turnkey/openpgp-card
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Misc cleanup:

Browse source 
Simplify verify_foo() calls.
More orderly output.
Remove Scdc for now.
This commit is contained in:
Heiko Schaefer 2021-09-10 23:01:14 +02:00
parent be95b9de43
commit 77b2ca98b0
1 changed files with 104 additions and 143 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

247
openpgp-card-sequoia/src/main.rs
View file

@ -10,14 +10,13 @@ use sequoia_openpgp::policy::StandardPolicy;
use sequoia_openpgp::Cert;
use openpgp_card::card_do::Sex;
use openpgp_card::{CardApp, KeyType};
use openpgp_card::KeyType;
use openpgp_card_pcsc::PcscClient;
// use openpgp_card_scdc::ScdClient;
use openpgp_card_sequoia::card::Open;
use openpgp_card_sequoia::sq_util::{decryption_helper, sign_helper};
// Filename of test key and test message to use:
// Filename of test key and test message to use
// const TEST_KEY_PATH: &str = "../example/test4k.sec";
// const TEST_ENC_MSG: &str = "../example/encrypted_to_rsa4k.asc";
@ -31,67 +30,50 @@ const TEST_ENC_MSG: &str = "../example/encrypted_to_25519.asc";
fn main() -> Result<(), Box<dyn Error>> {
env_logger::init();
// Ident of the OpenPGP Card that will be used for tests.
// Ident of an OpenPGP Card to use for these tests
let test_card_ident = env::var("TEST_CARD_IDENT");
// // "serial" for opening a specific card through scdaemon
// let test_card_serial = env::var("TEST_CARD_SERIAL")?;
if let Ok(test_card_ident) = test_card_ident {
println!("** get card");
let mut oc =
let mut open =
Open::open_card(PcscClient::open_by_ident(&test_card_ident)?)?;
println!();
// let mut oc = CardBase::open_card(ScdClient::open_by_serial(
// None,
// &test_card_serial,
// )?)?;
// card metadata
println!("** get aid");
let app_id = oc.application_identifier()?;
println!("app id: {:x?}", app_id);
println!();
let app_id = open.application_identifier()?;
println!("{:x?}\n", app_id);
let eli = oc.extended_length_information()?;
println!("extended_length_info: {:?}", eli);
println!();
let eli = open.extended_length_information()?;
println!("extended_length_info: {:?}\n", eli);
let hist = oc.historical_bytes()?;
println!("{:#x?}", hist);
println!();
let hist = open.historical_bytes()?;
println!("{:#x?}\n", hist);
let ext = oc.extended_capabilities()?;
println!("{:#x?}", ext);
println!();
let ext = open.extended_capabilities()?;
println!("{:#x?}\n", ext);
let pws = oc.pw_status_bytes()?;
println!("{:#x?}", pws);
println!();
let pws = open.pw_status_bytes()?;
println!("{:#x?}\n", pws);
// cardholder
let ch = oc.cardholder_related_data()?;
println!("{:#x?}", ch);
println!();
let ch = open.cardholder_related_data()?;
println!("{:#x?}\n", ch);
// crypto-ish metadata
let fp = oc.fingerprints()?;
println!("Fingerprint {:#x?}", fp);
println!();
let fp = open.fingerprints()?;
println!("Fingerprint {:#x?}\n", fp);
match oc.algorithm_information() {
match open.algorithm_information() {
Ok(Some(ai)) => println!("Algorithm information:\n{}", ai),
Ok(None) => println!("No Algorithm information found"),
Err(e) => println!("Error getting Algorithm information: {:?}", e),
}
let algo = oc.algorithm_attributes(KeyType::Signing)?;
println!("Current algorithm attributes on card:");
let algo = open.algorithm_attributes(KeyType::Signing)?;
println!("Sig: {}", algo);
let algo = oc.algorithm_attributes(KeyType::Decryption)?;
let algo = open.algorithm_attributes(KeyType::Decryption)?;
println!("Dec: {}", algo);
let algo = oc.algorithm_attributes(KeyType::Authentication)?;
let algo = open.algorithm_attributes(KeyType::Authentication)?;
println!("Aut: {}", algo);
println!();
@ -100,144 +82,129 @@ fn main() -> Result<(), Box<dyn Error>> {
// CAUTION: Write commands ahead!
// Try not to overwrite your production cards.
// ---------------------------------------------
assert_eq!(app_id.ident(), test_card_ident);
let check = oc.check_admin_verified();
println!("has pw3 been verified yet? {:x?}\n", check);
let check = open.check_admin_verified();
println!("has admin (pw3) been verified yet?\n{:x?}\n", check);
println!("factory reset");
oc.factory_reset()?;
println!("factory reset\n");
open.factory_reset()?;
if oc.verify_admin("12345678").is_ok() {
println!("pw3 verify ok");
open.verify_admin("12345678")?;
println!("verify for admin ok");
let check = oc.check_user_verified();
println!("has pw1/82 been verified yet? {:x?}", check);
let check = open.check_user_verified();
println!("has user (pw1/82) been verified yet? {:x?}", check);
// actually take Admin
let mut oc_admin = oc.admin_card().expect("just verified");
// Use Admin access to card
let mut admin = open.admin_card().expect("just verified");
let res = oc_admin.set_name("Bar<<Foo")?;
println!("set name {:x?}", res);
println!();
let res = oc_admin.set_sex(Sex::NotApplicable)?;
println!("set sex {:x?}", res);
let res = admin.set_name("Bar<<Foo")?;
println!("set name {:x?}", res);
let res = oc_admin.set_lang("en")?;
println!("set lang {:x?}", res);
let res = admin.set_sex(Sex::NotApplicable)?;
println!("set sex {:x?}", res);
let res = oc_admin.set_url("https://keys.openpgp.org")?;
println!("set url {:x?}", res);
let res = admin.set_lang("en")?;
println!("set lang {:x?}", res);
let cert = Cert::from_file(TEST_KEY_PATH)?;
let res = admin.set_url("https://keys.openpgp.org")?;
println!("set url {:x?}", res);
openpgp_card_sequoia::util::upload_from_cert_yolo(
&mut oc_admin,
&cert,
KeyType::Decryption,
None,
)?;
let cert = Cert::from_file(TEST_KEY_PATH)?;
openpgp_card_sequoia::util::upload_from_cert_yolo(
&mut oc_admin,
&cert,
KeyType::Signing,
None,
)?;
println!("Upload decryption key");
openpgp_card_sequoia::util::upload_from_cert_yolo(
&mut admin,
&cert,
KeyType::Decryption,
None,
)?;
// TODO: test keys currently have no auth-capable key
// openpgp_card_sequoia::upload_from_cert(
// &oc_admin,
// &cert,
// KeyType::Authentication,
// None,
// )?;
} else {
panic!()
}
println!("Upload signing key");
openpgp_card_sequoia::util::upload_from_cert_yolo(
&mut admin,
&cert,
KeyType::Signing,
None,
)?;
// FIXME: Test keys have no authentication subkey
// openpgp_card_sequoia::util::upload_from_cert_yolo(
// &mut admin,
// &cert,
// KeyType::Authentication,
// None,
// )?;
println!();
// -----------------------------
// Open fresh Card for decrypt
// -----------------------------
let mut oc =
let mut open =
Open::open_card(PcscClient::open_by_ident(&test_card_ident)?)?;
// let mut oc = CardBase::open_card(ScdClient::open_by_serial(
// None,
// &test_card_serial,
// )?)?;
let app_id = oc.application_identifier()?;
// Check that we're still using the expected card
let app_id = open.application_identifier()?;
assert_eq!(app_id.ident(), test_card_ident);
let check = oc.check_user_verified();
println!("has pw1/82 been verified yet? {:x?}", check);
let check = open.check_user_verified();
println!("has user (pw1/82) been verified yet?\n{:x?}\n", check);
if oc.verify_user("123456").is_ok() {
println!("pw1 82 verify ok");
open.verify_user("123456")?;
println!("verify for user (pw1/82) ok");
let check = oc.check_user_verified();
println!("has pw1/82 been verified yet? {:x?}", check);
let check = open.check_user_verified();
println!("has user (pw1/82) been verified yet?\n{:x?}\n", check);
// actually take User
let mut oc_user = oc.user_card().expect("just verified");
// Use User access to card
let mut user = open
.user_card()
.expect("We just validated, this should not fail");
let cert = Cert::from_file(TEST_KEY_PATH)?;
let msg = std::fs::read_to_string(TEST_ENC_MSG)
.expect("Unable to read file");
let cert = Cert::from_file(TEST_KEY_PATH)?;
let msg = std::fs::read_to_string(TEST_ENC_MSG)
.expect("Unable to read file");
println!("{:?}", msg);
println!("Encrypted message:\n{}", msg);
let sp = StandardPolicy::new();
let sp = StandardPolicy::new();
let d = user.decryptor(&cert, &sp)?;
let res = decryption_helper(d, msg.into_bytes(), &sp)?;
let d = oc_user.decryptor(&cert, &sp)?;
let plain = String::from_utf8_lossy(&res);
println!("Decrypted plaintext: {}", plain);
let res = decryption_helper(d, msg.into_bytes(), &sp)?;
let plain = String::from_utf8_lossy(&res);
println!("decrypted plaintext: {}", plain);
assert_eq!(plain, "Hello world!\n");
} else {
panic!("verify pw1 failed");
}
assert_eq!(plain, "Hello world!\n");
// -----------------------------
// Open fresh Card for signing
// -----------------------------
let mut oc =
let mut open =
Open::open_card(PcscClient::open_by_ident(&test_card_ident)?)?;
// let oc = CardBase::open_card(ScdClient::open_by_serial(
// None,
// &test_card_serial,
// )?)?;
// Sign
if oc.verify_user_for_signing("123456").is_ok() {
println!("pw1 81 verify ok");
open.verify_user_for_signing("123456")?;
println!("verify for sign (pw1/81) ok\n");
// actually take Sign
let mut oc_sign = oc.signing_card().expect("just verified");
// Use Sign access to card
let mut sign = open.signing_card().expect("just verified");
let cert = Cert::from_file(TEST_KEY_PATH)?;
let cert = Cert::from_file(TEST_KEY_PATH)?;
let text = "Hello world, I am signed.";
let text = "Hello world, I am signed.";
let signer = oc_sign.signer(&cert, &StandardPolicy::new())?;
let res = sign_helper(signer, &mut text.as_bytes());
let signer = sign.signer(&cert, &StandardPolicy::new())?;
let sig = sign_helper(signer, &mut text.as_bytes())?;
println!("res sign {:?}", res);
println!("Signature from card:\n{}", sig)
println!("res: {}", res?)
// FIXME: validate sig
} else {
panic!("verify pw1 failed");
}
// FIXME: validate sig
} else {
println!("Please set environment variable TEST_CARD_IDENT.");
println!();
@ -248,15 +215,9 @@ fn main() -> Result<(), Box<dyn Error>> {
println!("The following OpenPGP cards are connected to your system:");
let cards = PcscClient::cards()?;
for c in cards {
let mut ca = CardApp::from(c);
let ard = ca.get_application_related_data()?;
let app_id = ard.get_application_id()?;
let ident = app_id.ident();
println!(" '{}'", ident);
for card in PcscClient::cards()? {
let open = Open::open_card(card)?;
println!(" {}", open.application_identifier()?.ident());
}
}