turnkey/openpgp-card
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Fix the assumptions about authorization underlying the card::* types:

Browse source 
Multiple passwords can be validated on a card at the same time.
Rename verify_* fn to be more easily legible ("user" instead of "pw1", ...)
This commit is contained in:
Heiko Schaefer 2021-09-10 21:59:02 +02:00
parent 1613f23ecc
commit 0e2b53feb4
2 changed files with 177 additions and 177 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

214
openpgp-card-sequoia/src/card.rs
View file

@ -5,7 +5,6 @@
//! different types, such as `Open`, `User`, `Sign`, `Admin`.
use anyhow::{anyhow, Result};
use std::ops::{Deref, DerefMut};
use sequoia_openpgp::policy::Policy;
use sequoia_openpgp::Cert;
@ -32,9 +31,28 @@ pub struct Open {
// FIXME: Should be invalidated when changing data on the card!
// (e.g. uploading keys, etc)
ard: ApplicationRelatedData,
// verify status of pw1
pw1: bool,
// verify status of pw1 for signing
pw1_sign: bool,
// verify status of pw3
pw3: bool,
}
impl Open {
fn new(card_app: CardApp, ard: ApplicationRelatedData) -> Self {
Self {
card_app,
ard,
pw1: false,
pw1_sign: false,
pw3: false,
}
}
/// Set up connection to a CardClient (read and cache "application
/// related data").
///
@ -47,7 +65,68 @@ impl Open {
card_app.init_caps(&ard)?;
Ok(Self { card_app, ard })
Ok(Self::new(card_app, ard))
}
pub fn verify_user(&mut self, pin: &str) -> Result<(), Error> {
let _ = self.card_app.verify_pw1(pin)?;
self.pw1 = true;
Ok(())
}
pub fn verify_user_for_signing(&mut self, pin: &str) -> Result<(), Error> {
let _ = self.card_app.verify_pw1_for_signing(pin)?;
// FIXME: depending on card mode, pw1_sign is only usable once
self.pw1_sign = true;
Ok(())
}
pub fn verify_admin(&mut self, pin: &str) -> Result<(), Error> {
let _ = self.card_app.verify_pw3(pin)?;
self.pw3 = true;
Ok(())
}
/// Ask the card if the user password has been successfully verified.
///
/// NOTE: on some cards this functionality seems broken.
pub fn check_user_verified(&mut self) -> Result<Response, Error> {
self.card_app.check_pw1()
}
/// Ask the card if the admin password has been successfully verified.
///
/// NOTE: on some cards this functionality seems broken.
pub fn check_admin_verified(&mut self) -> Result<Response, Error> {
self.card_app.check_pw3()
}
/// Get a view of the card authenticated for "User" commands.
pub fn get_user(&mut self) -> Option<User> {
if self.pw1 {
Some(User { oc: self })
} else {
None
}
}
/// Get a view of the card authenticated for Signing.
pub fn get_sign(&mut self) -> Option<Sign> {
if self.pw1_sign {
Some(Sign { oc: self })
} else {
None
}
}
/// Get a view of the card authenticated for "Admin" commands.
pub fn get_admin(&mut self) -> Option<Admin> {
if self.pw3 {
Some(Admin { oc: self })
} else {
None
}
}
// --- application data ---
@ -172,134 +251,49 @@ impl Open {
pub fn factory_reset(&mut self) -> Result<()> {
self.card_app.factory_reset()
}
pub fn verify_pw1_for_signing(mut self, pin: &str) -> Result<Sign, Open> {
assert!(pin.len() >= 6); // FIXME: Err
if self.card_app.verify_pw1_for_signing(pin).is_ok() {
Ok(Sign { oc: self })
} else {
Err(self)
}
}
pub fn check_pw1(&mut self) -> Result<Response, Error> {
self.card_app.check_pw1()
}
pub fn verify_pw1(mut self, pin: &str) -> Result<User, Open> {
assert!(pin.len() >= 6); // FIXME: Err
if self.card_app.verify_pw1(pin).is_ok() {
Ok(User { oc: self })
} else {
Err(self)
}
}
pub fn check_pw3(&mut self) -> Result<Response, Error> {
self.card_app.check_pw3()
}
pub fn verify_pw3(mut self, pin: &str) -> Result<Admin, Open> {
assert!(pin.len() >= 8); // FIXME: Err
if self.card_app.verify_pw3(pin).is_ok() {
Ok(Admin { oc: self })
} else {
Err(self)
}
}
}
/// An OpenPGP card after successful verification of PW1 in mode 82
/// (verification for operations other than signing)
pub struct User {
oc: Open,
/// An OpenPGP card after successfully verifying PW1 in mode 82
/// (verification for user operations other than signing)
pub struct User<'a> {
oc: &'a mut Open,
}
/// Allow access to fn of OpenPGPCard, through OpenPGPCardUser.
impl Deref for User {
type Target = Open;
fn deref(&self) -> &Self::Target {
&self.oc
}
}
/// Allow access to fn of CardBase, through CardUser.
impl DerefMut for User {
fn deref_mut(&mut self) -> &mut Self::Target {
&mut self.oc
}
}
impl User {
impl User<'_> {
pub fn decryptor(
&mut self,
cert: &Cert,
policy: &dyn Policy,
) -> Result<CardDecryptor, Error> {
CardDecryptor::new(&mut self.card_app, cert, policy)
CardDecryptor::new(&mut self.oc.card_app, cert, policy)
}
}
/// An OpenPGP card after successful verification of PW1 in mode 81
/// An OpenPGP card after successfully verifying PW1 in mode 81
/// (verification for signing)
pub struct Sign {
oc: Open,
pub struct Sign<'a> {
oc: &'a mut Open,
}
/// Allow access to fn of CardBase, through CardSign.
impl Deref for Sign {
type Target = Open;
fn deref(&self) -> &Self::Target {
&self.oc
}
}
/// Allow access to fn of CardBase, through CardSign.
impl DerefMut for Sign {
fn deref_mut(&mut self) -> &mut Self::Target {
&mut self.oc
}
}
// FIXME: depending on the setting in "PW1 Status byte", only one
// signature can be made after verification for signing
impl Sign {
impl Sign<'_> {
pub fn signer(
&mut self,
cert: &Cert,
policy: &dyn Policy,
) -> std::result::Result<CardSigner, Error> {
CardSigner::new(&mut self.card_app, cert, policy)
// FIXME: depending on the setting in "PW1 Status byte", only one
// signature can be made after verification for signing
CardSigner::new(&mut self.oc.card_app, cert, policy)
}
}
/// An OpenPGP card after successful verification of PW3 ("Admin privileges")
pub struct Admin {
oc: Open,
pub struct Admin<'a> {
oc: &'a mut Open,
}
/// Allow access to fn of OpenPGPCard, through OpenPGPCardAdmin.
impl Deref for Admin {
type Target = Open;
fn deref(&self) -> &Self::Target {
&self.oc
}
}
/// Allow access to fn of OpenPGPCard, through OpenPGPCardAdmin.
impl DerefMut for Admin {
fn deref_mut(&mut self) -> &mut Self::Target {
&mut self.oc
}
}
impl Admin {
impl Admin<'_> {
pub fn set_name(&mut self, name: &str) -> Result<Response, Error> {
if name.len() >= 40 {
return Err(anyhow!("name too long").into());
@ -310,7 +304,7 @@ impl Admin {
return Err(anyhow!("Invalid char in name").into());
};
self.card_app.set_name(name)
self.oc.card_app.set_name(name)
}
pub fn set_lang(&mut self, lang: &str) -> Result<Response, Error> {
@ -318,11 +312,11 @@ impl Admin {
return Err(anyhow!("lang too long").into());
}
self.card_app.set_lang(lang)
self.oc.card_app.set_lang(lang)
}
pub fn set_sex(&mut self, sex: Sex) -> Result<Response, Error> {
self.card_app.set_sex(sex)
self.oc.card_app.set_sex(sex)
}
pub fn set_url(&mut self, url: &str) -> Result<Response, Error> {
@ -331,10 +325,10 @@ impl Admin {
}
// Check for max len
let ec = self.get_extended_capabilities()?;
let ec = self.oc.get_extended_capabilities()?;
if url.len() < ec.max_len_special_do() as usize {
self.card_app.set_url(url)
self.oc.card_app.set_url(url)
} else {
Err(anyhow!("URL too long").into())
}
@ -345,6 +339,6 @@ impl Admin {
key: Box<dyn CardUploadableKey>,
key_type: KeyType,
) -> Result<(), Error> {
self.card_app.key_import(key, key_type)
self.oc.card_app.key_import(key, key_type)
}
}

140
openpgp-card-sequoia/src/main.rs
View file

@ -102,56 +102,58 @@ fn main() -> Result<(), Box<dyn Error>> {
// ---------------------------------------------
assert_eq!(app_id.ident(), test_card_ident);
let check = oc.check_pw3();
let check = oc.check_admin_verified();
println!("has pw3 been verified yet? {:x?}\n", check);
println!("factory reset");
oc.factory_reset()?;
match oc.verify_pw3("12345678") {
Ok(mut oc_admin) => {
println!("pw3 verify ok");
if oc.verify_admin("12345678").is_ok() {
println!("pw3 verify ok");
let check = oc_admin.check_pw3();
println!("has pw3 been verified yet? {:x?}", check);
let check = oc.check_user_verified();
println!("has pw1/82 been verified yet? {:x?}", check);
let res = oc_admin.set_name("Bar<<Foo")?;
println!("set name {:x?}", res);
// actually take Admin
let mut oc_admin = oc.get_admin().expect("just verified");
let res = oc_admin.set_sex(Sex::NotApplicable)?;
println!("set sex {:x?}", res);
let res = oc_admin.set_name("Bar<<Foo")?;
println!("set name {:x?}", res);
let res = oc_admin.set_lang("en")?;
println!("set lang {:x?}", res);
let res = oc_admin.set_sex(Sex::NotApplicable)?;
println!("set sex {:x?}", res);
let res = oc_admin.set_url("https://keys.openpgp.org")?;
println!("set url {:x?}", res);
let res = oc_admin.set_lang("en")?;
println!("set lang {:x?}", res);
let cert = Cert::from_file(TEST_KEY_PATH)?;
let res = oc_admin.set_url("https://keys.openpgp.org")?;
println!("set url {:x?}", res);
openpgp_card_sequoia::util::upload_from_cert_yolo(
&mut oc_admin,
&cert,
KeyType::Decryption,
None,
)?;
let cert = Cert::from_file(TEST_KEY_PATH)?;
openpgp_card_sequoia::util::upload_from_cert_yolo(
&mut oc_admin,
&cert,
KeyType::Signing,
None,
)?;
openpgp_card_sequoia::util::upload_from_cert_yolo(
&mut oc_admin,
&cert,
KeyType::Decryption,
None,
)?;
// TODO: test keys currently have no auth-capable key
// openpgp_card_sequoia::upload_from_cert(
// &oc_admin,
// &cert,
// KeyType::Authentication,
// None,
// )?;
}
_ => panic!(),
openpgp_card_sequoia::util::upload_from_cert_yolo(
&mut oc_admin,
&cert,
KeyType::Signing,
None,
)?;
// TODO: test keys currently have no auth-capable key
// openpgp_card_sequoia::upload_from_cert(
// &oc_admin,
// &cert,
// KeyType::Authentication,
// None,
// )?;
} else {
panic!()
}
// -----------------------------
@ -171,40 +173,42 @@ fn main() -> Result<(), Box<dyn Error>> {
// Check that we're still using the expected card
assert_eq!(app_id.ident(), test_card_ident);
let check = oc.check_pw1();
let check = oc.check_user_verified();
println!("has pw1/82 been verified yet? {:x?}", check);
match oc.verify_pw1("123456") {
Ok(mut oc_user) => {
println!("pw1 82 verify ok");
if oc.verify_user("123456").is_ok() {
println!("pw1 82 verify ok");
let check = oc_user.check_pw1();
println!("has pw1/82 been verified yet? {:x?}", check);
let check = oc.check_user_verified();
println!("has pw1/82 been verified yet? {:x?}", check);
let cert = Cert::from_file(TEST_KEY_PATH)?;
let msg = std::fs::read_to_string(TEST_ENC_MSG)
.expect("Unable to read file");
// actually take User
let mut oc_user = oc.get_user().expect("just verified");
println!("{:?}", msg);
let cert = Cert::from_file(TEST_KEY_PATH)?;
let msg = std::fs::read_to_string(TEST_ENC_MSG)
.expect("Unable to read file");
let sp = StandardPolicy::new();
println!("{:?}", msg);
let d = oc_user.decryptor(&cert, &sp)?;
let sp = StandardPolicy::new();
let res = decryption_helper(d, msg.into_bytes(), &sp)?;
let d = oc_user.decryptor(&cert, &sp)?;
let plain = String::from_utf8_lossy(&res);
println!("decrypted plaintext: {}", plain);
let res = decryption_helper(d, msg.into_bytes(), &sp)?;
assert_eq!(plain, "Hello world!\n");
}
_ => panic!("verify pw1 failed"),
let plain = String::from_utf8_lossy(&res);
println!("decrypted plaintext: {}", plain);
assert_eq!(plain, "Hello world!\n");
} else {
panic!("verify pw1 failed");
}
// -----------------------------
// Open fresh Card for signing
// -----------------------------
let oc =
let mut oc =
Open::open_card(PcscClient::open_by_ident(&test_card_ident)?)?;
// let oc = CardBase::open_card(ScdClient::open_by_serial(
@ -213,24 +217,26 @@ fn main() -> Result<(), Box<dyn Error>> {
// )?)?;
// Sign
match oc.verify_pw1_for_signing("123456") {
Ok(mut oc_sign) => {
println!("pw1 81 verify ok");
if oc.verify_user_for_signing("123456").is_ok() {
println!("pw1 81 verify ok");
let cert = Cert::from_file(TEST_KEY_PATH)?;
// actually take Sign
let mut oc_sign = oc.get_sign().expect("just verified");
let text = "Hello world, I am signed.";
let cert = Cert::from_file(TEST_KEY_PATH)?;
let signer = oc_sign.signer(&cert, &StandardPolicy::new())?;
let res = sign_helper(signer, &mut text.as_bytes());
let text = "Hello world, I am signed.";
println!("res sign {:?}", res);
let signer = oc_sign.signer(&cert, &StandardPolicy::new())?;
let res = sign_helper(signer, &mut text.as_bytes());
println!("res: {}", res?)
println!("res sign {:?}", res);
// FIXME: validate sig
}
_ => panic!("verify pw1 failed"),
println!("res: {}", res?)
// FIXME: validate sig
} else {
panic!("verify pw1 failed");
}
} else {
println!("Please set environment variable TEST_CARD_IDENT.");