opgpcard: Move attestation key metadata to its own KeySlotInfo

2022-10-27 21:35:31 +02:00 · 2022-10-27 21:35:31 +02:00 · fe885a4b1c
commit fe885a4b1c
parent 375c002730
2 changed files with 48 additions and 30 deletions
--- a/tools/src/bin/opgpcard/commands/status.rs
+++ b/tools/src/bin/opgpcard/commands/status.rs
@ -165,22 +165,40 @@ pub fn print_status(
    }
    output.authentication_key(authentication_key);

-    // technical details about the card's state
+    let mut attestation_key = output::KeySlotInfo::default();
+    if let Ok(Some(fp)) = card.attestation_key_fingerprint() {
+        attestation_key.fingerprint(fp.to_spaced_hex());
+    }
+    if let Ok(Some(algo)) = card.attestation_key_algorithm_attributes() {
+        attestation_key.algorithm(format!("{}", algo));
+    }
+    if let Ok(Some(kgt)) = card.attestation_key_generation_time() {
+        attestation_key.created(format!("{}", kgt.to_datetime()));
+    }
+    if let Some(uif) = card.uif_attestation()? {
+        attestation_key.touch_policy(format!("{}", uif.touch_policy()));
+        attestation_key.touch_features(format!("{}", uif.features()));
+    }

+    // TODO: get public key data for the attestation key from the card
+    // if command.pkm {
+    //     if let Ok(pkm) = card.public_key(KeyType::Attestation) {
+    //         attestation_key.public_key_material(pkm.to_string());
+    //     }
+    // }
+
+    // TODO: clarify how to reliably map `card.key_information()` output into this field (see below)
+    // if let Some(ks) = ki.as_ref().map(|ki| ki.aut_status()) {
+    //     attestation_key.status(format!("{}", ks));
+    // }
+
+    output.attestation_key(attestation_key);
+
+    // technical details about the card's state
    output.user_pin_remaining_attempts(pws.err_count_pw1());
    output.admin_pin_remaining_attempts(pws.err_count_pw3());
    output.reset_code_remaining_attempts(pws.err_count_rc());

-    // FIXME: Handle attestation key information as a separate
-    // KeySlotInfo! Attestation touch information should go into its
-    // own `Option<KeySlotInfo>`, and (if any information about the
-    // attestation key exists at all, which is not the case for most
-    // cards) it should be printed as a fourth KeySlot block.
-    if let Some(uif) = card.uif_attestation()? {
-        output.card_touch_policy(uif.touch_policy().to_string());
-        output.card_touch_features(uif.features().to_string());
-    }
-
    if let Some(ki) = ki {
        let num = ki.num_additional();
        for i in 0..num {
--- a/tools/src/bin/opgpcard/output/status.rs
+++ b/tools/src/bin/opgpcard/output/status.rs
@ -18,11 +18,10 @@ pub struct Status {
    signature_count: u32,
    decryption_key: KeySlotInfo,
    authentication_key: KeySlotInfo,
+    attestation_key: Option<KeySlotInfo>,
    user_pin_remaining_attempts: u8,
    admin_pin_remaining_attempts: u8,
    reset_code_remaining_attempts: u8,
-    card_touch_policy: String,
-    card_touch_features: String,
    key_statuses: Vec<(u8, String)>,
    ca_fingerprints: Vec<String>,
 }
@ -68,6 +67,10 @@ impl Status {
        self.authentication_key = key;
    }

+    pub fn attestation_key(&mut self, key: KeySlotInfo) {
+        self.attestation_key = Some(key);
+    }
+
    pub fn user_pin_remaining_attempts(&mut self, count: u8) {
        self.user_pin_remaining_attempts = count;
    }
@ -80,14 +83,6 @@ impl Status {
        self.reset_code_remaining_attempts = count;
    }

-    pub fn card_touch_policy(&mut self, policy: String) {
-        self.card_touch_policy = policy;
-    }
-
-    pub fn card_touch_features(&mut self, features: String) {
-        self.card_touch_features = features;
-    }
-
    pub fn key_status(&mut self, keyref: u8, status: String) {
        self.key_statuses.push((keyref, status));
    }
@ -150,6 +145,18 @@ impl Status {
        }
        s.push('\n');

+        if self.verbose {
+            if let Some(attestation_key) = &self.attestation_key {
+                if attestation_key.touch_policy.is_some() || attestation_key.algorithm.is_some() {
+                    s.push_str("Attestation key:\n");
+                    for line in attestation_key.format(self.verbose) {
+                        s.push_str(&format!("  {}\n", line));
+                    }
+                    s.push('\n');
+                }
+            }
+        }
+
        s.push_str(&format!(
            "Remaining PIN attempts: User: {}, Admin: {}, Reset Code: {}\n",
            self.user_pin_remaining_attempts,
@ -158,11 +165,6 @@ impl Status {
        ));

        if self.verbose {
-            s.push_str(&format!(
-                "Touch policy attestation: {}\n",
-                self.card_touch_policy
-            ));
-
            for (keyref, status) in self.key_statuses.iter() {
                s.push_str(&format!("Key status (#{}): {}\n", keyref, status));
            }
@ -183,11 +185,10 @@ impl Status {
            signature_count: self.signature_count,
            decryption_key: self.decryption_key.clone(),
            authentication_key: self.authentication_key.clone(),
+            attestation_key: self.attestation_key.clone(),
            user_pin_remaining_attempts: self.user_pin_remaining_attempts,
            admin_pin_remaining_attempts: self.admin_pin_remaining_attempts,
            reset_code_remaining_attempts: self.reset_code_remaining_attempts,
-            card_touch_policy: self.card_touch_policy.clone(),
-            card_touch_features: self.card_touch_features.clone(),
            key_statuses: self.key_statuses.clone(),
            ca_fingerprints: self.ca_fingerprints.clone(),
        })
@ -232,11 +233,10 @@ pub struct StatusV0 {
    signature_count: u32,
    decryption_key: KeySlotInfo,
    authentication_key: KeySlotInfo,
+    attestation_key: Option<KeySlotInfo>,
    user_pin_remaining_attempts: u8,
    admin_pin_remaining_attempts: u8,
    reset_code_remaining_attempts: u8,
-    card_touch_policy: String,
-    card_touch_features: String,
    key_statuses: Vec<(u8, String)>,
    ca_fingerprints: Vec<String>,
 }