From f069fb1e207505340b2dc9ec18835295fb7dfc8a Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Tue, 29 Mar 2022 18:14:00 +0200 Subject: [PATCH] Model PINs as &[u8] in openpgp-card-sequoia --- card-functionality/src/tests.rs | 2 +- openpgp-card-examples/src/bin/decrypt.rs | 2 +- openpgp-card-examples/src/bin/detach-sign.rs | 2 +- openpgp-card-sequoia/src/card.rs | 25 ++++++++++---------- openpgp-card-sequoia/src/lib.rs | 6 ++--- openpgp-card-sequoia/src/main.rs | 6 ++--- openpgp-card-sequoia/src/util.rs | 12 +++++----- tools/src/bin/opgpcard-pin/main.rs | 14 +++++------ tools/src/bin/opgpcard/main.rs | 11 ++++++--- tools/src/bin/opgpcard/util.rs | 4 ++-- 10 files changed, 44 insertions(+), 40 deletions(-) diff --git a/card-functionality/src/tests.rs b/card-functionality/src/tests.rs index fa57d07..e96f87f 100644 --- a/card-functionality/src/tests.rs +++ b/card-functionality/src/tests.rs @@ -255,7 +255,7 @@ pub fn test_keygen( key_sig, Some(key_dec), Some(key_aut), - Some("123456".to_string()), + Some(b"123456"), &|| {}, )?; let armored = String::from_utf8(cert.armored().to_vec()?)?; diff --git a/openpgp-card-examples/src/bin/decrypt.rs b/openpgp-card-examples/src/bin/decrypt.rs index 36e32d4..430897a 100644 --- a/openpgp-card-examples/src/bin/decrypt.rs +++ b/openpgp-card-examples/src/bin/decrypt.rs @@ -27,7 +27,7 @@ fn main() -> Result<(), Box> { let mut open = Open::new(pgp.transaction()?)?; - let pin = std::fs::read_to_string(pin_file)?; + let pin = std::fs::read(pin_file)?; open.verify_user(&pin)?; diff --git a/openpgp-card-examples/src/bin/detach-sign.rs b/openpgp-card-examples/src/bin/detach-sign.rs index cce00b4..5aea145 100644 --- a/openpgp-card-examples/src/bin/detach-sign.rs +++ b/openpgp-card-examples/src/bin/detach-sign.rs @@ -27,7 +27,7 @@ fn main() -> Result<(), Box> { let mut open = Open::new(pgp.transaction()?)?; - let pin = std::fs::read_to_string(pin_file)?; + let pin = std::fs::read(pin_file)?; open.verify_user_for_signing(&pin)?; 
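Review bot: In decrypt.rs the bytes returned by `std::fs::read(pin_file)?` are passed to `open.verify_user(&pin)` untrimmed, so a PIN file that ends in a newline sends that newline to the card as part of the PIN; detach-sign.rs has the same pattern with `verify_user_for_signing`. A rejected PIN normally counts against the card's retry counter, so a stray line ending is costly here. `load_pin` in tools/src/bin/opgpcard/util.rs trims its input, and the examples could do the equivalent by binding `let mut pin = std::fs::read(pin_file)?;` and then `while matches!(pin.last(), Some(b'\n' | b'\r')) { pin.pop(); }`. `main` continues outside both hunks.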
diff --git a/openpgp-card-sequoia/src/card.rs b/openpgp-card-sequoia/src/card.rs index ac0c08a..434309a 100644 --- a/openpgp-card-sequoia/src/card.rs +++ b/openpgp-card-sequoia/src/card.rs @@ -64,8 +64,8 @@ impl<'a> Open<'a> { self.opt.feature_pinpad_modify() } - pub fn verify_user(&mut self, pin: &str) -> Result<(), Error> { - let _ = self.opt.verify_pw1_user(pin.as_bytes())?; + pub fn verify_user(&mut self, pin: &[u8]) -> Result<(), Error> { + let _ = self.opt.verify_pw1_user(pin)?; self.pw1 = true; Ok(()) } @@ -78,8 +78,8 @@ impl<'a> Open<'a> { Ok(()) } - pub fn verify_user_for_signing(&mut self, pin: &str) -> Result<(), Error> { - let _ = self.opt.verify_pw1_sign(pin.as_bytes())?; + pub fn verify_user_for_signing(&mut self, pin: &[u8]) -> Result<(), Error> { + let _ = self.opt.verify_pw1_sign(pin)?; // FIXME: depending on card mode, pw1_sign is only usable once @@ -98,8 +98,8 @@ impl<'a> Open<'a> { Ok(()) } - pub fn verify_admin(&mut self, pin: &str) -> Result<(), Error> { - let _ = self.opt.verify_pw3(pin.as_bytes())?; + pub fn verify_admin(&mut self, pin: &[u8]) -> Result<(), Error> { + let _ = self.opt.verify_pw3(pin)?; self.pw3 = true; Ok(()) } @@ -126,8 +126,8 @@ impl<'a> Open<'a> { self.opt.check_pw3() } - pub fn change_user_pin(&mut self, old: &str, new: &str) -> Result<(), Error> { - self.opt.change_pw1(old.as_bytes(), new.as_bytes()) + pub fn change_user_pin(&mut self, old: &[u8], new: &[u8]) -> Result<(), Error> { + self.opt.change_pw1(old, new) } pub fn change_user_pin_pinpad(&mut self, prompt: &dyn Fn()) -> Result<(), Error> { 
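Review bot: The public PIN methods changed in card.rs (`verify_user`, `verify_user_for_signing`, `verify_admin`, `change_user_pin`, and in the following hunk at -135 `reset_user_pin` and `change_admin_pin`) carry no doc comments, and with `&[u8]` the signature no longer tells a caller how the PIN should be encoded. These wrappers forward the slice unchanged to `self.opt`, so a line such as `/// The PIN bytes are passed on exactly as given; encoding and trimming are up to the caller.` on each would record that contract. `reset_user_pin(rst, new)` also forwards its arguments in the opposite order, `reset_retry_counter_pw1(new, Some(rst))`, and because both are `&[u8]` a swapped call compiles, so a doc line naming which argument is the resetting code would help. The enclosing `impl` starts and ends outside these hunks.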
@@ -135,13 +135,12 @@ impl<'a> Open<'a> { self.opt.change_pw1_pinpad() } - pub fn reset_user_pin(&mut self, rst: &str, new: &str) -> Result<(), Error> { - self.opt - .reset_retry_counter_pw1(new.as_bytes(), Some(rst.as_bytes())) + pub fn reset_user_pin(&mut self, rst: &[u8], new: &[u8]) -> Result<(), Error> { + self.opt.reset_retry_counter_pw1(new, Some(rst)) } - pub fn change_admin_pin(&mut self, old: &str, new: &str) -> Result<(), Error> { - self.opt.change_pw3(old.as_bytes(), new.as_bytes()) + pub fn change_admin_pin(&mut self, old: &[u8], new: &[u8]) -> Result<(), Error> { + self.opt.change_pw3(old, new) } pub fn change_admin_pin_pinpad(&mut self, prompt: &dyn Fn()) -> Result<(), Error> { diff --git a/openpgp-card-sequoia/src/lib.rs b/openpgp-card-sequoia/src/lib.rs index 76c7e11..dfbb45a 100644 --- a/openpgp-card-sequoia/src/lib.rs +++ b/openpgp-card-sequoia/src/lib.rs @@ -64,7 +64,7 @@ //! let mut open = Open::new(pgp.transaction()?)?; //! //! // Get authorization for user access to the card with password -//! open.verify_user("123456")?; +//! open.verify_user(b"123456")?; //! let mut user = open.user_card().expect("This should not fail"); //! //! // Get decryptor (`cert` must contain a public key that corresponds @@ -107,7 +107,7 @@ //! let mut open = Open::new(pgp.transaction()?)?; //! //! // Get authorization for signing access to the card with password -//! open.verify_user_for_signing("123456")?; +//! open.verify_user_for_signing(b"123456")?; //! let mut user = open.signing_card().expect("This should not fail"); //! //! // Get signer (`cert` must contain a public key that corresponds @@ -139,7 +139,7 @@ //! let mut open = Open::new(pgp.transaction()?)?; //! //! // Get authorization for admin access to the card with password -//! open.verify_admin("12345678")?; +//! open.verify_admin(b"12345678")?; //! let mut admin = open.admin_card().expect("This should not fail"); //! //! // Set the Name and URL fields on the card 
diff --git a/openpgp-card-sequoia/src/main.rs b/openpgp-card-sequoia/src/main.rs index 1d5bcd0..6213a58 100644 --- a/openpgp-card-sequoia/src/main.rs +++ b/openpgp-card-sequoia/src/main.rs @@ -94,7 +94,7 @@ fn main() -> Result<(), Box> { println!("factory reset\n"); open.factory_reset()?; - open.verify_admin("12345678")?; + open.verify_admin(b"12345678")?; println!("verify for admin ok"); let check = open.check_user_verified(); @@ -152,7 +152,7 @@ fn main() -> Result<(), Box> { let check = open.check_user_verified(); println!("has user (pw1/82) been verified yet?\n{:x?}\n", check); - open.verify_user("123456")?; + open.verify_user(b"123456")?; println!("verify for user (pw1/82) ok"); let check = open.check_user_verified(); @@ -186,7 +186,7 @@ fn main() -> Result<(), Box> { let mut open = Open::new(pgp.transaction()?)?; // Sign - open.verify_user_for_signing("123456")?; + open.verify_user_for_signing(b"123456")?; println!("verify for sign (pw1/81) ok\n"); // Use Sign access to card diff --git a/openpgp-card-sequoia/src/util.rs b/openpgp-card-sequoia/src/util.rs index 5661517..62f90a2 100644 --- a/openpgp-card-sequoia/src/util.rs +++ b/openpgp-card-sequoia/src/util.rs @@ -47,7 +47,7 @@ pub fn make_cert<'app>( key_sig: PublicKey, key_dec: Option, key_aut: Option, - pw1: Option, + pw1: Option<&[u8]>, prompt: &dyn Fn(), ) -> Result { let mut pp = vec![]; @@ -76,8 +76,8 @@ pub fn make_cert<'app>( )?; // Allow signing on the card - if let Some(pw1) = pw1.clone() { - open.verify_user_for_signing(&pw1)?; + if let Some(pw1) = pw1 { + open.verify_user_for_signing(pw1)?; } else { open.verify_user_for_signing_pinpad(prompt)?; } @@ -107,8 +107,8 @@ pub fn make_cert<'app>( .set_key_flags(KeyFlags::empty().set_authentication())?; // Allow signing on the card - if let Some(pw1) = pw1.clone() { - open.verify_user_for_signing(&pw1)?; + if let Some(pw1) = pw1 { + open.verify_user_for_signing(pw1)?; } else { open.verify_user_for_signing_pinpad(prompt)?; } 
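Review bot: The `if let Some(pw1) = pw1 { open.verify_user_for_signing(pw1)?; } else { open.verify_user_for_signing_pinpad(prompt)?; }` block in `make_cert` appears at -76 and -107 here and again at -151, identical each time now that `pw1` is a `Copy` `Option<&[u8]>`. A small private helper taking `&mut Open`, the optional PIN and `prompt` would give the PIN-or-pinpad decision a single place to live, which matters if the re-verification rule ever changes. The `pw1` parameter also deserves a doc line, for example `/// pw1: user PIN bytes; None verifies on the reader pinpad instead.` `make_cert` starts and ends outside these hunks.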
@@ -151,7 +151,7 @@ pub fn make_cert<'app>( // Allow signing on the card if let Some(pw1) = pw1 { - open.verify_user_for_signing(&pw1)?; + open.verify_user_for_signing(pw1)?; } else { open.verify_user_for_signing_pinpad(prompt)?; } diff --git a/tools/src/bin/opgpcard-pin/main.rs b/tools/src/bin/opgpcard-pin/main.rs index e7a5550..cf90e06 100644 --- a/tools/src/bin/opgpcard-pin/main.rs +++ b/tools/src/bin/opgpcard-pin/main.rs @@ -31,7 +31,7 @@ fn main() -> Result<(), Box> { let pin = rpassword::read_password_from_tty(Some("Enter user PIN: "))?; // verify pin - open.verify_user(&pin)?; + open.verify_user(pin.as_bytes())?; println!("PIN was accepted by the card.\n"); // get new user pin @@ -43,7 +43,7 @@ fn main() -> Result<(), Box> { } // set new user pin - open.change_user_pin(&pin, &newpin1) + open.change_user_pin(pin.as_bytes(), newpin1.as_bytes()) } else { // set new user pin via pinpad open.change_user_pin_pinpad(&|| { @@ -69,7 +69,7 @@ fn main() -> Result<(), Box> { let pin = rpassword::read_password_from_tty(Some("Enter admin PIN: "))?; // verify pin - open.verify_admin(&pin)?; + open.verify_admin(pin.as_bytes())?; // get new admin pin let newpin1 = rpassword::read_password_from_tty(Some("Enter new admin PIN: "))?; @@ -81,7 +81,7 @@ fn main() -> Result<(), Box> { } // set new admin pin from input - open.change_admin_pin(&pin, &newpin1)?; + open.change_admin_pin(pin.as_bytes(), newpin1.as_bytes())?; } else { // set new admin pin with pinpad open.change_admin_pin_pinpad(&|| { @@ -100,7 +100,7 @@ fn main() -> Result<(), Box> { // get current admin pin let pin = rpassword::read_password_from_tty(Some("Enter admin PIN: "))?; - open.verify_admin(&pin)?; + open.verify_admin(pin.as_bytes())?; } else { open.verify_admin_pinpad(&|| println!("Enter admin PIN on card reader pinpad."))?; } 
@@ -132,7 +132,7 @@ fn main() -> Result<(), Box> { let pin = rpassword::read_password_from_tty(Some("Enter admin PIN: "))?; // verify pin - open.verify_admin(&pin)?; + open.verify_admin(pin.as_bytes())?; } else { open.verify_admin_pinpad(&|| { println!("Enter admin PIN on card reader pinpad.") @@ -160,7 +160,7 @@ fn main() -> Result<(), Box> { let res = if let Some(rst) = rst { // reset to new user pin - open.reset_user_pin(&rst, &newpin1) + open.reset_user_pin(rst.as_bytes(), newpin1.as_bytes()) } else if let Some(mut admin) = open.admin_card() { admin.reset_user_pin(&newpin1) } else { diff --git a/tools/src/bin/opgpcard/main.rs b/tools/src/bin/opgpcard/main.rs index 44a1469..dae801c 100644 --- a/tools/src/bin/opgpcard/main.rs +++ b/tools/src/bin/opgpcard/main.rs @@ -554,9 +554,14 @@ fn generate_keys( None }; - let cert = make_cert(&mut open, key_sig, key_dec, key_aut, pin, &|| { - println!("Enter user PIN on card reader pinpad.") - })?; + let cert = make_cert( + &mut open, + key_sig, + key_dec, + key_aut, + pin.as_deref(), + &|| println!("Enter user PIN on card reader pinpad."), + )?; let armored = String::from_utf8(cert.armored().to_vec()?)?; // Write armored certificate to the output file (or stdout) diff --git a/tools/src/bin/opgpcard/util.rs b/tools/src/bin/opgpcard/util.rs index 176facd..b2f6c59 100644 --- a/tools/src/bin/opgpcard/util.rs +++ b/tools/src/bin/opgpcard/util.rs @@ -71,9 +71,9 @@ pub(crate) fn verify_to_admin<'app, 'open>( .ok_or_else(|| anyhow!("Couldn't get admin access").into()) } -pub(crate) fn load_pin(pin_file: &Path) -> Result { +pub(crate) fn load_pin(pin_file: &Path) -> Result> { let pin = std::fs::read_to_string(pin_file)?; - Ok(pin.trim().to_string()) + Ok(pin.trim().as_bytes().to_vec()) } pub(crate) fn open_or_stdin(f: Option<&Path>) -> Result> {
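Review bot: In the hunk at -160 the resetting-code branch now calls `open.reset_user_pin(rst.as_bytes(), newpin1.as_bytes())`, but the admin branch on the next line still calls `admin.reset_user_pin(&newpin1)` with the `String`, so the admin-side method apparently keeps a string-typed PIN parameter. That leaves two PIN types in the same API after a commit whose subject is modelling PINs as `&[u8]`. Converting the admin method the same way, so that this line becomes `admin.reset_user_pin(newpin1.as_bytes())`, would keep the two paths consistent. The method's definition is not part of this patch, so its signature is inferred from the call.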
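Review bot: `load_pin` now returns bytes but still reads through `std::fs::read_to_string`, so a PIN file that is not valid UTF-8 is rejected here while the examples in this commit accept it via `std::fs::read`. `pin.trim()` also strips leading and trailing whitespace of any kind, and the intermediate `String` plus `to_vec()` leave two copies of the PIN on the heap. If byte PINs are the intent, reading with `let mut pin = std::fs::read(pin_file)?;` and dropping only a trailing line ending with `while matches!(pin.last(), Some(b'\n' | b'\r')) { pin.pop(); }` before `Ok(pin)` keeps a single buffer. Whether leading whitespace must still be stripped for existing PIN files is worth confirming before changing it.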