Merge remote-tracking branch 'gt/ctap-hid-fido2' into 0.3.0-alpha

* create PKGBUILD file

* use build & install method

* add package dependencies

.drone.yml

@@ -3,32 +3,25 @@ name: default
 
 steps:
  - name: fmt
-   image: rust:1.37.0
+   image: rust:1.43.0
    commands:
-     -  rustup component add rustfmt
+     - rustup component add rustfmt
-     -  cargo fmt --all -- --check
+     - cargo fmt --all -- --check
  - name: test
-   image: rust:1.37.0
+   image: shimun/fido2luks@sha256:6d0b4017bffbec5fac8f25d383d68671fcc9930efb02e97ce5ea81acf0060ece
+   environment:
+    DEBIAN_FRONTEND: noninteractive
    commands:
-    - apt update && apt install -y libcryptsetup-dev libkeyutils-dev
+    - cargo test --locked
-    - cargo test
+ - name: publish
-
+   image: shimun/fido2luks@sha256:6d0b4017bffbec5fac8f25d383d68671fcc9930efb02e97ce5ea81acf0060ece
- - name: build
+   environment:
-   image: rust:1.37.0
+    DEBIAN_FRONTEND: noninteractive
+    CARGO_REGISTRY_TOKEN:
+     from_secret: cargo_tkn
    commands:
-    - apt update && apt install -y libcryptsetup-dev libkeyutils-dev
+    - grep -E 'version ?= ?"${DRONE_TAG}"' -i Cargo.toml || (printf "incorrect crate/tag version" && exit 1)
-    - cargo install -f --path . --root .
+    - cargo package --all-features --allow-dirty
+    - cargo publish --all-features --allow-dirty
    when:
     event: tag
- - name: publish
-   image: plugins/github-release
-   settings:
-     api_key:
-      from_secret: github_release
-     files:
-      - bin/fido2luks
-     checksum:
-      - md5
-      - sha256
-   when:
-    event: tag    

.github/workflows/current.yml

@@ -0,0 +1,32 @@
+# This is a basic workflow to help you get started with Actions
+
+name: Current
+
+# Controls when the workflow will run
+on:
+  schedule:
+    - cron: '0 22 * * 6'
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  build:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v3
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v4
+      - name: Setup Attic cache
+        uses: ryanccn/attic-action@v0
+        with:
+          endpoint: ${{ secrets.ATTIC_ENDPOINT }}
+          cache: ${{ secrets.ATTIC_CACHE }}
+          token: ${{ secrets.ATTIC_TOKEN }}
+      - name: Build Nix Package nixos-unstable
+        run: nix build --override-input nixpkgs github:nixos/nixpkgs/nixos-unstable --show-trace

.github/workflows/locked.yml

@@ -0,0 +1,33 @@
+# This is a basic workflow to help you get started with Actions
+
+name: Locked
+
+# Controls when the workflow will run
+on:
+  # Triggers the workflow on push or pull request events but only for the "master" branch
+  push:
+    branches: '*'
+  pull_request:
+    branches: '*'
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  build:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v3
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v4
+      - name: Setup Attic cache
+        uses: ryanccn/attic-action@v0
+        with:
+          endpoint: ${{ secrets.ATTIC_ENDPOINT }}
+          cache: ${{ secrets.ATTIC_CACHE }}
+          token: ${{ secrets.ATTIC_TOKEN }}
+      - name: Build Nix Package
+        run: nix build -j 10 --show-trace

.gitignore

@@ -2,3 +2,9 @@
 **/*.rs.bk
 .idea/
 *.iml
+fido2luks.bash
+fido2luks.elv
+fido2luks.fish
+fido2luks.zsh
+result
+result-*

CHANGELOG.md

@@ -0,0 +1,11 @@
+## 0.3.0
+
+* LUKS2 Tokens are now supported by every subcommand
+* `<credential>` has been converted into the flag `--creds`  
+credentials provided by `--creds` will be supplemented from the LUKS header unless this is disabled by `--disable-token`
+* `fido2luks add-key` will take an `--auto-cred` flag which allows for credentials to be generated and stored without having to use `fido2luks credential`  
+`fido2luks replace-key` will allow for credentials to be removed using the `--remove-cred` flag respectively 
+* Removed `fido2luks open-token` subcommand  
+  `fido2luks open` now fulfills both functions
+* Added `fido2luks open --dry-run` flag, to perform the whole procedure apart from mounting the LUKS volume
+* Added an `--verbose` flag to display additional information like credentials and keyslots used if desired

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "fido2luks"
-version = "0.2.7"
+version = "0.3.1-alpha"
 authors = ["shimunn <shimun@shimun.net>"]
 edition = "2018"
 
@@ -11,16 +11,29 @@ repository = "https://github.com/shimunn/fido2luks"
 readme = "README.md"
 keywords = ["luks", "fido2", "u2f"]
 categories = ["command-line-utilities"]
-license-file = "LICENSE"
+license = "MPL-2.0"
 
 [dependencies]
-ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
 hex = "0.3.2"
-ring = "0.13.5"
+ring = "0.16.5"
 failure = "0.1.5"
 rpassword = "4.0.1"
 structopt = "0.3.2"
-libcryptsetup-rs = "0.2.0"
+libcryptsetup-rs = "0.9.1"
+serde_json = "1.0.51"
+serde_derive = "1.0.116"
+serde = "1.0.116"
+anyhow = "1.0.56"
+ctap-hid-fido2 = "3.4.1"
+
+[build-dependencies]
+hex = "0.3.2"
+ring = "0.16.5"
+failure = "0.1.5"
+rpassword = "4.0.1"
+libcryptsetup-rs = "0.9.1"
+structopt = "0.3.2"
+anyhow = "1.0.56"
 
 [profile.release]
 lto = true
@@ -28,3 +41,16 @@ opt-level = 'z'
 panic = 'abort'
 incremental = false
 overflow-checks = false
+
+[package.metadata.deb]
+depends = "$auto, cryptsetup"
+build-depends = "libclang-dev, libcryptsetup-dev"
+extended-description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator"
+assets = [
+    ["target/release/fido2luks", "usr/bin/", "755"],
+    ["fido2luks.bash", "usr/share/bash-completion/completions/fido2luks", "644"],
+    ["initramfs-tools/keyscript.sh", "/lib/cryptsetup/scripts/fido2luks", "755" ],
+    ["initramfs-tools/hook/fido2luks.sh", "etc/initramfs-tools/hooks/", "755" ],
+    ["initramfs-tools/fido2luks.conf", "etc/", "644"],
+]
+conf-files = ["/etc/fido2luks.conf"]

PKGBUILD

@@ -0,0 +1,37 @@
+# Maintainer: shimunn <shimun@shimun.net>
+
+pkgname=fido2luks-git
+pkgver=0.2.16.7e6b33a
+pkgrel=1
+makedepends=('rust' 'cargo' 'cryptsetup' 'clang' 'git')
+depends=('cryptsetup')
+arch=('i686' 'x86_64' 'armv6h' 'armv7h')
+pkgdesc="Decrypt your LUKS partition using a FIDO2 compatible authenticator"
+url="https://github.com/shimunn/fido2luks"
+license=('MPL-2.0')
+source=('git+https://github.com/shimunn/fido2luks')
+sha512sums=('SKIP')
+
+pkgver() {
+    cd fido2luks
+
+    # Use tag version if possible otherwise concat project version and git ref
+    git describe --exact-match --tags HEAD 2>/dev/null ||
+        echo "$(cargo pkgid | cut -d'#' -f2).$(git describe --always)"
+}
+
+build() {
+    cd fido2luks
+    cargo build --release --locked --all-features --target-dir=target
+}
+
+package() {
+    cd fido2luks
+
+    install -Dm 755 target/release/fido2luks -t "${pkgdir}/usr/bin"
+    install -Dm 755 pam_mount/fido2luksmounthelper.sh -t "${pkgdir}/usr/bin"
+    install -Dm 644 initcpio/hooks/fido2luks -t "${pkgdir}/usr/lib/initcpio/hooks"
+    install -Dm 644 initcpio/install/fido2luks -t "${pkgdir}/usr/lib/initcpio/install"
+    install -Dm 644 fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
+    install -Dm 644 fido2luks.fish -t "${pkgdir}/usr/share/fish/vendor_completions.d"
+}

README.md

@@ -1,105 +1,7 @@
 # fido2luks [![Crates.io Version](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
 
-This will allow you to unlock your luks encrypted disk with an fido2 compatible key
+## 0.3.0-alpha
 
-Note: This has only been tested under Fedora 31 using a Solo Key, Trezor Model T
+This is just the program itself, all intitrid scripts are mostly taylored to the latest 0.2.x version and will most likely not work with 0.3.0 due to breaking changes in the CLI interface.
-
+I've decided it release the version in this state since I just do not have the time now or in the forseeable future to tewak all scripts since it's quite an tedious tasks which involves rebooting VMs countless times.
-## Setup
+If you're interested to adapt or write scripts for an particular distro I'd be more than happy to accept pull requests.
-
-### Prerequisites
-
-```
-dnf install clang cargo cryptsetup-devel -y
-```
-
-### Device
-
-```
-git clone https://github.com/shimunn/fido2luks.git && cd fido2luks
-
-# Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/
-sudo -E cargo install -f --path . --root /usr
-
-# Copy template
-cp dracut/96luks-2fa/fido2luks.conf /etc/
-# Name is optional but useful if your authenticator has a display
-echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential [NAME]) >> /etc/fido2luks.conf
-
-# Load config into env
-set -a
-. /etc/fido2luks.conf
-
-# Repeat for each luks volume
-sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>
-
-# Test(only works if the luks container isn't active)
-sudo -E fido2luks -i open /dev/disk/by-uuid/<DISK_UUID> luks-<DISK_UUID>
-
-```
-
-### Dracut
-
-```
-cd dracut
-
-sudo make install
-```
-
-### Grub
-
-Add `rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID>` to `GRUB_CMDLINE_LINUX` in /etc/default/grub
-
-Note: This is only required for your root disk, systemd will try to unlock all other LUKS partions using the same key if you added it using `fido2luks add-key`
-
-```
-grub2-mkconfig > /boot/grub2/grub.cfg
-```
-
-I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a rescue system
-
-```
-mkdir /boot/fido2luks/
-cp /usr/bin/fido2luks /boot/fido2luks/
-cp /etc/fido2luks.conf /boot/fido2luks/
-```
-
-## Test
-
-Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:
-
-```
-# Recommend in case you lose your authenticator, store this backupfile somewhere safe
-cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID>
-# There is no turning back if you mess this up, make sure you made a backup
-fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
-```
-
-## Addtional settings
-
-### Password less
-
-Remove your previous secret as described in the next section, in case you've already added one.
-
-Open `/etc/fido2luks.conf` and replace `FIDO2LUKS_SALT=Ask` with `FIDO2LUKS_SALT=string:<YOUR_RANDOM_STRING>`
-but be warned that this password will be included to into your initramfs.
-
-Import the new config into env:
-
-```
-set -a
-. /etc/fido2luks.conf
-```
-
-Then add the new secret to each device and update dracut afterwards `dracut -f`
-
-## Removal
-
-Remove `rd.luks.2fa` from `GRUB_CMDLINE_LINUX` in /etc/default/grub
-
-```
-set -a
-. fido2luks.conf
-sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
-
-sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
-```

build.rs

@@ -0,0 +1,32 @@
+#![allow(warnings)]
+#[macro_use]
+extern crate failure;
+
+#[path = "src/cli_args/mod.rs"]
+mod cli_args;
+#[path = "src/error.rs"]
+mod error;
+#[path = "src/util.rs"]
+mod util;
+
+use cli_args::Args;
+use std::env;
+use std::fs;
+use std::path::PathBuf;
+use std::str::FromStr;
+use structopt::clap::Shell;
+use structopt::StructOpt;
+
+fn main() {
+    let env_outdir = env::var_os("OUT_DIR").unwrap();
+    let outdir = PathBuf::from(PathBuf::from(env_outdir).ancestors().nth(3).unwrap());
+    fs::create_dir_all(&outdir).unwrap();
+    // generate completion scripts, zsh does panic for some reason
+    for shell in Shell::variants().iter().filter(|shell| **shell != "zsh") {
+        Args::clap().gen_completions(
+            env!("CARGO_PKG_NAME"),
+            Shell::from_str(shell).unwrap(),
+            &outdir,
+        );
+    }
+}

flake.lock

@@ -0,0 +1,80 @@
+{
+  "nodes": {
+    "naersk": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1698420672,
+        "narHash": "sha256-/TdeHMPRjjdJub7p7+w55vyABrsJlt5QkznPYy55vKA=",
+        "owner": "nix-community",
+        "repo": "naersk",
+        "rev": "aeb58d5e8faead8980a807c840232697982d47b9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "naersk",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1705496572,
+        "narHash": "sha256-rPIe9G5EBLXdBdn9ilGc0nq082lzQd0xGGe092R/5QE=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "842d9d80cfd4560648c785f8a4e6f3b096790e19",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "type": "indirect"
+      }
+    },
+    "root": {
+      "inputs": {
+        "naersk": "naersk",
+        "nixpkgs": "nixpkgs",
+        "utils": "utils"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1705309234,
+        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,63 @@
+{
+  description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator";
+
+  inputs = {
+    utils.url = "github:numtide/flake-utils";
+    naersk = {
+      url = "github:nix-community/naersk";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs = { self, nixpkgs, utils, naersk }:
+    let
+      root = ./.;
+      pname = (builtins.fromTOML (builtins.readFile ./Cargo.toml)).package.name;
+      forPkgs = pkgs:
+        let
+          naersk-lib = naersk.lib."${pkgs.system}";
+          buildInputs = with pkgs; [ cryptsetup cryptsetup.dev udev.dev ];
+          nativeBuildInputs = with pkgs; [
+            rustPlatform.bindgenHook
+            pkg-config
+            clang
+          ];
+        in
+        rec {
+          # `nix build`
+          packages.${pname} = naersk-lib.buildPackage {
+            inherit pname root buildInputs nativeBuildInputs;
+          };
+          defaultPackage = packages.${pname};
+
+          # `nix run`
+          apps.${pname} = utils.lib.mkApp {
+            drv = packages.${pname};
+          };
+          defaultApp = apps.${pname};
+
+          # `nix flake check`
+          checks = {
+            fmt = with pkgs; runCommandLocal "${pname}-fmt" { buildInputs = [ cargo rustfmt nixpkgs-fmt ]; } ''
+              cd ${root}
+              cargo fmt -- --check
+              nixpkgs-fmt --check *.nix
+              touch $out
+            '';
+          };
+
+          hydraJobs = checks // packages;
+
+          # `nix develop`
+          devShell = pkgs.mkShell {
+            nativeBuildInputs = with pkgs; [ rustc cargo rustfmt nixpkgs-fmt ] ++ nativeBuildInputs;
+            inherit buildInputs;
+          };
+        };
+      forSystem = system: forPkgs nixpkgs.legacyPackages."${system}";
+    in
+    (utils.lib.eachSystem [ "aarch64-linux" "i686-linux" "x86_64-linux" ] forSystem) // {
+      overlay = final: prev: (forPkgs final).packages;
+    };
+
+}

initcpio/Makefile

@@ -0,0 +1,18 @@
+.PHONY: install remove
+
+install:
+	install -Dm644 hooks/fido2luks -t /usr/lib/initcpio/hooks
+	install -Dm644 install/fido2luks -t /usr/lib/initcpio/install
+ifdef preset
+	mkinitcpio -p $(preset)
+else
+	mkinitcpio -P
+endif
+
+remove:
+	rm /usr/lib/initcpio/{hooks,install}/fido2luks
+ifdef preset
+	mkinitcpio -p $(preset)
+else
+	mkinitcpio -P
+endif

initcpio/README.md

@@ -0,0 +1,52 @@
+## fido2luks hook for mkinitcpio (ArchLinux and derivatives)
+
+> ⚠️ Before proceeding, it is very advised to [backup your existing LUKS2 header](https://wiki.archlinux.org/title/dm-crypt/Device_encryption#Backup_using_cryptsetup) to external storage
+
+### Setup
+
+1. Connect your FIDO2 authenticator
+2. Generate credential id
+
+```shell
+fido2luks credential
+```
+
+3. Generate salt (random string)
+
+```shell
+pwgen 48 1
+```
+
+4. Add key to your LUKS2 device
+
+```shell
+fido2luks add-key -Pt --salt <salt> <block_device> <credential_id>
+```
+
+`-P` - request PIN to unlock the authenticator  
+`-t` - add token (including credential id) to the LUKS2 header  
+`-e` - wipe all other keys  
+
+For the full list of options see `fido2luks add-key --help`
+
+5. Edit [/etc/fido2luks.conf](/initcpio/fido2luks.conf)
+
+Keyslot (`FIDO2LUKS_DEVICE_SLOT`) can be obtained from the output of
+
+```shell
+cryptsetup luksDump <block_device>
+```
+
+6. Add fido2luks hook to /etc/mkinitcpio.conf
+
+Before or instead of `encrypt` hook, for example:
+
+```shell
+HOOKS=(base udev autodetect modconf keyboard block fido2luks filesystems fsck)
+```
+
+7. Recreate initial ramdisk
+
+```shell
+mkinitcpio -p <preset>
+```

initcpio/fido2luks.conf

@@ -0,0 +1,18 @@
+# Set credential *ONLY IF* it's not embedded in the LUKS2 header
+FIDO2LUKS_CREDENTIAL_ID=
+
+# Encrypted device and its name under /dev/mapper
+# Can be overridden by `cryptdevice` kernel parameter
+FIDO2LUKS_DEVICE=
+FIDO2LUKS_MAPPER_NAME=
+
+FIDO2LUKS_SALT=string:<salt>
+
+# Use specific keyslot (ignore all other slots)
+FIDO2LUKS_DEVICE_SLOT=
+
+# Await for an authenticator to be connected (in seconds)
+FIDO2LUKS_DEVICE_AWAIT=
+
+# Set to 1 if PIN is required to unlock the authenticator
+FIDO2LUKS_ASK_PIN=

initcpio/hooks/fido2luks

@@ -0,0 +1,55 @@
+#!/usr/bin/ash
+
+run_hook() {
+    modprobe -a -q dm-crypt >/dev/null 2>&1
+    . /etc/fido2luks.conf
+
+    if [ -z "$cryptdevice" ]; then
+        device="$FIDO2LUKS_DEVICE"
+        dmname="$FIDO2LUKS_MAPPER_NAME"
+    else
+        IFS=: read cryptdev dmname _cryptoptions <<EOF
+$cryptdevice
+EOF
+        if ! device=$(resolve_device "${cryptdev}" ${rootdelay}); then
+            return 1
+        fi
+    fi
+
+    options="--salt $FIDO2LUKS_SALT"
+
+    if [ "$FIDO2LUKS_ASK_PIN" == 1 ]; then
+        options="$options --pin"
+    fi
+
+    if [ -n "$FIDO2LUKS_DEVICE_SLOT" ]; then
+        options="$options --slot $FIDO2LUKS_DEVICE_SLOT"
+    fi
+
+    if [ -n "$FIDO2LUKS_DEVICE_AWAIT" ]; then
+        options="$options --await-dev $FIDO2LUKS_DEVICE_AWAIT"
+    fi
+
+    # HACK: /dev/tty is hardcoded in rpassword, but not accessible from the ramdisk
+    # Temporary link it to /dev/tty1
+    mv /dev/tty /dev/tty.back
+    ln -s /dev/tty1 /dev/tty
+
+    printf "\nAuthentication is required to access the $dmname volume at $device\n"
+
+    if [ -z "$FIDO2LUKS_CREDENTIAL_ID" ]; then
+        fido2luks open-token $device $dmname $options
+    else
+        fido2luks open $device $dmname $FIDO2LUKS_CREDENTIAL_ID $options
+    fi
+    exit_code=$?
+
+    # Restore /dev/tty
+    mv /dev/tty.back /dev/tty
+
+    if [ $exit_code -ne 0 ]; then
+        printf '\n'
+        read -s -p 'Press Enter to continue'
+        printf '\n'
+    fi
+}

initcpio/install/fido2luks

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+build() {
+    local mod
+
+    add_module dm-crypt
+    add_module dm-integrity
+    if [[ $CRYPTO_MODULES ]]; then
+        for mod in $CRYPTO_MODULES; do
+            add_module "$mod"
+        done
+    else
+        add_all_modules /crypto/
+    fi
+
+    add_binary fido2luks
+    add_binary dmsetup
+    add_file /usr/lib/udev/rules.d/10-dm.rules
+    add_file /usr/lib/udev/rules.d/13-dm-disk.rules
+    add_file /usr/lib/udev/rules.d/95-dm-notify.rules
+    add_file /usr/lib/initcpio/udev/11-dm-initramfs.rules /usr/lib/udev/rules.d/11-dm-initramfs.rules
+    add_file /etc/fido2luks.conf /etc/fido2luks.conf
+
+    add_runscript
+}
+
+help() {
+    cat <<HELPEOF
+This hook allows to decrypt LUKS2 partition using FIDO2 compatible authenticator
+HELPEOF
+}

initramfs-tools/Dockerfile

@@ -0,0 +1,15 @@
+FROM rust:bullseye
+
+RUN cargo install -f cargo-deb --debug --version 1.30.0
+
+ARG DEBIAN_FRONTEND=noninteractive
+
+RUN apt update && apt install -y cryptsetup pkg-config libclang-dev libcryptsetup-dev && mkdir -p /build/fido2luks
+
+WORKDIR /build/fido2luks
+
+ENV CARGO_TARGET_DIR=/build/fido2luks/target
+
+RUN cargo install fido2luks -f
+
+CMD bash -xc 'cp -rf /code/* /build/fido2luks && cargo-deb && cp target/debian/*.deb /out'

initramfs-tools/Makefile

@@ -0,0 +1,11 @@
+.PHONY: install
+install:
+	chmod +x hook/fido2luks.sh keyscript.sh
+	cp -f hook/fido2luks.sh /etc/initramfs-tools/hooks/
+	mkdir -p /usr/share/fido2luks
+	cp -f keyscript.sh /lib/cryptsetup/scripts/fido2luks
+	update-initramfs -u
+remove:
+	sh -c "grep 'keyscript=fido2luks' -i /etc/crypttab && ( echo 'ERROR: your system is still setup to use fido2luks during boot' && exit 1) || exit 0"
+	rm /etc/initramfs-tools/hooks/fido2luks.sh /lib/cryptsetup/scripts/fido2luks
+	update-initramfs -u

initramfs-tools/README.md

@@ -0,0 +1,34 @@
+## Initramfs-tools based systems(Ubuntu and derivatives)
+
+For easiest installation [download and install the precompiled deb from releases.](https://github.com/shimunn/fido2luks/releases). However it is possible to build from source via the instructions on the main readme.
+
+```
+sudo -s
+
+# Insert FIDO key.
+fido2luks credential
+# Tap FIDO key
+# Copy returned string <CREDENTIAL>
+
+nano /etc/fido2luks.conf
+# Insert <CREDENTIAL> 
+# FIDO2LUKS_CREDENTIAL_ID=<CREDENTIAL> 
+
+set -a
+. /etc/fido2luks.conf
+fido2luks -i add-key /dev/<LUKS PARTITION>
+# Current password: <Any current LUKS password>
+# Password: <Password used as FIDO challange>
+# Tap FIDO key
+
+nano /etc/crypttab
+# Append to end ",discard,initramfs,keyscript=fido2luks"
+# E.g. sda6_crypt UUID=XXXXXXXXXX none luks,discard,initramfs,keyscript=fido2luks
+
+update-initramfs -u
+
+
+```
+
+[Recording showing part of the setup](https://shimun.net/fido2luks/setup.svg)
+

initramfs-tools/build-deb.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+set -ex
+
+docker build . -t fido2luks-deb
+
+mkdir -p debs
+
+docker run -ti -v "$(pwd)/..:/code:ro" -v "$(pwd)/debs:/out" fido2luks-deb

initramfs-tools/fido2luks.conf

@@ -0,0 +1,3 @@
+FIDO2LUKS_SALT=Ask
+#FIDO2LUKS_PASSWORD_HELPER="/usr/bin/plymouth ask-for-password --prompt 'FIDO2 password salt'"
+FIDO2LUKS_CREDENTIAL_ID=

initramfs-tools/hook/fido2luks.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+case "$1" in
+prereqs)
+	echo ""
+	exit 0
+	;;
+
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+copy_file config /etc/fido2luks.conf /etc/fido2luks.conf
+copy_exec /usr/bin/fido2luks
+exit 0

initramfs-tools/keyscript.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+set -a
+. /etc/fido2luks.conf
+
+if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
+	MSG="FIDO2 password salt for $CRYPTTAB_NAME"
+	export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --prompt '$MSG'"
+fi
+
+fido2luks print-secret --bin "$CRYPTTAB_SOURCE" $([ "$FIDO2LUKS_USE_TOKEN" -eq 0 ] && printf "--disable-token")

pam_mount/fido2luksmounthelper.sh

@@ -0,0 +1,220 @@
+#!/bin/bash
+#
+# This is a rather minimal example Argbash potential
+# Example taken from http://argbash.readthedocs.io/en/stable/example.html
+#
+# ARG_POSITIONAL_SINGLE([operation],[Operation to perform (mount|umount)],[])
+# ARG_OPTIONAL_SINGLE([credentials-type],[c],[Type of the credentials to use (external|embedded)])
+# ARG_OPTIONAL_SINGLE([device],[d],[Name of the device to create])
+# ARG_OPTIONAL_SINGLE([mount-point],[m],[Path of the mount point to use])
+# ARG_OPTIONAL_BOOLEAN([ask-pin],[a],[Ask for a pin],[off])
+# ARG_OPTIONAL_SINGLE([salt],[s],[Salt to use],[""])
+# ARG_HELP([Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point.])
+# ARGBASH_GO()
+# needed because of Argbash --> m4_ignore([
+### START OF CODE GENERATED BY Argbash v2.9.0 one line above ###
+# Argbash is a bash code generator used to get arguments parsing right.
+# Argbash is FREE SOFTWARE, see https://argbash.io for more info
+# Generated online by https://argbash.io/generate
+
+
+die()
+{
+	local _ret="${2:-1}"
+	test "${_PRINT_HELP:-no}" = yes && print_help >&2
+	echo "$1" >&2
+	exit "${_ret}"
+}
+
+
+begins_with_short_option()
+{
+	local first_option all_short_options='cdmash'
+	first_option="${1:0:1}"
+	test "$all_short_options" = "${all_short_options/$first_option/}" && return 1 || return 0
+}
+
+# THE DEFAULTS INITIALIZATION - POSITIONALS
+_positionals=()
+# THE DEFAULTS INITIALIZATION - OPTIONALS
+_arg_credentials_type=
+_arg_device=
+_arg_mount_point=
+_arg_ask_pin="off"
+_arg_salt=""
+
+
+print_help()
+{
+	printf '%s\n' "Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point."
+	printf 'Usage: %s [-c|--credentials-type <arg>] [-d|--device <arg>] [-m|--mount-point <arg>] [-a|--(no-)ask-pin] [-s|--salt <arg>] [-h|--help] <operation>\n' "$0"
+	printf '\t%s\n' "<operation>: Operation to perform (mount|umount)"
+	printf '\t%s\n' "-c, --credentials-type: Type of the credentials to use (external|embedded) (no default)"
+	printf '\t%s\n' "-d, --device: Name of the device to create (no default)"
+	printf '\t%s\n' "-m, --mount-point: Path of the mount point to use (no default)"
+	printf '\t%s\n' "-a, --ask-pin, --no-ask-pin: Ask for a pin (off by default)"
+	printf '\t%s\n' "-s, --salt: Salt to use (default: '""')"
+	printf '\t%s\n' "-h, --help: Prints help"
+}
+
+
+parse_commandline()
+{
+	_positionals_count=0
+	while test $# -gt 0
+	do
+		_key="$1"
+		case "$_key" in
+			-c|--credentials-type)
+				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
+				_arg_credentials_type="$2"
+				shift
+				;;
+			--credentials-type=*)
+				_arg_credentials_type="${_key##--credentials-type=}"
+				;;
+			-c*)
+				_arg_credentials_type="${_key##-c}"
+				;;
+			-d|--device)
+				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
+				_arg_device="$2"
+				shift
+				;;
+			--device=*)
+				_arg_device="${_key##--device=}"
+				;;
+			-d*)
+				_arg_device="${_key##-d}"
+				;;
+			-m|--mount-point)
+				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
+				_arg_mount_point="$2"
+				shift
+				;;
+			--mount-point=*)
+				_arg_mount_point="${_key##--mount-point=}"
+				;;
+			-m*)
+				_arg_mount_point="${_key##-m}"
+				;;
+			-a|--no-ask-pin|--ask-pin)
+				_arg_ask_pin="on"
+				test "${1:0:5}" = "--no-" && _arg_ask_pin="off"
+				;;
+			-a*)
+				_arg_ask_pin="on"
+				_next="${_key##-a}"
+				if test -n "$_next" -a "$_next" != "$_key"
+				then
+					{ begins_with_short_option "$_next" && shift && set -- "-a" "-${_next}" "$@"; } || die "The short option '$_key' can't be decomposed to ${_key:0:2} and -${_key:2}, because ${_key:0:2} doesn't accept value and '-${_key:2:1}' doesn't correspond to a short option."
+				fi
+				;;
+			-s|--salt)
+				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
+				_arg_salt="$2"
+				shift
+				;;
+			--salt=*)
+				_arg_salt="${_key##--salt=}"
+				;;
+			-s*)
+				_arg_salt="${_key##-s}"
+				;;
+			-h|--help)
+				print_help
+				exit 0
+				;;
+			-h*)
+				print_help
+				exit 0
+				;;
+			*)
+				_last_positional="$1"
+				_positionals+=("$_last_positional")
+				_positionals_count=$((_positionals_count + 1))
+				;;
+		esac
+		shift
+	done
+}
+
+
+handle_passed_args_count()
+{
+	local _required_args_string="'operation'"
+	test "${_positionals_count}" -ge 1 || _PRINT_HELP=yes die "FATAL ERROR: Not enough positional arguments - we require exactly 1 (namely: $_required_args_string), but got only ${_positionals_count}." 1
+	test "${_positionals_count}" -le 1 || _PRINT_HELP=yes die "FATAL ERROR: There were spurious positional arguments --- we expect exactly 1 (namely: $_required_args_string), but got ${_positionals_count} (the last one was: '${_last_positional}')." 1
+}
+
+
+assign_positional_args()
+{
+	local _positional_name _shift_for=$1
+	_positional_names="_arg_operation "
+
+	shift "$_shift_for"
+	for _positional_name in ${_positional_names}
+	do
+		test $# -gt 0 || break
+		eval "$_positional_name=\${1}" || die "Error during argument parsing, possibly an Argbash bug." 1
+		shift
+	done
+}
+
+parse_commandline "$@"
+handle_passed_args_count
+assign_positional_args 1 "${_positionals[@]}"
+
+# OTHER STUFF GENERATED BY Argbash
+
+### END OF CODE GENERATED BY Argbash (sortof) ### ])
+# [ <-- needed because of Argbash
+
+if [ -z ${_arg_mount_point} ]; then
+  die "Missing '--mount-point' argument"
+fi
+
+if [ -z ${_arg_device} ]; then
+  die "Missing '--device' argument"
+fi
+
+ASK_PIN=${_arg_ask_pin}
+OPERATION=${_arg_operation}
+DEVICE=${_arg_device}
+DEVICE_NAME=$(sed "s|/|_|g" <<< ${DEVICE})
+MOUNT_POINT=${_arg_mount_point}
+CREDENTIALS_TYPE=${_arg_credentials_type}
+SALT=${_arg_salt}
+CONF_FILE_PATH="/etc/fido2luksmounthelper.conf"
+
+if [ "${OPERATION}" == "mount" ]; then
+	if [ "${CREDENTIALS_TYPE}" == "external" ]; then
+    if  [ -f ${CONF_FILE_PATH} ]; then
+			if [ "${ASK_PIN}" == "on" ]; then
+				read PASSWORD
+			fi
+			CREDENTIALS=$(<${CONF_FILE_PATH})
+		else
+			die "The configuration file '${CONF_FILE_PATH}' is missing. Please create it or use embedded credentials."
+		fi
+		printf ${PASSWORD} | fido2luks open --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME} ${CREDENTIALS}
+	elif [ "${CREDENTIALS_TYPE}" == "embedded" ]; then
+		if [ "${ASK_PIN}" == "on" ]; then
+			read PASSWORD
+		fi
+		printf ${PASSWORD} | fido2luks open-token --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME}
+	else
+		die "Given credential-type '${CREDENTIALS_TYPE}' is invalid. It must be 'external' or 'embedded'"
+	fi 
+	mount /dev/mapper/${DEVICE_NAME} ${MOUNT_POINT}
+elif [ "${OPERATION}" == "umount" ]; then
+  umount ${MOUNT_POINT}
+  cryptsetup luksClose ${DEVICE_NAME}
+else
+  die "Given operation '${OPERATION}' is invalid. It must be 'mount' or 'unmount'"
+fi
+
+exit 0
+
+# ] <-- needed because of Argbash

src/cli_args/config.rs

@@ -7,36 +7,37 @@ use std::fs::File;
 use std::io::Read;
 use std::path::PathBuf;
 use std::process::Command;
+use std::process::Stdio;
 use std::str::FromStr;
 
 #[derive(Debug, Clone, PartialEq)]
-pub enum InputSalt {
+pub enum SecretInput {
     AskPassword,
     String(String),
     File { path: PathBuf },
 }
 
-impl Default for InputSalt {
+impl Default for SecretInput {
     fn default() -> Self {
-        InputSalt::AskPassword
+        SecretInput::AskPassword
     }
 }
 
-impl From<&str> for InputSalt {
+impl From<&str> for SecretInput {
     fn from(s: &str) -> Self {
         let mut parts = s.split(':');
         match parts.next() {
-            Some("ask") | Some("Ask") => InputSalt::AskPassword,
+            Some("ask") | Some("Ask") => SecretInput::AskPassword,
-            Some("file") => InputSalt::File {
+            Some("file") => SecretInput::File {
                 path: parts.collect::<Vec<_>>().join(":").into(),
             },
-            Some("string") => InputSalt::String(parts.collect::<Vec<_>>().join(":")),
+            Some("string") => SecretInput::String(parts.collect::<Vec<_>>().join(":")),
             _ => Self::default(),
         }
     }
 }
 
-impl FromStr for InputSalt {
+impl FromStr for SecretInput {
     type Err = Fido2LuksError;
 
     fn from_str(s: &str) -> Result<Self, Self::Err> {
@@ -44,21 +45,54 @@ impl FromStr for InputSalt {
     }
 }
 
-impl fmt::Display for InputSalt {
+impl fmt::Display for SecretInput {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> Result<(), fmt::Error> {
         f.write_str(&match self {
-            InputSalt::AskPassword => "ask".to_string(),
+            SecretInput::AskPassword => "ask".to_string(),
-            InputSalt::String(s) => ["string", s].join(":"),
+            SecretInput::String(s) => ["string", s].join(":"),
-            InputSalt::File { path } => ["file", path.display().to_string().as_str()].join(":"),
+            SecretInput::File { path } => ["file", path.display().to_string().as_str()].join(":"),
         })
     }
 }
 
-impl InputSalt {
+impl SecretInput {
-    pub fn obtain(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<[u8; 32]> {
+    pub fn obtain_string(
+        &self,
+        password_helper: Option<impl FnOnce() -> Fido2LuksResult<String>>,
+    ) -> Fido2LuksResult<String> {
+        Ok(String::from_utf8(self.obtain(password_helper)?)?)
+    }
+
+    pub fn obtain(
+        &self,
+        password_helper: Option<impl FnOnce() -> Fido2LuksResult<String>>,
+    ) -> Fido2LuksResult<Vec<u8>> {
+        let mut secret = Vec::new();
+        match self {
+            SecretInput::File { path } => {
+                //TODO: replace with try_blocks
+                let mut do_io = || File::open(path)?.read_to_end(&mut secret);
+                do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?;
+            }
+            SecretInput::AskPassword => secret.extend_from_slice(
+                password_helper.ok_or_else(|| Fido2LuksError::AskPassError {
+                    cause: AskPassError::FailedHelper,
+                })?()?
+                .as_bytes(),
+            ),
+
+            SecretInput::String(s) => secret.extend_from_slice(s.as_bytes()),
+        }
+        Ok(secret)
+    }
+
+    pub fn obtain_sha256(
+        &self,
+        password_helper: Option<impl FnOnce() -> Fido2LuksResult<String>>,
+    ) -> Fido2LuksResult<[u8; 32]> {
         let mut digest = digest::Context::new(&digest::SHA256);
         match self {
-            InputSalt::File { path } => {
+            SecretInput::File { path } => {
                 let mut do_io = || {
                     let mut reader = File::open(path)?;
                     let mut buf = [0u8; 512];
@@ -73,10 +107,7 @@ impl InputSalt {
                 };
                 do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?;
             }
-            InputSalt::AskPassword => {
+            _ => digest.update(self.obtain(password_helper)?.as_slice()),
-                digest.update(password_helper.obtain()?.as_bytes());
-            }
-            InputSalt::String(s) => digest.update(s.as_bytes()),
         }
         let mut salt = [0u8; 32];
         salt.as_mut().copy_from_slice(digest.finish().as_ref());
@@ -133,12 +164,13 @@ impl PasswordHelper {
         use PasswordHelper::*;
         match self {
             Systemd => unimplemented!(),
-            Stdin => Ok(util::read_password("Password", true)?),
+            Stdin => Ok(util::read_password("Password", true, false)?),
             Script(password_helper) => {
-                let mut helper_parts = password_helper.split(' ');
+                let password = Command::new("sh")
-
+                    .arg("-c")
-                let password = Command::new((&mut helper_parts).next().unwrap())
+                    .arg(&password_helper)
-                    .args(helper_parts)
+                    .stdin(Stdio::inherit())
+                    .stderr(Stdio::inherit())
                     .output()
                     .map_err(|e| Fido2LuksError::AskPassError {
                         cause: error::AskPassError::IO(e),
@@ -158,24 +190,30 @@ mod test {
     #[test]
     fn input_salt_from_str() {
         assert_eq!(
-            "file:/tmp/abc".parse::<InputSalt>().unwrap(),
+            "file:/tmp/abc".parse::<SecretInput>().unwrap(),
-            InputSalt::File {
+            SecretInput::File {
                 path: "/tmp/abc".into()
             }
         );
         assert_eq!(
-            "string:abc".parse::<InputSalt>().unwrap(),
+            "string:abc".parse::<SecretInput>().unwrap(),
-            InputSalt::String("abc".into())
+            SecretInput::String("abc".into())
+        );
+        assert_eq!(
+            "ask".parse::<SecretInput>().unwrap(),
+            SecretInput::AskPassword
+        );
+        assert_eq!(
+            "lol".parse::<SecretInput>().unwrap(),
+            SecretInput::default()
         );
-        assert_eq!("ask".parse::<InputSalt>().unwrap(), InputSalt::AskPassword);
-        assert_eq!("lol".parse::<InputSalt>().unwrap(), InputSalt::default());
     }
 
     #[test]
     fn input_salt_obtain() {
         assert_eq!(
-            InputSalt::String("abc".into())
+            SecretInput::String("abc".into())
-                .obtain(&PasswordHelper::Stdin)
+                .obtain_sha256(Some(|| Ok("123456".to_string())))
                 .unwrap(),
             [
                 186, 120, 22, 191, 143, 1, 207, 234, 65, 65, 64, 222, 93, 174, 34, 35, 176, 3, 97,

src/cli_args/mod.rs

@@ -0,0 +1,329 @@
+use std::fmt::{Display, Error, Formatter};
+use std::hash::{Hash, Hasher};
+use std::path::PathBuf;
+use std::str::FromStr;
+use structopt::clap::{AppSettings, Shell};
+use structopt::StructOpt;
+
+mod config;
+
+pub use config::*;
+
+#[derive(Debug, Eq, PartialEq, Clone)]
+pub struct HexEncoded(pub Vec<u8>);
+
+impl Display for HexEncoded {
+    fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
+        f.write_str(&hex::encode(&self.0))
+    }
+}
+
+impl AsRef<[u8]> for HexEncoded {
+    fn as_ref(&self) -> &[u8] {
+        &self.0[..]
+    }
+}
+
+impl FromStr for HexEncoded {
+    type Err = hex::FromHexError;
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        Ok(HexEncoded(hex::decode(s)?))
+    }
+}
+
+impl Hash for HexEncoded {
+    fn hash<H: Hasher>(&self, state: &mut H) {
+        self.0.hash(state)
+    }
+}
+
+#[derive(Debug, Eq, PartialEq, Clone)]
+pub struct CommaSeparated<T: FromStr + Display>(pub Vec<T>);
+
+impl<T: Display + FromStr> Display for CommaSeparated<T> {
+    fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
+        for i in &self.0 {
+            f.write_str(&i.to_string())?;
+            f.write_str(",")?;
+        }
+        Ok(())
+    }
+}
+
+impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
+    type Err = <T as FromStr>::Err;
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        Ok(CommaSeparated(
+            s.split(',')
+                .map(|part| <T as FromStr>::from_str(part))
+                .collect::<Result<Vec<_>, _>>()?,
+        ))
+    }
+}
+
+#[derive(Debug, StructOpt)]
+pub struct Credentials {
+    /// FIDO credential ids, separated by ',' generate using fido2luks credential
+    #[structopt(
+        name = "credential-ids",
+        env = "FIDO2LUKS_CREDENTIAL_ID",
+        short = "c",
+        long = "creds"
+    )]
+    pub ids: Option<CommaSeparated<HexEncoded>>,
+}
+
+#[derive(Debug, StructOpt)]
+pub struct AuthenticatorParameters {
+    /// Request a PIN to unlock the authenticator if required
+    #[structopt(short = "P", long = "pin")]
+    pub pin: bool,
+
+    /// Request PIN and password combined `pin:password` when using an password helper
+    #[structopt(long = "pin-prefixed")]
+    pub pin_prefixed: bool,
+
+    /// Await for an authenticator to be connected, timeout after n seconds
+    #[structopt(
+        long = "await-dev",
+        name = "await-dev",
+        env = "FIDO2LUKS_DEVICE_AWAIT",
+        default_value = "15"
+    )]
+    pub await_time: u64,
+}
+
+#[derive(Debug, StructOpt)]
+pub struct LuksParameters {
+    #[structopt(env = "FIDO2LUKS_DEVICE")]
+    pub device: PathBuf,
+
+    /// Try to unlock the device using a specifc keyslot, ignore all other slots
+    #[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
+    pub slot: Option<u32>,
+
+    /// Disable implicit use of LUKS2 tokens
+    #[structopt(
+        long = "disable-token",
+    //  env = "FIDO2LUKS_DISABLE_TOKEN" // unfortunately clap will convert flags into args if they have an env attribute
+    )]
+    pub disable_token: bool,
+}
+
+#[derive(Debug, StructOpt, Clone)]
+pub struct LuksModParameters {
+    /// Number of milliseconds required to derive the volume decryption key
+    /// Defaults to 10ms when using an authenticator or the default by cryptsetup when using a password
+    #[structopt(long = "kdf-time", name = "kdf-time", env = "FIDO2LUKS_KDF_TIME")]
+    pub kdf_time: Option<u64>,
+}
+
+#[derive(Debug, StructOpt)]
+pub struct SecretParameters {
+    /// Salt for secret generation, defaults to 'ask'
+    ///
+    /// Options:{n}
+    ///  - ask              : Prompt user using password helper{n}
+    ///  - file:<PATH>      : Will read <FILE>{n}
+    ///  - string:<STRING>  : Will use <STRING>, which will be handled like a password provided to the 'ask' option{n}
+    #[structopt(
+        name = "salt",
+        long = "salt",
+        env = "FIDO2LUKS_SALT",
+        default_value = "ask"
+    )]
+    pub salt: SecretInput,
+    /// Script used to obtain passwords, overridden by --interactive flag
+    #[structopt(
+        name = "password-helper",
+        env = "FIDO2LUKS_PASSWORD_HELPER",
+        long = "password-helper"
+    )]
+    pub password_helper: Option<PasswordHelper>,
+}
+#[derive(Debug, StructOpt)]
+pub struct Args {
+    /// Request passwords via Stdin instead of using the password helper
+    #[structopt(short = "i", long = "interactive")]
+    pub interactive: bool,
+    #[structopt(short = "v", long = "verbose")]
+    pub verbose: bool,
+    #[structopt(subcommand)]
+    pub command: Command,
+}
+
+#[derive(Debug, StructOpt, Clone)]
+pub struct OtherSecret {
+    /// Use a keyfile instead of a password
+    #[structopt(short = "d", long = "keyfile", conflicts_with = "fido_device")]
+    pub keyfile: Option<PathBuf>,
+    /// Use another fido device instead of a password
+    /// Note: this requires for the credential for the other device to be passed as argument as well
+    #[structopt(short = "f", long = "fido-device", conflicts_with = "keyfile")]
+    pub fido_device: bool,
+}
+
+#[derive(Debug, StructOpt)]
+pub enum Command {
+    #[structopt(name = "print-secret")]
+    PrintSecret {
+        // version 0.3.0 will store use the lower case ascii encoded hex string making binary output unnecessary
+        /// Prints the secret as binary instead of hex encoded
+        #[structopt(hidden = true, short = "b", long = "bin")]
+        binary: bool,
+        #[structopt(flatten)]
+        credentials: Credentials,
+        #[structopt(flatten)]
+        authenticator: AuthenticatorParameters,
+        #[structopt(flatten)]
+        secret: SecretParameters,
+        /// Load credentials from LUKS header
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: Option<PathBuf>,
+    },
+    /// Adds a generated key to the specified LUKS device
+    #[structopt(name = "add-key")]
+    AddKey {
+        #[structopt(flatten)]
+        luks: LuksParameters,
+        #[structopt(flatten)]
+        credentials: Credentials,
+        /// Comment to be associated with this credential
+        #[structopt(long = "comment")]
+        comment: Option<String>,
+        #[structopt(flatten)]
+        authenticator: AuthenticatorParameters,
+        #[structopt(flatten)]
+        secret: SecretParameters,
+        /// Will wipe all other keys
+        #[structopt(short = "e", long = "exclusive")]
+        exclusive: bool,
+        /// Will generate an credential while adding a new key to this LUKS device if supported
+        #[structopt(short = "g", long = "gen-cred")]
+        generate_credential: bool,
+        #[structopt(flatten)]
+        existing_secret: OtherSecret,
+        #[structopt(flatten)]
+        luks_mod: LuksModParameters,
+    },
+    /// Replace a previously added key with a password
+    #[structopt(name = "replace-key")]
+    ReplaceKey {
+        #[structopt(flatten)]
+        luks: LuksParameters,
+        #[structopt(flatten)]
+        credentials: Credentials,
+        #[structopt(flatten)]
+        authenticator: AuthenticatorParameters,
+        #[structopt(flatten)]
+        secret: SecretParameters,
+        /// Add the password and keep the key
+        #[structopt(short = "a", long = "add-password")]
+        add_password: bool,
+        /// Remove the affected credential from LUKS header
+        #[structopt(short = "r", long = "remove-cred")]
+        remove_cred: bool,
+        #[structopt(flatten)]
+        replacement: OtherSecret,
+        #[structopt(flatten)]
+        luks_mod: LuksModParameters,
+    },
+    /// Open the LUKS device
+    #[structopt(name = "open", alias = "open-token")]
+    Open {
+        #[structopt(flatten)]
+        luks: LuksParameters,
+        #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
+        name: String,
+        #[structopt(flatten)]
+        credentials: Credentials,
+        #[structopt(flatten)]
+        authenticator: AuthenticatorParameters,
+        #[structopt(flatten)]
+        secret: SecretParameters,
+        #[structopt(short = "r", long = "max-retries", default_value = "0")]
+        retries: i32,
+        /// Perform the whole procedure without mounting the LUKS volume on success
+        #[structopt(long = "dry-run")]
+        dry_run: bool,
+        /// Pass SSD trim instructions to the underlying block device
+        #[structopt(long = "allow-discards")]
+        allow_discards: bool,
+    },
+    /// Generate a new FIDO credential
+    #[structopt(name = "credential")]
+    Credential {
+        #[structopt(flatten)]
+        authenticator: AuthenticatorParameters,
+        /// Name to be displayed on the authenticator display
+        #[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME", default_value = "")]
+        name: String,
+    },
+    /// Check if an authenticator is connected
+    #[structopt(name = "connected")]
+    Connected,
+    Token(TokenCommand),
+    /// Generate bash completion scripts
+    /// Example: fido2luks completions --shell bash /usr/share/bash-completion/completions
+    #[structopt(name = "completions", setting = AppSettings::Hidden)]
+    GenerateCompletions {
+        /// Shell to generate completions for
+        #[structopt(short = "s", long = "shell",possible_values = &Shell::variants()[..])]
+        shell: Option<String>,
+        out_dir: PathBuf,
+    },
+}
+
+///LUKS2 token related operations
+#[derive(Debug, StructOpt)]
+pub enum TokenCommand {
+    /// List all tokens associated with the specified device
+    List {
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: PathBuf,
+        /// Dump all credentials as CSV
+        #[structopt(long = "csv")]
+        csv: bool,
+    },
+    /// Add credential to a keyslot
+    Add {
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: PathBuf,
+        /// FIDO credential ids, separated by ',' generate using fido2luks credential
+        #[structopt(
+            name = "credential-ids",
+            env = "FIDO2LUKS_CREDENTIAL_ID",
+            short = "c",
+            long = "creds"
+        )]
+        credentials: CommaSeparated<HexEncoded>,
+        /// Comment to be associated with this credential
+        #[structopt(long = "comment")]
+        comment: Option<String>,
+        /// Slot to which the credentials will be added
+        #[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
+        slot: u32,
+    },
+    /// Remove credentials from token(s)
+    Remove {
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: PathBuf,
+        /// FIDO credential ids, separated by ',' generate using fido2luks credential
+        #[structopt(
+            name = "credential-ids",
+            env = "FIDO2LUKS_CREDENTIAL_ID",
+            short = "c",
+            long = "creds"
+        )]
+        credentials: CommaSeparated<HexEncoded>,
+        /// Token from which the credentials will be removed
+        #[structopt(long = "token")]
+        token_id: Option<u32>,
+    },
+    /// Remove all unassigned tokens
+    GC {
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: PathBuf,
+    },
+}

src/device.rs

@@ -1,73 +1,133 @@
 use crate::error::*;
 
 use crate::util;
-use ctap::{
+use ctap_hid_fido2;
-    self, extensions::hmac::HmacExtension, request_multiple_devices, FidoAssertionRequestBuilder,
+use ctap_hid_fido2::fidokey::get_assertion::get_assertion_params;
-    FidoCredential, FidoCredentialRequestBuilder, FidoDevice, FidoError, FidoErrorKind,
+use ctap_hid_fido2::fidokey::make_credential::make_credential_params;
-};
+use ctap_hid_fido2::fidokey::GetAssertionArgsBuilder;
+use ctap_hid_fido2::fidokey::MakeCredentialArgsBuilder;
+use ctap_hid_fido2::get_fidokey_devices;
+use ctap_hid_fido2::public_key_credential_descriptor::PublicKeyCredentialDescriptor;
+use ctap_hid_fido2::public_key_credential_user_entity::PublicKeyCredentialUserEntity;
+use ctap_hid_fido2::FidoKeyHidFactory;
+use ctap_hid_fido2::HidInfo;
+use ctap_hid_fido2::LibCfg;
 use std::time::Duration;
 
 const RP_ID: &str = "fido2luks";
 
+fn lib_cfg() -> LibCfg {
+    let mut cfg = LibCfg::init();
+    cfg.enable_log = false;
+    cfg.keep_alive_msg = String::new();
+    cfg
+}
+
 pub fn make_credential_id(
     name: Option<&str>,
     pin: Option<&str>,
-) -> Fido2LuksResult<FidoCredential> {
+    exclude: &[&PublicKeyCredentialDescriptor],
-    let mut request = FidoCredentialRequestBuilder::default().rp_id(RP_ID);
+) -> Fido2LuksResult<PublicKeyCredentialDescriptor> {
-    if let Some(user_name) = name {
+    let mut req = MakeCredentialArgsBuilder::new(RP_ID, &[])
-        request = request.user_name(user_name);
+        .extensions(&[make_credential_params::Extension::HmacSecret(Some(true))]);
+    if let Some(pin) = pin {
+        req = req.pin(pin);
+    } else {
+        req = req.without_pin_and_uv();
     }
-    let request = request.build().unwrap();
+    for cred in exclude {
-    let make_credential = |device: &mut FidoDevice| {
+        req = req.exclude_authenticator(cred.id.as_ref());
-        if let Some(pin) = pin {
+    }
-            device.unlock(pin)?;
+    if let Some(_) = name {
+        req = req.user_entity(&PublicKeyCredentialUserEntity::new(
+            Some(b"00"),
+            name.clone(),
+            name,
+        ));
+    }
+    let devices = get_devices()?;
+    let mut err: Option<Fido2LuksError> = None;
+    let req = req.build();
+    for dev in devices {
+        let handle = FidoKeyHidFactory::create_by_params(&vec![dev.param], &lib_cfg()).unwrap();
+        match handle.make_credential_with_args(&req) {
+            Ok(resp) => return Ok(resp.credential_descriptor),
+            Err(e) => err = Some(e.into()),
         }
-        device.make_hmac_credential(&request)
+    }
-    };
+    Err(err.unwrap_or(Fido2LuksError::NoAuthenticatorError))
-    Ok(request_multiple_devices(
-        get_devices()?
-            .iter_mut()
-            .map(|device| (device, &make_credential)),
-        None,
-    )?)
 }
 
-pub fn perform_challenge(
+pub fn perform_challenge<'a>(
-    credentials: &[&FidoCredential],
+    credentials: &'a [&'a PublicKeyCredentialDescriptor],
     salt: &[u8; 32],
-    timeout: Duration,
+    _timeout: Duration,
     pin: Option<&str>,
-) -> Fido2LuksResult<[u8; 32]> {
+) -> Fido2LuksResult<([u8; 32], &'a PublicKeyCredentialDescriptor)> {
-    let request = FidoAssertionRequestBuilder::default()
+    if credentials.is_empty() {
-        .rp_id(RP_ID)
+        return Err(Fido2LuksError::InsufficientCredentials);
-        .credentials(credentials)
+    }
-        .build()
+    let mut req = GetAssertionArgsBuilder::new(RP_ID, &[]).extensions(&[
-        .unwrap();
+        get_assertion_params::Extension::HmacSecret(Some(util::sha256(&[&salt[..]]))),
-    let get_assertion = |device: &mut FidoDevice| {
+    ]);
-        if let Some(pin) = pin {
+    for cred in credentials {
-            device.unlock(pin)?;
+        req = req.add_credential_id(&cred.id);
+    }
+    if let Some(pin) = pin {
+        req = req.pin(pin);
+    } else {
+        req = req.without_pin_and_uv();
+    }
+    let process_response = |resp: Vec<get_assertion_params::Assertion>| -> Fido2LuksResult<([u8; 32], &'a PublicKeyCredentialDescriptor)> {
+    for att in resp {
+        for ext in att.extensions.iter() {
+            match ext {
+                get_assertion_params::Extension::HmacSecret(Some(secret)) => {
+                    //TODO: eliminate unwrap
+                    let cred_used = credentials
+                        .iter()
+                        .copied()
+                        .find(|cred| {
+                            att.credential_id == cred.id
+                        })
+                        .unwrap();
+                    return Ok((secret.clone(), cred_used));
+                }
+                _ => continue,
+            }
         }
-        device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
+     }
+        Err(Fido2LuksError::WrongSecret)
     };
-    let (_, (secret, _)) = request_multiple_devices(
-        get_devices()?
-            .iter_mut()
-            .map(|device| (device, &get_assertion)),
-        Some(timeout),
-    )?;
-    Ok(secret)
-}
 
-pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {
+    let devices = get_devices()?;
-    let mut devices = Vec::with_capacity(2);
+    let mut err: Option<Fido2LuksError> = None;
-    for di in ctap::get_devices()? {
+    let req = req.build();
-        match FidoDevice::new(&di) {
+    for dev in devices {
-            Err(e) => match e.kind() {
+        let handle = FidoKeyHidFactory::create_by_params(&vec![dev.param], &lib_cfg()).unwrap();
-                FidoErrorKind::ParseCtap | FidoErrorKind::DeviceUnsupported => (),
+        match handle.get_assertion_with_args(&req) {
-                err => return Err(FidoError::from(err).into()),
+            Ok(resp) => return process_response(resp),
-            },
+            Err(e) => err = Some(e.into()),
-            Ok(dev) => devices.push(dev),
         }
     }
-    Ok(devices)
+    Err(err.unwrap_or(Fido2LuksError::NoAuthenticatorError))
+}
+
+pub fn may_require_pin() -> Fido2LuksResult<bool> {
+    for dev in get_devices()? {
+        let handle = FidoKeyHidFactory::create_by_params(&vec![dev.param], &lib_cfg()).unwrap();
+        let info = handle.get_info()?;
+        let needs_pin = info
+            .options
+            .iter()
+            .any(|(name, val)| &name[..] == "clientPin" && *val);
+        if needs_pin {
+            return Ok(true);
+        }
+    }
+    Ok(false)
+}
+
+pub fn get_devices() -> Fido2LuksResult<Vec<HidInfo>> {
+    Ok(get_fidokey_devices())
 }

src/error.rs

@@ -1,5 +1,9 @@
-use ctap::FidoError;
+use anyhow;
+use libcryptsetup_rs::LibcryptErr;
 use std::io;
+use std::io::ErrorKind;
+use std::string::FromUtf8Error;
+use Fido2LuksError::*;
 
 pub type Fido2LuksResult<T> = Result<T, Fido2LuksError>;
 
@@ -10,19 +14,31 @@ pub enum Fido2LuksError {
     #[fail(display = "unable to read keyfile: {}", cause)]
     KeyfileError { cause: io::Error },
     #[fail(display = "authenticator error: {}", cause)]
-    AuthenticatorError { cause: ctap::FidoError },
+    AuthenticatorError { cause: anyhow::Error },
     #[fail(display = "no authenticator found, please ensure your device is plugged in")]
     NoAuthenticatorError,
-    #[fail(display = "luks err")]
+    #[fail(display = " {}", cause)]
-    LuksError {
+    CryptsetupError {
         cause: libcryptsetup_rs::LibcryptErr,
     },
-    #[fail(display = "no authenticator found, please ensure your device is plugged in")]
+    #[fail(display = "{}", cause)]
+    LuksError { cause: LuksError },
+    #[fail(display = "{}", cause)]
     IoError { cause: io::Error },
     #[fail(display = "supplied secret isn't valid for this device")]
     WrongSecret,
     #[fail(display = "not an utf8 string")]
     StringEncodingError { cause: FromUtf8Error },
+    #[fail(display = "not an hex string: {}", string)]
+    HexEncodingError { string: String },
+    #[fail(display = "couldn't obtain at least one credential")]
+    InsufficientCredentials,
+}
+
+impl From<anyhow::Error> for Fido2LuksError {
+    fn from(cause: anyhow::Error) -> Self {
+        Fido2LuksError::AuthenticatorError { cause }
+    }
 }
 
 impl Fido2LuksError {
@@ -44,15 +60,40 @@ pub enum AskPassError {
     IO(io::Error),
     #[fail(display = "provided passwords don't match")]
     Mismatch,
+    #[fail(display = "failed to call password helper")]
+    FailedHelper,
 }
 
-use libcryptsetup_rs::LibcryptErr;
+#[derive(Debug, Fail)]
-use std::string::FromUtf8Error;
+pub enum LuksError {
-use Fido2LuksError::*;
+    #[fail(display = "This feature requires to the LUKS device to be formatted as LUKS 2")]
+    Luks2Required,
+    #[fail(display = "Invalid token: {}", _0)]
+    InvalidToken(String),
+    #[fail(display = "No token found")]
+    NoToken,
+    #[fail(display = "The device already exists")]
+    DeviceExists,
+}
 
-impl From<FidoError> for Fido2LuksError {
+impl LuksError {
-    fn from(e: FidoError) -> Self {
+    pub fn activate(e: LibcryptErr) -> Fido2LuksError {
-        AuthenticatorError { cause: e }
+        match e {
+            LibcryptErr::IOError(ref io) => match io.raw_os_error() {
+                Some(1) if io.kind() == ErrorKind::PermissionDenied => Fido2LuksError::WrongSecret,
+                Some(17) => Fido2LuksError::LuksError {
+                    cause: LuksError::DeviceExists,
+                },
+                _ => return Fido2LuksError::CryptsetupError { cause: e },
+            },
+            _ => Fido2LuksError::CryptsetupError { cause: e },
+        }
+    }
+}
+
+impl From<LuksError> for Fido2LuksError {
+    fn from(e: LuksError) -> Self {
+        Fido2LuksError::LuksError { cause: e }
     }
 }
 
@@ -62,7 +103,7 @@ impl From<LibcryptErr> for Fido2LuksError {
             LibcryptErr::IOError(e) if e.raw_os_error().iter().any(|code| code == &1i32) => {
                 WrongSecret
             }
-            _ => LuksError { cause: e },
+            _ => CryptsetupError { cause: e },
         }
     }
 }

src/luks.rs

@@ -1,82 +1,365 @@
 use crate::error::*;
 
-use libcryptsetup_rs::{CryptActivateFlags, CryptDevice, CryptInit, EncryptionFormat, KeyslotInfo};
+use libcryptsetup_rs::consts::flags::CryptActivate;
+use libcryptsetup_rs::consts::vals::{EncryptionFormat, KeyslotInfo};
+use libcryptsetup_rs::{CryptDevice, CryptInit, CryptTokenInfo, TokenInput};
+use std::collections::{HashMap, HashSet};
 use std::path::Path;
 
-fn load_device_handle<P: AsRef<Path>>(path: P) -> Fido2LuksResult<CryptDevice> {
+pub struct LuksDevice {
-    let mut device = CryptInit::init(path.as_ref())?;
+    device: CryptDevice,
-    //TODO: determine luks version some way other way than just trying
+    luks2: Option<bool>,
-    let mut load = |format| device.context_handle().load::<()>(format, None).map(|_| ());
+}
-    vec![EncryptionFormat::Luks2, EncryptionFormat::Luks1]
+
-        .into_iter()
+impl LuksDevice {
-        .fold(None, |res, format| match res {
+    pub fn load<P: AsRef<Path>>(path: P) -> Fido2LuksResult<LuksDevice> {
-            Some(Ok(())) => res,
+        let mut device = CryptInit::init(path.as_ref())?;
-            Some(e) => Some(e.or_else(|_| load(format))),
+        device.context_handle().load::<()>(None, None)?;
-            None => Some(load(format)),
+        Ok(Self {
+            device,
+            luks2: None,
         })
-        .unwrap()?;
-    Ok(device)
-}
-
-pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8], slot_hint: Option<u32>) -> Fido2LuksResult<()> {
-    let mut device = load_device_handle(path)?;
-    device
-        .activate_handle()
-        .activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty())
-        .map(|_slot| ())
-        .map_err(|_e| Fido2LuksError::WrongSecret)
-}
-
-pub fn add_key<P: AsRef<Path>>(
-    path: P,
-    secret: &[u8],
-    old_secret: &[u8],
-    iteration_time: Option<u64>,
-) -> Fido2LuksResult<u32> {
-    let mut device = load_device_handle(path)?;
-    if let Some(millis) = iteration_time {
-        device.settings_handle().set_iteration_time(millis)
     }
-    let slot = device
-        .keyslot_handle(None)
-        .add_by_passphrase(old_secret, secret)?;
-    Ok(slot)
-}
 
-pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksResult<u32> {
+    pub fn is_luks2(&mut self) -> Fido2LuksResult<bool> {
-    let mut device = load_device_handle(path)?;
+        if let Some(luks2) = self.luks2 {
-    let mut handle;
+            Ok(luks2)
-    let mut destroyed = 0;
+        } else {
-    //TODO: detect how many keyslots there are instead of trying within a given range
+            self.luks2 = Some(match self.device.format_handle().get_type()? {
-    for slot in 0..1024 {
+                EncryptionFormat::Luks2 => true,
-        handle = device.keyslot_handle(Some(slot));
+                _ => false,
-        match handle.status()? {
+            });
-            KeyslotInfo::Inactive => continue,
+            self.is_luks2()
-            KeyslotInfo::Active if !exclude.contains(&slot) => {
+        }
-                handle.destroy()?;
+    }
-                destroyed += 1;
+
+    fn require_luks2(&mut self) -> Fido2LuksResult<()> {
+        if !self.is_luks2()? {
+            return Err(LuksError::Luks2Required.into());
+        }
+        Ok(())
+    }
+
+    pub fn tokens<'a>(
+        &'a mut self,
+    ) -> Fido2LuksResult<Box<dyn Iterator<Item = Fido2LuksResult<(u32, Fido2LuksToken)>> + 'a>>
+    {
+        self.require_luks2()?;
+        Ok(Box::new(
+            (0..32)
+                .map(move |i| {
+                    let status = match self.device.token_handle().status(i) {
+                        Ok(status) => status,
+                        Err(err) => return Some(Err(Fido2LuksError::from(err))),
+                    };
+                    match status {
+                        CryptTokenInfo::Inactive => return None,
+                        CryptTokenInfo::Internal(s)
+                        | CryptTokenInfo::InternalUnknown(s)
+                        | CryptTokenInfo::ExternalUnknown(s)
+                        | CryptTokenInfo::External(s)
+                            if &s != Fido2LuksToken::default_type() =>
+                        {
+                            return None
+                        }
+                        _ => (),
+                    };
+                    let json = match self.device.token_handle().json_get(i) {
+                        Ok(json) => json,
+                        Err(err) => return Some(Err(Fido2LuksError::from(err))),
+                    };
+                    let info: Fido2LuksToken =
+                        match serde_json::from_value(json.clone()).map_err(|_| {
+                            Fido2LuksError::LuksError {
+                                cause: LuksError::InvalidToken(json.to_string()),
+                            }
+                        }) {
+                            Ok(info) => info,
+                            Err(err) => return Some(Err(Fido2LuksError::from(err))),
+                        };
+                    Some(Ok((i, info)))
+                })
+                .filter_map(|o| o),
+        ))
+    }
+
+    pub fn find_token(&mut self, slot: u32) -> Fido2LuksResult<Option<(u32, Fido2LuksToken)>> {
+        let slot_str = slot.to_string();
+        for token in self.tokens()? {
+            let (id, token) = token?;
+            if token.keyslots.contains(&slot_str) {
+                return Ok(Some((id, token)));
             }
-            _ => (),
-        }
-        if let KeyslotInfo::ActiveLast = handle.status()? {
-            break;
         }
+        Ok(None)
+    }
+
+    pub fn add_token(&mut self, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
+        self.require_luks2()?;
+        self.device
+            .token_handle()
+            .json_set(TokenInput::AddToken(&serde_json::to_value(&data).unwrap()))?;
+        Ok(())
+    }
+
+    pub fn remove_token(&mut self, token: u32) -> Fido2LuksResult<()> {
+        self.require_luks2()?;
+        self.device
+            .token_handle()
+            .json_set(TokenInput::RemoveToken(token))?;
+        Ok(())
+    }
+
+    pub fn remove_token_slot(&mut self, slot: u32) -> Fido2LuksResult<()> {
+        let mut remove = HashSet::new();
+        for token in self.tokens()? {
+            let (id, token) = token?;
+            if token.keyslots.contains(&slot.to_string()) {
+                remove.insert(id);
+            }
+        }
+        for rm in remove {
+            self.remove_token(rm)?;
+        }
+        Ok(())
+    }
+
+    pub fn update_token(&mut self, token: u32, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
+        self.require_luks2()?;
+        self.device
+            .token_handle()
+            .json_set(TokenInput::ReplaceToken(
+                token,
+                &serde_json::to_value(&data).unwrap(),
+            ))?;
+        Ok(())
+    }
+
+    pub fn add_key(
+        &mut self,
+        secret: &[u8],
+        old_secret: &[u8],
+        iteration_time: Option<u64>,
+        credential_id: Option<&[u8]>,
+        comment: Option<String>,
+    ) -> Fido2LuksResult<u32> {
+        if let Some(millis) = iteration_time {
+            self.device.settings_handle().set_iteration_time(millis)
+        }
+        let slot = self
+            .device
+            .keyslot_handle()
+            .add_by_passphrase(None, old_secret, secret)?;
+        if let Some(id) = credential_id {
+            self.device.token_handle().json_set(TokenInput::AddToken(
+                &serde_json::to_value(&Fido2LuksToken::new(id, slot, comment)).unwrap(),
+            ))?;
+        }
+
+        Ok(slot)
+    }
+
+    pub fn remove_keyslots(&mut self, exclude: &[u32]) -> Fido2LuksResult<u32> {
+        let mut destroyed = 0;
+        let mut tokens = Vec::new();
+        for slot in 0..256 {
+            match self.device.keyslot_handle().status(slot)? {
+                KeyslotInfo::Inactive => continue,
+                KeyslotInfo::Active | KeyslotInfo::ActiveLast if !exclude.contains(&slot) => {
+                    if self.is_luks2()? {
+                        if let Some((id, _token)) = self.find_token(slot)? {
+                            tokens.push(id);
+                        }
+                    }
+                    self.device.keyslot_handle().destroy(slot)?;
+                    destroyed += 1;
+                }
+                KeyslotInfo::ActiveLast => break,
+                _ => (),
+            }
+            if self.device.keyslot_handle().status(slot)? == KeyslotInfo::ActiveLast {
+                break;
+            }
+        }
+        // Ensure indices stay valid
+        tokens.sort();
+        for token in tokens.iter().rev() {
+            self.remove_token(*token)?;
+        }
+        Ok(destroyed)
+    }
+
+    pub fn replace_key(
+        &mut self,
+        secret: &[u8],
+        old_secret: &[u8],
+        iteration_time: Option<u64>,
+        credential_id: Option<&[u8]>,
+    ) -> Fido2LuksResult<u32> {
+        if let Some(millis) = iteration_time {
+            self.device.settings_handle().set_iteration_time(millis)
+        }
+        // Use activate dry-run to locate keyslot
+        let slot = self.device.activate_handle().activate_by_passphrase(
+            None,
+            None,
+            old_secret,
+            CryptActivate::empty(),
+        )?;
+
+        // slot should stay the same but better be safe than sorry
+        let slot = self.device.keyslot_handle().change_by_passphrase(
+            Some(slot),
+            Some(slot),
+            old_secret,
+            secret,
+        )? as u32;
+        if let Some(id) = credential_id {
+            if self.is_luks2()? {
+                let (token_id, token_data) = match self.find_token(slot)? {
+                    Some((id, data)) => (Some(id), Some(data)),
+                    _ => (None, None),
+                };
+                let json = serde_json::to_value(&Fido2LuksToken::new(
+                    id,
+                    slot,
+                    // retain comment on replace
+                    token_data.map(|data| data.comment).flatten(),
+                ))
+                .unwrap();
+                if let Some(token) = token_id {
+                    self.device
+                        .token_handle()
+                        .json_set(TokenInput::ReplaceToken(token, &json))?;
+                } else {
+                    self.device
+                        .token_handle()
+                        .json_set(TokenInput::AddToken(&json))?;
+                }
+            }
+        }
+        Ok(slot)
+    }
+
+    pub fn activate(
+        &mut self,
+        name: &str,
+        secret: &[u8],
+        slot_hint: Option<u32>,
+        dry_run: bool,
+        allow_discard: bool,
+    ) -> Fido2LuksResult<u32> {
+        let mut flags = CryptActivate::empty();
+        if allow_discard {
+            flags = flags | CryptActivate::ALLOW_DISCARDS;
+        }
+        self.device
+            .activate_handle()
+            .activate_by_passphrase(Some(name).filter(|_| !dry_run), slot_hint, secret, flags)
+            .map_err(LuksError::activate)
+    }
+
+    pub fn activate_token(
+        &mut self,
+        name: &str,
+        secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
+        slot_hint: Option<u32>,
+        dry_run: bool,
+        allow_discard: bool,
+    ) -> Fido2LuksResult<u32> {
+        if !self.is_luks2()? {
+            return Err(LuksError::Luks2Required.into());
+        }
+        let mut creds: HashMap<String, HashSet<u32>> = HashMap::new();
+        for token in self.tokens()? {
+            let token = match token {
+                Ok((_id, t)) => t,
+                _ => continue, // An corrupted token should't lock the user out
+            };
+            let slots = || {
+                token
+                    .keyslots
+                    .iter()
+                    .filter_map(|slot| slot.parse::<u32>().ok())
+            };
+            for cred in token.credential.iter() {
+                creds
+                    .entry(cred.clone())
+                    .or_insert_with(|| slots().collect::<HashSet<u32>>())
+                    .extend(slots());
+            }
+        }
+        if creds.is_empty() {
+            return Err(Fido2LuksError::LuksError {
+                cause: LuksError::NoToken,
+            });
+        }
+        let (secret, credential) = secret(creds.keys().cloned().collect())?;
+        let empty;
+        let slots = if let Some(slots) = creds.get(&credential) {
+            slots
+        } else {
+            empty = HashSet::new();
+            &empty
+        };
+        //Try slots associated with the credential used
+        let slots = slots.iter().cloned().map(Option::Some).chain(
+            std::iter::once(slot_hint) // Try slot hint if there is one
+                .take(slot_hint.is_some() as usize)
+                .chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort
+        );
+        for slot in slots {
+            match self.activate(name, &secret, slot, dry_run, allow_discard) {
+                Err(Fido2LuksError::WrongSecret) => (),
+                res => return res,
+            }
+        }
+        Err(Fido2LuksError::WrongSecret)
     }
-    Ok(destroyed)
 }
 
-pub fn replace_key<P: AsRef<Path>>(
+#[derive(Debug, Clone, Serialize, Deserialize)]
-    path: P,
+pub struct Fido2LuksToken {
-    secret: &[u8],
+    #[serde(rename = "type")]
-    old_secret: &[u8],
+    pub type_: String,
-    iteration_time: Option<u64>,
+    pub credential: HashSet<String>,
-) -> Fido2LuksResult<u32> {
+    pub keyslots: HashSet<String>,
-    let mut device = load_device_handle(path)?;
+    #[serde(skip_serializing_if = "Option::is_none")]
-    // Set iteration time not sure wether this applies to luks2 as well
+    pub comment: Option<String>,
-    if let Some(millis) = iteration_time {
+}
-        device.settings_handle().set_iteration_time(millis)
+
-    }
+impl Fido2LuksToken {
-    Ok(device
+    pub fn new(credential_id: impl AsRef<[u8]>, slot: u32, comment: Option<String>) -> Self {
-        .keyslot_handle(None)
+        Self::with_credentials(std::iter::once(credential_id), slot, comment)
-        .change_by_passphrase(None, None, old_secret, secret)? as u32)
+    }
+
+    pub fn with_credentials<I: IntoIterator<Item = B>, B: AsRef<[u8]>>(
+        credentials: I,
+        slot: u32,
+        comment: Option<String>,
+    ) -> Self {
+        Self {
+            credential: credentials
+                .into_iter()
+                .map(|cred| hex::encode(cred.as_ref()))
+                .collect(),
+            keyslots: vec![slot.to_string()].into_iter().collect(),
+            comment,
+            ..Default::default()
+        }
+    }
+    pub fn default_type() -> &'static str {
+        "fido2luks"
+    }
+}
+
+impl Default for Fido2LuksToken {
+    fn default() -> Self {
+        Self {
+            type_: Self::default_type().into(),
+            credential: HashSet::new(),
+            keyslots: HashSet::new(),
+            comment: None,
+        }
+    }
 }

src/main.rs

@@ -1,16 +1,15 @@
 #[macro_use]
 extern crate failure;
-extern crate ctap_hmac as ctap;
+#[macro_use]
+extern crate serde_derive;
 use crate::cli::*;
-use crate::config::*;
 use crate::device::*;
 use crate::error::*;
 use std::io;
-use std::path::PathBuf;
 use std::process::exit;
 
 mod cli;
-mod config;
+pub mod cli_args;
 mod device;
 mod error;
 mod luks;
@@ -19,10 +18,7 @@ mod util;
 fn main() -> Fido2LuksResult<()> {
     match run_cli() {
         Err(e) => {
-            #[cfg(debug_assertions)]
             eprintln!("{:?}", e);
-            #[cfg(not(debug_assertions))]
-            eprintln!("{}", e);
             exit(e.exit_code())
         }
         _ => exit(0),

src/util.rs

@@ -13,9 +13,17 @@ pub fn sha256(messages: &[&[u8]]) -> [u8; 32] {
     secret.as_mut().copy_from_slice(digest.finish().as_ref());
     secret
 }
-
+pub fn read_password_tty(q: &str, verify: bool) -> Fido2LuksResult<String> {
-pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> {
+    read_password(q, verify, true)
-    match rpassword::read_password_from_tty(Some(&[q, ": "].join("")))? {
+}
+pub fn read_password(q: &str, verify: bool, tty: bool) -> Fido2LuksResult<String> {
+    let res = if tty {
+        rpassword::read_password_from_tty(Some(&[q, ": "].join("")))
+    } else {
+        print!("{}: ", q);
+        rpassword::read_password()
+    }?;
+    match res {
         ref pass
             if verify
                 && &rpassword::read_password_from_tty(Some(&[q, "(again): "].join(" ")))?
@@ -29,10 +37,6 @@ pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> {
     }
 }
 
-pub fn read_password_hashed(q: &str, verify: bool) -> Fido2LuksResult<[u8; 32]> {
-    read_password(q, verify).map(|pass| sha256(&[pass.as_bytes()]))
-}
-
 pub fn read_keyfile<P: Into<PathBuf>>(path: P) -> Fido2LuksResult<Vec<u8>> {
     let mut file = File::open(path.into())?;
     let mut key = Vec::new();