feat: u2f
This commit is contained in:
109
src/register.rs
109
src/register.rs
@@ -2,44 +2,12 @@ use clap::{ArgMatches, SubCommand, App, Arg};
|
||||
use crate::cmd::{Command, CommandError};
|
||||
use authenticator::authenticatorservice::AuthenticatorService;
|
||||
use authenticator::statecallback::StateCallback;
|
||||
use authenticator::{RegisterFlags, StatusUpdate};
|
||||
use sha2::{Digest, Sha256};
|
||||
use authenticator::RegisterFlags;
|
||||
use std::sync::mpsc::channel;
|
||||
use std::thread;
|
||||
use rust_util::XResult;
|
||||
use rand::Rng;
|
||||
use base64::URL_SAFE_NO_PAD;
|
||||
use serde::{Deserialize, Serialize};
|
||||
|
||||
#[derive(Clone, Debug, Serialize, Deserialize)]
|
||||
struct U2fV2Challenge {
|
||||
challenge: String,
|
||||
version: String,
|
||||
#[serde(rename = "appId")]
|
||||
app_id: String,
|
||||
}
|
||||
|
||||
impl U2fV2Challenge {
|
||||
fn new_random<S>(app_id: S) -> Self where S: Into<String> {
|
||||
let mut rng = rand::thread_rng();
|
||||
let mut rand_bytes = [0_u8; 32];
|
||||
for i in 0..32 {
|
||||
let b: u8 = rng.gen();
|
||||
rand_bytes[i] = b;
|
||||
}
|
||||
|
||||
let challenge = base64::encode_config(&rand_bytes, URL_SAFE_NO_PAD);
|
||||
Self::new(challenge, app_id)
|
||||
}
|
||||
|
||||
fn new<S1, S2>(challenge: S1, app_id: S2) -> Self where S1: Into<String>, S2: Into<String> {
|
||||
Self {
|
||||
challenge: challenge.into(),
|
||||
version: "U2F_V2".into(),
|
||||
app_id: app_id.into(),
|
||||
}
|
||||
}
|
||||
}
|
||||
use crate::fido;
|
||||
use crate::digest;
|
||||
use crate::fido::U2fV2Challenge;
|
||||
|
||||
pub struct CommandImpl;
|
||||
|
||||
@@ -49,48 +17,24 @@ impl Command for CommandImpl {
|
||||
fn subcommand<'a>(&self) -> App<'a, 'a> {
|
||||
SubCommand::with_name(self.name()).about("Register subcommand")
|
||||
.arg(Arg::with_name("app-id").long("app-id").default_value("https://example.com").help("App id"))
|
||||
.arg(Arg::with_name("timeout").long("timeout").default_value("10").help("Timeout in seconds"))
|
||||
}
|
||||
|
||||
fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError {
|
||||
let mut manager = AuthenticatorService::new()?;
|
||||
manager.add_u2f_usb_hid_platform_transports();
|
||||
|
||||
let app_id = sub_arg_matches.value_of("app-id").unwrap();
|
||||
let timeout_ms = 10000;
|
||||
let timeout_ms = match sub_arg_matches.value_of("timeout").unwrap().parse::<u32>() {
|
||||
Ok(t) => (t * 1000) as u64,
|
||||
Err(e) => return simple_error!("Timeout should be a number: {}", e),
|
||||
};
|
||||
|
||||
let u2fv2_challenge = U2fV2Challenge::new_random(app_id);
|
||||
let challenge_str = serde_json::to_string(&u2fv2_challenge).unwrap();
|
||||
|
||||
let mut challenge = Sha256::default();
|
||||
Digest::update(&mut challenge, challenge_str.as_bytes());
|
||||
let chall_bytes = challenge.finalize().to_vec();
|
||||
|
||||
let mut application = Sha256::default();
|
||||
// application.update(app_id.as_bytes());
|
||||
Digest::update(&mut application, app_id.as_bytes());
|
||||
let app_bytes = application.finalize().to_vec();
|
||||
let chall_bytes = digest::sha256(&u2fv2_challenge.to_json());
|
||||
|
||||
let app_bytes = digest::sha256(app_id);
|
||||
|
||||
let flags = RegisterFlags::empty();
|
||||
|
||||
let (status_tx, status_rx) = channel::<StatusUpdate>();
|
||||
thread::spawn(move || loop {
|
||||
match status_rx.recv() {
|
||||
Ok(StatusUpdate::DeviceAvailable { dev_info }) => {
|
||||
debugging!("STATUS: device available: {}", dev_info)
|
||||
}
|
||||
Ok(StatusUpdate::DeviceUnavailable { dev_info }) => {
|
||||
debugging!("STATUS: device unavailable: {}", dev_info)
|
||||
}
|
||||
Ok(StatusUpdate::Success { dev_info }) => {
|
||||
debugging!("STATUS: success using device: {}", dev_info);
|
||||
}
|
||||
Err(_recv_error) => {
|
||||
debugging!("STATUS: end");
|
||||
return;
|
||||
}
|
||||
}
|
||||
});
|
||||
let status_tx = fido::start_status_updater();
|
||||
|
||||
let (register_tx, register_rx) = channel();
|
||||
let callback = StateCallback::new(Box::new(move |rv| {
|
||||
@@ -99,6 +43,9 @@ impl Command for CommandImpl {
|
||||
|
||||
information!("Start U2F register...");
|
||||
information!("App id: {}", app_id);
|
||||
debugging!("Wait timeout: {} ms", timeout_ms);
|
||||
let mut manager = AuthenticatorService::new()?;
|
||||
manager.add_u2f_usb_hid_platform_transports();
|
||||
manager.register(
|
||||
flags,
|
||||
timeout_ms,
|
||||
@@ -112,8 +59,8 @@ impl Command for CommandImpl {
|
||||
let register_result = register_rx.recv()?;
|
||||
let (register_data, device_info) = register_result?;
|
||||
|
||||
success!("Register result: {}", base64::encode(®ister_data));
|
||||
success!("Device info: {}", &device_info);
|
||||
success!("Register result: {}", base64::encode(®ister_data));
|
||||
let credential = u2f_get_key_handle_from_register_response(®ister_data).unwrap();
|
||||
success!("Key handle: {}", base64::encode(&credential));
|
||||
success!("Key handle: {}", hex::encode(&credential));
|
||||
@@ -122,6 +69,18 @@ impl Command for CommandImpl {
|
||||
}
|
||||
}
|
||||
|
||||
// U2F raw message format specification (version 20170411) section 4.3
|
||||
// In case of success we need to send back the following reply
|
||||
// (excluding ISO7816 success code)
|
||||
// +------+--------------------+---------------------+------------+------------+------+
|
||||
// + 0x05 | User pub key (65B) | key handle len (1B) | key handle | X.509 Cert | Sign |
|
||||
// +------+--------------------+---------------------+------------+------------+------+
|
||||
//
|
||||
// Where Sign is an ECDSA signature over the following structure:
|
||||
// +------+-------------------+-----------------+------------+--------------------+
|
||||
// + 0x00 | application (32B) | challenge (32B) | key handle | User pub key (65B) |
|
||||
// +------+-------------------+-----------------+------------+--------------------+
|
||||
// see https://github.com/google/OpenSK/blob/stable/src/ctap/ctap1.rs
|
||||
fn u2f_get_key_handle_from_register_response(register_response: &[u8]) -> XResult<Vec<u8>> {
|
||||
if register_response[0] != 0x05 {
|
||||
return simple_error!("Reserved byte not set correctly");
|
||||
@@ -133,4 +92,16 @@ fn u2f_get_key_handle_from_register_response(register_response: &[u8]) -> XResul
|
||||
let _attestation = key_handle.split_off(key_handle_len);
|
||||
|
||||
Ok(key_handle)
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn test() {
|
||||
let app_id = "https://webencrypt.org";
|
||||
let client_data = base64::decode("eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCIsImNoYWxsZW5nZSI6ImFHVnNiRzlmZDI5eWJHUSIsIm9yaWdpbiI6Imh0dHBzOi8vd2ViZW5jcnlwdC5vcmciLCJjcm9zc09yaWdpbiI6ZmFsc2V9").unwrap();
|
||||
let register_data = base64::decode("BQSpAR+aliPCpz2u8c84Mv13bAYUcJnT9OgiXkCX9CTR/xhWqbJwoL9l6WRqvqwtG77NMvkDexcTKf9Mtf5+V1NCQKYfXWCP+IL2Lfbyng7mX0GV/etsHqlIiiaoEQo5g0Zetn+JimnLx5f259OZlEsvzB7Qs6swN5WRy57FRqREOPcwggE0MIHboAMCAQICCiBzHdQQUIQZ+ZgwCgYIKoZIzj0EAwIwFTETMBEGA1UEAxMKVTJGIElzc3VlcjAaFwswMDAxMDEwMDAwWhcLMDAwMTAxMDAwMFowFTETMBEGA1UEAxMKVTJGIERldmljZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCvum43LiwAMJacjIFh7SCIrl1e1ltYXeK50v2HWDRZ9pw38HSPmx2SjT+2hTY1YMVagbgXimYrb8+WWlZ6j9bqjFzAVMBMGCysGAQQBguUcAgEBBAQDAgUgMAoGCCqGSM49BAMCA0gAMEUCIQDBo6aOLxanIUYnBX9iu3KMngPnobpi0EZSTkVtLC8/cwIgC1945RGqGBKfbyNtkhMifZK05n7fU+gW37Bdnci5D94wRQIhAJHR1EsN/+Fb+74FyxSjBMaoD6p2edlqGPYEb4SiXwccAiAM48XFf/sWsgzS2YU4EeObztVLErUb1JaA2qHJtTUoig==").unwrap();
|
||||
let r = u2f::register::parse_registration(app_id.to_string(), client_data, register_data);
|
||||
let rr = r.unwrap();
|
||||
println!("{}", hex::encode(rr.pub_key));
|
||||
println!("{}", hex::encode(rr.attestation_cert.unwrap()));
|
||||
println!("{}", hex::encode(rr.key_handle));
|
||||
}
|
||||
Reference in New Issue
Block a user