handle surplus options

fix warnings
fix api leaking private type
2020-04-01 19:49:49 +02:00 · 2020-04-01 19:20:48 +02:00 · 2020-04-01 19:20:20 +02:00 · 2020-04-01 17:58:53 +02:00 · 2020-04-01 17:48:03 +02:00 · 2020-03-31 21:10:33 +02:00
9 changed files with 499 additions and 302 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@ -1,7 +1,7 @@
 [package]
 name = "ctap_hmac"
 description = "A Rust implementation of the FIDO2 CTAP protocol, including the HMAC extension"
-version = "0.2.1"
+version = "0.3.0"
 license = "Apache-2.0/MIT"
 homepage = "https://github.com/ArdaXi/ctap/pull/2"
 repository = "https://github.com/shimunn/ctap"
@ -19,5 +19,12 @@ cbor-codec = "0.7"
 ring = "0.13"
 untrusted = "0.6"
 rust-crypto = "0.2"
 hex = "0.4.0"
 csv-core = "0.1.6"
 derive_builder = "0.9.0"
 crossbeam = { version = "0.7.3", optional = true }
 [dev-dependencies]
 crossbeam = "0.7.3"
 hex = "0.4.0"
 [features]
 request_multiple = ["crossbeam"]
--- a/README.md
+++ b/README.md
@ -13,28 +13,28 @@ ctap is a library implementing the [FIDO2 CTAP](https://fidoalliance.org/specs/f
 ## Usage example
 ```rust
-let devices = ctap::get_devices()?;
+use ctap_hmac::*;
-let device_info = &devices[0];
+let device_info = get_devices()?.next().expect("no device connected");
-let mut device = ctap::FidoDevice::new(device_info)?;
+let mut device = FidoDevice::new(&device_info)?;
 // This can be omitted if the FIDO device is not configured with a PIN.
 let pin = "test";
 device.unlock(pin)?;
 // In a real application these values would come from the requesting app.
-let rp_id = "rp_id";
+let cred_request = FidoCredentialRequestBuilder::default()
-let user_id = [0];
+                    .rp_id("rp_id")
-let user_name = "user_name";
+                    .user_name("user_name")
-let client_data_hash = [0; 32];
+                    .build().unwrap();
 let cred = device.make_credential(
    rp_id,
    &user_id,
    user_name,
    &client_data_hash
 )?;
 let cred = device.make_credential(&cred_request)?;
 let cred = &&cred;
 let assertion_request = FidoAssertionRequestBuilder::default()
                            .rp_id("rp_id")
                            .credential(&&cred)
                            .build().unwrap();
 // In a real application the credential would be stored and used later.
-let result = device.get_assertion(&cred, &client_data_hash);
+let result = device.get_assertion(&assertion_request);
 ```
 ## Limitations
--- a/examples/hmac.rs
+++ b/examples/hmac.rs
@ -2,8 +2,9 @@ extern crate ctap_hmac as ctap;
 use crypto::digest::Digest;
 use crypto::sha2::Sha256;
-use ctap::extensions::hmac::{FidoHmacCredential, HmacExtension};
+use ctap::extensions::hmac::HmacExtension;
-use ctap_hmac::{AuthenticatorOptions, PublicKeyCredentialRpEntity, PublicKeyCredentialUserEntity};
+use ctap::{FidoAssertionRequestBuilder, FidoCredential, FidoCredentialRequestBuilder};
 use hex;
 use std::env::args;
 use std::io::prelude::*;
@ -14,43 +15,33 @@ const RP_ID: &str = "ctap_demo";
 fn main() -> ctap::FidoResult<()> {
    let mut devices = ctap::get_devices()?;
-    let device_info = &mut devices.next().expect("No authenicator found");
+    let device_info = &mut devices.next().expect("No authenticator found");
    let mut device = ctap::FidoDevice::new(device_info)?;
-    let options = || {
+
-        Some(AuthenticatorOptions {
+    let credential = match args().skip(1).next().map(|h| FidoCredential {
            uv: false,
            rk: true,
        })
    };
    let mut credential = match args().skip(1).next().map(|h| FidoHmacCredential {
        id: hex::decode(&h).expect("Invalid credential"),
-        rp_id: RP_ID.into(),
+        public_key: None,
    }) {
        Some(cred) => cred,
        _ => {
-            let rp = PublicKeyCredentialRpEntity {
+            let req = FidoCredentialRequestBuilder::default()
-                id: RP_ID,
+                .rp_id(RP_ID)
-                name: Some("ctap_hmac crate"),
+                .rp_name("ctap_hmac crate")
-                icon: None,
+                .user_name("example")
-            };
+                .uv(false)
-            let user = PublicKeyCredentialUserEntity {
+                .build()
-                id: &[0u8],
+                .unwrap();
                name: "commandline",
                icon: None,
                display_name: None,
            };
            println!("Authorize using your device");
-            let credential: FidoHmacCredential = device
+            let cred = device
-                .make_hmac_credential_full(rp, user, &[0u8; 32], &[], options())
+                .make_hmac_credential(&req)
-                .map(|cred| cred.into())?;
+                .expect("Failed to request credential");
-            println!("Credential: {}\nNote: You can pass this credential as first argument in order to reproduce results", hex::encode(&credential.id));
+            println!("Credential: {}\nNote: You can pass this credential as first argument in order to reproduce results", hex::encode(&cred.id));
-            credential
+            cred
        }
    };
    let credential = credential;
    print!("Type in your message: ");
-    stdout().flush();
+    stdout().flush().unwrap();
    let mut message = String::new();
    stdin()
        .read_line(&mut message)
@ -61,14 +52,13 @@ fn main() -> ctap::FidoResult<()> {
    let mut digest = Sha256::new();
    digest.input(&message.as_bytes());
    digest.result(&mut salt);
-    let hash = device
+    let credential = &&credential;
-        .get_hmac_assertion(
+    let request = FidoAssertionRequestBuilder::default()
-            &credential,
+        .rp_id(RP_ID)
-            &salt,
+        .credential(credential)
-            None,
+        .build()
-            None,
+        .unwrap();
-        )?
+    let (_cred, (hash1, _hash2)) = device.get_hmac_assertion(&request, &salt, None)?;
-        .0;
+    println!("Hash: {}", hex::encode(&hash1));
    println!("Hash: {}", hex::encode(&hash));
    Ok(())
 }
--- a/examples/multiple.rs
+++ b/examples/multiple.rs
@ -0,0 +1,47 @@
 extern crate ctap_hmac as ctap;
 use ctap::{
    FidoAssertionRequestBuilder, FidoCredential, FidoCredentialRequestBuilder, FidoDevice,
    FidoResult,
 };
 use hex;
 use std::env::args;
 const RP_ID: &str = "ctap_demo";
 fn main() -> ctap::FidoResult<()> {
    let mut credentials = args()
        .skip(1)
        .map(|id| FidoCredential {
            id: hex::decode(&id).expect("Invalid credential"),
            public_key: None,
        })
        .collect::<Vec<_>>();
    if credentials.len() == 0 {
        credentials = ctap::get_devices()?
            .map(|h| {
                FidoDevice::new(&h).and_then(|mut dev| {
                    FidoCredentialRequestBuilder::default()
                        .rp_id(RP_ID)
                        .build()
                        .unwrap()
                        .make_credential(&mut dev)
                })
            })
            .collect::<FidoResult<Vec<FidoCredential>>>()?;
    }
    let credentials = credentials.iter().collect::<Vec<_>>();
    let req = FidoAssertionRequestBuilder::default()
        .rp_id(RP_ID)
        .credentials(&credentials[..])
        .build()
        .unwrap();
    let mut devices = ctap::get_devices()?
        .map(|handle| FidoDevice::new(&handle))
        .collect::<FidoResult<Vec<_>>>()?;
    // run with --features request_multiple
    let (cred, _) = ctap::get_assertion_devices(&req, devices.iter_mut())?;
    println!("Success, got assertion for: {}", hex::encode(&cred.id));
    Ok(())
 }
--- a/src/cbor.rs
+++ b/src/cbor.rs
@ -423,7 +423,9 @@ impl OptionsInfo {
                "clientPin" => options.client_pin = Some(decoder.bool()?),
                "up" => options.up = decoder.bool()?,
                "uv" => options.uv = Some(decoder.bool()?),
-                _ => continue,
+                _ => {
                    decoder.bool()?;
                }
            }
        }
        Ok(options)
@ -700,15 +702,16 @@ impl PublicKeyCredentialDescriptor {
 pub struct AuthenticatorOptions {
    pub rk: bool,
    pub uv: bool,
    pub up: bool,
 }
 impl AuthenticatorOptions {
    pub fn encoded(&self) -> bool {
-        self.rk || self.uv
+        self.rk || self.uv || self.up
    }
    pub fn encode<W: WriteBytesExt>(&self, encoder: &mut Encoder<W>) -> FidoResult<()> {
-        let length = (self.rk as usize) + (self.uv as usize);
+        let length = (self.rk as usize) + (self.uv as usize) + (self.up as usize);
        encoder.object(length)?;
        if self.rk {
            encoder.text("rk")?;
@ -718,6 +721,10 @@ impl AuthenticatorOptions {
            encoder.text("uv")?;
            encoder.bool(true)?;
        }
        if self.up {
            encoder.text("up")?;
            encoder.bool(true)?;
        }
        Ok(())
    }
 }
--- a/src/error.rs
+++ b/src/error.rs
@ -45,6 +45,8 @@ pub enum FidoErrorKind {
    EncryptPin,
    #[fail(display = "Failed to decrypt PIN.")]
    DecryptPin,
    #[fail(display = "Failed to verify response signature.")]
    VerifySignature,
    #[fail(display = "Supplied key has incorrect type.")]
    KeyType,
    #[fail(display = "Device returned error: {}", _0)]
--- a/src/extensions/hmac.rs
+++ b/src/extensions/hmac.rs
@ -1,5 +1,5 @@
 use crate::{
-    cbor, AuthenticatorOptions, PublicKeyCredentialRpEntity, PublicKeyCredentialUserEntity,
+    FidoAssertionRequest, FidoAssertionRequestBuilder, FidoCredentialRequest,
 };
 use crate::{FidoCredential, FidoDevice, FidoErrorKind, FidoResult};
 use cbor_codec::value::{Bytes, Int, Key, Text, Value};
@ -13,20 +13,6 @@ use rust_crypto::sha2::Sha256;
 use std::collections::BTreeMap;
 use std::io::Cursor;
 #[derive(Debug, Clone)]
 pub struct FidoHmacCredential {
    pub id: Vec<u8>,
    pub rp_id: String,
 }
 impl From<FidoCredential> for FidoHmacCredential {
    fn from(cred: FidoCredential) -> Self {
        FidoHmacCredential {
            id: cred.id,
            rp_id: cred.rp_id,
        }
    }
 }
 pub trait HmacExtension {
    fn extension_name() -> &'static str {
@ -51,17 +37,11 @@ pub trait HmacExtension {
    fn get_data(&mut self, salt: &[u8; 32], salt2: Option<&[u8; 32]>) -> FidoResult<Value>;
-    /// Convenience function to create an credential with default rp_id and user_name
+    /// Convenience function to create an credential which includes extension specific data
    /// Use `FidoDevice::make_credential` if you need more control
-    fn make_hmac_credential(&mut self) -> FidoResult<FidoHmacCredential>;
+    fn make_hmac_credential(
    fn make_hmac_credential_full(
        &mut self,
-        rp: cbor::PublicKeyCredentialRpEntity,
+        request: &FidoCredentialRequest,
        user: cbor::PublicKeyCredentialUserEntity,
        client_data_hash: &[u8],
        exclude_list: &[cbor::PublicKeyCredentialDescriptor],
        options: Option<cbor::AuthenticatorOptions>,
    ) -> FidoResult<FidoCredential>;
    /// Request an assertion from the authenticator for a given credential and salt(s).
@ -74,19 +54,19 @@ pub trait HmacExtension {
    /// provided, and will fail if a PIN is required but not provided or if the
    /// device returns malformed data.
    ///
-    fn get_hmac_assertion(
+    fn get_hmac_assertion<'a: 'b, 'b>(
        &mut self,
-        credential: &FidoHmacCredential,
+        assertion: &FidoAssertionRequest<'a, 'b>,
        salt: &[u8; 32],
        salt2: Option<&[u8; 32]>,
-        options: Option<AuthenticatorOptions>,
+    ) -> FidoResult<(&'a FidoCredential, ([u8; 32], Option<[u8; 32]>))>;
    ) -> FidoResult<([u8; 32], Option<[u8; 32]>)>;
    /// Convenience function for `get_hmac_assertion` that will accept arbitrary
    /// lenght input which will then be hashed and passed on
    fn hmac_challange(
        &mut self,
-        credential: &FidoHmacCredential,
+        rp_id: &str,
        credential: &FidoCredential,
        input: &[u8],
    ) -> FidoResult<[u8; 32]> {
        let mut salt = [0u8; 32];
@ -94,12 +74,15 @@ pub trait HmacExtension {
        digest.input(input);
        digest.result(&mut salt);
        self.get_hmac_assertion(
-            credential,
+            &FidoAssertionRequestBuilder::default()
                .rp_id(rp_id)
                .credential(&credential)
                .build()
                .unwrap(),
            &salt,
            None,
            Some(AuthenticatorOptions { uv: true, rk: true }),
        )
-        .map(|secret| secret.0)
+        .map(|(_cred, secret)| secret.0)
    }
 }
@ -156,94 +139,40 @@ impl HmacExtension for FidoDevice {
        Ok(Value::Map(map))
    }
-    fn make_hmac_credential(&mut self) -> FidoResult<FidoHmacCredential> {
+    fn make_hmac_credential(
        let rp = PublicKeyCredentialRpEntity {
            id: "hmac",
            name: None,
            icon: None,
        };
        let user = PublicKeyCredentialUserEntity {
            id: &[0u8],
            name: "commandline",
            icon: None,
            display_name: None,
        };
        let options = Some(AuthenticatorOptions {
            uv: true,
            rk: false,
        });
        self.make_hmac_credential_full(rp, user, &[0u8; 32], &[], options)
            .map(|cred| cred.into())
    }
    fn make_hmac_credential_full(
        &mut self,
-        rp: cbor::PublicKeyCredentialRpEntity,
+        request: &FidoCredentialRequest,
        user: cbor::PublicKeyCredentialUserEntity,
        client_data_hash: &[u8],
        exclude_list: &[cbor::PublicKeyCredentialDescriptor],
        options: Option<cbor::AuthenticatorOptions>,
    ) -> FidoResult<FidoCredential> {
-        self.make_credential_full(
+        let mut request = request.clone();
-            rp,
+        request.rk = true;
-            user,
+        request.extension_data.insert(
-            client_data_hash,
+            <Self as HmacExtension>::extension_name(),
-            exclude_list,
+            <Self as HmacExtension>::extension_input(),
-            &[(
+        );
-                <Self as HmacExtension>::extension_name(),
+        self.make_credential(&request)
                <Self as HmacExtension>::extension_input(),
            )],
            options,
        )
    }
-    fn get_hmac_assertion(
+    fn get_hmac_assertion<'a: 'b, 'b>(
        &mut self,
-        credential: &FidoHmacCredential,
+        request: &FidoAssertionRequest<'a, 'b>,
        salt: &[u8; 32],
        salt2: Option<&[u8; 32]>,
-        options: Option<AuthenticatorOptions>,
+    ) -> FidoResult<(&'a FidoCredential, ([u8; 32], Option<[u8; 32]>))> {
    ) -> FidoResult<([u8; 32], Option<[u8; 32]>)> {
        let client_data_hash = [0u8; 32];
        while self.shared_secret.is_none() {
            self.init_shared_secret()?;
        }
        if self.needs_pin && self.pin_token.is_none() {
            Err(FidoErrorKind::PinRequired)?
        }
        if client_data_hash.len() != 32 {
            Err(FidoErrorKind::CborEncode)?
        }
        let pin_auth = self
            .pin_token
            .as_ref()
            .map(|token| token.auth(&client_data_hash));
        let ext_data: Value = self.get_data(salt, salt2)?;
-        let allow_list = [cbor::PublicKeyCredentialDescriptor {
+        let mut request = request.clone();
-            cred_type: String::from("public-key"),
+        request
-            id: credential.id.clone(),
+            .extension_data
-        }];
+            .insert(<Self as HmacExtension>::extension_name(), &ext_data);
-        let request = cbor::GetAssertionRequest {
+
-            rp_id: &credential.rp_id,
+        let (cred, auth_data) = self.get_assertion(&request)?;
            client_data_hash: &client_data_hash,
            allow_list: &allow_list,
            extensions: &[(<Self as HmacExtension>::extension_name(), &ext_data)],
            options: options,
            pin_auth,
            pin_protocol: pin_auth.and(Some(0x01)),
        };
        let response = match self.cbor(cbor::Request::GetAssertion(request))? {
            cbor::Response::GetAssertion(resp) => resp,
            _ => Err(FidoErrorKind::CborDecode)?,
        };
        let shared_secret = self.shared_secret.as_ref().unwrap();
        let mut decryptor = shared_secret.decryptor();
        let mut hmac_secret_combined = [0u8; 64];
        let _output = RefWriteBuffer::new(&mut hmac_secret_combined);
-        let hmac_secret_enc = match response
+        let hmac_secret_enc = match auth_data
            .auth_data
            .extensions
            .get(<Self as HmacExtension>::extension_name())
            .ok_or(FidoErrorKind::CborDecode)?
@ -270,6 +199,11 @@ impl HmacExtension for FidoDevice {
        let mut hmac_secret_1 = [0u8; 32];
        hmac_secret_0.copy_from_slice(&hmac_secret[0..32]);
        hmac_secret_1.copy_from_slice(&hmac_secret[32..]);
-        Ok((hmac_secret_0, salt2.map(|_| hmac_secret_1)))
+        let cred = request
            .credentials
            .into_iter()
            .find(|c| c.id == cred.id)
            .unwrap();
        Ok((cred, (hmac_secret_0, salt2.and(Some(hmac_secret_1)))))
    }
 }
--- a/src/lib.rs
+++ b/src/lib.rs
@ -9,29 +9,31 @@
 //! # Example
 //!
 //! ```
-//! # fn do_fido() -> ctap::FidoResult<()> {
+//! # use ctap_hmac::*;
-//! let mut devices = ctap::get_devices()?;
+//! # fn do_fido() -> FidoResult<()> {
 //! let device_info = &devices.next().unwrap();
 //! let mut device = ctap::FidoDevice::new(device_info)?;
 //!
-//! // This can be omitted if the FIDO device is not configured with a PIN.
+//!use ctap_hmac::*;
-//! let pin = "test";
+//!let device_info = get_devices()?.next().expect("no device connected");
-//! device.unlock(pin)?;
+//!let mut device = FidoDevice::new(&device_info)?;
 //!
-//! // In a real application these values would come from the requesting app.
+//!// This can be omitted if the FIDO device is not configured with a PIN.
-//! let rp_id = "rp_id";
+//!let pin = "test";
-//! let user_id = [0];
+//!device.unlock(pin)?;
-//! let user_name = "user_name";
+//!
-//! let client_data_hash = [0; 32];
+//!// In a real application these values would come from the requesting app.
-//! let cred = device.make_credential(
+//!let cred_request = FidoCredentialRequestBuilder::default()
-//!     rp_id,
+//!     .rp_id("rp_id")
-//!     &user_id,
+//!     .user_name("user_name")
-//!     user_name,
+//!     .build().unwrap();
-//!     &client_data_hash
+//!let cred = device.make_credential(&cred_request)?;
-//! )?;
+//!let cred = &&cred;
 //!let assertion_request = FidoAssertionRequestBuilder::default()
 //!     .rp_id("rp_id")
 //!     .credential(cred)
 //!     .build().unwrap();
 //!// In a real application the credential would be stored and used later.
 //!let result = device.get_assertion(&assertion_request);
 //!
 //! // In a real application the credential would be stored and used later.
 //! let result = device.get_assertion(&cred, &client_data_hash);
 //! # Ok(())
 //! # }
@ -43,6 +45,8 @@ extern crate rand;
 extern crate failure_derive;
 #[macro_use]
 extern crate num_derive;
 #[macro_use]
 extern crate derive_builder;
 extern crate byteorder;
 extern crate cbor as cbor_codec;
 extern crate crypto as rust_crypto;
@ -57,6 +61,7 @@ pub mod extensions;
 mod hid_common;
 mod hid_linux;
 mod packet;
 mod util;
 use std::cmp;
 use std::fs;
@ -64,16 +69,16 @@ use std::io::{Cursor, Write};
 use std::u16;
 use std::u8;
-pub use self::cbor::{
+use self::cbor::{AuthenticatorOptions, PublicKeyCredentialDescriptor};
    AuthenticatorOptions, PublicKeyCredentialDescriptor, PublicKeyCredentialRpEntity,
    PublicKeyCredentialUserEntity,
 };
 pub use self::error::*;
 use self::hid_linux as hid;
 use self::packet::CtapCommand;
 pub use self::util::*;
 use crate::cbor::{AuthenticatorData, GetAssertionRequest};
 use failure::{Fail, ResultExt};
 use num_traits::FromPrimitive;
 use rand::prelude::*;
 use std::collections::BTreeMap;
 static BROADCAST_CID: [u8; 4] = [0xff, 0xff, 0xff, 0xff];
@ -86,16 +91,13 @@ pub fn get_devices() -> FidoResult<impl Iterator<Item = hid::DeviceInfo>> {
 }
 /// A credential created by a FIDO2 authenticator.
-#[derive(Debug)]
+#[derive(Debug, Clone)]
 pub struct FidoCredential {
    /// The ID provided by the authenticator.
    pub id: Vec<u8>,
    /// The public key provided by the authenticator, in uncompressed form.
-    pub public_key: Vec<u8>,
+    pub public_key: Option<Vec<u8>>,
    /// The Relying Party ID provided by the platform when this key was generated.
    pub rp_id: String,
 }
 /// An opened FIDO authenticator.
 pub struct FidoDevice {
    device: fs::File,
@ -107,6 +109,145 @@ pub struct FidoDevice {
    aaguid: [u8; 16],
 }
 pub struct FidoCancelHandle {
    device: fs::File,
    packet_size: u16,
    channel_id: [u8; 4],
 }
 impl FidoCancelHandle {
    pub fn cancel(&mut self) -> FidoResult<()> {
        let payload = &[1u8];
        let to_send = payload.len() as u16;
        let max_payload = (self.packet_size - 7) as usize;
        let (frame, payload) = payload.split_at(cmp::min(payload.len(), max_payload));
        packet::write_init_packet(
            &mut self.device,
            64,
            &self.channel_id,
            &CtapCommand::Cancel,
            to_send,
            frame,
        )?;
        if payload.is_empty() {
            return Ok(());
        }
        let max_payload = (self.packet_size - 5) as usize;
        for (seq, frame) in (0..u8::MAX).zip(payload.chunks(max_payload)) {
            packet::write_cont_packet(&mut self.device, 64, &self.channel_id, seq, frame)?;
        }
        self.device.flush().context(FidoErrorKind::WritePacket)?;
        Ok(())
    }
    pub fn cancel_after<T>(&mut self, body: impl Fn(()) -> T) -> FidoResult<T> {
        let res = body(());
        match self.cancel() {
            Ok(_) => Ok(res),
            Err(e) => Err(e),
        }
    }
 }
 /// Request a new credential from the authenticator. The `rp_id` should be
 /// a stable string used to identify the party for whom the credential is
 /// created, for convenience it will be returned with the credential.
 /// `user_id` and `user_name` are not required when requesting attestations
 /// but they MAY be displayed to the user and MAY be stored on the device
 /// to be returned with an attestation if the device supports this.
 /// `client_data_hash` SHOULD be a SHA256 hash of provided `client_data`,
 /// this is only used to verify the attestation provided by the
 /// authenticator. When not implementing WebAuthN this can be any random
 /// 32-byte array.
 ///
 /// This method will fail if a PIN is required but the device is not
 /// unlocked or if the device returns malformed data.
 #[derive(Clone, Debug, Builder)]
 #[builder(setter(into))]
 #[builder(pattern = "owned")]
 pub struct FidoCredentialRequest<'a> {
    /// create resident key
    #[builder(default)]
    rk: bool,
    /// user verification
    #[builder(default)]
    uv: bool,
    /// relying party id
    rp_id: &'a str,
    /// relying party id
    #[builder(default)]
    rp_name: Option<&'a str>,
    /// relying party icon url
    #[builder(default)]
    rp_icon_url: Option<&'a str>,
    /// user id
    #[builder(default = "&[0u8]")]
    user_id: &'a [u8],
    /// user name
    #[builder(default)]
    user_name: Option<&'a str>,
    /// user icon url
    #[builder(default)]
    user_icon_url: Option<&'a str>,
    /// user display name
    #[builder(default)]
    user_display_name: Option<&'a str>,
    #[builder(default = "&[]")]
    exclude_list: &'a [&'a FidoCredential],
    #[builder(default = "&[0u8; 32]")]
    client_data_hash: &'a [u8],
    #[builder(default)]
    extension_data: BTreeMap<&'a str, &'a cbor_codec::value::Value>,
 }
 impl<'a> FidoCredentialRequest<'a> {
    pub fn make_credential(&self, device: &mut FidoDevice) -> FidoResult<FidoCredential> {
        device.make_credential(&self)
    }
 }
 /// Request an assertion from the authenticator for a given credential.
 /// `client_data_hash` SHOULD be a SHA256 hash of provided `client_data`,
 /// this is signed and verified as part of the attestation. When not
 /// implementing WebAuthN this can be any random 32-byte array.
 ///
 /// This method will return whether the assertion matches the credential
 /// provided, and will fail if a PIN is required but not provided or if the
 /// device returns malformed data.
 #[derive(Clone, Debug, Builder)]
 #[builder(setter(into))]
 #[builder(pattern = "owned")]
 pub struct FidoAssertionRequest<'a, 'b> {
    #[builder(default)]
    up: bool,
    #[builder(default)]
    rk: bool,
    #[builder(default)]
    uv: bool,
    /// The Relying Party ID provided by the platform when this key was generated.
    rp_id: &'a str,
    credentials: &'a [&'a FidoCredential],
    #[builder(default = "&[]")]
    exclude_list: &'a [&'a FidoCredential],
    #[builder(default = "&[0u8; 32]")]
    client_data_hash: &'a [u8],
    #[builder(default)]
    extension_data: BTreeMap<&'b str, &'b cbor_codec::value::Value>,
 }
 impl<'a, 'b> FidoAssertionRequest<'a, 'b> {
    pub fn get_assertion(&self, device: &mut FidoDevice) -> FidoResult<&'a FidoCredential> {
        device.get_assertion(self).map(|res| res.0)
    }
 }
 impl<'a, 'b> FidoAssertionRequestBuilder<'a, 'b> {
    pub fn credential(mut self, credential: &'a &'a FidoCredential) -> Self {
        self.credentials = Some(std::slice::from_ref(credential));
        self
    }
 }
 impl FidoDevice {
    /// Open and initialize a given device. DeviceInfo is provided by the `get_devices`
    /// function. This method will allocate a channel for this application, verify that
@ -216,88 +357,72 @@ impl FidoDevice {
        }
    }
-    /// Request a new credential from the authenticator. The `rp_id` should be
+    pub fn cancel_handle(&mut self) -> FidoResult<FidoCancelHandle> {
-    /// a stable string used to identify the party for whom the credential is
+        Ok(self
-    /// created, for convenience it will be returned with the credential.
+            .device
-    /// `user_id` and `user_name` are not required when requesting attestations
+            .try_clone()
-    /// but they MAY be displayed to the user and MAY be stored on the device
+            .map(|device| FidoCancelHandle {
-    /// to be returned with an attestation if the device supports this.
+                device,
-    /// `client_data_hash` SHOULD be a SHA256 hash of provided `client_data`,
+                packet_size: self.packet_size,
-    /// this is only used to verify the attestation provided by the
+                channel_id: self.channel_id,
-    /// authenticator. When not implementing WebAuthN this can be any random
+            })
-    /// 32-byte array.
+            .context(FidoErrorKind::Io)?)
-    ///
+    }
-    /// This method will fail if a PIN is required but the device is not
+
    /// unlocked or if the device returns malformed data.
    pub fn make_credential(
        &mut self,
-        rp_id: &str,
+        request: &FidoCredentialRequest<'_>,
        user_id: &[u8],
        user_name: &str,
        client_data_hash: &[u8],
    ) -> FidoResult<FidoCredential> {
        //TODO: implement all options: https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorMakeCredential
        let rp = cbor::PublicKeyCredentialRpEntity {
-            id: rp_id,
+            id: request.rp_id,
-            name: None,
+            name: request.rp_name,
-            icon: None,
+            icon: request.rp_icon_url,
        };
        let user = cbor::PublicKeyCredentialUserEntity {
-            id: user_id,
+            id: request.user_id,
-            name: user_name,
+            name: request.user_name.unwrap_or(""),
-            icon: None,
+            icon: request.user_icon_url,
-            display_name: None,
+            display_name: request.user_display_name,
        };
        let options = Some(AuthenticatorOptions {
-            uv: true,
+            up: false,
-            rk: false,
+            uv: request.uv,
            rk: request.rk,
        });
        self.make_credential_full(rp, user, client_data_hash, &[], &[], options)
    }
    /// Request a new credential from the authenticator. The `rp_id` should be
    /// a stable string used to identify the party for whom the credential is
    /// created, for convenience it will be returned with the credential.
    /// `user_id` and `user_name` are not required when requesting attestations
    /// but they MAY be displayed to the user and MAY be stored on the device
    /// to be returned with an attestation if the device supports this.
    /// `client_data_hash` SHOULD be a SHA256 hash of provided `client_data`,
    /// this is only used to verify the attestation provided by the
    /// authenticator. When not implementing WebAuthN this can be any random
    /// 32-byte array.
    ///
    /// This method will fail if a PIN is required but the device is not
    /// unlocked or if the device returns malformed data.
    pub fn make_credential_full(
        &mut self,
        rp: cbor::PublicKeyCredentialRpEntity,
        user: cbor::PublicKeyCredentialUserEntity,
        client_data_hash: &[u8],
        exclude_list: &[cbor::PublicKeyCredentialDescriptor],
        extensions: &[(&str, &cbor_codec::value::Value)],
        options: Option<cbor::AuthenticatorOptions>,
    ) -> FidoResult<FidoCredential> {
        if self.needs_pin && self.pin_token.is_none() {
            Err(FidoErrorKind::PinRequired)?
        }
-        if client_data_hash.len() != 32 {
+        if request.client_data_hash.len() != 32 {
            Err(FidoErrorKind::CborEncode)?
        }
        while self.shared_secret.is_none() {
            self.init_shared_secret()?;
        }
        let pub_key_cred_params = [("public-key", -7)];
        let pin_auth = self
            .pin_token
            .as_ref()
-            .map(|token| token.auth(&client_data_hash));
+            .map(|token| token.auth(&request.client_data_hash));
        let rp_id = rp.id.to_owned();
        let request = cbor::MakeCredentialRequest {
-            client_data_hash,
+            client_data_hash: request.client_data_hash,
            rp,
            user,
            pub_key_cred_params: &pub_key_cred_params,
-            exclude_list: exclude_list,
+            exclude_list: &request
-            extensions: extensions,
+                .exclude_list
-            options: options,
+                .iter()
                .map(|cred| PublicKeyCredentialDescriptor {
                    cred_type: "public-key".into(),
                    id: cred.id.clone(),
                })
                .collect::<Vec<_>>()[..],
            extensions: &request
                .extension_data
                .iter()
                .map(|(name, data)| (*name, *data))
                .collect::<Vec<_>>()[..],
            options,
            pin_auth,
            pin_protocol: pin_auth.and(Some(0x01)),
        };
@ -315,85 +440,103 @@ impl FidoDevice {
        .bytes();
        Ok(FidoCredential {
            id: response.auth_data.attested_credential_data.credential_id,
-            rp_id: rp_id,
+            public_key: Some(Vec::from(&public_key[..])),
            public_key: Vec::from(&public_key[..]),
        })
    }
-    /// Request an assertion from the authenticator for a given credential.
+    /// Request a new credential from the authenticator. The `rp_id` should be
    /// a stable string used to identify the party for whom the credential is
    /// created, for convenience it will be returned with the credential.
    /// `user_id` and `user_name` are not required when requesting attestations
    /// but they MAY be displayed to the user and MAY be stored on the device
    /// to be returned with an attestation if the device supports this.
    /// `client_data_hash` SHOULD be a SHA256 hash of provided `client_data`,
-    /// this is signed and verified as part of the attestation. When not
+    /// this is only used to verify the attestation provided by the
-    /// implementing WebAuthN this can be any random 32-byte array.
+    /// authenticator. When not implementing WebAuthN this can be any random
    /// 32-byte array.
    ///
-    /// This method will return whether the assertion matches the credential
+    /// This method will fail if a PIN is required but the device is not
-    /// provided, and will fail if a PIN is required but not provided or if the
+    /// unlocked or if the device returns malformed data.
    /// device returns malformed data.
    pub fn get_assertion(
        &mut self,
        credential: &FidoCredential,
        client_data_hash: &[u8],
    ) -> FidoResult<bool> {
        self.get_assertion_multiple(&[credential], client_data_hash)
    }
-    pub fn get_assertion_multiple(
+    pub fn get_assertion<'a, 'b>(
        &mut self,
-        credentials: &[&FidoCredential],
+        assertion: &FidoAssertionRequest<'a, 'b>,
-        client_data_hash: &[u8],
+    ) -> FidoResult<(&'a FidoCredential, AuthenticatorData)> {
-    ) -> FidoResult<bool> {
+        while self.shared_secret.is_none() {
            self.init_shared_secret()?;
        }
        if self.needs_pin && self.pin_token.is_none() {
            Err(FidoErrorKind::PinRequired)?
        }
-        if client_data_hash.len() != 32 {
+        if assertion.client_data_hash.len() != 32 {
            Err(FidoErrorKind::CborEncode)?
        }
        let pin_auth = self
            .pin_token
            .as_ref()
-            .map(|token| token.auth(&client_data_hash));
+            .map(|token| token.auth(&assertion.client_data_hash));
-        let allow_list = credentials
+        let request = GetAssertionRequest {
-            .iter()
+            rp_id: assertion.rp_id,
-            .map(|cred| cbor::PublicKeyCredentialDescriptor {
+            client_data_hash: assertion.client_data_hash,
-                cred_type: String::from("public-key"),
+            allow_list: &assertion
-                id: cred.id.clone(),
+                .credentials
-            })
+                .iter()
-            .collect::<Vec<_>>();
+                .map(|cred| PublicKeyCredentialDescriptor {
-        let request = cbor::GetAssertionRequest {
+                    cred_type: "public-key".into(),
-            rp_id: &credentials[0].rp_id,
+                    id: cred.id.clone(),
-            client_data_hash: client_data_hash,
+                })
-            allow_list: &allow_list,
+                .collect::<Vec<_>>()[..],
-            extensions: Default::default(),
+            extensions: &assertion
-            options: Some(cbor::AuthenticatorOptions {
+                .extension_data
-                rk: false,
+                .iter()
-                uv: true,
+                .map(|(name, data)| (*name, *data))
                .collect::<Vec<_>>()[..],
            options: Some(AuthenticatorOptions {
                rk: assertion.rk,
                uv: assertion.uv,
                up: assertion.up,
            }),
-            pin_auth,
+            pin_auth: pin_auth,
            pin_protocol: pin_auth.and(Some(0x01)),
        };
        let response = match self.cbor(cbor::Request::GetAssertion(request))? {
            cbor::Response::GetAssertion(resp) => resp,
            _ => Err(FidoErrorKind::CborDecode)?,
        };
-        Ok(credentials
+        let credential = assertion
            .credentials
            .iter()
-            .filter(|cred| {
+            .flat_map(|cred| {
                response
                    .credential
                    .as_ref()
-                    .map(|cred2| cred2.id == cred.id)
+                    .filter(|rcred| rcred.id == cred.id)
                    .map(|_| *cred)
            })
            .next();
        credential
            .and_then(|cred| {
                if cred
                    .public_key
                    .as_ref()
                    .map(|public_key| {
                        crypto::verify_signature(
                            &public_key,
                            &assertion.client_data_hash,
                            &response.auth_data_bytes,
                            &response.signature,
                        )
                    })
                    .unwrap_or(true)
                {
                    Some(cred)
                } else {
                    None
                }
            })
-            .map(|cred| {
+            .ok_or(FidoError::from(FidoErrorKind::VerifySignature))
-                crypto::verify_signature(
+            .map(|cred| (cred, response.auth_data))
                    &cred.public_key,
                    &client_data_hash,
                    &response.auth_data_bytes,
                    &response.signature,
                )
            })
            .filter(|pass| *pass)
            .next()
            .unwrap_or(false))
    }
    fn cbor(&mut self, request: cbor::Request) -> FidoResult<cbor::Response> {
--- a/src/util.rs
+++ b/src/util.rs
@ -0,0 +1,67 @@
 #[cfg(feature = "request_multiple")]
 use crate::{
    cbor::AuthenticatorData, FidoAssertionRequest, FidoCredential, FidoCredentialRequest,
    FidoDevice, FidoErrorKind, FidoResult,
 };
 #[cfg(feature = "request_multiple")]
 use crossbeam::thread;
 #[cfg(feature = "request_multiple")]
 use std::sync::mpsc::channel;
 #[cfg(feature = "request_multiple")]
 pub fn request_multiple_devices<
    'a,
    T: Send + 'a,
    F: Fn(&mut FidoDevice) -> FidoResult<T> + 'a + Sync,
 >(
    devices: impl Iterator<Item = (&'a mut FidoDevice, &'a F)>,
 ) -> FidoResult<T> {
    thread::scope(|scope| -> FidoResult<T> {
        let (tx, rx) = channel();
        let handles = devices
            .map(|(device, fn_)| {
                let cancel = device.cancel_handle()?;
                let tx = tx.clone();
                let thread_handle = scope.spawn(move |_| tx.send(fn_(device)));
                Ok((cancel, thread_handle))
            })
            .collect::<FidoResult<Vec<_>>>()?;
        let mut err = None;
        for res in rx.iter().take(handles.len()) {
            match res {
                Ok(_) => {
                    for (mut cancel, join) in handles {
                        // Canceling out of courtesy don't care if it fails
                        let _ = cancel.cancel();
                        let _ = join.join();
                    }
                    return res;
                }
                e => err = Some(e),
            }
        }
        err.unwrap_or(Err(FidoErrorKind::DeviceUnsupported.into()))
    })
    .unwrap()
 }
 /// Will send the `assertion_request` to all supplied `devices` and return either the first successful assertion or the last error
 #[cfg(feature = "request_multiple")]
 pub fn get_assertion_devices<'a>(
    assertion_request: &'a FidoAssertionRequest,
    devices: impl Iterator<Item = &'a mut FidoDevice>,
 ) -> FidoResult<(&'a FidoCredential, AuthenticatorData)> {
    let get_assertion = |device: &mut FidoDevice| device.get_assertion(assertion_request);
    request_multiple_devices(devices.map(|device| (device, &get_assertion)))
 }
 /// Will send the `credential_request` to all supplied `devices` and return either the first credential or the last error
 #[cfg(feature = "request_multiple")]
 pub fn make_credential_devices<'a>(
    credential_request: &'a FidoCredentialRequest,
    devices: impl Iterator<Item = &'a mut FidoDevice>,
 ) -> FidoResult<FidoCredential> {
    let make_credential = |device: &mut FidoDevice| device.make_credential(credential_request);
    request_multiple_devices(devices.map(|device| (device, &make_credential)))
 }
Author	SHA1	Message	Date
shimun	65ef574031	handle surplus options	2020-04-01 19:49:49 +02:00
shimun	9440271d90	fix warnings	2020-04-01 19:20:48 +02:00
shimun	822cebd6ff	fix api leaking private type	2020-04-01 19:20:20 +02:00
shimun	4e14d265b8	implement make_credential_devices & rename feature	2020-04-01 17:58:53 +02:00
shimun	1202fed98d	generic request_multiple_devices	2020-04-01 17:48:03 +02:00
shimun	501b28e0d9	added feature assert_devices	2020-03-31 21:10:33 +02:00
shimun	d4c9dd913f	use builder pattern to expose all possible options	2020-03-30 22:59:37 +02:00