feat: v1.1.14

src/cmd_u2fsign.rs

@@ -4,7 +4,13 @@ use authenticator::{AuthenticatorTransports, KeyHandle, SignFlags};
 use authenticator::authenticatorservice::AuthenticatorService;
 use authenticator::statecallback::StateCallback;
 use clap::{App, Arg, ArgMatches, SubCommand};
+use openssl::bn::BigNumContext;
+use openssl::ec::{EcGroup, EcKey, EcPoint};
+use openssl::hash::MessageDigest;
+use openssl::nid::Nid;
+use openssl::pkey::PKey;
 use openssl::sha::sha256;
+use openssl::sign::Verifier;
 use rust_util::util_clap::{Command, CommandError};
 
 use crate::digest;
@@ -20,6 +26,7 @@ impl Command for CommandImpl {
             .arg(Arg::with_name("app-id").short("a").long("app-id").default_value("https://example.com").help("App id"))
             .arg(Arg::with_name("timeout").short("t").long("timeout").default_value("30").help("Timeout in seconds"))
             .arg(Arg::with_name("public-key-hex").long("public-key-hex").takes_value(true).help("Public key hex"))
+            .arg(Arg::with_name("challenge").long("challenge").takes_value(true).help("Challenge HEX"))
             .arg(Arg::with_name("key-handle").short("k").long("key-handle").takes_value(true).multiple(true).help("Key handle"))
     }
     fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError {
@@ -51,7 +58,9 @@ impl Command for CommandImpl {
             sign_tx.send(rv).unwrap();
         }));
 
-        let u2fv2_challenge = U2fV2Challenge::new_random(app_id);
+
+        let u2fv2_challenge = U2fV2Challenge::new_challenge(sub_arg_matches.value_of("challenge"), app_id)?;
+
         let u2fv2_challenge_str = u2fv2_challenge.to_json();
         let chall_bytes = digest::sha256(&u2fv2_challenge_str);
 
@@ -88,7 +97,7 @@ impl Command for CommandImpl {
         information!("Sign result : {}", base64::encode(&sign_data));
         information!("- presence : {}", user_presence_flag);
         information!("- counter  : {}", u32::from_be_bytes([counter[0], counter[1], counter[2], counter[3]]));
-        information!("- signature: {}", base64::encode(&signature));
+        information!("- signature: {}", hex::encode(&signature));
         // success!("Key handle used: {}", base64::encode(&handle_used));
         information!("Key handle: {}", hex::encode(&handle_used));
 
@@ -98,23 +107,37 @@ impl Command for CommandImpl {
             let client_data = u2fv2_challenge_str.as_bytes().to_vec();
             let app_id_hash = sha256(app_id.as_bytes());
             let client_data_hash = sha256(&client_data[..]);
-            let mut msg = Vec::with_capacity(128);
-            msg.extend_from_slice(&app_id_hash);
-            msg.push(*user_presence_flag);
-            msg.extend_from_slice(counter);
-            msg.extend_from_slice(&client_data_hash);
+            let mut signed_message = Vec::with_capacity(128);
+            signed_message.extend_from_slice(&app_id_hash);
+            signed_message.push(*user_presence_flag);
+            signed_message.extend_from_slice(counter);
+            signed_message.extend_from_slice(&client_data_hash);
 
-            information!("Public key: {}", base64::encode(&public_key));
-            information!("Signed message: {}", base64::encode(&msg));
+            information!("Public key: {}", hex::encode(&public_key));
+            information!("Signed message: {}", hex::encode(&signed_message));
 
             let authorization_result = u2f::authorization::parse_sign_response(
                 app_id.to_string(),
                 client_data,
-                public_key,
-                sign_data,
+                public_key.clone(),
+                sign_data.clone(),
             );
             let authorization = opt_result!(authorization_result, "Parse authorization failed: {}");
             success!("Parse authorization success, counter: {}", authorization.counter);
+
+            // PKey::public_key_from_der()
+            let ec_group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap();
+            let ec_point = EcPoint::from_bytes(&ec_group, &public_key, &mut BigNumContext::new().unwrap()).unwrap();
+            let ec_key = EcKey::from_public_key(&ec_group, &ec_point).unwrap();
+            let ec_pkey = PKey::from_ec_key(ec_key).unwrap();
+            let mut verifier = opt_result!(Verifier::new(MessageDigest::sha256(), &ec_pkey), "Verifier new failed: {}");
+            verifier.update(&signed_message)?;
+            let verify_result = opt_result!(verifier.verify(signature), "Verifier verify failed: {}");
+            if verify_result {
+                success!("Verify success");
+            } else {
+                failure!("Verify failed");
+            }
         }
 
         Ok(None)