shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

Merge remote-tracking branch 'gt/ctap-hid-fido2' into 0.3.0-alpha

Browse Source
This commit is contained in:
shimun 2024-03-03 19:41:19 +01:00
commit acd4021e03
Signed by: shimun
GPG Key ID: E0420647856EA39E
10 changed files with 789 additions and 687 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1145
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

11
Cargo.toml
View File

@ -1,6 +1,6 @@
[package] [package]
name = "fido2luks" name = "fido2luks"
version = "0.3.0-alpha" version = "0.3.1-alpha"
authors = ["shimunn <shimun@shimun.net>"] authors = ["shimunn <shimun@shimun.net>"]
edition = "2018" edition = "2018"
@ -14,9 +14,8 @@ categories = ["command-line-utilities"]
license = "MPL-2.0" license = "MPL-2.0"
[dependencies] [dependencies]
ctap_hmac = { version="0.4.5", features = ["request_multiple"] }
hex = "0.3.2" hex = "0.3.2"
ring = "0.13.5" ring = "0.16.5"
failure = "0.1.5" failure = "0.1.5"
rpassword = "4.0.1" rpassword = "4.0.1"
structopt = "0.3.2" structopt = "0.3.2"
@ -24,15 +23,17 @@ libcryptsetup-rs = "0.9.1"
serde_json = "1.0.51" serde_json = "1.0.51"
serde_derive = "1.0.116" serde_derive = "1.0.116"
serde = "1.0.116" serde = "1.0.116"
anyhow = "1.0.56"
ctap-hid-fido2 = "3.4.1"
[build-dependencies] [build-dependencies]
ctap_hmac = { version="0.4.5", features = ["request_multiple"] }
hex = "0.3.2" hex = "0.3.2"
ring = "0.13.5" ring = "0.16.5"
failure = "0.1.5" failure = "0.1.5"
rpassword = "4.0.1" rpassword = "4.0.1"
libcryptsetup-rs = "0.9.1" libcryptsetup-rs = "0.9.1"
structopt = "0.3.2" structopt = "0.3.2"
anyhow = "1.0.56"
[profile.release] [profile.release]
lto = true lto = true

8
build.rs
View File

@ -1,7 +1,6 @@
#![allow(warnings)] #![allow(warnings)]
#[macro_use] #[macro_use]
extern crate failure; extern crate failure;
extern crate ctap_hmac as ctap;
#[path = "src/cli_args/mod.rs"] #[path = "src/cli_args/mod.rs"]
mod cli_args; mod cli_args;
@ -12,17 +11,22 @@ mod util;
use cli_args::Args; use cli_args::Args;
use std::env; use std::env;
use std::fs;
use std::path::PathBuf;
use std::str::FromStr; use std::str::FromStr;
use structopt::clap::Shell; use structopt::clap::Shell;
use structopt::StructOpt; use structopt::StructOpt;
fn main() { fn main() {
let env_outdir = env::var_os("OUT_DIR").unwrap();
let outdir = PathBuf::from(PathBuf::from(env_outdir).ancestors().nth(3).unwrap());
fs::create_dir_all(&outdir).unwrap();
// generate completion scripts, zsh does panic for some reason // generate completion scripts, zsh does panic for some reason
for shell in Shell::variants().iter().filter(|shell| **shell != "zsh") { for shell in Shell::variants().iter().filter(|shell| **shell != "zsh") {
Args::clap().gen_completions( Args::clap().gen_completions(
env!("CARGO_PKG_NAME"), env!("CARGO_PKG_NAME"),
Shell::from_str(shell).unwrap(), Shell::from_str(shell).unwrap(),
env!("CARGO_MANIFEST_DIR"), &outdir,
); );
} }
} }

2
flake.nix
View File

@ -16,7 +16,7 @@
forPkgs = pkgs: forPkgs = pkgs:
let let
naersk-lib = naersk.lib."${pkgs.system}"; naersk-lib = naersk.lib."${pkgs.system}";
buildInputs = with pkgs; [ cryptsetup cryptsetup.dev ]; buildInputs = with pkgs; [ cryptsetup cryptsetup.dev udev.dev ];
nativeBuildInputs = with pkgs; [ nativeBuildInputs = with pkgs; [
rustPlatform.bindgenHook rustPlatform.bindgenHook
pkg-config pkg-config

97
src/cli.rs
View File

@ -4,14 +4,13 @@ use crate::util::sha256;
use crate::*; use crate::*;
pub use cli_args::Args; pub use cli_args::Args;
use cli_args::*; use cli_args::*;
use ctap::{FidoCredential, FidoErrorKind}; use ctap_hid_fido2::public_key_credential_descriptor::PublicKeyCredentialDescriptor;
use std::borrow::Cow; use std::borrow::Cow;
use std::collections::HashSet; use std::collections::HashSet;
use std::io::Write; use std::io::Write;
use std::iter::FromIterator; use std::iter::FromIterator;
use std::path::Path; use std::path::Path;
use std::str::FromStr; use std::str::FromStr;
use std::thread;
use std::time::Duration; use std::time::Duration;
use std::time::SystemTime; use std::time::SystemTime;
use structopt::clap::Shell; use structopt::clap::Shell;
@ -26,31 +25,31 @@ fn derive_secret(
salt: &[u8; 32], salt: &[u8; 32],
timeout: u64, timeout: u64,
pin: Option<&str>, pin: Option<&str>,
) -> Fido2LuksResult<([u8; 32], FidoCredential)> { ) -> Fido2LuksResult<([u8; 32], PublicKeyCredentialDescriptor)> {
if credentials.is_empty() { if credentials.is_empty() {
return Err(Fido2LuksError::InsufficientCredentials); return Err(Fido2LuksError::InsufficientCredentials);
} }
let timeout = Duration::from_secs(timeout); let timeout = Duration::from_secs(timeout);
let start = SystemTime::now(); let start = SystemTime::now();
while let Ok(el) = start.elapsed() { //while let Ok(el) = start.elapsed() {
if el > timeout { // if el > timeout {
return Err(error::Fido2LuksError::NoAuthenticatorError); // return Err(error::Fido2LuksError::NoAuthenticatorError);
} // }
if get_devices() // if get_devices()
.map(|devices| !devices.is_empty()) // .map(|devices| !devices.is_empty())
.unwrap_or(false) // .unwrap_or(false)
{ // {
break; // break;
} // }
thread::sleep(Duration::from_millis(500)); // thread::sleep(Duration::from_millis(500));
} //}
let credentials = credentials let credentials = credentials
.iter() .iter()
.map(|hex| FidoCredential { .map(|hex| PublicKeyCredentialDescriptor {
id: hex.0.clone(), id: hex.0.clone(),
public_key: None, ctype: Default::default(),
}) })
.collect::<Vec<_>>(); .collect::<Vec<_>>();
let credentials = credentials.iter().collect::<Vec<_>>(); let credentials = credentials.iter().collect::<Vec<_>>();
@ -182,7 +181,8 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} else { } else {
None None
}; };
let cred = make_credential_id(Some(name.as_ref()), pin)?; let cred =
make_credential_id(Some(name.as_str()).filter(|name| name.len() > 0), pin, &[])?;
println!("{}", hex::encode(&cred.id)); println!("{}", hex::encode(&cred.id));
Ok(()) Ok(())
} }
@ -289,7 +289,10 @@ pub fn run_cli() -> Fido2LuksResult<()> {
let other_secret = |salt_q: &str, let other_secret = |salt_q: &str,
verify: bool| verify: bool|
-> Fido2LuksResult<(Vec<u8>, Option<FidoCredential>)> { -> Fido2LuksResult<(
Vec<u8>,
Option<PublicKeyCredentialDescriptor>,
)> {
match other_secret { match other_secret {
OtherSecret { OtherSecret {
keyfile: Some(file), keyfile: Some(file),
@ -314,22 +317,38 @@ pub fn run_cli() -> Fido2LuksResult<()> {
)), )),
} }
}; };
let secret = |q: &str, let secret =
verify: bool, |q: &str,
credentials: &[HexEncoded]| verify: bool,
-> Fido2LuksResult<([u8; 32], FidoCredential)> { credentials: &[HexEncoded]|
let (pin, salt) = inputs(q, verify)?; -> Fido2LuksResult<([u8; 32], PublicKeyCredentialDescriptor)> {
prompt_interaction(interactive); let (pin, salt) = inputs(q, verify)?;
derive_secret(credentials, &salt, authenticator.await_time, pin.as_deref()) prompt_interaction(interactive);
}; derive_secret(credentials, &salt, authenticator.await_time, pin.as_deref())
};
// Non overlap // Non overlap
match &args.command { match &args.command {
Command::AddKey { Command::AddKey {
exclusive, exclusive,
generate_credential, generate_credential,
comment,
.. ..
} => { } => {
let (existing_secret, _) = other_secret("Current password", false)?; let (existing_secret, existing_credential) =
other_secret("Current password", false)?;
let excluded_credential = existing_credential.as_ref();
let exclude_list = excluded_credential
.as_ref()
.map(core::slice::from_ref)
.unwrap_or_default();
existing_credential.iter().for_each(|cred| {
log(&|| {
format!(
"using credential to unlock container: {}",
hex::encode(&cred.id)
)
})
});
let (new_secret, cred) = if *generate_credential && luks2 { let (new_secret, cred) = if *generate_credential && luks2 {
let cred = make_credential_id( let cred = make_credential_id(
Some(derive_credential_name(luks.device.as_path()).as_str()), Some(derive_credential_name(luks.device.as_path()).as_str()),
@ -340,6 +359,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
None None
}) })
.as_deref(), .as_deref(),
dbg!(exclude_list),
)?; )?;
log(&|| { log(&|| {
format!( format!(
@ -361,6 +381,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
Some(&cred.id[..]) Some(&cred.id[..])
.filter(|_| !luks.disable_token || *generate_credential) .filter(|_| !luks.disable_token || *generate_credential)
.filter(|_| luks2), .filter(|_| luks2),
comment.as_deref().map(String::from),
)?; )?;
if *exclusive { if *exclusive {
let destroyed = luks_dev.remove_keyslots(&[added_slot])?; let destroyed = luks_dev.remove_keyslots(&[added_slot])?;
@ -396,6 +417,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
.filter(|_| !luks.disable_token) .filter(|_| !luks.disable_token)
.filter(|_| luks2) .filter(|_| luks2)
.map(|cred| &cred.id[..]), .map(|cred| &cred.id[..]),
None,
) )
} else { } else {
let slot = luks_dev.replace_key( let slot = luks_dev.replace_key(
@ -501,9 +523,8 @@ pub fn run_cli() -> Fido2LuksResult<()> {
Err(e) => { Err(e) => {
match e { match e {
Fido2LuksError::WrongSecret if retries > 0 => {} Fido2LuksError::WrongSecret if retries > 0 => {}
Fido2LuksError::AuthenticatorError { ref cause } //Fido2LuksError::AuthenticatorError { ref cause }
if cause.kind() == FidoErrorKind::Timeout && retries > 0 => {} // if cause.kind() == FidoErrorKind::Timeout && retries > 0 => {}
e => return Err(e), e => return Err(e),
}; };
retries -= 1; retries -= 1;
@ -544,8 +565,13 @@ pub fn run_cli() -> Fido2LuksResult<()> {
continue; continue;
} }
println!( println!(
"{}:\n\tSlots: {}\n\tCredentials: {}", "{}{}:\n\tSlots: {}\n\tCredentials: {}",
id, id,
token
.comment
.as_deref()
.map(|comment| format!(" - {}", comment))
.unwrap_or_default(),
if token.keyslots.is_empty() { if token.keyslots.is_empty() {
"None".into() "None".into()
} else { } else {
@ -571,6 +597,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
TokenCommand::Add { TokenCommand::Add {
device, device,
credentials, credentials,
comment,
slot, slot,
} => { } => {
let mut dev = LuksDevice::load(device)?; let mut dev = LuksDevice::load(device)?;
@ -582,7 +609,11 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} }
} }
let count = if tokens.is_empty() { let count = if tokens.is_empty() {
dev.add_token(&Fido2LuksToken::with_credentials(&credentials.0, *slot))?; dev.add_token(&Fido2LuksToken::with_credentials(
&credentials.0,
*slot,
comment.as_deref().map(String::from),
))?;
1 1
} else { } else {
tokens.len() tokens.len()

8
src/cli_args/mod.rs
View File

@ -189,6 +189,9 @@ pub enum Command {
luks: LuksParameters, luks: LuksParameters,
#[structopt(flatten)] #[structopt(flatten)]
credentials: Credentials, credentials: Credentials,
/// Comment to be associated with this credential
#[structopt(long = "comment")]
comment: Option<String>,
#[structopt(flatten)] #[structopt(flatten)]
authenticator: AuthenticatorParameters, authenticator: AuthenticatorParameters,
#[structopt(flatten)] #[structopt(flatten)]
@ -254,7 +257,7 @@ pub enum Command {
#[structopt(flatten)] #[structopt(flatten)]
authenticator: AuthenticatorParameters, authenticator: AuthenticatorParameters,
/// Name to be displayed on the authenticator display /// Name to be displayed on the authenticator display
#[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME", default_value = "fido2luks")] #[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME", default_value = "")]
name: String, name: String,
}, },
/// Check if an authenticator is connected /// Check if an authenticator is connected
@ -295,6 +298,9 @@ pub enum TokenCommand {
long = "creds" long = "creds"
)] )]
credentials: CommaSeparated<HexEncoded>, credentials: CommaSeparated<HexEncoded>,
/// Comment to be associated with this credential
#[structopt(long = "comment")]
comment: Option<String>,
/// Slot to which the credentials will be added /// Slot to which the credentials will be added
#[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")] #[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
slot: u32, slot: u32,

161
src/device.rs
View File

@ -1,84 +1,133 @@
use crate::error::*; use crate::error::*;
use crate::util; use crate::util;
use ctap::{ use ctap_hid_fido2;
self, extensions::hmac::HmacExtension, request_multiple_devices, FidoAssertionRequestBuilder, use ctap_hid_fido2::fidokey::get_assertion::get_assertion_params;
FidoCredential, FidoCredentialRequestBuilder, FidoDevice, FidoError, FidoErrorKind, use ctap_hid_fido2::fidokey::make_credential::make_credential_params;
}; use ctap_hid_fido2::fidokey::GetAssertionArgsBuilder;
use ctap_hid_fido2::fidokey::MakeCredentialArgsBuilder;
use ctap_hid_fido2::get_fidokey_devices;
use ctap_hid_fido2::public_key_credential_descriptor::PublicKeyCredentialDescriptor;
use ctap_hid_fido2::public_key_credential_user_entity::PublicKeyCredentialUserEntity;
use ctap_hid_fido2::FidoKeyHidFactory;
use ctap_hid_fido2::HidInfo;
use ctap_hid_fido2::LibCfg;
use std::time::Duration; use std::time::Duration;
const RP_ID: &str = "fido2luks"; const RP_ID: &str = "fido2luks";
fn lib_cfg() -> LibCfg {
let mut cfg = LibCfg::init();
cfg.enable_log = false;
cfg.keep_alive_msg = String::new();
cfg
}
pub fn make_credential_id( pub fn make_credential_id(
name: Option<&str>, name: Option<&str>,
pin: Option<&str>, pin: Option<&str>,
) -> Fido2LuksResult<FidoCredential> { exclude: &[&PublicKeyCredentialDescriptor],
let mut request = FidoCredentialRequestBuilder::default().rp_id(RP_ID); ) -> Fido2LuksResult<PublicKeyCredentialDescriptor> {
if let Some(user_name) = name { let mut req = MakeCredentialArgsBuilder::new(RP_ID, &[])
request = request.user_name(user_name); .extensions(&[make_credential_params::Extension::HmacSecret(Some(true))]);
if let Some(pin) = pin {
req = req.pin(pin);
} else {
req = req.without_pin_and_uv();
} }
let request = request.build().unwrap(); for cred in exclude {
let make_credential = |device: &mut FidoDevice| { req = req.exclude_authenticator(cred.id.as_ref());
if let Some(pin) = pin.filter(|_| device.needs_pin()) { }
device.unlock(pin)?; if let Some(_) = name {
req = req.user_entity(&PublicKeyCredentialUserEntity::new(
Some(b"00"),
name.clone(),
name,
));
}
let devices = get_devices()?;
let mut err: Option<Fido2LuksError> = None;
let req = req.build();
for dev in devices {
let handle = FidoKeyHidFactory::create_by_params(&vec![dev.param], &lib_cfg()).unwrap();
match handle.make_credential_with_args(&req) {
Ok(resp) => return Ok(resp.credential_descriptor),
Err(e) => err = Some(e.into()),
} }
device.make_hmac_credential(&request) }
}; Err(err.unwrap_or(Fido2LuksError::NoAuthenticatorError))
Ok(request_multiple_devices(
get_devices()?
.iter_mut()
.map(|device| (device, &make_credential)),
None,
)?)
} }
pub fn perform_challenge<'a>( pub fn perform_challenge<'a>(
credentials: &'a [&'a FidoCredential], credentials: &'a [&'a PublicKeyCredentialDescriptor],
salt: &[u8; 32], salt: &[u8; 32],
timeout: Duration, _timeout: Duration,
pin: Option<&str>, pin: Option<&str>,
) -> Fido2LuksResult<([u8; 32], &'a FidoCredential)> { ) -> Fido2LuksResult<([u8; 32], &'a PublicKeyCredentialDescriptor)> {
let request = FidoAssertionRequestBuilder::default() if credentials.is_empty() {
.rp_id(RP_ID) return Err(Fido2LuksError::InsufficientCredentials);
.credentials(credentials) }
.build() let mut req = GetAssertionArgsBuilder::new(RP_ID, &[]).extensions(&[
.unwrap(); get_assertion_params::Extension::HmacSecret(Some(util::sha256(&[&salt[..]]))),
let get_assertion = |device: &mut FidoDevice| { ]);
if let Some(pin) = pin.filter(|_| device.needs_pin()) { for cred in credentials {
device.unlock(pin)?; req = req.add_credential_id(&cred.id);
}
if let Some(pin) = pin {
req = req.pin(pin);
} else {
req = req.without_pin_and_uv();
}
let process_response = |resp: Vec<get_assertion_params::Assertion>| -> Fido2LuksResult<([u8; 32], &'a PublicKeyCredentialDescriptor)> {
for att in resp {
for ext in att.extensions.iter() {
match ext {
get_assertion_params::Extension::HmacSecret(Some(secret)) => {
//TODO: eliminate unwrap
let cred_used = credentials
.iter()
.copied()
.find(|cred| {
att.credential_id == cred.id
})
.unwrap();
return Ok((secret.clone(), cred_used));
}
_ => continue,
}
} }
device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None) }
Err(Fido2LuksError::WrongSecret)
}; };
let (credential, (secret, _)) = request_multiple_devices(
get_devices()? let devices = get_devices()?;
.iter_mut() let mut err: Option<Fido2LuksError> = None;
.map(|device| (device, &get_assertion)), let req = req.build();
Some(timeout), for dev in devices {
)?; let handle = FidoKeyHidFactory::create_by_params(&vec![dev.param], &lib_cfg()).unwrap();
Ok((secret, credential)) match handle.get_assertion_with_args(&req) {
Ok(resp) => return process_response(resp),
Err(e) => err = Some(e.into()),
}
}
Err(err.unwrap_or(Fido2LuksError::NoAuthenticatorError))
} }
pub fn may_require_pin() -> Fido2LuksResult<bool> { pub fn may_require_pin() -> Fido2LuksResult<bool> {
for di in ctap::get_devices()? { for dev in get_devices()? {
if let Ok(dev) = FidoDevice::new(&di) { let handle = FidoKeyHidFactory::create_by_params(&vec![dev.param], &lib_cfg()).unwrap();
if dev.needs_pin() { let info = handle.get_info()?;
return Ok(true); let needs_pin = info
} .options
.iter()
.any(|(name, val)| &name[..] == "clientPin" && *val);
if needs_pin {
return Ok(true);
} }
} }
Ok(false) Ok(false)
} }
pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> { pub fn get_devices() -> Fido2LuksResult<Vec<HidInfo>> {
let mut devices = Vec::with_capacity(2); Ok(get_fidokey_devices())
for di in ctap::get_devices()? {
match FidoDevice::new(&di) {
Err(e) => match e.kind() {
FidoErrorKind::ParseCtap | FidoErrorKind::DeviceUnsupported => (),
err => return Err(FidoError::from(err).into()),
},
Ok(dev) => devices.push(dev),
}
}
Ok(devices)
} }

16
src/error.rs
View File

@ -1,4 +1,4 @@
use ctap::FidoError; use anyhow;
use libcryptsetup_rs::LibcryptErr; use libcryptsetup_rs::LibcryptErr;
use std::io; use std::io;
use std::io::ErrorKind; use std::io::ErrorKind;
@ -14,7 +14,7 @@ pub enum Fido2LuksError {
#[fail(display = "unable to read keyfile: {}", cause)] #[fail(display = "unable to read keyfile: {}", cause)]
KeyfileError { cause: io::Error }, KeyfileError { cause: io::Error },
#[fail(display = "authenticator error: {}", cause)] #[fail(display = "authenticator error: {}", cause)]
AuthenticatorError { cause: ctap::FidoError }, AuthenticatorError { cause: anyhow::Error },
#[fail(display = "no authenticator found, please ensure your device is plugged in")] #[fail(display = "no authenticator found, please ensure your device is plugged in")]
NoAuthenticatorError, NoAuthenticatorError,
#[fail(display = " {}", cause)] #[fail(display = " {}", cause)]
@ -35,6 +35,12 @@ pub enum Fido2LuksError {
InsufficientCredentials, InsufficientCredentials,
} }
impl From<anyhow::Error> for Fido2LuksError {
fn from(cause: anyhow::Error) -> Self {
Fido2LuksError::AuthenticatorError { cause }
}
}
impl Fido2LuksError { impl Fido2LuksError {
pub fn exit_code(&self) -> i32 { pub fn exit_code(&self) -> i32 {
use Fido2LuksError::*; use Fido2LuksError::*;
@ -91,12 +97,6 @@ impl From<LuksError> for Fido2LuksError {
} }
} }
impl From<FidoError> for Fido2LuksError {
fn from(e: FidoError) -> Self {
AuthenticatorError { cause: e }
}
}
impl From<LibcryptErr> for Fido2LuksError { impl From<LibcryptErr> for Fido2LuksError {
fn from(e: LibcryptErr) -> Self { fn from(e: LibcryptErr) -> Self {
match e { match e {

27
src/luks.rs
View File

@ -141,6 +141,7 @@ impl LuksDevice {
old_secret: &[u8], old_secret: &[u8],
iteration_time: Option<u64>, iteration_time: Option<u64>,
credential_id: Option<&[u8]>, credential_id: Option<&[u8]>,
comment: Option<String>,
) -> Fido2LuksResult<u32> { ) -> Fido2LuksResult<u32> {
if let Some(millis) = iteration_time { if let Some(millis) = iteration_time {
self.device.settings_handle().set_iteration_time(millis) self.device.settings_handle().set_iteration_time(millis)
@ -151,7 +152,7 @@ impl LuksDevice {
.add_by_passphrase(None, old_secret, secret)?; .add_by_passphrase(None, old_secret, secret)?;
if let Some(id) = credential_id { if let Some(id) = credential_id {
self.device.token_handle().json_set(TokenInput::AddToken( self.device.token_handle().json_set(TokenInput::AddToken(
&serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(), &serde_json::to_value(&Fido2LuksToken::new(id, slot, comment)).unwrap(),
))?; ))?;
} }
@ -215,9 +216,18 @@ impl LuksDevice {
)? as u32; )? as u32;
if let Some(id) = credential_id { if let Some(id) = credential_id {
if self.is_luks2()? { if self.is_luks2()? {
let token = self.find_token(slot)?.map(|(t, _)| t); let (token_id, token_data) = match self.find_token(slot)? {
let json = serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(); Some((id, data)) => (Some(id), Some(data)),
if let Some(token) = token { _ => (None, None),
};
let json = serde_json::to_value(&Fido2LuksToken::new(
id,
slot,
// retain comment on replace
token_data.map(|data| data.comment).flatten(),
))
.unwrap();
if let Some(token) = token_id {
self.device self.device
.token_handle() .token_handle()
.json_set(TokenInput::ReplaceToken(token, &json))?; .json_set(TokenInput::ReplaceToken(token, &json))?;
@ -314,16 +324,19 @@ pub struct Fido2LuksToken {
pub type_: String, pub type_: String,
pub credential: HashSet<String>, pub credential: HashSet<String>,
pub keyslots: HashSet<String>, pub keyslots: HashSet<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub comment: Option<String>,
} }
impl Fido2LuksToken { impl Fido2LuksToken {
pub fn new(credential_id: impl AsRef<[u8]>, slot: u32) -> Self { pub fn new(credential_id: impl AsRef<[u8]>, slot: u32, comment: Option<String>) -> Self {
Self::with_credentials(std::iter::once(credential_id), slot) Self::with_credentials(std::iter::once(credential_id), slot, comment)
} }
pub fn with_credentials<I: IntoIterator<Item = B>, B: AsRef<[u8]>>( pub fn with_credentials<I: IntoIterator<Item = B>, B: AsRef<[u8]>>(
credentials: I, credentials: I,
slot: u32, slot: u32,
comment: Option<String>,
) -> Self { ) -> Self {
Self { Self {
credential: credentials credential: credentials
@ -331,6 +344,7 @@ impl Fido2LuksToken {
.map(|cred| hex::encode(cred.as_ref())) .map(|cred| hex::encode(cred.as_ref()))
.collect(), .collect(),
keyslots: vec![slot.to_string()].into_iter().collect(), keyslots: vec![slot.to_string()].into_iter().collect(),
comment,
..Default::default() ..Default::default()
} }
} }
@ -345,6 +359,7 @@ impl Default for Fido2LuksToken {
type_: Self::default_type().into(), type_: Self::default_type().into(),
credential: HashSet::new(), credential: HashSet::new(),
keyslots: HashSet::new(), keyslots: HashSet::new(),
comment: None,
} }
} }
} }

1
src/main.rs
View File

@ -1,6 +1,5 @@
#[macro_use] #[macro_use]
extern crate failure; extern crate failure;
extern crate ctap_hmac as ctap;
#[macro_use] #[macro_use]
extern crate serde_derive; extern crate serde_derive;
use crate::cli::*; use crate::cli::*;