openpgp-card-tools 0.11.11

A tool for inspecting, configuring and using OpenPGP cards
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178

// SPDX-FileCopyrightText: 2021-2023 Heiko Schaefer <heiko@schaefer.name>
// SPDX-FileCopyrightText: 2022 Lars Wirzenius <liw@liw.fi>
// SPDX-FileCopyrightText: 2022 Nora Widdecke <mail@nora.pink>
// SPDX-License-Identifier: MIT OR Apache-2.0

use std::path::PathBuf;

use anyhow::Result;
use clap::{Parser, ValueEnum};
use openpgp_card::ocard::KeyType;

use crate::versioned_output::{OutputBuilder, OutputFormat, OutputVersion};
use crate::ENTER_USER_PIN;
use crate::{output, pick_card_for_reading, util};

#[derive(Parser, Debug)]
pub struct AttestationCommand {
    #[command(subcommand)]
    pub cmd: AttSubCommand,
}

#[derive(Parser, Debug)]
pub enum AttSubCommand {
    /// Print the card's attestation certificate
    ///
    /// New YubiKeys are preloaded with an attestation certificate issued by the Yubico CA.
    Cert {
        #[arg(
            name = "card ident",
            short = 'c',
            long = "card",
            help = "Identifier of the card to use"
        )]
        ident: Option<String>,
    },

    /// Generate attestation statement for one of the key slots on the card
    ///
    /// An attestation statement can only be generated for key slots that contain keys that were
    /// generated by the card. See 'oct admin generate' and 'oct status -v'.
    Generate {
        #[arg(
            name = "card ident",
            short = 'c',
            long = "card",
            help = "Identifier of the card to use"
        )]
        ident: String,

        /// Key slot to use
        #[arg(name = "Key slot", short = 'k', long = "key", value_enum)]
        key: BaseKeySlot,

        #[arg(
            name = "User PIN file",
            short = 'p',
            long = "user-pin",
            help = "Optionally, get User PIN from a file"
        )]
        user_pin: Option<PathBuf>,
    },

    /// Print the attestation statement for one of the key slots on the card
    ///
    /// An attestation statement can only be printed after generating it. See 'oct attestation generate'.
    Statement {
        #[arg(
            name = "card ident",
            short = 'c',
            long = "card",
            help = "Identifier of the card to reset"
        )]
        ident: Option<String>,

        /// Key slot to use
        #[arg(name = "Key slot", short = 'k', long = "key", value_enum)]
        key: BaseKeySlot,
    },
}

#[derive(ValueEnum, Debug, Clone)]
#[value(rename_all = "UPPER")]
pub enum BaseKeySlot {
    Sig,
    Dec,
    Aut,
}

impl From<BaseKeySlot> for KeyType {
    fn from(ks: BaseKeySlot) -> Self {
        match ks {
            BaseKeySlot::Sig => KeyType::Signing,
            BaseKeySlot::Dec => KeyType::Decryption,
            BaseKeySlot::Aut => KeyType::Authentication,
        }
    }
}

pub fn attestation(
    output_format: OutputFormat,
    output_version: OutputVersion,
    command: AttestationCommand,
) -> Result<(), Box<dyn std::error::Error>> {
    match command.cmd {
        AttSubCommand::Cert { ident } => cert(output_format, output_version, ident),
        AttSubCommand::Generate {
            ident,
            key,
            user_pin,
        } => generate(&ident, key, user_pin),
        AttSubCommand::Statement { ident, key } => statement(ident, key),
    }
}

fn cert(
    output_format: OutputFormat,
    output_version: OutputVersion,
    ident: Option<String>,
) -> Result<(), Box<dyn std::error::Error>> {
    let mut output = output::AttestationCert::default();

    let mut open = pick_card_for_reading(ident)?;
    let mut card = open.transaction()?;

    output.ident(card.application_identifier()?.ident());

    if let Ok(ac) = card.attestation_certificate() {
        let pem = util::pem_encode(ac);
        output.attestation_cert(pem);
    }

    println!("{}", output.print(output_format, output_version)?);
    Ok(())
}

fn generate(
    ident: &str,
    key: BaseKeySlot,
    user_pin: Option<PathBuf>,
) -> Result<(), Box<dyn std::error::Error>> {
    let mut open = util::open_card(ident)?;
    let mut card = open.transaction()?;

    let user_pin = util::get_pin(&mut card, user_pin, ENTER_USER_PIN)?;

    let mut sign = util::verify_to_sign(&mut card, user_pin)?;

    let kt = KeyType::from(key);
    sign.generate_attestation(kt, &|| {
        eprintln!("Touch confirmation needed to generate an attestation")
    })?;
    Ok(())
}

fn statement(ident: Option<String>, key: BaseKeySlot) -> Result<(), Box<dyn std::error::Error>> {
    let mut open = pick_card_for_reading(ident)?;
    let mut card = open.transaction()?;

    // Get cardholder certificate from card.

    // Select cardholder certificate
    match key {
        BaseKeySlot::Aut => card.select_data(0, &[0x7F, 0x21])?,
        BaseKeySlot::Dec => card.select_data(1, &[0x7F, 0x21])?,
        BaseKeySlot::Sig => card.select_data(2, &[0x7F, 0x21])?,
    };

    // Get DO "cardholder certificate" (returns the slot that was previously selected)
    let cert = card.cardholder_certificate()?;

    if !cert.is_empty() {
        let pem = util::pem_encode(cert);
        println!("{pem}");
    } else {
        eprintln!("Cardholder certificate slot is empty");
    }
    Ok(())
}