Add certificate functionality

obelisk · Mar 18, 2021 · ac34a18 · ac34a18
1 parent 36baee6
commit ac34a18
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 4 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "sshcerts"
-version = "0.3.13"
+version = "0.3.14"
 authors = ["Mitchell Grenier <[email protected]>"]
 edition = "2018"
 license-file = "LICENSE"

diff --git a/src/yubikey/management.rs b/src/yubikey/management.rs
@@ -43,6 +43,20 @@ fn subject(yk: &mut YubiKey, slot: SlotId) -> Result<String, Error> {
     }
 }
 
+/// Fetch the certificate from a given Yubikey slot. If there is not one, this
+/// will fail
+pub fn fetch_certificate(slot: SlotId) -> Result<Vec<u8>, Error> {
+    let mut yk = match YubiKey::open() {
+        Ok(yk) => yk,
+        Err(e) => return Err(Error::InternalYubiKeyError(e)),
+    };
+
+    match yubikey_piv::certificate::Certificate::read(&mut yk, slot) {
+        Ok(cert) => {Ok(cert.as_ref().to_vec())},
+        Err(e) => Err(Error::InternalYubiKeyError(e)),
+    }
+}
+
 /// Fetch a public key from the provided slot. If there is not exactly one
 /// Yubikey this will fail.
 pub fn fetch_pubkey(slot: SlotId) -> Result<PublicKeyInfo, Error> {

diff --git a/src/yubikey/mod.rs b/src/yubikey/mod.rs
@@ -8,4 +8,12 @@ mod management;
 pub use yubikey_piv::key::{AlgorithmId, RetiredSlotId, SlotId};
 
 pub use management::Error;
-pub use management::{configured, fetch_attestation, fetch_pubkey, fetch_subject, provision, sign_data};
+pub use management::{
+    configured,
+    fetch_attestation,
+    fetch_certificate,
+    fetch_pubkey,
+    fetch_subject,
+    provision,
+    sign_data,
+};
diff --git a/src/yubikey/ssh.rs b/src/yubikey/ssh.rs
@@ -1,5 +1,5 @@
 use yubikey_piv::key::{AlgorithmId, SlotId};
-use yubikey_piv::certificate::PublicKeyInfo;
+use yubikey_piv::certificate::{Certificate, PublicKeyInfo};
 
 use crate::yubikey::management::{fetch_pubkey, sign_data};
 
@@ -51,6 +51,20 @@ pub fn convert_to_ssh_pubkey(pki: &PublicKeyInfo) -> Option<PublicKey> {
     }
 }
 
+/// This function is used to convert a der encoded certificate to the internal
+/// PublicKey type.
+pub fn convert_x509_to_ssh_pubkey(certificate: &[u8]) -> Option<PublicKey> {
+    let certificate = match Certificate::from_bytes(certificate.to_vec()) {
+        Ok(c) => c,
+        Err(e) => {
+            error!("Parsing Error: {:?}", e);
+            return None
+        }
+    };
+    convert_to_ssh_pubkey(certificate.subject_pki())
+}
+
+
 /// Pull the public key from the YubiKey and wrap it in a sshcerts
 /// PublicKey object.
 pub fn ssh_cert_fetch_pubkey(slot: SlotId) -> Option<PublicKey> {