[WIP] Implement smartcard section form save/load_device.

Author: AureliaDolo

Cargo.lock

@@ -99,6 +99,7 @@ libparsec_platform_device_loader = { path = "libparsec/crates/platform_device_lo
 libparsec_platform_http_proxy = { path = "libparsec/crates/platform_http_proxy", default-features = false }
 libparsec_platform_ipc = { path = "libparsec/crates/platform_ipc", default-features = false }
 libparsec_platform_mountpoint = { path = "libparsec/crates/platform_mountpoint", default-features = false }
+libparsec_platform_pki = { path = "libparsec/crates/platform_pki", default-features = false }
 libparsec_platform_realm_export = { path = "libparsec/crates/platform_realm_export", default-features = false }
 libparsec_platform_storage = { path = "libparsec/crates/platform_storage", default-features = false }
 libparsec_protocol = { path = "libparsec/crates/protocol", default-features = false }

Cargo.toml

@@ -53,9 +53,13 @@ pub async fn main(args: Args) -> anyhow::Result<()> {
             }
         }
 
-        AvailableDeviceType::Smartcard => DeviceAccessStrategy::Smartcard {
-            key_file: device.key_file_path.clone(),
-        },
+        AvailableDeviceType::Smartcard => {
+            todo!("read smartcard");
+            DeviceAccessStrategy::Smartcard {
+                certificate_reference: todo!(),
+                key_file: device.key_file_path.clone(),
+            }
+        }
 
         AvailableDeviceType::Keyring => DeviceAccessStrategy::Keyring {
             key_file: device.key_file_path.clone(),

cli/src/commands/device/change_authentication.rs

@@ -34,6 +34,7 @@ pub async fn main(args: Args) -> anyhow::Result<()> {
 
         AvailableDeviceType::Smartcard => DeviceAccessStrategy::Smartcard {
             key_file: device.key_file_path.clone(),
+            certificate_reference: todo!("read smartcard"),
         },
 
         AvailableDeviceType::Keyring => DeviceAccessStrategy::Keyring {

cli/src/commands/device/overwrite_server_url.rs

@@ -248,6 +248,7 @@ pub async fn load_and_unlock_device(
         }
         AvailableDeviceType::Smartcard => DeviceAccessStrategy::Smartcard {
             key_file: device.key_file_path.clone(),
+            certificate_reference: todo!("read smartcard"),
         },
         AvailableDeviceType::Keyring => DeviceAccessStrategy::Keyring {
             key_file: device.key_file_path.clone(),

cli/src/utils.rs

@@ -18,6 +18,7 @@ vendored-dbus = ["keyring/vendored"]
 [dependencies]
 libparsec_crypto = { workspace = true }
 libparsec_platform_async = { workspace = true }
+libparsec_platform_pki = { workspace = true }
 libparsec_testbed = { workspace = true, optional = true }
 libparsec_types = { workspace = true }
 

libparsec/crates/platform_device_loader/Cargo.toml

@@ -6,13 +6,13 @@ use libparsec_platform_async::future::FutureExt as _;
 use std::path::{Path, PathBuf};
 use uuid::Uuid;
 
-use libparsec_types::prelude::*;
-
 use crate::{
-    get_device_archive_path, ArchiveDeviceError, ListAvailableDeviceError, LoadCiphertextKeyError,
-    LoadDeviceError, ReadFileError, RemoveDeviceError, SaveDeviceError, UpdateDeviceError,
-    DEVICE_FILE_EXT,
+    encrypt_device, get_device_archive_path, ArchiveDeviceError, ListAvailableDeviceError,
+    LoadCiphertextKeyError, LoadDeviceError, ReadFileError, RemoveDeviceError, SaveDeviceError,
+    UpdateDeviceError, DEVICE_FILE_EXT,
 };
+use libparsec_platform_pki::{decrypt_secret_key, encrypt_secret_key};
+use libparsec_types::prelude::*;
 
 const KEYRING_SERVICE: &str = "parsec";
 
@@ -152,9 +152,16 @@ pub(super) async fn load_ciphertext_key(
             Ok(key)
         }
 
-        (DeviceAccessStrategy::Smartcard { .. }, DeviceFile::Smartcard(_)) => {
-            todo!("Load smartcard device")
-        }
+        (
+            DeviceAccessStrategy::Smartcard {
+                certificate_reference,
+                ..
+            },
+            DeviceFile::Smartcard(device),
+        ) => Ok(
+            decrypt_secret_key(&device.encrypted_key, certificate_reference)
+                .map_err(|_| LoadCiphertextKeyError::InvalidData)?,
+        ),
 
         (
             DeviceAccessStrategy::AccountVault { ciphertext_key, .. },
@@ -303,8 +310,48 @@ pub(super) async fn save_device(
             save_content(key_file, &file_content).await?;
         }
 
-        DeviceAccessStrategy::Smartcard { .. } => {
-            todo!("Save smartcard device")
+        DeviceAccessStrategy::Smartcard {
+            key_file,
+            certificate_reference,
+        } => {
+            // Generate a random key
+            let secret_key = SecretKey::generate();
+
+            // Encrypt the key using the public key related to a certificate from the store
+
+            let (encrypted_key, certificate_id, certificate_sha1) =
+                encrypt_secret_key(&secret_key, certificate_reference)
+                    .map_err(|e| SaveDeviceError::Internal(e.into()))?;
+
+            // May check if we are able to decrypt the encrypted key from the previous step
+            assert_eq!(
+                decrypt_secret_key(&encrypted_key, certificate_reference)
+                    .map_err(|e| SaveDeviceError::Internal(e.into()))?,
+                secret_key
+            );
+
+            // Use the generated key to encrypt the device content
+            let ciphertext = encrypt_device(device, &secret_key);
+
+            // Save
+            let file_content = DeviceFile::Smartcard(DeviceFileSmartcard {
+                created_on,
+                protected_on,
+                server_url: server_url.clone(),
+                organization_id: device.organization_id().to_owned(),
+                user_id: device.user_id,
+                device_id: device.device_id,
+                human_handle: device.human_handle.to_owned(),
+                device_label: device.device_label.to_owned(),
+                certificate_id,
+                certificate_sha1: Some(Bytes::copy_from_slice(certificate_sha1.as_ref())),
+                encrypted_key,
+                ciphertext,
+            });
+
+            let file_content = file_content.dump();
+
+            save_content(key_file, &file_content).await?;
         }
 
         DeviceAccessStrategy::AccountVault {

libparsec/crates/platform_device_loader/src/native/mod.rs

@@ -342,9 +342,12 @@ pub(crate) fn maybe_load_device(
                         }
                     }
                     (
-                        DeviceAccessStrategy::Smartcard { key_file: kf },
-                        DeviceAccessStrategy::Smartcard { key_file: c_kf },
-                    ) if c_kf == kf => Some(Ok(c_device.to_owned())),
+                        DeviceAccessStrategy::Smartcard { key_file: kf, .. },
+                        DeviceAccessStrategy::Smartcard { key_file: c_kf, .. },
+                    ) if c_kf == kf => {
+                        todo!("compare certificate reference");
+                        //Some(Ok(c_device.to_owned()))
+                    }
                     (
                         DeviceAccessStrategy::Keyring { key_file: kf },
                         DeviceAccessStrategy::Keyring { key_file: c_kf },

libparsec/crates/platform_device_loader/src/testbed.rs

@@ -165,7 +165,7 @@ async fn list_devices(tmp_path: TmpPath) {
             .parse()
             .unwrap(),
         device_label: "PC1".parse().unwrap(),
-        certificate_id: "Mallory's certificate".to_string(),
+        certificate_id: "Mallory's certificate".into(),
         certificate_sha1: Some(
             hex!("4682e01bc3e22fdfff1c33b551dfad8e49295005")
                 .as_ref()

libparsec/crates/platform_device_loader/tests/units/list.rs

@@ -15,6 +15,9 @@ workspace = true
 thiserror = { workspace = true }
 bytes = { workspace = true }
 
+libparsec_crypto = { workspace = true }
+
+
 [target.'cfg(target_os = "windows")'.dependencies]
 schannel = { workspace = true }
 windows-sys = { workspace = true, features = ["Win32_Security_Cryptography_UI"] }