signstar_yubihsm2/automation/
command.rs

1//! Scenario commands.
2
3use std::path::PathBuf;
4
5use serde::{Deserialize, Serialize};
6use yubihsm::command::Code;
7
8use crate::{object::Capabilities, object::KeyInfo, object::ObjectId};
9
/// Credentials for opening a session: the authentication key to log in with and the location of
/// its passphrase file.
///
/// Only the path to the passphrase is part of this type, so serializing or debug-printing a
/// value does not include the passphrase itself.
// NOTE(review): the referenced file holds the passphrase; presumably it should be readable only
// by the account that runs the scenario. Confirm where the file is loaded and how it is handled.
#[derive(Debug, Deserialize, Serialize)]
pub struct Auth {
    /// Identifier of the authentication key used to log in.
    pub user: u16,

    /// Path to the file that holds the passphrase of the authenticating user.
    pub passphrase_file: PathBuf,
}
19
/// Audit setting, used both for the device-wide force-audit mode and for per-command auditing.
///
/// The variants are serialized in lowercase (`on`, `off`, `fix`).
#[derive(Clone, Copy, Debug, Deserialize, Serialize)]
#[serde(rename_all = "lowercase")]
pub enum AuditOption {
    /// Auditing is switched on and may be switched off again later.
    On,

    /// Auditing is switched off.
    Off,

    /// Auditing is switched on permanently and can no longer be switched off.
    // NOTE(review): presumably only a factory reset of the device clears this setting; confirm
    // against the device documentation before using it in a scenario.
    Fix,
}
33
impl From<AuditOption> for yubihsm::AuditOption {
    /// Converts the scenario-level audit setting into the `yubihsm` crate's type, variant for
    /// variant.
    fn from(value: AuditOption) -> Self {
        // No wildcard arm: a variant added to `AuditOption` fails to compile here until it is
        // mapped explicitly, so it can never fall through to some default audit setting.
        match value {
            AuditOption::Fix => Self::Fix,
            AuditOption::Off => Self::Off,
            AuditOption::On => Self::On,
        }
    }
}
43
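/// A single command that is atomically executed against a YubiHSM2.
///
/// Several variants are destructive or weaken auditing ([`Command::Reset`],
/// [`Command::Delete`], [`Command::ForceAudit`], [`Command::CommandAudit`]), and several refer to
/// files that hold secrets. A scenario file is therefore as sensitive as the credentials it points
/// to and should be reviewed before it is run.
#[derive(Debug, Deserialize, Serialize)]
pub enum Command {
    /// Query the device state.
    Info,

    /// Reset the device to factory settings and reconnect afterwards.
    ///
    /// Note that this is a destructive operation and the authenticating user will need to have
    /// appropriate capabilities.
    Reset,

    /// Query the command log of the device and print it to standard output.
    GetLog,

    /// Authenticate against the device.
    ///
    /// This command *must* be the first command in the scenario file, as it is not possible to
    /// connect to the device without any credentials.
    Auth(Auth),

    /// Change the force-audit setting.
    ///
    /// When enabled, this mode prevents the device from performing additional operations once its
    /// Logs and Error Codes store is full.
    ///
    /// See [Force Audit](https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/hsm2-core-concepts.html#force-audit) for more details.
    // NOTE(review): with this mode off the device presumably keeps operating on a full log, so
    // entries that were never read may be lost. Confirm against the linked guide.
    ForceAudit(AuditOption),

    /// Change the audit setting of a single command.
    ///
    /// This is used to manage auditing options for specific commands. By default all commands are
    /// logged.
    ///
    /// See [Command Audit](https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/hsm2-core-concepts.html#command-audit) for more details.
    // The variant is named after the device's "command audit" setting, so it repeats the enum
    // name on purpose.
    #[allow(clippy::enum_variant_names)]
    CommandAudit {
        /// The command whose audit setting should be changed.
        command: Code,

        /// New setting value.
        setting: AuditOption,
    },

    /// Put an authentication key on the device.
    ///
    /// This command is used to add new authentication keys.
    PutAuthKey {
        /// The key identity and capabilities.
        #[serde(flatten)]
        info: KeyInfo,

        /// Additional delegated capabilities which would apply to objects that are created or
        /// imported.
        delegated_caps: Capabilities,

        /// The file containing the passphrase of the authenticating user.
        // NOTE(review): this wording matches `Auth::passphrase_file`; presumably the passphrase
        // here belongs to the key being put on the device, not to the user of the current
        // session. Confirm against the code that executes this command.
        passphrase_file: PathBuf,
    },

    /// Generates a new `ed25519` signing key on the device.
    GenerateKey {
        /// The key identity and capabilities.
        #[serde(flatten)]
        info: KeyInfo,
    },

    /// Signs data using the provided `ed25519` key.
    SignEd25519 {
        /// The key to be used for signing.
        key_id: u16,

        /// Raw data blob which should be signed.
        data: Vec<u8>,
    },

    /// Puts a new wrapping key on the device.
    ///
    /// This command is used to add new wrapping keys, which serve as encryption keys for other
    /// objects.
    PutWrapKey {
        /// The key identity and capabilities.
        #[serde(flatten)]
        info: KeyInfo,

        /// Additional delegated capabilities which would apply to objects that are created or
        /// imported.
        delegated_caps: Capabilities,

        /// The file containing the raw value of the wrapping key.
        ///
        /// Despite the field name, this file holds raw key material rather than a passphrase.
        // NOTE(review): anyone who can read this file can presumably decrypt every object
        // exported under this wrapping key; confirm how the file is created and protected.
        passphrase_file: PathBuf,
    },

    /// Export an object under wrap (encrypted).
    ExportWrapped {
        /// Wrapping key which should encrypt the exported object.
        wrap_key_id: u16,

        /// Object that will be exported.
        #[serde(flatten)]
        object: ObjectId,

        /// Output file which will contain the exported object encrypted with the wrapping key.
        wrapped_file: PathBuf,
    },

    /// Imports an object under wrap (encrypted).
    ImportWrapped {
        /// Wrapping key which would decrypt the imported object.
        wrap_key_id: u16,

        /// Input file which contains the imported object encrypted with the wrapping key.
        wrapped_file: PathBuf,
    },

    /// Permanently remove an object from the device.
    Delete(ObjectId),

    /// Query data about the object and print it to standard output.
    GetInfo(ObjectId),
}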