turnkey/openpgp-card
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Misc cleanup:

Browse source 
Simplify verify_foo() calls.
More orderly output.
Remove Scdc for now.
This commit is contained in:
Heiko Schaefer 2021-09-10 23:01:14 +02:00
parent be95b9de43
commit 77b2ca98b0
1 changed files with 104 additions and 143 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

189
openpgp-card-sequoia/src/main.rs
View file

@ -10,14 +10,13 @@ use sequoia_openpgp::policy::StandardPolicy;
use sequoia_openpgp::Cert; use sequoia_openpgp::Cert;
use openpgp_card::card_do::Sex; use openpgp_card::card_do::Sex;
use openpgp_card::{CardApp, KeyType}; use openpgp_card::KeyType;
use openpgp_card_pcsc::PcscClient; use openpgp_card_pcsc::PcscClient;
// use openpgp_card_scdc::ScdClient;
use openpgp_card_sequoia::card::Open; use openpgp_card_sequoia::card::Open;
use openpgp_card_sequoia::sq_util::{decryption_helper, sign_helper}; use openpgp_card_sequoia::sq_util::{decryption_helper, sign_helper};
// Filename of test key and test message to use: // Filename of test key and test message to use
// const TEST_KEY_PATH: &str = "../example/test4k.sec"; // const TEST_KEY_PATH: &str = "../example/test4k.sec";
// const TEST_ENC_MSG: &str = "../example/encrypted_to_rsa4k.asc"; // const TEST_ENC_MSG: &str = "../example/encrypted_to_rsa4k.asc";
@ -31,67 +30,50 @@ const TEST_ENC_MSG: &str = "../example/encrypted_to_25519.asc";
fn main() -> Result<(), Box<dyn Error>> { fn main() -> Result<(), Box<dyn Error>> {
env_logger::init(); env_logger::init();
// Ident of the OpenPGP Card that will be used for tests. // Ident of an OpenPGP Card to use for these tests
let test_card_ident = env::var("TEST_CARD_IDENT"); let test_card_ident = env::var("TEST_CARD_IDENT");
// // "serial" for opening a specific card through scdaemon
// let test_card_serial = env::var("TEST_CARD_SERIAL")?;
if let Ok(test_card_ident) = test_card_ident { if let Ok(test_card_ident) = test_card_ident {
println!("** get card"); let mut open =
let mut oc =
Open::open_card(PcscClient::open_by_ident(&test_card_ident)?)?; Open::open_card(PcscClient::open_by_ident(&test_card_ident)?)?;
println!();
// let mut oc = CardBase::open_card(ScdClient::open_by_serial(
// None,
// &test_card_serial,
// )?)?;
// card metadata // card metadata
println!("** get aid"); let app_id = open.application_identifier()?;
let app_id = oc.application_identifier()?; println!("{:x?}\n", app_id);
println!("app id: {:x?}", app_id);
println!();
let eli = oc.extended_length_information()?; let eli = open.extended_length_information()?;
println!("extended_length_info: {:?}", eli); println!("extended_length_info: {:?}\n", eli);
println!();
let hist = oc.historical_bytes()?; let hist = open.historical_bytes()?;
println!("{:#x?}", hist); println!("{:#x?}\n", hist);
println!();
let ext = oc.extended_capabilities()?; let ext = open.extended_capabilities()?;
println!("{:#x?}", ext); println!("{:#x?}\n", ext);
println!();
let pws = oc.pw_status_bytes()?; let pws = open.pw_status_bytes()?;
println!("{:#x?}", pws); println!("{:#x?}\n", pws);
println!();
// cardholder // cardholder
let ch = oc.cardholder_related_data()?; let ch = open.cardholder_related_data()?;
println!("{:#x?}", ch); println!("{:#x?}\n", ch);
println!();
// crypto-ish metadata // crypto-ish metadata
let fp = oc.fingerprints()?; let fp = open.fingerprints()?;
println!("Fingerprint {:#x?}", fp); println!("Fingerprint {:#x?}\n", fp);
println!();
match oc.algorithm_information() { match open.algorithm_information() {
Ok(Some(ai)) => println!("Algorithm information:\n{}", ai), Ok(Some(ai)) => println!("Algorithm information:\n{}", ai),
Ok(None) => println!("No Algorithm information found"), Ok(None) => println!("No Algorithm information found"),
Err(e) => println!("Error getting Algorithm information: {:?}", e), Err(e) => println!("Error getting Algorithm information: {:?}", e),
} }
let algo = oc.algorithm_attributes(KeyType::Signing)?; println!("Current algorithm attributes on card:");
let algo = open.algorithm_attributes(KeyType::Signing)?;
println!("Sig: {}", algo); println!("Sig: {}", algo);
let algo = oc.algorithm_attributes(KeyType::Decryption)?; let algo = open.algorithm_attributes(KeyType::Decryption)?;
println!("Dec: {}", algo); println!("Dec: {}", algo);
let algo = oc.algorithm_attributes(KeyType::Authentication)?; let algo = open.algorithm_attributes(KeyType::Authentication)?;
println!("Aut: {}", algo); println!("Aut: {}", algo);
println!(); println!();
@ -100,144 +82,129 @@ fn main() -> Result<(), Box<dyn Error>> {
// CAUTION: Write commands ahead! // CAUTION: Write commands ahead!
// Try not to overwrite your production cards. // Try not to overwrite your production cards.
// --------------------------------------------- // ---------------------------------------------
assert_eq!(app_id.ident(), test_card_ident); assert_eq!(app_id.ident(), test_card_ident);
let check = oc.check_admin_verified(); let check = open.check_admin_verified();
println!("has pw3 been verified yet? {:x?}\n", check); println!("has admin (pw3) been verified yet?\n{:x?}\n", check);
println!("factory reset"); println!("factory reset\n");
oc.factory_reset()?; open.factory_reset()?;
if oc.verify_admin("12345678").is_ok() { open.verify_admin("12345678")?;
println!("pw3 verify ok"); println!("verify for admin ok");
let check = oc.check_user_verified(); let check = open.check_user_verified();
println!("has pw1/82 been verified yet? {:x?}", check); println!("has user (pw1/82) been verified yet? {:x?}", check);
// actually take Admin // Use Admin access to card
let mut oc_admin = oc.admin_card().expect("just verified"); let mut admin = open.admin_card().expect("just verified");
let res = oc_admin.set_name("Bar<<Foo")?; println!();
let res = admin.set_name("Bar<<Foo")?;
println!("set name {:x?}", res); println!("set name {:x?}", res);
let res = oc_admin.set_sex(Sex::NotApplicable)?; let res = admin.set_sex(Sex::NotApplicable)?;
println!("set sex {:x?}", res); println!("set sex {:x?}", res);
let res = oc_admin.set_lang("en")?; let res = admin.set_lang("en")?;
println!("set lang {:x?}", res); println!("set lang {:x?}", res);
let res = oc_admin.set_url("https://keys.openpgp.org")?; let res = admin.set_url("https://keys.openpgp.org")?;
println!("set url {:x?}", res); println!("set url {:x?}", res);
let cert = Cert::from_file(TEST_KEY_PATH)?; let cert = Cert::from_file(TEST_KEY_PATH)?;
println!("Upload decryption key");
openpgp_card_sequoia::util::upload_from_cert_yolo( openpgp_card_sequoia::util::upload_from_cert_yolo(
&mut oc_admin, &mut admin,
&cert, &cert,
KeyType::Decryption, KeyType::Decryption,
None, None,
)?; )?;
println!("Upload signing key");
openpgp_card_sequoia::util::upload_from_cert_yolo( openpgp_card_sequoia::util::upload_from_cert_yolo(
&mut oc_admin, &mut admin,
&cert, &cert,
KeyType::Signing, KeyType::Signing,
None, None,
)?; )?;
// TODO: test keys currently have no auth-capable key // FIXME: Test keys have no authentication subkey
// openpgp_card_sequoia::upload_from_cert( // openpgp_card_sequoia::util::upload_from_cert_yolo(
// &oc_admin, // &mut admin,
// &cert, // &cert,
// KeyType::Authentication, // KeyType::Authentication,
// None, // None,
// )?; // )?;
} else {
panic!() println!();
}
// ----------------------------- // -----------------------------
// Open fresh Card for decrypt // Open fresh Card for decrypt
// ----------------------------- // -----------------------------
let mut oc = let mut open =
Open::open_card(PcscClient::open_by_ident(&test_card_ident)?)?; Open::open_card(PcscClient::open_by_ident(&test_card_ident)?)?;
// let mut oc = CardBase::open_card(ScdClient::open_by_serial(
// None,
// &test_card_serial,
// )?)?;
let app_id = oc.application_identifier()?;
// Check that we're still using the expected card // Check that we're still using the expected card
let app_id = open.application_identifier()?;
assert_eq!(app_id.ident(), test_card_ident); assert_eq!(app_id.ident(), test_card_ident);
let check = oc.check_user_verified(); let check = open.check_user_verified();
println!("has pw1/82 been verified yet? {:x?}", check); println!("has user (pw1/82) been verified yet?\n{:x?}\n", check);
if oc.verify_user("123456").is_ok() { open.verify_user("123456")?;
println!("pw1 82 verify ok"); println!("verify for user (pw1/82) ok");
let check = oc.check_user_verified(); let check = open.check_user_verified();
println!("has pw1/82 been verified yet? {:x?}", check); println!("has user (pw1/82) been verified yet?\n{:x?}\n", check);
// actually take User // Use User access to card
let mut oc_user = oc.user_card().expect("just verified"); let mut user = open
.user_card()
.expect("We just validated, this should not fail");
let cert = Cert::from_file(TEST_KEY_PATH)?; let cert = Cert::from_file(TEST_KEY_PATH)?;
let msg = std::fs::read_to_string(TEST_ENC_MSG) let msg = std::fs::read_to_string(TEST_ENC_MSG)
.expect("Unable to read file"); .expect("Unable to read file");
println!("{:?}", msg); println!("Encrypted message:\n{}", msg);
let sp = StandardPolicy::new(); let sp = StandardPolicy::new();
let d = user.decryptor(&cert, &sp)?;
let d = oc_user.decryptor(&cert, &sp)?;
let res = decryption_helper(d, msg.into_bytes(), &sp)?; let res = decryption_helper(d, msg.into_bytes(), &sp)?;
let plain = String::from_utf8_lossy(&res); let plain = String::from_utf8_lossy(&res);
println!("decrypted plaintext: {}", plain); println!("Decrypted plaintext: {}", plain);
assert_eq!(plain, "Hello world!\n"); assert_eq!(plain, "Hello world!\n");
} else {
panic!("verify pw1 failed");
}
// ----------------------------- // -----------------------------
// Open fresh Card for signing // Open fresh Card for signing
// ----------------------------- // -----------------------------
let mut oc = let mut open =
Open::open_card(PcscClient::open_by_ident(&test_card_ident)?)?; Open::open_card(PcscClient::open_by_ident(&test_card_ident)?)?;
// let oc = CardBase::open_card(ScdClient::open_by_serial(
// None,
// &test_card_serial,
// )?)?;
// Sign // Sign
if oc.verify_user_for_signing("123456").is_ok() { open.verify_user_for_signing("123456")?;
println!("pw1 81 verify ok"); println!("verify for sign (pw1/81) ok\n");
// actually take Sign // Use Sign access to card
let mut oc_sign = oc.signing_card().expect("just verified"); let mut sign = open.signing_card().expect("just verified");
let cert = Cert::from_file(TEST_KEY_PATH)?; let cert = Cert::from_file(TEST_KEY_PATH)?;
let text = "Hello world, I am signed."; let text = "Hello world, I am signed.";
let signer = oc_sign.signer(&cert, &StandardPolicy::new())?; let signer = sign.signer(&cert, &StandardPolicy::new())?;
let res = sign_helper(signer, &mut text.as_bytes()); let sig = sign_helper(signer, &mut text.as_bytes())?;
println!("res sign {:?}", res); println!("Signature from card:\n{}", sig)
println!("res: {}", res?)
// FIXME: validate sig // FIXME: validate sig
} else {
panic!("verify pw1 failed");
}
} else { } else {
println!("Please set environment variable TEST_CARD_IDENT."); println!("Please set environment variable TEST_CARD_IDENT.");
println!(); println!();
@ -248,15 +215,9 @@ fn main() -> Result<(), Box<dyn Error>> {
println!("The following OpenPGP cards are connected to your system:"); println!("The following OpenPGP cards are connected to your system:");
let cards = PcscClient::cards()?; for card in PcscClient::cards()? {
for c in cards { let open = Open::open_card(card)?;
let mut ca = CardApp::from(c); println!(" {}", open.application_identifier()?.ident());
let ard = ca.get_application_related_data()?;
let app_id = ard.get_application_id()?;
let ident = app_id.ident();
println!(" '{}'", ident);
} }
} }