keyfork-shard: slightly improved error handling
This commit is contained in:
parent
0768339487
commit
307941087a
|
@ -1073,6 +1073,7 @@ version = "0.1.0"
|
||||||
dependencies = [
|
dependencies = [
|
||||||
"anyhow",
|
"anyhow",
|
||||||
"bincode",
|
"bincode",
|
||||||
|
"card-backend",
|
||||||
"card-backend-pcsc",
|
"card-backend-pcsc",
|
||||||
"keyfork-derive-openpgp",
|
"keyfork-derive-openpgp",
|
||||||
"keyfork-pinentry",
|
"keyfork-pinentry",
|
||||||
|
|
|
@ -8,12 +8,13 @@ edition = "2021"
|
||||||
[features]
|
[features]
|
||||||
default = ["openpgp", "openpgp-card"]
|
default = ["openpgp", "openpgp-card"]
|
||||||
openpgp = ["sequoia-openpgp", "prompt"]
|
openpgp = ["sequoia-openpgp", "prompt"]
|
||||||
openpgp-card = ["openpgp-card-sequoia", "card-backend-pcsc"]
|
openpgp-card = ["openpgp-card-sequoia", "card-backend-pcsc", "card-backend"]
|
||||||
prompt = ["keyfork-pinentry"]
|
prompt = ["keyfork-pinentry"]
|
||||||
|
|
||||||
[dependencies]
|
[dependencies]
|
||||||
anyhow = "1.0.75"
|
anyhow = "1.0.75"
|
||||||
bincode = "1.3.3"
|
bincode = "1.3.3"
|
||||||
|
card-backend = { version = "0.2.0", optional = true }
|
||||||
card-backend-pcsc = { version = "0.5.0", optional = true }
|
card-backend-pcsc = { version = "0.5.0", optional = true }
|
||||||
keyfork-derive-openpgp = { version = "0.1.0", path = "../keyfork-derive-openpgp" }
|
keyfork-derive-openpgp = { version = "0.1.0", path = "../keyfork-derive-openpgp" }
|
||||||
keyfork-pinentry = { version = "0.5.0", path = "../keyfork-pinentry", optional = true }
|
keyfork-pinentry = { version = "0.5.0", path = "../keyfork-pinentry", optional = true }
|
||||||
|
|
|
@ -58,6 +58,11 @@ fn main() -> ExitCode {
|
||||||
let result = run();
|
let result = run();
|
||||||
if let Err(e) = result {
|
if let Err(e) = result {
|
||||||
eprintln!("Error: {e}");
|
eprintln!("Error: {e}");
|
||||||
|
let mut source = e.source();
|
||||||
|
while let Some(new_error) = source.take() {
|
||||||
|
eprintln!("Source: {new_error}");
|
||||||
|
source = new_error.source();
|
||||||
|
}
|
||||||
return ExitCode::FAILURE;
|
return ExitCode::FAILURE;
|
||||||
}
|
}
|
||||||
ExitCode::SUCCESS
|
ExitCode::SUCCESS
|
||||||
|
|
|
@ -23,7 +23,7 @@ use openpgp::{
|
||||||
Marshal,
|
Marshal,
|
||||||
},
|
},
|
||||||
types::KeyFlags,
|
types::KeyFlags,
|
||||||
KeyID, PacketPile,
|
Fingerprint, KeyID, PacketPile,
|
||||||
};
|
};
|
||||||
pub use sequoia_openpgp as openpgp;
|
pub use sequoia_openpgp as openpgp;
|
||||||
use sharks::{Share, Sharks};
|
use sharks::{Share, Sharks};
|
||||||
|
@ -34,20 +34,43 @@ use keyring::Keyring;
|
||||||
mod smartcard;
|
mod smartcard;
|
||||||
use smartcard::SmartcardManager;
|
use smartcard::SmartcardManager;
|
||||||
|
|
||||||
// TODO: better error handling
|
#[derive(Debug, thiserror::Error)]
|
||||||
|
pub enum Error {
|
||||||
|
#[error("Error with creating Share: {0}")]
|
||||||
|
Share(String),
|
||||||
|
|
||||||
#[derive(Debug, Clone)]
|
#[error("Error combining shares: {0}")]
|
||||||
pub struct WrappedError(String);
|
CombineShares(String),
|
||||||
|
|
||||||
impl std::fmt::Display for WrappedError {
|
#[error("Derived secret hash {0} != expected {1}")]
|
||||||
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
|
InvalidSecret(Fingerprint, Fingerprint),
|
||||||
f.write_str(&self.0)
|
|
||||||
}
|
#[error("OpenPGP error: {0}")]
|
||||||
|
Sequoia(#[source] anyhow::Error),
|
||||||
|
|
||||||
|
#[error("OpenPGP IO error: {0}")]
|
||||||
|
SequoiaIo(#[source] std::io::Error),
|
||||||
|
|
||||||
|
#[error("Keyring error: {0}")]
|
||||||
|
Keyring(#[from] keyring::KeyringError),
|
||||||
|
|
||||||
|
#[error("Smartcard error: {0}")]
|
||||||
|
Smartcard(#[from] smartcard::SmartcardError),
|
||||||
|
|
||||||
|
#[error("IO error: {0}")]
|
||||||
|
Io(#[source] std::io::Error),
|
||||||
|
|
||||||
|
#[error("Derivation path: {0}")]
|
||||||
|
DerivationPath(#[from] keyfork_derive_openpgp::derive_util::path::Error),
|
||||||
|
|
||||||
|
#[error("Derivation request: {0}")]
|
||||||
|
DerivationRequest(#[from] keyfork_derive_openpgp::derive_util::request::DerivationError),
|
||||||
|
|
||||||
|
#[error("Keyfork OpenPGP: {0}")]
|
||||||
|
KeyforkOpenPGP(#[from] keyfork_derive_openpgp::Error),
|
||||||
}
|
}
|
||||||
|
|
||||||
impl std::error::Error for WrappedError {}
|
pub type Result<T, E = Error> = std::result::Result<T, E>;
|
||||||
|
|
||||||
pub type Result<T, E = Box<dyn std::error::Error>> = std::result::Result<T, E>;
|
|
||||||
|
|
||||||
#[derive(Debug, Clone)]
|
#[derive(Debug, Clone)]
|
||||||
pub struct EncryptedMessage {
|
pub struct EncryptedMessage {
|
||||||
|
@ -71,24 +94,30 @@ impl EncryptedMessage {
|
||||||
|
|
||||||
for pkesk in &self.pkesks {
|
for pkesk in &self.pkesks {
|
||||||
let mut packet = vec![];
|
let mut packet = vec![];
|
||||||
pkesk.serialize(&mut packet)?;
|
pkesk.serialize(&mut packet).map_err(Error::Sequoia)?;
|
||||||
let message = Message::new(&mut packets);
|
let message = Message::new(&mut packets);
|
||||||
let mut message = ArbitraryWriter::new(message, Tag::PKESK)?;
|
let mut message = ArbitraryWriter::new(message, Tag::PKESK).map_err(Error::Sequoia)?;
|
||||||
message.write_all(&packet)?;
|
message.write_all(&packet).map_err(Error::SequoiaIo)?;
|
||||||
message.finalize()?;
|
message.finalize().map_err(Error::Sequoia)?;
|
||||||
}
|
}
|
||||||
let mut packet = vec![];
|
let mut packet = vec![];
|
||||||
self.message.serialize(&mut packet)?;
|
self.message
|
||||||
|
.serialize(&mut packet)
|
||||||
|
.map_err(Error::Sequoia)?;
|
||||||
let message = Message::new(&mut packets);
|
let message = Message::new(&mut packets);
|
||||||
let mut message = ArbitraryWriter::new(message, Tag::SEIP)?;
|
let mut message = ArbitraryWriter::new(message, Tag::SEIP).map_err(Error::Sequoia)?;
|
||||||
message.write_all(&packet)?;
|
message.write_all(&packet).map_err(Error::SequoiaIo)?;
|
||||||
message.finalize()?;
|
message.finalize().map_err(Error::Sequoia)?;
|
||||||
|
|
||||||
let mut decryptor =
|
let mut decryptor = DecryptorBuilder::from_bytes(&packets)
|
||||||
DecryptorBuilder::from_bytes(&packets)?.with_policy(policy, None, decryptor)?;
|
.map_err(Error::Sequoia)?
|
||||||
|
.with_policy(policy, None, decryptor)
|
||||||
|
.map_err(Error::Sequoia)?;
|
||||||
|
|
||||||
let mut content = vec![];
|
let mut content = vec![];
|
||||||
decryptor.read_to_end(&mut content)?;
|
decryptor
|
||||||
|
.read_to_end(&mut content)
|
||||||
|
.map_err(Error::SequoiaIo)?;
|
||||||
Ok(content)
|
Ok(content)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -98,18 +127,19 @@ pub fn discover_certs(path: impl AsRef<Path>) -> Result<Vec<Cert>> {
|
||||||
|
|
||||||
if path.is_file() {
|
if path.is_file() {
|
||||||
let mut vec = vec![];
|
let mut vec = vec![];
|
||||||
for cert in CertParser::from_file(path)? {
|
for cert in CertParser::from_file(path).map_err(Error::Sequoia)? {
|
||||||
vec.push(cert?);
|
vec.push(cert.map_err(Error::Sequoia)?);
|
||||||
}
|
}
|
||||||
Ok(vec)
|
Ok(vec)
|
||||||
} else {
|
} else {
|
||||||
let mut vec = vec![];
|
let mut vec = vec![];
|
||||||
for entry in path
|
for entry in path
|
||||||
.read_dir()?
|
.read_dir()
|
||||||
|
.map_err(Error::Io)?
|
||||||
.filter_map(Result::ok)
|
.filter_map(Result::ok)
|
||||||
.filter(|p| p.path().is_file())
|
.filter(|p| p.path().is_file())
|
||||||
{
|
{
|
||||||
vec.push(Cert::from_file(entry.path())?);
|
vec.push(Cert::from_file(entry.path()).map_err(Error::Sequoia)?);
|
||||||
}
|
}
|
||||||
Ok(vec)
|
Ok(vec)
|
||||||
}
|
}
|
||||||
|
@ -119,7 +149,10 @@ pub fn parse_messages(reader: impl Read + Send + Sync) -> Result<VecDeque<Encryp
|
||||||
let mut pkesks = Vec::new();
|
let mut pkesks = Vec::new();
|
||||||
let mut encrypted_messages = VecDeque::new();
|
let mut encrypted_messages = VecDeque::new();
|
||||||
|
|
||||||
for packet in PacketPile::from_reader(reader)?.into_children() {
|
for packet in PacketPile::from_reader(reader)
|
||||||
|
.map_err(Error::Sequoia)?
|
||||||
|
.into_children()
|
||||||
|
{
|
||||||
match packet {
|
match packet {
|
||||||
Packet::PKESK(p) => pkesks.push(p),
|
Packet::PKESK(p) => pkesks.push(p),
|
||||||
Packet::SEIP(s) => {
|
Packet::SEIP(s) => {
|
||||||
|
@ -186,13 +219,15 @@ pub fn combine(
|
||||||
metadata.decrypt_with(&policy, &mut keyring)?
|
metadata.decrypt_with(&policy, &mut keyring)?
|
||||||
};
|
};
|
||||||
|
|
||||||
let mut cert_parser = CertParser::from_bytes(&content)?;
|
let mut cert_parser = CertParser::from_bytes(&content).map_err(Error::Sequoia)?;
|
||||||
let root_cert = match cert_parser.next() {
|
let root_cert = match cert_parser.next() {
|
||||||
Some(Ok(c)) => c,
|
Some(Ok(c)) => c,
|
||||||
Some(Err(e)) => panic!("Could not find root (first) certificate: {e}"),
|
Some(Err(e)) => panic!("Could not find root (first) certificate: {e}"),
|
||||||
None => panic!("No certs found in cert parser"),
|
None => panic!("No certs found in cert parser"),
|
||||||
};
|
};
|
||||||
let certs = cert_parser.collect::<openpgp::Result<Vec<_>>>()?;
|
let certs = cert_parser
|
||||||
|
.collect::<openpgp::Result<Vec<_>>>()
|
||||||
|
.map_err(Error::Sequoia)?;
|
||||||
keyring.set_root_cert(root_cert.clone());
|
keyring.set_root_cert(root_cert.clone());
|
||||||
manager.set_root_cert(root_cert);
|
manager.set_root_cert(root_cert);
|
||||||
let mut messages: HashMap<KeyID, EncryptedMessage> =
|
let mut messages: HashMap<KeyID, EncryptedMessage> =
|
||||||
|
@ -202,12 +237,14 @@ pub fn combine(
|
||||||
// NOTE: This is ONLY stable because we control the generation of PKESK packets and
|
// NOTE: This is ONLY stable because we control the generation of PKESK packets and
|
||||||
// encode the policy to ourselves.
|
// encode the policy to ourselves.
|
||||||
for valid_cert in certs.iter().map(|cert| cert.with_policy(&policy, None)) {
|
for valid_cert in certs.iter().map(|cert| cert.with_policy(&policy, None)) {
|
||||||
let valid_cert = valid_cert?;
|
let valid_cert = valid_cert.map_err(Error::Sequoia)?;
|
||||||
// get keys from keyring for cert
|
// get keys from keyring for cert
|
||||||
let Some(secret_cert) = keyring.get_cert_for_primary_keyid(&valid_cert.keyid()) else {
|
let Some(secret_cert) = keyring.get_cert_for_primary_keyid(&valid_cert.keyid()) else {
|
||||||
continue;
|
continue;
|
||||||
};
|
};
|
||||||
let secret_cert = secret_cert.with_policy(&policy, None)?;
|
let secret_cert = secret_cert
|
||||||
|
.with_policy(&policy, None)
|
||||||
|
.map_err(Error::Sequoia)?;
|
||||||
let keys = get_decryption_keys(&secret_cert).collect::<Vec<_>>();
|
let keys = get_decryption_keys(&secret_cert).collect::<Vec<_>>();
|
||||||
if !keys.is_empty() {
|
if !keys.is_empty() {
|
||||||
if let Some(message) = messages.get_mut(&valid_cert.keyid()) {
|
if let Some(message) = messages.get_mut(&valid_cert.keyid()) {
|
||||||
|
@ -252,7 +289,7 @@ pub fn combine(
|
||||||
.iter()
|
.iter()
|
||||||
.map(|cert| cert.with_policy(&policy, None))
|
.map(|cert| cert.with_policy(&policy, None))
|
||||||
{
|
{
|
||||||
let valid_cert = valid_cert?;
|
let valid_cert = valid_cert.map_err(Error::Sequoia)?;
|
||||||
let fp = valid_cert
|
let fp = valid_cert
|
||||||
.keys()
|
.keys()
|
||||||
.for_storage_encryption()
|
.for_storage_encryption()
|
||||||
|
@ -282,8 +319,10 @@ pub fn combine(
|
||||||
.values()
|
.values()
|
||||||
.map(|message| Share::try_from(message.as_slice()))
|
.map(|message| Share::try_from(message.as_slice()))
|
||||||
.collect::<Result<Vec<_>, &str>>()
|
.collect::<Result<Vec<_>, &str>>()
|
||||||
.map_err(|e| WrappedError(e.to_string()))?;
|
.map_err(|e| Error::Share(e.to_string()))?;
|
||||||
let secret = Sharks(threshold).recover(&shares)?;
|
let secret = Sharks(threshold)
|
||||||
|
.recover(&shares)
|
||||||
|
.map_err(|e| Error::CombineShares(e.to_string()))?;
|
||||||
|
|
||||||
let userid = UserID::from("keyfork-sss");
|
let userid = UserID::from("keyfork-sss");
|
||||||
let kdr = DerivationRequest::new(
|
let kdr = DerivationRequest::new(
|
||||||
|
@ -298,19 +337,18 @@ pub fn combine(
|
||||||
)?;
|
)?;
|
||||||
|
|
||||||
// NOTE: Signatures on certs will be different. Compare fingerprints instead.
|
// NOTE: Signatures on certs will be different. Compare fingerprints instead.
|
||||||
if Some(derived_cert.fingerprint()) != keyring.root_cert().map(Cert::fingerprint) {
|
let derived_fp = derived_cert.fingerprint();
|
||||||
return Err(WrappedError(format!(
|
let expected_fp = keyring
|
||||||
"Derived {} != expected {}",
|
.root_cert()
|
||||||
derived_cert.fingerprint(),
|
.expect("cert was previously set")
|
||||||
keyring
|
.fingerprint();
|
||||||
.root_cert()
|
if derived_fp != expected_fp {
|
||||||
.expect("cert was previously set")
|
return Err(Error::InvalidSecret(derived_fp, expected_fp));
|
||||||
.fingerprint()
|
|
||||||
))
|
|
||||||
.into());
|
|
||||||
}
|
}
|
||||||
|
|
||||||
output.write_all(smex::encode(&secret).as_bytes())?;
|
output
|
||||||
|
.write_all(smex::encode(&secret).as_bytes())
|
||||||
|
.map_err(Error::Io)?;
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
@ -330,23 +368,25 @@ pub fn split(threshold: u8, certs: Vec<Cert>, secret: &[u8], output: impl Write)
|
||||||
)?;
|
)?;
|
||||||
let signing_key = derived_cert
|
let signing_key = derived_cert
|
||||||
.primary_key()
|
.primary_key()
|
||||||
.parts_into_secret()?
|
.parts_into_secret()
|
||||||
|
.map_err(Error::Sequoia)?
|
||||||
.key()
|
.key()
|
||||||
.clone()
|
.clone()
|
||||||
.into_keypair()?;
|
.into_keypair()
|
||||||
|
.map_err(Error::Sequoia)?;
|
||||||
|
|
||||||
let sharks = Sharks(threshold);
|
let sharks = Sharks(threshold);
|
||||||
let dealer = sharks.dealer(secret);
|
let dealer = sharks.dealer(secret);
|
||||||
let shares = dealer.map(|s| Vec::from(&s)).collect::<Vec<_>>();
|
let shares = dealer.map(|s| Vec::from(&s)).collect::<Vec<_>>();
|
||||||
let policy = StandardPolicy::new();
|
let policy = StandardPolicy::new();
|
||||||
let mut writer = Writer::new(output, Kind::Message)?;
|
let mut writer = Writer::new(output, Kind::Message).map_err(Error::SequoiaIo)?;
|
||||||
|
|
||||||
let mut total_recipients = vec![];
|
let mut total_recipients = vec![];
|
||||||
let mut messages = vec![];
|
let mut messages = vec![];
|
||||||
|
|
||||||
for (share, cert) in shares.iter().zip(certs) {
|
for (share, cert) in shares.iter().zip(certs) {
|
||||||
total_recipients.push(cert.clone());
|
total_recipients.push(cert.clone());
|
||||||
let valid_cert = cert.with_policy(&policy, None)?;
|
let valid_cert = cert.with_policy(&policy, None).map_err(Error::Sequoia)?;
|
||||||
let encryption_keys = get_encryption_keys(&valid_cert).collect::<Vec<_>>();
|
let encryption_keys = get_encryption_keys(&valid_cert).collect::<Vec<_>>();
|
||||||
|
|
||||||
let mut message_output = vec![];
|
let mut message_output = vec![];
|
||||||
|
@ -357,28 +397,34 @@ pub fn split(threshold: u8, certs: Vec<Cert>, secret: &[u8], output: impl Write)
|
||||||
.iter()
|
.iter()
|
||||||
.map(|k| Recipient::new(KeyID::wildcard(), k.key())),
|
.map(|k| Recipient::new(KeyID::wildcard(), k.key())),
|
||||||
)
|
)
|
||||||
.build()?;
|
.build()
|
||||||
let message = Signer::new(message, signing_key.clone()).build()?;
|
.map_err(Error::Sequoia)?;
|
||||||
let mut message = LiteralWriter::new(message).build()?;
|
let message = Signer::new(message, signing_key.clone())
|
||||||
message.write_all(share)?;
|
.build()
|
||||||
message.finalize()?;
|
.map_err(Error::Sequoia)?;
|
||||||
|
let mut message = LiteralWriter::new(message)
|
||||||
|
.build()
|
||||||
|
.map_err(Error::Sequoia)?;
|
||||||
|
message.write_all(share).map_err(Error::SequoiaIo)?;
|
||||||
|
message.finalize().map_err(Error::Sequoia)?;
|
||||||
|
|
||||||
messages.push(message_output);
|
messages.push(message_output);
|
||||||
}
|
}
|
||||||
|
|
||||||
let mut pp = vec![];
|
let mut pp = vec![];
|
||||||
// store derived cert to verify provided shares
|
// store derived cert to verify provided shares
|
||||||
derived_cert.serialize(&mut pp)?;
|
derived_cert.serialize(&mut pp).map_err(Error::Sequoia)?;
|
||||||
for recipient in &total_recipients {
|
for recipient in &total_recipients {
|
||||||
recipient.serialize(&mut pp)?;
|
recipient.serialize(&mut pp).map_err(Error::Sequoia)?;
|
||||||
}
|
}
|
||||||
|
|
||||||
// verify packet pile
|
// verify packet pile
|
||||||
for (packet_cert, cert) in openpgp::cert::CertParser::from_bytes(&pp)?
|
for (packet_cert, cert) in openpgp::cert::CertParser::from_bytes(&pp)
|
||||||
|
.map_err(Error::Sequoia)?
|
||||||
.skip(1)
|
.skip(1)
|
||||||
.zip(total_recipients.iter())
|
.zip(total_recipients.iter())
|
||||||
{
|
{
|
||||||
if packet_cert? != *cert {
|
if packet_cert.map_err(Error::Sequoia)? != *cert {
|
||||||
panic!(
|
panic!(
|
||||||
"packet pile could not recreate cert: {}",
|
"packet pile could not recreate cert: {}",
|
||||||
cert.fingerprint()
|
cert.fingerprint()
|
||||||
|
@ -389,7 +435,8 @@ pub fn split(threshold: u8, certs: Vec<Cert>, secret: &[u8], output: impl Write)
|
||||||
let valid_certs = total_recipients
|
let valid_certs = total_recipients
|
||||||
.iter()
|
.iter()
|
||||||
.map(|c| c.with_policy(&policy, None))
|
.map(|c| c.with_policy(&policy, None))
|
||||||
.collect::<openpgp::Result<Vec<_>>>()?;
|
.collect::<openpgp::Result<Vec<_>>>()
|
||||||
|
.map_err(Error::Sequoia)?;
|
||||||
|
|
||||||
let total_recipients = valid_certs.iter().flat_map(|vc| {
|
let total_recipients = valid_certs.iter().flat_map(|vc| {
|
||||||
get_encryption_keys(vc).map(|key| Recipient::new(KeyID::wildcard(), key.key()))
|
get_encryption_keys(vc).map(|key| Recipient::new(KeyID::wildcard(), key.key()))
|
||||||
|
@ -398,17 +445,23 @@ pub fn split(threshold: u8, certs: Vec<Cert>, secret: &[u8], output: impl Write)
|
||||||
// metadata
|
// metadata
|
||||||
let mut message_output = vec![];
|
let mut message_output = vec![];
|
||||||
let message = Message::new(&mut message_output);
|
let message = Message::new(&mut message_output);
|
||||||
let message = Encryptor2::for_recipients(message, total_recipients).build()?;
|
let message = Encryptor2::for_recipients(message, total_recipients)
|
||||||
let mut message = LiteralWriter::new(message).build()?;
|
.build()
|
||||||
message.write_all(&pp)?;
|
.map_err(Error::Sequoia)?;
|
||||||
message.finalize()?;
|
let mut message = LiteralWriter::new(message)
|
||||||
writer.write_all(&message_output)?;
|
.build()
|
||||||
|
.map_err(Error::Sequoia)?;
|
||||||
|
message.write_all(&pp).map_err(Error::SequoiaIo)?;
|
||||||
|
message.finalize().map_err(Error::Sequoia)?;
|
||||||
|
writer
|
||||||
|
.write_all(&message_output)
|
||||||
|
.map_err(Error::SequoiaIo)?;
|
||||||
|
|
||||||
for message in messages {
|
for message in messages {
|
||||||
writer.write_all(&message)?;
|
writer.write_all(&message).map_err(Error::SequoiaIo)?;
|
||||||
}
|
}
|
||||||
|
|
||||||
writer.finalize()?;
|
writer.finalize().map_err(Error::SequoiaIo)?;
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
|
@ -9,27 +9,18 @@ use super::openpgp::{
|
||||||
KeyHandle, KeyID,
|
KeyHandle, KeyID,
|
||||||
};
|
};
|
||||||
|
|
||||||
use crate::prompt_manager::PromptManager;
|
use crate::prompt_manager::{PromptManager, PinentryError};
|
||||||
|
|
||||||
#[derive(Clone, Debug)]
|
#[derive(thiserror::Error, Debug)]
|
||||||
pub enum KeyringFailure {
|
pub enum KeyringError {
|
||||||
|
#[error("Secret key was not found")]
|
||||||
SecretKeyNotFound,
|
SecretKeyNotFound,
|
||||||
#[allow(dead_code)]
|
|
||||||
SmartcardDecrypt,
|
#[error("Prompt failed: {0}")]
|
||||||
|
Prompt(#[from] PinentryError)
|
||||||
}
|
}
|
||||||
|
|
||||||
impl std::fmt::Display for KeyringFailure {
|
pub type Result<T, E = KeyringError> = std::result::Result<T, E>;
|
||||||
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
|
|
||||||
match self {
|
|
||||||
KeyringFailure::SecretKeyNotFound => f.write_str("Secret key was not found"),
|
|
||||||
KeyringFailure::SmartcardDecrypt => {
|
|
||||||
f.write_str("Smartcard could not decrypt any PKESKs")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
impl std::error::Error for KeyringFailure {}
|
|
||||||
|
|
||||||
pub struct Keyring {
|
pub struct Keyring {
|
||||||
full_certs: Vec<Cert>,
|
full_certs: Vec<Cert>,
|
||||||
|
@ -38,7 +29,7 @@ pub struct Keyring {
|
||||||
}
|
}
|
||||||
|
|
||||||
impl Keyring {
|
impl Keyring {
|
||||||
pub fn new(certs: impl AsRef<[Cert]>) -> Result<Self, Box<dyn std::error::Error>> {
|
pub fn new(certs: impl AsRef<[Cert]>) -> Result<Self> {
|
||||||
Ok(Self {
|
Ok(Self {
|
||||||
full_certs: certs.as_ref().to_vec(),
|
full_certs: certs.as_ref().to_vec(),
|
||||||
root: Default::default(),
|
root: Default::default(),
|
||||||
|
@ -164,6 +155,6 @@ impl DecryptionHelper for &mut Keyring {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
Err(KeyringFailure::SecretKeyNotFound.into())
|
Err(KeyringError::SecretKeyNotFound.into())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -9,27 +9,30 @@ use super::openpgp::{
|
||||||
parse::stream::{DecryptionHelper, MessageLayer, MessageStructure, VerificationHelper},
|
parse::stream::{DecryptionHelper, MessageLayer, MessageStructure, VerificationHelper},
|
||||||
Fingerprint,
|
Fingerprint,
|
||||||
};
|
};
|
||||||
use crate::prompt_manager::PromptManager;
|
use crate::prompt_manager::{PinentryError, PromptManager};
|
||||||
|
|
||||||
use card_backend_pcsc::PcscBackend;
|
use card_backend_pcsc::PcscBackend;
|
||||||
use openpgp_card_sequoia::{state::Open, Card};
|
use openpgp_card_sequoia::{state::Open, Card};
|
||||||
|
|
||||||
#[derive(Clone, Debug)]
|
#[derive(thiserror::Error, Debug)]
|
||||||
pub enum SmartcardFailure {
|
pub enum SmartcardError {
|
||||||
|
#[error("No smart card backend was stored")]
|
||||||
SmartCardNotFound,
|
SmartCardNotFound,
|
||||||
|
|
||||||
|
#[error("Selected smart card has no decryption key")]
|
||||||
SmartCardHasNoDecrypt,
|
SmartCardHasNoDecrypt,
|
||||||
|
|
||||||
|
#[error("Smart card backend error: {0}")]
|
||||||
|
SmartCardBackendError(#[from] card_backend::SmartcardError),
|
||||||
|
|
||||||
|
#[error("Smart card error: {0}")]
|
||||||
|
SmartCardEncounteredError(#[from] openpgp_card_sequoia::types::Error),
|
||||||
|
|
||||||
|
#[error("Prompt failed: {0}")]
|
||||||
|
Prompt(#[from] PinentryError),
|
||||||
}
|
}
|
||||||
|
|
||||||
impl std::fmt::Display for SmartcardFailure {
|
pub type Result<T, E = SmartcardError> = std::result::Result<T, E>;
|
||||||
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
|
|
||||||
match self {
|
|
||||||
Self::SmartCardNotFound => f.write_str("No smart card backend was stored"),
|
|
||||||
Self::SmartCardHasNoDecrypt => f.write_str("Selected smart card has no decrypt key"),
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
impl std::error::Error for SmartcardFailure {}
|
|
||||||
|
|
||||||
fn format_name(input: impl AsRef<str>) -> String {
|
fn format_name(input: impl AsRef<str>) -> String {
|
||||||
let mut n = input
|
let mut n = input
|
||||||
|
@ -49,7 +52,7 @@ pub struct SmartcardManager {
|
||||||
}
|
}
|
||||||
|
|
||||||
impl SmartcardManager {
|
impl SmartcardManager {
|
||||||
pub fn new() -> Result<Self, Box<dyn std::error::Error>> {
|
pub fn new() -> Result<Self> {
|
||||||
Ok(Self {
|
Ok(Self {
|
||||||
current_card: None,
|
current_card: None,
|
||||||
root: None,
|
root: None,
|
||||||
|
@ -65,20 +68,20 @@ impl SmartcardManager {
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Load any backend.
|
/// Load any backend.
|
||||||
pub fn load_any_card(&mut self) -> Result<Fingerprint, Box<dyn std::error::Error>> {
|
pub fn load_any_card(&mut self) -> Result<Fingerprint> {
|
||||||
PcscBackend::cards(None)?
|
PcscBackend::cards(None)?
|
||||||
.next()
|
.next()
|
||||||
.transpose()?
|
.transpose()?
|
||||||
.ok_or(SmartcardFailure::SmartCardNotFound.into())
|
.ok_or(SmartcardError::SmartCardNotFound)
|
||||||
.and_then(
|
.and_then(
|
||||||
|backend| -> Result<Fingerprint, Box<dyn std::error::Error>> {
|
|backend| {
|
||||||
let mut card = Card::<Open>::new(backend)?;
|
let mut card = Card::<Open>::new(backend)?;
|
||||||
let transaction = card.transaction()?;
|
let transaction = card.transaction()?;
|
||||||
let fingerprint = transaction
|
let fingerprint = transaction
|
||||||
.fingerprints()?
|
.fingerprints()?
|
||||||
.decryption()
|
.decryption()
|
||||||
.map(|fp| Fingerprint::from_bytes(fp.as_bytes()))
|
.map(|fp| Fingerprint::from_bytes(fp.as_bytes()))
|
||||||
.ok_or(SmartcardFailure::SmartCardHasNoDecrypt)?;
|
.ok_or(SmartcardError::SmartCardHasNoDecrypt)?;
|
||||||
drop(transaction);
|
drop(transaction);
|
||||||
self.current_card.replace(card);
|
self.current_card.replace(card);
|
||||||
Ok(fingerprint)
|
Ok(fingerprint)
|
||||||
|
@ -92,7 +95,7 @@ impl SmartcardManager {
|
||||||
pub fn load_any_fingerprint(
|
pub fn load_any_fingerprint(
|
||||||
&mut self,
|
&mut self,
|
||||||
fingerprints: impl IntoIterator<Item = Fingerprint>,
|
fingerprints: impl IntoIterator<Item = Fingerprint>,
|
||||||
) -> Result<Option<Fingerprint>, Box<dyn std::error::Error>> {
|
) -> Result<Option<Fingerprint>> {
|
||||||
// NOTE: This can't be HashSet::from_iter() because from_iter() requires a passed-in state
|
// NOTE: This can't be HashSet::from_iter() because from_iter() requires a passed-in state
|
||||||
// I do not want to provide.
|
// I do not want to provide.
|
||||||
let mut requested_fingerprints = HashSet::new();
|
let mut requested_fingerprints = HashSet::new();
|
||||||
|
@ -178,7 +181,7 @@ impl DecryptionHelper for &mut SmartcardManager {
|
||||||
{
|
{
|
||||||
let mut card = self.current_card.take();
|
let mut card = self.current_card.take();
|
||||||
let Some(card) = card.as_mut() else {
|
let Some(card) = card.as_mut() else {
|
||||||
return Err(SmartcardFailure::SmartCardNotFound.into());
|
return Err(SmartcardError::SmartCardNotFound.into());
|
||||||
};
|
};
|
||||||
|
|
||||||
let mut transaction = card.transaction()?;
|
let mut transaction = card.transaction()?;
|
||||||
|
@ -187,7 +190,7 @@ impl DecryptionHelper for &mut SmartcardManager {
|
||||||
.decryption()
|
.decryption()
|
||||||
.map(|fp| Fingerprint::from_bytes(fp.as_bytes()));
|
.map(|fp| Fingerprint::from_bytes(fp.as_bytes()));
|
||||||
let Some(fp) = fp else {
|
let Some(fp) = fp else {
|
||||||
return Err(SmartcardFailure::SmartCardHasNoDecrypt.into());
|
return Err(SmartcardError::SmartCardHasNoDecrypt.into());
|
||||||
};
|
};
|
||||||
let cardholder_name = format_name(transaction.cardholder_name()?);
|
let cardholder_name = format_name(transaction.cardholder_name()?);
|
||||||
let card_id = transaction.application_identifier()?.ident();
|
let card_id = transaction.application_identifier()?.ident();
|
||||||
|
@ -210,6 +213,6 @@ impl DecryptionHelper for &mut SmartcardManager {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
Err(SmartcardFailure::SmartCardNotFound.into())
|
Err(SmartcardError::SmartCardNotFound.into())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue