update ctap-hid

2022-04-10 17:15:50 +02:00
parent 7daa5a3fdb
commit 581e1780d1
3 changed files with 49 additions and 37 deletions
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -181,7 +181,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
            } else {
                None
            };
-            let cred = make_credential_id(Some(name.as_ref()), pin)?;
+            let cred = make_credential_id(Some(name.as_ref()), pin, &[])?;
            println!("{}", hex::encode(&cred.id));
            Ok(())
        }
@@ -332,7 +332,14 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                    generate_credential,
                    ..
                } => {
-                    let (existing_secret, _) = other_secret("Current password", false)?;
+                    let (existing_secret, existing_credential) =
+                        other_secret("Current password", false)?;
+                    let excluded_credential = existing_credential.as_ref();
+                    let exclude_list = excluded_credential
+                        .as_ref()
+                        .map(core::slice::from_ref)
+                        .unwrap_or_default();
+                    existing_credential.iter().for_each(|cred| log(&|| format!("using credential to unlock container: {}", hex::encode(&cred.id))));
                    let (new_secret, cred) = if *generate_credential && luks2 {
                        let cred = make_credential_id(
                            Some(derive_credential_name(luks.device.as_path()).as_str()),
@@ -343,6 +350,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                                None
                            })
                            .as_deref(),
+                            dbg!(exclude_list),
                        )?;
                        log(&|| {
                            format!(
--- a/src/device.rs
+++ b/src/device.rs
@@ -2,6 +2,7 @@ use crate::error::*;

 use crate::util;
 use ctap_hid_fido2;
+use ctap_hid_fido2::FidoKeyHidFactory;
 use ctap_hid_fido2::fidokey::get_assertion::get_assertion_params;
 use ctap_hid_fido2::fidokey::make_credential::make_credential_params;
 use ctap_hid_fido2::fidokey::GetAssertionArgsBuilder;
@@ -9,7 +10,6 @@ use ctap_hid_fido2::fidokey::MakeCredentialArgsBuilder;
 use ctap_hid_fido2::get_fidokey_devices;
 use ctap_hid_fido2::public_key_credential_descriptor::PublicKeyCredentialDescriptor;
 use ctap_hid_fido2::public_key_credential_user_entity::PublicKeyCredentialUserEntity;
-use ctap_hid_fido2::FidoKeyHid;
 use ctap_hid_fido2::HidInfo;
 use ctap_hid_fido2::LibCfg;
 use std::time::Duration;
@@ -26,6 +26,7 @@ fn lib_cfg() -> LibCfg {
 pub fn make_credential_id(
    name: Option<&str>,
    pin: Option<&str>,
+    exclude: &[&PublicKeyCredentialDescriptor],
 ) -> Fido2LuksResult<PublicKeyCredentialDescriptor> {
    let mut req = MakeCredentialArgsBuilder::new(RP_ID, &[])
        .extensions(&[make_credential_params::Extension::HmacSecret(Some(true))]);
@@ -34,6 +35,9 @@ pub fn make_credential_id(
    } else {
        req = req.without_pin_and_uv();
    }
+    for cred in exclude {
+        req = req.exclude_authenticator(cred.id.as_ref());
+    }
    if let Some(_) = name {
        req = req.rkparam(&PublicKeyCredentialUserEntity::new(
            Some(b"00"),
@@ -45,7 +49,7 @@ pub fn make_credential_id(
    let mut err: Option<Fido2LuksError> = None;
    let req = req.build();
    for dev in devices {
-        let handle = FidoKeyHid::new(&vec![dev.param], &lib_cfg()).unwrap();
+        let handle = FidoKeyHidFactory::create_by_params(&vec![dev.param], &lib_cfg()).unwrap();
        match handle.make_credential_with_args(&req) {
            Ok(resp) => return Ok(resp.credential_descriptor),
            Err(e) => err = Some(e.into()),
@@ -100,7 +104,7 @@ pub fn perform_challenge<'a>(
    let mut err: Option<Fido2LuksError> = None;
    let req = req.build();
    for dev in devices {
-        let handle = FidoKeyHid::new(&vec![dev.param], &lib_cfg()).unwrap();
+        let handle = FidoKeyHidFactory::create_by_params(&vec![dev.param], &lib_cfg()).unwrap();
        match handle.get_assertion_with_args(&req) {
            Ok(resp) => return process_response(resp),
            Err(e) => err = Some(e.into()),
@@ -111,8 +115,8 @@ pub fn perform_challenge<'a>(

 pub fn may_require_pin() -> Fido2LuksResult<bool> {
    for dev in get_devices()? {
-        let dev = FidoKeyHid::new(&vec![dev.param], &lib_cfg()).unwrap();
-        let info = dev.get_info()?;
+        let handle = FidoKeyHidFactory::create_by_params(&vec![dev.param], &lib_cfg()).unwrap();
+        let info = handle.get_info()?;
        let needs_pin = info
            .options
            .iter()