test all features

.drone.yml

@@ -0,0 +1,24 @@
+kind: pipeline
+name: default
+
+steps:
+ - name: fmt
+   image: rust:1.43.0
+   commands:
+     -  rustup component add rustfmt
+     -  cargo fmt --all -- --check
+ - name: test
+   image: rust:1.43.0
+   commands:
+    - cargo test --all-features
+ - name: publish
+   image: rust:1.43.0
+   environment:
+    CARGO_REGISTRY_TOKEN:
+     from_secret: cargo_tkn
+   commands:
+    - grep -E 'version ?= ?"${DRONE_TAG}"' -i Cargo.toml || (printf "incorrect crate/tag version" && exit 1)
+    - cargo package --all-features
+    - cargo publish --all-features
+   when:
+    event: tag

Cargo.toml

@@ -1,12 +1,13 @@
 [package]
 name = "ctap_hmac"
 description = "A Rust implementation of the FIDO2 CTAP protocol, including the HMAC extension"
-version = "0.3.0"
+version = "0.4.0"
 license = "Apache-2.0/MIT"
-homepage = "https://github.com/ArdaXi/ctap/pull/2"
+homepage = "https://github.com/shimunn/ctap"
 repository = "https://github.com/shimunn/ctap"
 authors = ["Arda Xi <arda@ardaxi.com>", "shimun <shimun@shimun.net>"]
 edition = "2018"
+readme = "README.md"
 
 [dependencies]
 rand = "0.6"
@@ -22,9 +23,13 @@ rust-crypto = "0.2"
 csv-core = "0.1.6"
 derive_builder = "0.9.0"
 crossbeam = { version = "0.7.3", optional = true }
+serde_derive = "1.0.106"
+serde = "1.0.106"
+serde_cbor = "0.11.1"
+serde_bytes = "0.11.3"
 [dev-dependencies]
 crossbeam = "0.7.3"
 hex = "0.4.0"
 
 [features]
-assert_devices = ["crossbeam"]
+request_multiple = ["crossbeam"]

examples/hmac.rs

@@ -3,7 +3,7 @@ extern crate ctap_hmac as ctap;
 use crypto::digest::Digest;
 use crypto::sha2::Sha256;
 use ctap::extensions::hmac::HmacExtension;
-use ctap::{FidoCredential, FidoCredentialRequestBuilder, AuthenticatorOptions};
+use ctap::{FidoAssertionRequestBuilder, FidoCredential, FidoCredentialRequestBuilder};
 use hex;
 use std::env::args;
 use std::io::prelude::*;
@@ -17,23 +17,30 @@ fn main() -> ctap::FidoResult<()> {
     let device_info = &mut devices.next().expect("No authenticator found");
     let mut device = ctap::FidoDevice::new(device_info)?;
 
-    let mut credential = match args().skip(1).next().map(|h| FidoCredential {
+    let credential = match args().skip(1).next().map(|h| FidoCredential {
         id: hex::decode(&h).expect("Invalid credential"),
         public_key: None,
     }) {
         Some(cred) => cred,
         _ => {
-            let req = FidoCredentialRequestBuilder::default().rp_id(RP_ID).rp_name("ctap_hmac crate").user_name("example").uv(false).build().unwrap();
+            let req = FidoCredentialRequestBuilder::default()
+                .rp_id(RP_ID)
+                .rp_name("ctap_hmac crate")
+                .user_name("example")
+                .uv(false)
+                .build()
+                .unwrap();
 
             println!("Authorize using your device");
-            let cred = device.make_hmac_credential(req).expect("Failed to request credential");
+            let cred = device
+                .make_hmac_credential(&req)
+                .expect("Failed to request credential");
             println!("Credential: {}\nNote: You can pass this credential as first argument in order to reproduce results", hex::encode(&cred.id));
             cred
         }
     };
-    let credential = credential;
     print!("Type in your message: ");
-    stdout().flush();
+    stdout().flush().unwrap();
     let mut message = String::new();
     stdin()
         .read_line(&mut message)
@@ -44,7 +51,13 @@ fn main() -> ctap::FidoResult<()> {
     let mut digest = Sha256::new();
     digest.input(&message.as_bytes());
     digest.result(&mut salt);
-    let (cred, (hash1, _hash2)) = device.get_hmac_assertion(RP_ID, &[&credential], &salt, None, None)?;
+    let credential = &&credential;
+    let request = FidoAssertionRequestBuilder::default()
+        .rp_id(RP_ID)
+        .credential(credential)
+        .build()
+        .unwrap();
+    let (_cred, (hash1, _hash2)) = device.get_hmac_assertion(&request, &salt, None)?;
     println!("Hash: {}", hex::encode(&hash1));
     Ok(())
 }

examples/multiple.rs

@@ -1,24 +1,16 @@
 extern crate ctap_hmac as ctap;
-
-use crossbeam::thread;
-use crypto::digest::Digest;
-use crypto::sha2::Sha256;
 use ctap::{
     FidoAssertionRequestBuilder, FidoCredential, FidoCredentialRequestBuilder, FidoDevice,
-    FidoError, FidoResult,
+    FidoResult,
 };
-use failure::_core::time::Duration;
+
 use hex;
 use std::env::args;
-use std::io::prelude::*;
+use std::time::Duration;
-use std::io::stdin;
-use std::io::stdout;
-use std::sync::mpsc::channel;
-use std::sync::Mutex;
 
 const RP_ID: &str = "ctap_demo";
 
-fn run() -> ctap::FidoResult<()> {
+fn main() -> ctap::FidoResult<()> {
     let mut credentials = args()
         .skip(1)
         .map(|id| FidoCredential {
@@ -32,6 +24,7 @@ fn run() -> ctap::FidoResult<()> {
                 FidoDevice::new(&h).and_then(|mut dev| {
                     FidoCredentialRequestBuilder::default()
                         .rp_id(RP_ID)
+                        .user_name("test")
                         .build()
                         .unwrap()
                         .make_credential(&mut dev)
@@ -48,11 +41,9 @@ fn run() -> ctap::FidoResult<()> {
     let mut devices = ctap::get_devices()?
         .map(|handle| FidoDevice::new(&handle))
         .collect::<FidoResult<Vec<_>>>()?;
-    let (cred, _) = ctap::get_assertion_devices(&req, devices.iter_mut())?;
+    // run with --features request_multiple
+    let (cred, _) =
+        ctap::get_assertion_devices(&req, devices.iter_mut(), Some(Duration::from_secs(10)))?;
     println!("Success, got assertion for: {}", hex::encode(&cred.id));
     Ok(())
 }
-
-fn main() {
-    dbg!(run());
-}

src/cbor.rs

@@ -423,7 +423,9 @@ impl OptionsInfo {
                 "clientPin" => options.client_pin = Some(decoder.bool()?),
                 "up" => options.up = decoder.bool()?,
                 "uv" => options.uv = Some(decoder.bool()?),
-                _ => continue,
+                _ => {
+                    decoder.bool()?;
+                }
             }
         }
         Ok(options)
@@ -595,14 +597,45 @@ impl CoseKey {
         let mut cose_key = CoseKey::default();
         cose_key.algorithm = -7;
         for _ in 0..items {
-            match generic.borrow_mut().i16()? {
+            match generic.value()? {
-                0x01 => cose_key.key_type = generic.borrow_mut().u16()?,
+                Value::Text(value::Text::Text(text)) => match &text[..] {
-                0x02 => cose_key.algorithm = generic.borrow_mut().i32()?,
+                    "type" => {
-                key if key < 0 => {
+                        cose_key.key_type = match generic.value()? {
-                    cose_key.parameters.insert(key, generic.value()?);
+                            Value::Text(value::Text::Text(type_)) if &type_ == "public-key" => 0u16,
+                            Value::U16(i) => i,
+                            Value::U8(i) => i.into(),
+                            _ => {
+                                continue;
+                            }
+                        }
+                    }
+                    "alg" => cose_key.algorithm = generic.borrow_mut().i32()?,
+                    _ => continue,
+                },
+                val @ Value::I8(_)
+                | val @ Value::I16(_)
+                | val @ Value::U16(_)
+                | val @ Value::U8(_) => {
+                    let int_val = match val {
+                        Value::I8(i) => i as i32,
+                        Value::I16(i) => i as i32,
+                        Value::U8(i) => i as i32,
+                        Value::U16(i) => i as i32,
+                        _ => unreachable!(),
+                    };
+                    match int_val {
+                        0x01 => cose_key.key_type = generic.borrow_mut().u16()?,
+                        0x02 => cose_key.algorithm = generic.borrow_mut().i32()?,
+                        key if key < 0 => {
+                            cose_key.parameters.insert(key as i16, generic.value()?);
+                        }
+                        unknown => {
+                            (unknown, generic.value()?); // skip unknown parameter
+                        }
+                    }
                 }
-                _ => {
+                unknown => {
-                    generic.value()?; // skip unknown parameter
+                    (unknown, generic.value()?); // skip unknown parameter
                 }
             }
         }

src/error.rs

@@ -23,6 +23,8 @@ pub struct CborErrorCode(u8);
 pub enum FidoErrorKind {
     #[fail(display = "Read/write error with device.")]
     Io,
+    #[fail(display = "Operation timed out")]
+    Timeout,
     #[fail(display = "Error while reading packet from device.")]
     ReadPacket,
     #[fail(display = "Error while writing packet to device.")]
@@ -47,7 +49,7 @@ pub enum FidoErrorKind {
     DecryptPin,
     #[fail(display = "Failed to verify response signature.")]
     VerifySignature,
-    #[fail(display = "Supplied key has incorrect type.")]
+    #[fail(display = "Failed to verify response signature.")]
     KeyType,
     #[fail(display = "Device returned error: {}", _0)]
     CborError(CborErrorCode),

src/extensions/hmac.rs

@@ -1,7 +1,4 @@
-use crate::{
+use crate::{FidoAssertionRequest, FidoAssertionRequestBuilder, FidoCredentialRequest};
-    AuthenticatorOptions, FidoAssertionRequestBuilder,
-    FidoCredentialRequest,
-};
 use crate::{FidoCredential, FidoDevice, FidoErrorKind, FidoResult};
 use cbor_codec::value::{Bytes, Int, Key, Text, Value};
 use cbor_codec::Encoder;
@@ -13,7 +10,6 @@ use rust_crypto::mac::Mac;
 use rust_crypto::sha2::Sha256;
 use std::collections::BTreeMap;
 use std::io::Cursor;
-use std::iter::FromIterator;
 
 pub trait HmacExtension {
     fn extension_name() -> &'static str {
@@ -40,8 +36,10 @@ pub trait HmacExtension {
 
     /// Convenience function to create an credential which includes extension specific data
     /// Use `FidoDevice::make_credential` if you need more control
-    fn make_hmac_credential(&mut self, request: FidoCredentialRequest) -> FidoResult<FidoCredential>;
+    fn make_hmac_credential(
-
+        &mut self,
+        request: &FidoCredentialRequest,
+    ) -> FidoResult<FidoCredential>;
 
     /// Request an assertion from the authenticator for a given credential and salt(s).
     /// at least one `salt` must be provided, consider using a hashing function like SHA256
@@ -53,13 +51,11 @@ pub trait HmacExtension {
     /// provided, and will fail if a PIN is required but not provided or if the
     /// device returns malformed data.
     ///
-    fn get_hmac_assertion<'a>(
+    fn get_hmac_assertion<'a: 'b, 'b>(
         &mut self,
-        rp_id: &str,
+        assertion: &FidoAssertionRequest<'a, 'b>,
-        credentials: &'a [&'a FidoCredential],
         salt: &[u8; 32],
         salt2: Option<&[u8; 32]>,
-        options: Option<AuthenticatorOptions>,
     ) -> FidoResult<(&'a FidoCredential, ([u8; 32], Option<[u8; 32]>))>;
 
     /// Convenience function for `get_hmac_assertion` that will accept arbitrary
@@ -75,11 +71,13 @@ pub trait HmacExtension {
         digest.input(input);
         digest.result(&mut salt);
         self.get_hmac_assertion(
-            rp_id,
+            &FidoAssertionRequestBuilder::default()
-            &[credential],
+                .rp_id(rp_id)
+                .credential(&credential)
+                .build()
+                .unwrap(),
             &salt,
             None,
-            Some(AuthenticatorOptions { uv: true, rk: true, up: false }),
         )
         .map(|(_cred, secret)| secret.0)
     }
@@ -138,43 +136,35 @@ impl HmacExtension for FidoDevice {
         Ok(Value::Map(map))
     }
 
-    fn make_hmac_credential(&mut self, request: FidoCredentialRequest) -> FidoResult<FidoCredential> {
+    fn make_hmac_credential(
-        let mut request = request;
+        &mut self,
+        request: &FidoCredentialRequest,
+    ) -> FidoResult<FidoCredential> {
+        let mut request = request.clone();
         request.rk = true;
-        request.extension_data.insert(<Self as HmacExtension>::extension_name(), <Self as HmacExtension>::extension_input());
+        request.extension_data.insert(
+            <Self as HmacExtension>::extension_name(),
+            <Self as HmacExtension>::extension_input(),
+        );
         self.make_credential(&request)
     }
 
-    fn get_hmac_assertion<'a>(
+    fn get_hmac_assertion<'a: 'b, 'b>(
         &mut self,
-        rp_id: &str,
+        request: &FidoAssertionRequest<'a, 'b>,
-        credentials: &'a [&'a FidoCredential],
         salt: &[u8; 32],
         salt2: Option<&[u8; 32]>,
-        options: Option<AuthenticatorOptions>,
     ) -> FidoResult<(&'a FidoCredential, ([u8; 32], Option<[u8; 32]>))> {
         while self.shared_secret.is_none() {
             self.init_shared_secret()?;
         }
         let ext_data: Value = self.get_data(salt, salt2)?;
+        let mut request = request.clone();
+        request
+            .extension_data
+            .insert(<Self as HmacExtension>::extension_name(), &ext_data);
 
-        let ext_data: BTreeMap<&str, &Value> = BTreeMap::from_iter(
+        let (cred, auth_data) = self.get_assertion(&request)?;
-            [(<Self as HmacExtension>::extension_name(), &ext_data)]
-                .iter()
-                .cloned(),
-        );
-
-        let mut builder = FidoAssertionRequestBuilder::default()
-            .credentials(credentials)
-            .rp_id(rp_id)
-            .extension_data(ext_data);
-
-        if let Some(opts) = options {
-            builder = builder.uv(opts.uv).up(opts.up);
-        }
-
-        let (cred, auth_data) =
-            self.get_assertion(&builder.build().unwrap())?;
         let shared_secret = self.shared_secret.as_ref().unwrap();
         let mut decryptor = shared_secret.decryptor();
         let mut hmac_secret_combined = [0u8; 64];
@@ -206,7 +196,11 @@ impl HmacExtension for FidoDevice {
         let mut hmac_secret_1 = [0u8; 32];
         hmac_secret_0.copy_from_slice(&hmac_secret[0..32]);
         hmac_secret_1.copy_from_slice(&hmac_secret[32..]);
-        let cred = credentials.into_iter().find(|c| c.id == cred.id).unwrap();
+        let cred = request
+            .credentials
+            .into_iter()
+            .find(|c| c.id == cred.id)
+            .unwrap();
         Ok((cred, (hmac_secret_0, salt2.and(Some(hmac_secret_1)))))
     }
 }

src/lib.rs

@@ -217,7 +217,7 @@ impl<'a> FidoCredentialRequest<'a> {
 #[derive(Clone, Debug, Builder)]
 #[builder(setter(into))]
 #[builder(pattern = "owned")]
-pub struct FidoAssertionRequest<'a> {
+pub struct FidoAssertionRequest<'a, 'b> {
     #[builder(default)]
     up: bool,
     #[builder(default)]
@@ -232,16 +232,16 @@ pub struct FidoAssertionRequest<'a> {
     #[builder(default = "&[0u8; 32]")]
     client_data_hash: &'a [u8],
     #[builder(default)]
-    extension_data: BTreeMap<&'a str, &'a cbor_codec::value::Value>,
+    extension_data: BTreeMap<&'b str, &'b cbor_codec::value::Value>,
 }
 
-impl<'a> FidoAssertionRequest<'a> {
+impl<'a, 'b> FidoAssertionRequest<'a, 'b> {
     pub fn get_assertion(&self, device: &mut FidoDevice) -> FidoResult<&'a FidoCredential> {
         device.get_assertion(self).map(|res| res.0)
     }
 }
 
-impl<'a> FidoAssertionRequestBuilder<'a> {
+impl<'a, 'b> FidoAssertionRequestBuilder<'a, 'b> {
     pub fn credential(mut self, credential: &'a &'a FidoCredential) -> Self {
         self.credentials = Some(std::slice::from_ref(credential));
         self
@@ -457,10 +457,9 @@ impl FidoDevice {
     ///
     /// This method will fail if a PIN is required but the device is not
     /// unlocked or if the device returns malformed data.
-
+    pub fn get_assertion<'a, 'b>(
-    pub fn get_assertion<'a>(
         &mut self,
-        assertion: &FidoAssertionRequest<'a>,
+        assertion: &FidoAssertionRequest<'a, 'b>,
     ) -> FidoResult<(&'a FidoCredential, AuthenticatorData)> {
         while self.shared_secret.is_none() {
             self.init_shared_secret()?;

src/protocol/error.rs

@@ -0,0 +1,7 @@
+use thiserror::Error;
+
+#[derive(Clone, PartialEq, Eq, Debug)]
+pub enum ProtocolError {
+    CborEncode,
+    CborDecode { data: Vec<u8> },
+}

src/protocol/mod.rs

@@ -0,0 +1,4 @@
+mod cbor;
+mod error;
+pub use self::cbor::*;
+pub use self::error::*;

src/transport/mod.rs

@@ -0,0 +1,9 @@
+use crate::protocol::{CborRequest, CborResponse};
+
+pub trait CtapTransport {
+    type Error;
+
+    fn cbor<'a>(&mut self, command: &CborRequest<'a>) -> Result<CborResponse, Self::Error>;
+}
+
+pub enum CtapCommand {}

src/util.rs

@@ -1,44 +1,88 @@
-use crate::cbor::AuthenticatorData;
+#[cfg(feature = "request_multiple")]
-use crate::{FidoAssertionRequest, FidoCredential, FidoDevice, FidoErrorKind, FidoResult};
+use crate::{
-use std::sync::mpsc::channel;
+    cbor::AuthenticatorData, FidoAssertionRequest, FidoCredential, FidoCredentialRequest,
-#[cfg(feature = "assert_devices")]
+    FidoDevice, FidoErrorKind, FidoResult,
+};
+#[cfg(feature = "request_multiple")]
 use crossbeam::thread;
-
+#[cfg(feature = "request_multiple")]
-/// Will send the `assertion` to all supplied `devices` and return either the first successful assertion or the last error
+use std::sync::mpsc::channel;
-#[cfg(feature = "assert_devices")]
+#[cfg(feature = "request_multiple")]
-pub fn get_assertion_devices<'a>(
+use std::time::Duration;
-    assertion: &'a FidoAssertionRequest,
+#[cfg(feature = "request_multiple")]
-    devices: impl Iterator<Item = &'a mut FidoDevice>,
+pub fn request_multiple_devices<
-) -> FidoResult<(&'a FidoCredential, AuthenticatorData)> {
+    'a,
-    thread::scope(
+    T: Send + 'a,
-        |scope| -> FidoResult<(&'a FidoCredential, AuthenticatorData)> {
+    F: Fn(&mut FidoDevice) -> FidoResult<T> + 'a + Sync,
-            let (tx, rx) = channel();
+>(
-            let handles = devices
+    devices: impl Iterator<Item = (&'a mut FidoDevice, &'a F)>,
-                .map(|device| {
+    timeout: Option<Duration>,
-                    let cancel = device.cancel_handle()?;
+) -> FidoResult<T> {
-                    let tx = tx.clone();
+    thread::scope(|scope| -> FidoResult<T> {
-                    let thread_handle =
+        let (tx, rx) = channel();
-                        scope.spawn(move |_| tx.send(device.get_assertion(assertion)));
+        let handles = devices
-                    Ok((cancel, thread_handle))
+            .map(|(device, fn_)| {
-                })
+                let cancel = device.cancel_handle()?;
-                .collect::<FidoResult<Vec<_>>>()?;
+                let tx = tx.clone();
-
+                let thread_handle = scope.spawn(move |_| tx.send(fn_(device)));
-            let mut err = None;
+                Ok((cancel, thread_handle))
-            for res in rx.iter().take(handles.len()) {
+            })
-                match res {
+            .collect::<FidoResult<Vec<_>>>()?;
-                    Ok(_) => {
+        let mut err = None;
-                        for (mut cancel, join) in handles {
+        let mut slept = Duration::from_millis(0);
-                            // Canceling out of courtesy don't care if it fails
+        let interval = Duration::from_millis(10);
-                            let _ = cancel.cancel();
+        let mut received = 0usize;
-                            let _ = join.join();
+        let res = loop {
-                        }
+            match timeout {
-                        return res;
+                Some(t) if t < slept => {
-                    }
+                    break if let Some(cause) = err {
-                    e => err = Some(e),
+                        cause
+                    } else {
+                        Err(FidoErrorKind::Timeout.into())
+                    };
                 }
+                _ => (),
             }
-            err.unwrap_or(Err(FidoErrorKind::DeviceUnsupported.into()))
+            if timeout.map(|t| t < slept).unwrap_or(true) {}
-        },
+            if let Ok(msg) = rx.recv_timeout(interval) {
-    )
+                received += 1;
+                match msg {
+                    e @ Err(_) if received == handles.len() => break e,
+                    e @ Err(_) => err = Some(e),
+                    res @ Ok(_) => break res,
+                }
+            } else {
+                slept += interval;
+            }
+        };
+        for (mut cancel, join) in handles {
+            // Canceling out of courtesy don't care if it fails
+            let _ = cancel.cancel();
+            let _ = join.join();
+        }
+        res
+    })
     .unwrap()
 }
+
+/// Will send the `assertion_request` to all supplied `devices` and return either the first successful assertion or the last error
+#[cfg(feature = "request_multiple")]
+pub fn get_assertion_devices<'a>(
+    assertion_request: &'a FidoAssertionRequest,
+    devices: impl Iterator<Item = &'a mut FidoDevice>,
+    timeout: Option<Duration>,
+) -> FidoResult<(&'a FidoCredential, AuthenticatorData)> {
+    let get_assertion = |device: &mut FidoDevice| device.get_assertion(assertion_request);
+    request_multiple_devices(devices.map(|device| (device, &get_assertion)), timeout)
+}
+
+/// Will send the `credential_request` to all supplied `devices` and return either the first credential or the last error
+#[cfg(feature = "request_multiple")]
+pub fn make_credential_devices<'a>(
+    credential_request: &'a FidoCredentialRequest,
+    devices: impl Iterator<Item = &'a mut FidoDevice>,
+    timeout: Option<Duration>,
+) -> FidoResult<FidoCredential> {
+    let make_credential = |device: &mut FidoDevice| device.make_credential(credential_request);
+    request_multiple_devices(devices.map(|device| (device, &make_credential)), timeout)
+}