fix api leaking private type
This commit is contained in:
parent
4e14d265b8
commit
822cebd6ff
GPG Key ID:
E81D8382DC2F971B
@ -1,6 +1,5 @@
|
||||
use crate::{
|
||||
AuthenticatorOptions, FidoAssertionRequestBuilder,
|
||||
FidoCredentialRequest,
|
||||
FidoAssertionRequest, FidoAssertionRequestBuilder, FidoCredentialRequest,
|
||||
};
|
||||
use crate::{FidoCredential, FidoDevice, FidoErrorKind, FidoResult};
|
||||
use cbor_codec::value::{Bytes, Int, Key, Text, Value};
|
||||
@ -13,7 +12,7 @@ use rust_crypto::mac::Mac;
|
||||
use rust_crypto::sha2::Sha256;
|
||||
use std::collections::BTreeMap;
|
||||
use std::io::Cursor;
|
||||
use std::iter::FromIterator;
|
||||
|
||||
|
||||
pub trait HmacExtension {
|
||||
fn extension_name() -> &'static str {
|
||||
@ -40,8 +39,10 @@ pub trait HmacExtension {
|
||||
|
||||
/// Convenience function to create an credential which includes extension specific data
|
||||
/// Use `FidoDevice::make_credential` if you need more control
|
||||
fn make_hmac_credential(&mut self, request: FidoCredentialRequest) -> FidoResult<FidoCredential>;
|
||||
|
||||
fn make_hmac_credential(
|
||||
&mut self,
|
||||
request: &FidoCredentialRequest,
|
||||
) -> FidoResult<FidoCredential>;
|
||||
|
||||
/// Request an assertion from the authenticator for a given credential and salt(s).
|
||||
/// at least one `salt` must be provided, consider using a hashing function like SHA256
|
||||
@ -53,13 +54,11 @@ pub trait HmacExtension {
|
||||
/// provided, and will fail if a PIN is required but not provided or if the
|
||||
/// device returns malformed data.
|
||||
///
|
||||
fn get_hmac_assertion<'a>(
|
||||
fn get_hmac_assertion<'a: 'b, 'b>(
|
||||
&mut self,
|
||||
rp_id: &str,
|
||||
credentials: &'a [&'a FidoCredential],
|
||||
assertion: &FidoAssertionRequest<'a, 'b>,
|
||||
salt: &[u8; 32],
|
||||
salt2: Option<&[u8; 32]>,
|
||||
options: Option<AuthenticatorOptions>,
|
||||
) -> FidoResult<(&'a FidoCredential, ([u8; 32], Option<[u8; 32]>))>;
|
||||
|
||||
/// Convenience function for `get_hmac_assertion` that will accept arbitrary
|
||||
@ -75,11 +74,13 @@ pub trait HmacExtension {
|
||||
digest.input(input);
|
||||
digest.result(&mut salt);
|
||||
self.get_hmac_assertion(
|
||||
rp_id,
|
||||
&[credential],
|
||||
&FidoAssertionRequestBuilder::default()
|
||||
.rp_id(rp_id)
|
||||
.credential(&credential)
|
||||
.build()
|
||||
.unwrap(),
|
||||
&salt,
|
||||
None,
|
||||
Some(AuthenticatorOptions { uv: true, rk: true, up: false }),
|
||||
)
|
||||
.map(|(_cred, secret)| secret.0)
|
||||
}
|
||||
@ -138,43 +139,35 @@ impl HmacExtension for FidoDevice {
|
||||
Ok(Value::Map(map))
|
||||
}
|
||||
|
||||
fn make_hmac_credential(&mut self, request: FidoCredentialRequest) -> FidoResult<FidoCredential> {
|
||||
let mut request = request;
|
||||
fn make_hmac_credential(
|
||||
&mut self,
|
||||
request: &FidoCredentialRequest,
|
||||
) -> FidoResult<FidoCredential> {
|
||||
let mut request = request.clone();
|
||||
request.rk = true;
|
||||
request.extension_data.insert(<Self as HmacExtension>::extension_name(), <Self as HmacExtension>::extension_input());
|
||||
request.extension_data.insert(
|
||||
<Self as HmacExtension>::extension_name(),
|
||||
<Self as HmacExtension>::extension_input(),
|
||||
);
|
||||
self.make_credential(&request)
|
||||
}
|
||||
|
||||
fn get_hmac_assertion<'a>(
|
||||
fn get_hmac_assertion<'a: 'b, 'b>(
|
||||
&mut self,
|
||||
rp_id: &str,
|
||||
credentials: &'a [&'a FidoCredential],
|
||||
request: &FidoAssertionRequest<'a, 'b>,
|
||||
salt: &[u8; 32],
|
||||
salt2: Option<&[u8; 32]>,
|
||||
options: Option<AuthenticatorOptions>,
|
||||
) -> FidoResult<(&'a FidoCredential, ([u8; 32], Option<[u8; 32]>))> {
|
||||
while self.shared_secret.is_none() {
|
||||
self.init_shared_secret()?;
|
||||
}
|
||||
let ext_data: Value = self.get_data(salt, salt2)?;
|
||||
let mut request = request.clone();
|
||||
request
|
||||
.extension_data
|
||||
.insert(<Self as HmacExtension>::extension_name(), &ext_data);
|
||||
|
||||
let ext_data: BTreeMap<&str, &Value> = BTreeMap::from_iter(
|
||||
[(<Self as HmacExtension>::extension_name(), &ext_data)]
|
||||
.iter()
|
||||
.cloned(),
|
||||
);
|
||||
|
||||
let mut builder = FidoAssertionRequestBuilder::default()
|
||||
.credentials(credentials)
|
||||
.rp_id(rp_id)
|
||||
.extension_data(ext_data);
|
||||
|
||||
if let Some(opts) = options {
|
||||
builder = builder.uv(opts.uv).up(opts.up);
|
||||
}
|
||||
|
||||
let (cred, auth_data) =
|
||||
self.get_assertion(&builder.build().unwrap())?;
|
||||
let (cred, auth_data) = self.get_assertion(&request)?;
|
||||
let shared_secret = self.shared_secret.as_ref().unwrap();
|
||||
let mut decryptor = shared_secret.decryptor();
|
||||
let mut hmac_secret_combined = [0u8; 64];
|
||||
@ -206,7 +199,11 @@ impl HmacExtension for FidoDevice {
|
||||
let mut hmac_secret_1 = [0u8; 32];
|
||||
hmac_secret_0.copy_from_slice(&hmac_secret[0..32]);
|
||||
hmac_secret_1.copy_from_slice(&hmac_secret[32..]);
|
||||
let cred = credentials.into_iter().find(|c| c.id == cred.id).unwrap();
|
||||
let cred = request
|
||||
.credentials
|
||||
.into_iter()
|
||||
.find(|c| c.id == cred.id)
|
||||
.unwrap();
|
||||
Ok((cred, (hmac_secret_0, salt2.and(Some(hmac_secret_1)))))
|
||||
}
|
||||
}
|
||||
|
||||
12
src/lib.rs
12
src/lib.rs
@ -217,7 +217,7 @@ impl<'a> FidoCredentialRequest<'a> {
|
||||
#[derive(Clone, Debug, Builder)]
|
||||
#[builder(setter(into))]
|
||||
#[builder(pattern = "owned")]
|
||||
pub struct FidoAssertionRequest<'a> {
|
||||
pub struct FidoAssertionRequest<'a, 'b> {
|
||||
#[builder(default)]
|
||||
up: bool,
|
||||
#[builder(default)]
|
||||
@ -232,16 +232,16 @@ pub struct FidoAssertionRequest<'a> {
|
||||
#[builder(default = "&[0u8; 32]")]
|
||||
client_data_hash: &'a [u8],
|
||||
#[builder(default)]
|
||||
extension_data: BTreeMap<&'a str, &'a cbor_codec::value::Value>,
|
||||
extension_data: BTreeMap<&'b str, &'b cbor_codec::value::Value>,
|
||||
}
|
||||
|
||||
impl<'a> FidoAssertionRequest<'a> {
|
||||
impl<'a, 'b> FidoAssertionRequest<'a, 'b> {
|
||||
pub fn get_assertion(&self, device: &mut FidoDevice) -> FidoResult<&'a FidoCredential> {
|
||||
device.get_assertion(self).map(|res| res.0)
|
||||
}
|
||||
}
|
||||
|
||||
impl<'a> FidoAssertionRequestBuilder<'a> {
|
||||
impl<'a, 'b> FidoAssertionRequestBuilder<'a, 'b> {
|
||||
pub fn credential(mut self, credential: &'a &'a FidoCredential) -> Self {
|
||||
self.credentials = Some(std::slice::from_ref(credential));
|
||||
self
|
||||
@ -458,9 +458,9 @@ impl FidoDevice {
|
||||
/// This method will fail if a PIN is required but the device is not
|
||||
/// unlocked or if the device returns malformed data.
|
||||
|
||||
pub fn get_assertion<'a>(
|
||||
pub fn get_assertion<'a, 'b>(
|
||||
&mut self,
|
||||
assertion: &FidoAssertionRequest<'a>,
|
||||
assertion: &FidoAssertionRequest<'a, 'b>,
|
||||
) -> FidoResult<(&'a FidoCredential, AuthenticatorData)> {
|
||||
while self.shared_secret.is_none() {
|
||||
self.init_shared_secret()?;
|
||||
|
||||
@ -1,7 +1,11 @@
|
||||
use crate::cbor::AuthenticatorData;
|
||||
use crate::{FidoAssertionRequest, FidoCredentialRequest, FidoCredential, FidoDevice, FidoErrorKind, FidoResult};
|
||||
#[cfg(feature = "request_multiple")]
|
||||
use crate::{
|
||||
cbor::AuthenticatorData, FidoAssertionRequest, FidoCredential, FidoCredentialRequest,
|
||||
FidoDevice, FidoErrorKind, FidoResult,
|
||||
};
|
||||
#[cfg(feature = "request_multiple")]
|
||||
use crossbeam::thread;
|
||||
#[cfg(feature = "request_multiple")]
|
||||
use std::sync::mpsc::channel;
|
||||
|
||||
#[cfg(feature = "request_multiple")]
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user