Skip to content

Commit

Permalink
Update README.md
Browse files Browse the repository at this point in the history
  • Loading branch information
@OnkelDe
OnkelDe authored Jun 22, 2024
1 parent 6ecbac3 commit c7c14e7
Showing 1 changed file with 0 additions and 115 deletions.
115 changes: 0 additions & 115 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -54,121 +54,6 @@ x509-cert = "0.5"



#Example
Below is an example of how to use the YubiKeyProvider to sign data.
use super::YubiKeyProvider;
use crate::{
common::{
crypto::algorithms::{
encryption::{AsymmetricEncryption, EccCurves, EccSchemeAlgorithm},
KeyBits,
},
error::SecurityModuleError,
traits::key_handle::KeyHandle,
},
hsm::core::error::HsmError,
};
use yubikey::{piv, AlgorithmId, SlotId, MgmKey};
use base64::{engine::general_purpose, Engine};
use openssl::{ec::EcKey, hash::MessageDigest, pkey::PKey, rsa::{Padding, Rsa}, sign::Verifier};
use rsa::sha2::Digest;
use sha2::Sha256;
use tracing::instrument;
use x509_cert::der::zeroize::Zeroizing;

const BYTES_1024: usize = 128;
const BYTES_2048: usize = 256;

/// Provides cryptographic operations for asymmetric keys on a YubiKey.
pub struct YubiKeyProvider {
yubikey: Option<Mutex<YubiKey>>,
pin: Option<String>,
management_key: Option<Vec<u8>>,
key_algo: Option<AsymmetricEncryption>,
slot_id: Option<u8>,
pkey: String,
}

impl KeyHandle for YubiKeyProvider {
/// Signs data using the cryptographic key on a YubiKey.
#[instrument]
fn sign_data(&self, data: &[u8]) -> Result<Vec<u8>, SecurityModuleError> {
let yubikey = self.yubikey.as_ref().unwrap();
let mut yubikey = yubikey.lock().unwrap();
let data = data.to_vec();
let key_algo = self.key_algo.unwrap();

// Input gets hashed with SHA-256
let mut hasher = Sha256::new();
hasher.update(data);
let data = hasher.finalize();
let mut data: &[u8] = &data;

// TODO: After PIN input implementation in App, insert code for re-authentication
let verify = yubikey.verify_pin(self.pin.as_ref());
if !verify.is_ok() {
return Err(SecurityModuleError::Hsm(HsmError::DeviceSpecific(
"PIN verification failed".to_string(),
)));
}
let auth = yubikey.authenticate(MgmKey::new(self.management_key.unwrap()).unwrap());
if !auth.is_ok() {
return Err(SecurityModuleError::Hsm(HsmError::DeviceSpecific(
"Authentication failed".to_string(),
)));
}

let signature: Result<Zeroizing<Vec<u8>>, yubikey::Error>;
let mut vec_data: Vec<u8> = create_digest_info(data).unwrap();
let algorithm_id: AlgorithmId;

match key_algo {
AsymmetricEncryption::Rsa(KeyBits::Bits1024) => {
algorithm_id = AlgorithmId::Rsa1024;
vec_data = apply_pkcs1v15_padding(&vec_data, BYTES_1024);
data = &vec_data.as_slice();
}
AsymmetricEncryption::Rsa(KeyBits::Bits2048) => {
algorithm_id = AlgorithmId::Rsa2048;
vec_data = apply_pkcs1v15_padding(&vec_data, BYTES_2048);
data = vec_data.as_slice();
}

AsymmetricEncryption::Ecc(EccSchemeAlgorithm::EcDsa(EccCurves::P256)) => {
algorithm_id = AlgorithmId::EccP256;
}
AsymmetricEncryption::Ecc(EccSchemeAlgorithm::EcDsa(EccCurves::P384)) => {
algorithm_id = AlgorithmId::EccP384;
}
_ => {
return Err(SecurityModuleError::Hsm(HsmError::DeviceSpecific(
"Key Algorithm not supported".to_string(),
)));
}
}
signature = piv::sign_data(
&mut yubikey,
data,
algorithm_id,
SlotId::Retired(self.slot_id.unwrap()),
);
match signature {
Ok(buffer) => {
let signature = general_purpose::STANDARD.encode(&buffer);
let signature = general_purpose::STANDARD
.decode(signature)
.expect("Failed to decode signature");
Ok(signature)
}
Err(err) => Err(SecurityModuleError::Hsm(HsmError::DeviceSpecific(
err.to_string(),
))),
}
}
}





## Contribution:
Expand Down

0 comments on commit c7c14e7

Please sign in to comment.