update libcryptsetup_rs to 0.4.0

Cargo.lock

@@ -55,9 +55,9 @@ dependencies = [
 
 [[package]]
 name = "backtrace-sys"
-version = "0.1.35"
+version = "0.1.36"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7de8aba10a69c8e8d7622c5710229485ec32e9d55fdad160ea559c086fdcd118"
+checksum = "78848718ee1255a2485d1309ad9cdecfc2e7d0362dd11c6829364c6b35ae1bc7"
 dependencies = [
  "cc",
  "libc",
@@ -111,9 +111,9 @@ dependencies = [
 
 [[package]]
 name = "cc"
-version = "1.0.50"
+version = "1.0.52"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "95e28fa049fda1c330bcf9d723be7663a899c4679724b34c81e9f5a326aab8cd"
+checksum = "c3d87b23d6a92cd03af510a5ade527033f6aa6fa92161e2d5863a907d4c5e31d"
 
 [[package]]
 name = "cexpr"
@@ -287,7 +287,7 @@ dependencies = [
  "proc-macro2 1.0.10",
  "quote 1.0.3",
  "strsim 0.9.3",
- "syn 1.0.17",
+ "syn 1.0.18",
 ]
 
 [[package]]
@@ -298,7 +298,7 @@ checksum = "d9b5a2f4ac4969822c62224815d069952656cadc7084fdca9751e6d959189b72"
 dependencies = [
  "darling_core",
  "quote 1.0.3",
- "syn 1.0.17",
+ "syn 1.0.18",
 ]
 
 [[package]]
@@ -311,7 +311,7 @@ dependencies = [
  "derive_builder_core",
  "proc-macro2 1.0.10",
  "quote 1.0.3",
- "syn 1.0.17",
+ "syn 1.0.18",
 ]
 
 [[package]]
@@ -323,7 +323,7 @@ dependencies = [
  "darling",
  "proc-macro2 1.0.10",
  "quote 1.0.3",
- "syn 1.0.17",
+ "syn 1.0.18",
 ]
 
 [[package]]
@@ -363,13 +363,13 @@ checksum = "030a733c8287d6213886dd487564ff5c8f6aae10278b3588ed177f9d18f8d231"
 dependencies = [
  "proc-macro2 1.0.10",
  "quote 1.0.3",
- "syn 1.0.17",
+ "syn 1.0.18",
  "synstructure",
 ]
 
 [[package]]
 name = "fido2luks"
-version = "0.2.7"
+version = "0.2.8"
 dependencies = [
  "ctap_hmac",
  "failure",
@@ -377,6 +377,9 @@ dependencies = [
  "libcryptsetup-rs",
  "ring",
  "rpassword",
+ "serde",
+ "serde_derive",
+ "serde_json",
  "structopt",
 ]
 
@@ -415,9 +418,9 @@ dependencies = [
 
 [[package]]
 name = "hermit-abi"
-version = "0.1.10"
+version = "0.1.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "725cf19794cf90aa94e65050cb4191ff5d8fa87a498383774c47b332e3af952e"
+checksum = "61565ff7aaace3525556587bd2dc31d4a07071957be715e63ce7b1eccf51a8f4"
 dependencies = [
  "libc",
 ]
@@ -463,20 +466,21 @@ checksum = "b294d6fa9ee409a054354afc4352b0b9ef7ca222c69b8812cbea9e7d2bf3783f"
 
 [[package]]
 name = "libc"
-version = "0.2.68"
+version = "0.2.69"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dea0c0405123bba743ee3f91f49b1c7cfb684eef0da0a50110f758ccf24cdff0"
+checksum = "99e85c08494b21a9054e7fe1374a732aeadaff3980b6990b94bfd3a70f690005"
 
 [[package]]
 name = "libcryptsetup-rs"
-version = "0.2.0"
+version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c0177fd0ec022a5adb247e13e3238309913c28102a811227ad5de6a55697f152"
+checksum = "286a440a894fafd96c841b61c73e2053ff5b4d456820b3e04f7e88c4e8636a6b"
 dependencies = [
  "either",
  "libc",
  "libcryptsetup-rs-sys",
  "pkg-config",
+ "semver",
  "serde_json",
  "uuid",
 ]
@@ -577,26 +581,26 @@ checksum = "05da548ad6865900e60eaba7f589cc0783590a92e940c26953ff81ddbab2d677"
 
 [[package]]
 name = "proc-macro-error"
-version = "0.4.12"
+version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "18f33027081eba0a6d8aba6d1b1c3a3be58cbb12106341c2d5759fcd9b5277e7"
+checksum = "98e9e4b82e0ef281812565ea4751049f1bdcdfccda7d3f459f2e138a40c08678"
 dependencies = [
  "proc-macro-error-attr",
  "proc-macro2 1.0.10",
  "quote 1.0.3",
- "syn 1.0.17",
+ "syn 1.0.18",
  "version_check",
 ]
 
 [[package]]
 name = "proc-macro-error-attr"
-version = "0.4.12"
+version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8a5b4b77fdb63c1eca72173d68d24501c54ab1269409f6b672c85deb18af69de"
+checksum = "4f5444ead4e9935abd7f27dc51f7e852a0569ac888096d5ec2499470794e2e53"
 dependencies = [
  "proc-macro2 1.0.10",
  "quote 1.0.3",
- "syn 1.0.17",
+ "syn 1.0.18",
  "syn-mid",
  "version_check",
 ]
@@ -781,17 +785,11 @@ dependencies = [
  "rand_core 0.3.1",
 ]
 
-[[package]]
-name = "redox_syscall"
-version = "0.1.56"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2439c63f3f6139d1b57529d16bc3b8bb855230c8efcc5d3a896c8bea7c3b1e84"
-
 [[package]]
 name = "regex"
-version = "1.3.6"
+version = "1.3.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7f6946991529684867e47d86474e3a6d0c0ab9b82d5821e314b1ede31fa3a4b3"
+checksum = "a6020f034922e3194c711b82a627453881bc4682166cabb07134a10c26ba7692"
 dependencies = [
  "aho-corasick",
  "memchr",
@@ -860,9 +858,9 @@ checksum = "dcf128d1287d2ea9d80910b5f1120d0b8eede3fbf1abe91c40d39ea7d51e6fda"
 
 [[package]]
 name = "ryu"
-version = "1.0.3"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "535622e6be132bccd223f4bb2b8ac8d53cda3c7a6394944d3b2b33fb974f9d76"
+checksum = "ed3d612bc64430efeb3f7ee6ef26d590dce0c43249217bddc62112540c7941e1"
 
 [[package]]
 name = "scopeguard"
@@ -891,6 +889,17 @@ version = "1.0.106"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "36df6ac6412072f67cf767ebbde4133a5b2e88e76dc6187fa7104cd16f783399"
 
+[[package]]
+name = "serde_derive"
+version = "1.0.106"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9e549e3abf4fb8621bd1609f11dfc9f5e50320802273b12f3811a67e6716ea6c"
+dependencies = [
+ "proc-macro2 1.0.10",
+ "quote 1.0.3",
+ "syn 1.0.18",
+]
+
 [[package]]
 name = "serde_json"
 version = "1.0.51"
@@ -922,9 +931,9 @@ checksum = "6446ced80d6c486436db5c078dde11a9f73d42b57fb273121e160b84f63d894c"
 
 [[package]]
 name = "structopt"
-version = "0.3.12"
+version = "0.3.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c8faa2719539bbe9d77869bfb15d4ee769f99525e707931452c97b693b3f159d"
+checksum = "863246aaf5ddd0d6928dfeb1a9ca65f505599e4e1b399935ef7e75107516b4ef"
 dependencies = [
  "clap",
  "lazy_static",
@@ -933,15 +942,15 @@ dependencies = [
 
 [[package]]
 name = "structopt-derive"
-version = "0.4.5"
+version = "0.4.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3f88b8e18c69496aad6f9ddf4630dd7d585bcaf765786cb415b9aec2fe5a0430"
+checksum = "d239ca4b13aee7a2142e6795cbd69e457665ff8037aed33b3effdc430d2f927a"
 dependencies = [
  "heck",
  "proc-macro-error",
  "proc-macro2 1.0.10",
  "quote 1.0.3",
- "syn 1.0.17",
+ "syn 1.0.18",
 ]
 
 [[package]]
@@ -957,9 +966,9 @@ dependencies = [
 
 [[package]]
 name = "syn"
-version = "1.0.17"
+version = "1.0.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0df0eb663f387145cab623dea85b09c2c5b4b0aef44e945d928e682fce71bb03"
+checksum = "410a7488c0a728c7ceb4ad59b9567eb4053d02e8cc7f5c0e0eeeb39518369213"
 dependencies = [
  "proc-macro2 1.0.10",
  "quote 1.0.3",
@@ -974,7 +983,7 @@ checksum = "7be3539f6c128a931cf19dcee741c1af532c7fd387baa739c03dd2e96479338a"
 dependencies = [
  "proc-macro2 1.0.10",
  "quote 1.0.3",
- "syn 1.0.17",
+ "syn 1.0.18",
 ]
 
 [[package]]
@@ -985,7 +994,7 @@ checksum = "67656ea1dc1b41b1451851562ea232ec2e5a80242139f7e679ceccfb5d61f545"
 dependencies = [
  "proc-macro2 1.0.10",
  "quote 1.0.3",
- "syn 1.0.17",
+ "syn 1.0.18",
  "unicode-xid 0.2.0",
 ]
 
@@ -1018,12 +1027,11 @@ dependencies = [
 
 [[package]]
 name = "time"
-version = "0.1.42"
+version = "0.1.43"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "db8dcfca086c1143c9270ac42a2bbd8a7ee477b78ac8e45b19abfb0cbede4b6f"
+checksum = "ca8a50ef2360fbd1eeb0ecd46795a87a19024eb4b53c5dc916ca1fd95fe62438"
 dependencies = [
  "libc",
- "redox_syscall",
  "winapi",
 ]
 
@@ -1105,9 +1113,9 @@ checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
 
 [[package]]
 name = "winapi-util"
-version = "0.1.4"
+version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fa515c5163a99cc82bab70fd3bfdd36d827be85de63737b40fcef2ce084a436e"
+checksum = "70ec6ce85bb158151cae5e5c87f95a8e97d2c0c4b001223f33a334e3ce5de178"
 dependencies = [
  "winapi",
 ]

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "fido2luks"
-version = "0.2.7"
+version = "0.2.8"
 authors = ["shimunn <shimun@shimun.net>"]
 edition = "2018"
 
@@ -20,7 +20,10 @@ ring = "0.13.5"
 failure = "0.1.5"
 rpassword = "4.0.1"
 structopt = "0.3.2"
-libcryptsetup-rs = "0.2.0"
+libcryptsetup-rs = "0.4.0"
+serde_json = "1.0.51"
+serde_derive = "1.0.106"
+serde = "1.0.106"
 
 [profile.release]
 lto = true

src/cli.rs

@@ -120,6 +120,14 @@ impl SecretGeneration {
     }
 
     pub fn obtain_secret(&self, password_query: &str) -> Fido2LuksResult<[u8; 32]> {
+        self.obtain_secret_and_credential(password_query)
+            .map(|(secret, _)| secret)
+    }
+
+    pub fn obtain_secret_and_credential(
+        &self,
+        password_query: &str,
+    ) -> Fido2LuksResult<([u8; 32], FidoCredential)> {
         let mut salt = [0u8; 32];
         match self.password_helper {
             PasswordHelper::Stdin if !self.verify_password.unwrap_or(true) => {
@@ -158,10 +166,9 @@ impl SecretGeneration {
             })
             .collect::<Vec<_>>();
         let credentials = credentials.iter().collect::<Vec<_>>();
-        Ok(assemble_secret(
+        let (secret, credential) =
-            &perform_challenge(&credentials[..], &salt, timeout - start.elapsed().unwrap())?,
+            perform_challenge(&credentials[..], &salt, timeout - start.elapsed().unwrap())?;
-            &salt,
+        Ok((assemble_secret(&secret, &salt), credential.clone()))
-        ))
     }
 }
 
@@ -220,6 +227,9 @@ pub enum Command {
         /// Will wipe all other keys
         #[structopt(short = "e", long = "exclusive")]
         exclusive: bool,
+        /// Will add an token to your LUKS 2 header, including the credential id
+        #[structopt(short = "t", long = "token")]
+        token: bool,
         #[structopt(flatten)]
         existing_secret: OtherSecret,
         #[structopt(flatten)]
@@ -235,6 +245,9 @@ pub enum Command {
         /// Add the password and keep the key
         #[structopt(short = "a", long = "add-password")]
         add_password: bool,
+        // /// Will add an token to your LUKS 2 header, including the credential id
+        // #[structopt(short = "t", long = "token")]
+        //  token: bool,
         #[structopt(flatten)]
         replacement: OtherSecret,
         #[structopt(flatten)]
@@ -254,6 +267,15 @@ pub enum Command {
         #[structopt(flatten)]
         secret_gen: SecretGeneration,
     },
+    /// Open the LUKS device using information embedded into the LUKS 2 header
+    #[structopt(name = "open-token")]
+    OpenToken {
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: PathBuf,
+        #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
+        name: String,
+        salt: String,
+    },
     /// Generate a new FIDO credential
     #[structopt(name = "credential")]
     Credential {
@@ -296,18 +318,20 @@ pub fn run_cli() -> Fido2LuksResult<()> {
         Command::AddKey {
             device,
             exclusive,
+            token,
             existing_secret,
             ref secret_gen,
             luks_settings,
         } => {
             let secret_gen = secret_gen.patch(&args, None);
             let old_secret = existing_secret.obtain(&secret_gen, false, "Existing password")?;
-            let secret = secret_gen.obtain_secret("Password")?;
+            let (secret, credential) = secret_gen.obtain_secret_and_credential("Password")?;
             let added_slot = luks::add_key(
                 device.clone(),
                 &secret,
                 &old_secret[..],
                 luks_settings.kdf_time.or(Some(10)),
+                Some(&credential.id[..]).filter(|_| *token),
             )?;
             if *exclusive {
                 let destroyed = luks::remove_keyslots(&device, &[added_slot])?;
@@ -329,6 +353,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
         Command::ReplaceKey {
             device,
             add_password,
+            //token,
             replacement,
             ref secret_gen,
             luks_settings,
@@ -337,9 +362,21 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             let secret = secret_gen.obtain_secret("Password")?;
             let new_secret = replacement.obtain(&secret_gen, true, "Replacement password")?;
             let slot = if *add_password {
-                luks::add_key(device, &new_secret[..], &secret, luks_settings.kdf_time)
+                luks::add_key(
+                    device,
+                    &new_secret[..],
+                    &secret,
+                    luks_settings.kdf_time,
+                    None,
+                )
             } else {
-                luks::replace_key(device, &new_secret[..], &secret, luks_settings.kdf_time)
+                luks::replace_key(
+                    device,
+                    &new_secret[..],
+                    &secret,
+                    luks_settings.kdf_time,
+                    None,
+                )
             }?;
             println!(
                 "Added to password to device {}, slot: {}",
@@ -376,6 +413,31 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                 }
             }
         }
+        // TODO: utilise salt
+        Command::OpenToken {
+            device,
+            name,
+            salt: _,
+        } => luks::open_container_token(
+            device,
+            &name[..],
+            Box::new(|creds| {
+                let (secret, cred) = SecretGeneration {
+                    credential_ids: CommaSeparated(
+                        creds
+                            .iter()
+                            .map(|c| HexEncoded::from_str(&c[..]).unwrap())
+                            .collect(),
+                    ),
+                    salt: InputSalt::String("".into()),
+                    password_helper: Default::default(),
+                    await_authenticator: 100,
+                    verify_password: None,
+                }
+                .obtain_secret_and_credential("Password")?;
+                Ok((secret, hex::encode(cred.id)))
+            }),
+        ),
         Command::Connected => match get_devices() {
             Ok(ref devs) if !devs.is_empty() => {
                 println!("Found {} devices", devs.len());

src/device.rs

@@ -24,11 +24,11 @@ pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoCredential>
     )?)
 }
 
-pub fn perform_challenge(
+pub fn perform_challenge<'a>(
-    credentials: &[&FidoCredential],
+    credentials: &'a [&'a FidoCredential],
     salt: &[u8; 32],
     timeout: Duration,
-) -> Fido2LuksResult<[u8; 32]> {
+) -> Fido2LuksResult<([u8; 32], &'a FidoCredential)> {
     let request = FidoAssertionRequestBuilder::default()
         .rp_id(RP_ID)
         .credentials(credentials)
@@ -37,13 +37,13 @@ pub fn perform_challenge(
     let get_assertion = |device: &mut FidoDevice| {
         device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
     };
-    let (_, (secret, _)) = request_multiple_devices(
+    let (credential, (secret, _)) = request_multiple_devices(
         get_devices()?
             .iter_mut()
             .map(|device| (device, &get_assertion)),
         Some(timeout),
     )?;
-    Ok(secret)
+    Ok((secret, credential))
 }
 
 pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {

src/error.rs

@@ -13,11 +13,13 @@ pub enum Fido2LuksError {
     AuthenticatorError { cause: ctap::FidoError },
     #[fail(display = "no authenticator found, please ensure your device is plugged in")]
     NoAuthenticatorError,
-    #[fail(display = "luks err")]
+    #[fail(display = " {}", cause)]
-    LuksError {
+    CryptsetupError {
         cause: libcryptsetup_rs::LibcryptErr,
     },
-    #[fail(display = "no authenticator found, please ensure your device is plugged in")]
+    #[fail(display = "{}", cause)]
+    LuksError { cause: LuksError },
+    #[fail(display = "{}", cause)]
     IoError { cause: io::Error },
     #[fail(display = "supplied secret isn't valid for this device")]
     WrongSecret,
@@ -46,7 +48,35 @@ pub enum AskPassError {
     Mismatch,
 }
 
+#[derive(Debug, Fail)]
+pub enum LuksError {
+    #[fail(display = "This feature requires to the LUKS device to be formatted as LUKS 2")]
+    Luks2Required,
+    #[fail(display = "Invalid token: {}", _0)]
+    InvalidToken(String),
+    #[fail(display = "No token found")]
+    NoToken,
+    #[fail(display = "The device already exists")]
+    DeviceExists,
+}
+
+impl LuksError {
+    pub fn activate(e: LibcryptErr) -> Fido2LuksError {
+        match e {
+            LibcryptErr::IOError(ref io) => match io.raw_os_error() {
+                Some(1) if io.kind() == ErrorKind::PermissionDenied => Fido2LuksError::WrongSecret,
+                Some(17) => Fido2LuksError::LuksError {
+                    cause: LuksError::DeviceExists,
+                },
+                _ => return Fido2LuksError::CryptsetupError { cause: e },
+            },
+            _ => Fido2LuksError::CryptsetupError { cause: e },
+        }
+    }
+}
+
 use libcryptsetup_rs::LibcryptErr;
+use std::io::ErrorKind;
 use std::string::FromUtf8Error;
 use Fido2LuksError::*;
 
@@ -62,7 +92,7 @@ impl From<LibcryptErr> for Fido2LuksError {
             LibcryptErr::IOError(e) if e.raw_os_error().iter().any(|code| code == &1i32) => {
                 WrongSecret
             }
-            _ => LuksError { cause: e },
+            _ => CryptsetupError { cause: e },
         }
     }
 }

src/luks.rs

@@ -1,23 +1,45 @@
 use crate::error::*;
 
-use libcryptsetup_rs::{CryptActivateFlags, CryptDevice, CryptInit, EncryptionFormat, KeyslotInfo};
+use libcryptsetup_rs::{
+    CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo, EncryptionFormat, KeyslotInfo,
+    TokenInput,
+};
+use std::collections::{HashMap, HashSet};
 use std::path::Path;
 
 fn load_device_handle<P: AsRef<Path>>(path: P) -> Fido2LuksResult<CryptDevice> {
     let mut device = CryptInit::init(path.as_ref())?;
-    //TODO: determine luks version some way other way than just trying
+    device.context_handle().load::<()>(None, None)?;
-    let mut load = |format| device.context_handle().load::<()>(format, None).map(|_| ());
-    vec![EncryptionFormat::Luks2, EncryptionFormat::Luks1]
-        .into_iter()
-        .fold(None, |res, format| match res {
-            Some(Ok(())) => res,
-            Some(e) => Some(e.or_else(|_| load(format))),
-            None => Some(load(format)),
-        })
-        .unwrap()?;
     Ok(device)
 }
 
+fn check_luks2(device: &mut CryptDevice) -> Fido2LuksResult<()> {
+    match device.format_handle().get_type()? {
+        EncryptionFormat::Luks2 => Ok(()),
+        _ => Err(Fido2LuksError::LuksError {
+            cause: LuksError::Luks2Required,
+        }),
+    }
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+struct Fido2LuksToken {
+    #[serde(rename = "type")]
+    type_: String,
+    credential: Vec<String>,
+    keyslots: Vec<String>,
+}
+
+impl Fido2LuksToken {
+    fn new(credential_id: impl AsRef<[u8]>, slot: u32) -> Self {
+        Self {
+            type_: "fido2luks\0".into(), // Doubles as c style string
+            credential: vec![hex::encode(credential_id)],
+            keyslots: vec![slot.to_string()],
+        }
+    }
+}
+
 pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8]) -> Fido2LuksResult<()> {
     let mut device = load_device_handle(path)?;
     device
@@ -27,41 +49,158 @@ pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8]) -> Fid
         .map_err(|_e| Fido2LuksError::WrongSecret)
 }
 
+pub fn open_container_token<P: AsRef<Path>>(
+    path: P,
+    name: &str,
+    secret: Box<dyn Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>>,
+) -> Fido2LuksResult<()> {
+    let mut device = load_device_handle(path)?;
+    check_luks2(&mut device)?;
+
+    let mut creds = HashMap::new();
+    for i in 0..256 {
+        let status = device.token_handle().status(i)?;
+        match status {
+            CryptTokenInfo::Inactive => break,
+            CryptTokenInfo::Internal(s)
+            | CryptTokenInfo::InternalUnknown(s)
+            | CryptTokenInfo::ExternalUnknown(s)
+            | CryptTokenInfo::External(s)
+                if &s != "fido2luks" =>
+            {
+                continue
+            }
+            _ => (),
+        };
+        let json = device.token_handle().json_get(i)?;
+        let info: Fido2LuksToken =
+            serde_json::from_value(json.clone()).map_err(|_| Fido2LuksError::LuksError {
+                cause: LuksError::InvalidToken(json.to_string()),
+            })?;
+        let slots = || {
+            info.keyslots
+                .iter()
+                .filter_map(|slot| slot.parse::<u32>().ok())
+        };
+        for cred in info.credential.iter().cloned() {
+            creds
+                .entry(cred)
+                .or_insert_with(|| slots().collect::<HashSet<u32>>())
+                .extend(slots());
+        }
+    }
+    if creds.is_empty() {
+        return Err(Fido2LuksError::LuksError {
+            cause: LuksError::NoToken,
+        });
+    }
+    let (secret, credential) = secret(creds.keys().cloned().collect())?;
+    let slots = creds.get(&credential).unwrap();
+    let slots = slots
+        .iter()
+        .cloned()
+        .map(Option::Some)
+        .chain(std::iter::once(None).take(slots.is_empty() as usize));
+    for slot in slots {
+        match device
+            .activate_handle()
+            .activate_by_passphrase(Some(name), slot, &secret, CryptActivateFlags::empty())
+            .map(|_slot| ())
+            .map_err(LuksError::activate)
+        {
+            Err(Fido2LuksError::WrongSecret) => (),
+            res => return res,
+        }
+    }
+    Err(Fido2LuksError::WrongSecret)
+}
+
 pub fn add_key<P: AsRef<Path>>(
     path: P,
     secret: &[u8],
     old_secret: &[u8],
     iteration_time: Option<u64>,
+    credential_id: Option<&[u8]>,
 ) -> Fido2LuksResult<u32> {
     let mut device = load_device_handle(path)?;
     if let Some(millis) = iteration_time {
         device.settings_handle().set_iteration_time(millis)
     }
     let slot = device
-        .keyslot_handle(None)
+        .keyslot_handle()
-        .add_by_passphrase(old_secret, secret)?;
+        .add_by_passphrase(None, old_secret, secret)?;
+    if let Some(id) = credential_id {
+        /*  if let e @ Err(_) = check_luks2(&mut device) {
+            //rollback
+            device.keyslot_handle(Some(slot)).destroy()?;
+            return e.map(|_| 0u32);
+        }*/
+        device.token_handle().json_set(TokenInput::AddToken(
+            &serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
+        ))?;
+    }
+
     Ok(slot)
 }
 
+fn find_token(
+    device: &mut CryptDevice,
+    slot: u32,
+) -> Fido2LuksResult<Option<(u32, Fido2LuksToken)>> {
+    for i in 0..256 {
+        let status = device.token_handle().status(i)?;
+        match status {
+            CryptTokenInfo::Inactive => break,
+            CryptTokenInfo::Internal(s)
+            | CryptTokenInfo::InternalUnknown(s)
+            | CryptTokenInfo::ExternalUnknown(s)
+            | CryptTokenInfo::External(s)
+                if &s != "fido2luks" =>
+            {
+                continue
+            }
+            _ => (),
+        };
+        let json = device.token_handle().json_get(i)?;
+        let info: Fido2LuksToken =
+            serde_json::from_value(json.clone()).map_err(|_| Fido2LuksError::LuksError {
+                cause: LuksError::InvalidToken(json.to_string()),
+            })?;
+        if info.keyslots.contains(&slot.to_string()) {
+            return Ok(Some((i, info)));
+        }
+    }
+    Ok(None)
+}
+
 pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksResult<u32> {
     let mut device = load_device_handle(path)?;
-    let mut handle;
     let mut destroyed = 0;
-    //TODO: detect how many keyslots there are instead of trying within a given range
+    let mut tokens = Vec::new();
-    for slot in 0..1024 {
+    for slot in 0..256 {
-        handle = device.keyslot_handle(Some(slot));
+        match device.keyslot_handle().status(slot)? {
-        match handle.status()? {
             KeyslotInfo::Inactive => continue,
-            KeyslotInfo::Active if !exclude.contains(&slot) => {
+            KeyslotInfo::Active | KeyslotInfo::ActiveLast if !exclude.contains(&slot) => {
-                handle.destroy()?;
+                if let Ok(_) = check_luks2(&mut device) {
+                    if let Some((token, _)) = dbg!(find_token(&mut device, slot))? {
+                        tokens.push(token);
+                    }
+                }
+                device.keyslot_handle().destroy(slot)?;
                 destroyed += 1;
             }
+            KeyslotInfo::ActiveLast => break,
             _ => (),
         }
-        if let KeyslotInfo::ActiveLast = handle.status()? {
+        if device.keyslot_handle().status(slot)? == KeyslotInfo::ActiveLast {
             break;
         }
     }
+    for token in tokens.iter() {
+        device
+            .token_handle()
+            .json_set(TokenInput::RemoveToken(*token))?;
+    }
     Ok(destroyed)
 }
 
@@ -70,13 +209,26 @@ pub fn replace_key<P: AsRef<Path>>(
     secret: &[u8],
     old_secret: &[u8],
     iteration_time: Option<u64>,
+    credential_id: Option<&[u8]>,
 ) -> Fido2LuksResult<u32> {
     let mut device = load_device_handle(path)?;
     // Set iteration time not sure wether this applies to luks2 as well
     if let Some(millis) = iteration_time {
         device.settings_handle().set_iteration_time(millis)
     }
-    Ok(device
+    let slot = device
-        .keyslot_handle(None)
+        .keyslot_handle()
-        .change_by_passphrase(None, None, old_secret, secret)? as u32)
+        .change_by_passphrase(None, None, old_secret, secret)? as u32;
+    if let Some(id) = credential_id {
+        if check_luks2(&mut device).is_ok() {
+            let token = find_token(&mut device, slot)?.map(|(t, _)| t);
+            if let Some(token) = token {
+                device.token_handle().json_set(TokenInput::ReplaceToken(
+                    token,
+                    &serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
+                ))?;
+            }
+        }
+    }
+    Ok(slot)
 }

src/main.rs

@@ -1,6 +1,8 @@
 #[macro_use]
 extern crate failure;
 extern crate ctap_hmac as ctap;
+#[macro_use]
+extern crate serde_derive;
 use crate::cli::*;
 use crate::config::*;
 use crate::device::*;