feat: v1.1.13, u2f-register

Cargo.lock

@@ -384,7 +384,7 @@ dependencies = [
 
 [[package]]
 name = "card-cli"
-version = "1.1.12"
+version = "1.1.13"
 dependencies = [
  "authenticator",
  "base64 0.13.0",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "card-cli"
-version = "1.1.12"
+version = "1.1.13"
 authors = ["Hatter Jiang <jht5945@gmail.com>"]
 edition = "2018"
 

src/cmd_u2fregister.rs

@@ -1,10 +1,17 @@
+use std::collections::BTreeMap;
 use std::sync::mpsc::channel;
 
 use authenticator::authenticatorservice::AuthenticatorService;
 use authenticator::RegisterFlags;
 use authenticator::statecallback::StateCallback;
+use base64::URL_SAFE_NO_PAD;
 use clap::{App, Arg, ArgMatches, SubCommand};
+use openssl::hash::MessageDigest;
+use openssl::pkey::PKey;
+use openssl::sign::Verifier;
 use rust_util::util_clap::{Command, CommandError};
+use x509_parser::certificate::X509Certificate;
+use x509_parser::prelude::FromDer;
 
 use crate::digest;
 use crate::fido;
@@ -19,6 +26,7 @@ impl Command for CommandImpl {
         SubCommand::with_name(self.name()).about("FIDO U2F Register subcommand")
             .arg(Arg::with_name("app-id").short("a").long("app-id").default_value("https://example.com").help("App id"))
             .arg(Arg::with_name("timeout").short("t").long("timeout").default_value("30").help("Timeout in seconds"))
+            .arg(Arg::with_name("challenge").long("challenge").takes_value(true).help("Challenge HEX"))
             .arg(Arg::with_name("json").long("json").help("JSON output"))
     }
 
@@ -32,7 +40,15 @@ impl Command for CommandImpl {
             Err(e) => return simple_error!("Timeout should be a number: {}", e),
         };
 
-        let u2fv2_challenge = U2fV2Challenge::new_random(app_id);
+        let u2fv2_challenge = match sub_arg_matches.value_of("challenge") {
+            None => U2fV2Challenge::new_random(app_id),
+            Some(challenge_hex) => {
+                let challenge_bytes = opt_result!(hex::decode(challenge_hex), "Decode challenge hex failed: {}");
+                let challenge = base64::encode_config(&challenge_bytes, URL_SAFE_NO_PAD);
+                U2fV2Challenge::new(challenge, app_id)
+            }
+        };
+
         let u2fv2_challenge_str = u2fv2_challenge.to_json();
         let chall_bytes = digest::sha256(&u2fv2_challenge_str);
 
@@ -54,8 +70,8 @@ impl Command for CommandImpl {
         if let Err(e) = manager.register(
             flags,
             timeout_ms,
-            chall_bytes,
+            chall_bytes.clone(),
-            app_bytes,
+            app_bytes.clone(),
             vec![],
             status_tx,
             callback,
@@ -66,10 +82,44 @@ impl Command for CommandImpl {
         let register_result = opt_result!(register_rx.recv()?, "Register U2F failed: {}");
 
         let u2f_registration_data = opt_result!(
-            U2fRegistrationData::from(app_id, &u2fv2_challenge_str, register_result), "Parse registration data failed: {}");
+            U2fRegistrationData::from(app_id, &u2fv2_challenge_str, &register_result), "Parse registration data failed: {}");
 
+        // +------+-------------------+-----------------+------------+--------------------+
+        // + 0x00 | application (32B) | challenge (32B) | key handle | User pub key (65B) |
+        // +------+-------------------+-----------------+------------+--------------------+
+        let mut to_be_signed = Vec::with_capacity(200);
+        to_be_signed.push(0x00);
+        to_be_signed.extend_from_slice(&app_bytes);
+        to_be_signed.extend_from_slice(&chall_bytes);
+        to_be_signed.extend_from_slice(&u2f_registration_data.key_handle);
+        to_be_signed.extend_from_slice(&u2f_registration_data.pub_key);
+        // +------+--------------------+---------------------+------------+------------+------+
+        // + 0x05 | User pub key (65B) | key handle len (1B) | key handle | X.509 Cert | Sign |
+        // +------+--------------------+---------------------+------------+------------+------+
+        let sign_prefix_len = 1 + 65 + 1
+            + u2f_registration_data.key_handle.len()
+            + u2f_registration_data.attestation_cert.as_ref().map(|c| c.len()).unwrap_or(0);
+        let sign = &register_result.0[sign_prefix_len..];
+
+        let mut json = BTreeMap::new();
         if json_output {
-            println!("{}", serde_json::to_string_pretty(&u2f_registration_data).unwrap());
+            // println!("{}", serde_json::to_string_pretty(&u2f_registration_data).unwrap());
+            if let Some(device_name) = u2f_registration_data.device_name {
+                json.insert("device_name", device_name);
+            }
+            if let Some(attestation_cert_pem) = u2f_registration_data.attestation_cert_pem {
+                json.insert("attestation_cert_pem", attestation_cert_pem);
+            }
+            json.insert("device_info", format!("{}", u2f_registration_data.device_info));
+            json.insert("pub_key", hex::encode(&u2f_registration_data.pub_key));
+            json.insert("key_handle", hex::encode(&u2f_registration_data.key_handle));
+            json.insert("signature", hex::encode(sign));
+            json.insert("to_be_signed", hex::encode(&to_be_signed));
+            json.insert("registration_data", hex::encode(&register_result.0));
+            json.insert("app_id", app_id.to_string());
+            json.insert("app_id_hash", hex::encode(&app_bytes));
+            json.insert("challenge", u2fv2_challenge_str);
+            json.insert("challenge_hash", hex::encode(&chall_bytes));
         } else {
             success!("Device info: {}", u2f_registration_data.device_info);
             information!("Register challenge: {}", u2fv2_challenge_str);
@@ -80,34 +130,31 @@ impl Command for CommandImpl {
             if let Some(device_name) = u2f_registration_data.device_name {
                 information!("Device name: {}", device_name);
             }
-            success!("Public key: {}", u2f_registration_data.pub_key);
+            success!("Public key: {}", hex::encode(&u2f_registration_data.pub_key));
-            success!("Key handle: {}", u2f_registration_data.key_handle);
+            success!("Key handle: {}", hex::encode(&u2f_registration_data.key_handle));
+            debugging!("Registration data: {}", hex::encode(&register_result.0));
+            information!("To be signed: {}", hex::encode(&to_be_signed));
+            information!("Signature: {}", hex::encode(sign));
+
+            if let Some(attestation_cert) = &u2f_registration_data.attestation_cert {
+                let cert = opt_result!(X509Certificate::from_der(attestation_cert), "Parse attestation cert failed: {}");
+                debugging!("Attestation public key: {:?}", cert.1.public_key().subject_public_key);
+                let pkey = opt_result!(PKey::public_key_from_der(cert.1.public_key().raw), "Parse public key failed: {}");
+                let mut verifier = opt_result!(Verifier::new(MessageDigest::sha256(), &pkey), "Verifier new failed: {}");
+                verifier.update(&to_be_signed)?;
+                let verify_result = opt_result!(verifier.verify(sign), "Verifier verify failed: {}");
+                if verify_result {
+                    success!("Verify success");
+                } else {
+                    failure!("Verify failed");
+                }
+            } else {
+                warning!("Cannot find attestation cert!");
+            }
+        }
+        if json_output {
+            println!("{}", serde_json::to_string_pretty(&json).unwrap());
         }
         Ok(None)
     }
 }
-//
-// // U2F raw message format specification (version 20170411) section 4.3
-// // In case of success we need to send back the following reply
-// // (excluding ISO7816 success code)
-// // +------+--------------------+---------------------+------------+------------+------+
-// // + 0x05 | User pub key (65B) | key handle len (1B) | key handle | X.509 Cert | Sign |
-// // +------+--------------------+---------------------+------------+------------+------+
-// //
-// // Where Sign is an ECDSA signature over the following structure:
-// // +------+-------------------+-----------------+------------+--------------------+
-// // + 0x00 | application (32B) | challenge (32B) | key handle | User pub key (65B) |
-// // +------+-------------------+-----------------+------------+--------------------+
-// // see https://github.com/google/OpenSK/blob/stable/src/ctap/ctap1.rs
-// fn u2f_get_key_handle_from_register_response(register_response: &[u8]) -> XResult<Vec<u8>> {
-//     if register_response[0] != 0x05 {
-//         return simple_error!("Reserved byte not set correctly");
-//     }
-//
-//     let key_handle_len = register_response[66] as usize;
-//     let mut public_key = register_response.to_owned();
-//     let mut key_handle = public_key.split_off(67);
-//     let _attestation = key_handle.split_off(key_handle_len);
-//
-//     Ok(key_handle)
-// }

src/fido.rs

@@ -58,13 +58,14 @@ pub struct U2fRegistrationData {
     pub device_name: Option<String>,
     pub client_data: String,
     pub registration_data: String,
+    pub attestation_cert: Option<Vec<u8>>,
     pub attestation_cert_pem: Option<String>,
-    pub pub_key: String,
+    pub pub_key: Vec<u8>,
-    pub key_handle: String,
+    pub key_handle: Vec<u8>,
 }
 
 impl U2fRegistrationData {
-    pub fn from(app_id: &str, client_data: &str, register_result: RegisterResult) -> XResult<Self> {
+    pub fn from(app_id: &str, client_data: &str, register_result: &RegisterResult) -> XResult<Self> {
         let registration = opt_result!(
             u2f::register::parse_registration(app_id.to_string(), client_data.as_bytes().to_vec(), register_result.0.to_vec()),
             "Parse registration data failed: {}");
@@ -74,11 +75,12 @@ impl U2fRegistrationData {
             device_name: registration.device_name,
             client_data: client_data.into(),
             registration_data: base64::encode(&register_result.0),
-            attestation_cert_pem: registration.attestation_cert.map(|c| {
+            attestation_cert: registration.attestation_cert.clone(),
-                bytes_to_pem("CERTIFICATE", c)
+            attestation_cert_pem: registration.attestation_cert.map(|cert| {
+                bytes_to_pem("CERTIFICATE", cert)
             }),
-            pub_key: hex::encode(registration.pub_key),
+            pub_key: registration.pub_key,
-            key_handle: hex::encode(registration.key_handle),
+            key_handle: registration.key_handle,
         })
     }
 }