shimun/ctap
1
0
Fork 0
Code Issues Pull Requests 1 Releases Wiki Activity

Compare commits

base: shimun:0.4.0
Branches Tags
shimun:master shimun:tolerate_unknown shimun:serde_cbor shimun:2.1 shimun:instant_timeout shimun:assert_multiple shimun:ctap_hmac shimun:builder shimun:assert_mul shimun:hmac_ext
shimun:0.4.1 shimun:0.4.0 shimun:0.3.0
..
compare: shimun:builder
Branches Tags
shimun:master shimun:tolerate_unknown shimun:serde_cbor shimun:2.1 shimun:instant_timeout shimun:assert_multiple shimun:ctap_hmac shimun:builder shimun:assert_mul shimun:hmac_ext
shimun:0.4.1 shimun:0.4.0 shimun:0.3.0

2 Commits
0.4.0 ... builder

Author SHA1 Message Date
shimun
501b28e0d9 added feature assert_devices 2020-03-31 21:10:33 +02:00
shimun
d4c9dd913f use builder pattern to expose all possible options 2020-03-30 22:59:37 +02:00
8 changed files with 113 additions and 160 deletions
Expand all files Collapse all files

7
Cargo.toml
View File

@@ -1,13 +1,12 @@
[package] [package]
name = "ctap_hmac" name = "ctap_hmac"
description = "A Rust implementation of the FIDO2 CTAP protocol, including the HMAC extension" description = "A Rust implementation of the FIDO2 CTAP protocol, including the HMAC extension"
version = "0.4.0" version = "0.3.0"
license = "Apache-2.0/MIT" license = "Apache-2.0/MIT"
homepage = "https://github.com/shimunn/ctap" homepage = "https://github.com/ArdaXi/ctap/pull/2"
repository = "https://github.com/shimunn/ctap" repository = "https://github.com/shimunn/ctap"
authors = ["Arda Xi <arda@ardaxi.com>", "shimun <shimun@shimun.net>"] authors = ["Arda Xi <arda@ardaxi.com>", "shimun <shimun@shimun.net>"]
edition = "2018" edition = "2018"
readme = "README.md"
[dependencies] [dependencies]
rand = "0.6" rand = "0.6"
@@ -28,4 +27,4 @@ crossbeam = "0.7.3"
hex = "0.4.0" hex = "0.4.0"
[features] [features]
request_multiple = ["crossbeam"] assert_devices = ["crossbeam"]

27
examples/hmac.rs
View File

@@ -3,7 +3,7 @@ extern crate ctap_hmac as ctap;
use crypto::digest::Digest; use crypto::digest::Digest;
use crypto::sha2::Sha256; use crypto::sha2::Sha256;
use ctap::extensions::hmac::HmacExtension; use ctap::extensions::hmac::HmacExtension;
use ctap::{FidoAssertionRequestBuilder, FidoCredential, FidoCredentialRequestBuilder}; use ctap::{FidoCredential, FidoCredentialRequestBuilder, AuthenticatorOptions};
use hex; use hex;
use std::env::args; use std::env::args;
use std::io::prelude::*; use std::io::prelude::*;
@@ -17,30 +17,23 @@ fn main() -> ctap::FidoResult<()> {
let device_info = &mut devices.next().expect("No authenticator found"); let device_info = &mut devices.next().expect("No authenticator found");
let mut device = ctap::FidoDevice::new(device_info)?; let mut device = ctap::FidoDevice::new(device_info)?;
let credential = match args().skip(1).next().map(|h| FidoCredential { let mut credential = match args().skip(1).next().map(|h| FidoCredential {
id: hex::decode(&h).expect("Invalid credential"), id: hex::decode(&h).expect("Invalid credential"),
public_key: None, public_key: None,
}) { }) {
Some(cred) => cred, Some(cred) => cred,
_ => { _ => {
let req = FidoCredentialRequestBuilder::default() let req = FidoCredentialRequestBuilder::default().rp_id(RP_ID).rp_name("ctap_hmac crate").user_name("example").uv(false).build().unwrap();
.rp_id(RP_ID)
.rp_name("ctap_hmac crate")
.user_name("example")
.uv(false)
.build()
.unwrap();
println!("Authorize using your device"); println!("Authorize using your device");
let cred = device let cred = device.make_hmac_credential(req).expect("Failed to request credential");
.make_hmac_credential(&req)
.expect("Failed to request credential");
println!("Credential: {}\nNote: You can pass this credential as first argument in order to reproduce results", hex::encode(&cred.id)); println!("Credential: {}\nNote: You can pass this credential as first argument in order to reproduce results", hex::encode(&cred.id));
cred cred
} }
}; };
let credential = credential;
print!("Type in your message: "); print!("Type in your message: ");
stdout().flush().unwrap(); stdout().flush();
let mut message = String::new(); let mut message = String::new();
stdin() stdin()
.read_line(&mut message) .read_line(&mut message)
@@ -51,13 +44,7 @@ fn main() -> ctap::FidoResult<()> {
let mut digest = Sha256::new(); let mut digest = Sha256::new();
digest.input(&message.as_bytes()); digest.input(&message.as_bytes());
digest.result(&mut salt); digest.result(&mut salt);
let credential = &&credential; let (cred, (hash1, _hash2)) = device.get_hmac_assertion(RP_ID, &[&credential], &salt, None, None)?;
let request = FidoAssertionRequestBuilder::default()
.rp_id(RP_ID)
.credential(credential)
.build()
.unwrap();
let (_cred, (hash1, _hash2)) = device.get_hmac_assertion(&request, &salt, None)?;
println!("Hash: {}", hex::encode(&hash1)); println!("Hash: {}", hex::encode(&hash1));
Ok(()) Ok(())
} }

24
examples/multiple.rs
View File

@@ -1,16 +1,24 @@
extern crate ctap_hmac as ctap; extern crate ctap_hmac as ctap;
use crossbeam::thread;
use crypto::digest::Digest;
use crypto::sha2::Sha256;
use ctap::{ use ctap::{
FidoAssertionRequestBuilder, FidoCredential, FidoCredentialRequestBuilder, FidoDevice, FidoAssertionRequestBuilder, FidoCredential, FidoCredentialRequestBuilder, FidoDevice,
FidoResult, FidoError, FidoResult,
}; };
use failure::_core::time::Duration;
use hex; use hex;
use std::env::args; use std::env::args;
use std::time::Duration; use std::io::prelude::*;
use std::io::stdin;
use std::io::stdout;
use std::sync::mpsc::channel;
use std::sync::Mutex;
const RP_ID: &str = "ctap_demo"; const RP_ID: &str = "ctap_demo";
fn main() -> ctap::FidoResult<()> { fn run() -> ctap::FidoResult<()> {
let mut credentials = args() let mut credentials = args()
.skip(1) .skip(1)
.map(|id| FidoCredential { .map(|id| FidoCredential {
@@ -40,9 +48,11 @@ fn main() -> ctap::FidoResult<()> {
let mut devices = ctap::get_devices()? let mut devices = ctap::get_devices()?
.map(|handle| FidoDevice::new(&handle)) .map(|handle| FidoDevice::new(&handle))
.collect::<FidoResult<Vec<_>>>()?; .collect::<FidoResult<Vec<_>>>()?;
// run with --features request_multiple let (cred, _) = ctap::get_assertion_devices(&req, devices.iter_mut())?;
let (cred, _) =
ctap::get_assertion_devices(&req, devices.iter_mut(), Some(Duration::from_secs(10)))?;
println!("Success, got assertion for: {}", hex::encode(&cred.id)); println!("Success, got assertion for: {}", hex::encode(&cred.id));
Ok(()) Ok(())
} }
fn main() {
dbg!(run());
}

4
src/cbor.rs
View File

@@ -423,9 +423,7 @@ impl OptionsInfo {
"clientPin" => options.client_pin = Some(decoder.bool()?), "clientPin" => options.client_pin = Some(decoder.bool()?),
"up" => options.up = decoder.bool()?, "up" => options.up = decoder.bool()?,
"uv" => options.uv = Some(decoder.bool()?), "uv" => options.uv = Some(decoder.bool()?),
_ => { _ => continue,
decoder.bool()?;
}
} }
} }
Ok(options) Ok(options)

4
src/error.rs
View File

@@ -23,8 +23,6 @@ pub struct CborErrorCode(u8);
pub enum FidoErrorKind { pub enum FidoErrorKind {
#[fail(display = "Read/write error with device.")] #[fail(display = "Read/write error with device.")]
Io, Io,
#[fail(display = "Operation timed out")]
Timeout,
#[fail(display = "Error while reading packet from device.")] #[fail(display = "Error while reading packet from device.")]
ReadPacket, ReadPacket,
#[fail(display = "Error while writing packet to device.")] #[fail(display = "Error while writing packet to device.")]
@@ -49,7 +47,7 @@ pub enum FidoErrorKind {
DecryptPin, DecryptPin,
#[fail(display = "Failed to verify response signature.")] #[fail(display = "Failed to verify response signature.")]
VerifySignature, VerifySignature,
#[fail(display = "Failed to verify response signature.")] #[fail(display = "Supplied key has incorrect type.")]
KeyType, KeyType,
#[fail(display = "Device returned error: {}", _0)] #[fail(display = "Device returned error: {}", _0)]
CborError(CborErrorCode), CborError(CborErrorCode),

72
src/extensions/hmac.rs
View File

@@ -1,4 +1,7 @@
use crate::{FidoAssertionRequest, FidoAssertionRequestBuilder, FidoCredentialRequest}; use crate::{
AuthenticatorOptions, FidoAssertionRequestBuilder,
FidoCredentialRequest,
};
use crate::{FidoCredential, FidoDevice, FidoErrorKind, FidoResult}; use crate::{FidoCredential, FidoDevice, FidoErrorKind, FidoResult};
use cbor_codec::value::{Bytes, Int, Key, Text, Value}; use cbor_codec::value::{Bytes, Int, Key, Text, Value};
use cbor_codec::Encoder; use cbor_codec::Encoder;
@@ -10,6 +13,7 @@ use rust_crypto::mac::Mac;
use rust_crypto::sha2::Sha256; use rust_crypto::sha2::Sha256;
use std::collections::BTreeMap; use std::collections::BTreeMap;
use std::io::Cursor; use std::io::Cursor;
use std::iter::FromIterator;
pub trait HmacExtension { pub trait HmacExtension {
fn extension_name() -> &'static str { fn extension_name() -> &'static str {
@@ -36,10 +40,8 @@ pub trait HmacExtension {
/// Convenience function to create an credential which includes extension specific data /// Convenience function to create an credential which includes extension specific data
/// Use `FidoDevice::make_credential` if you need more control /// Use `FidoDevice::make_credential` if you need more control
fn make_hmac_credential( fn make_hmac_credential(&mut self, request: FidoCredentialRequest) -> FidoResult<FidoCredential>;
&mut self,
request: &FidoCredentialRequest,
) -> FidoResult<FidoCredential>;
/// Request an assertion from the authenticator for a given credential and salt(s). /// Request an assertion from the authenticator for a given credential and salt(s).
/// at least one `salt` must be provided, consider using a hashing function like SHA256 /// at least one `salt` must be provided, consider using a hashing function like SHA256
@@ -51,11 +53,13 @@ pub trait HmacExtension {
/// provided, and will fail if a PIN is required but not provided or if the /// provided, and will fail if a PIN is required but not provided or if the
/// device returns malformed data. /// device returns malformed data.
/// ///
fn get_hmac_assertion<'a: 'b, 'b>( fn get_hmac_assertion<'a>(
&mut self, &mut self,
assertion: &FidoAssertionRequest<'a, 'b>, rp_id: &str,
credentials: &'a [&'a FidoCredential],
salt: &[u8; 32], salt: &[u8; 32],
salt2: Option<&[u8; 32]>, salt2: Option<&[u8; 32]>,
options: Option<AuthenticatorOptions>,
) -> FidoResult<(&'a FidoCredential, ([u8; 32], Option<[u8; 32]>))>; ) -> FidoResult<(&'a FidoCredential, ([u8; 32], Option<[u8; 32]>))>;
/// Convenience function for `get_hmac_assertion` that will accept arbitrary /// Convenience function for `get_hmac_assertion` that will accept arbitrary
@@ -71,13 +75,11 @@ pub trait HmacExtension {
digest.input(input); digest.input(input);
digest.result(&mut salt); digest.result(&mut salt);
self.get_hmac_assertion( self.get_hmac_assertion(
&FidoAssertionRequestBuilder::default() rp_id,
.rp_id(rp_id) &[credential],
.credential(&credential)
.build()
.unwrap(),
&salt, &salt,
None, None,
Some(AuthenticatorOptions { uv: true, rk: true, up: false }),
) )
.map(|(_cred, secret)| secret.0) .map(|(_cred, secret)| secret.0)
} }
@@ -136,35 +138,43 @@ impl HmacExtension for FidoDevice {
Ok(Value::Map(map)) Ok(Value::Map(map))
} }
fn make_hmac_credential( fn make_hmac_credential(&mut self, request: FidoCredentialRequest) -> FidoResult<FidoCredential> {
&mut self, let mut request = request;
request: &FidoCredentialRequest,
) -> FidoResult<FidoCredential> {
let mut request = request.clone();
request.rk = true; request.rk = true;
request.extension_data.insert( request.extension_data.insert(<Self as HmacExtension>::extension_name(), <Self as HmacExtension>::extension_input());
<Self as HmacExtension>::extension_name(),
<Self as HmacExtension>::extension_input(),
);
self.make_credential(&request) self.make_credential(&request)
} }
fn get_hmac_assertion<'a: 'b, 'b>( fn get_hmac_assertion<'a>(
&mut self, &mut self,
request: &FidoAssertionRequest<'a, 'b>, rp_id: &str,
credentials: &'a [&'a FidoCredential],
salt: &[u8; 32], salt: &[u8; 32],
salt2: Option<&[u8; 32]>, salt2: Option<&[u8; 32]>,
options: Option<AuthenticatorOptions>,
) -> FidoResult<(&'a FidoCredential, ([u8; 32], Option<[u8; 32]>))> { ) -> FidoResult<(&'a FidoCredential, ([u8; 32], Option<[u8; 32]>))> {
while self.shared_secret.is_none() { while self.shared_secret.is_none() {
self.init_shared_secret()?; self.init_shared_secret()?;
} }
let ext_data: Value = self.get_data(salt, salt2)?; let ext_data: Value = self.get_data(salt, salt2)?;
let mut request = request.clone();
request
.extension_data
.insert(<Self as HmacExtension>::extension_name(), &ext_data);
let (cred, auth_data) = self.get_assertion(&request)?; let ext_data: BTreeMap<&str, &Value> = BTreeMap::from_iter(
[(<Self as HmacExtension>::extension_name(), &ext_data)]
.iter()
.cloned(),
);
let mut builder = FidoAssertionRequestBuilder::default()
.credentials(credentials)
.rp_id(rp_id)
.extension_data(ext_data);
if let Some(opts) = options {
builder = builder.uv(opts.uv).up(opts.up);
}
let (cred, auth_data) =
self.get_assertion(&builder.build().unwrap())?;
let shared_secret = self.shared_secret.as_ref().unwrap(); let shared_secret = self.shared_secret.as_ref().unwrap();
let mut decryptor = shared_secret.decryptor(); let mut decryptor = shared_secret.decryptor();
let mut hmac_secret_combined = [0u8; 64]; let mut hmac_secret_combined = [0u8; 64];
@@ -196,11 +206,7 @@ impl HmacExtension for FidoDevice {
let mut hmac_secret_1 = [0u8; 32]; let mut hmac_secret_1 = [0u8; 32];
hmac_secret_0.copy_from_slice(&hmac_secret[0..32]); hmac_secret_0.copy_from_slice(&hmac_secret[0..32]);
hmac_secret_1.copy_from_slice(&hmac_secret[32..]); hmac_secret_1.copy_from_slice(&hmac_secret[32..]);
let cred = request let cred = credentials.into_iter().find(|c| c.id == cred.id).unwrap();
.credentials
.into_iter()
.find(|c| c.id == cred.id)
.unwrap();
Ok((cred, (hmac_secret_0, salt2.and(Some(hmac_secret_1))))) Ok((cred, (hmac_secret_0, salt2.and(Some(hmac_secret_1)))))
} }
} }

13
src/lib.rs
View File

@@ -217,7 +217,7 @@ impl<'a> FidoCredentialRequest<'a> {
#[derive(Clone, Debug, Builder)] #[derive(Clone, Debug, Builder)]
#[builder(setter(into))] #[builder(setter(into))]
#[builder(pattern = "owned")] #[builder(pattern = "owned")]
pub struct FidoAssertionRequest<'a, 'b> { pub struct FidoAssertionRequest<'a> {
#[builder(default)] #[builder(default)]
up: bool, up: bool,
#[builder(default)] #[builder(default)]
@@ -232,16 +232,16 @@ pub struct FidoAssertionRequest<'a, 'b> {
#[builder(default = "&[0u8; 32]")] #[builder(default = "&[0u8; 32]")]
client_data_hash: &'a [u8], client_data_hash: &'a [u8],
#[builder(default)] #[builder(default)]
extension_data: BTreeMap<&'b str, &'b cbor_codec::value::Value>, extension_data: BTreeMap<&'a str, &'a cbor_codec::value::Value>,
} }
impl<'a, 'b> FidoAssertionRequest<'a, 'b> { impl<'a> FidoAssertionRequest<'a> {
pub fn get_assertion(&self, device: &mut FidoDevice) -> FidoResult<&'a FidoCredential> { pub fn get_assertion(&self, device: &mut FidoDevice) -> FidoResult<&'a FidoCredential> {
device.get_assertion(self).map(|res| res.0) device.get_assertion(self).map(|res| res.0)
} }
} }
impl<'a, 'b> FidoAssertionRequestBuilder<'a, 'b> { impl<'a> FidoAssertionRequestBuilder<'a> {
pub fn credential(mut self, credential: &'a &'a FidoCredential) -> Self { pub fn credential(mut self, credential: &'a &'a FidoCredential) -> Self {
self.credentials = Some(std::slice::from_ref(credential)); self.credentials = Some(std::slice::from_ref(credential));
self self
@@ -457,9 +457,10 @@ impl FidoDevice {
/// ///
/// This method will fail if a PIN is required but the device is not /// This method will fail if a PIN is required but the device is not
/// unlocked or if the device returns malformed data. /// unlocked or if the device returns malformed data.
pub fn get_assertion<'a, 'b>(
pub fn get_assertion<'a>(
&mut self, &mut self,
assertion: &FidoAssertionRequest<'a, 'b>, assertion: &FidoAssertionRequest<'a>,
) -> FidoResult<(&'a FidoCredential, AuthenticatorData)> { ) -> FidoResult<(&'a FidoCredential, AuthenticatorData)> {
while self.shared_secret.is_none() { while self.shared_secret.is_none() {
self.init_shared_secret()?; self.init_shared_secret()?;

122
src/util.rs
View File

@@ -1,90 +1,44 @@
#[cfg(feature = "request_multiple")] use crate::cbor::AuthenticatorData;
use crate::{ use crate::{FidoAssertionRequest, FidoCredential, FidoDevice, FidoErrorKind, FidoResult};
cbor::AuthenticatorData, FidoAssertionRequest, FidoCredential, FidoCredentialRequest,
FidoDevice, FidoErrorKind, FidoResult,
};
#[cfg(feature = "request_multiple")]
use crossbeam::thread;
#[cfg(feature = "request_multiple")]
use std::sync::mpsc::channel; use std::sync::mpsc::channel;
#[cfg(feature = "request_multiple")] #[cfg(feature = "assert_devices")]
use std::time::Duration; use crossbeam::thread;
#[cfg(feature = "request_multiple")]
pub fn request_multiple_devices< /// Will send the `assertion` to all supplied `devices` and return either the first successful assertion or the last error
'a, #[cfg(feature = "assert_devices")]
T: Send + 'a, pub fn get_assertion_devices<'a>(
F: Fn(&mut FidoDevice) -> FidoResult<T> + 'a + Sync, assertion: &'a FidoAssertionRequest,
>( devices: impl Iterator<Item = &'a mut FidoDevice>,
devices: impl Iterator<Item = (&'a mut FidoDevice, &'a F)>, ) -> FidoResult<(&'a FidoCredential, AuthenticatorData)> {
timeout: Option<Duration>, thread::scope(
) -> FidoResult<T> { |scope| -> FidoResult<(&'a FidoCredential, AuthenticatorData)> {
thread::scope(|scope| -> FidoResult<T> { let (tx, rx) = channel();
let (tx, rx) = channel(); let handles = devices
let handles = devices .map(|device| {
.map(|(device, fn_)| { let cancel = device.cancel_handle()?;
let cancel = device.cancel_handle()?; let tx = tx.clone();
let tx = tx.clone(); let thread_handle =
let thread_handle = scope.spawn(move |_| tx.send(fn_(device))); scope.spawn(move |_| tx.send(device.get_assertion(assertion)));
Ok((cancel, thread_handle)) Ok((cancel, thread_handle))
}) })
.collect::<FidoResult<Vec<_>>>()?; .collect::<FidoResult<Vec<_>>>()?;
let mut err = None;
let mut slept = Duration::from_millis(0); let mut err = None;
let interval = Duration::from_millis(10); for res in rx.iter().take(handles.len()) {
let mut received = 0usize; match res {
let res = loop { Ok(_) => {
if timeout.map(|t| t < slept).unwrap_or(true) { for (mut cancel, join) in handles {
break if let Some(cause) = err { // Canceling out of courtesy don't care if it fails
cause let _ = cancel.cancel();
} else { let _ = join.join();
Err(FidoErrorKind::Timeout.into()) }
}; return res;
}
if received == handles.len() {
break err.unwrap();
}
if let Ok(msg) = rx.recv_timeout(interval) {
received += 1;
match msg {
e @ Err(_) => {
err = Some(e);
}
res @ Ok(_) => {
break res;
} }
e => err = Some(e),
} }
} else {
slept += interval;
} }
}; err.unwrap_or(Err(FidoErrorKind::DeviceUnsupported.into()))
for (mut cancel, join) in handles { },
// Canceling out of courtesy don't care if it fails )
let _ = cancel.cancel();
let _ = join.join();
}
res
})
.unwrap() .unwrap()
} }
/// Will send the `assertion_request` to all supplied `devices` and return either the first successful assertion or the last error
#[cfg(feature = "request_multiple")]
pub fn get_assertion_devices<'a>(
assertion_request: &'a FidoAssertionRequest,
devices: impl Iterator<Item = &'a mut FidoDevice>,
timeout: Option<Duration>,
) -> FidoResult<(&'a FidoCredential, AuthenticatorData)> {
let get_assertion = |device: &mut FidoDevice| device.get_assertion(assertion_request);
request_multiple_devices(devices.map(|device| (device, &get_assertion)), timeout)
}
/// Will send the `credential_request` to all supplied `devices` and return either the first credential or the last error
#[cfg(feature = "request_multiple")]
pub fn make_credential_devices<'a>(
credential_request: &'a FidoCredentialRequest,
devices: impl Iterator<Item = &'a mut FidoDevice>,
timeout: Option<Duration>,
) -> FidoResult<FidoCredential> {
let make_credential = |device: &mut FidoDevice| device.make_credential(credential_request);
request_multiple_devices(devices.map(|device| (device, &make_credential)), timeout)
}