use clap::{ArgMatches, SubCommand, App, Arg}; use crate::cmd::{Command, CommandError}; use authenticator::authenticatorservice::AuthenticatorService; use authenticator::statecallback::StateCallback; use authenticator::RegisterFlags; use std::sync::mpsc::channel; use crate::fido; use crate::digest; use crate::fido::{U2fV2Challenge, U2fRegistrationData}; pub struct CommandImpl; impl Command for CommandImpl { fn name(&self) -> &str { "register" } fn subcommand<'a>(&self) -> App<'a, 'a> { SubCommand::with_name(self.name()).about("Register subcommand") .arg(Arg::with_name("app-id").long("app-id").default_value("https://example.com").help("App id")) .arg(Arg::with_name("timeout").long("timeout").default_value("10").help("Timeout in seconds")) .arg(Arg::with_name("json").long("json").help("JSON output")) } fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError { let json_output = sub_arg_matches.is_present("json"); if json_output { rust_util::util_msg::set_logger_std_out(false); } let app_id = sub_arg_matches.value_of("app-id").unwrap(); let timeout_ms = match sub_arg_matches.value_of("timeout").unwrap().parse::() { Ok(t) => (t * 1000) as u64, Err(e) => return simple_error!("Timeout should be a number: {}", e), }; let u2fv2_challenge = U2fV2Challenge::new_random(app_id); let u2fv2_challenge_str = u2fv2_challenge.to_json(); let chall_bytes = digest::sha256(&u2fv2_challenge_str); let app_bytes = digest::sha256(app_id); let flags = RegisterFlags::empty(); let status_tx = fido::start_status_updater(); let (register_tx, register_rx) = channel(); let callback = StateCallback::new(Box::new(move |rv| { register_tx.send(rv).unwrap(); })); information!("Start U2F register..."); information!("App id: {}", app_id); debugging!("Wait timeout: {} ms", timeout_ms); let mut manager = AuthenticatorService::new()?; manager.add_u2f_usb_hid_platform_transports(); manager.register( flags, timeout_ms, chall_bytes.clone(), app_bytes.clone(), vec![], status_tx.clone(), callback, )?; let register_result = register_rx.recv()?; let u2f_registration_data = U2fRegistrationData::from(app_id, &u2fv2_challenge_str, register_result?); match u2f_registration_data { Ok(data) => { if json_output { println!("{}", serde_json::to_string_pretty(&data).unwrap()); } else { success!("Device info: {}", data.device_info); if let Some(cert) = data.attestation_cert_pem { success!("Certificate: {}", cert); } if let Some(device_name) = data.device_name { success!("Device name: {}", device_name); } success!("Public key: {}", data.pub_key); success!("Key handle: {}", data.key_handle); } } Err(e) => { return simple_error!("Parse registration data failed: {}", e); } } Ok(()) } } // // // U2F raw message format specification (version 20170411) section 4.3 // // In case of success we need to send back the following reply // // (excluding ISO7816 success code) // // +------+--------------------+---------------------+------------+------------+------+ // // + 0x05 | User pub key (65B) | key handle len (1B) | key handle | X.509 Cert | Sign | // // +------+--------------------+---------------------+------------+------------+------+ // // // // Where Sign is an ECDSA signature over the following structure: // // +------+-------------------+-----------------+------------+--------------------+ // // + 0x00 | application (32B) | challenge (32B) | key handle | User pub key (65B) | // // +------+-------------------+-----------------+------------+--------------------+ // // see https://github.com/google/OpenSK/blob/stable/src/ctap/ctap1.rs // fn u2f_get_key_handle_from_register_response(register_response: &[u8]) -> XResult> { // if register_response[0] != 0x05 { // return simple_error!("Reserved byte not set correctly"); // } // // let key_handle_len = register_response[66] as usize; // let mut public_key = register_response.to_owned(); // let mut key_handle = public_key.split_off(67); // let _attestation = key_handle.split_off(key_handle_len); // // Ok(key_handle) // }