
pub(crate) const APPLET_ID: &[u8] = &[0xa0, 0x00, 0x00, 0x05, 0x27, 0x20, 0x01, 0x01];
|
||||
+509
-149
@@ -1,11 +1,16 @@
|
||||
//! PIV cryptographic keys stored in a YubiKey.
|
||||
//! Personal Identity Verification (PIV) cryptographic keys stored in a YubiKey.
|
||||
//!
|
||||
//! Support for public-key cryptography using keys stored within the PIV
|
||||
//! slots of a YubiKey.
|
||||
//!
|
||||
//! Supported algorithms:
|
||||
//!
|
||||
//! - **Encryption**: `RSA1024`, `RSA2048`, `ECCP256`, `ECCP384`
|
||||
//! - **Encryption**:
|
||||
//! - RSA: `RSA1024`, `RSA2048`
|
||||
//! - ECC: `ECCP256`, `ECCP384` (NIST curves: P-256, P-384)
|
||||
//! - **Signatures**:
|
||||
//! - RSASSA-PKCS#1v1.5: `RSA1024`, `RSA2048`
|
||||
//! - ECDSA: `ECCP256`, `ECCP384`
|
||||
//! - ECDSA: `ECCP256`, `ECCP384` (NIST curves: P-256, P-384)
|
||||
|
||||
// Adapted from yubico-piv-tool:
|
||||
// <https://github.com/Yubico/yubico-piv-tool/>
|
||||
@@ -39,35 +44,41 @@
|
||||
|
||||
use crate::{
|
||||
apdu::{Ins, StatusWords},
|
||||
certificate::{self, Certificate},
|
||||
error::Error,
|
||||
serialization::*,
|
||||
settings,
|
||||
yubikey::YubiKey,
|
||||
ObjectId,
|
||||
};
|
||||
use log::debug;
|
||||
use std::convert::TryFrom;
|
||||
|
||||
#[cfg(feature = "untested")]
|
||||
use crate::CB_OBJ_MAX;
|
||||
use crate::{
|
||||
certificate::PublicKeyInfo,
|
||||
certificate::{self, Certificate, PublicKeyInfo},
|
||||
consts::CB_OBJ_MAX,
|
||||
error::{Error, Result},
|
||||
policy::{PinPolicy, TouchPolicy},
|
||||
Buffer,
|
||||
serialization::*,
|
||||
setting,
|
||||
yubikey::YubiKey,
|
||||
Buffer, ObjectId,
|
||||
};
|
||||
use elliptic_curve::sec1::EncodedPoint as EcPublicKey;
|
||||
use log::{error, warn};
|
||||
use log::{debug, error, warn};
|
||||
use p256::NistP256;
|
||||
use p384::NistP384;
|
||||
use rsa::{BigUint, RsaPublicKey};
|
||||
use std::{
|
||||
fmt::{Display, Formatter},
|
||||
str::FromStr,
|
||||
};
|
||||
|
||||
#[cfg(feature = "untested")]
|
||||
use num_bigint::traits::ModInverse;
|
||||
#[cfg(feature = "untested")]
|
||||
use num_integer::Integer;
|
||||
#[cfg(feature = "untested")]
|
||||
use num_traits::{FromPrimitive, One};
|
||||
use rsa::{BigUint, RSAPublicKey};
|
||||
use {
|
||||
num_bigint_dig::traits::ModInverse,
|
||||
num_integer::Integer,
|
||||
num_traits::{FromPrimitive, One},
|
||||
};
|
||||
|
||||
#[cfg(feature = "untested")]
|
||||
use zeroize::Zeroizing;
|
||||
|
||||
/// PIV Applet Name
|
||||
pub(crate) const APPLET_NAME: &str = "PIV";
|
||||
|
||||
/// PIV Applet ID
|
||||
pub(crate) const APPLET_ID: &[u8] = &[0xa0, 0x00, 0x00, 0x03, 0x08];
|
||||
|
||||
const CB_ECC_POINTP256: usize = 65;
|
||||
const CB_ECC_POINTP384: usize = 97;
|
||||
|
||||
@@ -83,7 +94,7 @@ const KEYDATA_RSA_EXP: u64 = 65537;
|
||||
|
||||
/// Slot identifiers.
|
||||
/// <https://developers.yubico.com/PIV/Introduction/Certificate_slots.html>
|
||||
#[derive(Clone, Copy, Debug, PartialEq)]
|
||||
#[derive(Clone, Copy, Debug, Eq, Hash, PartialEq, Ord, PartialOrd)]
|
||||
pub enum SlotId {
|
||||
/// This certificate and its associated private key is used to authenticate the card
|
||||
/// and the cardholder. This slot is used for things like system login. The end user
|
||||
@@ -121,19 +132,24 @@ pub enum SlotId {
|
||||
/// attestation of other keys generated on device with instruction `f9`. This slot is
|
||||
/// not cleared on reset, but can be overwritten.
|
||||
Attestation,
|
||||
|
||||
/// Thse slots are used for management. PIN PUK and Management Key.
|
||||
Management(ManagementSlotId),
|
||||
}
|
||||
|
||||
impl TryFrom<u8> for SlotId {
|
||||
type Error = Error;
|
||||
|
||||
fn try_from(value: u8) -> Result<Self, Self::Error> {
|
||||
fn try_from(value: u8) -> Result<Self> {
|
||||
match value {
|
||||
0x9a => Ok(SlotId::Authentication),
|
||||
0x9c => Ok(SlotId::Signature),
|
||||
0x9d => Ok(SlotId::KeyManagement),
|
||||
0x9e => Ok(SlotId::CardAuthentication),
|
||||
0xf9 => Ok(SlotId::Attestation),
|
||||
_ => RetiredSlotId::try_from(value).map(SlotId::Retired),
|
||||
_ => RetiredSlotId::try_from(value)
|
||||
.map(SlotId::Retired)
|
||||
.or_else(|_| ManagementSlotId::try_from(value).map(SlotId::Management)),
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -147,21 +163,35 @@ impl From<SlotId> for u8 {
|
||||
SlotId::CardAuthentication => 0x9e,
|
||||
SlotId::Retired(retired) => retired.into(),
|
||||
SlotId::Attestation => 0xf9,
|
||||
SlotId::Management(mgmt) => mgmt.into(),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl TryFrom<String> for SlotId {
|
||||
type Error = Error;
|
||||
impl Display for SlotId {
|
||||
fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
|
||||
match self {
|
||||
SlotId::Management(r) => write!(f, "{:?}", r),
|
||||
SlotId::Retired(r) => write!(f, "{:?}", r),
|
||||
_ => write!(f, "{:?}", self),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
fn try_from(s: String) -> Result<SlotId, Error> {
|
||||
match s.as_ref() {
|
||||
impl FromStr for SlotId {
|
||||
type Err = Error;
|
||||
|
||||
fn from_str(s: &str) -> Result<SlotId> {
|
||||
match s {
|
||||
"9a" => Ok(SlotId::Authentication),
|
||||
"9c" => Ok(SlotId::Signature),
|
||||
"9d" => Ok(SlotId::KeyManagement),
|
||||
"9e" => Ok(SlotId::CardAuthentication),
|
||||
"f9" => Ok(SlotId::Attestation),
|
||||
_ => RetiredSlotId::try_from(s).map(SlotId::Retired),
|
||||
_ => s
|
||||
.parse()
|
||||
.map(SlotId::Management)
|
||||
.or_else(|_| s.parse().map(SlotId::Retired)),
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -175,6 +205,7 @@ impl SlotId {
|
||||
SlotId::KeyManagement => 0x005f_c10b,
|
||||
SlotId::CardAuthentication => 0x005f_c101,
|
||||
SlotId::Retired(retired) => retired.object_id(),
|
||||
SlotId::Management(mgmt) => mgmt.object_id(),
|
||||
SlotId::Attestation => 0x005f_ff01,
|
||||
}
|
||||
}
|
||||
@@ -182,7 +213,7 @@ impl SlotId {
|
||||
|
||||
/// Retired slot IDs.
|
||||
#[allow(missing_docs)]
|
||||
#[derive(Clone, Copy, Debug, PartialEq)]
|
||||
#[derive(Clone, Copy, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
|
||||
pub enum RetiredSlotId {
|
||||
R1,
|
||||
R2,
|
||||
@@ -209,7 +240,7 @@ pub enum RetiredSlotId {
|
||||
impl TryFrom<u8> for RetiredSlotId {
|
||||
type Error = Error;
|
||||
|
||||
fn try_from(value: u8) -> Result<Self, Self::Error> {
|
||||
fn try_from(value: u8) -> Result<Self> {
|
||||
match value {
|
||||
0x82 => Ok(RetiredSlotId::R1),
|
||||
0x83 => Ok(RetiredSlotId::R2),
|
||||
@@ -236,11 +267,11 @@ impl TryFrom<u8> for RetiredSlotId {
|
||||
}
|
||||
}
|
||||
|
||||
impl TryFrom<String> for RetiredSlotId {
|
||||
type Error = Error;
|
||||
impl FromStr for RetiredSlotId {
|
||||
type Err = Error;
|
||||
|
||||
fn try_from(value: String) -> Result<Self, Self::Error> {
|
||||
match value.as_ref() {
|
||||
fn from_str(value: &str) -> Result<Self> {
|
||||
match value {
|
||||
"82" => Ok(RetiredSlotId::R1),
|
||||
"83" => Ok(RetiredSlotId::R2),
|
||||
"84" => Ok(RetiredSlotId::R3),
|
||||
@@ -293,6 +324,12 @@ impl From<RetiredSlotId> for u8 {
|
||||
}
|
||||
}
|
||||
|
||||
impl Display for RetiredSlotId {
|
||||
fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
|
||||
write!(f, "{:?}", self)
|
||||
}
|
||||
}
|
||||
|
||||
impl RetiredSlotId {
|
||||
/// Returns the [`ObjectId`] that corresponds to a given [`RetiredSlotId`].
|
||||
pub(crate) fn object_id(self) -> ObjectId {
|
||||
@@ -321,8 +358,90 @@ impl RetiredSlotId {
|
||||
}
|
||||
}
|
||||
|
||||
/// Management slot IDs.
|
||||
#[derive(Clone, Copy, Debug, Eq, Hash, PartialEq, Ord, PartialOrd)]
|
||||
pub enum ManagementSlotId {
|
||||
/// Personal Identification Number (PIN).
|
||||
Pin,
|
||||
|
||||
/// PIN Unblocking Key (PUK).
|
||||
Puk,
|
||||
|
||||
/// Management Key.
|
||||
Management,
|
||||
}
|
||||
|
||||
impl TryFrom<u8> for ManagementSlotId {
|
||||
type Error = Error;
|
||||
|
||||
fn try_from(value: u8) -> Result<Self> {
|
||||
match value {
|
||||
0x80 => Ok(ManagementSlotId::Pin),
|
||||
0x81 => Ok(ManagementSlotId::Puk),
|
||||
0x9b => Ok(ManagementSlotId::Management),
|
||||
_ => Err(Error::InvalidObject),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl FromStr for ManagementSlotId {
|
||||
type Err = Error;
|
||||
|
||||
fn from_str(value: &str) -> Result<Self> {
|
||||
match value {
|
||||
"80" => Ok(ManagementSlotId::Pin),
|
||||
"81" => Ok(ManagementSlotId::Puk),
|
||||
"9b" => Ok(ManagementSlotId::Management),
|
||||
_ => Err(Error::InvalidObject),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl From<ManagementSlotId> for u8 {
|
||||
fn from(slot: ManagementSlotId) -> u8 {
|
||||
match slot {
|
||||
ManagementSlotId::Pin => 0x80,
|
||||
ManagementSlotId::Puk => 0x81,
|
||||
ManagementSlotId::Management => 0x9b,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl Display for ManagementSlotId {
|
||||
fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
|
||||
write!(f, "{:?}", self)
|
||||
}
|
||||
}
|
||||
|
||||
impl ManagementSlotId {
|
||||
/// Returns the [`ObjectId`] that corresponds to a given [`ManagementSlotId`].
|
||||
///
|
||||
/// These correspond to the "BER-TLV Tag" values from Table 3 of [NIST SP 800-73-4]:
|
||||
/// "Object Identifiers of the PIV Data Objects for Interoperable Use".
|
||||
///
|
||||
/// [NIST SP 800-73-4]: https://csrc.nist.gov/publications/detail/sp/800-73/4/final
|
||||
pub(crate) fn object_id(self) -> ObjectId {
|
||||
match self {
|
||||
// Data Object: "X.509 Certificate for Key Management"
|
||||
// OID: 2.16.840.1.101.3.7.2.1.2
|
||||
// BER-TLV Tag: '5FC10B'
|
||||
ManagementSlotId::Pin => 0x005f_c10b,
|
||||
|
||||
// Data Object: "Key History Object"
|
||||
// OID: 2.16.840.1.101.3.7.2.96.96
|
||||
// BER-TLV Tag: '5FC10C'
|
||||
ManagementSlotId::Puk => 0x005f_c10c,
|
||||
|
||||
// Data Object: "Retired X.509 Certificate for Key Management 3"
|
||||
// OID: 2.16.840.1.101.3.7.2.16.3
|
||||
// BER-TLV Tag: '5FC10F'
|
||||
ManagementSlotId::Management => 0x005f_c10f,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/// Personal Identity Verification (PIV) key slots
|
||||
pub const SLOTS: [SlotId; 24] = [
|
||||
pub const SLOTS: [SlotId; 27] = [
|
||||
SlotId::Authentication,
|
||||
SlotId::Signature,
|
||||
SlotId::KeyManagement,
|
||||
@@ -347,6 +466,9 @@ pub const SLOTS: [SlotId; 24] = [
|
||||
SlotId::Retired(RetiredSlotId::R19),
|
||||
SlotId::Retired(RetiredSlotId::R20),
|
||||
SlotId::CardAuthentication,
|
||||
SlotId::Management(ManagementSlotId::Pin),
|
||||
SlotId::Management(ManagementSlotId::Puk),
|
||||
SlotId::Management(ManagementSlotId::Management),
|
||||
];
|
||||
|
||||
/// Algorithm identifiers
|
||||
@@ -354,10 +476,13 @@ pub const SLOTS: [SlotId; 24] = [
|
||||
pub enum AlgorithmId {
|
||||
/// 1024-bit RSA.
|
||||
Rsa1024,
|
||||
|
||||
/// 2048-bit RSA.
|
||||
Rsa2048,
|
||||
|
||||
/// ECDSA with the NIST P256 curve.
|
||||
EccP256,
|
||||
|
||||
/// ECDSA with the NIST P384 curve.
|
||||
EccP384,
|
||||
}
|
||||
@@ -365,7 +490,7 @@ pub enum AlgorithmId {
|
||||
impl TryFrom<u8> for AlgorithmId {
|
||||
type Error = Error;
|
||||
|
||||
fn try_from(value: u8) -> Result<Self, Self::Error> {
|
||||
fn try_from(value: u8) -> Result<Self> {
|
||||
match value {
|
||||
0x06 => Ok(AlgorithmId::Rsa1024),
|
||||
0x07 => Ok(AlgorithmId::Rsa2048),
|
||||
@@ -389,11 +514,12 @@ impl From<AlgorithmId> for u8 {
|
||||
|
||||
impl AlgorithmId {
|
||||
/// Writes the `AlgorithmId` in the format the YubiKey expects during key generation.
|
||||
pub(crate) fn write(self, buf: &mut [u8]) -> Result<usize, Error> {
|
||||
pub(crate) fn write(self, buf: &mut [u8]) -> Result<usize> {
|
||||
Tlv::write(buf, 0x80, &[self.into()])
|
||||
}
|
||||
|
||||
#[cfg(feature = "untested")]
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
fn get_elem_len(self) -> usize {
|
||||
match self {
|
||||
AlgorithmId::Rsa1024 => 64,
|
||||
@@ -404,6 +530,7 @@ impl AlgorithmId {
|
||||
}
|
||||
|
||||
#[cfg(feature = "untested")]
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
fn get_param_tag(self) -> u8 {
|
||||
match self {
|
||||
AlgorithmId::Rsa1024 | AlgorithmId::Rsa2048 => 0x01,
|
||||
@@ -424,7 +551,7 @@ pub struct Key {
|
||||
|
||||
impl Key {
|
||||
/// List Personal Identity Verification (PIV) keys stored in a YubiKey
|
||||
pub fn list(yubikey: &mut YubiKey) -> Result<Vec<Self>, Error> {
|
||||
pub fn list(yubikey: &mut YubiKey) -> Result<Vec<Self>> {
|
||||
let mut keys = vec![];
|
||||
let txn = yubikey.begin_transaction()?;
|
||||
|
||||
@@ -457,15 +584,14 @@ impl Key {
|
||||
}
|
||||
}
|
||||
|
||||
/// Generate key
|
||||
#[allow(clippy::cognitive_complexity)]
|
||||
/// Generate new key.
|
||||
pub fn generate(
|
||||
yubikey: &mut YubiKey,
|
||||
slot: SlotId,
|
||||
algorithm: AlgorithmId,
|
||||
pin_policy: PinPolicy,
|
||||
touch_policy: TouchPolicy,
|
||||
) -> Result<PublicKeyInfo, Error> {
|
||||
) -> Result<PublicKeyInfo> {
|
||||
// Keygen messages
|
||||
// TODO(tarcieri): extract these into an I18N-handling type?
|
||||
const SZ_SETTING_ROCA: &str = "Enable_Unsafe_Keygen_ROCA";
|
||||
@@ -477,7 +603,7 @@ pub fn generate(
|
||||
const SZ_ROCA_BLOCK_ADMIN: &str = "was blocked due to an administrator configuration setting.";
|
||||
const SZ_ROCA_DEFAULT: &str = "was permitted by default, but is not recommended. The default behavior will change in a future Yubico release.";
|
||||
|
||||
let setting_roca: settings::BoolValue;
|
||||
let setting_roca: setting::Setting;
|
||||
|
||||
match algorithm {
|
||||
AlgorithmId::Rsa1024 | AlgorithmId::Rsa2048 => {
|
||||
@@ -485,17 +611,17 @@ pub fn generate(
|
||||
&& (yubikey.version.minor < 3
|
||||
|| yubikey.version.minor == 3 && (yubikey.version.patch < 5))
|
||||
{
|
||||
setting_roca = settings::BoolValue::get(SZ_SETTING_ROCA, true);
|
||||
setting_roca = setting::Setting::get(SZ_SETTING_ROCA, true);
|
||||
|
||||
let psz_msg = match setting_roca.source {
|
||||
settings::Source::User => {
|
||||
setting::SettingSource::User => {
|
||||
if setting_roca.value {
|
||||
SZ_ROCA_ALLOW_USER
|
||||
} else {
|
||||
SZ_ROCA_BLOCK_USER
|
||||
}
|
||||
}
|
||||
settings::Source::Admin => {
|
||||
setting::SettingSource::Admin => {
|
||||
if setting_roca.value {
|
||||
SZ_ROCA_ALLOW_ADMIN
|
||||
} else {
|
||||
@@ -570,100 +696,12 @@ pub fn generate(
|
||||
}
|
||||
}
|
||||
|
||||
// TODO(str4d): Response is wrapped in an ASN.1 TLV:
|
||||
//
|
||||
// 0x7f 0x49 -> Application | Constructed | 0x49
|
||||
match algorithm {
|
||||
AlgorithmId::Rsa1024 | AlgorithmId::Rsa2048 => {
|
||||
// It appears that the inner application-specific value returned by the
|
||||
// YubiKey is constructed such that RSA pubkeys can be parsed in two ways:
|
||||
//
|
||||
// - Use a full ASN.1 parser on the entire datastructure:
|
||||
//
|
||||
// RSA 1024:
|
||||
// [127, 73, 129, 136, 129, 129, 128, [ 128 octets ], 130, 3, 1, 0, 1]
|
||||
// | tag | len:136 |0x81| len:128 | modulus |0x82|len3| exp |
|
||||
//
|
||||
// RSA 2048:
|
||||
// [127, 73, 130, 1, 9, 129, 130, 1, 0, [ 256 octets ], 130, 3, 1, 0, 1]
|
||||
// | tag | len:265 |0x81| len:256 | modulus |0x82|len3| exp |
|
||||
//
|
||||
// - Skip the first 5 bytes and use crate::serialize::get_length during TLV
|
||||
// parsing (which treats 128 as a single-byte definite length instead of an
|
||||
// indefinite length):
|
||||
//
|
||||
// RSA 1024:
|
||||
// [127, 73, 129, 136, 129, 129, 128, [ 128 octets ], 130, 3, 1, 0, 1]
|
||||
// | |0x81|len128| modulus |0x82|len3| exp |
|
||||
//
|
||||
// RSA 2048:
|
||||
// [127, 73, 130, 1, 9, 129, 130, 1, 0, [ 256 octets ], 130, 3, 1, 0, 1]
|
||||
// | |0x81| len:256 | modulus |0x82|len3| exp |
|
||||
//
|
||||
// Because of the above, treat this for now as a 2-byte ASN.1 tag with a
|
||||
// 3-byte length.
|
||||
let data = &response.data()[5..];
|
||||
|
||||
let (data, modulus_tlv) = Tlv::parse(data)?;
|
||||
if modulus_tlv.tag != TAG_RSA_MODULUS {
|
||||
error!("Failed to parse public key structure (modulus)");
|
||||
return Err(Error::ParseError);
|
||||
}
|
||||
let modulus = modulus_tlv.value.to_vec();
|
||||
|
||||
let (_, exp_tlv) = Tlv::parse(data)?;
|
||||
if exp_tlv.tag != TAG_RSA_EXP {
|
||||
error!("failed to parse public key structure (public exponent)");
|
||||
return Err(Error::ParseError);
|
||||
}
|
||||
let exp = exp_tlv.value.to_vec();
|
||||
|
||||
Ok(PublicKeyInfo::Rsa {
|
||||
algorithm,
|
||||
pubkey: RSAPublicKey::new(
|
||||
BigUint::from_bytes_be(&modulus),
|
||||
BigUint::from_bytes_be(&exp),
|
||||
)
|
||||
.map_err(|_| Error::InvalidObject)?,
|
||||
})
|
||||
}
|
||||
AlgorithmId::EccP256 | AlgorithmId::EccP384 => {
|
||||
// 2-byte ASN.1 tag, 1-byte length (because all supported EC pubkey lengths
|
||||
// are shorter than 128 bytes, fitting into a definite short ASN.1 length).
|
||||
let data = &response.data()[3..];
|
||||
|
||||
let len = if let AlgorithmId::EccP256 = algorithm {
|
||||
CB_ECC_POINTP256
|
||||
} else {
|
||||
CB_ECC_POINTP384
|
||||
};
|
||||
|
||||
let (_, tlv) = Tlv::parse(data)?;
|
||||
|
||||
if tlv.tag != TAG_ECC_POINT {
|
||||
error!("failed to parse public key structure");
|
||||
return Err(Error::ParseError);
|
||||
}
|
||||
|
||||
// the curve point should always be determined by the curve
|
||||
if tlv.value.len() != len {
|
||||
error!("unexpected length");
|
||||
return Err(Error::AlgorithmError);
|
||||
}
|
||||
|
||||
let point = tlv.value.to_vec();
|
||||
|
||||
if let AlgorithmId::EccP256 = algorithm {
|
||||
EcPublicKey::from_bytes(point).map(PublicKeyInfo::EcP256)
|
||||
} else {
|
||||
EcPublicKey::from_bytes(point).map(PublicKeyInfo::EcP384)
|
||||
}
|
||||
.map_err(|_| Error::InvalidObject)
|
||||
}
|
||||
}
|
||||
let value = response.data();
|
||||
read_public_key(algorithm, value, true)
|
||||
}
|
||||
|
||||
#[cfg(feature = "untested")]
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
fn write_key(
|
||||
yubikey: &mut YubiKey,
|
||||
slot: SlotId,
|
||||
@@ -671,7 +709,7 @@ fn write_key(
|
||||
pin_policy: PinPolicy,
|
||||
touch_policy: TouchPolicy,
|
||||
algorithm: AlgorithmId,
|
||||
) -> Result<(), Error> {
|
||||
) -> Result<()> {
|
||||
let mut key_data = Buffer::new(vec![0u8; KEYDATA_LEN]);
|
||||
let templ = [0, Ins::ImportKey.code(), algorithm.into(), slot.into()];
|
||||
let mut offset = 0;
|
||||
@@ -712,6 +750,7 @@ fn write_key(
|
||||
|
||||
/// The key data that makes up an RSA key.
|
||||
#[cfg(feature = "untested")]
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub struct RsaKeyData {
|
||||
/// The secret prime `p`.
|
||||
p: Buffer,
|
||||
@@ -773,6 +812,7 @@ impl RsaKeyData {
|
||||
///
|
||||
/// Errors if `algorithm` isn't `AlgorithmId::Rsa1024` or `AlgorithmId::Rsa2048`.
|
||||
#[cfg(feature = "untested")]
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub fn import_rsa_key(
|
||||
yubikey: &mut YubiKey,
|
||||
slot: SlotId,
|
||||
@@ -780,7 +820,7 @@ pub fn import_rsa_key(
|
||||
key_data: RsaKeyData,
|
||||
touch_policy: TouchPolicy,
|
||||
pin_policy: PinPolicy,
|
||||
) -> Result<(), Error> {
|
||||
) -> Result<()> {
|
||||
match algorithm {
|
||||
AlgorithmId::Rsa1024 | AlgorithmId::Rsa2048 => (),
|
||||
_ => return Err(Error::AlgorithmError),
|
||||
@@ -807,6 +847,7 @@ pub fn import_rsa_key(
|
||||
///
|
||||
/// Errors if `algorithm` isn't `AlgorithmId::EccP256` or ` AlgorithmId::EccP384`.
|
||||
#[cfg(feature = "untested")]
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub fn import_ecc_key(
|
||||
yubikey: &mut YubiKey,
|
||||
slot: SlotId,
|
||||
@@ -814,7 +855,7 @@ pub fn import_ecc_key(
|
||||
key_data: &[u8],
|
||||
touch_policy: TouchPolicy,
|
||||
pin_policy: PinPolicy,
|
||||
) -> Result<(), Error> {
|
||||
) -> Result<()> {
|
||||
match algorithm {
|
||||
AlgorithmId::EccP256 | AlgorithmId::EccP384 => (),
|
||||
_ => return Err(Error::AlgorithmError),
|
||||
@@ -832,9 +873,11 @@ pub fn import_ecc_key(
|
||||
}
|
||||
|
||||
/// Generate an attestation certificate for a stored key.
|
||||
///
|
||||
/// <https://developers.yubico.com/PIV/Introduction/PIV_attestation.html>
|
||||
#[cfg(feature = "untested")]
|
||||
pub fn attest(yubikey: &mut YubiKey, key: SlotId) -> Result<Buffer, Error> {
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub fn attest(yubikey: &mut YubiKey, key: SlotId) -> Result<Buffer> {
|
||||
let templ = [0, Ins::Attest.code(), key.into(), 0];
|
||||
let txn = yubikey.begin_transaction()?;
|
||||
let response = txn.transfer_data(&templ, &[], CB_OBJ_MAX)?;
|
||||
@@ -854,29 +897,346 @@ pub fn attest(yubikey: &mut YubiKey, key: SlotId) -> Result<Buffer, Error> {
|
||||
Ok(Buffer::new(response.data().into()))
|
||||
}
|
||||
|
||||
/// Sign data using a PIV key
|
||||
/// Sign data using a PIV key.
|
||||
pub fn sign_data(
|
||||
yubikey: &mut YubiKey,
|
||||
raw_in: &[u8],
|
||||
algorithm: AlgorithmId,
|
||||
key: SlotId,
|
||||
) -> Result<Buffer, Error> {
|
||||
) -> Result<Buffer> {
|
||||
let txn = yubikey.begin_transaction()?;
|
||||
|
||||
// don't attempt to reselect in crypt operations to avoid problems with PIN_ALWAYS
|
||||
txn.authenticated_command(raw_in, algorithm, key, false)
|
||||
}
|
||||
|
||||
/// Decrypt data using a PIV key
|
||||
/// Decrypt data using a PIV key.
|
||||
#[cfg(feature = "untested")]
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub fn decrypt_data(
|
||||
yubikey: &mut YubiKey,
|
||||
input: &[u8],
|
||||
algorithm: AlgorithmId,
|
||||
key: SlotId,
|
||||
) -> Result<Buffer, Error> {
|
||||
) -> Result<Buffer> {
|
||||
let txn = yubikey.begin_transaction()?;
|
||||
|
||||
// don't attempt to reselect in crypt operations to avoid problems with PIN_ALWAYS
|
||||
txn.authenticated_command(input, algorithm, key, true)
|
||||
}
|
||||
|
||||
/// Read metadata
|
||||
pub fn metadata(yubikey: &mut YubiKey, slot: SlotId) -> Result<SlotMetadata> {
|
||||
let txn = yubikey.begin_transaction()?;
|
||||
let templ = [0, Ins::GetMetadata.code(), 0, slot.into()];
|
||||
|
||||
let response = txn.transfer_data(&templ, &[], CB_OBJ_MAX)?;
|
||||
|
||||
if !response.is_success() {
|
||||
if response.status_words() == StatusWords::NotSupportedError {
|
||||
return Err(Error::NotSupported); // Requires firmware 5.2.3
|
||||
} else {
|
||||
return Err(Error::GenericError);
|
||||
}
|
||||
}
|
||||
|
||||
let buf = Buffer::new(response.data().into());
|
||||
|
||||
SlotMetadata::try_from(buf)
|
||||
}
|
||||
|
||||
/// Metadata from a slot
|
||||
#[derive(Debug)]
|
||||
pub struct SlotMetadata {
|
||||
/// Algorithm / Type of key
|
||||
pub algorithm: ManagementAlgorithmId,
|
||||
/// PIN and touch policy
|
||||
pub policy: Option<(PinPolicy, TouchPolicy)>,
|
||||
/// Imported or generated key
|
||||
pub origin: Option<Origin>,
|
||||
/// Pub key of the key
|
||||
pub public: Option<PublicKeyInfo>,
|
||||
/// Whether PIN PUK and management key are default
|
||||
pub default: Option<bool>,
|
||||
/// Number of retries left
|
||||
pub retries: Option<Retries>,
|
||||
}
|
||||
|
||||
impl TryFrom<Buffer> for SlotMetadata {
|
||||
type Error = Error;
|
||||
|
||||
fn try_from(buf: Buffer) -> Result<Self> {
|
||||
use nom::{
|
||||
combinator::{eof, map_res},
|
||||
multi::fold_many1,
|
||||
number::complete::u8,
|
||||
};
|
||||
|
||||
let out = fold_many1(
|
||||
|input| Tlv::parse(input).map_err(|_| nom::Err::Error(())),
|
||||
|| {
|
||||
Ok(SlotMetadata {
|
||||
algorithm: ManagementAlgorithmId::PinPuk,
|
||||
policy: None,
|
||||
origin: None,
|
||||
public: None,
|
||||
default: None,
|
||||
retries: None,
|
||||
})
|
||||
},
|
||||
|acc: Result<SlotMetadata>, tlv| match acc {
|
||||
Ok(mut metadata) => match tlv.tag {
|
||||
1 => {
|
||||
metadata.algorithm = ManagementAlgorithmId::try_from(tlv.value[0])?;
|
||||
Ok(metadata)
|
||||
}
|
||||
2 => {
|
||||
fn policy_parser(
|
||||
i: &[u8],
|
||||
) -> nom::IResult<&[u8], (PinPolicy, TouchPolicy)> {
|
||||
let (i, pin) = map_res(u8, PinPolicy::try_from)(i)?;
|
||||
let (i, touch) = map_res(u8, TouchPolicy::try_from)(i)?;
|
||||
let (i, _) = eof(i)?;
|
||||
|
||||
Ok((i, (pin, touch)))
|
||||
}
|
||||
|
||||
metadata.policy =
|
||||
Some(policy_parser(tlv.value).map_err(|_| Error::ParseError)?.1);
|
||||
Ok(metadata)
|
||||
}
|
||||
3 => {
|
||||
fn origin_parser(i: &[u8]) -> nom::IResult<&[u8], Origin> {
|
||||
let (i, origin) = map_res(u8, Origin::try_from)(i)?;
|
||||
let (i, _) = eof(i)?;
|
||||
|
||||
Ok((i, origin))
|
||||
}
|
||||
|
||||
metadata.origin =
|
||||
Some(origin_parser(tlv.value).map_err(|_| Error::ParseError)?.1);
|
||||
Ok(metadata)
|
||||
}
|
||||
4 => {
|
||||
match metadata.algorithm {
|
||||
ManagementAlgorithmId::Asymmetric(alg) => {
|
||||
metadata.public = Some(read_public_key(alg, tlv.value, false)?);
|
||||
}
|
||||
_ => Err(Error::ParseError)?,
|
||||
}
|
||||
Ok(metadata)
|
||||
}
|
||||
5 => {
|
||||
fn default_parser(i: &[u8]) -> nom::IResult<&[u8], bool> {
|
||||
let (i, default) = u8(i)?;
|
||||
let (i, _) = eof(i)?;
|
||||
|
||||
Ok((i, default == 1))
|
||||
}
|
||||
|
||||
metadata.default =
|
||||
Some(default_parser(tlv.value).map_err(|_| Error::ParseError)?.1);
|
||||
Ok(metadata)
|
||||
}
|
||||
|
||||
6 => {
|
||||
fn retries_parser(i: &[u8]) -> nom::IResult<&[u8], Retries> {
|
||||
let (i, retry_count) = u8(i)?;
|
||||
let (i, remaining_count) = u8(i)?;
|
||||
let (i, _) = eof(i)?;
|
||||
|
||||
Ok((
|
||||
i,
|
||||
Retries {
|
||||
retry_count,
|
||||
remaining_count,
|
||||
},
|
||||
))
|
||||
}
|
||||
|
||||
metadata.retries =
|
||||
Some(retries_parser(tlv.value).map_err(|_| Error::ParseError)?.1);
|
||||
Ok(metadata)
|
||||
}
|
||||
|
||||
_unsupported => {
|
||||
// New unsupported tags
|
||||
// https://docs.yubico.com/yesdk/users-manual/application-piv/apdu/metadata.html
|
||||
Ok(metadata)
|
||||
}
|
||||
},
|
||||
err => err,
|
||||
},
|
||||
)(buf.as_ref());
|
||||
|
||||
match out {
|
||||
Ok((_, res)) => res,
|
||||
_ => Err(Error::ParseError),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/// The number of retries used and remaining.
|
||||
#[derive(Debug, PartialEq, Eq)]
|
||||
pub struct Retries {
|
||||
/// TODO
|
||||
pub retry_count: u8,
|
||||
/// Remaining attempts
|
||||
pub remaining_count: u8,
|
||||
}
|
||||
|
||||
/// Origin of a slot
|
||||
#[derive(Debug, PartialEq, Eq, Copy, Clone)]
|
||||
pub enum Origin {
|
||||
/// The key has been imported
|
||||
Imported,
|
||||
/// The key has been generated on the YubiKey
|
||||
Generated,
|
||||
}
|
||||
|
||||
impl TryFrom<u8> for Origin {
|
||||
type Error = Error;
|
||||
|
||||
fn try_from(value: u8) -> Result<Self> {
|
||||
match value {
|
||||
1 => Ok(Origin::Generated),
|
||||
2 => Ok(Origin::Imported),
|
||||
_ => Err(Error::GenericError),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
fn read_public_key(
|
||||
algorithm: AlgorithmId,
|
||||
input: &[u8],
|
||||
skip_asn1_tag: bool,
|
||||
) -> Result<PublicKeyInfo> {
|
||||
// TODO(str4d): Response is wrapped in an ASN.1 TLV:
|
||||
//
|
||||
// 0x7f 0x49 -> Application | Constructed | 0x49
|
||||
match algorithm {
|
||||
AlgorithmId::Rsa1024 | AlgorithmId::Rsa2048 => {
|
||||
// It appears that the inner application-specific value returned by the
|
||||
// YubiKey is constructed such that RSA pubkeys can be parsed in two ways:
|
||||
//
|
||||
// - Use a full ASN.1 parser on the entire datastructure:
|
||||
//
|
||||
// RSA 1024:
|
||||
// [127, 73, 129, 136, 129, 129, 128, [ 128 octets ], 130, 3, 1, 0, 1]
|
||||
// | tag | len:136 |0x81| len:128 | modulus |0x82|len3| exp |
|
||||
//
|
||||
// RSA 2048:
|
||||
// [127, 73, 130, 1, 9, 129, 130, 1, 0, [ 256 octets ], 130, 3, 1, 0, 1]
|
||||
// | tag | len:265 |0x81| len:256 | modulus |0x82|len3| exp |
|
||||
//
|
||||
// - Skip the first 5 bytes and use crate::serialize::get_length during TLV
|
||||
// parsing (which treats 128 as a single-byte definite length instead of an
|
||||
// indefinite length):
|
||||
//
|
||||
// RSA 1024:
|
||||
// [127, 73, 129, 136, 129, 129, 128, [ 128 octets ], 130, 3, 1, 0, 1]
|
||||
// | |0x81|len128| modulus |0x82|len3| exp |
|
||||
//
|
||||
// RSA 2048:
|
||||
// [127, 73, 130, 1, 9, 129, 130, 1, 0, [ 256 octets ], 130, 3, 1, 0, 1]
|
||||
// | |0x81| len:256 | modulus |0x82|len3| exp |
|
||||
//
|
||||
// Because of the above, treat this for now as a 2-byte ASN.1 tag with a
|
||||
// 3-byte length.
|
||||
let data = if skip_asn1_tag { &input[5..] } else { input };
|
||||
|
||||
let (data, modulus_tlv) = Tlv::parse(data)?;
|
||||
if modulus_tlv.tag != TAG_RSA_MODULUS {
|
||||
error!("Failed to parse public key structure (modulus)");
|
||||
return Err(Error::ParseError);
|
||||
}
|
||||
let modulus = modulus_tlv.value.to_vec();
|
||||
|
||||
let (_, exp_tlv) = Tlv::parse(data)?;
|
||||
if exp_tlv.tag != TAG_RSA_EXP {
|
||||
error!("failed to parse public key structure (public exponent)");
|
||||
return Err(Error::ParseError);
|
||||
}
|
||||
let exp = exp_tlv.value.to_vec();
|
||||
|
||||
Ok(PublicKeyInfo::Rsa {
|
||||
algorithm,
|
||||
pubkey: RsaPublicKey::new(
|
||||
BigUint::from_bytes_be(&modulus),
|
||||
BigUint::from_bytes_be(&exp),
|
||||
)
|
||||
.map_err(|_| Error::InvalidObject)?,
|
||||
})
|
||||
}
|
||||
AlgorithmId::EccP256 | AlgorithmId::EccP384 => {
|
||||
// 2-byte ASN.1 tag, 1-byte length (because all supported EC pubkey lengths
|
||||
// are shorter than 128 bytes, fitting into a definite short ASN.1 length).
|
||||
let data = if skip_asn1_tag { &input[3..] } else { input };
|
||||
|
||||
let len = if let AlgorithmId::EccP256 = algorithm {
|
||||
CB_ECC_POINTP256
|
||||
} else {
|
||||
CB_ECC_POINTP384
|
||||
};
|
||||
|
||||
let (_, tlv) = Tlv::parse(data)?;
|
||||
|
||||
if tlv.tag != TAG_ECC_POINT {
|
||||
error!("failed to parse public key structure");
|
||||
return Err(Error::ParseError);
|
||||
}
|
||||
|
||||
// the curve point should always be determined by the curve
|
||||
if tlv.value.len() != len {
|
||||
error!("unexpected length");
|
||||
return Err(Error::AlgorithmError);
|
||||
}
|
||||
|
||||
let point = tlv.value.to_vec();
|
||||
|
||||
match algorithm {
|
||||
AlgorithmId::EccP256 => {
|
||||
EcPublicKey::<NistP256>::from_bytes(point).map(PublicKeyInfo::EcP256)
|
||||
}
|
||||
AlgorithmId::EccP384 => {
|
||||
EcPublicKey::<NistP384>::from_bytes(point).map(PublicKeyInfo::EcP384)
|
||||
}
|
||||
_ => return Err(Error::AlgorithmError),
|
||||
}
|
||||
.map_err(|_| Error::InvalidObject)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
|
||||
/// Algorithms as reported by the metadata command.
|
||||
pub enum ManagementAlgorithmId {
|
||||
/// Used on PIN and PUK slots.
|
||||
PinPuk,
|
||||
/// Used on the key management slot.
|
||||
ThreeDes,
|
||||
/// Used on all other slots.
|
||||
Asymmetric(AlgorithmId),
|
||||
}
|
||||
|
||||
impl TryFrom<u8> for ManagementAlgorithmId {
|
||||
type Error = Error;
|
||||
|
||||
fn try_from(value: u8) -> Result<Self> {
|
||||
match value {
|
||||
0xff => Ok(ManagementAlgorithmId::PinPuk),
|
||||
0x03 => Ok(ManagementAlgorithmId::ThreeDes),
|
||||
oth => AlgorithmId::try_from(oth).map(ManagementAlgorithmId::Asymmetric),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl From<ManagementAlgorithmId> for u8 {
|
||||
fn from(id: ManagementAlgorithmId) -> u8 {
|
||||
match id {
|
||||
ManagementAlgorithmId::PinPuk => 0xff,
|
||||
ManagementAlgorithmId::ThreeDes => 0x03,
|
||||
ManagementAlgorithmId::Asymmetric(oth) => oth.into(),
|
||||
}
|
||||
}
|
||||
}
|
||||
+39
-9
@@ -1,11 +1,12 @@
|
||||
//! Enums representing key policies.
|
||||
|
||||
use crate::{error::Error, serialization::Tlv};
|
||||
use crate::{serialization::Tlv, Error, Result};
|
||||
|
||||
/// Specifies how often the PIN needs to be entered for access to the credential in a
|
||||
/// given slot. This policy must be set upon key generation or importation, and cannot be
|
||||
/// changed later.
|
||||
#[derive(Clone, Copy, Debug, PartialEq)]
|
||||
/// given slot.
|
||||
///
|
||||
/// This policy must be set when keys are generated or imported, and cannot be changed later.
|
||||
#[derive(Clone, Copy, Debug, Eq, PartialEq)]
|
||||
pub enum PinPolicy {
|
||||
/// Use the default PIN policy for the slot. See the slot's documentation for details.
|
||||
Default,
|
||||
@@ -34,10 +35,24 @@ impl From<PinPolicy> for u8 {
|
||||
}
|
||||
}
|
||||
|
||||
impl TryFrom<u8> for PinPolicy {
|
||||
type Error = Error;
|
||||
|
||||
fn try_from(value: u8) -> Result<Self> {
|
||||
match value {
|
||||
0 => Ok(PinPolicy::Default),
|
||||
1 => Ok(PinPolicy::Never),
|
||||
2 => Ok(PinPolicy::Once),
|
||||
3 => Ok(PinPolicy::Always),
|
||||
_ => Err(Error::GenericError),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl PinPolicy {
|
||||
/// Writes the `PinPolicy` in the format the YubiKey expects during key generation or
|
||||
/// importation.
|
||||
pub(crate) fn write(self, buf: &mut [u8]) -> Result<usize, Error> {
|
||||
pub(crate) fn write(self, buf: &mut [u8]) -> Result<usize> {
|
||||
match self {
|
||||
PinPolicy::Default => Ok(0),
|
||||
_ => Tlv::write(buf, 0xaa, &[self.into()]),
|
||||
@@ -46,9 +61,10 @@ impl PinPolicy {
|
||||
}
|
||||
|
||||
/// Specifies under what conditions a physical touch on the metal contact is required, in
|
||||
/// addition to the [`PinPolicy`]. This policy must be set upon key generation or
|
||||
/// importation, and cannot be changed later.
|
||||
#[derive(Clone, Copy, Debug, PartialEq)]
|
||||
/// addition to the [`PinPolicy`].
|
||||
///
|
||||
/// This policy must be set when keys are generated or imported, and cannot be changed later.
|
||||
#[derive(Clone, Copy, Debug, Eq, PartialEq)]
|
||||
pub enum TouchPolicy {
|
||||
/// Use the default touch policy for the slot.
|
||||
Default,
|
||||
@@ -81,10 +97,24 @@ impl From<TouchPolicy> for u8 {
|
||||
impl TouchPolicy {
|
||||
/// Writes the `TouchPolicy` in the format the YubiKey expects during key generation
|
||||
/// or importation.
|
||||
pub(crate) fn write(self, buf: &mut [u8]) -> Result<usize, Error> {
|
||||
pub(crate) fn write(self, buf: &mut [u8]) -> Result<usize> {
|
||||
match self {
|
||||
TouchPolicy::Default => Ok(0),
|
||||
_ => Tlv::write(buf, 0xab, &[self.into()]),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl TryFrom<u8> for TouchPolicy {
|
||||
type Error = Error;
|
||||
|
||||
fn try_from(value: u8) -> Result<Self> {
|
||||
match value {
|
||||
0 => Ok(TouchPolicy::Default),
|
||||
1 => Ok(TouchPolicy::Never),
|
||||
2 => Ok(TouchPolicy::Always),
|
||||
3 => Ok(TouchPolicy::Cached),
|
||||
_ => Err(Error::GenericError),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,18 +1,18 @@
|
||||
//! Support for enumerating available readers
|
||||
//! Support for enumerating available PC/SC card readers.
|
||||
|
||||
use crate::{error::Error, yubikey::YubiKey};
|
||||
use crate::{Result, YubiKey};
|
||||
use std::{
|
||||
borrow::Cow,
|
||||
convert::TryInto,
|
||||
ffi::CStr,
|
||||
fmt,
|
||||
sync::{Arc, Mutex},
|
||||
};
|
||||
|
||||
/// Iterator over connected readers
|
||||
pub type Iter<'ctx> = std::vec::IntoIter<Reader<'ctx>>;
|
||||
|
||||
/// Enumeration support for available readers
|
||||
pub struct Readers {
|
||||
/// PC/SC reader context: used to enumerate available PC/SC [`Reader`]s.
|
||||
pub struct Context {
|
||||
/// PC/SC context
|
||||
ctx: Arc<Mutex<pcsc::Context>>,
|
||||
|
||||
@@ -20,10 +20,16 @@ pub struct Readers {
|
||||
reader_names: Vec<u8>,
|
||||
}
|
||||
|
||||
impl Readers {
|
||||
impl fmt::Debug for Context {
|
||||
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
|
||||
f.debug_struct("Context").finish_non_exhaustive()
|
||||
}
|
||||
}
|
||||
|
||||
impl Context {
|
||||
/// Open a PC/SC context, which can be used to enumerate available PC/SC
|
||||
/// readers (which can be used to connect to YubiKeys).
|
||||
pub fn open() -> Result<Self, Error> {
|
||||
pub fn open() -> Result<Self> {
|
||||
let ctx = pcsc::Context::establish(pcsc::Scope::System)?;
|
||||
let reader_names = vec![0u8; ctx.list_readers_len()?];
|
||||
Ok(Self {
|
||||
@@ -32,8 +38,8 @@ impl Readers {
|
||||
})
|
||||
}
|
||||
|
||||
/// Iterate over the available readers
|
||||
pub fn iter(&mut self) -> Result<Iter<'_>, Error> {
|
||||
/// Iterate over the available readers.
|
||||
pub fn iter(&mut self) -> Result<Iter<'_>> {
|
||||
let Self { ctx, reader_names } = self;
|
||||
|
||||
let reader_cstrs: Vec<_> = {
|
||||
@@ -45,6 +51,7 @@ impl Readers {
|
||||
c.list_readers(reader_names)?.collect()
|
||||
};
|
||||
|
||||
#[allow(clippy::needless_collect)]
|
||||
let readers: Vec<_> = reader_cstrs
|
||||
.iter()
|
||||
.map(|name| Reader::new(name, Arc::clone(ctx)))
|
||||
@@ -54,7 +61,7 @@ impl Readers {
|
||||
}
|
||||
}
|
||||
|
||||
/// An individual connected reader
|
||||
/// An individual connected PC/SC card reader.
|
||||
pub struct Reader<'ctx> {
|
||||
/// Name of this reader
|
||||
name: &'ctx CStr,
|
||||
@@ -64,25 +71,25 @@ pub struct Reader<'ctx> {
|
||||
}
|
||||
|
||||
impl<'ctx> Reader<'ctx> {
|
||||
/// Create a new reader from its name and context
|
||||
/// Create a new reader from its name and context.
|
||||
fn new(name: &'ctx CStr, ctx: Arc<Mutex<pcsc::Context>>) -> Self {
|
||||
// TODO(tarcieri): open devices, determine they're YubiKeys, get serial?
|
||||
Self { name, ctx }
|
||||
}
|
||||
|
||||
/// Get this reader's name
|
||||
/// Get this reader's name.
|
||||
pub fn name(&self) -> Cow<'_, str> {
|
||||
// TODO(tarcieri): is lossy ok here? try to avoid lossiness?
|
||||
self.name.to_string_lossy()
|
||||
}
|
||||
|
||||
/// Open a connection to this reader, returning a `YubiKey` if successful
|
||||
pub fn open(&self) -> Result<YubiKey, Error> {
|
||||
/// Open a connection to this reader, returning a `YubiKey` if successful.
|
||||
pub fn open(&self) -> Result<YubiKey> {
|
||||
self.try_into()
|
||||
}
|
||||
|
||||
/// Connect to this reader, returning its `pcsc::Card`
|
||||
pub(crate) fn connect(&self) -> Result<pcsc::Card, Error> {
|
||||
/// Connect to this reader, returning its `pcsc::Card`.
|
||||
pub(crate) fn connect(&self) -> Result<pcsc::Card> {
|
||||
let ctx = self.ctx.lock().unwrap();
|
||||
Ok(ctx.connect(self.name, pcsc::ShareMode::Shared, pcsc::Protocols::T1)?)
|
||||
}
|
||||
+12
-9
@@ -30,7 +30,7 @@
|
||||
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
use crate::{error::Error, Buffer, ObjectId, CB_OBJ_TAG_MIN};
|
||||
use crate::{consts::CB_OBJ_TAG_MIN, Buffer, Error, ObjectId, Result};
|
||||
|
||||
pub const OBJ_DISCOVERY: u32 = 0x7e;
|
||||
|
||||
@@ -44,24 +44,27 @@ pub(crate) struct Tlv<'a> {
|
||||
|
||||
impl<'a> Tlv<'a> {
|
||||
/// Parses a `Tlv` from a buffer, returning the remainder of the buffer.
|
||||
pub(crate) fn parse(buffer: &'a [u8]) -> Result<(&'a [u8], Self), Error> {
|
||||
pub(crate) fn parse(buffer: &'a [u8]) -> Result<(&'a [u8], Self)> {
|
||||
if buffer.len() < CB_OBJ_TAG_MIN || !has_valid_length(&buffer[1..], buffer.len() - 1) {
|
||||
return Err(Error::SizeError);
|
||||
}
|
||||
|
||||
let tag = buffer[0];
|
||||
|
||||
let mut len = 0;
|
||||
let offset = 1 + get_length(&buffer[1..], &mut len);
|
||||
let buffer = buffer.get(offset..).ok_or(Error::SizeError)?;
|
||||
|
||||
let (value, buffer) = buffer[offset..].split_at(len);
|
||||
|
||||
if buffer.len() >= len {
|
||||
let (value, buffer) = buffer.split_at(len);
|
||||
Ok((buffer, Tlv { tag, value }))
|
||||
} else {
|
||||
Err(Error::SizeError)
|
||||
}
|
||||
}
|
||||
|
||||
/// Takes a [`Buffer`] containing a single `Tlv` with the given tag, and returns a
|
||||
/// `Buffer` containing only the value part of the `Tlv`.
|
||||
pub(crate) fn parse_single(mut buffer: Buffer, tag: u8) -> Result<Buffer, Error> {
|
||||
pub(crate) fn parse_single(mut buffer: Buffer, tag: u8) -> Result<Buffer> {
|
||||
if buffer.len() < CB_OBJ_TAG_MIN || !has_valid_length(&buffer[1..], buffer.len() - 1) {
|
||||
return Err(Error::SizeError);
|
||||
}
|
||||
@@ -79,7 +82,7 @@ impl<'a> Tlv<'a> {
|
||||
}
|
||||
|
||||
/// Writes a TLV to the given buffer.
|
||||
pub(crate) fn write(buffer: &mut [u8], tag: u8, value: &[u8]) -> Result<usize, Error> {
|
||||
pub(crate) fn write(buffer: &mut [u8], tag: u8, value: &[u8]) -> Result<usize> {
|
||||
if buffer.len() < CB_OBJ_TAG_MIN {
|
||||
return Err(Error::SizeError);
|
||||
}
|
||||
@@ -103,7 +106,7 @@ impl<'a> Tlv<'a> {
|
||||
tag: u8,
|
||||
length: usize,
|
||||
value: Gen,
|
||||
) -> Result<usize, Error>
|
||||
) -> Result<usize>
|
||||
where
|
||||
Gen: FnOnce(&mut [u8]),
|
||||
{
|
||||
@@ -124,7 +127,7 @@ impl<'a> Tlv<'a> {
|
||||
}
|
||||
|
||||
/// Set length
|
||||
pub(crate) fn set_length(buffer: &mut [u8], length: usize) -> Result<usize, Error> {
|
||||
pub(crate) fn set_length(buffer: &mut [u8], length: usize) -> Result<usize> {
|
||||
if length < 0x80 {
|
||||
if buffer.is_empty() {
|
||||
Err(Error::SizeError)
|
||||
|
||||
+132
@@ -0,0 +1,132 @@
|
||||
//! Configuration setting values parsed from the environment and config file:
|
||||
//! `/etc/yubico/yubikeypiv.conf`
|
||||
|
||||
// Adapted from yubico-piv-tool:
|
||||
// <https://github.com/Yubico/yubico-piv-tool/>
|
||||
//
|
||||
// Copyright (c) 2014-2016 Yubico AB
|
||||
// All rights reserved.
|
||||
//
|
||||
// Redistribution and use in source and binary forms, with or without
|
||||
// modification, are permitted provided that the following conditions are
|
||||
// met:
|
||||
//
|
||||
// * Redistributions of source code must retain the above copyright
|
||||
// notice, this list of conditions and the following disclaimer.
|
||||
//
|
||||
// * Redistributions in binary form must reproduce the above
|
||||
// copyright notice, this list of conditions and the following
|
||||
// disclaimer in the documentation and/or other materials provided
|
||||
// with the distribution.
|
||||
//
|
||||
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
/// Default location of the YubiKey PIV configuration file
|
||||
pub const DEFAULT_CONFIG_FILE: &str = "/etc/yubico/yubikeypiv.conf";
|
||||
|
||||
use std::{
|
||||
env,
|
||||
fs::File,
|
||||
io::{BufRead, BufReader},
|
||||
};
|
||||
|
||||
/// Source of how a setting was configured.
|
||||
#[derive(Clone, Copy, Debug, Eq, PartialEq)]
|
||||
pub enum SettingSource {
|
||||
/// User-specified setting: sourced via `YUBIKEY_PIV_*` environment vars.
|
||||
User,
|
||||
|
||||
/// Admin-specified setting: sourced via the `/etc/yubico/yubikeypiv.conf`
|
||||
/// configuration file.
|
||||
Admin,
|
||||
|
||||
/// Default setting.
|
||||
Default,
|
||||
}
|
||||
|
||||
impl Default for SettingSource {
|
||||
fn default() -> Self {
|
||||
Self::Default
|
||||
}
|
||||
}
|
||||
|
||||
/// Setting booleans: configuration values sourced from a file or the environment.
|
||||
///
|
||||
/// These can be configured globally in `/etc/yubico/yubikeypiv.conf` by a
|
||||
/// system administrator, or by the local user via `YUBIKEY_PIV_*` environment
|
||||
/// variables.
|
||||
#[derive(Copy, Clone, Debug, Default)]
|
||||
pub struct Setting {
|
||||
/// Boolean value
|
||||
pub value: bool,
|
||||
|
||||
/// Source of the configuration setting (user, admin, or default)
|
||||
pub source: SettingSource,
|
||||
}
|
||||
|
||||
impl Setting {
|
||||
/// Get a setting by name.
|
||||
pub fn get(key: &str, default: bool) -> Self {
|
||||
Self::from_file(key)
|
||||
.or_else(|| Self::from_env(key))
|
||||
.unwrap_or(Self {
|
||||
value: default,
|
||||
source: SettingSource::Default,
|
||||
})
|
||||
}
|
||||
|
||||
/// Get a boolean config value from the provided config file
|
||||
fn from_file(key: &str) -> Option<Self> {
|
||||
if let Ok(file) = File::open(DEFAULT_CONFIG_FILE) {
|
||||
for line in BufReader::new(file).lines() {
|
||||
let line = match line {
|
||||
Ok(line) => line,
|
||||
_ => continue,
|
||||
};
|
||||
|
||||
if line.starts_with('#') || line.starts_with('\r') || line.starts_with('\n') {
|
||||
continue;
|
||||
}
|
||||
|
||||
let (name, value) = {
|
||||
let mut parts = line.splitn(2, '=');
|
||||
let name = parts.next();
|
||||
let value = parts.next();
|
||||
match (name, value, parts.next()) {
|
||||
(Some(name), Some(value), None) => (name.trim(), value.trim()),
|
||||
_ => continue,
|
||||
}
|
||||
};
|
||||
|
||||
if name == key {
|
||||
return Some(Setting {
|
||||
source: SettingSource::Admin,
|
||||
value: value == "1" || value == "true",
|
||||
});
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
None
|
||||
}
|
||||
|
||||
/// Get a setting boolean from an environment variable
|
||||
fn from_env(key: &str) -> Option<Self> {
|
||||
env::var(format!("YUBIKEY_PIV_{}", key))
|
||||
.ok()
|
||||
.map(|value| Setting {
|
||||
source: SettingSource::User,
|
||||
value: value == "1" || value == "true",
|
||||
})
|
||||
}
|
||||
}
|
||||
-138
@@ -1,138 +0,0 @@
|
||||
//! Configuration setting values parsed from the environment and config file:
|
||||
//! `/etc/yubico/yubikeypiv.conf`
|
||||
|
||||
// Adapted from yubico-piv-tool:
|
||||
// <https://github.com/Yubico/yubico-piv-tool/>
|
||||
//
|
||||
// Copyright (c) 2014-2016 Yubico AB
|
||||
// All rights reserved.
|
||||
//
|
||||
// Redistribution and use in source and binary forms, with or without
|
||||
// modification, are permitted provided that the following conditions are
|
||||
// met:
|
||||
//
|
||||
// * Redistributions of source code must retain the above copyright
|
||||
// notice, this list of conditions and the following disclaimer.
|
||||
//
|
||||
// * Redistributions in binary form must reproduce the above
|
||||
// copyright notice, this list of conditions and the following
|
||||
// disclaimer in the documentation and/or other materials provided
|
||||
// with the distribution.
|
||||
//
|
||||
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
/// Default location of the YubiKey PIV configuration file
|
||||
pub const DEFAULT_CONFIG_FILE: &str = "/etc/yubico/yubikeypiv.conf";
|
||||
|
||||
use std::{
|
||||
env,
|
||||
fs::File,
|
||||
io::{BufRead, BufReader},
|
||||
};
|
||||
|
||||
/// Source of how a setting was configured
|
||||
#[derive(Clone, Copy, Debug, Eq, PartialEq)]
|
||||
pub enum Source {
|
||||
/// User-specified setting
|
||||
User,
|
||||
|
||||
/// Admin-specified setting
|
||||
Admin,
|
||||
|
||||
/// Default setting
|
||||
Default,
|
||||
}
|
||||
|
||||
/// Setting booleans
|
||||
#[derive(Copy, Clone, Debug)]
|
||||
pub struct BoolValue {
|
||||
/// Boolean value
|
||||
pub value: bool,
|
||||
|
||||
/// Source of the configuration setting (user/admin/default)
|
||||
pub source: Source,
|
||||
}
|
||||
|
||||
impl BoolValue {
|
||||
/// Get a [`BoolValue`] value
|
||||
pub fn get(key: &str, def: bool) -> Self {
|
||||
let mut setting = get_setting_from_file(key);
|
||||
|
||||
if setting.source == Source::Default {
|
||||
setting = get_setting_from_env(key);
|
||||
}
|
||||
|
||||
if setting.source == Source::Default {
|
||||
setting.value = def;
|
||||
}
|
||||
|
||||
setting
|
||||
}
|
||||
}
|
||||
|
||||
/// Get a boolean config value
|
||||
fn get_setting_from_file(key: &str) -> BoolValue {
|
||||
let mut setting: BoolValue = BoolValue {
|
||||
value: false,
|
||||
source: Source::Default,
|
||||
};
|
||||
|
||||
let file = match File::open(DEFAULT_CONFIG_FILE) {
|
||||
Ok(f) => f,
|
||||
Err(_) => return setting,
|
||||
};
|
||||
|
||||
for line in BufReader::new(file).lines() {
|
||||
let line = match line {
|
||||
Ok(line) => line,
|
||||
_ => continue,
|
||||
};
|
||||
|
||||
if line.starts_with('#') || line.starts_with('\r') || line.starts_with('\n') {
|
||||
continue;
|
||||
}
|
||||
|
||||
let (name, value) = {
|
||||
let mut parts = line.splitn(1, '=');
|
||||
let name = parts.next();
|
||||
let value = parts.next();
|
||||
match (name, value, parts.next()) {
|
||||
(Some(name), Some(value), None) => (name.trim(), value.trim()),
|
||||
_ => continue,
|
||||
}
|
||||
};
|
||||
|
||||
if name == key {
|
||||
setting.source = Source::Admin;
|
||||
setting.value = value == "1" || value == "true";
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
setting
|
||||
}
|
||||
|
||||
/// Get a setting boolean from an environment variable
|
||||
fn get_setting_from_env(key: &str) -> BoolValue {
|
||||
let mut setting: BoolValue = BoolValue {
|
||||
value: false,
|
||||
source: Source::Default,
|
||||
};
|
||||
|
||||
if let Ok(value) = env::var(format!("YUBIKEY_PIV_{}", key)) {
|
||||
setting.source = Source::User;
|
||||
setting.value = value == "1" || value == "true";
|
||||
}
|
||||
|
||||
setting
|
||||
}
|
||||
+80
-73
@@ -2,15 +2,16 @@
|
||||
|
||||
use crate::{
|
||||
apdu::Response,
|
||||
apdu::{Ins, StatusWords, APDU},
|
||||
error::Error,
|
||||
key::{AlgorithmId, SlotId},
|
||||
apdu::{Apdu, Ins, StatusWords},
|
||||
consts::{CB_BUF_MAX, CB_OBJ_MAX},
|
||||
error::{Error, Result},
|
||||
otp,
|
||||
piv::{self, AlgorithmId, SlotId},
|
||||
serialization::*,
|
||||
yubikey::*,
|
||||
Buffer, ObjectId, CB_BUF_MAX, CB_OBJ_MAX, PIV_AID, YK_AID,
|
||||
Buffer, ObjectId,
|
||||
};
|
||||
use log::{error, trace};
|
||||
use std::convert::TryInto;
|
||||
use zeroize::Zeroizing;
|
||||
|
||||
#[cfg(feature = "untested")]
|
||||
@@ -32,7 +33,7 @@ pub(crate) struct Transaction<'tx> {
|
||||
|
||||
impl<'tx> Transaction<'tx> {
|
||||
/// Create a new transaction with the given card.
|
||||
pub fn new(card: &'tx mut pcsc::Card) -> Result<Self, Error> {
|
||||
pub fn new(card: &'tx mut pcsc::Card) -> Result<Self> {
|
||||
Ok(Transaction {
|
||||
inner: card.transaction()?,
|
||||
})
|
||||
@@ -45,7 +46,7 @@ impl<'tx> Transaction<'tx> {
|
||||
/// single APDU messages at a time. For larger messages that need to be
|
||||
/// split into multiple APDUs, use the [`Transaction::transfer_data`]
|
||||
/// method instead.
|
||||
pub fn transmit(&self, send_buffer: &[u8], recv_len: usize) -> Result<Vec<u8>, Error> {
|
||||
pub fn transmit(&self, send_buffer: &[u8], recv_len: usize) -> Result<Vec<u8>> {
|
||||
trace!(">>> {:?}", send_buffer);
|
||||
|
||||
let mut recv_buffer = vec![0u8; recv_len];
|
||||
@@ -60,10 +61,10 @@ impl<'tx> Transaction<'tx> {
|
||||
}
|
||||
|
||||
/// Select application.
|
||||
pub fn select_application(&self) -> Result<(), Error> {
|
||||
let response = APDU::new(Ins::SelectApplication)
|
||||
pub fn select_application(&self) -> Result<()> {
|
||||
let response = Apdu::new(Ins::SelectApplication)
|
||||
.p1(0x04)
|
||||
.data(&PIV_AID)
|
||||
.data(piv::APPLET_ID)
|
||||
.transmit(self, 0xFF)
|
||||
.map_err(|e| {
|
||||
error!("failed communicating with card: '{}'", e);
|
||||
@@ -75,16 +76,21 @@ impl<'tx> Transaction<'tx> {
|
||||
"failed selecting application: {:04x}",
|
||||
response.status_words().code()
|
||||
);
|
||||
return Err(Error::GenericError);
|
||||
return Err(match response.status_words() {
|
||||
StatusWords::NotFoundError => Error::AppletNotFound {
|
||||
applet_name: piv::APPLET_NAME,
|
||||
},
|
||||
_ => Error::GenericError,
|
||||
});
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
/// Get the version of the PIV application installed on the YubiKey.
|
||||
pub fn get_version(&self) -> Result<Version, Error> {
|
||||
pub fn get_version(&self) -> Result<Version> {
|
||||
// get version from device
|
||||
let response = APDU::new(Ins::GetVersion).transmit(self, 261)?;
|
||||
let response = Apdu::new(Ins::GetVersion).transmit(self, 261)?;
|
||||
|
||||
if !response.is_success() {
|
||||
return Err(Error::GenericError);
|
||||
@@ -98,71 +104,84 @@ impl<'tx> Transaction<'tx> {
|
||||
}
|
||||
|
||||
/// Get YubiKey device serial number.
|
||||
pub fn get_serial(&self, version: Version) -> Result<Serial, Error> {
|
||||
let response = if version.major < 5 {
|
||||
// YK4 requires switching to the yk applet to retrieve the serial
|
||||
let sw = APDU::new(Ins::SelectApplication)
|
||||
pub fn get_serial(&self, version: Version) -> Result<Serial> {
|
||||
match version.major {
|
||||
// YK4 requires switching to the YK applet to retrieve the serial
|
||||
4 => {
|
||||
let sw = Apdu::new(Ins::SelectApplication)
|
||||
.p1(0x04)
|
||||
.data(&YK_AID)
|
||||
.data(otp::APPLET_ID)
|
||||
.transmit(self, 0xFF)?
|
||||
.status_words();
|
||||
|
||||
if !sw.is_success() {
|
||||
error!("failed selecting yk application: {:04x}", sw.code());
|
||||
return Err(Error::GenericError);
|
||||
return Err(match sw {
|
||||
StatusWords::NotFoundError => Error::AppletNotFound {
|
||||
applet_name: otp::APPLET_NAME,
|
||||
},
|
||||
_ => Error::GenericError,
|
||||
});
|
||||
}
|
||||
|
||||
let resp = APDU::new(0x01).p1(0x10).transmit(self, 0xFF)?;
|
||||
let response = Apdu::new(0x01).p1(0x10).transmit(self, 0xFF)?;
|
||||
|
||||
if !resp.is_success() {
|
||||
if !response.is_success() {
|
||||
// TODO(tarcieri): still reselect the PIV applet in this case?
|
||||
error!(
|
||||
"failed retrieving serial number: {:04x}",
|
||||
resp.status_words().code()
|
||||
response.status_words().code()
|
||||
);
|
||||
return Err(Error::GenericError);
|
||||
}
|
||||
|
||||
// reselect the PIV applet
|
||||
let sw = APDU::new(Ins::SelectApplication)
|
||||
let sw = Apdu::new(Ins::SelectApplication)
|
||||
.p1(0x04)
|
||||
.data(&PIV_AID)
|
||||
.data(piv::APPLET_ID)
|
||||
.transmit(self, 0xFF)?
|
||||
.status_words();
|
||||
|
||||
if !sw.is_success() {
|
||||
error!("failed selecting application: {:04x}", sw.code());
|
||||
return Err(Error::GenericError);
|
||||
return Err(match sw {
|
||||
StatusWords::NotFoundError => Error::AppletNotFound {
|
||||
applet_name: piv::APPLET_NAME,
|
||||
},
|
||||
_ => Error::GenericError,
|
||||
});
|
||||
}
|
||||
|
||||
resp
|
||||
} else {
|
||||
// YK5 implements getting the serial as a PIV applet command (0xf8)
|
||||
let resp = APDU::new(Ins::GetSerial).transmit(self, 0xFF)?;
|
||||
response.data().try_into()
|
||||
}
|
||||
|
||||
if !resp.is_success() {
|
||||
// YK5 implements getting the serial as a PIV applet command (0xf8)
|
||||
5 => {
|
||||
let response = Apdu::new(Ins::GetSerial).transmit(self, 0xFF)?;
|
||||
|
||||
if !response.is_success() {
|
||||
error!(
|
||||
"failed retrieving serial number: {:04x}",
|
||||
resp.status_words().code()
|
||||
response.status_words().code()
|
||||
);
|
||||
return Err(Error::GenericError);
|
||||
}
|
||||
|
||||
resp
|
||||
};
|
||||
response.data().try_into()
|
||||
}
|
||||
|
||||
response.data()[..4]
|
||||
.try_into()
|
||||
.map(|serial| Serial::from(u32::from_be_bytes(serial)))
|
||||
.map_err(|_| Error::SizeError)
|
||||
// Other versions unsupported
|
||||
_ => Err(Error::NotSupported),
|
||||
}
|
||||
}
|
||||
|
||||
/// Verify device PIN.
|
||||
pub fn verify_pin(&self, pin: &[u8]) -> Result<(), Error> {
|
||||
pub fn verify_pin(&self, pin: &[u8]) -> Result<()> {
|
||||
if pin.len() > CB_PIN_MAX {
|
||||
return Err(Error::SizeError);
|
||||
}
|
||||
|
||||
let mut query = APDU::new(Ins::Verify);
|
||||
let mut query = Apdu::new(Ins::Verify);
|
||||
query.params(0x00, 0x80);
|
||||
|
||||
// Empty pin means we are querying the number of retries. We set no data in this
|
||||
@@ -191,7 +210,7 @@ impl<'tx> Transaction<'tx> {
|
||||
action: ChangeRefAction,
|
||||
current_pin: &[u8],
|
||||
new_pin: &[u8],
|
||||
) -> Result<(), Error> {
|
||||
) -> Result<()> {
|
||||
if current_pin.len() > CB_PIN_MAX || new_pin.len() > CB_PIN_MAX {
|
||||
return Err(Error::SizeError);
|
||||
}
|
||||
@@ -229,14 +248,8 @@ impl<'tx> Transaction<'tx> {
|
||||
|
||||
/// Set the management key (MGM).
|
||||
#[cfg(feature = "untested")]
|
||||
pub fn set_mgm_key(&self, new_key: &MgmKey, touch: Option<u8>) -> Result<(), Error> {
|
||||
let p2 = match touch.unwrap_or_default() {
|
||||
0 => 0xff,
|
||||
1 => 0xfe,
|
||||
_ => {
|
||||
return Err(Error::GenericError);
|
||||
}
|
||||
};
|
||||
pub fn set_mgm_key(&self, new_key: &MgmKey, require_touch: bool) -> Result<()> {
|
||||
let p2 = if require_touch { 0xfe } else { 0xff };
|
||||
|
||||
let mut data = [0u8; DES_LEN_3DES + 3];
|
||||
data[0] = ALGO_3DES;
|
||||
@@ -244,9 +257,9 @@ impl<'tx> Transaction<'tx> {
|
||||
data[2] = DES_LEN_3DES as u8;
|
||||
data[3..3 + DES_LEN_3DES].copy_from_slice(new_key.as_ref());
|
||||
|
||||
let status_words = APDU::new(Ins::SetMgmKey)
|
||||
let status_words = Apdu::new(Ins::SetMgmKey)
|
||||
.params(0xff, p2)
|
||||
.data(&data)
|
||||
.data(data)
|
||||
.transmit(self, 261)?
|
||||
.status_words();
|
||||
|
||||
@@ -269,7 +282,7 @@ impl<'tx> Transaction<'tx> {
|
||||
algorithm: AlgorithmId,
|
||||
key: SlotId,
|
||||
decipher: bool,
|
||||
) -> Result<Buffer, Error> {
|
||||
) -> Result<Buffer> {
|
||||
let in_len = sign_in.len();
|
||||
let mut indata = [0u8; 1024];
|
||||
let templ = [0, Ins::Authenticate.code(), algorithm.into(), key.into()];
|
||||
@@ -364,12 +377,7 @@ impl<'tx> Transaction<'tx> {
|
||||
/// messages into smaller APDU-sized messages (using the provided APDU
|
||||
/// template to construct them), and then sending those via
|
||||
/// [`Transaction::transmit`].
|
||||
pub fn transfer_data(
|
||||
&self,
|
||||
templ: &[u8],
|
||||
in_data: &[u8],
|
||||
max_out: usize,
|
||||
) -> Result<Response, Error> {
|
||||
pub fn transfer_data(&self, templ: &[u8], in_data: &[u8], max_out: usize) -> Result<Response> {
|
||||
let mut in_offset = 0;
|
||||
let mut out_data = vec![];
|
||||
let mut sw;
|
||||
@@ -386,17 +394,18 @@ impl<'tx> Transaction<'tx> {
|
||||
|
||||
trace!("going to send {} bytes in this go", this_size);
|
||||
|
||||
let response = APDU::new(templ[1])
|
||||
let response = Apdu::new(templ[1])
|
||||
.cla(cla)
|
||||
.params(templ[2], templ[3])
|
||||
.data(&in_data[in_offset..(in_offset + this_size)])
|
||||
.transmit(self, 261)?;
|
||||
|
||||
sw = response.status_words().code();
|
||||
sw = response.status_words();
|
||||
|
||||
if !response.is_success() && (sw >> 8 != 0x61) {
|
||||
match sw {
|
||||
StatusWords::Success | StatusWords::BytesRemaining { .. } => (),
|
||||
// TODO(tarcieri): is this really OK?
|
||||
return Ok(Response::new(sw.into(), out_data));
|
||||
_ => return Ok(Response::new(sw, out_data)),
|
||||
}
|
||||
|
||||
if !out_data.is_empty() && (out_data.len() - response.data().len() > max_out) {
|
||||
@@ -417,17 +426,15 @@ impl<'tx> Transaction<'tx> {
|
||||
}
|
||||
}
|
||||
|
||||
while sw >> 8 == 0x61 {
|
||||
trace!(
|
||||
"The card indicates there is {} bytes more data for us",
|
||||
sw & 0xff
|
||||
);
|
||||
while let StatusWords::BytesRemaining { len } = sw {
|
||||
trace!("The card indicates there is {} bytes more data for us", len);
|
||||
|
||||
let response = APDU::new(Ins::GetResponseApdu).transmit(self, 261)?;
|
||||
sw = response.status_words().code();
|
||||
let response = Apdu::new(Ins::GetResponseApdu).transmit(self, 261)?;
|
||||
sw = response.status_words();
|
||||
|
||||
if sw != StatusWords::Success.code() && (sw >> 8 != 0x61) {
|
||||
return Ok(Response::new(sw.into(), vec![]));
|
||||
match sw {
|
||||
StatusWords::Success | StatusWords::BytesRemaining { .. } => (),
|
||||
_ => return Ok(Response::new(sw, vec![])),
|
||||
}
|
||||
|
||||
if out_data.len() + response.data().len() > max_out {
|
||||
@@ -443,11 +450,11 @@ impl<'tx> Transaction<'tx> {
|
||||
out_data.extend_from_slice(&response.data()[..response.data().len()]);
|
||||
}
|
||||
|
||||
Ok(Response::new(sw.into(), out_data))
|
||||
Ok(Response::new(sw, out_data))
|
||||
}
|
||||
|
||||
/// Fetch an object.
|
||||
pub fn fetch_object(&self, object_id: ObjectId) -> Result<Buffer, Error> {
|
||||
pub fn fetch_object(&self, object_id: ObjectId) -> Result<Buffer> {
|
||||
let mut indata = [0u8; 5];
|
||||
let templ = [0, Ins::GetData.code(), 0x3f, 0xff];
|
||||
|
||||
@@ -481,7 +488,7 @@ impl<'tx> Transaction<'tx> {
|
||||
}
|
||||
|
||||
/// Save an object.
|
||||
pub fn save_object(&self, object_id: ObjectId, indata: &[u8]) -> Result<(), Error> {
|
||||
pub fn save_object(&self, object_id: ObjectId, indata: &[u8]) -> Result<()> {
|
||||
let templ = [0, Ins::PutData.code(), 0x3f, 0xff];
|
||||
|
||||
// TODO(tarcieri): replace with vector
|
||||
|
||||
+220
-126
@@ -31,33 +31,37 @@
|
||||
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
use crate::{
|
||||
apdu::{Ins, APDU},
|
||||
cccid::CCC,
|
||||
chuid::CHUID,
|
||||
apdu::{Apdu, Ins},
|
||||
cccid::CccId,
|
||||
chuid::ChuId,
|
||||
config::Config,
|
||||
error::Error,
|
||||
error::{Error, Result},
|
||||
mgm::MgmKey,
|
||||
readers::{Reader, Readers},
|
||||
piv,
|
||||
reader::{Context, Reader},
|
||||
transaction::Transaction,
|
||||
};
|
||||
use log::{error, info};
|
||||
use pcsc::Card;
|
||||
use pcsc::{Card, Disposition};
|
||||
use rand_core::{OsRng, RngCore};
|
||||
use std::{
|
||||
convert::{TryFrom, TryInto},
|
||||
fmt::{self, Display},
|
||||
str::FromStr,
|
||||
};
|
||||
|
||||
#[cfg(feature = "untested")]
|
||||
use crate::{
|
||||
apdu::StatusWords, metadata, transaction::ChangeRefAction, Buffer, ObjectId, CB_BUF_MAX,
|
||||
CB_OBJ_MAX, MGMT_AID, TAG_ADMIN, TAG_ADMIN_FLAGS_1, TAG_ADMIN_TIMESTAMP,
|
||||
use {
|
||||
crate::{
|
||||
apdu::StatusWords,
|
||||
consts::{TAG_ADMIN_FLAGS_1, TAG_ADMIN_TIMESTAMP},
|
||||
metadata::AdminData,
|
||||
mgm,
|
||||
transaction::ChangeRefAction,
|
||||
Buffer, ObjectId,
|
||||
},
|
||||
secrecy::ExposeSecret,
|
||||
std::time::{SystemTime, UNIX_EPOCH},
|
||||
};
|
||||
use getrandom::getrandom;
|
||||
#[cfg(feature = "untested")]
|
||||
use secrecy::ExposeSecret;
|
||||
#[cfg(feature = "untested")]
|
||||
use std::time::{SystemTime, UNIX_EPOCH};
|
||||
|
||||
/// Flag for PUK blocked
|
||||
pub(crate) const ADMIN_FLAGS_1_PUK_BLOCKED: u8 = 0x01;
|
||||
@@ -70,10 +74,10 @@ pub(crate) const KEY_CARDMGM: u8 = 0x9b;
|
||||
|
||||
const TAG_DYN_AUTH: u8 = 0x7c;
|
||||
|
||||
/// Cached YubiKey PIN
|
||||
/// Cached YubiKey PIN.
|
||||
pub type CachedPin = secrecy::SecretVec<u8>;
|
||||
|
||||
/// YubiKey Serial Number
|
||||
/// YubiKey serial number.
|
||||
#[derive(Copy, Clone, Debug, Eq, PartialEq, PartialOrd, Ord)]
|
||||
pub struct Serial(pub u32);
|
||||
|
||||
@@ -89,11 +93,25 @@ impl From<Serial> for u32 {
|
||||
}
|
||||
}
|
||||
|
||||
impl TryFrom<&[u8]> for Serial {
|
||||
type Error = Error;
|
||||
|
||||
fn try_from(bytes: &[u8]) -> Result<Self> {
|
||||
if bytes.len() > 4 {
|
||||
return Err(Error::SizeError);
|
||||
}
|
||||
|
||||
let mut arr = [0u8; 4];
|
||||
arr[(4 - bytes.len())..].copy_from_slice(bytes);
|
||||
Ok(Self(u32::from_be_bytes(arr)))
|
||||
}
|
||||
}
|
||||
|
||||
impl FromStr for Serial {
|
||||
type Err = Error;
|
||||
|
||||
fn from_str(s: &str) -> Result<Self, Error> {
|
||||
u32::from_str(s).map(Serial).map_err(|_| Error::ParseError)
|
||||
fn from_str(s: &str) -> Result<Self> {
|
||||
s.parse().map(Serial).map_err(|_| Error::ParseError)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -103,7 +121,7 @@ impl Display for Serial {
|
||||
}
|
||||
}
|
||||
|
||||
/// YubiKey Version
|
||||
/// YubiKey version.
|
||||
#[derive(Copy, Clone, Debug, Eq, PartialEq)]
|
||||
pub struct Version {
|
||||
/// Major version component
|
||||
@@ -133,8 +151,7 @@ impl Display for Version {
|
||||
}
|
||||
}
|
||||
|
||||
/// YubiKey Device: this is the primary API for opening a session and
|
||||
/// performing various operations.
|
||||
/// YubiKey device: primary API for opening a session and performing various operations.
|
||||
///
|
||||
/// Almost all functionality in this library will require an open session
|
||||
/// with a YubiKey which is represented by this type.
|
||||
@@ -148,6 +165,16 @@ pub struct YubiKey {
|
||||
pub(crate) serial: Serial,
|
||||
}
|
||||
|
||||
impl fmt::Debug for YubiKey {
|
||||
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
|
||||
f.debug_struct("YubiKey")
|
||||
.field("name", &self.name)
|
||||
.field("version", &self.version)
|
||||
.field("serial", &self.serial)
|
||||
.finish_non_exhaustive()
|
||||
}
|
||||
}
|
||||
|
||||
impl YubiKey {
|
||||
/// Open a connection to a YubiKey.
|
||||
///
|
||||
@@ -155,14 +182,10 @@ impl YubiKey {
|
||||
///
|
||||
/// If you need to operate in environments with more than one YubiKey
|
||||
/// attached to the same system, use [`YubiKey::open_by_serial`] or
|
||||
///[`yubikey_piv::Readers`] to select from the available PC/SC readers.
|
||||
pub fn open() -> Result<Self, Error> {
|
||||
let mut readers = Readers::open().map_err(|e| match e {
|
||||
Error::PcscError {
|
||||
inner: Some(pcsc::Error::NoReadersAvailable),
|
||||
} => Error::NotFound,
|
||||
other => other,
|
||||
})?;
|
||||
/// [`yubikey::reader::Context`][`Context`] to select from the available
|
||||
/// PC/SC readers.
|
||||
pub fn open() -> Result<Self> {
|
||||
let mut readers = Context::open()?;
|
||||
let mut reader_iter = readers.iter()?;
|
||||
|
||||
if let Some(reader) = reader_iter.next() {
|
||||
@@ -179,32 +202,49 @@ impl YubiKey {
|
||||
}
|
||||
|
||||
/// Open a YubiKey with a specific serial number.
|
||||
pub fn open_by_serial(serial: Serial) -> Result<Self, Error> {
|
||||
let mut readers = Readers::open().map_err(|e| match e {
|
||||
Error::PcscError {
|
||||
inner: Some(pcsc::Error::NoReadersAvailable),
|
||||
} => Error::NotFound,
|
||||
other => other,
|
||||
})?;
|
||||
pub fn open_by_serial(serial: Serial) -> Result<Self> {
|
||||
let mut readers = Context::open()?;
|
||||
|
||||
let mut open_error = None;
|
||||
|
||||
for reader in readers.iter()? {
|
||||
let yubikey = match reader.open() {
|
||||
Ok(yk) => yk,
|
||||
Err(_) => continue,
|
||||
Err(e) => {
|
||||
// Save the first error we see that indicates we might have been able
|
||||
// to find a matching YubiKey.
|
||||
if open_error.is_none() {
|
||||
if let Error::PcscError {
|
||||
inner: Some(pcsc::Error::SharingViolation),
|
||||
} = e
|
||||
{
|
||||
open_error = Some(e);
|
||||
}
|
||||
}
|
||||
continue;
|
||||
}
|
||||
};
|
||||
|
||||
if serial == yubikey.serial() {
|
||||
return Ok(yubikey);
|
||||
} else {
|
||||
// We didn't want this YubiKey; don't reset it.
|
||||
let _ = yubikey.disconnect(pcsc::Disposition::LeaveCard);
|
||||
}
|
||||
}
|
||||
|
||||
Err(if let Some(e) = open_error {
|
||||
e
|
||||
} else {
|
||||
error!("no YubiKey detected with serial: {}", serial);
|
||||
Err(Error::NotFound)
|
||||
Error::NotFound
|
||||
})
|
||||
}
|
||||
|
||||
/// Reconnect to a YubiKey
|
||||
/// Reconnect to a YubiKey.
|
||||
#[cfg(feature = "untested")]
|
||||
pub fn reconnect(&mut self) -> Result<(), Error> {
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub fn reconnect(&mut self) -> Result<()> {
|
||||
info!("trying to reconnect to current reader");
|
||||
|
||||
self.card.reconnect(
|
||||
@@ -228,13 +268,45 @@ impl YubiKey {
|
||||
Ok(())
|
||||
}
|
||||
|
||||
/// Begin a transaction.
|
||||
pub(crate) fn begin_transaction(&mut self) -> Result<Transaction<'_>, Error> {
|
||||
// TODO(tarcieri): reconnect support
|
||||
Ok(Transaction::new(&mut self.card)?)
|
||||
/// Disconnect from the YubiKey.
|
||||
///
|
||||
/// In case of error, ownership of the YubiKey is returned to the caller.
|
||||
///
|
||||
/// # Note
|
||||
///
|
||||
/// `YubiKey` implements `Drop` which automatically disconnects the card using
|
||||
/// `Disposition::ResetCard`; you only need to call this function if you want to
|
||||
/// handle errors or use a different disposition method.
|
||||
pub fn disconnect(self, disposition: Disposition) -> core::result::Result<(), (Self, Error)> {
|
||||
let Self {
|
||||
card,
|
||||
name,
|
||||
pin,
|
||||
version,
|
||||
serial,
|
||||
} = self;
|
||||
|
||||
card.disconnect(disposition).map_err(|(card, e)| {
|
||||
(
|
||||
Self {
|
||||
card,
|
||||
name,
|
||||
pin,
|
||||
version,
|
||||
serial,
|
||||
},
|
||||
e.into(),
|
||||
)
|
||||
})
|
||||
}
|
||||
|
||||
/// Get the name of the associated PC/SC card reader
|
||||
/// Begin a transaction.
|
||||
pub(crate) fn begin_transaction(&mut self) -> Result<Transaction<'_>> {
|
||||
// TODO(tarcieri): reconnect support
|
||||
Transaction::new(&mut self.card)
|
||||
}
|
||||
|
||||
/// Get the name of the associated PC/SC card reader.
|
||||
pub fn name(&self) -> &str {
|
||||
&self.name
|
||||
}
|
||||
@@ -254,28 +326,28 @@ impl YubiKey {
|
||||
}
|
||||
|
||||
/// Get device configuration.
|
||||
pub fn config(&mut self) -> Result<Config, Error> {
|
||||
pub fn config(&mut self) -> Result<Config> {
|
||||
Config::get(self)
|
||||
}
|
||||
|
||||
/// Get CHUID
|
||||
pub fn chuid(&mut self) -> Result<CHUID, Error> {
|
||||
CHUID::get(self)
|
||||
/// Get Cardholder Unique Identifier (CHUID).
|
||||
pub fn chuid(&mut self) -> Result<ChuId> {
|
||||
ChuId::get(self)
|
||||
}
|
||||
|
||||
/// Get CCCID
|
||||
pub fn cccid(&mut self) -> Result<CCC, Error> {
|
||||
CCC::get(self)
|
||||
/// Get Cardholder Capability Container (CCC) Identifier.
|
||||
pub fn cccid(&mut self) -> Result<CccId> {
|
||||
CccId::get(self)
|
||||
}
|
||||
|
||||
/// Authenticate to the card using the provided management key (MGM).
|
||||
pub fn authenticate(&mut self, mgm_key: MgmKey) -> Result<(), Error> {
|
||||
pub fn authenticate(&mut self, mgm_key: MgmKey) -> Result<()> {
|
||||
let txn = self.begin_transaction()?;
|
||||
|
||||
// get a challenge from the card
|
||||
let challenge = APDU::new(Ins::Authenticate)
|
||||
let challenge = Apdu::new(Ins::Authenticate)
|
||||
.params(ALGO_3DES, KEY_CARDMGM)
|
||||
.data(&[TAG_DYN_AUTH, 0x02, 0x80, 0x00])
|
||||
.data([TAG_DYN_AUTH, 0x02, 0x80, 0x00])
|
||||
.transmit(&txn, 261)?;
|
||||
|
||||
if !challenge.is_success() || challenge.data().len() < 12 {
|
||||
@@ -293,18 +365,14 @@ impl YubiKey {
|
||||
data[4..12].copy_from_slice(&response);
|
||||
data[12] = 0x81;
|
||||
data[13] = 8;
|
||||
|
||||
if getrandom(&mut data[14..22]).is_err() {
|
||||
error!("failed getting randomness for authentication");
|
||||
return Err(Error::RandomnessError);
|
||||
}
|
||||
OsRng.fill_bytes(&mut data[14..22]);
|
||||
|
||||
let mut challenge = [0u8; 8];
|
||||
challenge.copy_from_slice(&data[14..22]);
|
||||
|
||||
let authentication = APDU::new(Ins::Authenticate)
|
||||
let authentication = Apdu::new(Ins::Authenticate)
|
||||
.params(ALGO_3DES, KEY_CARDMGM)
|
||||
.data(&data)
|
||||
.data(data)
|
||||
.transmit(&txn, 261)?;
|
||||
|
||||
if !authentication.is_success() {
|
||||
@@ -322,14 +390,20 @@ impl YubiKey {
|
||||
Ok(())
|
||||
}
|
||||
|
||||
/// Deauthenticate
|
||||
/// Get the PIV keys contained in this YubiKey.
|
||||
pub fn piv_keys(&mut self) -> Result<Vec<piv::Key>> {
|
||||
piv::Key::list(self)
|
||||
}
|
||||
|
||||
/// Deauthenticate.
|
||||
#[cfg(feature = "untested")]
|
||||
pub fn deauthenticate(&mut self) -> Result<(), Error> {
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub fn deauthenticate(&mut self) -> Result<()> {
|
||||
let txn = self.begin_transaction()?;
|
||||
|
||||
let status_words = APDU::new(Ins::SelectApplication)
|
||||
let status_words = Apdu::new(Ins::SelectApplication)
|
||||
.p1(0x04)
|
||||
.data(MGMT_AID)
|
||||
.data(mgm::APPLET_ID)
|
||||
.transmit(&txn, 255)?
|
||||
.status_words();
|
||||
|
||||
@@ -338,14 +412,19 @@ impl YubiKey {
|
||||
"Failed selecting mgmt application: {:04x}",
|
||||
status_words.code()
|
||||
);
|
||||
return Err(Error::GenericError);
|
||||
return Err(match status_words {
|
||||
StatusWords::NotFoundError => Error::AppletNotFound {
|
||||
applet_name: mgm::APPLET_NAME,
|
||||
},
|
||||
_ => Error::GenericError,
|
||||
});
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
/// Verify device PIN.
|
||||
pub fn verify_pin(&mut self, pin: &[u8]) -> Result<(), Error> {
|
||||
pub fn verify_pin(&mut self, pin: &[u8]) -> Result<()> {
|
||||
{
|
||||
let txn = self.begin_transaction()?;
|
||||
txn.verify_pin(pin)?;
|
||||
@@ -358,8 +437,8 @@ impl YubiKey {
|
||||
Ok(())
|
||||
}
|
||||
|
||||
/// Get the number of PIN retries
|
||||
pub fn get_pin_retries(&mut self) -> Result<u8, Error> {
|
||||
/// Get the number of PIN retries.
|
||||
pub fn get_pin_retries(&mut self) -> Result<u8> {
|
||||
let txn = self.begin_transaction()?;
|
||||
|
||||
// Force a re-select to unverify, because once verified the spec dictates that
|
||||
@@ -375,9 +454,10 @@ impl YubiKey {
|
||||
}
|
||||
}
|
||||
|
||||
/// Set the number of PIN retries
|
||||
/// Set the number of PIN retries.
|
||||
#[cfg(feature = "untested")]
|
||||
pub fn set_pin_retries(&mut self, pin_tries: u8, puk_tries: u8) -> Result<(), Error> {
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub fn set_pin_retries(&mut self, pin_tries: u8, puk_tries: u8) -> Result<()> {
|
||||
// Special case: if either retry count is 0, it's a successful no-op
|
||||
if pin_tries == 0 || puk_tries == 0 {
|
||||
return Ok(());
|
||||
@@ -399,9 +479,10 @@ impl YubiKey {
|
||||
|
||||
/// Change the Personal Identification Number (PIN).
|
||||
///
|
||||
/// The default PIN code is 123456
|
||||
/// The default PIN code is `123456`.
|
||||
#[cfg(feature = "untested")]
|
||||
pub fn change_pin(&mut self, current_pin: &[u8], new_pin: &[u8]) -> Result<(), Error> {
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub fn change_pin(&mut self, current_pin: &[u8], new_pin: &[u8]) -> Result<()> {
|
||||
{
|
||||
let txn = self.begin_transaction()?;
|
||||
txn.change_ref(ChangeRefAction::ChangePin, current_pin, new_pin)?;
|
||||
@@ -414,15 +495,13 @@ impl YubiKey {
|
||||
Ok(())
|
||||
}
|
||||
|
||||
/// Set PIN last changed
|
||||
/// Set PIN last changed.
|
||||
#[cfg(feature = "untested")]
|
||||
pub fn set_pin_last_changed(yubikey: &mut YubiKey) -> Result<(), Error> {
|
||||
let mut data = [0u8; CB_BUF_MAX];
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub fn set_pin_last_changed(yubikey: &mut YubiKey) -> Result<()> {
|
||||
let txn = yubikey.begin_transaction()?;
|
||||
|
||||
let buffer = metadata::read(&txn, TAG_ADMIN)?;
|
||||
let mut cb_data = buffer.len();
|
||||
data[..cb_data].copy_from_slice(&buffer);
|
||||
let mut admin_data = AdminData::read(&txn)?;
|
||||
|
||||
// TODO(tarcieri): double check this is little endian
|
||||
let tnow = SystemTime::now()
|
||||
@@ -431,19 +510,14 @@ impl YubiKey {
|
||||
.as_secs()
|
||||
.to_le_bytes();
|
||||
|
||||
metadata::set_item(
|
||||
&mut data,
|
||||
&mut cb_data,
|
||||
CB_OBJ_MAX,
|
||||
TAG_ADMIN_TIMESTAMP,
|
||||
&tnow,
|
||||
)
|
||||
admin_data
|
||||
.set_item(TAG_ADMIN_TIMESTAMP, &tnow)
|
||||
.map_err(|e| {
|
||||
error!("could not set pin timestamp, err = {}", e);
|
||||
e
|
||||
})?;
|
||||
|
||||
metadata::write(&txn, TAG_ADMIN, &data).map_err(|e| {
|
||||
admin_data.write(&txn).map_err(|e| {
|
||||
error!("could not write admin data, err = {}", e);
|
||||
e
|
||||
})?;
|
||||
@@ -457,21 +531,23 @@ impl YubiKey {
|
||||
///
|
||||
/// The PUK is part of the PIV standard that the YubiKey follows.
|
||||
///
|
||||
/// The default PUK code is 12345678.
|
||||
/// The default PUK code is `12345678`.
|
||||
#[cfg(feature = "untested")]
|
||||
pub fn change_puk(&mut self, current_puk: &[u8], new_puk: &[u8]) -> Result<(), Error> {
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub fn change_puk(&mut self, current_puk: &[u8], new_puk: &[u8]) -> Result<()> {
|
||||
let txn = self.begin_transaction()?;
|
||||
txn.change_ref(ChangeRefAction::ChangePuk, current_puk, new_puk)
|
||||
}
|
||||
|
||||
/// Block PUK: permanently prevent the PIN from becoming unblocked
|
||||
/// Block PUK: permanently prevent the PIN from becoming unblocked.
|
||||
#[cfg(feature = "untested")]
|
||||
pub fn block_puk(yubikey: &mut YubiKey) -> Result<(), Error> {
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub fn block_puk(&mut self) -> Result<()> {
|
||||
let mut puk = [0x30, 0x42, 0x41, 0x44, 0x46, 0x30, 0x30, 0x44];
|
||||
let mut tries_remaining: i32 = -1;
|
||||
let mut flags = [0];
|
||||
|
||||
let txn = yubikey.begin_transaction()?;
|
||||
let txn = self.begin_transaction()?;
|
||||
|
||||
while tries_remaining != 0 {
|
||||
// 2 -> change puk
|
||||
@@ -494,8 +570,10 @@ impl YubiKey {
|
||||
}
|
||||
}
|
||||
|
||||
if let Ok(data) = metadata::read(&txn, TAG_ADMIN) {
|
||||
if let Ok(item) = metadata::get_item(&data, TAG_ADMIN_FLAGS_1) {
|
||||
// Attempt to set the "PUK blocked" flag in admin data.
|
||||
let mut admin_data = AdminData::read(&txn)
|
||||
.map(|data| {
|
||||
if let Ok(item) = data.get_item(TAG_ADMIN_FLAGS_1) {
|
||||
if item.len() == flags.len() {
|
||||
flags.copy_from_slice(item)
|
||||
} else {
|
||||
@@ -506,22 +584,15 @@ impl YubiKey {
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
data
|
||||
})
|
||||
.unwrap_or_default();
|
||||
|
||||
flags[0] |= ADMIN_FLAGS_1_PUK_BLOCKED;
|
||||
let mut data = [0u8; CB_BUF_MAX];
|
||||
let mut cb_data: usize = data.len();
|
||||
|
||||
if metadata::set_item(
|
||||
&mut data,
|
||||
&mut cb_data,
|
||||
CB_OBJ_MAX,
|
||||
TAG_ADMIN_FLAGS_1,
|
||||
&flags,
|
||||
)
|
||||
.is_ok()
|
||||
{
|
||||
if metadata::write(&txn, TAG_ADMIN, &data[..cb_data]).is_err() {
|
||||
if admin_data.set_item(TAG_ADMIN_FLAGS_1, &flags).is_ok() {
|
||||
if admin_data.write(&txn).is_err() {
|
||||
error!("could not write admin metadata");
|
||||
}
|
||||
} else {
|
||||
@@ -534,33 +605,37 @@ impl YubiKey {
|
||||
/// Unblock a Personal Identification Number (PIN) using a previously
|
||||
/// configured PIN Unblocking Key (PUK).
|
||||
#[cfg(feature = "untested")]
|
||||
pub fn unblock_pin(&mut self, puk: &[u8], new_pin: &[u8]) -> Result<(), Error> {
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub fn unblock_pin(&mut self, puk: &[u8], new_pin: &[u8]) -> Result<()> {
|
||||
let txn = self.begin_transaction()?;
|
||||
txn.change_ref(ChangeRefAction::UnblockPin, puk, new_pin)
|
||||
}
|
||||
|
||||
/// Fetch an object from the YubiKey
|
||||
/// Fetch an object from the YubiKey.
|
||||
#[cfg(feature = "untested")]
|
||||
pub fn fetch_object(&mut self, object_id: ObjectId) -> Result<Buffer, Error> {
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub fn fetch_object(&mut self, object_id: ObjectId) -> Result<Buffer> {
|
||||
let txn = self.begin_transaction()?;
|
||||
txn.fetch_object(object_id)
|
||||
}
|
||||
|
||||
/// Save an object
|
||||
/// Save an object.
|
||||
#[cfg(feature = "untested")]
|
||||
pub fn save_object(&mut self, object_id: ObjectId, indata: &mut [u8]) -> Result<(), Error> {
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub fn save_object(&mut self, object_id: ObjectId, indata: &mut [u8]) -> Result<()> {
|
||||
let txn = self.begin_transaction()?;
|
||||
txn.save_object(object_id, indata)
|
||||
}
|
||||
|
||||
/// Get an auth challenge
|
||||
/// Get an auth challenge.
|
||||
#[cfg(feature = "untested")]
|
||||
pub fn get_auth_challenge(&mut self) -> Result<[u8; 8], Error> {
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub fn get_auth_challenge(&mut self) -> Result<[u8; 8]> {
|
||||
let txn = self.begin_transaction()?;
|
||||
|
||||
let response = APDU::new(Ins::Authenticate)
|
||||
let response = Apdu::new(Ins::Authenticate)
|
||||
.params(ALGO_3DES, KEY_CARDMGM)
|
||||
.data(&[0x7c, 0x02, 0x81, 0x00])
|
||||
.data([0x7c, 0x02, 0x81, 0x00])
|
||||
.transmit(&txn, 261)?;
|
||||
|
||||
if !response.is_success() {
|
||||
@@ -570,9 +645,10 @@ impl YubiKey {
|
||||
Ok(response.data()[4..12].try_into().unwrap())
|
||||
}
|
||||
|
||||
/// Verify an auth response
|
||||
/// Verify an auth response.
|
||||
#[cfg(feature = "untested")]
|
||||
pub fn verify_auth_response(&mut self, response: [u8; 8]) -> Result<(), Error> {
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub fn verify_auth_response(&mut self, response: [u8; 8]) -> Result<()> {
|
||||
let mut data = [0u8; 12];
|
||||
data[0] = 0x7c;
|
||||
data[1] = 0x0a;
|
||||
@@ -583,9 +659,9 @@ impl YubiKey {
|
||||
let txn = self.begin_transaction()?;
|
||||
|
||||
// send the response to the card and a challenge of our own.
|
||||
let status_words = APDU::new(Ins::Authenticate)
|
||||
let status_words = Apdu::new(Ins::Authenticate)
|
||||
.params(ALGO_3DES, KEY_CARDMGM)
|
||||
.data(&data)
|
||||
.data(data)
|
||||
.transmit(&txn, 261)?
|
||||
.status_words();
|
||||
|
||||
@@ -602,7 +678,8 @@ impl YubiKey {
|
||||
///
|
||||
/// The reset function is only available when both pins are blocked.
|
||||
#[cfg(feature = "untested")]
|
||||
pub fn reset_device(&mut self) -> Result<(), Error> {
|
||||
#[cfg_attr(docsrs, doc(cfg(feature = "untested")))]
|
||||
pub fn reset_device(&mut self) -> Result<()> {
|
||||
let templ = [0, Ins::Reset.code(), 0, 0];
|
||||
let txn = self.begin_transaction()?;
|
||||
let status_words = txn.transfer_data(&templ, &[], 255)?.status_words();
|
||||
@@ -618,7 +695,7 @@ impl YubiKey {
|
||||
impl<'a> TryFrom<&'a Reader<'_>> for YubiKey {
|
||||
type Error = Error;
|
||||
|
||||
fn try_from(reader: &'a Reader<'_>) -> Result<Self, Error> {
|
||||
fn try_from(reader: &'a Reader<'_>) -> Result<Self> {
|
||||
let mut card = reader.connect().map_err(|e| {
|
||||
error!("error connecting to reader '{}': {}", reader.name(), e);
|
||||
e
|
||||
@@ -626,15 +703,30 @@ impl<'a> TryFrom<&'a Reader<'_>> for YubiKey {
|
||||
|
||||
info!("connected to reader: {}", reader.name());
|
||||
|
||||
let (version, serial) = {
|
||||
let mut app_version_serial = || -> Result<(Version, Serial)> {
|
||||
let txn = Transaction::new(&mut card)?;
|
||||
txn.select_application()?;
|
||||
|
||||
let v = txn.get_version()?;
|
||||
let s = txn.get_serial(v)?;
|
||||
(v, s)
|
||||
Ok((v, s))
|
||||
};
|
||||
|
||||
match app_version_serial() {
|
||||
Err(e) => {
|
||||
error!("Could not use reader: {}", e);
|
||||
|
||||
// We were unable to use the card, so we've effectively only connected as
|
||||
// a side-effect of determining this. Avoid disrupting its internal state
|
||||
// any further (e.g. preserve the PIN cache of whatever applet is selected
|
||||
// currently).
|
||||
if let Err((_, e)) = card.disconnect(pcsc::Disposition::LeaveCard) {
|
||||
error!("Failed to disconnect gracefully from card: {}", e);
|
||||
}
|
||||
|
||||
Err(e)
|
||||
}
|
||||
Ok((version, serial)) => {
|
||||
let yubikey = YubiKey {
|
||||
card,
|
||||
name: String::from(reader.name()),
|
||||
@@ -645,4 +737,6 @@ impl<'a> TryFrom<&'a Reader<'_>> for YubiKey {
|
||||
|
||||
Ok(yubikey)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,85 @@
|
||||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number:
|
||||
d4:29:8f:df:8a:af:7b:c0:d7:bf:19:9d:90:d5:ef:ca
|
||||
Signature Algorithm: sha256WithRSAEncryption
|
||||
Issuer: CN=Ferdinand Linnenberg CA
|
||||
Validity
|
||||
Not Before: Feb 10 12:25:37 2022 GMT
|
||||
Not After : May 15 12:25:37 2024 GMT
|
||||
Subject: CN=Bob
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: rsaEncryption
|
||||
Public-Key: (2048 bit)
|
||||
Modulus:
|
||||
00:d5:27:9b:99:1b:3a:36:64:36:c8:e5:78:64:b6:
|
||||
9d:70:9d:29:6c:0e:85:91:4b:78:3b:dc:16:c3:09:
|
||||
8c:d3:74:20:8c:6f:ed:c3:90:c9:1b:4d:80:d5:46:
|
||||
da:52:7f:d2:2f:bc:b2:f7:40:8d:ad:dd:24:b9:5c:
|
||||
dc:a2:21:2f:48:ec:06:93:8b:89:f0:cd:63:ff:a1:
|
||||
fd:ce:36:d5:07:7a:1e:0e:cf:68:a8:c1:b3:7f:62:
|
||||
84:b7:e1:cf:25:7b:3f:a8:3c:ac:07:1a:fd:c2:e1:
|
||||
e0:9e:26:24:c1:0d:6d:9d:c6:57:6a:b4:39:28:3d:
|
||||
88:3e:c9:6a:89:90:72:4a:7b:75:c5:5e:1b:5e:5c:
|
||||
32:54:a3:ff:eb:01:68:7f:89:b4:4c:01:3f:08:8e:
|
||||
6c:61:49:60:26:0b:26:58:81:d7:1a:57:ee:52:5c:
|
||||
05:47:de:da:eb:b5:92:9d:5b:ce:26:18:44:59:3e:
|
||||
27:d0:61:86:e2:f4:c6:d9:c7:2b:1f:cb:ea:78:f0:
|
||||
a1:a9:57:d7:98:4c:c1:2f:ae:6a:38:b4:34:53:2e:
|
||||
5a:9e:f8:58:c7:51:e7:fd:b8:27:cd:87:72:26:c1:
|
||||
7d:14:c7:cd:fb:f2:04:8a:c4:8f:61:cf:a8:78:bd:
|
||||
21:be:28:cb:e8:a8:65:29:28:82:46:2f:18:e6:ff:
|
||||
6f:53
|
||||
Exponent: 65537 (0x10001)
|
||||
X509v3 extensions:
|
||||
X509v3 Basic Constraints:
|
||||
CA:FALSE
|
||||
X509v3 Subject Key Identifier:
|
||||
B5:A5:F0:37:25:97:AD:BE:F1:43:52:45:4D:8B:A0:5E:E9:78:21:B8
|
||||
X509v3 Authority Key Identifier:
|
||||
keyid:26:4E:EB:B0:A5:1B:08:A8:90:2A:85:04:73:84:B5:A5:2C:61:D6:91
|
||||
DirName:/CN=Ferdinand Linnenberg CA
|
||||
serial:8C:E0:40:D9:D8:60:E5:77
|
||||
|
||||
X509v3 Extended Key Usage:
|
||||
TLS Web Client Authentication
|
||||
X509v3 Key Usage:
|
||||
Digital Signature
|
||||
Signature Algorithm: sha256WithRSAEncryption
|
||||
19:f3:eb:c1:95:e6:d5:a9:33:d7:2e:02:d8:3a:91:84:81:14:
|
||||
93:fc:03:4d:b1:4b:9d:0b:9b:94:93:9f:1a:0d:87:31:a1:fa:
|
||||
a6:c7:3a:6b:18:24:12:ab:28:fb:c8:e3:09:a2:5d:50:49:00:
|
||||
d9:18:e6:4a:09:18:e0:1c:da:d3:19:96:3d:74:72:fe:e0:8f:
|
||||
ee:59:54:66:2e:57:72:b8:91:55:06:13:e5:9e:89:a2:3a:13:
|
||||
3b:45:30:d3:cd:15:0e:81:eb:4f:b0:6a:a4:6d:00:7d:5b:c0:
|
||||
4a:7f:97:d0:27:27:31:ae:3e:72:f1:74:fe:86:8e:29:a9:42:
|
||||
23:26:22:db:08:8b:df:e9:d3:83:8d:81:10:36:d7:33:68:5e:
|
||||
cb:93:cb:1e:12:c8:cb:be:5e:5c:8e:58:b0:1d:06:5e:c9:98:
|
||||
b7:f1:49:fe:c4:03:de:b4:2b:da:9d:2c:7d:98:37:1c:6c:a8:
|
||||
95:21:6f:23:e3:2e:09:bc:6c:e5:ed:e2:50:d8:f7:da:45:39:
|
||||
d8:34:8a:57:0c:4f:d0:0d:80:06:d6:34:63:72:27:d1:50:d1:
|
||||
d2:21:2c:97:57:17:98:02:95:3a:96:ed:75:9f:cc:f3:b8:f1:
|
||||
3a:85:f9:58:08:9b:a0:75:fd:9b:fd:31:dd:08:dc:14:3d:f4:
|
||||
68:aa:d4:30
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDXzCCAkegAwIBAgIRANQpj9+Kr3vA178ZnZDV78owDQYJKoZIhvcNAQELBQAw
|
||||
IjEgMB4GA1UEAwwXRmVyZGluYW5kIExpbm5lbmJlcmcgQ0EwHhcNMjIwMjEwMTIy
|
||||
NTM3WhcNMjQwNTE1MTIyNTM3WjAOMQwwCgYDVQQDDANCb2IwggEiMA0GCSqGSIb3
|
||||
DQEBAQUAA4IBDwAwggEKAoIBAQDVJ5uZGzo2ZDbI5Xhktp1wnSlsDoWRS3g73BbD
|
||||
CYzTdCCMb+3DkMkbTYDVRtpSf9IvvLL3QI2t3SS5XNyiIS9I7AaTi4nwzWP/of3O
|
||||
NtUHeh4Oz2iowbN/YoS34c8lez+oPKwHGv3C4eCeJiTBDW2dxldqtDkoPYg+yWqJ
|
||||
kHJKe3XFXhteXDJUo//rAWh/ibRMAT8IjmxhSWAmCyZYgdcaV+5SXAVH3trrtZKd
|
||||
W84mGERZPifQYYbi9MbZxysfy+p48KGpV9eYTMEvrmo4tDRTLlqe+FjHUef9uCfN
|
||||
h3ImwX0Ux8378gSKxI9hz6h4vSG+KMvoqGUpKIJGLxjm/29TAgMBAAGjgaMwgaAw
|
||||
CQYDVR0TBAIwADAdBgNVHQ4EFgQUtaXwNyWXrb7xQ1JFTYugXul4IbgwUgYDVR0j
|
||||
BEswSYAUJk7rsKUbCKiQKoUEc4S1pSxh1pGhJqQkMCIxIDAeBgNVBAMMF0ZlcmRp
|
||||
bmFuZCBMaW5uZW5iZXJnIENBggkAjOBA2dhg5XcwEwYDVR0lBAwwCgYIKwYBBQUH
|
||||
AwIwCwYDVR0PBAQDAgeAMA0GCSqGSIb3DQEBCwUAA4IBAQAZ8+vBlebVqTPXLgLY
|
||||
OpGEgRST/ANNsUudC5uUk58aDYcxofqmxzprGCQSqyj7yOMJol1QSQDZGOZKCRjg
|
||||
HNrTGZY9dHL+4I/uWVRmLldyuJFVBhPlnomiOhM7RTDTzRUOgetPsGqkbQB9W8BK
|
||||
f5fQJycxrj5y8XT+ho4pqUIjJiLbCIvf6dODjYEQNtczaF7Lk8seEsjLvl5cjliw
|
||||
HQZeyZi38Un+xAPetCvanSx9mDccbKiVIW8j4y4JvGzl7eJQ2PfaRTnYNIpXDE/Q
|
||||
DYAG1jRjcifRUNHSISyXVxeYApU6lu11n8zzuPE6hflYCJugdf2b/THdCNwUPfRo
|
||||
qtQw
|
||||
-----END CERTIFICATE-----
|
||||
Binary file not shown.
@@ -0,0 +1,30 @@
|
||||
-----BEGIN ENCRYPTED PRIVATE KEY-----
|
||||
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIi6DixMpf5PQCAggA
|
||||
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECLgvCsIAjjXRBIIEyDAss0V4NrI5
|
||||
W7KXPRgRJ1tqvQrWZQTIFu4Crzs9Inb4TtSv5mATI9ZU2RMFF6MYXlhIxJng861P
|
||||
5IWcU6VeOjRFej8wcB3uTvD2z7NB2cyA5BZSojrZfX5OIEKL9sBzn0vinqmm5N1z
|
||||
oXhLMgf0FZssA3+zjIf04vtvmk5pxTCE6dq6vlsEIJyQ0xGc39bStIwk2a4E9wvi
|
||||
XayKNJnRFSrTahuI3DvQJPd9TdmM6sBKnrcJrDa6LvH51SrGzW8bBEjDAmC7yJdi
|
||||
mBckFTjZ6rGrSxOI6HdnF9RP+y9OiLE4ou5OJ9MbBtngq9OrTImAMZ5ftWowaqX/
|
||||
Do1UTqixi4ecWrr5fr1+A2Vch0I1drds2e/mmLR+5GEQXQXZPZKjtPMwxM/AYnTZ
|
||||
w/M3T9KtwSj0s5G6Saz4WpzaUL7wATb/UNqMr8Ifl8mHEVoFZhvoRpMWA7Yj1oPb
|
||||
cHz8lsfoSrTnK+zLR8ZK3HRu4MtpdCNVwQIJ67T6Feb8YLwYSccTNHBSqUmWRD95
|
||||
wOOqY33xcfplaQ2Y+/8+mHScGSEPNmC4f7EggDeUnG3ow0f4n95DENO+aYqGLjSF
|
||||
+XdCjhD+NTNdlV0z50B6P2XWUoBZOOnPfgFf4nAgn7xQbkZZOk5bQDKo2Zu9jW9/
|
||||
uJyTHqI58tcopI3cjd5iQXOJUrM4OWpPIu3p+VWaIAA8JzJIfDN6fyQ3qsMr305L
|
||||
30JcjrH6if/6J+2g+DpMAK928JY2hfE8VNWH7096ZnArp42/hLYsNuYnSrL1eS+g
|
||||
F/4mvyZyLLTFyB0Frnic4I1QTuNkNmwSrm/B5wIWLqkS7XAyyDDXAcaTHdZCN6nM
|
||||
O2OuF7DfBsFcNMM4VagG5adPS9CYkvz0EEh6ho5XiP2yL3tZfsHyuB4njAsV3aFi
|
||||
D0Yq7QiCf5iA2d4KsYO6yr1wPfVhlsmPi3++mrHulBwwCQWHTlPgRZnjj1xgmPcQ
|
||||
00KsUVh+CMWlf20O5sKhzjvkzbwUj1K+ZfMDuuq1RbzFRSx+Gx8vIaThFg9kVyoP
|
||||
zuvzsT6qc3BGNHmaGZ3d5Re25AuGRTF4cTpDfjW0UL7Wnvnis7iMrUasDhyF7CFn
|
||||
/KG7eKzxqS08o6D4AM5S/fzZEtszoEgAga6DS2R75FVskDweWuEIsar9UGg3UlmW
|
||||
q3+rRPRf1CzrLtyYenkkLg/ajr8JOnFGqZVaLmMnegZQH6rF3aEzlQLNgbNepcuA
|
||||
ObSmAO6MR3MlQgdsH/lNzOPdj1gKcE25hOjGfmwgbOXSJv9Cz0bcBLFEyLZSNpRk
|
||||
HhNejj6BEz/Cmqg1wm7SOBHsXJGcOTnLO1Y3FBt0I7heWvWmj9rOLG9tvvx9dtrP
|
||||
pQyDbIcWonuXLrXYSPyOjmeWoQSzdH3NsCswBV4G+iOiLCJDkElR+mrwKbhtS88T
|
||||
3YeZnsCTsmH+jZpxGgPTObjIG91U4UE4Pnkwc2df355VuOKrf0rB/NK0A9hZGqsV
|
||||
nxtodjn92P6UFzmfEdt95pMcmurK9wkm1kRkP7cIyAs2lCOIdbgGsszz6Mk16Xqy
|
||||
49RdhLxJrJ4gkYZIAbY+KNGVc7uPhm/T9xGrIstbEsoUM7jy7nHMOCCDgdbwX/4X
|
||||
caMeSMZcZ+RvraDDBEbSbg==
|
||||
-----END ENCRYPTED PRIVATE KEY-----
|
||||
+207
-37
@@ -3,38 +3,39 @@
|
||||
#![forbid(unsafe_code)]
|
||||
#![warn(missing_docs, rust_2018_idioms, trivial_casts, unused_qualifications)]
|
||||
|
||||
use getrandom::getrandom;
|
||||
use lazy_static::lazy_static;
|
||||
use log::trace;
|
||||
use rsa::{hash::Hash::SHA2_256, PaddingScheme, PublicKey};
|
||||
use once_cell::sync::Lazy;
|
||||
use rand_core::{OsRng, RngCore};
|
||||
use rsa::pkcs1v15;
|
||||
use sha2::{Digest, Sha256};
|
||||
use std::convert::TryInto;
|
||||
use std::{env, sync::Mutex};
|
||||
use yubikey_piv::{
|
||||
use signature::hazmat::PrehashVerifier;
|
||||
use std::{env, str::FromStr, sync::Mutex};
|
||||
use x509::RelativeDistinguishedName;
|
||||
use yubikey::{
|
||||
certificate,
|
||||
certificate::{Certificate, PublicKeyInfo},
|
||||
key::{self, AlgorithmId, Key, RetiredSlotId, SlotId},
|
||||
policy::{PinPolicy, TouchPolicy},
|
||||
Error, MgmKey, YubiKey,
|
||||
piv::{self, AlgorithmId, Key, ManagementSlotId, RetiredSlotId, SlotId},
|
||||
Error, MgmKey, PinPolicy, Serial, TouchPolicy, YubiKey,
|
||||
};
|
||||
|
||||
lazy_static! {
|
||||
/// Provide thread-safe access to a YubiKey
|
||||
static ref YUBIKEY: Mutex<YubiKey> = init_yubikey();
|
||||
}
|
||||
|
||||
/// One-time test initialization and setup
|
||||
fn init_yubikey() -> Mutex<YubiKey> {
|
||||
static YUBIKEY: Lazy<Mutex<YubiKey>> = Lazy::new(|| {
|
||||
// Only show logs if `RUST_LOG` is set
|
||||
if env::var("RUST_LOG").is_ok() {
|
||||
env_logger::builder().format_timestamp(None).init();
|
||||
}
|
||||
|
||||
let yubikey = YubiKey::open().unwrap();
|
||||
let yubikey = if let Ok(serial) = env::var("YUBIKEY_SERIAL") {
|
||||
let serial = Serial::from_str(&serial).unwrap();
|
||||
YubiKey::open_by_serial(serial).unwrap()
|
||||
} else {
|
||||
YubiKey::open().unwrap()
|
||||
};
|
||||
|
||||
trace!("serial: {}", yubikey.serial());
|
||||
trace!("version: {}", yubikey.version());
|
||||
|
||||
Mutex::new(yubikey)
|
||||
}
|
||||
});
|
||||
|
||||
//
|
||||
// CCCID support
|
||||
@@ -106,6 +107,42 @@ fn test_verify_pin() {
|
||||
assert!(yubikey.verify_pin(b"123456").is_ok());
|
||||
}
|
||||
|
||||
//
|
||||
// Management key support
|
||||
//
|
||||
|
||||
#[cfg(feature = "untested")]
|
||||
#[test]
|
||||
#[ignore]
|
||||
fn test_set_mgmkey() {
|
||||
let mut yubikey = YUBIKEY.lock().unwrap();
|
||||
|
||||
assert!(yubikey.verify_pin(b"123456").is_ok());
|
||||
assert!(MgmKey::get_protected(&mut yubikey).is_err());
|
||||
assert!(yubikey.authenticate(MgmKey::default()).is_ok());
|
||||
|
||||
// Set a protected management key.
|
||||
assert!(MgmKey::generate().set_protected(&mut yubikey).is_ok());
|
||||
let protected = MgmKey::get_protected(&mut yubikey).unwrap();
|
||||
assert!(yubikey.authenticate(MgmKey::default()).is_err());
|
||||
assert!(yubikey.authenticate(protected.clone()).is_ok());
|
||||
|
||||
// Set a manual management key.
|
||||
let manual = MgmKey::generate();
|
||||
assert!(manual.set_manual(&mut yubikey, false).is_ok());
|
||||
assert!(MgmKey::get_protected(&mut yubikey).is_err());
|
||||
assert!(yubikey.authenticate(MgmKey::default()).is_err());
|
||||
assert!(yubikey.authenticate(protected.clone()).is_err());
|
||||
assert!(yubikey.authenticate(manual.clone()).is_ok());
|
||||
|
||||
// Set back to the default management key.
|
||||
assert!(MgmKey::set_default(&mut yubikey).is_ok());
|
||||
assert!(MgmKey::get_protected(&mut yubikey).is_err());
|
||||
assert!(yubikey.authenticate(protected).is_err());
|
||||
assert!(yubikey.authenticate(manual).is_err());
|
||||
assert!(yubikey.authenticate(MgmKey::default()).is_ok());
|
||||
}
|
||||
|
||||
//
|
||||
// Certificate support
|
||||
//
|
||||
@@ -119,7 +156,7 @@ fn generate_self_signed_cert(algorithm: AlgorithmId) -> Certificate {
|
||||
let slot = SlotId::Retired(RetiredSlotId::R1);
|
||||
|
||||
// Generate a new key in the selected slot.
|
||||
let generated = key::generate(
|
||||
let generated = piv::generate(
|
||||
&mut yubikey,
|
||||
slot,
|
||||
algorithm,
|
||||
@@ -129,16 +166,18 @@ fn generate_self_signed_cert(algorithm: AlgorithmId) -> Certificate {
|
||||
.unwrap();
|
||||
|
||||
let mut serial = [0u8; 20];
|
||||
getrandom(&mut serial).unwrap();
|
||||
OsRng.fill_bytes(&mut serial);
|
||||
|
||||
// Generate a self-signed certificate for the new key.
|
||||
let extensions: &[x509::Extension<'_, &[u64]>] = &[];
|
||||
let cert_result = Certificate::generate_self_signed(
|
||||
&mut yubikey,
|
||||
slot,
|
||||
serial,
|
||||
None,
|
||||
"testSubject".to_owned(),
|
||||
&[RelativeDistinguishedName::common_name("testSubject")],
|
||||
generated,
|
||||
extensions,
|
||||
);
|
||||
|
||||
assert!(cert_result.is_ok());
|
||||
@@ -157,26 +196,17 @@ fn generate_self_signed_rsa_cert() {
|
||||
//
|
||||
|
||||
let pubkey = match cert.subject_pki() {
|
||||
PublicKeyInfo::Rsa { pubkey, .. } => pubkey,
|
||||
PublicKeyInfo::Rsa { pubkey, .. } => pkcs1v15::VerifyingKey::<Sha256>::from(pubkey.clone()),
|
||||
_ => unreachable!(),
|
||||
};
|
||||
|
||||
let data = cert.as_ref();
|
||||
let tbs_cert_len = u16::from_be_bytes(data[6..8].try_into().unwrap()) as usize;
|
||||
let msg = &data[4..8 + tbs_cert_len];
|
||||
let sig = &data[data.len() - 128..];
|
||||
|
||||
let sig = pkcs1v15::Signature::try_from(&data[data.len() - 128..]).unwrap();
|
||||
let hash = Sha256::digest(msg);
|
||||
|
||||
assert!(pubkey
|
||||
.verify(
|
||||
PaddingScheme::PKCS1v15Sign {
|
||||
hash: Some(SHA2_256)
|
||||
},
|
||||
&hash,
|
||||
sig
|
||||
)
|
||||
.is_ok());
|
||||
assert!(pubkey.verify_prehash(&hash, &sig).is_ok());
|
||||
}
|
||||
|
||||
#[test]
|
||||
@@ -198,9 +228,149 @@ fn generate_self_signed_ec_cert() {
|
||||
let sig_algo_len = data[7 + tbs_cert_len + 1] as usize;
|
||||
let sig_start = 7 + tbs_cert_len + 2 + sig_algo_len + 3;
|
||||
let msg = &data[4..7 + tbs_cert_len];
|
||||
let sig = &data[sig_start..];
|
||||
let sig = p256::ecdsa::Signature::from_der(&data[sig_start..]).unwrap();
|
||||
let vk = p256::ecdsa::VerifyingKey::from_sec1_bytes(pubkey.as_bytes()).unwrap();
|
||||
|
||||
use ring::signature::{UnparsedPublicKey, ECDSA_P256_SHA256_ASN1};
|
||||
let ring_pk = UnparsedPublicKey::new(&ECDSA_P256_SHA256_ASN1, pubkey.as_bytes());
|
||||
assert!(ring_pk.verify(msg, sig).is_ok());
|
||||
use p256::ecdsa::signature::Verifier;
|
||||
assert!(vk.verify(msg, &sig).is_ok());
|
||||
}
|
||||
|
||||
#[test]
|
||||
#[ignore]
|
||||
fn test_slot_id_display() {
|
||||
assert_eq!(format!("{}", SlotId::Authentication), "Authentication");
|
||||
assert_eq!(format!("{}", SlotId::Signature), "Signature");
|
||||
assert_eq!(format!("{}", SlotId::KeyManagement), "KeyManagement");
|
||||
assert_eq!(
|
||||
format!("{}", SlotId::CardAuthentication),
|
||||
"CardAuthentication"
|
||||
);
|
||||
assert_eq!(format!("{}", SlotId::Attestation), "Attestation");
|
||||
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R1)), "R1");
|
||||
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R2)), "R2");
|
||||
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R3)), "R3");
|
||||
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R4)), "R4");
|
||||
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R5)), "R5");
|
||||
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R6)), "R6");
|
||||
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R7)), "R7");
|
||||
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R8)), "R8");
|
||||
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R9)), "R9");
|
||||
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R10)), "R10");
|
||||
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R11)), "R11");
|
||||
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R12)), "R12");
|
||||
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R13)), "R13");
|
||||
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R14)), "R14");
|
||||
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R15)), "R15");
|
||||
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R16)), "R16");
|
||||
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R17)), "R17");
|
||||
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R18)), "R18");
|
||||
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R19)), "R19");
|
||||
assert_eq!(format!("{}", SlotId::Retired(RetiredSlotId::R20)), "R20");
|
||||
|
||||
assert_eq!(
|
||||
format!("{}", SlotId::Management(ManagementSlotId::Pin)),
|
||||
"PIN"
|
||||
);
|
||||
assert_eq!(
|
||||
format!("{}", SlotId::Management(ManagementSlotId::Puk)),
|
||||
"PUK"
|
||||
);
|
||||
assert_eq!(
|
||||
format!("{}", SlotId::Management(ManagementSlotId::Management)),
|
||||
"Management"
|
||||
);
|
||||
}
|
||||
|
||||
//
|
||||
// Metadata
|
||||
//
|
||||
|
||||
#[test]
|
||||
#[ignore]
|
||||
fn test_read_metadata() {
|
||||
let mut yubikey = YUBIKEY.lock().unwrap();
|
||||
|
||||
assert!(yubikey.verify_pin(b"123456").is_ok());
|
||||
assert!(yubikey.authenticate(MgmKey::default()).is_ok());
|
||||
|
||||
let slot = SlotId::Retired(RetiredSlotId::R1);
|
||||
|
||||
// Generate a new key in the selected slot.
|
||||
let generated = piv::generate(
|
||||
&mut yubikey,
|
||||
slot,
|
||||
AlgorithmId::EccP256,
|
||||
PinPolicy::Default,
|
||||
TouchPolicy::Default,
|
||||
)
|
||||
.unwrap();
|
||||
|
||||
let metadata = piv::metadata(&mut yubikey, slot).unwrap();
|
||||
|
||||
assert_eq!(metadata.public, Some(generated));
|
||||
}
|
||||
|
||||
#[test]
|
||||
#[ignore]
|
||||
fn test_serial_string_conversions() {
|
||||
//2^152+1
|
||||
let serial: [u8; 20] = [
|
||||
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x01,
|
||||
];
|
||||
|
||||
let s = certificate::Serial::from(serial);
|
||||
assert_eq!(
|
||||
s.as_x509_int(),
|
||||
"5708990770823839524233143877797980545530986497"
|
||||
);
|
||||
assert_eq!(
|
||||
s.as_x509_hex(),
|
||||
"01:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01"
|
||||
);
|
||||
|
||||
let serial2: [u8; 20] = [
|
||||
0xA1, 0xF3, 0x02, 0x30, 0x76, 0x01, 0x32, 0x48, 0x09, 0x9C, 0x10, 0xAA, 0x3F, 0xA0, 0x54,
|
||||
0x0D, 0xC0, 0xB7, 0x65, 0x01,
|
||||
];
|
||||
|
||||
let s2 = certificate::Serial::from(serial2);
|
||||
assert_eq!(
|
||||
s2.as_x509_int(),
|
||||
"924566785900861696177829411010986812227211191553"
|
||||
);
|
||||
assert_eq!(
|
||||
s2.as_x509_hex(),
|
||||
"a1:f3:02:30:76:01:32:48:09:9c:10:aa:3f:a0:54:0d:c0:b7:65:01"
|
||||
);
|
||||
|
||||
let serial3: [u8; 20] = [
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xAA, 0x3F, 0xA0, 0x54,
|
||||
0x0D, 0xC0, 0xB7, 0x65, 0x01,
|
||||
];
|
||||
|
||||
let s3 = certificate::Serial::from(serial3);
|
||||
assert_eq!(s3.as_x509_int(), "3140531249369331492097");
|
||||
assert_eq!(s3.as_x509_hex(), "aa:3f:a0:54:0d:c0:b7:65:01");
|
||||
}
|
||||
|
||||
#[test]
|
||||
#[ignore]
|
||||
fn test_parse_cert_from_der() {
|
||||
let bob_der = std::fs::read("tests/assets/Bob.der").expect(".der file not found");
|
||||
let cert =
|
||||
certificate::Certificate::from_bytes(bob_der).expect("Failed to parse valid certificate");
|
||||
assert_eq!(
|
||||
cert.subject(),
|
||||
"CN=Bob",
|
||||
"Subject is {} should be CN=Bob",
|
||||
cert.subject()
|
||||
);
|
||||
assert_eq!(
|
||||
cert.issuer(),
|
||||
"CN=Ferdinand Linnenberg CA",
|
||||
"Issuer is {} should be {}",
|
||||
cert.issuer(),
|
||||
"CN=Ferdinand Linnenberg CA"
|
||||
);
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user