script_sign/

lib.rs

mod keymap;
mod sign;
mod signature;
mod util;

pub use crate::keymap::KeyMap;
use crate::sign::{ecdsaverify, EcdsaAlgorithm};
use crate::signature::{
    CardEcSignResult, ScriptSignature, ScriptSignatureAlgorithm, SIGNATURE_PREFIX,
};
use crate::util::current_time;
use digest::Digest;
use rust_util::{debugging, opt_result, simple_error, util_cmd, XResult};
use sha2::Sha256;
use std::fs;

#[derive(Debug)]
pub struct Script {
    pub content_lines: Vec<String>,
    pub signature: Option<ScriptSignature>,
}

impl Script {
    pub fn verify_script_file_with_system_key_map(script_file: &str) -> XResult<bool> {
        Self::verify_script_file(script_file, &KeyMap::system()?)
    }

    pub fn verify_script_file(script_file: &str, key_map: &KeyMap) -> XResult<bool> {
        let script_content = opt_result!(
            fs::read_to_string(script_file),
            "Read script file: {script_file} failed: {}"
        );
        let script = opt_result!(
            Script::parse(&script_content),
            "Parse script file: {script_file} failed: {}"
        );
        match &script.signature {
            None => Ok(false),
            Some(_) => script.verify(key_map),
        }
    }

    pub fn parse(script: &str) -> XResult<Script> {
        let lines = script.lines().collect::<Vec<_>>();
        let last_non_empty_line = lines.iter().rev().find(|ln| !ln.is_empty());
        match last_non_empty_line {
            Some(last_non_empty_line) if last_non_empty_line.starts_with(SIGNATURE_PREFIX) => {
                let script_signature = ScriptSignature::parse(last_non_empty_line)?;
                let final_lines = lines
                    .iter()
                    .rev()
                    .skip_while(|ln| ln.is_empty())
                    .skip(1)
                    .collect::<Vec<_>>()
                    .into_iter()
                    .rev()
                    .collect::<Vec<_>>();
                Ok(Script {
                    content_lines: final_lines.iter().map(ToString::to_string).collect(),
                    signature: Some(script_signature),
                })
            }
            _ => Ok(Script {
                content_lines: lines.iter().map(ToString::to_string).collect(),
                signature: None,
            }),
        }
    }

    pub fn as_string(&self) -> String {
        let mut joined_content_liens = self.content_lines.join("\n");
        match &self.signature {
            None => joined_content_liens,
            Some(signature) => {
                if joined_content_liens.ends_with("\n\n") {
                    // SKIP add \n
                } else if joined_content_liens.ends_with("\n") {
                    joined_content_liens.push('\n');
                } else {
                    joined_content_liens.push_str("\n\n");
                }
                joined_content_liens.push_str(&signature.as_string());
                joined_content_liens.push('\n');
                joined_content_liens
            }
        }
    }

    pub fn has_signature(&self) -> bool {
        self.signature.is_some()
    }

    pub fn verify(&self, key_map: &KeyMap) -> XResult<bool> {
        let signature = match &self.signature {
            None => return simple_error!("Script is not signed."),
            Some(signature) => signature,
        };
        let key = match key_map.find(&signature.key_id) {
            None => return simple_error!("Sign key id: {} not found", &signature.key_id),
            Some(key) => key,
        };
        let key_bytes = hex::decode(key)?;
        let digest_sha256 = self.normalize_content_lines_and_sha256(&signature.time);
        match signature.algorithm {
            ScriptSignatureAlgorithm::ES256 => {
                match ecdsaverify(
                    EcdsaAlgorithm::P256,
                    &key_bytes,
                    &digest_sha256,
                    &signature.signature,
                ) {
                    Ok(_) => Ok(true),
                    Err(e) => {
                        debugging!("Verify ecdsa signature failed: {}", e);
                        Ok(false)
                    }
                }
            }
            _ => simple_error!("Not supported algorithm: {:?}", signature.algorithm),
        }
    }

    pub fn sign(&mut self) -> XResult<()> {
        let (time, digest_sha256) = self.normalize_content_lines_and_sha256_with_current_time();
        let digest_sha256_hex = hex::encode(&digest_sha256);
        let output = util_cmd::run_command_or_exit(
            "card-cli",
            &["piv-ecsign", "--json", "-s", "r1", "-x", &digest_sha256_hex],
        );
        let ecsign_result: CardEcSignResult = opt_result!(
            serde_json::from_slice(&output.stdout),
            "Parse card piv-ecsign failed: {}"
        );
        if ecsign_result.algorithm == "ecdsa_p256_with_sha256" {
            self.signature = Some(ScriptSignature {
                key_id: "yk-r1".to_string(),
                algorithm: ScriptSignatureAlgorithm::ES256,
                time,
                signature: hex::decode(&ecsign_result.signed_data_hex)?,
            });
        } else {
            return simple_error!("Not supported algorithm: {}", ecsign_result.algorithm);
        }
        Ok(())
    }

    fn normalize_content_lines(&self) -> Vec<String> {
        let mut normalized_content_lines = Vec::with_capacity(self.content_lines.len());
        for ln in &self.content_lines {
            let trimed_ln = ln.trim();
            if !trimed_ln.is_empty() {
                normalized_content_lines.push(trimed_ln.to_string());
            }
        }
        normalized_content_lines
    }

    fn normalize_content_lines_and_sha256_with_current_time(&self) -> (String, Vec<u8>) {
        let current_time = current_time();
        (
            current_time.clone(),
            self.normalize_content_lines_and_sha256(&current_time),
        )
    }

    fn normalize_content_lines_and_sha256(&self, current_time: &str) -> Vec<u8> {
        let normalized_content_lines = self.normalize_content_lines();
        let joined_normalized_content_lines = normalized_content_lines.join("\n");
        let mut hasher = Sha256::new();
        hasher.update(current_time.as_bytes());
        hasher.update(joined_normalized_content_lines.as_bytes());
        hasher.finalize().to_vec()
    }
}

#[test]
fn test_script_parse_01() {
    let script = Script::parse("test script").unwrap();
    assert_eq!(1, script.content_lines.len());
    assert!(script.signature.is_none());
}

#[test]
fn test_script_parse_02() {
    use base64::engine::general_purpose::STANDARD as standard_base64;
    use base64::Engine;
    let script =
        Script::parse("test script\n\n// @SCRIPT-SIGNATURE-V1: key-id.RS256.2025-01-05T20:57:14+08:00.aGVsbG93b3JsZA==\n")
            .unwrap();
    assert_eq!(2, script.content_lines.len());
    assert_eq!("test script", script.content_lines[0]);
    assert_eq!("", script.content_lines[1]);
    let current_time = "2025-01-05T20:57:14+08:00";
    let digest_sha256 = script.normalize_content_lines_and_sha256(&current_time);
    assert_eq!(
        "sybQ8O5TgRlkQ0i8pNIA6huHvAd5XbVZF+U60WMrdco=",
        standard_base64.encode(&digest_sha256)
    );
    assert!(script.signature.is_some());
    let s = script.signature.unwrap();
    assert_eq!("key-id", s.key_id);
    assert_eq!(ScriptSignatureAlgorithm::RS256, s.algorithm);
    assert_eq!("2025-01-05T20:57:14+08:00", s.time);
    assert_eq!(b"helloworld".to_vec(), s.signature);
}