hatter/card-cli
1
1
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

feat: v1.1.13, u2f-register

Browse Source
This commit is contained in:
Hatter Jiang
2022-04-10 21:35:50 +08:00
parent af8a9c3047
commit 088910fb8d
4 changed files with 90 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Cargo.lock generated
View File

@@ -384,7 +384,7 @@ dependencies = [
[[package]]
name = "card-cli"
version = "1.1.12"
version = "1.1.13"
dependencies = [
"authenticator",
"base64 0.13.0",

2
Cargo.toml
View File

@@ -1,6 +1,6 @@
[package]
name = "card-cli"
version = "1.1.12"
version = "1.1.13"
authors = ["Hatter Jiang <jht5945@gmail.com>"]
edition = "2018"

111
src/cmd_u2fregister.rs
View File

@@ -1,10 +1,17 @@
use std::collections::BTreeMap;
use std::sync::mpsc::channel;
use authenticator::authenticatorservice::AuthenticatorService;
use authenticator::RegisterFlags;
use authenticator::statecallback::StateCallback;
use base64::URL_SAFE_NO_PAD;
use clap::{App, Arg, ArgMatches, SubCommand};
use openssl::hash::MessageDigest;
use openssl::pkey::PKey;
use openssl::sign::Verifier;
use rust_util::util_clap::{Command, CommandError};
use x509_parser::certificate::X509Certificate;
use x509_parser::prelude::FromDer;
use crate::digest;
use crate::fido;
@@ -19,6 +26,7 @@ impl Command for CommandImpl {
SubCommand::with_name(self.name()).about("FIDO U2F Register subcommand")
.arg(Arg::with_name("app-id").short("a").long("app-id").default_value("https://example.com").help("App id"))
.arg(Arg::with_name("timeout").short("t").long("timeout").default_value("30").help("Timeout in seconds"))
.arg(Arg::with_name("challenge").long("challenge").takes_value(true).help("Challenge HEX"))
.arg(Arg::with_name("json").long("json").help("JSON output"))
}
@@ -32,7 +40,15 @@ impl Command for CommandImpl {
Err(e) => return simple_error!("Timeout should be a number: {}", e),
};
let u2fv2_challenge = U2fV2Challenge::new_random(app_id);
let u2fv2_challenge = match sub_arg_matches.value_of("challenge") {
None => U2fV2Challenge::new_random(app_id),
Some(challenge_hex) => {
let challenge_bytes = opt_result!(hex::decode(challenge_hex), "Decode challenge hex failed: {}");
let challenge = base64::encode_config(&challenge_bytes, URL_SAFE_NO_PAD);
U2fV2Challenge::new(challenge, app_id)
}
};
let u2fv2_challenge_str = u2fv2_challenge.to_json();
let chall_bytes = digest::sha256(&u2fv2_challenge_str);
@@ -54,8 +70,8 @@ impl Command for CommandImpl {
if let Err(e) = manager.register(
flags,
timeout_ms,
chall_bytes,
app_bytes,
chall_bytes.clone(),
app_bytes.clone(),
vec![],
status_tx,
callback,
@@ -66,10 +82,44 @@ impl Command for CommandImpl {
let register_result = opt_result!(register_rx.recv()?, "Register U2F failed: {}");
let u2f_registration_data = opt_result!(
U2fRegistrationData::from(app_id, &u2fv2_challenge_str, register_result), "Parse registration data failed: {}");
U2fRegistrationData::from(app_id, &u2fv2_challenge_str, &register_result), "Parse registration data failed: {}");
// +------+-------------------+-----------------+------------+--------------------+
// + 0x00 | application (32B) | challenge (32B) | key handle | User pub key (65B) |
// +------+-------------------+-----------------+------------+--------------------+
let mut to_be_signed = Vec::with_capacity(200);
to_be_signed.push(0x00);
to_be_signed.extend_from_slice(&app_bytes);
to_be_signed.extend_from_slice(&chall_bytes);
to_be_signed.extend_from_slice(&u2f_registration_data.key_handle);
to_be_signed.extend_from_slice(&u2f_registration_data.pub_key);
// +------+--------------------+---------------------+------------+------------+------+
// + 0x05 | User pub key (65B) | key handle len (1B) | key handle | X.509 Cert | Sign |
// +------+--------------------+---------------------+------------+------------+------+
let sign_prefix_len = 1 + 65 + 1
+ u2f_registration_data.key_handle.len()
+ u2f_registration_data.attestation_cert.as_ref().map(|c| c.len()).unwrap_or(0);
let sign = &register_result.0[sign_prefix_len..];
let mut json = BTreeMap::new();
if json_output {
println!("{}", serde_json::to_string_pretty(&u2f_registration_data).unwrap());
// println!("{}", serde_json::to_string_pretty(&u2f_registration_data).unwrap());
if let Some(device_name) = u2f_registration_data.device_name {
json.insert("device_name", device_name);
}
if let Some(attestation_cert_pem) = u2f_registration_data.attestation_cert_pem {
json.insert("attestation_cert_pem", attestation_cert_pem);
}
json.insert("device_info", format!("{}", u2f_registration_data.device_info));
json.insert("pub_key", hex::encode(&u2f_registration_data.pub_key));
json.insert("key_handle", hex::encode(&u2f_registration_data.key_handle));
json.insert("signature", hex::encode(sign));
json.insert("to_be_signed", hex::encode(&to_be_signed));
json.insert("registration_data", hex::encode(&register_result.0));
json.insert("app_id", app_id.to_string());
json.insert("app_id_hash", hex::encode(&app_bytes));
json.insert("challenge", u2fv2_challenge_str);
json.insert("challenge_hash", hex::encode(&chall_bytes));
} else {
success!("Device info: {}", u2f_registration_data.device_info);
information!("Register challenge: {}", u2fv2_challenge_str);
@@ -80,34 +130,31 @@ impl Command for CommandImpl {
if let Some(device_name) = u2f_registration_data.device_name {
information!("Device name: {}", device_name);
}
success!("Public key: {}", u2f_registration_data.pub_key);
success!("Key handle: {}", u2f_registration_data.key_handle);
success!("Public key: {}", hex::encode(&u2f_registration_data.pub_key));
success!("Key handle: {}", hex::encode(&u2f_registration_data.key_handle));
debugging!("Registration data: {}", hex::encode(&register_result.0));
information!("To be signed: {}", hex::encode(&to_be_signed));
information!("Signature: {}", hex::encode(sign));
if let Some(attestation_cert) = &u2f_registration_data.attestation_cert {
let cert = opt_result!(X509Certificate::from_der(attestation_cert), "Parse attestation cert failed: {}");
debugging!("Attestation public key: {:?}", cert.1.public_key().subject_public_key);
let pkey = opt_result!(PKey::public_key_from_der(cert.1.public_key().raw), "Parse public key failed: {}");
let mut verifier = opt_result!(Verifier::new(MessageDigest::sha256(), &pkey), "Verifier new failed: {}");
verifier.update(&to_be_signed)?;
let verify_result = opt_result!(verifier.verify(sign), "Verifier verify failed: {}");
if verify_result {
success!("Verify success");
} else {
failure!("Verify failed");
}
} else {
warning!("Cannot find attestation cert!");
}
}
if json_output {
println!("{}", serde_json::to_string_pretty(&json).unwrap());
}
Ok(None)
}
}
//
// // U2F raw message format specification (version 20170411) section 4.3
// // In case of success we need to send back the following reply
// // (excluding ISO7816 success code)
// // +------+--------------------+---------------------+------------+------------+------+
// // + 0x05 | User pub key (65B) | key handle len (1B) | key handle | X.509 Cert | Sign |
// // +------+--------------------+---------------------+------------+------------+------+
// //
// // Where Sign is an ECDSA signature over the following structure:
// // +------+-------------------+-----------------+------------+--------------------+
// // + 0x00 | application (32B) | challenge (32B) | key handle | User pub key (65B) |
// // +------+-------------------+-----------------+------------+--------------------+
// // see https://github.com/google/OpenSK/blob/stable/src/ctap/ctap1.rs
// fn u2f_get_key_handle_from_register_response(register_response: &[u8]) -> XResult<Vec<u8>> {
// if register_response[0] != 0x05 {
// return simple_error!("Reserved byte not set correctly");
// }
//
// let key_handle_len = register_response[66] as usize;
// let mut public_key = register_response.to_owned();
// let mut key_handle = public_key.split_off(67);
// let _attestation = key_handle.split_off(key_handle_len);
//
// Ok(key_handle)
// }

16
src/fido.rs
View File

@@ -58,13 +58,14 @@ pub struct U2fRegistrationData {
pub device_name: Option<String>,
pub client_data: String,
pub registration_data: String,
pub attestation_cert: Option<Vec<u8>>,
pub attestation_cert_pem: Option<String>,
pub pub_key: String,
pub key_handle: String,
pub pub_key: Vec<u8>,
pub key_handle: Vec<u8>,
}
impl U2fRegistrationData {
pub fn from(app_id: &str, client_data: &str, register_result: RegisterResult) -> XResult<Self> {
pub fn from(app_id: &str, client_data: &str, register_result: &RegisterResult) -> XResult<Self> {
let registration = opt_result!(
u2f::register::parse_registration(app_id.to_string(), client_data.as_bytes().to_vec(), register_result.0.to_vec()),
"Parse registration data failed: {}");
@@ -74,11 +75,12 @@ impl U2fRegistrationData {
device_name: registration.device_name,
client_data: client_data.into(),
registration_data: base64::encode(&register_result.0),
attestation_cert_pem: registration.attestation_cert.map(|c| {
bytes_to_pem("CERTIFICATE", c)
attestation_cert: registration.attestation_cert.clone(),
attestation_cert_pem: registration.attestation_cert.map(|cert| {
bytes_to_pem("CERTIFICATE", cert)
}),
pub_key: hex::encode(registration.pub_key),
key_handle: hex::encode(registration.key_handle),
pub_key: registration.pub_key,
key_handle: registration.key_handle,
})
}
}