Model PINs as &[u8] in openpgp-card-sequoia
This commit is contained in:
Heiko Schaefer
parent
e95b8c33bf
commit
f069fb1e20
10 changed files with 44 additions and 40 deletions
|
|
@ -255,7 +255,7 @@ pub fn test_keygen(
|
|||
key_sig,
|
||||
Some(key_dec),
|
||||
Some(key_aut),
|
||||
Some("123456".to_string()),
|
||||
Some(b"123456"),
|
||||
&|| {},
|
||||
)?;
|
||||
let armored = String::from_utf8(cert.armored().to_vec()?)?;
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
|
|||
|
||||
let mut open = Open::new(pgp.transaction()?)?;
|
||||
|
||||
let pin = std::fs::read_to_string(pin_file)?;
|
||||
let pin = std::fs::read(pin_file)?;
|
||||
|
||||
open.verify_user(&pin)?;
|
||||
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
|
|||
|
||||
let mut open = Open::new(pgp.transaction()?)?;
|
||||
|
||||
let pin = std::fs::read_to_string(pin_file)?;
|
||||
let pin = std::fs::read(pin_file)?;
|
||||
|
||||
open.verify_user_for_signing(&pin)?;
|
||||
|
||||
|
|
|
|||
|
|
@ -64,8 +64,8 @@ impl<'a> Open<'a> {
|
|||
self.opt.feature_pinpad_modify()
|
||||
}
|
||||
|
||||
pub fn verify_user(&mut self, pin: &str) -> Result<(), Error> {
|
||||
let _ = self.opt.verify_pw1_user(pin.as_bytes())?;
|
||||
pub fn verify_user(&mut self, pin: &[u8]) -> Result<(), Error> {
|
||||
let _ = self.opt.verify_pw1_user(pin)?;
|
||||
self.pw1 = true;
|
||||
Ok(())
|
||||
}
|
||||
|
|
@ -78,8 +78,8 @@ impl<'a> Open<'a> {
|
|||
Ok(())
|
||||
}
|
||||
|
||||
pub fn verify_user_for_signing(&mut self, pin: &str) -> Result<(), Error> {
|
||||
let _ = self.opt.verify_pw1_sign(pin.as_bytes())?;
|
||||
pub fn verify_user_for_signing(&mut self, pin: &[u8]) -> Result<(), Error> {
|
||||
let _ = self.opt.verify_pw1_sign(pin)?;
|
||||
|
||||
// FIXME: depending on card mode, pw1_sign is only usable once
|
||||
|
||||
|
|
@ -98,8 +98,8 @@ impl<'a> Open<'a> {
|
|||
Ok(())
|
||||
}
|
||||
|
||||
pub fn verify_admin(&mut self, pin: &str) -> Result<(), Error> {
|
||||
let _ = self.opt.verify_pw3(pin.as_bytes())?;
|
||||
pub fn verify_admin(&mut self, pin: &[u8]) -> Result<(), Error> {
|
||||
let _ = self.opt.verify_pw3(pin)?;
|
||||
self.pw3 = true;
|
||||
Ok(())
|
||||
}
|
||||
|
|
@ -126,8 +126,8 @@ impl<'a> Open<'a> {
|
|||
self.opt.check_pw3()
|
||||
}
|
||||
|
||||
pub fn change_user_pin(&mut self, old: &str, new: &str) -> Result<(), Error> {
|
||||
self.opt.change_pw1(old.as_bytes(), new.as_bytes())
|
||||
pub fn change_user_pin(&mut self, old: &[u8], new: &[u8]) -> Result<(), Error> {
|
||||
self.opt.change_pw1(old, new)
|
||||
}
|
||||
|
||||
pub fn change_user_pin_pinpad(&mut self, prompt: &dyn Fn()) -> Result<(), Error> {
|
||||
|
|
@ -135,13 +135,12 @@ impl<'a> Open<'a> {
|
|||
self.opt.change_pw1_pinpad()
|
||||
}
|
||||
|
||||
pub fn reset_user_pin(&mut self, rst: &str, new: &str) -> Result<(), Error> {
|
||||
self.opt
|
||||
.reset_retry_counter_pw1(new.as_bytes(), Some(rst.as_bytes()))
|
||||
pub fn reset_user_pin(&mut self, rst: &[u8], new: &[u8]) -> Result<(), Error> {
|
||||
self.opt.reset_retry_counter_pw1(new, Some(rst))
|
||||
}
|
||||
|
||||
pub fn change_admin_pin(&mut self, old: &str, new: &str) -> Result<(), Error> {
|
||||
self.opt.change_pw3(old.as_bytes(), new.as_bytes())
|
||||
pub fn change_admin_pin(&mut self, old: &[u8], new: &[u8]) -> Result<(), Error> {
|
||||
self.opt.change_pw3(old, new)
|
||||
}
|
||||
|
||||
pub fn change_admin_pin_pinpad(&mut self, prompt: &dyn Fn()) -> Result<(), Error> {
|
||||
|
|
|
|||
|
|
@ -64,7 +64,7 @@
|
|||
//! let mut open = Open::new(pgp.transaction()?)?;
|
||||
//!
|
||||
//! // Get authorization for user access to the card with password
|
||||
//! open.verify_user("123456")?;
|
||||
//! open.verify_user(b"123456")?;
|
||||
//! let mut user = open.user_card().expect("This should not fail");
|
||||
//!
|
||||
//! // Get decryptor (`cert` must contain a public key that corresponds
|
||||
|
|
@ -107,7 +107,7 @@
|
|||
//! let mut open = Open::new(pgp.transaction()?)?;
|
||||
//!
|
||||
//! // Get authorization for signing access to the card with password
|
||||
//! open.verify_user_for_signing("123456")?;
|
||||
//! open.verify_user_for_signing(b"123456")?;
|
||||
//! let mut user = open.signing_card().expect("This should not fail");
|
||||
//!
|
||||
//! // Get signer (`cert` must contain a public key that corresponds
|
||||
|
|
@ -139,7 +139,7 @@
|
|||
//! let mut open = Open::new(pgp.transaction()?)?;
|
||||
//!
|
||||
//! // Get authorization for admin access to the card with password
|
||||
//! open.verify_admin("12345678")?;
|
||||
//! open.verify_admin(b"12345678")?;
|
||||
//! let mut admin = open.admin_card().expect("This should not fail");
|
||||
//!
|
||||
//! // Set the Name and URL fields on the card
|
||||
|
|
|
|||
|
|
@ -94,7 +94,7 @@ fn main() -> Result<(), Box<dyn Error>> {
|
|||
println!("factory reset\n");
|
||||
open.factory_reset()?;
|
||||
|
||||
open.verify_admin("12345678")?;
|
||||
open.verify_admin(b"12345678")?;
|
||||
println!("verify for admin ok");
|
||||
|
||||
let check = open.check_user_verified();
|
||||
|
|
@ -152,7 +152,7 @@ fn main() -> Result<(), Box<dyn Error>> {
|
|||
let check = open.check_user_verified();
|
||||
println!("has user (pw1/82) been verified yet?\n{:x?}\n", check);
|
||||
|
||||
open.verify_user("123456")?;
|
||||
open.verify_user(b"123456")?;
|
||||
println!("verify for user (pw1/82) ok");
|
||||
|
||||
let check = open.check_user_verified();
|
||||
|
|
@ -186,7 +186,7 @@ fn main() -> Result<(), Box<dyn Error>> {
|
|||
let mut open = Open::new(pgp.transaction()?)?;
|
||||
|
||||
// Sign
|
||||
open.verify_user_for_signing("123456")?;
|
||||
open.verify_user_for_signing(b"123456")?;
|
||||
println!("verify for sign (pw1/81) ok\n");
|
||||
|
||||
// Use Sign access to card
|
||||
|
|
|
|||
|
|
@ -47,7 +47,7 @@ pub fn make_cert<'app>(
|
|||
key_sig: PublicKey,
|
||||
key_dec: Option<PublicKey>,
|
||||
key_aut: Option<PublicKey>,
|
||||
pw1: Option<String>,
|
||||
pw1: Option<&[u8]>,
|
||||
prompt: &dyn Fn(),
|
||||
) -> Result<Cert> {
|
||||
let mut pp = vec![];
|
||||
|
|
@ -76,8 +76,8 @@ pub fn make_cert<'app>(
|
|||
)?;
|
||||
|
||||
// Allow signing on the card
|
||||
if let Some(pw1) = pw1.clone() {
|
||||
open.verify_user_for_signing(&pw1)?;
|
||||
if let Some(pw1) = pw1 {
|
||||
open.verify_user_for_signing(pw1)?;
|
||||
} else {
|
||||
open.verify_user_for_signing_pinpad(prompt)?;
|
||||
}
|
||||
|
|
@ -107,8 +107,8 @@ pub fn make_cert<'app>(
|
|||
.set_key_flags(KeyFlags::empty().set_authentication())?;
|
||||
|
||||
// Allow signing on the card
|
||||
if let Some(pw1) = pw1.clone() {
|
||||
open.verify_user_for_signing(&pw1)?;
|
||||
if let Some(pw1) = pw1 {
|
||||
open.verify_user_for_signing(pw1)?;
|
||||
} else {
|
||||
open.verify_user_for_signing_pinpad(prompt)?;
|
||||
}
|
||||
|
|
@ -151,7 +151,7 @@ pub fn make_cert<'app>(
|
|||
|
||||
// Allow signing on the card
|
||||
if let Some(pw1) = pw1 {
|
||||
open.verify_user_for_signing(&pw1)?;
|
||||
open.verify_user_for_signing(pw1)?;
|
||||
} else {
|
||||
open.verify_user_for_signing_pinpad(prompt)?;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -31,7 +31,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
|
|||
let pin = rpassword::read_password_from_tty(Some("Enter user PIN: "))?;
|
||||
|
||||
// verify pin
|
||||
open.verify_user(&pin)?;
|
||||
open.verify_user(pin.as_bytes())?;
|
||||
println!("PIN was accepted by the card.\n");
|
||||
|
||||
// get new user pin
|
||||
|
|
@ -43,7 +43,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
|
|||
}
|
||||
|
||||
// set new user pin
|
||||
open.change_user_pin(&pin, &newpin1)
|
||||
open.change_user_pin(pin.as_bytes(), newpin1.as_bytes())
|
||||
} else {
|
||||
// set new user pin via pinpad
|
||||
open.change_user_pin_pinpad(&|| {
|
||||
|
|
@ -69,7 +69,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
|
|||
let pin = rpassword::read_password_from_tty(Some("Enter admin PIN: "))?;
|
||||
|
||||
// verify pin
|
||||
open.verify_admin(&pin)?;
|
||||
open.verify_admin(pin.as_bytes())?;
|
||||
|
||||
// get new admin pin
|
||||
let newpin1 = rpassword::read_password_from_tty(Some("Enter new admin PIN: "))?;
|
||||
|
|
@ -81,7 +81,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
|
|||
}
|
||||
|
||||
// set new admin pin from input
|
||||
open.change_admin_pin(&pin, &newpin1)?;
|
||||
open.change_admin_pin(pin.as_bytes(), newpin1.as_bytes())?;
|
||||
} else {
|
||||
// set new admin pin with pinpad
|
||||
open.change_admin_pin_pinpad(&|| {
|
||||
|
|
@ -100,7 +100,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
|
|||
// get current admin pin
|
||||
let pin = rpassword::read_password_from_tty(Some("Enter admin PIN: "))?;
|
||||
|
||||
open.verify_admin(&pin)?;
|
||||
open.verify_admin(pin.as_bytes())?;
|
||||
} else {
|
||||
open.verify_admin_pinpad(&|| println!("Enter admin PIN on card reader pinpad."))?;
|
||||
}
|
||||
|
|
@ -132,7 +132,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
|
|||
let pin = rpassword::read_password_from_tty(Some("Enter admin PIN: "))?;
|
||||
|
||||
// verify pin
|
||||
open.verify_admin(&pin)?;
|
||||
open.verify_admin(pin.as_bytes())?;
|
||||
} else {
|
||||
open.verify_admin_pinpad(&|| {
|
||||
println!("Enter admin PIN on card reader pinpad.")
|
||||
|
|
@ -160,7 +160,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
|
|||
|
||||
let res = if let Some(rst) = rst {
|
||||
// reset to new user pin
|
||||
open.reset_user_pin(&rst, &newpin1)
|
||||
open.reset_user_pin(rst.as_bytes(), newpin1.as_bytes())
|
||||
} else if let Some(mut admin) = open.admin_card() {
|
||||
admin.reset_user_pin(&newpin1)
|
||||
} else {
|
||||
|
|
|
|||
|
|
@ -554,9 +554,14 @@ fn generate_keys(
|
|||
None
|
||||
};
|
||||
|
||||
let cert = make_cert(&mut open, key_sig, key_dec, key_aut, pin, &|| {
|
||||
println!("Enter user PIN on card reader pinpad.")
|
||||
})?;
|
||||
let cert = make_cert(
|
||||
&mut open,
|
||||
key_sig,
|
||||
key_dec,
|
||||
key_aut,
|
||||
pin.as_deref(),
|
||||
&|| println!("Enter user PIN on card reader pinpad."),
|
||||
)?;
|
||||
let armored = String::from_utf8(cert.armored().to_vec()?)?;
|
||||
|
||||
// Write armored certificate to the output file (or stdout)
|
||||
|
|
|
|||
|
|
@ -71,9 +71,9 @@ pub(crate) fn verify_to_admin<'app, 'open>(
|
|||
.ok_or_else(|| anyhow!("Couldn't get admin access").into())
|
||||
}
|
||||
|
||||
pub(crate) fn load_pin(pin_file: &Path) -> Result<String> {
|
||||
pub(crate) fn load_pin(pin_file: &Path) -> Result<Vec<u8>> {
|
||||
let pin = std::fs::read_to_string(pin_file)?;
|
||||
Ok(pin.trim().to_string())
|
||||
Ok(pin.trim().as_bytes().to_vec())
|
||||
}
|
||||
|
||||
pub(crate) fn open_or_stdin(f: Option<&Path>) -> Result<Box<dyn std::io::Read + Send + Sync>> {
|
||||
|
|
|
|||
Loading…
Reference in a new issue