Model PINs as &[u8] in openpgp-card-sequoia

Heiko Schaefer 2022-03-29 18:14:00 +02:00
parent e95b8c33bf
commit f069fb1e20
No known key found for this signature in database
GPG key ID: 4A849A1904CCBD7D
10 changed files with 44 additions and 40 deletions


@ -255,7 +255,7 @@ pub fn test_keygen(
key_sig, key_sig,
Some(key_dec), Some(key_dec),
Some(key_aut), Some(key_aut),
Some("123456".to_string()), Some(b"123456"),
&|| {}, &|| {},
)?; )?;
let armored = String::from_utf8(cert.armored().to_vec()?)?; let armored = String::from_utf8(cert.armored().to_vec()?)?;


@ -27,7 +27,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
let mut open = Open::new(pgp.transaction()?)?; let mut open = Open::new(pgp.transaction()?)?;
let pin = std::fs::read_to_string(pin_file)?; let pin = std::fs::read(pin_file)?;
open.verify_user(&pin)?; open.verify_user(&pin)?;
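Review bot: The bytes returned by `std::fs::read(pin_file)` go to `verify_user` unchanged, so a PIN file that ends in a newline sends that newline to the card as part of the PIN. A rejected PIN presumably counts against the card's retry counter, so the line ending is worth removing before the call, for example `open.verify_user(pin.strip_suffix(b"\n").unwrap_or(&pin))?;`. The same applies to the `verify_user_for_signing` call in the next file section, and `load_pin` elsewhere in this commit does trim its input, so the examples and the tool disagree. main's body continues outside the hunk.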


@ -27,7 +27,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
let mut open = Open::new(pgp.transaction()?)?; let mut open = Open::new(pgp.transaction()?)?;
let pin = std::fs::read_to_string(pin_file)?; let pin = std::fs::read(pin_file)?;
open.verify_user_for_signing(&pin)?; open.verify_user_for_signing(&pin)?;


@ -64,8 +64,8 @@ impl<'a> Open<'a> {
self.opt.feature_pinpad_modify() self.opt.feature_pinpad_modify()
} }
pub fn verify_user(&mut self, pin: &str) -> Result<(), Error> { pub fn verify_user(&mut self, pin: &[u8]) -> Result<(), Error> {
let _ = self.opt.verify_pw1_user(pin.as_bytes())?; let _ = self.opt.verify_pw1_user(pin)?;
self.pw1 = true; self.pw1 = true;
Ok(()) Ok(())
} }
@ -78,8 +78,8 @@ impl<'a> Open<'a> {
Ok(()) Ok(())
} }
pub fn verify_user_for_signing(&mut self, pin: &str) -> Result<(), Error> { pub fn verify_user_for_signing(&mut self, pin: &[u8]) -> Result<(), Error> {
let _ = self.opt.verify_pw1_sign(pin.as_bytes())?; let _ = self.opt.verify_pw1_sign(pin)?;
// FIXME: depending on card mode, pw1_sign is only usable once // FIXME: depending on card mode, pw1_sign is only usable once
@ -98,8 +98,8 @@ impl<'a> Open<'a> {
Ok(()) Ok(())
} }
pub fn verify_admin(&mut self, pin: &str) -> Result<(), Error> { pub fn verify_admin(&mut self, pin: &[u8]) -> Result<(), Error> {
let _ = self.opt.verify_pw3(pin.as_bytes())?; let _ = self.opt.verify_pw3(pin)?;
self.pw3 = true; self.pw3 = true;
Ok(()) Ok(())
} }
@ -126,8 +126,8 @@ impl<'a> Open<'a> {
self.opt.check_pw3() self.opt.check_pw3()
} }
pub fn change_user_pin(&mut self, old: &str, new: &str) -> Result<(), Error> { pub fn change_user_pin(&mut self, old: &[u8], new: &[u8]) -> Result<(), Error> {
self.opt.change_pw1(old.as_bytes(), new.as_bytes()) self.opt.change_pw1(old, new)
} }
pub fn change_user_pin_pinpad(&mut self, prompt: &dyn Fn()) -> Result<(), Error> { pub fn change_user_pin_pinpad(&mut self, prompt: &dyn Fn()) -> Result<(), Error> {
@ -135,13 +135,12 @@ impl<'a> Open<'a> {
self.opt.change_pw1_pinpad() self.opt.change_pw1_pinpad()
} }
pub fn reset_user_pin(&mut self, rst: &str, new: &str) -> Result<(), Error> { pub fn reset_user_pin(&mut self, rst: &[u8], new: &[u8]) -> Result<(), Error> {
self.opt self.opt.reset_retry_counter_pw1(new, Some(rst))
.reset_retry_counter_pw1(new.as_bytes(), Some(rst.as_bytes()))
} }
pub fn change_admin_pin(&mut self, old: &str, new: &str) -> Result<(), Error> { pub fn change_admin_pin(&mut self, old: &[u8], new: &[u8]) -> Result<(), Error> {
self.opt.change_pw3(old.as_bytes(), new.as_bytes()) self.opt.change_pw3(old, new)
} }
pub fn change_admin_pin_pinpad(&mut self, prompt: &dyn Fn()) -> Result<(), Error> { pub fn change_admin_pin_pinpad(&mut self, prompt: &dyn Fn()) -> Result<(), Error> {
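Review bot: The public PIN methods on `Open` change their parameter type from `&str` to `&[u8]` without gaining doc comments, so nothing tells a caller that the bytes are forwarded to the card exactly as given. `verify_user`, `verify_user_for_signing`, `verify_admin`, `change_user_pin`, `reset_user_pin` and `change_admin_pin` each hand the slice straight to the corresponding `self.opt` call. A line such as `/// The PIN is sent to the card byte-for-byte; callers strip any line ending first.` on each method would record that contract. The `impl` block starts and ends outside these hunks.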


@ -64,7 +64,7 @@
//! let mut open = Open::new(pgp.transaction()?)?; //! let mut open = Open::new(pgp.transaction()?)?;
//! //!
//! // Get authorization for user access to the card with password //! // Get authorization for user access to the card with password
//! open.verify_user("123456")?; //! open.verify_user(b"123456")?;
//! let mut user = open.user_card().expect("This should not fail"); //! let mut user = open.user_card().expect("This should not fail");
//! //!
//! // Get decryptor (`cert` must contain a public key that corresponds //! // Get decryptor (`cert` must contain a public key that corresponds
@ -107,7 +107,7 @@
//! let mut open = Open::new(pgp.transaction()?)?; //! let mut open = Open::new(pgp.transaction()?)?;
//! //!
//! // Get authorization for signing access to the card with password //! // Get authorization for signing access to the card with password
//! open.verify_user_for_signing("123456")?; //! open.verify_user_for_signing(b"123456")?;
//! let mut user = open.signing_card().expect("This should not fail"); //! let mut user = open.signing_card().expect("This should not fail");
//! //!
//! // Get signer (`cert` must contain a public key that corresponds //! // Get signer (`cert` must contain a public key that corresponds
@ -139,7 +139,7 @@
//! let mut open = Open::new(pgp.transaction()?)?; //! let mut open = Open::new(pgp.transaction()?)?;
//! //!
//! // Get authorization for admin access to the card with password //! // Get authorization for admin access to the card with password
//! open.verify_admin("12345678")?; //! open.verify_admin(b"12345678")?;
//! let mut admin = open.admin_card().expect("This should not fail"); //! let mut admin = open.admin_card().expect("This should not fail");
//! //!
//! // Set the Name and URL fields on the card //! // Set the Name and URL fields on the card


@ -94,7 +94,7 @@ fn main() -> Result<(), Box<dyn Error>> {
println!("factory reset\n"); println!("factory reset\n");
open.factory_reset()?; open.factory_reset()?;
open.verify_admin("12345678")?; open.verify_admin(b"12345678")?;
println!("verify for admin ok"); println!("verify for admin ok");
let check = open.check_user_verified(); let check = open.check_user_verified();
@ -152,7 +152,7 @@ fn main() -> Result<(), Box<dyn Error>> {
let check = open.check_user_verified(); let check = open.check_user_verified();
println!("has user (pw1/82) been verified yet?\n{:x?}\n", check); println!("has user (pw1/82) been verified yet?\n{:x?}\n", check);
open.verify_user("123456")?; open.verify_user(b"123456")?;
println!("verify for user (pw1/82) ok"); println!("verify for user (pw1/82) ok");
let check = open.check_user_verified(); let check = open.check_user_verified();
@ -186,7 +186,7 @@ fn main() -> Result<(), Box<dyn Error>> {
let mut open = Open::new(pgp.transaction()?)?; let mut open = Open::new(pgp.transaction()?)?;
// Sign // Sign
open.verify_user_for_signing("123456")?; open.verify_user_for_signing(b"123456")?;
println!("verify for sign (pw1/81) ok\n"); println!("verify for sign (pw1/81) ok\n");
// Use Sign access to card // Use Sign access to card


@ -47,7 +47,7 @@ pub fn make_cert<'app>(
key_sig: PublicKey, key_sig: PublicKey,
key_dec: Option<PublicKey>, key_dec: Option<PublicKey>,
key_aut: Option<PublicKey>, key_aut: Option<PublicKey>,
pw1: Option<String>, pw1: Option<&[u8]>,
prompt: &dyn Fn(), prompt: &dyn Fn(),
) -> Result<Cert> { ) -> Result<Cert> {
let mut pp = vec![]; let mut pp = vec![];
@ -76,8 +76,8 @@ pub fn make_cert<'app>(
)?; )?;
// Allow signing on the card // Allow signing on the card
if let Some(pw1) = pw1.clone() { if let Some(pw1) = pw1 {
open.verify_user_for_signing(&pw1)?; open.verify_user_for_signing(pw1)?;
} else { } else {
open.verify_user_for_signing_pinpad(prompt)?; open.verify_user_for_signing_pinpad(prompt)?;
} }
@ -107,8 +107,8 @@ pub fn make_cert<'app>(
.set_key_flags(KeyFlags::empty().set_authentication())?; .set_key_flags(KeyFlags::empty().set_authentication())?;
// Allow signing on the card // Allow signing on the card
if let Some(pw1) = pw1.clone() { if let Some(pw1) = pw1 {
open.verify_user_for_signing(&pw1)?; open.verify_user_for_signing(pw1)?;
} else { } else {
open.verify_user_for_signing_pinpad(prompt)?; open.verify_user_for_signing_pinpad(prompt)?;
} }
@ -151,7 +151,7 @@ pub fn make_cert<'app>(
// Allow signing on the card // Allow signing on the card
if let Some(pw1) = pw1 { if let Some(pw1) = pw1 {
open.verify_user_for_signing(&pw1)?; open.verify_user_for_signing(pw1)?;
} else { } else {
open.verify_user_for_signing_pinpad(prompt)?; open.verify_user_for_signing_pinpad(prompt)?;
} }
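Review bot: The verify-or-pinpad block under `// Allow signing on the card` now appears three times in `make_cert` in identical form, so any later change to how the PIN is presented has to be made in three places. Since `pw1` is an `Option<&[u8]>` and can be reused freely, the three copies could call one small private helper that takes `open`, `pw1` and `prompt` and picks between `verify_user_for_signing` and `verify_user_for_signing_pinpad`. A short comment on that helper saying why verification is repeated before each signature would also help; the FIXME in `verify_user_for_signing` suggests the signing PIN may be usable only once, but that is not stated here. `make_cert` starts and ends outside the hunks.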


@ -31,7 +31,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
let pin = rpassword::read_password_from_tty(Some("Enter user PIN: "))?; let pin = rpassword::read_password_from_tty(Some("Enter user PIN: "))?;
// verify pin // verify pin
open.verify_user(&pin)?; open.verify_user(pin.as_bytes())?;
println!("PIN was accepted by the card.\n"); println!("PIN was accepted by the card.\n");
// get new user pin // get new user pin
@ -43,7 +43,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
} }
// set new user pin // set new user pin
open.change_user_pin(&pin, &newpin1) open.change_user_pin(pin.as_bytes(), newpin1.as_bytes())
} else { } else {
// set new user pin via pinpad // set new user pin via pinpad
open.change_user_pin_pinpad(&|| { open.change_user_pin_pinpad(&|| {
@ -69,7 +69,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
let pin = rpassword::read_password_from_tty(Some("Enter admin PIN: "))?; let pin = rpassword::read_password_from_tty(Some("Enter admin PIN: "))?;
// verify pin // verify pin
open.verify_admin(&pin)?; open.verify_admin(pin.as_bytes())?;
// get new admin pin // get new admin pin
let newpin1 = rpassword::read_password_from_tty(Some("Enter new admin PIN: "))?; let newpin1 = rpassword::read_password_from_tty(Some("Enter new admin PIN: "))?;
@ -81,7 +81,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
} }
// set new admin pin from input // set new admin pin from input
open.change_admin_pin(&pin, &newpin1)?; open.change_admin_pin(pin.as_bytes(), newpin1.as_bytes())?;
} else { } else {
// set new admin pin with pinpad // set new admin pin with pinpad
open.change_admin_pin_pinpad(&|| { open.change_admin_pin_pinpad(&|| {
@ -100,7 +100,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
// get current admin pin // get current admin pin
let pin = rpassword::read_password_from_tty(Some("Enter admin PIN: "))?; let pin = rpassword::read_password_from_tty(Some("Enter admin PIN: "))?;
open.verify_admin(&pin)?; open.verify_admin(pin.as_bytes())?;
} else { } else {
open.verify_admin_pinpad(&|| println!("Enter admin PIN on card reader pinpad."))?; open.verify_admin_pinpad(&|| println!("Enter admin PIN on card reader pinpad."))?;
} }
@ -132,7 +132,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
let pin = rpassword::read_password_from_tty(Some("Enter admin PIN: "))?; let pin = rpassword::read_password_from_tty(Some("Enter admin PIN: "))?;
// verify pin // verify pin
open.verify_admin(&pin)?; open.verify_admin(pin.as_bytes())?;
} else { } else {
open.verify_admin_pinpad(&|| { open.verify_admin_pinpad(&|| {
println!("Enter admin PIN on card reader pinpad.") println!("Enter admin PIN on card reader pinpad.")
@ -160,7 +160,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
let res = if let Some(rst) = rst { let res = if let Some(rst) = rst {
// reset to new user pin // reset to new user pin
open.reset_user_pin(&rst, &newpin1) open.reset_user_pin(rst.as_bytes(), newpin1.as_bytes())
} else if let Some(mut admin) = open.admin_card() { } else if let Some(mut admin) = open.admin_card() {
admin.reset_user_pin(&newpin1) admin.reset_user_pin(&newpin1)
} else { } else {
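Review bot: `admin.reset_user_pin(&newpin1)` in the last hunk still passes the string `newpin1` by reference, while the `open.reset_user_pin(rst.as_bytes(), newpin1.as_bytes())` call two lines above it now takes bytes. None of the hunks on this page changes the admin-side `reset_user_pin`, so it presumably still takes `&str`, which leaves the PIN API with two types after a commit that sets out to model PINs as `&[u8]`. Converting that method in the same change, with the call becoming `admin.reset_user_pin(newpin1.as_bytes())`, would keep the API uniform. main's body continues outside the hunk.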


@ -554,9 +554,14 @@ fn generate_keys(
None None
}; };
let cert = make_cert(&mut open, key_sig, key_dec, key_aut, pin, &|| { let cert = make_cert(
println!("Enter user PIN on card reader pinpad.") &mut open,
})?; key_sig,
key_dec,
key_aut,
pin.as_deref(),
&|| println!("Enter user PIN on card reader pinpad."),
)?;
let armored = String::from_utf8(cert.armored().to_vec()?)?; let armored = String::from_utf8(cert.armored().to_vec()?)?;
// Write armored certificate to the output file (or stdout) // Write armored certificate to the output file (or stdout)


@ -71,9 +71,9 @@ pub(crate) fn verify_to_admin<'app, 'open>(
.ok_or_else(|| anyhow!("Couldn't get admin access").into()) .ok_or_else(|| anyhow!("Couldn't get admin access").into())
} }
pub(crate) fn load_pin(pin_file: &Path) -> Result<String> { pub(crate) fn load_pin(pin_file: &Path) -> Result<Vec<u8>> {
let pin = std::fs::read_to_string(pin_file)?; let pin = std::fs::read_to_string(pin_file)?;
Ok(pin.trim().to_string()) Ok(pin.trim().as_bytes().to_vec())
} }
pub(crate) fn open_or_stdin(f: Option<&Path>) -> Result<Box<dyn std::io::Read + Send + Sync>> { pub(crate) fn open_or_stdin(f: Option<&Path>) -> Result<Box<dyn std::io::Read + Send + Sync>> {
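Review bot: `load_pin` now returns `Vec<u8>` but still reads the file with `read_to_string` and `trim()`, so a PIN file must be valid UTF-8 and any leading or trailing whitespace that belongs to the PIN is removed. With PINs modelled as bytes, reading with `std::fs::read` and removing only a trailing line ending would match the new type: `let mut pin = std::fs::read(pin_file)?; while matches!(pin.last(), Some(b'\n' | b'\r')) { pin.pop(); }`. That changes behaviour for files with other surrounding whitespace, so it needs a deliberate decision rather than a silent swap.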