hatter/card-cli
1
1
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

feat: u2f

Browse Source
This commit is contained in:
Hatter Jiang
2021-07-03 00:15:32 +08:00
parent c6ee7ab43a
commit 1e3fa35bdf
7 changed files with 311 additions and 126 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/digest.rs Normal file
View File

@@ -0,0 +1,7 @@
use sha2::{Digest, Sha256};
pub fn sha256(input: &str) -> Vec<u8> {
let mut challenge = Sha256::default();
Digest::update(&mut challenge, input.as_bytes());
challenge.finalize().to_vec()
}

62
src/fido.rs Normal file
View File

@@ -0,0 +1,62 @@
use std::thread;
use std::sync::mpsc::{channel, Sender};
use serde::{Deserialize, Serialize};
use authenticator::StatusUpdate;
use base64::URL_SAFE_NO_PAD;
use rand::Rng;
#[derive(Clone, Debug, Serialize, Deserialize)]
pub struct U2fV2Challenge {
challenge: String,
version: String,
#[serde(rename = "appId")]
app_id: String,
}
impl U2fV2Challenge {
pub fn new_random<S>(app_id: S) -> Self where S: Into<String> {
let mut rng = rand::thread_rng();
let mut rand_bytes = [0_u8; 32];
for i in 0..32 {
let b: u8 = rng.gen();
rand_bytes[i] = b;
}
let challenge = base64::encode_config(&rand_bytes, URL_SAFE_NO_PAD);
Self::new(challenge, app_id)
}
pub fn new<S1, S2>(challenge: S1, app_id: S2) -> Self where S1: Into<String>, S2: Into<String> {
Self {
challenge: challenge.into(),
version: "U2F_V2".into(),
app_id: app_id.into(),
}
}
pub fn to_json(&self) -> String {
serde_json::to_string(&self).unwrap()
}
}
pub fn start_status_updater() -> Sender<StatusUpdate> {
let (status_tx, status_rx) = channel::<StatusUpdate>();
thread::spawn(move || loop {
match status_rx.recv() {
Ok(StatusUpdate::DeviceAvailable { dev_info }) => {
debugging!("STATUS: device available: {}", dev_info)
}
Ok(StatusUpdate::DeviceUnavailable { dev_info }) => {
debugging!("STATUS: device unavailable: {}", dev_info)
}
Ok(StatusUpdate::Success { dev_info }) => {
debugging!("STATUS: success using device: {}", dev_info);
}
Err(_) => {
debugging!("STATUS: end");
return;
}
}
});
status_tx
}

11
src/main.rs
View File

@@ -1,10 +1,13 @@
#[macro_use] extern crate rust_util;
#[macro_use]
extern crate rust_util;
mod cmd;
mod fido;
mod digest;
mod register;
mod sign;
use clap::App;
use clap::{App, AppSettings};
use cmd::{Command, CommandError};
use cmd::DefaultCommandImpl;
@@ -15,7 +18,9 @@ fn main() -> CommandError {
];
let mut app = App::new(env!("CARGO_PKG_NAME"))
.version(env!("CARGO_PKG_VERSION"))
.about(env!("CARGO_PKG_DESCRIPTION"));
.about(env!("CARGO_PKG_DESCRIPTION"))
.long_about("Webauthn Cli is a command tool register and sign using FIDO security key")
.setting(AppSettings::ColoredHelp);
app = DefaultCommandImpl::process_command(app);
for command in &commands {
app = app.subcommand(command.subcommand());

109
src/register.rs
View File

@@ -2,44 +2,12 @@ use clap::{ArgMatches, SubCommand, App, Arg};
use crate::cmd::{Command, CommandError};
use authenticator::authenticatorservice::AuthenticatorService;
use authenticator::statecallback::StateCallback;
use authenticator::{RegisterFlags, StatusUpdate};
use sha2::{Digest, Sha256};
use authenticator::RegisterFlags;
use std::sync::mpsc::channel;
use std::thread;
use rust_util::XResult;
use rand::Rng;
use base64::URL_SAFE_NO_PAD;
use serde::{Deserialize, Serialize};
#[derive(Clone, Debug, Serialize, Deserialize)]
struct U2fV2Challenge {
challenge: String,
version: String,
#[serde(rename = "appId")]
app_id: String,
}
impl U2fV2Challenge {
fn new_random<S>(app_id: S) -> Self where S: Into<String> {
let mut rng = rand::thread_rng();
let mut rand_bytes = [0_u8; 32];
for i in 0..32 {
let b: u8 = rng.gen();
rand_bytes[i] = b;
}
let challenge = base64::encode_config(&rand_bytes, URL_SAFE_NO_PAD);
Self::new(challenge, app_id)
}
fn new<S1, S2>(challenge: S1, app_id: S2) -> Self where S1: Into<String>, S2: Into<String> {
Self {
challenge: challenge.into(),
version: "U2F_V2".into(),
app_id: app_id.into(),
}
}
}
use crate::fido;
use crate::digest;
use crate::fido::U2fV2Challenge;
pub struct CommandImpl;
@@ -49,48 +17,24 @@ impl Command for CommandImpl {
fn subcommand<'a>(&self) -> App<'a, 'a> {
SubCommand::with_name(self.name()).about("Register subcommand")
.arg(Arg::with_name("app-id").long("app-id").default_value("https://example.com").help("App id"))
.arg(Arg::with_name("timeout").long("timeout").default_value("10").help("Timeout in seconds"))
}
fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError {
let mut manager = AuthenticatorService::new()?;
manager.add_u2f_usb_hid_platform_transports();
let app_id = sub_arg_matches.value_of("app-id").unwrap();
let timeout_ms = 10000;
let timeout_ms = match sub_arg_matches.value_of("timeout").unwrap().parse::<u32>() {
Ok(t) => (t * 1000) as u64,
Err(e) => return simple_error!("Timeout should be a number: {}", e),
};
let u2fv2_challenge = U2fV2Challenge::new_random(app_id);
let challenge_str = serde_json::to_string(&u2fv2_challenge).unwrap();
let mut challenge = Sha256::default();
Digest::update(&mut challenge, challenge_str.as_bytes());
let chall_bytes = challenge.finalize().to_vec();
let mut application = Sha256::default();
// application.update(app_id.as_bytes());
Digest::update(&mut application, app_id.as_bytes());
let app_bytes = application.finalize().to_vec();
let chall_bytes = digest::sha256(&u2fv2_challenge.to_json());
let app_bytes = digest::sha256(app_id);
let flags = RegisterFlags::empty();
let (status_tx, status_rx) = channel::<StatusUpdate>();
thread::spawn(move || loop {
match status_rx.recv() {
Ok(StatusUpdate::DeviceAvailable { dev_info }) => {
debugging!("STATUS: device available: {}", dev_info)
}
Ok(StatusUpdate::DeviceUnavailable { dev_info }) => {
debugging!("STATUS: device unavailable: {}", dev_info)
}
Ok(StatusUpdate::Success { dev_info }) => {
debugging!("STATUS: success using device: {}", dev_info);
}
Err(_recv_error) => {
debugging!("STATUS: end");
return;
}
}
});
let status_tx = fido::start_status_updater();
let (register_tx, register_rx) = channel();
let callback = StateCallback::new(Box::new(move |rv| {
@@ -99,6 +43,9 @@ impl Command for CommandImpl {
information!("Start U2F register...");
information!("App id: {}", app_id);
debugging!("Wait timeout: {} ms", timeout_ms);
let mut manager = AuthenticatorService::new()?;
manager.add_u2f_usb_hid_platform_transports();
manager.register(
flags,
timeout_ms,
@@ -112,8 +59,8 @@ impl Command for CommandImpl {
let register_result = register_rx.recv()?;
let (register_data, device_info) = register_result?;
success!("Register result: {}", base64::encode(&register_data));
success!("Device info: {}", &device_info);
success!("Register result: {}", base64::encode(&register_data));
let credential = u2f_get_key_handle_from_register_response(&register_data).unwrap();
success!("Key handle: {}", base64::encode(&credential));
success!("Key handle: {}", hex::encode(&credential));
@@ -122,6 +69,18 @@ impl Command for CommandImpl {
}
}
// U2F raw message format specification (version 20170411) section 4.3
// In case of success we need to send back the following reply
// (excluding ISO7816 success code)
// +------+--------------------+---------------------+------------+------------+------+
// + 0x05 | User pub key (65B) | key handle len (1B) | key handle | X.509 Cert | Sign |
// +------+--------------------+---------------------+------------+------------+------+
//
// Where Sign is an ECDSA signature over the following structure:
// +------+-------------------+-----------------+------------+--------------------+
// + 0x00 | application (32B) | challenge (32B) | key handle | User pub key (65B) |
// +------+-------------------+-----------------+------------+--------------------+
// see https://github.com/google/OpenSK/blob/stable/src/ctap/ctap1.rs
fn u2f_get_key_handle_from_register_response(register_response: &[u8]) -> XResult<Vec<u8>> {
if register_response[0] != 0x05 {
return simple_error!("Reserved byte not set correctly");
@@ -133,4 +92,16 @@ fn u2f_get_key_handle_from_register_response(register_response: &[u8]) -> XResul
let _attestation = key_handle.split_off(key_handle_len);
Ok(key_handle)
}
#[test]
fn test() {
let app_id = "https://webencrypt.org";
let client_data = base64::decode("eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCIsImNoYWxsZW5nZSI6ImFHVnNiRzlmZDI5eWJHUSIsIm9yaWdpbiI6Imh0dHBzOi8vd2ViZW5jcnlwdC5vcmciLCJjcm9zc09yaWdpbiI6ZmFsc2V9").unwrap();
let register_data = base64::decode("BQSpAR+aliPCpz2u8c84Mv13bAYUcJnT9OgiXkCX9CTR/xhWqbJwoL9l6WRqvqwtG77NMvkDexcTKf9Mtf5+V1NCQKYfXWCP+IL2Lfbyng7mX0GV/etsHqlIiiaoEQo5g0Zetn+JimnLx5f259OZlEsvzB7Qs6swN5WRy57FRqREOPcwggE0MIHboAMCAQICCiBzHdQQUIQZ+ZgwCgYIKoZIzj0EAwIwFTETMBEGA1UEAxMKVTJGIElzc3VlcjAaFwswMDAxMDEwMDAwWhcLMDAwMTAxMDAwMFowFTETMBEGA1UEAxMKVTJGIERldmljZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCvum43LiwAMJacjIFh7SCIrl1e1ltYXeK50v2HWDRZ9pw38HSPmx2SjT+2hTY1YMVagbgXimYrb8+WWlZ6j9bqjFzAVMBMGCysGAQQBguUcAgEBBAQDAgUgMAoGCCqGSM49BAMCA0gAMEUCIQDBo6aOLxanIUYnBX9iu3KMngPnobpi0EZSTkVtLC8/cwIgC1945RGqGBKfbyNtkhMifZK05n7fU+gW37Bdnci5D94wRQIhAJHR1EsN/+Fb+74FyxSjBMaoD6p2edlqGPYEb4SiXwccAiAM48XFf/sWsgzS2YU4EeObztVLErUb1JaA2qHJtTUoig==").unwrap();
let r = u2f::register::parse_registration(app_id.to_string(), client_data, register_data);
let rr = r.unwrap();
println!("{}", hex::encode(rr.pub_key));
println!("{}", hex::encode(rr.attestation_cert.unwrap()));
println!("{}", hex::encode(rr.key_handle));
}

88
src/sign.rs
View File

@@ -1,11 +1,12 @@
use clap::{ArgMatches, SubCommand, App, Arg};
use crate::cmd::{Command, CommandError};
use authenticator::{KeyHandle, AuthenticatorTransports, SignFlags, StatusUpdate};
use authenticator::{KeyHandle, AuthenticatorTransports, SignFlags};
use std::sync::mpsc::channel;
use authenticator::statecallback::StateCallback;
use authenticator::authenticatorservice::AuthenticatorService;
use sha2::{Sha256, Digest};
use std::thread;
use crate::fido;
use crate::digest;
use crate::fido::U2fV2Challenge;
pub struct CommandImpl;
@@ -14,21 +15,30 @@ impl Command for CommandImpl {
fn subcommand<'a>(&self) -> App<'a, 'a> {
SubCommand::with_name(self.name()).about("Sign subcommand")
.arg(Arg::with_name("app-id").long("app-id").default_value("https://example.com").help("App id"))
.arg(Arg::with_name("key-handle").long("key-handle").takes_value(true).help("Key handle"))
.arg(Arg::with_name("timeout").long("timeout").default_value("10").help("Timeout in seconds"))
.arg(Arg::with_name("key-handle").long("key-handle").takes_value(true).multiple(true).help("Key handle"))
}
fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError {
let app_id = sub_arg_matches.value_of("app-id").unwrap();
let key_handle = opt_value_result!( sub_arg_matches.value_of("key-handle"), "Key handle is required");
let timeout_ms = match sub_arg_matches.value_of("timeout").unwrap().parse::<u32>() {
Ok(t) => (t * 1000) as u64,
Err(e) => return simple_error!("Timeout should be a number: {}", e),
};
let key_handles = opt_value_result!( sub_arg_matches.values_of("key-handle"), "Key handle is required");
// opt_result!(hex::decode(key_handle),"{}", "");
let credential = match hex::decode(key_handle) {
Ok(c) => c,
Err(e) => return simple_error!("Key handle decode failed: {}", e),
};
let key_handle = KeyHandle {
credential,
transports: AuthenticatorTransports::empty(),
};
let mut request_key_handles = vec![];
for kh in key_handles {
match hex::decode(kh) {
Ok(k) => request_key_handles.push(KeyHandle {
credential: k,
transports: AuthenticatorTransports::empty(),
}),
Err(e) => warning!("Parse key handle: {}, failed: {}", kh, e),
}
}
if request_key_handles.is_empty() {
return simple_error!("No valid key handle provided");
}
let flags = SignFlags::empty();
let (sign_tx, sign_rx) = channel();
@@ -37,50 +47,23 @@ impl Command for CommandImpl {
sign_tx.send(rv).unwrap();
}));
let mut manager = AuthenticatorService::new()?;
manager.add_u2f_usb_hid_platform_transports();
let u2fv2_challenge = U2fV2Challenge::new_random(app_id);
let chall_bytes = digest::sha256(&u2fv2_challenge.to_json());
let timeout_ms = 10000;
let app_bytes = digest::sha256(app_id);
// let u2fv2_challenge = U2fV2Challenge::new_random(app_id);
let challenge_str = "aaaa".to_owned();// serde_json::to_string(&u2fv2_challenge).unwrap();
let mut challenge = Sha256::default();
Digest::update(&mut challenge, challenge_str.as_bytes());
let chall_bytes = challenge.finalize().to_vec();
let mut application = Sha256::default();
// application.update(app_id.as_bytes());
Digest::update(&mut application, app_id.as_bytes());
let app_bytes = application.finalize().to_vec();
let (status_tx, status_rx) = channel::<StatusUpdate>();
thread::spawn(move || loop {
match status_rx.recv() {
Ok(StatusUpdate::DeviceAvailable { dev_info }) => {
debugging!("STATUS: device available: {}", dev_info)
}
Ok(StatusUpdate::DeviceUnavailable { dev_info }) => {
debugging!("STATUS: device unavailable: {}", dev_info)
}
Ok(StatusUpdate::Success { dev_info }) => {
debugging!("STATUS: success using device: {}", dev_info);
}
Err(_recv_error) => {
debugging!("STATUS: end");
return;
}
}
});
let status_tx = fido::start_status_updater();
information!("Start sign...");
information!("App id: {}", app_id);
let mut manager = AuthenticatorService::new()?;
manager.add_u2f_usb_hid_platform_transports();
if let Err(e) = manager.sign(
flags,
timeout_ms,
chall_bytes,
vec![app_bytes],
vec![key_handle],
request_key_handles,
status_tx,
callback,
) {
@@ -92,11 +75,10 @@ impl Command for CommandImpl {
.expect("Problem receiving, unable to continue");
let (_, handle_used, sign_data, device_info) = sign_result.expect("Sign failed");
println!("Sign result: {}", base64::encode(&sign_data));
println!("Key handle used: {}", base64::encode(&handle_used));
println!("Key handle used: {}", hex::encode(&handle_used));
println!("Device info: {}", &device_info);
println!("Done.");
success!("Device info: {}", &device_info);
success!("Sign result: {}", base64::encode(&sign_data));
success!("Key handle used: {}", base64::encode(&handle_used));
success!("Key handle used: {}", hex::encode(&handle_used));
Ok(())
}