Refactor x509, add more extensions, preliminary PIV command, CRL support

elonen · Aug 22, 2024 · 62650d7 · 62650d7
1 parent 0db3be9
commit 62650d7
Show file tree

Hide file tree

Showing 13 changed files with 1,650 additions and 379 deletions.
diff --git a/hsm-conf.yml b/hsm-conf.yml
diff --git a/hsm_secrets/config.py b/hsm_secrets/config.py
diff --git a/hsm_secrets/hsm/__init__.py b/hsm_secrets/hsm/__init__.py
@@ -286,7 +286,7 @@ def delete_object(ctx: HsmSecretsCtx, obj_ids: tuple, alldevs: bool, force: bool
             not_found = set(obj_ids)
             for id_or_label in obj_ids:
                 try:
-                    id_int = ctx.conf.find_def(id_or_label).id
+                    id_int = ctx.conf.find_def_non_typed(id_or_label).id
                 except KeyError:
                     cli_warn(f"Object '{id_or_label}' not found in the configuration file. Assuming it's raw ID on the device.")
                     id_int = parse_keyid(id_or_label)

diff --git a/hsm_secrets/log/yhsm_log.py b/hsm_secrets/log/yhsm_log.py
@@ -10,7 +10,7 @@ def find_info(id: int, conf: HSMConfig) -> str|None:
     try:
         if id in [0, 0xffff]:
             return None
-        kd = conf.find_def(id)
+        kd = conf.find_def_non_typed(id)
         return kd.label
     except KeyError:
         return "(UNKNOWN)"

diff --git a/hsm_secrets/main.py b/hsm_secrets/main.py
@@ -3,6 +3,7 @@
 
 from hsm_secrets.hsm import cmd_hsm
 from hsm_secrets.log import cmd_log
+from hsm_secrets.piv import cmd_piv
 from hsm_secrets.ssh import cmd_ssh
 from hsm_secrets.tls import cmd_tls
 from hsm_secrets.passwd import cmd_pass
@@ -106,6 +107,7 @@ def cmd_nop(ctx: HsmSecretsCtx):
 cli.add_command(cmd_hsm,  "hsm")
 cli.add_command(cmd_log,  "log")
 cli.add_command(cmd_nop,  "nop")
+cli.add_command(cmd_piv, "piv")
 cli.add_command(cmd_x509, "x509")
 cli.add_command(cmd_user, "user")
 register_repl(cli)

diff --git a/hsm_secrets/passwd/__init__.py b/hsm_secrets/passwd/__init__.py
@@ -6,7 +6,8 @@
 import pyescrypt  # type: ignore [import]
 from mnemonic import Mnemonic
 
-from hsm_secrets.config import HSMConfig, HSMHmacKey, PasswordDerivationRule, PwRotationToken, find_config_items_of_class
+from hsm_secrets.config import HSMConfig, HSMHmacKey, find_config_items_of_class
+HSMConfig.PasswordDerivation.PwdRule.PwdRotationToken
 from hsm_secrets.utils import HsmSecretsCtx, cli_code_info, cli_info, cli_result, group_by_4, open_hsm_session, pass_common_args, secure_display_secret
 from hsm_secrets.yubihsm import HSMSession
 
@@ -108,7 +109,7 @@ def rotate_password(ctx: HsmSecretsCtx, name: list[str]|None, rule: str|None, al
 
         def rotate(name: str|None):
             name_hmac = int.from_bytes(ses.sign_hmac(key_def, name.encode('utf8')), 'big') if name else None
-            rotation = PwRotationToken(name_hmac=name_hmac, nonce=nonce, ts=int(datetime.now().timestamp()))
+            rotation = HSMConfig.PasswordDerivation.PwdRule.PwdRotationToken(name_hmac=name_hmac, nonce=nonce, ts=int(datetime.now().timestamp()))
             name_hmac_str = f"name_hmac: 0x{name_hmac:x}, " if name_hmac else ""
             rotation_str = f"          - {{{name_hmac_str}nonce: 0x{rotation.nonce:x}, ts: {rotation.ts}}}"
             if ctx.quiet:
@@ -125,8 +126,8 @@ def rotate(name: str|None):
 # --- Helpers ---
 
 
-def _find_deriv_rule_and_key(conf: HSMConfig, rule_id: str) -> tuple[PasswordDerivationRule, HSMHmacKey]:
-    rules: list[PasswordDerivationRule] = find_config_items_of_class(conf, PasswordDerivationRule)
+def _find_deriv_rule_and_key(conf: HSMConfig, rule_id: str) -> tuple[HSMConfig.PasswordDerivation.PwdRule, HSMHmacKey]:
+    rules: list[HSMConfig.PasswordDerivation.PwdRule] = find_config_items_of_class(conf, HSMConfig.PasswordDerivation.PwdRule)
     matches = [r for r in rules if r.id == rule_id]
     if not matches:
         raise click.ClickException(f"Derivation rule '{rule_id}' not found in config file.")
@@ -138,7 +139,7 @@ def _find_deriv_rule_and_key(conf: HSMConfig, rule_id: str) -> tuple[PasswordDer
 
 
 
-def _secret_to_password(derived_secret: bytes, rule_def: PasswordDerivationRule) -> str:
+def _secret_to_password(derived_secret: bytes, rule_def: HSMConfig.PasswordDerivation.PwdRule) -> str:
     if rule_def.format == "bip39":
         mnemo = Mnemonic("english")
         secret_padded = derived_secret + b'\x00' * max(128//8 - len(derived_secret), 0)