chore: migrate to ctap-hid-fido2
This commit is contained in:
74
src/cli.rs
74
src/cli.rs
@@ -4,7 +4,7 @@ use crate::util::sha256;
|
||||
use crate::*;
|
||||
pub use cli_args::Args;
|
||||
use cli_args::*;
|
||||
use ctap::{FidoCredential, FidoErrorKind};
|
||||
use ctap_hid_fido2::public_key_credential_descriptor::PublicKeyCredentialDescriptor;
|
||||
use std::borrow::Cow;
|
||||
use std::collections::HashSet;
|
||||
use std::io::Write;
|
||||
@@ -26,31 +26,31 @@ fn derive_secret(
|
||||
salt: &[u8; 32],
|
||||
timeout: u64,
|
||||
pin: Option<&str>,
|
||||
) -> Fido2LuksResult<([u8; 32], FidoCredential)> {
|
||||
) -> Fido2LuksResult<([u8; 32], PublicKeyCredentialDescriptor)> {
|
||||
if credentials.is_empty() {
|
||||
return Err(Fido2LuksError::InsufficientCredentials);
|
||||
}
|
||||
let timeout = Duration::from_secs(timeout);
|
||||
let start = SystemTime::now();
|
||||
|
||||
while let Ok(el) = start.elapsed() {
|
||||
if el > timeout {
|
||||
return Err(error::Fido2LuksError::NoAuthenticatorError);
|
||||
}
|
||||
if get_devices()
|
||||
.map(|devices| !devices.is_empty())
|
||||
.unwrap_or(false)
|
||||
{
|
||||
break;
|
||||
}
|
||||
thread::sleep(Duration::from_millis(500));
|
||||
}
|
||||
//while let Ok(el) = start.elapsed() {
|
||||
// if el > timeout {
|
||||
// return Err(error::Fido2LuksError::NoAuthenticatorError);
|
||||
// }
|
||||
// if get_devices()
|
||||
// .map(|devices| !devices.is_empty())
|
||||
// .unwrap_or(false)
|
||||
// {
|
||||
// break;
|
||||
// }
|
||||
// thread::sleep(Duration::from_millis(500));
|
||||
//}
|
||||
|
||||
let credentials = credentials
|
||||
.iter()
|
||||
.map(|hex| FidoCredential {
|
||||
.map(|hex| PublicKeyCredentialDescriptor {
|
||||
id: hex.0.clone(),
|
||||
public_key: None,
|
||||
ctype: Default::default(),
|
||||
})
|
||||
.collect::<Vec<_>>();
|
||||
let credentials = credentials.iter().collect::<Vec<_>>();
|
||||
@@ -289,7 +289,10 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
|
||||
let other_secret = |salt_q: &str,
|
||||
verify: bool|
|
||||
-> Fido2LuksResult<(Vec<u8>, Option<FidoCredential>)> {
|
||||
-> Fido2LuksResult<(
|
||||
Vec<u8>,
|
||||
Option<PublicKeyCredentialDescriptor>,
|
||||
)> {
|
||||
match other_secret {
|
||||
OtherSecret {
|
||||
keyfile: Some(file),
|
||||
@@ -314,14 +317,15 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
)),
|
||||
}
|
||||
};
|
||||
let secret = |q: &str,
|
||||
verify: bool,
|
||||
credentials: &[HexEncoded]|
|
||||
-> Fido2LuksResult<([u8; 32], FidoCredential)> {
|
||||
let (pin, salt) = inputs(q, verify)?;
|
||||
prompt_interaction(interactive);
|
||||
derive_secret(credentials, &salt, authenticator.await_time, pin.as_deref())
|
||||
};
|
||||
let secret =
|
||||
|q: &str,
|
||||
verify: bool,
|
||||
credentials: &[HexEncoded]|
|
||||
-> Fido2LuksResult<([u8; 32], PublicKeyCredentialDescriptor)> {
|
||||
let (pin, salt) = inputs(q, verify)?;
|
||||
prompt_interaction(interactive);
|
||||
derive_secret(credentials, &salt, authenticator.await_time, pin.as_deref())
|
||||
};
|
||||
// Non overlap
|
||||
match &args.command {
|
||||
Command::AddKey {
|
||||
@@ -501,9 +505,8 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
Err(e) => {
|
||||
match e {
|
||||
Fido2LuksError::WrongSecret if retries > 0 => {}
|
||||
Fido2LuksError::AuthenticatorError { ref cause }
|
||||
if cause.kind() == FidoErrorKind::Timeout && retries > 0 => {}
|
||||
|
||||
//Fido2LuksError::AuthenticatorError { ref cause }
|
||||
// if cause.kind() == FidoErrorKind::Timeout && retries > 0 => {}
|
||||
e => return Err(e),
|
||||
};
|
||||
retries -= 1;
|
||||
@@ -516,13 +519,14 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
}
|
||||
}
|
||||
}
|
||||
Command::Connected => match get_devices() {
|
||||
Ok(ref devs) if !devs.is_empty() => {
|
||||
println!("Found {} devices", devs.len());
|
||||
Ok(())
|
||||
}
|
||||
_ => exit(1),
|
||||
},
|
||||
Command::Connected => unimplemented!("Not supported by current backend"),
|
||||
//Command::Connected => match get_devices() {
|
||||
// Ok(ref devs) if !devs.is_empty() => {
|
||||
// println!("Found {} devices", devs.len());
|
||||
// Ok(())
|
||||
// }
|
||||
// _ => exit(1),
|
||||
//},
|
||||
Command::Token(cmd) => match cmd {
|
||||
TokenCommand::List {
|
||||
device,
|
||||
|
||||
137
src/device.rs
137
src/device.rs
@@ -1,84 +1,99 @@
|
||||
use crate::error::*;
|
||||
|
||||
use crate::util;
|
||||
use ctap::{
|
||||
self, extensions::hmac::HmacExtension, request_multiple_devices, FidoAssertionRequestBuilder,
|
||||
FidoCredential, FidoCredentialRequestBuilder, FidoDevice, FidoError, FidoErrorKind,
|
||||
};
|
||||
use ctap_hid_fido2;
|
||||
use ctap_hid_fido2::get_assertion_params;
|
||||
use ctap_hid_fido2::get_assertion_with_args;
|
||||
use ctap_hid_fido2::get_info;
|
||||
use ctap_hid_fido2::make_credential_params;
|
||||
use ctap_hid_fido2::public_key_credential_descriptor::PublicKeyCredentialDescriptor;
|
||||
use ctap_hid_fido2::public_key_credential_user_entity::PublicKeyCredentialUserEntity;
|
||||
use ctap_hid_fido2::GetAssertionArgsBuilder;
|
||||
use ctap_hid_fido2::LibCfg;
|
||||
use ctap_hid_fido2::MakeCredentialArgsBuilder;
|
||||
use std::time::Duration;
|
||||
|
||||
const RP_ID: &str = "fido2luks";
|
||||
|
||||
fn lib_cfg() -> LibCfg {
|
||||
let mut cfg = LibCfg::init();
|
||||
cfg.enable_log = false;
|
||||
cfg
|
||||
}
|
||||
|
||||
pub fn make_credential_id(
|
||||
name: Option<&str>,
|
||||
pin: Option<&str>,
|
||||
) -> Fido2LuksResult<FidoCredential> {
|
||||
let mut request = FidoCredentialRequestBuilder::default().rp_id(RP_ID);
|
||||
if let Some(user_name) = name {
|
||||
request = request.user_name(user_name);
|
||||
) -> Fido2LuksResult<PublicKeyCredentialDescriptor> {
|
||||
let mut req = MakeCredentialArgsBuilder::new(RP_ID, &[])
|
||||
.extensions(&[make_credential_params::Extension::HmacSecret(Some(true))]);
|
||||
if let Some(pin) = pin {
|
||||
req = req.pin(pin);
|
||||
} else {
|
||||
req = req.without_pin_and_uv();
|
||||
}
|
||||
let request = request.build().unwrap();
|
||||
let make_credential = |device: &mut FidoDevice| {
|
||||
if let Some(pin) = pin.filter(|_| device.needs_pin()) {
|
||||
device.unlock(pin)?;
|
||||
}
|
||||
device.make_hmac_credential(&request)
|
||||
};
|
||||
Ok(request_multiple_devices(
|
||||
get_devices()?
|
||||
.iter_mut()
|
||||
.map(|device| (device, &make_credential)),
|
||||
None,
|
||||
)?)
|
||||
if let Some(_) = name {
|
||||
req = req.rkparam(&PublicKeyCredentialUserEntity::new(
|
||||
Some(b"00"),
|
||||
name.clone(),
|
||||
name,
|
||||
));
|
||||
}
|
||||
let resp = ctap_hid_fido2::make_credential_with_args(&lib_cfg(), &req.build())?;
|
||||
Ok(resp.credential_descriptor)
|
||||
}
|
||||
|
||||
pub fn perform_challenge<'a>(
|
||||
credentials: &'a [&'a FidoCredential],
|
||||
credentials: &'a [&'a PublicKeyCredentialDescriptor],
|
||||
salt: &[u8; 32],
|
||||
timeout: Duration,
|
||||
pin: Option<&str>,
|
||||
) -> Fido2LuksResult<([u8; 32], &'a FidoCredential)> {
|
||||
let request = FidoAssertionRequestBuilder::default()
|
||||
.rp_id(RP_ID)
|
||||
.credentials(credentials)
|
||||
.build()
|
||||
.unwrap();
|
||||
let get_assertion = |device: &mut FidoDevice| {
|
||||
if let Some(pin) = pin.filter(|_| device.needs_pin()) {
|
||||
device.unlock(pin)?;
|
||||
}
|
||||
device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
|
||||
};
|
||||
let (credential, (secret, _)) = request_multiple_devices(
|
||||
get_devices()?
|
||||
.iter_mut()
|
||||
.map(|device| (device, &get_assertion)),
|
||||
Some(timeout),
|
||||
)?;
|
||||
Ok((secret, credential))
|
||||
}
|
||||
|
||||
pub fn may_require_pin() -> Fido2LuksResult<bool> {
|
||||
for di in ctap::get_devices()? {
|
||||
if let Ok(dev) = FidoDevice::new(&di) {
|
||||
if dev.needs_pin() {
|
||||
return Ok(true);
|
||||
) -> Fido2LuksResult<([u8; 32], &'a PublicKeyCredentialDescriptor)> {
|
||||
let mut req = GetAssertionArgsBuilder::new(RP_ID, &[]).extensions(&[
|
||||
get_assertion_params::Extension::HmacSecret(Some(util::sha256(&[&salt[..]]))),
|
||||
]);
|
||||
if let Some(pin) = pin {
|
||||
req = req.pin(pin);
|
||||
} else {
|
||||
req = req.without_pin_and_uv();
|
||||
}
|
||||
let resp = get_assertion_with_args(&lib_cfg(), &req.build())?;
|
||||
fn dbg_hex<'a>(name: &str, vec: &'a Vec<u8>) -> &'a Vec<u8> {
|
||||
dbg!((name, hex::encode(&vec)));
|
||||
vec
|
||||
}
|
||||
let cred_used2 = credentials.iter().copied().find(|cred| {
|
||||
resp.iter()
|
||||
.any(|att| dbg_hex("att", &att.credential_id) == dbg_hex("cred", &cred.id))
|
||||
});
|
||||
for att in resp {
|
||||
for ext in att.extensions.iter() {
|
||||
match ext {
|
||||
get_assertion_params::Extension::HmacSecret(Some(secret)) => {
|
||||
dbg!(cred_used2);
|
||||
//TODO: eliminate unwrap
|
||||
let cred_used = credentials
|
||||
.iter()
|
||||
.copied()
|
||||
.find(|cred| {
|
||||
dbg_hex("att", &att.credential_id) == dbg_hex("cred", &cred.id)
|
||||
})
|
||||
.unwrap();
|
||||
return Ok((secret.clone(), cred_used));
|
||||
}
|
||||
_ => continue,
|
||||
}
|
||||
}
|
||||
}
|
||||
Ok(false)
|
||||
//TODO: create fitting error
|
||||
Err(Fido2LuksError::WrongSecret)
|
||||
}
|
||||
|
||||
pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {
|
||||
let mut devices = Vec::with_capacity(2);
|
||||
for di in ctap::get_devices()? {
|
||||
match FidoDevice::new(&di) {
|
||||
Err(e) => match e.kind() {
|
||||
FidoErrorKind::ParseCtap | FidoErrorKind::DeviceUnsupported => (),
|
||||
err => return Err(FidoError::from(err).into()),
|
||||
},
|
||||
Ok(dev) => devices.push(dev),
|
||||
}
|
||||
}
|
||||
Ok(devices)
|
||||
pub fn may_require_pin() -> Fido2LuksResult<bool> {
|
||||
let info = get_info(&lib_cfg())?;
|
||||
let needs_pin = info
|
||||
.options
|
||||
.iter()
|
||||
.any(|(name, val)| &name[..] == "clientPin" && *val);
|
||||
Ok(needs_pin)
|
||||
}
|
||||
|
||||
16
src/error.rs
16
src/error.rs
@@ -1,4 +1,4 @@
|
||||
use ctap::FidoError;
|
||||
use anyhow;
|
||||
use libcryptsetup_rs::LibcryptErr;
|
||||
use std::io;
|
||||
use std::io::ErrorKind;
|
||||
@@ -14,7 +14,7 @@ pub enum Fido2LuksError {
|
||||
#[fail(display = "unable to read keyfile: {}", cause)]
|
||||
KeyfileError { cause: io::Error },
|
||||
#[fail(display = "authenticator error: {}", cause)]
|
||||
AuthenticatorError { cause: ctap::FidoError },
|
||||
AuthenticatorError { cause: anyhow::Error },
|
||||
#[fail(display = "no authenticator found, please ensure your device is plugged in")]
|
||||
NoAuthenticatorError,
|
||||
#[fail(display = " {}", cause)]
|
||||
@@ -35,6 +35,12 @@ pub enum Fido2LuksError {
|
||||
InsufficientCredentials,
|
||||
}
|
||||
|
||||
impl From<anyhow::Error> for Fido2LuksError {
|
||||
fn from(cause: anyhow::Error) -> Self {
|
||||
Fido2LuksError::AuthenticatorError { cause }
|
||||
}
|
||||
}
|
||||
|
||||
impl Fido2LuksError {
|
||||
pub fn exit_code(&self) -> i32 {
|
||||
use Fido2LuksError::*;
|
||||
@@ -91,12 +97,6 @@ impl From<LuksError> for Fido2LuksError {
|
||||
}
|
||||
}
|
||||
|
||||
impl From<FidoError> for Fido2LuksError {
|
||||
fn from(e: FidoError) -> Self {
|
||||
AuthenticatorError { cause: e }
|
||||
}
|
||||
}
|
||||
|
||||
impl From<LibcryptErr> for Fido2LuksError {
|
||||
fn from(e: LibcryptErr) -> Self {
|
||||
match e {
|
||||
|
||||
@@ -1,6 +1,5 @@
|
||||
#[macro_use]
|
||||
extern crate failure;
|
||||
extern crate ctap_hmac as ctap;
|
||||
#[macro_use]
|
||||
extern crate serde_derive;
|
||||
use crate::cli::*;
|
||||
|
||||
Reference in New Issue
Block a user