Merge PR #1784

Yubico · Feb 6, 2025 · afcaf56 · afcaf56
2 parents 41dad78 + d2a1da4
commit afcaf56
Show file tree

Hide file tree

Showing 16 changed files with 223 additions and 52 deletions.
diff --git a/helper/helper/piv.py b/helper/helper/piv.py
@@ -262,26 +262,6 @@ def reset(self):
     def slots(self):
         return SlotsNode(self.session)
 
-    @action(closes_child=False)
-    def examine_file(self, data: bytes, password: str | None = None):
-        try:
-            private_key, certs = _parse_file(data, password)
-            certificate = _choose_cert(certs)
-
-            return dict(
-                status=True,
-                password=password is not None,
-                key_type=(
-                    KEY_TYPE.from_public_key(private_key.public_key())
-                    if private_key
-                    else None
-                ),
-                cert_info=_get_cert_info(certificate),
-            )
-        except InvalidPasswordError:
-            logger.debug("Invalid or missing password", exc_info=True)
-            return dict(status=False)
-
     @action(closes_child=False)
     def validate_rfc4514(self, data: str):
         try:
@@ -347,6 +327,18 @@ def _get_cert_info(cert):
     )
 
 
+def _public_key_match(cert, metadata):
+    if not cert or not metadata:
+        return None
+    slot_public_key = metadata.public_key
+    cert_public_key = cert.public_key()
+    return slot_public_key.public_bytes(
+        encoding=Encoding.DER, format=PublicFormat.SubjectPublicKeyInfo
+    ) == cert_public_key.public_bytes(
+        encoding=Encoding.DER, format=PublicFormat.SubjectPublicKeyInfo
+    )
+
+
 class SlotsNode(RpcNode):
     def __init__(self, session):
         super().__init__()
@@ -383,6 +375,7 @@ def list_children(self):
                 name=slot.name,
                 metadata=_metadata_dict(metadata),
                 cert_info=_get_cert_info(cert),
+                public_key_match=_public_key_match(cert, metadata),
             )
             for slot, (metadata, cert) in self._slots.items()
         }
@@ -459,6 +452,35 @@ def move_key(
         self._refresh()
         return dict()
 
+    @action
+    def examine_file(self, data: bytes, password: str | None = None):
+        try:
+            private_key, certs = _parse_file(data, password)
+            certificate = _choose_cert(certs)
+
+            response = dict(
+                status=True,
+                password=password is not None,
+                key_type=(
+                    KEY_TYPE.from_public_key(private_key.public_key())
+                    if private_key
+                    else None
+                ),
+                cert_info=_get_cert_info(certificate),
+            )
+
+            if self.metadata and certificate and not private_key:
+                # Verify that the public key of a cert matches the
+                # private key in the slot
+                response["public_key_match"] = _public_key_match(
+                    certificate, self.metadata
+                )
+
+            return response
+        except InvalidPasswordError:
+            logger.debug("Invalid or missing password", exc_info=True)
+            return dict(status=False)
+
     @action
     def import_file(self, data: bytes, password: str | None = None, **kwargs):
         try:

diff --git a/lib/desktop/piv/state.dart b/lib/desktop/piv/state.dart
@@ -436,8 +436,12 @@ class _DesktopPivSlotsNotifier extends PivSlotsNotifier {
   }
 
   @override
-  Future<PivExamineResult> examine(String data, {String? password}) async {
-    final result = await _session.command('examine_file', params: {
+  Future<PivExamineResult> examine(SlotId slot, String data,
+      {String? password}) async {
+    final result = await _session.command('examine_file', target: [
+      'slots',
+      slot.hexId
+    ], params: {
       'data': data,
       'password': password,
     });

diff --git a/lib/l10n/app_de.arb b/lib/l10n/app_de.arb
@@ -710,6 +710,7 @@
             "slot": {}
         }
     },
+    "l_warning_public_key_mismatch": null,
     "l_key_moved": "Schlüssel verschoben",
     "l_key_and_certificate_moved": "Schlüssel und Zertifikat verschoben",
     "p_subject_desc": "Distinguished Name (DN) RFC 4514 konform formatiert.",

diff --git a/lib/l10n/app_en.arb b/lib/l10n/app_en.arb
@@ -710,6 +710,7 @@
             "slot": {}
         }
     },
+    "l_warning_public_key_mismatch": "The public key of the certificate does not match the private key in the slot",
     "l_key_moved": "Key moved",
     "l_key_and_certificate_moved": "Key and certificate moved",
     "p_subject_desc": "A distinguished name (DN) formatted in accordance to the RFC 4514 specification.",

diff --git a/lib/l10n/app_fr.arb b/lib/l10n/app_fr.arb
@@ -710,6 +710,7 @@
             "slot": {}
         }
     },
+    "l_warning_public_key_mismatch": null,
     "l_key_moved": "Clé déplacée",
     "l_key_and_certificate_moved": "Clé et certificat déplacés",
     "p_subject_desc": "DN (nom distinctif) formaté conformément à la spécification RFC 4514.",

diff --git a/lib/l10n/app_ja.arb b/lib/l10n/app_ja.arb
@@ -710,6 +710,7 @@
             "slot": {}
         }
     },
+    "l_warning_public_key_mismatch": null,
     "l_key_moved": "キーを移動しました",
     "l_key_and_certificate_moved": "キーと証明書が移動されました",
     "p_subject_desc": "RFC 4514仕様に準拠した形式の識別名（DN）。",

diff --git a/lib/l10n/app_pl.arb b/lib/l10n/app_pl.arb
@@ -710,6 +710,7 @@
             "slot": {}
         }
     },
+    "l_warning_public_key_mismatch": null,
     "l_key_moved": "Klucz został przeniesiony",
     "l_key_and_certificate_moved": "Klucz i certyfikat został przeniesiony",
     "p_subject_desc": "Nazwa wyróżniająca (DN) sformatowana zgodnie ze specyfikacją RFC 4514.",

diff --git a/lib/l10n/app_sk.arb b/lib/l10n/app_sk.arb
@@ -710,6 +710,7 @@
             "slot": {}
         }
     },
+    "l_warning_public_key_mismatch": null,
     "l_key_moved": "Kľúč bol presunutý",
     "l_key_and_certificate_moved": "Kľúč a certifikát boli presunuté",
     "p_subject_desc": "Rozlišujúci názov (DN) naformátovaný v súlade so špecifikáciou RFC 4514.",

diff --git a/lib/l10n/app_vi.arb b/lib/l10n/app_vi.arb
@@ -710,6 +710,7 @@
             "slot": {}
         }
     },
+    "l_warning_public_key_mismatch": null,
     "l_key_moved": "Khóa đã được di chuyển",
     "l_key_and_certificate_moved": "Khóa và chứng chỉ đã được di chuyển",
     "p_subject_desc": "Tên phân biệt (DN) được định dạng theo tiêu chuẩn RFC 4514.",

diff --git a/lib/piv/models.dart b/lib/piv/models.dart
@@ -307,6 +307,7 @@ class PivSlot with _$PivSlot {
     required SlotId slot,
     SlotMetadata? metadata,
     CertInfo? certInfo,
+    bool? publicKeyMatch,
   }) = _PivSlot;
 
   factory PivSlot.fromJson(Map<String, dynamic> json) =>
@@ -319,6 +320,7 @@ class PivExamineResult with _$PivExamineResult {
     required bool password,
     required KeyType? keyType,
     required CertInfo? certInfo,
+    bool? publicKeyMatch,
   }) = _ExamineResult;
   factory PivExamineResult.invalidPassword() = _InvalidPassword;