Compare commits
6 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
718c9c93e6
|
|||
|
3a6dd90ec4
|
|||
|
f5d52ee8b5
|
|||
|
e6166f7cbd
|
|||
|
d6b20d0ba4
|
|||
|
857c3cd955
|
@ -1,7 +1,7 @@
|
||||
[package]
|
||||
name = "ctap_hmac"
|
||||
description = "A Rust implementation of the FIDO2 CTAP protocol, including the HMAC extension"
|
||||
version = "0.4.2"
|
||||
version = "0.4.5"
|
||||
license = "Apache-2.0/MIT"
|
||||
homepage = "https://github.com/shimunn/ctap"
|
||||
repository = "https://github.com/shimunn/ctap"
|
||||
@ -20,12 +20,16 @@ cbor-codec = "0.7"
|
||||
ring = "0.13"
|
||||
untrusted = "0.6"
|
||||
rust-crypto = "0.2"
|
||||
csv-core = "0.1.6"
|
||||
derive_builder = "0.9.0"
|
||||
crossbeam = { version = "0.7.3", optional = true }
|
||||
[dev-dependencies]
|
||||
crossbeam = "0.7.3"
|
||||
hex = "0.4.0"
|
||||
[build-dependencies]
|
||||
csv = "1.1.3"
|
||||
serde = "1.0.106"
|
||||
serde_derive = "1.0.106"
|
||||
|
||||
|
||||
[features]
|
||||
request_multiple = ["crossbeam"]
|
||||
|
||||
41
build.rs
Normal file
41
build.rs
Normal file
@ -0,0 +1,41 @@
|
||||
use csv::{Reader, StringRecord};
|
||||
use serde_derive::Deserialize;
|
||||
use std::env;
|
||||
use std::fs::File;
|
||||
use std::io::{Result, Write};
|
||||
use std::iter::FromIterator;
|
||||
use std::string::String;
|
||||
|
||||
fn main() {
|
||||
parse_error_codes().expect("Failed to parse error codes")
|
||||
}
|
||||
|
||||
fn parse_error_codes() -> Result<()> {
|
||||
println!("cargo:rerun-if-changed=ctap_error_codes.csv");
|
||||
let mut out_file = File::create(format!(
|
||||
"{}/ctap_error_codes.rs",
|
||||
env::var("OUT_DIR").unwrap()
|
||||
))?;
|
||||
out_file.write_all(b"static CTAP_ERROR_CODES: &[(usize, &str, &str)] = &[")?;
|
||||
let mut rdr = Reader::from_path("ctap_error_codes.csv")?;
|
||||
rdr.set_headers(StringRecord::from_iter(&["code", "name", "desc"]));
|
||||
#[derive(Debug, Deserialize)]
|
||||
struct ErrorCode {
|
||||
code: String,
|
||||
name: String,
|
||||
desc: String,
|
||||
}
|
||||
for result in rdr.deserialize() {
|
||||
let record: ErrorCode = result.unwrap();
|
||||
out_file.write_all(
|
||||
format!(
|
||||
"({}, \"{}\", \"{}\"),\n",
|
||||
i64::from_str_radix(&record.code[2..], 16).unwrap(),
|
||||
record.name,
|
||||
record.desc
|
||||
)
|
||||
.as_bytes(),
|
||||
)?;
|
||||
}
|
||||
out_file.write_all(b"];")
|
||||
}
|
||||
@ -2,7 +2,7 @@ extern crate ctap_hmac as ctap;
|
||||
|
||||
use crypto::digest::Digest;
|
||||
use crypto::sha2::Sha256;
|
||||
use ctap::extensions::{self, FidoExtensionResponseParserExt};
|
||||
use ctap::extensions::hmac::HmacExtension;
|
||||
use ctap::{FidoAssertionRequestBuilder, FidoCredential, FidoCredentialRequestBuilder};
|
||||
use hex;
|
||||
use std::env::args;
|
||||
@ -16,13 +16,14 @@ fn main() -> ctap::FidoResult<()> {
|
||||
let mut devices = ctap::get_devices()?;
|
||||
let device_info = &mut devices.next().expect("No authenticator found");
|
||||
let mut device = ctap::FidoDevice::new(device_info)?;
|
||||
let credential = match args().nth(1).map(|h| FidoCredential {
|
||||
|
||||
let credential = match args().skip(1).next().map(|h| FidoCredential {
|
||||
id: hex::decode(&h).expect("Invalid credential"),
|
||||
public_key: None,
|
||||
}) {
|
||||
Some(cred) => cred,
|
||||
_ => {
|
||||
let mut req = FidoCredentialRequestBuilder::default()
|
||||
let req = FidoCredentialRequestBuilder::default()
|
||||
.rp_id(RP_ID)
|
||||
.rp_name("ctap_hmac crate")
|
||||
.user_name("example")
|
||||
@ -30,16 +31,9 @@ fn main() -> ctap::FidoResult<()> {
|
||||
.build()
|
||||
.unwrap();
|
||||
|
||||
assert!(
|
||||
&device.supports_extension::<extensions::HmacSecret>(),
|
||||
"Your device does not support the hmac extension"
|
||||
);
|
||||
let hmac = extensions::HmacSecret::new();
|
||||
req.with_extension(&hmac)?;
|
||||
dbg!(&req);
|
||||
println!("Authorize using your device");
|
||||
let cred = req
|
||||
.make_credential(&mut device)
|
||||
let cred = device
|
||||
.make_hmac_credential(&req)
|
||||
.expect("Failed to request credential");
|
||||
println!("Credential: {}\nNote: You can pass this credential as first argument in order to reproduce results", hex::encode(&cred.id));
|
||||
cred
|
||||
@ -58,15 +52,12 @@ fn main() -> ctap::FidoResult<()> {
|
||||
digest.input(&message.as_bytes());
|
||||
digest.result(&mut salt);
|
||||
let credential = &&credential;
|
||||
let hmac = extensions::HmacSecret::new().for_device(&mut device, &salt, None)?;
|
||||
let mut request = FidoAssertionRequestBuilder::default()
|
||||
let request = FidoAssertionRequestBuilder::default()
|
||||
.rp_id(RP_ID)
|
||||
.credential(credential)
|
||||
.build()
|
||||
.unwrap();
|
||||
request.with_extension(&hmac)?;
|
||||
let (_cred, auth_data) = device.get_assertion(&request)?;
|
||||
let (hash1, _hash2) = auth_data.parse_extension_data(&hmac)?;
|
||||
let (_cred, (hash1, _hash2)) = device.get_hmac_assertion(&request, &salt, None)?;
|
||||
println!("Hash: {}", hex::encode(&hash1));
|
||||
Ok(())
|
||||
}
|
||||
|
||||
@ -24,6 +24,7 @@ fn main() -> ctap::FidoResult<()> {
|
||||
FidoDevice::new(&h).and_then(|mut dev| {
|
||||
FidoCredentialRequestBuilder::default()
|
||||
.rp_id(RP_ID)
|
||||
.user_name("test")
|
||||
.build()
|
||||
.unwrap()
|
||||
.make_credential(&mut dev)
|
||||
|
||||
93
src/cbor.rs
93
src/cbor.rs
@ -7,6 +7,7 @@
|
||||
use cbor_codec::value;
|
||||
use cbor_codec::value::Value;
|
||||
use cbor_codec::{Config, Decoder, Encoder, GenericDecoder, GenericEncoder};
|
||||
use cbor::skip::Skip;
|
||||
|
||||
use byteorder::{BigEndian, ByteOrder, ReadBytesExt, WriteBytesExt};
|
||||
use failure::ResultExt;
|
||||
@ -38,7 +39,7 @@ impl<'a> Request<'a> {
|
||||
}
|
||||
}
|
||||
|
||||
pub fn decode<R: ReadBytesExt>(&self, reader: R) -> FidoResult<Response> {
|
||||
pub fn decode<R: ReadBytesExt + Skip>(&self, reader: R) -> FidoResult<Response> {
|
||||
Ok(match self {
|
||||
Request::MakeCredential(_) => {
|
||||
Response::MakeCredential(MakeCredentialResponse::decode(reader)?)
|
||||
@ -274,64 +275,37 @@ pub struct GetInfoResponse {
|
||||
pub options: OptionsInfo,
|
||||
pub max_msg_size: u16,
|
||||
pub pin_protocols: Vec<u8>,
|
||||
pub max_credential_count_in_list: Option<u32>,
|
||||
pub max_credential_id_len: Option<u32>,
|
||||
pub transports: Vec<String>,
|
||||
pub algorithms: Vec<CoseKey>,
|
||||
pub max_authenticator_config_len: Option<u32>,
|
||||
pub default_cred_protect: Option<u8>,
|
||||
}
|
||||
|
||||
impl GetInfoResponse {
|
||||
pub fn decode<R: ReadBytesExt>(mut reader: R) -> FidoResult<Self> {
|
||||
pub fn decode<R: ReadBytesExt + Skip>(mut reader: R) -> FidoResult<Self> {
|
||||
let status = reader.read_u8().context(FidoErrorKind::CborDecode)?;
|
||||
if status != 0 {
|
||||
Err(FidoErrorKind::CborError(CborErrorCode::from(status)))?
|
||||
}
|
||||
let mut generic = GenericDecoder::new(Config::default(), reader);
|
||||
let mut decoder = Decoder::new(Config::default(), reader);
|
||||
let mut response = GetInfoResponse::default();
|
||||
for _ in 0..generic.borrow_mut().object()? {
|
||||
match generic.borrow_mut().u8()? {
|
||||
for _ in 0..decoder.object()? {
|
||||
match decoder.u8()? {
|
||||
0x01 => {
|
||||
let decoder = generic.borrow_mut();
|
||||
for _ in 0..decoder.array()? {
|
||||
response.versions.push(decoder.text()?);
|
||||
}
|
||||
}
|
||||
0x02 => {
|
||||
let decoder = generic.borrow_mut();
|
||||
for _ in 0..decoder.array()? {
|
||||
response.extensions.push(decoder.text()?);
|
||||
}
|
||||
}
|
||||
0x03 => response
|
||||
.aaguid
|
||||
.copy_from_slice(&generic.borrow_mut().bytes()?[..]),
|
||||
0x04 => response.options = OptionsInfo::decode(&mut generic.borrow_mut())?,
|
||||
0x05 => response.max_msg_size = generic.borrow_mut().u16()?,
|
||||
0x03 => response.aaguid.copy_from_slice(&decoder.bytes()?[..]),
|
||||
0x04 => response.options = OptionsInfo::decode(&mut decoder)?,
|
||||
0x05 => response.max_msg_size = decoder.u16()?,
|
||||
0x06 => {
|
||||
let decoder = generic.borrow_mut();
|
||||
for _ in 0..decoder.array()? {
|
||||
response.pin_protocols.push(decoder.u8()?);
|
||||
}
|
||||
}
|
||||
0x07 => response.max_credential_count_in_list = Some(generic.borrow_mut().u32()?),
|
||||
0x08 => response.max_credential_id_len = Some(generic.borrow_mut().u32()?),
|
||||
0x09 => {
|
||||
let decoder = generic.borrow_mut();
|
||||
for _ in 0..decoder.array()? {
|
||||
response.transports.push(decoder.text()?);
|
||||
}
|
||||
}
|
||||
0x0A => {
|
||||
for _ in 0..generic.borrow_mut().array()? {
|
||||
response.algorithms.push(CoseKey::decode(&mut generic)?);
|
||||
}
|
||||
}
|
||||
0x0B => response.max_authenticator_config_len = Some(generic.borrow_mut().u32()?),
|
||||
|
||||
0x0C => response.default_cred_protect = Some(generic.borrow_mut().u8()?),
|
||||
_ => continue,
|
||||
_ => decoder.skip()?,
|
||||
}
|
||||
}
|
||||
Ok(response)
|
||||
@ -592,7 +566,7 @@ impl P256Key {
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, Default, Clone)]
|
||||
#[derive(Debug, Default)]
|
||||
pub struct CoseKey {
|
||||
key_type: u16,
|
||||
algorithm: i32,
|
||||
@ -624,14 +598,45 @@ impl CoseKey {
|
||||
let mut cose_key = CoseKey::default();
|
||||
cose_key.algorithm = -7;
|
||||
for _ in 0..items {
|
||||
match generic.borrow_mut().i16()? {
|
||||
0x01 => cose_key.key_type = generic.borrow_mut().u16()?,
|
||||
0x02 => cose_key.algorithm = generic.borrow_mut().i32()?,
|
||||
key if key < 0 => {
|
||||
cose_key.parameters.insert(key, generic.value()?);
|
||||
match generic.value()? {
|
||||
Value::Text(value::Text::Text(text)) => match &text[..] {
|
||||
"type" => {
|
||||
cose_key.key_type = match generic.value()? {
|
||||
Value::Text(value::Text::Text(type_)) if &type_ == "public-key" => 0u16,
|
||||
Value::U16(i) => i,
|
||||
Value::U8(i) => i.into(),
|
||||
_ => {
|
||||
continue;
|
||||
}
|
||||
}
|
||||
}
|
||||
"alg" => cose_key.algorithm = generic.borrow_mut().i32()?,
|
||||
_ => continue,
|
||||
},
|
||||
val @ Value::I8(_)
|
||||
| val @ Value::I16(_)
|
||||
| val @ Value::U16(_)
|
||||
| val @ Value::U8(_) => {
|
||||
let int_val = match val {
|
||||
Value::I8(i) => i as i32,
|
||||
Value::I16(i) => i as i32,
|
||||
Value::U8(i) => i as i32,
|
||||
Value::U16(i) => i as i32,
|
||||
_ => unreachable!(),
|
||||
};
|
||||
match int_val {
|
||||
0x01 => cose_key.key_type = generic.borrow_mut().u16()?,
|
||||
0x02 => cose_key.algorithm = generic.borrow_mut().i32()?,
|
||||
key if key < 0 => {
|
||||
cose_key.parameters.insert(key as i16, generic.value()?);
|
||||
}
|
||||
unknown => {
|
||||
(unknown, generic.value()?); // skip unknown parameter
|
||||
}
|
||||
}
|
||||
}
|
||||
_ => {
|
||||
generic.value()?; // skip unknown parameter
|
||||
unknown => {
|
||||
(unknown, generic.value()?); // skip unknown parameter
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -15,7 +15,7 @@ use rust_crypto::buffer::{RefReadBuffer, RefWriteBuffer};
|
||||
use rust_crypto::symmetriccipher::{Decryptor, Encryptor};
|
||||
use untrusted::Input;
|
||||
|
||||
#[derive(Debug, Clone)]
|
||||
#[derive(Debug)]
|
||||
pub struct SharedSecret {
|
||||
pub public_key: CoseKey,
|
||||
pub shared_secret: [u8; 32],
|
||||
|
||||
92
src/error.rs
92
src/error.rs
@ -5,8 +5,8 @@
|
||||
// http://opensource.org/licenses/MIT>, at your option. This file may not be
|
||||
// copied, modified, or distributed except according to those terms.
|
||||
use cbor_codec::{DecodeError, EncodeError};
|
||||
use csv_core::{ReadFieldResult, Reader};
|
||||
use failure::_core::fmt::{Error, Formatter};
|
||||
use failure::_core::option::Option;
|
||||
use failure::{Backtrace, Context, Fail};
|
||||
use std::fmt;
|
||||
use std::fmt::Display;
|
||||
@ -19,6 +19,32 @@ pub struct FidoError(Context<FidoErrorKind>);
|
||||
#[derive(Debug, Copy, Clone, Fail, Eq, PartialEq)]
|
||||
pub struct CborErrorCode(u8);
|
||||
|
||||
// generated using build.rs
|
||||
include!(concat!(env!("OUT_DIR"), "/ctap_error_codes.rs"));
|
||||
|
||||
impl CborErrorCode {
|
||||
fn detail(&self) -> Option<(u8, &'static str, &'static str)> {
|
||||
for (code, name, desc) in CTAP_ERROR_CODES {
|
||||
if *code == self.0 as usize {
|
||||
return Some((self.0, name, desc));
|
||||
}
|
||||
}
|
||||
None
|
||||
}
|
||||
|
||||
pub fn name(&self) -> Option<&'static str> {
|
||||
self.detail().map(|(_, name, _)| name)
|
||||
}
|
||||
|
||||
pub fn description(&self) -> Option<&'static str> {
|
||||
self.detail().map(|(_, _, desc)| desc)
|
||||
}
|
||||
|
||||
pub fn code(&self) -> u8 {
|
||||
self.0
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Copy, Clone, Eq, PartialEq, Debug, Fail)]
|
||||
pub enum FidoErrorKind {
|
||||
#[fail(display = "Read/write error with device.")]
|
||||
@ -116,58 +142,24 @@ impl From<u8> for CborErrorCode {
|
||||
|
||||
impl Display for CborErrorCode {
|
||||
fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
|
||||
let messages = include_str!("ctap_error_codes.csv");
|
||||
let mut rdr = Reader::new();
|
||||
let mut bytes = messages.as_bytes();
|
||||
let mut col: usize = 0;
|
||||
let mut row: usize = 0;
|
||||
let mut correct_row: bool = false;
|
||||
let mut field = [0u8; 1024];
|
||||
let mut name: Option<String> = None;
|
||||
let mut desc: Option<String> = None;
|
||||
loop {
|
||||
let (result, nin, read) = rdr.read_field(&bytes, &mut field);
|
||||
bytes = &bytes[nin..];
|
||||
match result {
|
||||
ReadFieldResult::InputEmpty => {}
|
||||
ReadFieldResult::OutputFull => panic!("field too large"),
|
||||
ReadFieldResult::Field { record_end } => {
|
||||
let text = String::from_utf8(field[..read].iter().cloned().collect()).unwrap();
|
||||
if row > 0 {
|
||||
match col {
|
||||
0 if i64::from_str_radix(&text[2..], 16)
|
||||
.expect("malformed ctap_error_codes.csv")
|
||||
== self.0 as i64 =>
|
||||
{
|
||||
correct_row = true
|
||||
}
|
||||
1 | 2 if correct_row => {
|
||||
if let Some(_) = name {
|
||||
desc = Some(text);
|
||||
break;
|
||||
} else {
|
||||
name = Some(text);
|
||||
}
|
||||
}
|
||||
_ => (),
|
||||
}
|
||||
}
|
||||
col += 1;
|
||||
if record_end {
|
||||
col = 0;
|
||||
row += 1;
|
||||
}
|
||||
}
|
||||
ReadFieldResult::End => break,
|
||||
}
|
||||
}
|
||||
if let Some((code, _name, desc)) =
|
||||
name.and_then(|name| desc.map(|desc| (self.0, name, desc)))
|
||||
{
|
||||
if let Some((code, _name, desc)) = self.detail() {
|
||||
write!(f, "CborError: 0x{:x?}: {}", code, desc)?;
|
||||
} else {
|
||||
write!(f, "CborError: 0x{:x?}", self.0)?;
|
||||
write!(f, "CborError: 0x{:x?}: unknown", self.code())?;
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod test {
|
||||
use super::*;
|
||||
|
||||
#[test]
|
||||
fn cbor_error_code() {
|
||||
assert_eq!(
|
||||
CborErrorCode(0x33).to_string(),
|
||||
"CborError: 0x33: PIN authentication, pinAuth, verification failed."
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
@ -1,57 +0,0 @@
|
||||
use crate::extensions::FidoExtension;
|
||||
use crate::FidoResult;
|
||||
use crate::{FidoAssertionRequest, FidoCredentialRequest};
|
||||
use cbor_codec::value::Value;
|
||||
use num_traits::ToPrimitive;
|
||||
|
||||
#[derive(Copy, Clone, Debug, FromPrimitive, ToPrimitive, PartialEq)]
|
||||
pub enum CredProtectLevel {
|
||||
UvOptional = 0x01,
|
||||
UvOptionalWithCredentialIDList = 0x02,
|
||||
UvRequired = 0x03,
|
||||
}
|
||||
|
||||
impl CredProtectLevel {
|
||||
fn extension_input(self) -> Value {
|
||||
Value::U8(self.to_u8().unwrap())
|
||||
}
|
||||
}
|
||||
|
||||
pub struct CredProtect(Value);
|
||||
|
||||
impl CredProtect {
|
||||
pub fn level(level: CredProtectLevel) -> Self {
|
||||
Self(level.extension_input())
|
||||
}
|
||||
|
||||
fn extension_name() -> &'static str {
|
||||
"credProtect"
|
||||
}
|
||||
|
||||
fn extension_input(&self) -> &Value {
|
||||
&self.0
|
||||
}
|
||||
}
|
||||
|
||||
impl FidoExtension for CredProtect {
|
||||
fn extension_name() -> &'static str {
|
||||
CredProtect::extension_name()
|
||||
}
|
||||
|
||||
fn patch_assertion_request<'a, 'b>(
|
||||
&'b self,
|
||||
_request: &mut FidoAssertionRequest<'a, 'b>,
|
||||
) -> FidoResult<()> {
|
||||
Ok(())
|
||||
}
|
||||
|
||||
fn patch_credential_request<'a>(
|
||||
&'a self,
|
||||
request: &mut FidoCredentialRequest<'a>,
|
||||
) -> FidoResult<()> {
|
||||
request
|
||||
.extension_data
|
||||
.insert(CredProtect::extension_name(), self.extension_input());
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
@ -1,14 +1,8 @@
|
||||
use crate::cbor::AuthenticatorData;
|
||||
use crate::crypto::SharedSecret;
|
||||
use crate::extensions::{
|
||||
FidoExtension, FidoExtensionResponseParser, FidoExtensionResponseParserExt,
|
||||
};
|
||||
use crate::{FidoAssertionRequest, FidoAssertionRequestBuilder, FidoCredentialRequest};
|
||||
use crate::{FidoCredential, FidoDevice, FidoErrorKind, FidoResult};
|
||||
use cbor_codec::value::{Bytes, Int, Key, Text, Value};
|
||||
use cbor_codec::Encoder;
|
||||
use cbor_codec::{Config, GenericDecoder};
|
||||
use failure::ResultExt;
|
||||
use rust_crypto::buffer::{RefReadBuffer, RefWriteBuffer};
|
||||
use rust_crypto::digest::Digest;
|
||||
use rust_crypto::hmac::Hmac;
|
||||
@ -17,10 +11,6 @@ use rust_crypto::sha2::Sha256;
|
||||
use std::collections::BTreeMap;
|
||||
use std::io::Cursor;
|
||||
|
||||
#[deprecated(
|
||||
since = "0.4.2",
|
||||
note = "Please use FidoAssertionRequest::with_extension(HmacSecret) instead"
|
||||
)]
|
||||
pub trait HmacExtension {
|
||||
fn extension_name() -> &'static str {
|
||||
"hmac-secret"
|
||||
@ -93,75 +83,9 @@ pub trait HmacExtension {
|
||||
}
|
||||
}
|
||||
|
||||
#[allow(deprecated)]
|
||||
impl HmacExtension for FidoDevice {
|
||||
fn get_data(&mut self, salt: &[u8; 32], salt2: Option<&[u8; 32]>) -> FidoResult<Value> {
|
||||
Ok(HmacSecret::extension_input(self, salt, salt2)?)
|
||||
}
|
||||
|
||||
fn make_hmac_credential(
|
||||
&mut self,
|
||||
request: &FidoCredentialRequest,
|
||||
) -> FidoResult<FidoCredential> {
|
||||
let mut request = request.clone();
|
||||
request.rk = true;
|
||||
request.extension_data.insert(
|
||||
<Self as HmacExtension>::extension_name(),
|
||||
<Self as HmacExtension>::extension_input(),
|
||||
);
|
||||
self.make_credential(&request)
|
||||
}
|
||||
|
||||
fn get_hmac_assertion<'a: 'b, 'b>(
|
||||
&mut self,
|
||||
request: &FidoAssertionRequest<'a, 'b>,
|
||||
salt: &[u8; 32],
|
||||
salt2: Option<&[u8; 32]>,
|
||||
) -> FidoResult<(&'a FidoCredential, ([u8; 32], Option<[u8; 32]>))> {
|
||||
while self.shared_secret.is_none() {
|
||||
self.init_shared_secret()?;
|
||||
}
|
||||
let mut request = request.clone();
|
||||
let ext = HmacSecret::new().for_device(self, salt, salt2)?;
|
||||
request.with_extension(&ext)?;
|
||||
|
||||
let (cred, auth_data) = self.get_assertion(&request)?;
|
||||
|
||||
let cred = request
|
||||
.credentials
|
||||
.iter()
|
||||
.find(|c| c.id == cred.id)
|
||||
.unwrap();
|
||||
Ok((cred, auth_data.parse_extension_data(&ext)?))
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, Clone)]
|
||||
pub enum HmacSecret {
|
||||
Assertion {
|
||||
extension_data: Value,
|
||||
shared_secret: SharedSecret,
|
||||
salt2: bool,
|
||||
},
|
||||
Credential,
|
||||
}
|
||||
|
||||
impl HmacSecret {
|
||||
pub fn new() -> Self {
|
||||
Self::Credential
|
||||
}
|
||||
|
||||
fn extension_input(
|
||||
device: &mut FidoDevice,
|
||||
salt: &[u8; 32],
|
||||
salt2: Option<&[u8; 32]>,
|
||||
) -> FidoResult<Value> {
|
||||
let shared_secret = loop {
|
||||
if let Some(ref secret) = device.shared_secret {
|
||||
break secret;
|
||||
}
|
||||
device.init_shared_secret()?;
|
||||
};
|
||||
let shared_secret = self.shared_secret.as_ref().unwrap();
|
||||
let mut encryptor = shared_secret.encryptor();
|
||||
let mut salt_enc = [0u8; 64];
|
||||
let mut output = RefWriteBuffer::new(&mut salt_enc);
|
||||
@ -189,7 +113,7 @@ impl HmacSecret {
|
||||
let mut map = BTreeMap::new();
|
||||
map.insert(
|
||||
Key::Int(Int::from_i64(0x01)),
|
||||
key_agreement().context(FidoErrorKind::Io)?,
|
||||
key_agreement().map_err(|_| FidoErrorKind::Io)?,
|
||||
);
|
||||
map.insert(
|
||||
Key::Int(Int::from_i64(0x02)),
|
||||
@ -212,67 +136,42 @@ impl HmacSecret {
|
||||
Ok(Value::Map(map))
|
||||
}
|
||||
|
||||
pub fn for_device(
|
||||
fn make_hmac_credential(
|
||||
&mut self,
|
||||
device: &mut FidoDevice,
|
||||
request: &FidoCredentialRequest,
|
||||
) -> FidoResult<FidoCredential> {
|
||||
let mut request = request.clone();
|
||||
request.rk = true;
|
||||
request.extension_data.insert(
|
||||
<Self as HmacExtension>::extension_name(),
|
||||
<Self as HmacExtension>::extension_input(),
|
||||
);
|
||||
self.make_credential(&request)
|
||||
}
|
||||
|
||||
fn get_hmac_assertion<'a: 'b, 'b>(
|
||||
&mut self,
|
||||
request: &FidoAssertionRequest<'a, 'b>,
|
||||
salt: &[u8; 32],
|
||||
salt2: Option<&[u8; 32]>,
|
||||
) -> FidoResult<Self> {
|
||||
Ok(Self::Assertion {
|
||||
extension_data: Self::extension_input(device, salt, salt2)?,
|
||||
shared_secret: device.shared_secret.as_ref().unwrap().clone(),
|
||||
salt2: salt2.is_some(),
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
impl FidoExtension for HmacSecret {
|
||||
fn extension_name() -> &'static str {
|
||||
"hmac-secret"
|
||||
}
|
||||
|
||||
fn patch_assertion_request<'a, 'b>(
|
||||
&'b self,
|
||||
request: &mut FidoAssertionRequest<'a, 'b>,
|
||||
) -> FidoResult<()> {
|
||||
match self {
|
||||
Self::Assertion { extension_data, .. } => request
|
||||
.extension_data
|
||||
.insert(Self::extension_name(), extension_data),
|
||||
_ => return Err(FidoErrorKind::DeviceUnsupported.into()),
|
||||
};
|
||||
Ok(())
|
||||
}
|
||||
|
||||
fn patch_credential_request<'a>(
|
||||
&'a self,
|
||||
request: &mut FidoCredentialRequest<'a>,
|
||||
) -> FidoResult<()> {
|
||||
) -> FidoResult<(&'a FidoCredential, ([u8; 32], Option<[u8; 32]>))> {
|
||||
while self.shared_secret.is_none() {
|
||||
self.init_shared_secret()?;
|
||||
}
|
||||
let ext_data: Value = self.get_data(salt, salt2)?;
|
||||
let mut request = request.clone();
|
||||
request
|
||||
.extension_data
|
||||
.insert(Self::extension_name(), &Value::Bool(true));
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
.insert(<Self as HmacExtension>::extension_name(), &ext_data);
|
||||
|
||||
impl FidoExtensionResponseParser for HmacSecret {
|
||||
type Output = ([u8; 32], Option<[u8; 32]>);
|
||||
|
||||
fn parse_response(&self, response: &AuthenticatorData) -> FidoResult<Self::Output> {
|
||||
let (shared_secret, salt2) = match self {
|
||||
Self::Assertion {
|
||||
shared_secret,
|
||||
salt2,
|
||||
..
|
||||
} => (shared_secret, salt2),
|
||||
_ => return Err(FidoErrorKind::DeviceUnsupported.into()),
|
||||
};
|
||||
let (cred, auth_data) = self.get_assertion(&request)?;
|
||||
let shared_secret = self.shared_secret.as_ref().unwrap();
|
||||
let mut decryptor = shared_secret.decryptor();
|
||||
let mut hmac_secret_combined = [0u8; 64];
|
||||
let _output = RefWriteBuffer::new(&mut hmac_secret_combined);
|
||||
let hmac_secret_enc = match response
|
||||
let hmac_secret_enc = match auth_data
|
||||
.extensions
|
||||
.get(Self::extension_name())
|
||||
.get(<Self as HmacExtension>::extension_name())
|
||||
.ok_or(FidoErrorKind::CborDecode)?
|
||||
{
|
||||
Value::Bytes(hmac_ciphered) => Ok(match hmac_ciphered {
|
||||
@ -297,6 +196,11 @@ impl FidoExtensionResponseParser for HmacSecret {
|
||||
let mut hmac_secret_1 = [0u8; 32];
|
||||
hmac_secret_0.copy_from_slice(&hmac_secret[0..32]);
|
||||
hmac_secret_1.copy_from_slice(&hmac_secret[32..]);
|
||||
Ok((hmac_secret_0, Some(hmac_secret_1).filter(|_| *salt2)))
|
||||
let cred = request
|
||||
.credentials
|
||||
.into_iter()
|
||||
.find(|c| c.id == cred.id)
|
||||
.unwrap();
|
||||
Ok((cred, (hmac_secret_0, salt2.and(Some(hmac_secret_1)))))
|
||||
}
|
||||
}
|
||||
|
||||
@ -1,36 +1,2 @@
|
||||
pub mod hmac;
|
||||
pub use hmac::*;
|
||||
mod cred_protect;
|
||||
use crate::cbor::AuthenticatorData;
|
||||
use crate::{FidoAssertionRequest, FidoCredentialRequest, FidoResult};
|
||||
pub use cred_protect::*;
|
||||
|
||||
pub trait FidoExtension {
|
||||
fn extension_name() -> &'static str;
|
||||
fn patch_assertion_request<'a, 'b>(
|
||||
&'b self,
|
||||
request: &mut FidoAssertionRequest<'a, 'b>,
|
||||
) -> FidoResult<()>;
|
||||
fn patch_credential_request<'a>(
|
||||
&'a self,
|
||||
request: &mut FidoCredentialRequest<'a>,
|
||||
) -> FidoResult<()>;
|
||||
}
|
||||
|
||||
pub trait FidoExtensionResponseParser {
|
||||
type Output;
|
||||
fn parse_response(&self, response: &AuthenticatorData) -> FidoResult<Self::Output>;
|
||||
}
|
||||
|
||||
pub trait FidoExtensionResponseParserExt<Ext: FidoExtensionResponseParser> {
|
||||
fn parse_extension_data(&self, extension: &Ext) -> FidoResult<Ext::Output>;
|
||||
}
|
||||
|
||||
impl<Ext: FidoExtensionResponseParser> FidoExtensionResponseParserExt<Ext> for AuthenticatorData {
|
||||
fn parse_extension_data(
|
||||
&self,
|
||||
extension: &Ext,
|
||||
) -> FidoResult<<Ext as FidoExtensionResponseParser>::Output> {
|
||||
extension.parse_response(self)
|
||||
}
|
||||
}
|
||||
|
||||
52
src/lib.rs
52
src/lib.rs
@ -74,9 +74,7 @@ pub use self::error::*;
|
||||
use self::hid_linux as hid;
|
||||
use self::packet::CtapCommand;
|
||||
pub use self::util::*;
|
||||
use crate::cbor::{AuthenticatorData, GetAssertionRequest, GetInfoResponse};
|
||||
use crate::packet::CtapStatus;
|
||||
use crate::extensions::FidoExtension;
|
||||
use crate::cbor::{AuthenticatorData, GetAssertionRequest};
|
||||
use failure::{Fail, ResultExt};
|
||||
use num_traits::FromPrimitive;
|
||||
use rand::prelude::*;
|
||||
@ -109,7 +107,6 @@ pub struct FidoDevice {
|
||||
shared_secret: Option<crypto::SharedSecret>,
|
||||
pin_token: Option<crypto::PinToken>,
|
||||
aaguid: [u8; 16],
|
||||
info: GetInfoResponse,
|
||||
}
|
||||
|
||||
pub struct FidoCancelHandle {
|
||||
@ -120,7 +117,7 @@ pub struct FidoCancelHandle {
|
||||
|
||||
impl FidoCancelHandle {
|
||||
pub fn cancel(&mut self) -> FidoResult<()> {
|
||||
let payload = &[];
|
||||
let payload = &[1u8];
|
||||
let to_send = payload.len() as u16;
|
||||
let max_payload = (self.packet_size - 7) as usize;
|
||||
let (frame, payload) = payload.split_at(cmp::min(payload.len(), max_payload));
|
||||
@ -207,10 +204,6 @@ impl<'a> FidoCredentialRequest<'a> {
|
||||
pub fn make_credential(&self, device: &mut FidoDevice) -> FidoResult<FidoCredential> {
|
||||
device.make_credential(&self)
|
||||
}
|
||||
|
||||
pub fn with_extension<Ext: FidoExtension>(&mut self, extension: &'a Ext) -> FidoResult<()> {
|
||||
extension.patch_credential_request(self)
|
||||
}
|
||||
}
|
||||
|
||||
/// Request an assertion from the authenticator for a given credential.
|
||||
@ -246,10 +239,6 @@ impl<'a, 'b> FidoAssertionRequest<'a, 'b> {
|
||||
pub fn get_assertion(&self, device: &mut FidoDevice) -> FidoResult<&'a FidoCredential> {
|
||||
device.get_assertion(self).map(|res| res.0)
|
||||
}
|
||||
|
||||
pub fn with_extension<Ext: FidoExtension>(&mut self, extension: &'b Ext) -> FidoResult<()> {
|
||||
extension.patch_assertion_request(self)
|
||||
}
|
||||
}
|
||||
|
||||
impl<'a, 'b> FidoAssertionRequestBuilder<'a, 'b> {
|
||||
@ -277,7 +266,6 @@ impl FidoDevice {
|
||||
shared_secret: None,
|
||||
pin_token: None,
|
||||
aaguid: [0; 16],
|
||||
info: GetInfoResponse::default(),
|
||||
};
|
||||
dev.init()?;
|
||||
Ok(dev)
|
||||
@ -299,20 +287,19 @@ impl FidoDevice {
|
||||
cbor::Response::GetInfo(resp) => resp,
|
||||
_ => Err(FidoErrorKind::CborDecode)?,
|
||||
};
|
||||
if !response.versions.iter().any(|ver| ver == "FIDO_2_0") {
|
||||
if !response.versions.iter().any(|ver| ["FIDO_2_0", "FIDO_2_1_PRE"].contains(&ver.as_str())) {
|
||||
Err(FidoErrorKind::DeviceUnsupported)?
|
||||
}
|
||||
// Require pin protocol version 1, only if pin-protocol is supported at all
|
||||
if !response
|
||||
.pin_protocols
|
||||
.iter()
|
||||
.fold(true, |supported, ver| *ver == 1 && supported)
|
||||
.any(|ver| *ver == 1) && response.pin_protocols.len() > 0
|
||||
{
|
||||
Err(FidoErrorKind::DeviceUnsupported)?
|
||||
}
|
||||
self.needs_pin = response.options.client_pin == Some(true);
|
||||
self.aaguid = response.aaguid;
|
||||
self.info = response;
|
||||
Ok(())
|
||||
}
|
||||
|
||||
@ -338,6 +325,11 @@ impl FidoDevice {
|
||||
}
|
||||
}
|
||||
|
||||
/// True if this authenticator requires a PIN
|
||||
pub fn needs_pin(&self) -> bool {
|
||||
self.needs_pin
|
||||
}
|
||||
|
||||
/// Unlock the device with the provided PIN. Internally this will generate
|
||||
/// an ECDH keypair, send the encrypted PIN to the device and store the PIN
|
||||
/// token that the device generates on every power cycle. The PIN itself is
|
||||
@ -382,10 +374,6 @@ impl FidoDevice {
|
||||
.context(FidoErrorKind::Io)?)
|
||||
}
|
||||
|
||||
pub fn supports_extension<Ext: FidoExtension>(&self) -> bool {
|
||||
self.info.extensions.iter().any(|ext| ext == Ext::extension_name())
|
||||
}
|
||||
|
||||
pub fn make_credential(
|
||||
&mut self,
|
||||
request: &FidoCredentialRequest<'_>,
|
||||
@ -555,26 +543,6 @@ impl FidoDevice {
|
||||
.map(|cred| (cred, response.auth_data))
|
||||
}
|
||||
|
||||
pub fn ping(&mut self, data: &[u8]) -> FidoResult<Vec<u8>> {
|
||||
self.exchange(CtapCommand::Ping, data)
|
||||
}
|
||||
|
||||
pub fn wink(&mut self) -> FidoResult<()> {
|
||||
self.send(&CtapCommand::Wink, &[]).map(|_| ())
|
||||
}
|
||||
|
||||
fn lock(&mut self, time_sec: u8) -> FidoResult<()> {
|
||||
self.exchange(CtapCommand::Lock, &[time_sec]).map(|_| ())
|
||||
}
|
||||
|
||||
fn keepalive(&mut self) -> FidoResult<CtapStatus> {
|
||||
self.exchange(CtapCommand::Keepalive, &[])?
|
||||
.first()
|
||||
.cloned()
|
||||
.and_then(CtapStatus::from_u8)
|
||||
.ok_or(FidoError::from(FidoErrorKind::CborDecode))
|
||||
}
|
||||
|
||||
fn cbor(&mut self, request: cbor::Request) -> FidoResult<cbor::Response> {
|
||||
let mut buf = Cursor::new(Vec::new());
|
||||
request
|
||||
@ -593,7 +561,7 @@ impl FidoDevice {
|
||||
}
|
||||
|
||||
fn send(&mut self, cmd: &CtapCommand, payload: &[u8]) -> FidoResult<()> {
|
||||
if payload.len() > u16::MAX as usize {
|
||||
if payload.is_empty() || payload.len() > u16::MAX as usize {
|
||||
Err(FidoErrorKind::WritePacket)?
|
||||
}
|
||||
let to_send = payload.len() as u16;
|
||||
|
||||
@ -13,7 +13,7 @@ use std::io::{Read, Write};
|
||||
static FRAME_INIT: u8 = 0x80;
|
||||
|
||||
#[repr(u8)]
|
||||
#[derive(Debug, FromPrimitive, ToPrimitive, PartialEq)]
|
||||
#[derive(FromPrimitive, ToPrimitive, PartialEq)]
|
||||
pub enum CtapCommand {
|
||||
Invalid = 0x00,
|
||||
Ping = 0x01,
|
||||
@ -36,13 +36,6 @@ impl CtapCommand {
|
||||
}
|
||||
}
|
||||
|
||||
#[repr(u8)]
|
||||
#[derive(Debug, FromPrimitive, ToPrimitive, PartialEq)]
|
||||
pub enum CtapStatus {
|
||||
Processing = 0x01,
|
||||
AwaitingUserPresence = 0x02,
|
||||
}
|
||||
|
||||
#[repr(u8)]
|
||||
#[derive(FromPrimitive, Fail, Debug)]
|
||||
pub enum CtapError {
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user