feat: v1.3.0, support init-piv

jht5945 · Dec 9, 2023 · 3b361eb · 3b361eb
1 parent 381b2e5
commit 3b361eb
Show file tree

Hide file tree

Showing 14 changed files with 369 additions and 107 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "tiny-encrypt"
-version = "1.2.0"
+version = "1.3.0"
 edition = "2021"
 license = "MIT"
 description = "A simple and tiny file encrypt tool"
@@ -10,7 +10,8 @@ repository = "https://git.hatter.ink/hatter/tiny-encrypt-rs"
 
 [features]
 default = ["decrypt", "macos", "secure-enclave"]
-decrypt = ["openpgp-card", "openpgp-card-pcsc", "yubikey"]
+decrypt = ["smartcard"]
+smartcard = ["openpgp-card", "openpgp-card-pcsc", "yubikey"]
 macos = ["security-framework"]
 secure-enclave = ["macos", "swift-rs"]
 
@@ -44,6 +45,7 @@ x509-parser = "0.15"
 yubikey = { version = "0.8", features = ["untested"], optional = true }
 zeroize = "1.7"
 swift-rs = { path = "swift-rs", optional = true }
+spki = "0.7.3"
 
 [build-dependencies]
 swift-rs = { path = "swift-rs", features = ["build"], optional = true }

diff --git a/README.md b/README.md
@@ -70,12 +70,14 @@ Encrypt config `~/.tinyencrypt/config-rs.json`:
 
 Supported PKI encryption types:
 
-| Type       | Algorithm       | Description            |
-|------------|-----------------|------------------------|
-| pgp        | PKCS1-v1.5      | OpenPGP Encryption Key |
-| pgp-x25519 | ECDH(X25519)    | OpenPGP Encryption Key |
-| ecdh       | ECDH(secp256r1) | PIV Slot               |
-| ecdh-p384  | ECDH(secp384r1) | PIV Slot               |
+| Type          | Algorithm       | Description                             |
+|---------------|-----------------|-----------------------------------------|
+| pgp-rsa       | PKCS1-v1.5      | OpenPGP Encryption Key (Previous `pgp`) |
+| pgp-x25519    | ECDH(X25519)    | OpenPGP Encryption Key                  |
+| static-x25519 | ECDH(X25519)    | Key Stored in KeyChain                  |
+| piv-p256      | ECDH(secp256r1) | PIV Slot (Previous `ecdh`)              |
+| piv-p384      | ECDH(secp384r1) | PIV Slot (Previous `ecdh-p384`)         |
+| key-p256      | ECDH(secp256r1) | Key Stored in Secure Enclave            |
 
 Smart Card(Yubikey) protected ECDH Encryption description:
 

diff --git a/src/cmd_decrypt.rs b/src/cmd_decrypt.rs
@@ -41,13 +41,13 @@ use crate::wrap_key::WrapKey;
 pub struct CmdDecrypt {
     /// Files need to be decrypted
     pub paths: Vec<PathBuf>,
-    /// PIN
+    /// PGP or PIV PIN
     #[arg(long, short = 'p')]
     pub pin: Option<String>,
     /// KeyID
     #[arg(long, short = 'k')]
     pub key_id: Option<String>,
-    /// Slot
+    /// PIV slot
     #[arg(long, short = 's')]
     pub slot: Option<String>,
     /// Remove source file
@@ -68,7 +68,7 @@ pub struct CmdDecrypt {
     /// Edit file
     #[arg(long, short = 'E')]
     pub edit_file: bool,
-    // Readonly
+    /// Readonly mode
     #[arg(long)]
     pub readonly: bool,
     /// Digest algorithm (sha1, sha256[default], sha384, sha512 ...)
@@ -432,11 +432,11 @@ pub fn try_decrypt_key(config: &Option<TinyEncryptConfig>,
                        pin: &Option<String>,
                        slot: &Option<String>) -> XResult<Vec<u8>> {
     match envelop.r#type {
-        TinyEncryptEnvelopType::Pgp => try_decrypt_key_pgp(envelop, pin),
+        TinyEncryptEnvelopType::PgpRsa => try_decrypt_key_pgp(envelop, pin),
         TinyEncryptEnvelopType::PgpX25519 => try_decrypt_key_ecdh_pgp_x25519(envelop, pin),
         #[cfg(feature = "macos")]
         TinyEncryptEnvelopType::StaticX25519 => try_decrypt_key_ecdh_static_x25519(config, envelop),
-        TinyEncryptEnvelopType::Ecdh | TinyEncryptEnvelopType::EcdhP384 => try_decrypt_key_ecdh(config, envelop, pin, slot),
+        TinyEncryptEnvelopType::PivP256 | TinyEncryptEnvelopType::PivP384 => try_decrypt_key_ecdh(config, envelop, pin, slot),
         #[cfg(feature = "secure-enclave")]
         TinyEncryptEnvelopType::KeyP256 => try_decrypt_se_key_ecdh(config, envelop),
         unknown_type => simple_error!("Unknown or unsupported type: {}", unknown_type.get_name()),

diff --git a/src/cmd_encrypt.rs b/src/cmd_encrypt.rs
@@ -52,8 +52,8 @@ pub struct CmdEncrypt {
     /// Remove source file
     #[arg(long, short = 'R')]
     pub remove_file: bool,
-    /// Create file
-    #[arg(long)]
+    /// Create file (create a empty encrypted file)
+    #[arg(long, short = 'a')]
     pub create: bool,
     /// Disable compress meta
     #[arg(long)]
@@ -265,16 +265,16 @@ fn encrypt_envelops(cryptor: Cryptor, key: &[u8], envelops: &[&TinyEncryptConfig
     let mut encrypted_envelops = vec![];
     for envelop in envelops {
         match envelop.r#type {
-            TinyEncryptEnvelopType::Pgp => {
+            TinyEncryptEnvelopType::PgpRsa => {
                 encrypted_envelops.push(encrypt_envelop_pgp(key, envelop)?);
             }
             TinyEncryptEnvelopType::PgpX25519 | TinyEncryptEnvelopType::StaticX25519 => {
                 encrypted_envelops.push(encrypt_envelop_ecdh_x25519(cryptor, key, envelop)?);
             }
-            TinyEncryptEnvelopType::Ecdh | TinyEncryptEnvelopType::KeyP256 => {
+            TinyEncryptEnvelopType::PivP256 | TinyEncryptEnvelopType::KeyP256 => {
                 encrypted_envelops.push(encrypt_envelop_ecdh(cryptor, key, envelop)?);
             }
-            TinyEncryptEnvelopType::EcdhP384 => {
+            TinyEncryptEnvelopType::PivP384 => {
                 encrypted_envelops.push(encrypt_envelop_ecdh_p384(cryptor, key, envelop)?);
             }
             _ => return simple_error!("Not supported type: {:?}", envelop.r#type),
@@ -285,7 +285,7 @@ fn encrypt_envelops(cryptor: Cryptor, key: &[u8], envelops: &[&TinyEncryptConfig
 
 fn encrypt_envelop_ecdh(cryptor: Cryptor, key: &[u8], envelop: &TinyEncryptConfigEnvelop) -> XResult<TinyEncryptEnvelop> {
     let public_key_point_hex = &envelop.public_part;
-    let (shared_secret, ephemeral_spki) = util_p256::compute_shared_secret(public_key_point_hex)?;
+    let (shared_secret, ephemeral_spki) = util_p256::compute_p256_shared_secret(public_key_point_hex)?;
     let enc_type = match cryptor {
         Cryptor::Aes256Gcm => ENC_AES256_GCM_P256,
         Cryptor::ChaCha20Poly1305 => ENC_CHACHA20_POLY1305_P256,

diff --git a/src/cmd_execenv.rs b/src/cmd_execenv.rs
@@ -18,19 +18,19 @@ use crate::util_enc_file;
 
 #[derive(Debug, Args)]
 pub struct CmdExecEnv {
-    /// PIN
+    /// PGP or PIV PIN
     #[arg(long, short = 'p')]
     pub pin: Option<String>,
     /// KeyID
     #[arg(long, short = 'k')]
     pub key_id: Option<String>,
-    /// Slot
+    /// PIV slot
     #[arg(long, short = 's')]
     pub slot: Option<String>,
-    // Tiny encrypt file name
+    /// Tiny encrypt file name
     pub file_name: String,
-    // Arguments
-    pub arguments: Vec<String>,
+    /// Command and arguments
+    pub command_arguments: Vec<String>,
 }
 
 impl Drop for CmdExecEnv {
@@ -43,7 +43,7 @@ pub fn exec_env(cmd_exec_env: CmdExecEnv) -> XResult<()> {
     util_msg::set_logger_std_out(false);
     debugging!("Cmd exec env: {:?}", cmd_exec_env);
     let config = TinyEncryptConfig::load(TINY_ENC_CONFIG_FILE).ok();
-    if cmd_exec_env.arguments.is_empty() {
+    if cmd_exec_env.command_arguments.is_empty() {
         return simple_error!("No commands assigned.");
     }
 
@@ -75,7 +75,7 @@ pub fn exec_env(cmd_exec_env: CmdExecEnv) -> XResult<()> {
     let decrypted_content = decrypt_limited_content_to_vec(&mut file_in, &meta, cryptor, &key_nonce)?;
     let exit_code = if let Some(output) = decrypted_content {
         debugging!("Outputs: {}", output);
-        let arguments = &cmd_exec_env.arguments;
+        let arguments = &cmd_exec_env.command_arguments;
         let envs = parse_output_to_env(&output);
 
         let mut command = Command::new(&arguments[0]);