make_credential works

This commit is contained in:
Conor Patrick 2018-05-11 23:20:10 -04:00
parent 71a0f1b55c
commit f1deb635b1
7 changed files with 67 additions and 30 deletions


@ -69,7 +69,11 @@ void crypto_ecc256_load_attestation_key()
void crypto_ecc256_sign(uint8_t * data, int len, uint8_t * sig) void crypto_ecc256_sign(uint8_t * data, int len, uint8_t * sig)
{ {
uECC_sign(_signing_key, data, len, sig, _es256_curve); if ( uECC_sign(_signing_key, data, len, sig, _es256_curve) == 0)
{
printf("error, uECC failed\n");
exit(1);
}
} }
@ -94,33 +98,41 @@ void crypto_derive_ecc256_public_key(uint8_t * rpId, int len1, uint8_t * entropy
const uint8_t attestation_cert_der[] = const uint8_t attestation_cert_der[] =
"\x30\x82\x01\x4e\x30\x81\xf6\x02\x01\x00\x30\x0a\x06\x08\x2a\x86\x48\xce\x3d\x04" "\x30\x82\x01\xfb\x30\x82\x01\xa1\xa0\x03\x02\x01\x02\x02\x01\x00\x30\x0a\x06\x08"
"\x03\x02\x30\x2c\x31\x0b\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0b\x30" "\x2a\x86\x48\xce\x3d\x04\x03\x02\x30\x2c\x31\x0b\x30\x09\x06\x03\x55\x04\x06\x13"
"\x09\x06\x03\x55\x04\x08\x0c\x02\x4d\x44\x31\x10\x30\x0e\x06\x03\x55\x04\x0a\x0c" "\x02\x55\x53\x31\x0b\x30\x09\x06\x03\x55\x04\x08\x0c\x02\x4d\x44\x31\x10\x30\x0e"
"\x07\x54\x45\x53\x54\x20\x43\x41\x30\x20\x17\x0d\x31\x38\x30\x35\x30\x36\x32\x32" "\x06\x03\x55\x04\x0a\x0c\x07\x54\x45\x53\x54\x20\x43\x41\x30\x20\x17\x0d\x31\x38"
"\x34\x39\x32\x35\x5a\x18\x0f\x32\x30\x36\x38\x30\x34\x32\x33\x32\x32\x34\x39\x32" "\x30\x35\x31\x30\x30\x33\x30\x36\x32\x30\x5a\x18\x0f\x32\x30\x36\x38\x30\x34\x32"
"\x35\x5a\x30\x3a\x31\x0b\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0b\x30" "\x37\x30\x33\x30\x36\x32\x30\x5a\x30\x7c\x31\x0b\x30\x09\x06\x03\x55\x04\x06\x13"
"\x09\x06\x03\x55\x04\x08\x0c\x02\x4d\x44\x31\x1e\x30\x1c\x06\x03\x55\x04\x0a\x0c" "\x02\x55\x53\x31\x0b\x30\x09\x06\x03\x55\x04\x08\x0c\x02\x4d\x44\x31\x0f\x30\x0d"
"\x15\x54\x45\x53\x54\x20\x41\x54\x54\x45\x53\x54\x41\x54\x49\x4f\x4e\x20\x43\x45" "\x06\x03\x55\x04\x07\x0c\x06\x4c\x61\x75\x72\x65\x6c\x31\x15\x30\x13\x06\x03\x55"
"\x52\x54\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48" "\x04\x0a\x0c\x0c\x54\x45\x53\x54\x20\x43\x4f\x4d\x50\x41\x4e\x59\x31\x22\x30\x20"
"\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x45\xa9\x02\xc1\x2e\x9c\x0a\x33\xfa\x3e\x84" "\x06\x03\x55\x04\x0b\x0c\x19\x41\x75\x74\x68\x65\x6e\x74\x69\x63\x61\x74\x6f\x72"
"\x50\x4a\xb8\x02\xdc\x4d\xb9\xaf\x15\xb1\xb6\x3a\xea\x8d\x3f\x03\x03\x55\x65\x7d" "\x20\x41\x74\x74\x65\x73\x74\x61\x74\x69\x6f\x6e\x31\x14\x30\x12\x06\x03\x55\x04"
"\x70\x3f\xb4\x02\xa4\x97\xf4\x83\xb8\xa6\xf9\x3c\xd0\x18\xad\x92\x0c\xb7\x8a\x5a" "\x03\x0c\x0b\x63\x6f\x6e\x6f\x72\x70\x70\x2e\x63\x6f\x6d\x30\x59\x30\x13\x06\x07"
"\x3e\x14\x48\x92\xef\x08\xf8\xca\xea\xfb\x32\xab\x20\x30\x0a\x06\x08\x2a\x86\x48" "\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00"
"\xce\x3d\x04\x03\x02\x03\x47\x00\x30\x44\x02\x20\x03\x81\x09\xa6\x99\xb3\x69\x69" "\x04\x45\xa9\x02\xc1\x2e\x9c\x0a\x33\xfa\x3e\x84\x50\x4a\xb8\x02\xdc\x4d\xb9\xaf"
"\x69\xa1\xd9\x40\xbc\x32\xa5\x37\x05\x1d\xa8\x42\x54\x3b\xee\x77\xbe\x25\xb2\x03" "\x15\xb1\xb6\x3a\xea\x8d\x3f\x03\x03\x55\x65\x7d\x70\x3f\xb4\x02\xa4\x97\xf4\x83"
"\x16\x90\x77\x9c\x02\x20\x6b\xfb\x26\x30\x68\x6d\x72\x49\xac\xbf\x0e\x06\xd3\x61" "\xb8\xa6\xf9\x3c\xd0\x18\xad\x92\x0c\xb7\x8a\x5a\x3e\x14\x48\x92\xef\x08\xf8\xca"
"\x32\xe0\x60\x78\x60\xab\x7e\x7f\xd3\x4f\xd7\x25\xfa\x2d\x95\x1b\x19\xdd"; "\xea\xfb\x32\xab\x20\xa3\x62\x30\x60\x30\x46\x06\x03\x55\x1d\x23\x04\x3f\x30\x3d"
"\xa1\x30\xa4\x2e\x30\x2c\x31\x0b\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31"
"\x0b\x30\x09\x06\x03\x55\x04\x08\x0c\x02\x4d\x44\x31\x10\x30\x0e\x06\x03\x55\x04"
"\x0a\x0c\x07\x54\x45\x53\x54\x20\x43\x41\x82\x09\x00\xf7\xc9\xec\x89\xf2\x63\x94"
"\xd9\x30\x09\x06\x03\x55\x1d\x13\x04\x02\x30\x00\x30\x0b\x06\x03\x55\x1d\x0f\x04"
"\x04\x03\x02\x04\xf0\x30\x0a\x06\x08\x2a\x86\x48\xce\x3d\x04\x03\x02\x03\x48\x00"
"\x30\x45\x02\x20\x18\x38\xb0\x45\x03\x69\xaa\xa7\xb7\x38\x62\x01\xaf\x24\x97\x5e"
"\x7e\x74\x64\x1b\xa3\x7b\xf7\xe6\xd3\xaf\x79\x28\xdb\xdc\xa5\x88\x02\x21\x00\xcd"
"\x06\xf1\xe3\xab\x16\x21\x8e\xd8\xc0\x14\xaf\x09\x4f\x5b\x73\xef\x5e\x9e\x4b\xe7"
"\x35\xeb\xdd\x9b\x6d\x8f\x7d\xf3\xc4\x3a\xd7";
const uint16_t attestation_cert_der_size = sizeof(attestation_cert_der)-1; const uint16_t attestation_cert_der_size = sizeof(attestation_cert_der)-1;
const uint8_t attestation_key[] = "\xcdg\xaa1\r\t\x1e\xd1n~\x98\x92\xaa\x07\x0e\x19\x94\xfc\xd7\x14\xae|@\x8f\xb9F\xb7._\xe7]0"; const uint8_t attestation_key[] = "\xcd\x67\xaa\x31\x0d\x09\x1e\xd1\x6e\x7e\x98\x92\xaa\x07\x0e\x19\x94\xfc\xd7\x14\xae\x7c\x40\x8f\xb9\x46\xb7\x2e\x5f\xe7\x5d\x30";
const uint16_t attestation_key_size = sizeof(attestation_key)-1; const uint16_t attestation_key_size = sizeof(attestation_key)-1;
#else #else
#error "No crypto implementation defined" #error "No crypto implementation defined"
#endif #endif
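Review bot: In crypto_ecc256_sign, the new failure branch calls `exit(1)` from inside a crypto primitive, which takes the whole process down on a single failed signature, has no meaning on a firmware target, and gives the caller in ctap_make_credential no way to learn that sigbuf was never filled. Returning a status instead (for example `int crypto_ecc256_sign(uint8_t * data, int len, uint8_t * sig)` returning non-zero when `uECC_sign` returns 0) and letting ctap_make_credential reject the request keeps the fail-closed behaviour without the exit; the `printf` should at least go to stderr. The second hunk embeds the attestation private key as a plain source constant next to the certificate; the subject strings in the new DER decode to "TEST COMPANY" / "Authenticator Attestation", so this looks like test material, and a comment on attestation_key saying so (`/* TEST attestation key only; production keys are provisioned, never committed */`) would make that explicit.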

24
ctap.c

@ -601,13 +601,14 @@ void ctap_make_credential(CborEncoder * encoder, uint8_t * request, int length)
uint8_t auth_data_buf[200]; uint8_t auth_data_buf[200];
uint8_t * cose_key_buf = auth_data_buf + + sizeof(CTAP_authData); uint8_t * cose_key_buf = auth_data_buf + + sizeof(CTAP_authData);
uint8_t hashbuf[32]; uint8_t hashbuf[32];
uint8_t sigbuf[64]; static uint8_t sigbuf[164];
uint8_t sigder[64 + 2 + 6]; uint8_t sigder[64 + 2 + 6];
int auth_data_sz; int auth_data_sz;
CTAP_authData * authData = (CTAP_authData *)auth_data_buf; CTAP_authData * authData = (CTAP_authData *)auth_data_buf;
CborEncoder cose_key; CborEncoder cose_key;
CborEncoder map; CborEncoder map;
CborEncoder stmtmap; CborEncoder stmtmap;
CborEncoder x5carr;
cbor_encoder_init(&cose_key, cose_key_buf, sizeof(auth_data_buf) - sizeof(CTAP_authData), 0); cbor_encoder_init(&cose_key, cose_key_buf, sizeof(auth_data_buf) - sizeof(CTAP_authData), 0);
@ -678,6 +679,10 @@ void ctap_make_credential(CborEncoder * encoder, uint8_t * request, int length)
crypto_ecc256_load_attestation_key(); crypto_ecc256_load_attestation_key();
crypto_ecc256_sign(hashbuf, 32, sigbuf); crypto_ecc256_sign(hashbuf, 32, sigbuf);
printf("signature hash: "); dump_hex(hashbuf, 32);
printf("R: "); dump_hex(sigbuf, 32);
printf("S: "); dump_hex(sigbuf+32, 32);
// Need to caress into dumb der format .. // Need to caress into dumb der format ..
uint8_t pad_s = (sigbuf[32] & 0x80) == 0x80; uint8_t pad_s = (sigbuf[32] & 0x80) == 0x80;
uint8_t pad_r = (sigbuf[0] & 0x80) == 0x80; uint8_t pad_r = (sigbuf[0] & 0x80) == 0x80;
@ -694,7 +699,7 @@ void ctap_make_credential(CborEncoder * encoder, uint8_t * request, int length)
sigder[5 + 32 + pad_r] = 0x20 + pad_s; sigder[5 + 32 + pad_r] = 0x20 + pad_s;
memmove(sigder + 6 + 32 + pad_r + pad_s, sigbuf + 32, 32); memmove(sigder + 6 + 32 + pad_r + pad_s, sigbuf + 32, 32);
// //
printf("der sig [%d]: ", 0x44+pad_s+pad_r); dump_hex(sigder, 0x44+pad_s+pad_r); printf("der sig [%d]: ", 0x44+pad_s+pad_r); dump_hex(sigder, 0x46+pad_s+pad_r);
{ {
ret = cbor_encode_int(&map,RESP_attStmt); ret = cbor_encode_int(&map,RESP_attStmt);
@ -710,23 +715,30 @@ void ctap_make_credential(CborEncoder * encoder, uint8_t * request, int length)
{ {
ret = cbor_encode_text_stringz(&stmtmap,"sig"); ret = cbor_encode_text_stringz(&stmtmap,"sig");
check_ret(ret); check_ret(ret);
ret = cbor_encode_byte_string(&stmtmap, sigder, 0x44 + pad_s + pad_r); ret = cbor_encode_byte_string(&stmtmap, sigder, 0x46 + pad_s + pad_r);
check_ret(ret); check_ret(ret);
} }
{ {
ret = cbor_encode_text_stringz(&stmtmap,"x5c"); ret = cbor_encode_text_stringz(&stmtmap,"x5c");
check_ret(ret); check_ret(ret);
ret = cbor_encode_byte_string(&stmtmap, attestation_cert_der, attestation_cert_der_size); ret = cbor_encoder_create_array(&stmtmap, &x5carr, 1);
check_ret(ret);
{
ret = cbor_encode_byte_string(&x5carr, attestation_cert_der, attestation_cert_der_size);
check_ret(ret);
ret = cbor_encoder_close_container(&stmtmap, &x5carr);
check_ret(ret); check_ret(ret);
} }
}
cbor_encoder_close_container(&map, &stmtmap); ret = cbor_encoder_close_container(&map, &stmtmap);
check_ret(ret); check_ret(ret);
} }
cbor_encoder_close_container(encoder, &map); ret = cbor_encoder_close_container(encoder, &map);
check_ret(ret);
} }
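Review bot: The debug line `printf("der sig [%d]: ", 0x44+pad_s+pad_r); dump_hex(sigder, 0x46+pad_s+pad_r);` now dumps 0x46+pad bytes but still prints 0x44+pad as the length, so the trace disagrees with the bytes actually encoded into the "sig" entry further down. The same 0x46+pad_s+pad_r also appears in the cbor_encode_byte_string call; one local such as `int sig_len = 0x46 + pad_s + pad_r;` used in all three places would keep them in step. Separately, sigbuf changed from a 64-byte local to `static uint8_t sigbuf[164]`; the extra 100 bytes are unexplained, and a static buffer keeps the raw R||S of the last signature resident after the function returns, so either a comment justifying the size and lifetime or a return to a 64-byte local would help. The new hash/R/S printf + dump_hex lines print signature material to stdout on every makeCredential and belong under a debug guard. ctap_make_credential starts outside the first hunk.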

2
ctap.h

@ -79,8 +79,8 @@
typedef struct typedef struct
{ {
uint8_t aaguid[16]; uint8_t aaguid[16];
uint8_t credLenL;
uint8_t credLenH; uint8_t credLenH;
uint8_t credLenL;
uint8_t credentialId[CREDENTIAL_ID_SIZE]; uint8_t credentialId[CREDENTIAL_ID_SIZE];
} __attribute__((packed)) CTAP_attestHeader; } __attribute__((packed)) CTAP_attestHeader;
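Review bot: The swap puts credLenH before credLenL, presumably because the credential-id length is serialized high byte first in the attested credential data, but the struct carries no comment saying so and the order of two adjacent uint8_t fields is easy to "fix" back later. Add a comment on the pair such as `// credential id length, big-endian (high byte first) as laid out in authenticatorData` and confirm the byte order against the CTAP text the project follows.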


@ -46,5 +46,6 @@ int ctap_generate_rng(uint8_t * dst, size_t num)
} }
fread(dst, 1, num, urand); fread(dst, 1, num, urand);
fclose(urand); fclose(urand);
return 1;
} }
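Review bot: The added `return 1;` reports success unconditionally even though the fread on the line above is unchecked, so a short read from urand leaves part of dst unfilled while the caller sees a fully successful RNG fill. Capture the count and derive the result from it: `size_t got = fread(dst, 1, num, urand);` `fclose(urand);` `return got == num;`. ctap_generate_rng begins outside the hunk, so the open/failure branch above is not visible here.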


@ -7,7 +7,7 @@ openssl req -new -key "$1" -out "$1".csr
# CA sign the request # CA sign the request
echo "sign request with CA key" echo "sign request with CA key"
openssl x509 -days 18250 -req -in "$1".csr -CA "$2" -CAkey "$3" -out "$4" -set_serial 0 openssl x509 -days 18250 -req -in "$1".csr -extfile v3.ext -CA "$2" -CAkey "$3" -out "$4" -set_serial 0
echo "output as der" echo "output as der"
openssl x509 -in "$4" -outform der -out "$4".der openssl x509 -in "$4" -outform der -out "$4".der
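Review bot: The new `-extfile v3.ext` is a path relative to the current working directory, so the signing step only works when the script is run from the directory holding v3.ext and otherwise openssl fails to find the extension file. Resolving it against the script location, `-extfile "$(dirname "$0")/v3.ext"`, makes the call independent of where it is invoked from.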


@ -17,5 +17,14 @@ if len(sys.argv) not in [2]:
pemkey = sys.argv[1] pemkey = sys.argv[1]
attestkey = ecdsa.SigningKey.from_pem(open(pemkey).read()) attestkey = ecdsa.SigningKey.from_pem(open(pemkey).read())
print(binascii.hexlify(attestkey.to_string())) hstr = binascii.hexlify(attestkey.to_string())
print(repr(attestkey.to_string())) print(hstr)
cstr = ''
it = iter(hstr)
for d1 in it:
d2 = next(it)
cstr += '\\x'+d1+d2
print('"%s"' % cstr)
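Review bot: The new loop builds cstr with `'\\x'+d1+d2`, which only works when hstr is a str; under Python 3 binascii.hexlify returns bytes, iterating it yields ints, and the concatenation raises TypeError (the `print(hstr)` line would also show a b'...' repr). Decoding first, `hstr = binascii.hexlify(attestkey.to_string()).decode('ascii')`, makes the rest of the block work on both interpreters; which version the tool targets is not visible here.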

3
tools/v3.ext Normal file

@ -0,0 +1,3 @@
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
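Review bot: The keyUsage line grants keyEncipherment and dataEncipherment to what the rest of the commit uses as an ECDSA attestation signing certificate; keyEncipherment describes RSA-style key transport and has no meaning for an EC signing key, so the value should be limited to what the key actually does, e.g. `keyUsage = digitalSignature`. Whether the verifying side checks keyUsage is not visible here, but keeping it minimal avoids a certificate that claims capabilities its key cannot provide.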