diff --git a/Cargo.lock b/Cargo.lock index 3142407..681c6c3 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -384,7 +384,7 @@ dependencies = [ [[package]] name = "card-cli" -version = "1.1.12" +version = "1.1.13" dependencies = [ "authenticator", "base64 0.13.0", diff --git a/Cargo.toml b/Cargo.toml index a0fd7d0..f464afe 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "card-cli" -version = "1.1.12" +version = "1.1.13" authors = ["Hatter Jiang "] edition = "2018" diff --git a/src/cmd_u2fregister.rs b/src/cmd_u2fregister.rs index 8a80a83..8ec0fe7 100644 --- a/src/cmd_u2fregister.rs +++ b/src/cmd_u2fregister.rs @@ -1,10 +1,17 @@ +use std::collections::BTreeMap; use std::sync::mpsc::channel; use authenticator::authenticatorservice::AuthenticatorService; use authenticator::RegisterFlags; use authenticator::statecallback::StateCallback; +use base64::URL_SAFE_NO_PAD; use clap::{App, Arg, ArgMatches, SubCommand}; +use openssl::hash::MessageDigest; +use openssl::pkey::PKey; +use openssl::sign::Verifier; use rust_util::util_clap::{Command, CommandError}; +use x509_parser::certificate::X509Certificate; +use x509_parser::prelude::FromDer; use crate::digest; use crate::fido; @@ -19,6 +26,7 @@ impl Command for CommandImpl { SubCommand::with_name(self.name()).about("FIDO U2F Register subcommand") .arg(Arg::with_name("app-id").short("a").long("app-id").default_value("https://example.com").help("App id")) .arg(Arg::with_name("timeout").short("t").long("timeout").default_value("30").help("Timeout in seconds")) + .arg(Arg::with_name("challenge").long("challenge").takes_value(true).help("Challenge HEX")) .arg(Arg::with_name("json").long("json").help("JSON output")) } @@ -32,7 +40,15 @@ impl Command for CommandImpl { Err(e) => return simple_error!("Timeout should be a number: {}", e), }; - let u2fv2_challenge = U2fV2Challenge::new_random(app_id); + let u2fv2_challenge = match sub_arg_matches.value_of("challenge") { + None => U2fV2Challenge::new_random(app_id), + Some(challenge_hex) => { + let challenge_bytes = opt_result!(hex::decode(challenge_hex), "Decode challenge hex failed: {}"); + let challenge = base64::encode_config(&challenge_bytes, URL_SAFE_NO_PAD); + U2fV2Challenge::new(challenge, app_id) + } + }; + let u2fv2_challenge_str = u2fv2_challenge.to_json(); let chall_bytes = digest::sha256(&u2fv2_challenge_str); @@ -54,8 +70,8 @@ impl Command for CommandImpl { if let Err(e) = manager.register( flags, timeout_ms, - chall_bytes, - app_bytes, + chall_bytes.clone(), + app_bytes.clone(), vec![], status_tx, callback, @@ -66,10 +82,44 @@ impl Command for CommandImpl { let register_result = opt_result!(register_rx.recv()?, "Register U2F failed: {}"); let u2f_registration_data = opt_result!( - U2fRegistrationData::from(app_id, &u2fv2_challenge_str, register_result), "Parse registration data failed: {}"); + U2fRegistrationData::from(app_id, &u2fv2_challenge_str, ®ister_result), "Parse registration data failed: {}"); + // +------+-------------------+-----------------+------------+--------------------+ + // + 0x00 | application (32B) | challenge (32B) | key handle | User pub key (65B) | + // +------+-------------------+-----------------+------------+--------------------+ + let mut to_be_signed = Vec::with_capacity(200); + to_be_signed.push(0x00); + to_be_signed.extend_from_slice(&app_bytes); + to_be_signed.extend_from_slice(&chall_bytes); + to_be_signed.extend_from_slice(&u2f_registration_data.key_handle); + to_be_signed.extend_from_slice(&u2f_registration_data.pub_key); + // +------+--------------------+---------------------+------------+------------+------+ + // + 0x05 | User pub key (65B) | key handle len (1B) | key handle | X.509 Cert | Sign | + // +------+--------------------+---------------------+------------+------------+------+ + let sign_prefix_len = 1 + 65 + 1 + + u2f_registration_data.key_handle.len() + + u2f_registration_data.attestation_cert.as_ref().map(|c| c.len()).unwrap_or(0); + let sign = ®ister_result.0[sign_prefix_len..]; + + let mut json = BTreeMap::new(); if json_output { - println!("{}", serde_json::to_string_pretty(&u2f_registration_data).unwrap()); + // println!("{}", serde_json::to_string_pretty(&u2f_registration_data).unwrap()); + if let Some(device_name) = u2f_registration_data.device_name { + json.insert("device_name", device_name); + } + if let Some(attestation_cert_pem) = u2f_registration_data.attestation_cert_pem { + json.insert("attestation_cert_pem", attestation_cert_pem); + } + json.insert("device_info", format!("{}", u2f_registration_data.device_info)); + json.insert("pub_key", hex::encode(&u2f_registration_data.pub_key)); + json.insert("key_handle", hex::encode(&u2f_registration_data.key_handle)); + json.insert("signature", hex::encode(sign)); + json.insert("to_be_signed", hex::encode(&to_be_signed)); + json.insert("registration_data", hex::encode(®ister_result.0)); + json.insert("app_id", app_id.to_string()); + json.insert("app_id_hash", hex::encode(&app_bytes)); + json.insert("challenge", u2fv2_challenge_str); + json.insert("challenge_hash", hex::encode(&chall_bytes)); } else { success!("Device info: {}", u2f_registration_data.device_info); information!("Register challenge: {}", u2fv2_challenge_str); @@ -80,34 +130,31 @@ impl Command for CommandImpl { if let Some(device_name) = u2f_registration_data.device_name { information!("Device name: {}", device_name); } - success!("Public key: {}", u2f_registration_data.pub_key); - success!("Key handle: {}", u2f_registration_data.key_handle); + success!("Public key: {}", hex::encode(&u2f_registration_data.pub_key)); + success!("Key handle: {}", hex::encode(&u2f_registration_data.key_handle)); + debugging!("Registration data: {}", hex::encode(®ister_result.0)); + information!("To be signed: {}", hex::encode(&to_be_signed)); + information!("Signature: {}", hex::encode(sign)); + + if let Some(attestation_cert) = &u2f_registration_data.attestation_cert { + let cert = opt_result!(X509Certificate::from_der(attestation_cert), "Parse attestation cert failed: {}"); + debugging!("Attestation public key: {:?}", cert.1.public_key().subject_public_key); + let pkey = opt_result!(PKey::public_key_from_der(cert.1.public_key().raw), "Parse public key failed: {}"); + let mut verifier = opt_result!(Verifier::new(MessageDigest::sha256(), &pkey), "Verifier new failed: {}"); + verifier.update(&to_be_signed)?; + let verify_result = opt_result!(verifier.verify(sign), "Verifier verify failed: {}"); + if verify_result { + success!("Verify success"); + } else { + failure!("Verify failed"); + } + } else { + warning!("Cannot find attestation cert!"); + } + } + if json_output { + println!("{}", serde_json::to_string_pretty(&json).unwrap()); } Ok(None) } } -// -// // U2F raw message format specification (version 20170411) section 4.3 -// // In case of success we need to send back the following reply -// // (excluding ISO7816 success code) -// // +------+--------------------+---------------------+------------+------------+------+ -// // + 0x05 | User pub key (65B) | key handle len (1B) | key handle | X.509 Cert | Sign | -// // +------+--------------------+---------------------+------------+------------+------+ -// // -// // Where Sign is an ECDSA signature over the following structure: -// // +------+-------------------+-----------------+------------+--------------------+ -// // + 0x00 | application (32B) | challenge (32B) | key handle | User pub key (65B) | -// // +------+-------------------+-----------------+------------+--------------------+ -// // see https://github.com/google/OpenSK/blob/stable/src/ctap/ctap1.rs -// fn u2f_get_key_handle_from_register_response(register_response: &[u8]) -> XResult> { -// if register_response[0] != 0x05 { -// return simple_error!("Reserved byte not set correctly"); -// } -// -// let key_handle_len = register_response[66] as usize; -// let mut public_key = register_response.to_owned(); -// let mut key_handle = public_key.split_off(67); -// let _attestation = key_handle.split_off(key_handle_len); -// -// Ok(key_handle) -// } diff --git a/src/fido.rs b/src/fido.rs index c6d3f18..497449d 100644 --- a/src/fido.rs +++ b/src/fido.rs @@ -58,13 +58,14 @@ pub struct U2fRegistrationData { pub device_name: Option, pub client_data: String, pub registration_data: String, + pub attestation_cert: Option>, pub attestation_cert_pem: Option, - pub pub_key: String, - pub key_handle: String, + pub pub_key: Vec, + pub key_handle: Vec, } impl U2fRegistrationData { - pub fn from(app_id: &str, client_data: &str, register_result: RegisterResult) -> XResult { + pub fn from(app_id: &str, client_data: &str, register_result: &RegisterResult) -> XResult { let registration = opt_result!( u2f::register::parse_registration(app_id.to_string(), client_data.as_bytes().to_vec(), register_result.0.to_vec()), "Parse registration data failed: {}"); @@ -74,11 +75,12 @@ impl U2fRegistrationData { device_name: registration.device_name, client_data: client_data.into(), registration_data: base64::encode(®ister_result.0), - attestation_cert_pem: registration.attestation_cert.map(|c| { - bytes_to_pem("CERTIFICATE", c) + attestation_cert: registration.attestation_cert.clone(), + attestation_cert_pem: registration.attestation_cert.map(|cert| { + bytes_to_pem("CERTIFICATE", cert) }), - pub_key: hex::encode(registration.pub_key), - key_handle: hex::encode(registration.key_handle), + pub_key: registration.pub_key, + key_handle: registration.key_handle, }) } }