openpgp-card-tools 0.11.11

A tool for inspecting, configuring and using OpenPGP cards
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161

// SPDX-FileCopyrightText: 2021-2024 Heiko Schaefer <heiko@schaefer.name>
// SPDX-FileCopyrightText: 2022 Nora Widdecke <mail@nora.pink>
// SPDX-FileCopyrightText: 2024 David Runge <dave@sleepmap.de>
// SPDX-License-Identifier: MIT OR Apache-2.0

use std::io::Cursor;
use std::path::{Path, PathBuf};

use anyhow::{anyhow, Result};
use clap::Parser;
use openpgp_card::ocard::KeyType;
use openpgp_card_rpgp::CardSlot;
use pgp::composed::{ArmorOptions, CleartextSignedMessage, MessageBuilder};
use pgp::types::{Password, SecretKeyTrait};
use rand::thread_rng;

use crate::util;

#[derive(Parser, Debug)]
pub struct SignCommand {
    #[arg(
        name = "card ident",
        short = 'c',
        long = "card",
        help = "Identifier of the card to use"
    )]
    pub ident: String,

    #[arg(
        name = "User PIN file",
        short = 'p',
        long = "user-pin",
        help = "Optionally, get User PIN from a file"
    )]
    pub user_pin: Option<PathBuf>,

    #[command(subcommand)]
    pub form: SignSubCommand,
}

#[derive(Debug, Parser, PartialEq)]
pub enum SignSubCommand {
    /// Create a detached signature
    Detached {
        /// Input file (stdin if unset)
        #[arg(name = "input")]
        input: Option<PathBuf>,

        /// Output file (stdout if unset)
        #[arg(name = "output", long = "output", short = 'o')]
        output: Option<PathBuf>,
    },

    /// Create a cleartext signature
    Cleartext {
        /// Input file (stdin if unset)
        #[arg(name = "input")]
        input: Option<PathBuf>,

        /// Output file (stdout if unset)
        #[arg(name = "output", long = "output", short = 'o')]
        output: Option<PathBuf>,
    },

    /// Create an inline signature
    Inline {
        /// Input file (stdin if unset)
        #[arg(name = "input")]
        input: Option<PathBuf>,

        /// Output file (stdout if unset)
        #[arg(name = "output", long = "output", short = 'o')]
        output: Option<PathBuf>,
    },
}

impl SignSubCommand {
    /// Get optional input and output Paths from the subcommand
    pub fn get_input_output(&self) -> (Option<&Path>, Option<&Path>) {
        match self {
            SignSubCommand::Detached { input, output }
            | SignSubCommand::Cleartext { input, output }
            | SignSubCommand::Inline { input, output } => (input.as_deref(), output.as_deref()),
        }
    }

    /// Evaluate whether the subcommand is used for creating a cleartext signature
    pub fn is_cleartext(&self) -> bool {
        matches!(self, SignSubCommand::Cleartext { .. })
    }

    /// Evaluate whether the subcommand is used for creating a detached signature
    pub fn is_detached(&self) -> bool {
        matches!(self, SignSubCommand::Detached { .. })
    }
}

pub fn sign(command: SignCommand) -> Result<(), Box<dyn std::error::Error>> {
    sign_message(&command.ident, command.user_pin, command.form)
}

pub fn sign_message(
    ident: &str,
    pin_file: Option<PathBuf>,
    form: SignSubCommand,
) -> Result<(), Box<dyn std::error::Error>> {
    let cleartext = form.is_cleartext();
    let detached = form.is_detached();
    let (input, output) = form.get_input_output();

    let mut input = util::open_or_stdin(input)?;

    let mut open = util::open_card(ident)?;
    let mut tx = open.transaction()?;

    if tx.fingerprints()?.signature().is_none() {
        return Err(anyhow!("Can't sign: this card has no key in the signing slot.").into());
    }

    let user_pin = util::get_pin(&mut tx, pin_file, crate::ENTER_USER_PIN)?;
    let _ = util::verify_to_sign(&mut tx, user_pin)?;

    let cs = CardSlot::init_from_card(&mut tx, KeyType::Signing, &|| {
        eprintln!("Touch confirmation needed for signing");
    })?;

    let mut data = vec![];
    input.read_to_end(&mut data)?;

    let mut sink = util::open_or_stdout(output)?;

    if cleartext {
        // Cleartext framework signature

        let text = String::from_utf8(data)?;

        let csf = CleartextSignedMessage::sign(thread_rng(), &text, &cs, &Password::empty())?;
        csf.to_armored_writer(&mut sink, ArmorOptions::default())?;
    } else if detached {
        // Detached signature

        let signature = cs.sign_data(
            &data,
            false, // binary signature
            &Password::empty(),
            cs.hash_alg(),
        )?;

        rpgpie::signature::save(&[signature], true, &mut sink)?
    } else {
        // Inline signature
        // (Complete OPS message, including both payload and signature)

        let mut builder = MessageBuilder::from_reader("", Cursor::new(data));
        builder.sign(&cs, Password::empty(), cs.hash_alg());

        builder.to_armored_writer(thread_rng(), ArmorOptions::default(), sink)?;
    }

    Ok(())
}