Add explicit support for identities stored on hardware keys (like Yubikey)

yoavamit · yoavamit · commit 06f426b6dccc · 2021-06-10T12:14:55.000-04:00
Since Apple no longer support enumerating certificates stored on hardware keys in the Keychain Access application,
this PR explicitly tries enumerate certificates stored in the "signature" slot for hardware keys that support PIV applets.

Implementation details:
- The hardware key PIN is prompted for at the beginning to make sure we don't interfere with the output git expects while signing
- To make this as easy as possible, this PR adds a new struct called `PivIdentity` which implements `certstore.Identity` interface
- The `PivIdentity` struct has an open handle to a `*piv.Yubikey` and needs to be closed properly when done using it
diff --git a/command_sign.go b/command_sign.go
@@ -23,11 +23,6 @@ func commandSign() error {
 		return fmt.Errorf("could not find identity matching specified user-id: %s", *localUserOpt)
 	}
 
-	// Git is looking for "\n[GNUPG:] SIG_CREATED ", meaning we need to print a
-	// line before SIG_CREATED. BEGIN_SIGNING seems appropraite. GPG emits this,
-	// though GPGSM does not.
-	sBeginSigning.emit()
-
 	cert, err := userIdent.Certificate()
 	if err != nil {
 		return errors.Wrap(err, "failed to get idenity certificate")
@@ -60,6 +55,10 @@ func commandSign() error {
 	if err = sd.Sign([]*x509.Certificate{cert}, signer); err != nil {
 		return errors.Wrap(err, "failed to sign message")
 	}
+	// Git is looking for "\n[GNUPG:] SIG_CREATED ", meaning we need to print a
+	// line before SIG_CREATED. BEGIN_SIGNING seems appropraite. GPG emits this,
+	// though GPGSM does not.
+	sBeginSigning.emit()
 	if *detachSignFlag {
 		sd.Detached()
 	}
diff --git a/command_sign_test.go b/command_sign_test.go
@@ -4,8 +4,8 @@ import (
 	"crypto/x509"
 	"testing"
 
-	"github.com/github/ietf-cms/protocol"
 	"github.com/github/ietf-cms"
+	"github.com/github/ietf-cms/protocol"
 	"github.com/stretchr/testify/require"
 )
 
diff --git a/go.mod b/go.mod
@@ -8,9 +8,11 @@ require (
 	github.com/github/certstore v0.1.0
 	github.com/github/fakeca v0.1.0
 	github.com/github/ietf-cms v0.1.0
+	github.com/go-piv/piv-go v1.7.0 // indirect
 	github.com/pborman/getopt v0.0.0-20180811024354-2b5b3bfb099b
 	github.com/pkg/errors v0.8.1
 	github.com/pmezard/go-difflib v1.0.0
 	github.com/stretchr/testify v1.3.0
 	golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734
+	golang.org/x/term v0.0.0-20210503060354-a79de5458b56 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -9,6 +9,8 @@ github.com/github/fakeca v0.1.0 h1:Km/MVOFvclqxPM9dZBC4+QE564nU4gz4iZ0D9pMw28I=
 github.com/github/fakeca v0.1.0/go.mod h1:+bormgoGMMuamOscx7N91aOuUST7wdaJ2rNjeohylyo=
 github.com/github/ietf-cms v0.1.0 h1:D+O9re6xDeWTYRpAFTfM0dm5NqJUcXZKFGOQg5Iq6Ls=
 github.com/github/ietf-cms v0.1.0/go.mod h1:eJEmhqWUqjpuS6OoXiqtuTmzOx4u81npQrXOzt/sPqo=
+github.com/go-piv/piv-go v1.7.0 h1:rfjdFdASfGV5KLJhSjgpGJ5lzVZVtRWn8ovy/H9HQ/U=
+github.com/go-piv/piv-go v1.7.0/go.mod h1:ON2WvQncm7dIkCQ7kYJs+nc3V4jHGfrrJnSF8HKy7Gk=
 github.com/pborman/getopt v0.0.0-20180811024354-2b5b3bfb099b h1:K1wa7ads2Bu1PavI6LfBRMYSy6Zi+Rky0OhWBfrmkmY=
 github.com/pborman/getopt v0.0.0-20180811024354-2b5b3bfb099b/go.mod h1:85jBQOZwpVEaDAr341tbn15RS4fCAsIst0qp7i8ex1o=
 github.com/pkg/errors v0.8.0 h1:WdK/asTD0HN+q6hsWO3/vpuAkAr+tw6aNJNDFFf0+qw=
@@ -27,4 +29,8 @@ golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68 h1:nxC68pudNYkKU6jWhgrqdreuFiOQWj1Fs7T3VrH4Pjw=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/term v0.0.0-20210503060354-a79de5458b56 h1:b8jxX3zqjpqb2LklXPzKSGJhzyxCOZSz8ncv8Nv+y7w=
+golang.org/x/term v0.0.0-20210503060354-a79de5458b56/go.mod h1:tfny5GFUkzUvx4ps4ajbZsCe5lw1metzhBm9T3x7oIY=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
diff --git a/main.go b/main.go
@@ -80,10 +80,22 @@ func runCommand() error {
 	defer store.Close()
 
 	// Get list of identities
-	idents, err = store.Identities()
+	pivIdents, err := PivIdentities()
+	if err != nil {
+		fmt.Fprintln(os.Stderr, "skipping hardware keys")
+	}
+	for _, pivIdent := range pivIdents {
+		idents = append(idents, &pivIdent)
+	}
+
+	storeIdents, err := store.Identities()
 	if err != nil {
 		return errors.Wrap(err, "failed to get identities from certificate store")
 	}
+	for _, ident := range storeIdents {
+		idents = append(idents, ident)
+	}
+
 	for _, ident := range idents {
 		defer ident.Close()
 	}
diff --git a/pinentry/pinentry.go b/pinentry/pinentry.go
@@ -0,0 +1,129 @@
+package pinentry
+
+import (
+	"bufio"
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"strings"
+)
+
+// Pinentry gets the PIN from the user to access the smart card or hardware key
+type Pinentry struct {
+	path string
+}
+
+// NewPinentry initializes the pinentry program used to get the PIN
+func NewPinentry() (*Pinentry, error) {
+	fromEnv := os.Getenv("SMIMESIGM_PINENTRY")
+	if len(fromEnv) > 0 {
+		pinentryFromEnv, err := exec.LookPath(fromEnv)
+		if err == nil && len(pinentryFromEnv) > 0 {
+			return &Pinentry{path: pinentryFromEnv}, nil
+		}
+	}
+
+	executables := pinentryPaths()
+	for _, programName := range executables {
+		pinentry, err := exec.LookPath(programName)
+		if err == nil && len(pinentry) > 0 {
+			return &Pinentry{path: pinentry}, nil
+		}
+	}
+
+	return nil, fmt.Errorf("failed to find suitable program to enter pin")
+}
+
+// Get executes the pinentry program and returns the PIN entered by the user
+// see https://www.gnupg.org/documentation/manuals/assuan/Introduction.html for more details
+func (pin *Pinentry) Get(prompt string) (string, error) {
+	cmd := exec.Command(pin.path)
+	stdin, err := cmd.StdinPipe()
+	if err != nil {
+		return "", err
+	}
+
+	stdout, err := cmd.StdoutPipe()
+	if err != nil {
+		return "", err
+	}
+
+	err = cmd.Start()
+	if err != nil {
+		return "", err
+	}
+
+	bufferReader := bufio.NewReader(stdout)
+	lineBytes, _, err := bufferReader.ReadLine()
+	if err != nil {
+		return "", err
+	}
+
+	line := string(lineBytes)
+	if !strings.HasPrefix(line, "OK") {
+		return "", fmt.Errorf("failed to initialize pinentry, got response: %v", line)
+	}
+
+	terminal := os.Getenv("TERM")
+	if len(terminal) > 0 {
+		if ok := setOption(stdin, bufferReader, fmt.Sprintf("OPTION ttytype=%s\n", terminal)); !ok {
+			return "", fmt.Errorf("failed to set ttytype")
+		}
+	}
+
+	if ok := setOption(stdin, bufferReader, fmt.Sprintf("OPTION ttyname=%v\n", tty())); !ok {
+		return "", fmt.Errorf("failed to set ttyname")
+	}
+
+	if ok := setOption(stdin, bufferReader, "SETPROMPT PIN:\n"); !ok {
+		return "", fmt.Errorf("failed to set prompt")
+	}
+	if ok := setOption(stdin, bufferReader, "SETTITLE smimesign\n"); !ok {
+		return "", fmt.Errorf("failed to set title")
+	}
+	if ok := setOption(stdin, bufferReader, fmt.Sprintf("SETDESC %s\n", prompt)); !ok {
+		return "", fmt.Errorf("failed to set description")
+	}
+
+	_, err = fmt.Fprint(stdin, "GETPIN\n")
+	if err != nil {
+		return "", err
+	}
+
+	lineBytes, _, err = bufferReader.ReadLine()
+	if err != nil {
+		return "", err
+	}
+
+	line = string(lineBytes)
+
+	_, err = fmt.Fprint(stdin, "BYE\n")
+	if err != nil {
+		return "", err
+	}
+
+	if err = cmd.Wait(); err != nil {
+		return "", err
+	}
+
+	if !strings.HasPrefix(line, "D ") {
+		return "", fmt.Errorf(line)
+	}
+
+	return strings.TrimPrefix(line, "D "), nil
+}
+
+func setOption(writer io.Writer, bufferedReader *bufio.Reader, option string) bool {
+	_, err := fmt.Fprintf(writer, option)
+	lineBytes, _, err := bufferedReader.ReadLine()
+	if err != nil {
+		return false
+	}
+
+	line := string(lineBytes)
+	if !strings.HasPrefix(line, "OK") {
+		return false
+	}
+	return true
+}
diff --git a/pinentry/pinentry_darwin.go b/pinentry/pinentry_darwin.go
@@ -0,0 +1,13 @@
+package pinentry
+
+func pinentryPaths() []string {
+	return []string{
+		"pinentry-mac",
+		"pinentry-curses",
+		"pinentry",
+	}
+}
+
+func tty() string {
+	return "/dev/tty"
+}
diff --git a/pinentry/pinentry_linux.go b/pinentry/pinentry_linux.go
@@ -0,0 +1,17 @@
+package pinentry
+
+func pinentryPaths() []string {
+	// there are many flavours for the GnuPG pinentry program for different linux distros
+	// this is a non-exhaustive list of some common implementations
+	return []string{
+		"pinentry-gnome3",
+		"pinentry-gtk",
+		"pinentry-qy",
+		"pinentry-tty",
+		"pinentry",
+	}
+}
+
+func tty() string {
+	return "/dev/tty"
+}
diff --git a/pinentry/pinentry_windows.go b/pinentry/pinentry_windows.go
@@ -0,0 +1,14 @@
+package pinentry
+
+func pinentryPaths() []string {
+	return []string{
+		"pinentry-gtk-2.exe",
+		"pinentry-qt4.exe",
+		"pinentry-w32.exe",
+		"pinentry.exe",
+	}
+}
+
+func tty() string {
+	return "windows"
+}
diff --git a/piv_identity.go b/piv_identity.go
@@ -0,0 +1,113 @@
+package main
+
+import (
+	"crypto"
+	"crypto/x509"
+	"fmt"
+	"io"
+
+	"github.com/github/certstore"
+	"github.com/github/smimesign/pinentry"
+	"github.com/go-piv/piv-go/piv"
+	"github.com/pkg/errors"
+)
+
+// PivIdentities enumerates identities stored in the signature slot inside hardware keys
+func PivIdentities() ([]PivIdentity, error) {
+	cards, err := piv.Cards()
+	if err != nil {
+		return nil, err
+	}
+	var identities []PivIdentity
+	for _, card := range cards {
+		yk, err := piv.Open(card)
+		if err != nil {
+			continue
+		}
+		cert, err := yk.Certificate(piv.SlotSignature)
+		if err != nil {
+			continue
+		}
+		if cert != nil {
+			ident := PivIdentity{card: card, yk: yk}
+			identities = append(identities, ident)
+		}
+	}
+	return identities, nil
+}
+
+// PivIdentity is an entity identity stored in a hardware key PIV applet
+type PivIdentity struct {
+	card string
+	//pin  string
+	yk *piv.YubiKey
+}
+
+var _ certstore.Identity = (*PivIdentity)(nil)
+var _ crypto.Signer = (*PivIdentity)(nil)
+
+// Certificate implements the certstore.Identity interface
+func (ident *PivIdentity) Certificate() (*x509.Certificate, error) {
+	return ident.yk.Certificate(piv.SlotSignature)
+}
+
+// CertificateChain implements the certstore.Identity interface
+func (ident *PivIdentity) CertificateChain() ([]*x509.Certificate, error) {
+	cert, err := ident.Certificate()
+	if err != nil {
+		return nil, err
+	}
+
+	return []*x509.Certificate{cert}, nil
+}
+
+// Signer implements the certstore.Identity interface
+func (ident *PivIdentity) Signer() (crypto.Signer, error) {
+	return ident, nil
+}
+
+// Delete implements the certstore.Identity interface
+func (ident *PivIdentity) Delete() error {
+	panic("deleting identities on PIV applet is not supported")
+}
+
+// Close implements the certstore.Identity interface
+func (ident *PivIdentity) Close() {
+	_ = ident.yk.Close()
+}
+
+// Public implements the crypto.Signer interface
+func (ident *PivIdentity) Public() crypto.PublicKey {
+	cert, err := ident.Certificate()
+	if err != nil {
+		return nil
+	}
+
+	return cert.PublicKey
+}
+
+// Sign implements the crypto.Signer interface
+func (ident *PivIdentity) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
+	entry, err := pinentry.NewPinentry()
+	if err != nil {
+		return nil, err
+	}
+
+	pin, err := entry.Get(fmt.Sprintf("Enter PIN for \"%v\"", ident.card))
+	if err != nil {
+		return nil, err
+	}
+	private, err := ident.yk.PrivateKey(piv.SlotSignature, ident.Public(), piv.KeyAuth{
+		PIN: pin,
+	})
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to get private key for signing")
+	}
+
+	switch private.(type) {
+	case *piv.ECDSAPrivateKey:
+		return private.(*piv.ECDSAPrivateKey).Sign(rand, digest, opts)
+	default:
+		return nil, fmt.Errorf("invalid key type")
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -4,8 +4,8 @@ import (`
`4`	`4`	`"crypto/x509"`
`5`	`5`	`"testing"`
`6`	`6`
`7`		`- "github.com/github/ietf-cms/protocol"`
`8`	`7`	`"github.com/github/ietf-cms"`
	`8`	`+ "github.com/github/ietf-cms/protocol"`
`9`	`9`	`"github.com/stretchr/testify/require"`
`10`	`10`	`)`
`11`	`11`