turnkey/openpgp-card
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Don't require a certificate for signing or decryption (use the public key material from the card instead).

Browse source
This commit is contained in:
Heiko Schaefer 2022-07-25 16:20:02 +02:00
parent 6e630254fa
commit b614716c0b
No known key found for this signature in database
GPG key ID: 4A849A1904CCBD7D
3 changed files with 8 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
tools/README.md
View file

@ -453,13 +453,13 @@ For now, this tool only supports creating detached signatures, like this
(if no input file is set, stdin is read): (if no input file is set, stdin is read):
``` ```
$ opgpcard sign --detached -c ABCD:01234567 -p <user-pin-file> -s <cert-file> <input-file> $ opgpcard sign --detached -c ABCD:01234567 -p <user-pin-file> <input-file>
``` ```
or interactively or interactively
``` ```
$ opgpcard sign --detached -c ABCD:01234567 -s <cert-file> <input-file> $ opgpcard sign --detached -c ABCD:01234567 <input-file>
``` ```
### Decrypting ### Decrypting
@ -467,13 +467,13 @@ $ opgpcard sign --detached -c ABCD:01234567 -s <cert-file> <input-file>
Decryption using a card (if no input file is set, stdin is read): Decryption using a card (if no input file is set, stdin is read):
``` ```
$ opgpcard decrypt -c ABCD:01234567 -p <user-pin-file> -r <cert-file> <input-file> $ opgpcard decrypt -c ABCD:01234567 -p <user-pin-file> <input-file>
``` ```
or interactively or interactively
``` ```
$ opgpcard decrypt -c ABCD:01234567 -r <cert-file> <input-file> $ opgpcard decrypt -c ABCD:01234567 <input-file>
``` ```
### PIN management ### PIN management

6
tools/src/bin/opgpcard/cli.rs
View file

@ -85,9 +85,6 @@ pub enum Command {
#[clap(name = "User PIN file", short = 'p', long = "user-pin")] #[clap(name = "User PIN file", short = 'p', long = "user-pin")]
user_pin: Option<PathBuf>, user_pin: Option<PathBuf>,
#[clap(name = "recipient-cert-file", short = 'r', long = "recipient-cert")]
cert_file: PathBuf,
/// Input file (stdin if unset) /// Input file (stdin if unset)
#[clap(name = "input")] #[clap(name = "input")]
input: Option<PathBuf>, input: Option<PathBuf>,
@ -105,9 +102,6 @@ pub enum Command {
#[clap(name = "detached", short = 'd', long = "detached")] #[clap(name = "detached", short = 'd', long = "detached")]
detached: bool, detached: bool,
#[clap(name = "signer-cert-file", short = 's', long = "signer-cert")]
cert_file: PathBuf,
/// Input file (stdin if unset) /// Input file (stdin if unset)
#[clap(name = "input")] #[clap(name = "input")]
input: Option<PathBuf>, input: Option<PathBuf>,

17
tools/src/bin/opgpcard/main.rs
View file

@ -62,20 +62,18 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
cli::Command::Decrypt { cli::Command::Decrypt {
ident, ident,
user_pin, user_pin,
cert_file,
input, input,
} => { } => {
decrypt(&ident, user_pin, &cert_file, input.as_deref())?; decrypt(&ident, user_pin, input.as_deref())?;
} }
cli::Command::Sign { cli::Command::Sign {
ident, ident,
user_pin, user_pin,
cert_file,
detached, detached,
input, input,
} => { } => {
if detached { if detached {
sign_detached(&ident, user_pin, &cert_file, input.as_deref())?; sign_detached(&ident, user_pin, input.as_deref())?;
} else { } else {
return Err( return Err(
anyhow::anyhow!("Only detached signatures are supported for now").into(), anyhow::anyhow!("Only detached signatures are supported for now").into(),
@ -878,11 +876,9 @@ fn print_pubkey(ident: Option<String>, user_pin: Option<PathBuf>) -> Result<()>
fn decrypt( fn decrypt(
ident: &str, ident: &str,
pin_file: Option<PathBuf>, pin_file: Option<PathBuf>,
cert_file: &Path,
input: Option<&Path>, input: Option<&Path>,
) -> Result<(), Box<dyn std::error::Error>> { ) -> Result<(), Box<dyn std::error::Error>> {
let p = StandardPolicy::new(); let p = StandardPolicy::new();
let cert = Cert::from_file(cert_file)?;
let input = util::open_or_stdin(input)?; let input = util::open_or_stdin(input)?;
@ -894,9 +890,7 @@ fn decrypt(
let user_pin = util::get_pin(&mut open, pin_file, ENTER_USER_PIN); let user_pin = util::get_pin(&mut open, pin_file, ENTER_USER_PIN);
let mut user = util::verify_to_user(&mut open, user_pin.as_deref())?; let mut user = util::verify_to_user(&mut open, user_pin.as_deref())?;
let d = user.decryptor(&cert, &|| { let d = user.decryptor(&|| println!("Touch confirmation needed for decryption"))?;
println!("Touch confirmation needed for decryption")
})?;
let db = DecryptorBuilder::from_reader(input)?; let db = DecryptorBuilder::from_reader(input)?;
let mut decryptor = db.with_policy(&p, None, d)?; let mut decryptor = db.with_policy(&p, None, d)?;
@ -909,11 +903,8 @@ fn decrypt(
fn sign_detached( fn sign_detached(
ident: &str, ident: &str,
pin_file: Option<PathBuf>, pin_file: Option<PathBuf>,
cert_file: &Path,
input: Option<&Path>, input: Option<&Path>,
) -> Result<(), Box<dyn std::error::Error>> { ) -> Result<(), Box<dyn std::error::Error>> {
let cert = Cert::from_file(cert_file)?;
let mut input = util::open_or_stdin(input)?; let mut input = util::open_or_stdin(input)?;
let mut card = util::open_card(ident)?; let mut card = util::open_card(ident)?;
@ -924,7 +915,7 @@ fn sign_detached(
let user_pin = util::get_pin(&mut open, pin_file, ENTER_USER_PIN); let user_pin = util::get_pin(&mut open, pin_file, ENTER_USER_PIN);
let mut sign = util::verify_to_sign(&mut open, user_pin.as_deref())?; let mut sign = util::verify_to_sign(&mut open, user_pin.as_deref())?;
let s = sign.signer(&cert, &|| println!("Touch confirmation needed for signing"))?; let s = sign.signer(&|| println!("Touch confirmation needed for signing"))?;
let message = Armorer::new(Message::new(std::io::stdout())).build()?; let message = Armorer::new(Message::new(std::io::stdout())).build()?;
let mut signer = Signer::new(message, s).detached().build()?; let mut signer = Signer::new(message, s).detached().build()?;