From c7c14e7cd7f005d06a506393b78d3015fd757516 Mon Sep 17 00:00:00 2001
From: OnkelDe <84448649+OnkelDe@users.noreply.github.com>
Date: Sat, 22 Jun 2024 14:55:49 +0200
Subject: [PATCH] Update README.md
---
 README.md | 115 ------------------------------------------------------
 1 file changed, 115 deletions(-)
diff --git a/README.md b/README.md
index 74fc446..68912cd 100644
--- a/README.md
+++ b/README.md
@@ -54,121 +54,6 @@ x509-cert = "0.5" -#Example -Below is an example of how to use the YubiKeyProvider to sign data. -use super::YubiKeyProvider; -use crate::{ - common::{ - crypto::algorithms::{ - encryption::{AsymmetricEncryption, EccCurves, EccSchemeAlgorithm}, - KeyBits, - }, - error::SecurityModuleError, - traits::key_handle::KeyHandle, - }, - hsm::core::error::HsmError, -}; -use yubikey::{piv, AlgorithmId, SlotId, MgmKey}; -use base64::{engine::general_purpose, Engine}; -use openssl::{ec::EcKey, hash::MessageDigest, pkey::PKey, rsa::{Padding, Rsa}, sign::Verifier}; -use rsa::sha2::Digest; -use sha2::Sha256; -use tracing::instrument; -use x509_cert::der::zeroize::Zeroizing; - -const BYTES_1024: usize = 128; -const BYTES_2048: usize = 256; - -/// Provides cryptographic operations for asymmetric keys on a YubiKey. -pub struct YubiKeyProvider { - yubikey: Option>, - pin: Option, - management_key: Option>, - key_algo: Option, - slot_id: Option, - pkey: String, -} - -impl KeyHandle for YubiKeyProvider { - /// Signs data using the cryptographic key on a YubiKey. 
- #[instrument] - fn sign_data(&self, data: &[u8]) -> Result, SecurityModuleError> { - let yubikey = self.yubikey.as_ref().unwrap(); - let mut yubikey = yubikey.lock().unwrap(); - let data = data.to_vec(); - let key_algo = self.key_algo.unwrap(); - - // Input gets hashed with SHA-256 - let mut hasher = Sha256::new(); - hasher.update(data); - let data = hasher.finalize(); - let mut data: &[u8] = &data; - - // TODO: After PIN input implementation in App, insert code for re-authentication - let verify = yubikey.verify_pin(self.pin.as_ref()); - if !verify.is_ok() { - return Err(SecurityModuleError::Hsm(HsmError::DeviceSpecific( - "PIN verification failed".to_string(), - ))); - } - let auth = yubikey.authenticate(MgmKey::new(self.management_key.unwrap()).unwrap()); - if !auth.is_ok() { - return Err(SecurityModuleError::Hsm(HsmError::DeviceSpecific( - "Authentication failed".to_string(), - ))); - } - - let signature: Result>, yubikey::Error>; - let mut vec_data: Vec = create_digest_info(data).unwrap(); - let algorithm_id: AlgorithmId; - - match key_algo { - AsymmetricEncryption::Rsa(KeyBits::Bits1024) => { - algorithm_id = AlgorithmId::Rsa1024; - vec_data = apply_pkcs1v15_padding(&vec_data, BYTES_1024); - data = &vec_data.as_slice(); - } - AsymmetricEncryption::Rsa(KeyBits::Bits2048) => { - algorithm_id = AlgorithmId::Rsa2048; - vec_data = apply_pkcs1v15_padding(&vec_data, BYTES_2048); - data = vec_data.as_slice(); - } - - AsymmetricEncryption::Ecc(EccSchemeAlgorithm::EcDsa(EccCurves::P256)) => { - algorithm_id = AlgorithmId::EccP256; - } - AsymmetricEncryption::Ecc(EccSchemeAlgorithm::EcDsa(EccCurves::P384)) => { - algorithm_id = AlgorithmId::EccP384; - } - _ => { - return Err(SecurityModuleError::Hsm(HsmError::DeviceSpecific( - "Key Algorithm not supported".to_string(), - ))); - } - } - signature = piv::sign_data( - &mut yubikey, - data, - algorithm_id, - SlotId::Retired(self.slot_id.unwrap()), - ); - match signature { - Ok(buffer) => { - let signature = 
general_purpose::STANDARD.encode(&buffer); - let signature = general_purpose::STANDARD - .decode(signature) - .expect("Failed to decode signature"); - Ok(signature) - } - Err(err) => Err(SecurityModuleError::Hsm(HsmError::DeviceSpecific( - err.to_string(), - ))), - } - } -} - - - ## Contribution: