Struct openpgp_card::CardApp
pub struct CardApp { /* fields omitted */ }
Low-level access to OpenPGP card functionality.
Not many checks are performed here (e.g. for valid data lengths). Such checks should be performed on a higher layer, if needed.
Also, no caching of data is done here. If necessary, caching should be done on a higher layer.
Implementations
Get a CardApp based on a CardClient.
It is expected that SELECT has already been performed on the card beforehand.
This fn initializes the CardCaps by requesting application_related_data from the card, and setting the capabilities accordingly.
Get the “application related data” from the card.
(This data should probably be cached in a higher layer. Some parts of it are needed regularly, and it does not usually change during normal use of a card.)
Get cardholder related data (65)
Get security support template (7a)
Get cardholder certificate (each for AUT, DEC and SIG).
Call select_data() before calling this fn, to select a particular certificate (if the card supports multiple certificates).
Get “Algorithm Information”
Firmware Version (YubiKey specific (?))
Set identity (Nitrokey Start specific (?)). [see: https://docs.nitrokey.com/start/linux/multiple-identities.html https://github.com/Nitrokey/nitrokey-start-firmware/pull/33/]
SELECT DATA (“select a DO in the current template”, e.g. for cardholder certificate)
Get data from “private use” DO.
num must be between 1 and 4.
Set data of “private use” DO.
num must be between 1 and 4.
Access condition:
- 1/3 need PW1 (82)
- 2/4 need PW3
Reset all state on this OpenPGP card.
Note: the “factory reset” operation is not directly offered by the card spec. It is implemented as a series of OpenPGP card commands:
- send 4 bad requests to verify pw1,
- send 4 bad requests to verify pw3,
- terminate_df,
- activate_file.
With most cards, this sequence of operations causes the card to revert to a “blank” state.
(However, e.g. vanilla Gnuk doesn’t support this functionality. Gnuk needs to be built with the --enable-factory-reset option to the configure script to enable this functionality).
Does the cardreader support direct pinpad verify?
Does the cardreader support direct pinpad modify?
Verify pw1 (user) for signing operation (mode 81).
Depending on the PW1 status byte (see Extended Capabilities) this access condition is only valid for one PSO:CDS command or remains valid for several attempts.
Verify pw1 (user) for signing operation (mode 81) using a pinpad on the card reader. If no usable pinpad is found, an error is returned.
Depending on the PW1 status byte (see Extended Capabilities) this access condition is only valid for one PSO:CDS command or remains valid for several attempts.
Check the current access of PW1 for signing (mode 81).
If verification is not required, an empty Ok Response is returned.
(Note: some cards don’t correctly implement this feature, e.g. YubiKey 5)
Verify PW1 (user). (For operations except signing, mode 82).
Verify PW1 (user) for operations except signing (mode 82), using a pinpad on the card reader. If no usable pinpad is found, an error is returned.
Check the current access of PW1. (For operations except signing, mode 82).
If verification is not required, an empty Ok Response is returned.
(Note: some cards don’t correctly implement this feature, e.g. YubiKey 5)
Verify PW3 (admin) using a pinpad on the card reader. If no usable pinpad is found, an error is returned.
Check the current access of PW3 (admin).
If verification is not required, an empty Ok Response is returned.
(Note: some cards don’t correctly implement this feature, e.g. YubiKey 5)
Change the value of PW1 (user password).
The current value of PW1 must be presented in old for authorization.
Change the value of PW1 (user password) using a pinpad on the card reader. If no usable pinpad is found, an error is returned.
Change the value of PW3 (admin password).
The current value of PW3 must be presented in old for authorization.
Change the value of PW3 (admin password) using a pinpad on the card reader. If no usable pinpad is found, an error is returned.
Reset the error counter for PW1 (user password) and set a new value for PW1.
For authorization, either:
- PW3 must have been verified previously,
- secure messaging must be currently used,
- the resetting_code must be presented.
Decrypt the ciphertext in dm, on the card.
(This is a wrapper around the low-level pso_decipher operation; it builds the required data field from dm.)
Sign hash, on the card.
This is a wrapper around the low-level pso_compute_digital_signature operation. It builds the required data field from hash.
For RSA, this means a “DigestInfo” data structure is generated. (see 7.2.10.2 DigestInfo for RSA).
With ECC the hash data is processed as is, using pso_compute_digital_signature.
Run signing operation on the smartcard (low level operation) (7.2.10 PSO: COMPUTE DIGITAL SIGNATURE)
Auth-sign hash, on the card.
This is a wrapper around the low-level internal_authenticate operation. It builds the required data field from hash.
For RSA, this means a “DigestInfo” data structure is generated. (see 7.2.10.2 DigestInfo for RSA).
With ECC the hash data is processed as is.
Run signing operation on the smartcard (low level operation) (7.2.13 INTERNAL AUTHENTICATE)
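The data field that the signing and auth-signing wrappers above are described as building, as an added example (not code from this crate): DigestInfo for RSA, the hash as is for ECC, with the length check that this layer leaves to its callers. HashAlgo, KeyKind, signing_data_field and short_apdu are hypothetical names, the DER prefixes are the RFC 8017 values, and the digest is a constructed sample.

```rust
// Added example: not code from the openpgp-card crate; all names are hypothetical.

/// Hash algorithms with a fixed DigestInfo DER prefix (RFC 8017, section 9.2).
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum HashAlgo { Sha256, Sha384, Sha512 }

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum KeyKind { Rsa, Ecc }

impl HashAlgo {
    fn digest_len(self) -> usize {
        match self { HashAlgo::Sha256 => 32, HashAlgo::Sha384 => 48, HashAlgo::Sha512 => 64 }
    }
    /// DER header up to and including the OCTET STRING length byte.
    fn der_prefix(self) -> [u8; 19] {
        // Only the SEQUENCE length, the last OID byte and the digest length differ.
        let (seq_len, oid_last, dlen) = match self {
            HashAlgo::Sha256 => (0x31, 0x01, 0x20),
            HashAlgo::Sha384 => (0x41, 0x02, 0x30),
            HashAlgo::Sha512 => (0x51, 0x03, 0x40),
        };
        [0x30, seq_len, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
         0x03, 0x04, 0x02, oid_last, 0x05, 0x00, 0x04, dlen]
    }
}

/// Data field for a signing command. The length check is the kind of
/// validation the low-level layer leaves to a higher layer.
pub fn signing_data_field(kind: KeyKind, algo: HashAlgo, digest: &[u8]) -> Result<Vec<u8>, String> {
    if digest.len() != algo.digest_len() {
        return Err(format!("{:?} digest must be {} bytes, got {}", algo, algo.digest_len(), digest.len()));
    }
    Ok(match kind {
        KeyKind::Rsa => [&algo.der_prefix()[..], digest].concat(), // DigestInfo
        KeyKind::Ecc => digest.to_vec(),                           // hash as is
    })
}

pub const PSO_CDS: [u8; 4] = [0x00, 0x2a, 0x9e, 0x9a]; // 7.2.10
pub const INTERNAL_AUTHENTICATE: [u8; 4] = [0x00, 0x88, 0x00, 0x00]; // 7.2.13

/// Short command APDU: CLA INS P1 P2 | Lc | data | Le.
pub fn short_apdu(header: [u8; 4], data: &[u8]) -> Result<Vec<u8>, String> {
    if data.is_empty() || data.len() > 255 {
        return Err("data field does not fit a short APDU".to_string());
    }
    let mut apdu = header.to_vec();
    apdu.push(data.len() as u8);
    apdu.extend_from_slice(data);
    apdu.push(0x00); // Le = 00: up to 256 response bytes
    Ok(apdu)
}

fn main() {
    let digest = [0xab_u8; 32]; // constructed sample, not a real hash
    let field = signing_data_field(KeyKind::Rsa, HashAlgo::Sha256, &digest).unwrap();
    let apdu = short_apdu(PSO_CDS, &field).unwrap();
    println!("{}", apdu.iter().map(|b| format!("{:02x}", b)).collect::<String>());
}
```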
pub fn set_creation_time(
&mut self,
time: KeyGenerationTime,
key_type: KeyType
) -> Result<Response, Error>
pub fn set_fingerprint(
&mut self,
fp: Fingerprint,
key_type: KeyType
) -> Result<Response, Error>
pub fn set_pw_status_bytes(
&mut self,
pw_status: &PWStatusBytes,
long: bool
) -> Result<Response, Error>
Set PW Status Bytes.
If long is false, send 1 byte to the card, otherwise 4.
According to the spec, length information should not be changed.
So, effectively, with ‘long == false’ the setting pw1_cds_multi can be changed.
With ‘long == true’, the settings pw1_pin_block and pw3_pin_block can also be changed.
(See OpenPGP card spec, pg. 28)
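One way a higher layer can build the 1-byte or 4-byte payload so that only the three flags change and the length bits read from the card are preserved, as an added example (not code from this crate). PwFlags and pw_status_payload are hypothetical names; the layout assumed is the one in the OpenPGP card specification (byte 1 is the PSO:CDS validity flag, bit 8 of bytes 2 and 4 is the PIN block flag, the low 7 bits are maximum lengths), and the status bytes are a constructed sample.

```rust
// Added example: not code from the openpgp-card crate; all names are hypothetical.

/// The three settings this page names as changeable.
pub struct PwFlags {
    pub pw1_cds_multi: bool, // PW1 stays valid for several PSO:CDS commands
    pub pw1_pin_block: bool,
    pub pw3_pin_block: bool,
}

/// Build the payload for setting the PW Status Bytes from the value currently
/// on the card (`current`, at least 4 bytes) and the desired flags.
pub fn pw_status_payload(current: &[u8], want: &PwFlags, long: bool) -> Result<Vec<u8>, String> {
    if current.len() < 4 {
        return Err("need at least 4 PW status bytes from the card".to_string());
    }
    let byte0 = want.pw1_cds_multi as u8;
    if !long {
        // The 1-byte form cannot carry the PIN block flags: refuse a request
        // that would silently drop a change to them.
        let cur_pw1 = current[1] & 0x80 != 0;
        let cur_pw3 = current[3] & 0x80 != 0;
        if want.pw1_pin_block != cur_pw1 || want.pw3_pin_block != cur_pw3 {
            return Err("PIN block flags can only be changed with long == true".to_string());
        }
        return Ok(vec![byte0]);
    }
    // Keep the length bits exactly as read from the card; set only bit 8.
    let with_flag = |cur: u8, flag: bool| (cur & 0x7f) | if flag { 0x80 } else { 0 };
    Ok(vec![
        byte0,
        with_flag(current[1], want.pw1_pin_block),
        current[2], // resetting code length: never modified here
        with_flag(current[3], want.pw3_pin_block),
    ])
}

fn main() {
    // Constructed sample: 4 status bytes followed by 3 error counters.
    let current = [0x00, 0x7f, 0x7f, 0x7f, 0x03, 0x00, 0x03];
    let want = PwFlags { pw1_cds_multi: true, pw1_pin_block: false, pw3_pin_block: false };
    println!("{:02x?}", pw_status_payload(&current, &want, false));
}
```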
Set cardholder certificate (for AUT, DEC or SIG).
Call select_data() before calling this fn, to select a particular certificate (if the card supports multiple certificates).
Set algorithm attributes (4.4.3.9 Algorithm Attributes)
Set resetting code (4.3.4 Resetting Code)
pub fn key_import(
&mut self,
key: Box<dyn CardUploadableKey>,
key_type: KeyType
) -> Result<(), Error>
Import an existing private key to the card. (This implicitly sets the algorithm info, fingerprint and timestamp)
pub fn generate_key(
&mut self,
fp_from_pub: fn(_: &PublicKeyMaterial, _: KeyGenerationTime, _: KeyType) -> Result<Fingerprint, Error>,
key_type: KeyType,
algo: Option<&Algo>
) -> Result<(PublicKeyMaterial, KeyGenerationTime), Error>
Generate a key on the card. (7.2.14 GENERATE ASYMMETRIC KEY PAIR)
If the algo parameter is Some, then this algorithm will be set on the card for “key_type”.
Note: algo needs to precisely specify the RSA bitsize of e (if applicable), and import format, with values that the current card supports.
pub fn generate_key_simple(
&mut self,
fp_from_pub: fn(_: &PublicKeyMaterial, _: KeyGenerationTime, _: KeyType) -> Result<Fingerprint, Error>,
key_type: KeyType,
simple: AlgoSimple
) -> Result<(PublicKeyMaterial, KeyGenerationTime), Error>
Generate a key on the card. (7.2.14 GENERATE ASYMMETRIC KEY PAIR)
This is a wrapper around generate_key() which allows using the simplified AlgoSimple algorithm selector enum.
Note: AlgoSimple doesn’t specify card specific details (such as bitsize of e for RSA, and import format). This function determines these values based on information from the card.
Get public key material from the card.
Note: this fn returns a set of raw public key data (not an OpenPGP data structure).
Note also that the information from the card is insufficient to reconstruct a pre-existing OpenPGP public key that corresponds to the private key on the card.
Auto Trait Implementations
impl !RefUnwindSafe for CardApp
impl !UnwindSafe for CardApp