card-cli/src/register.rs

use clap::{ArgMatches, SubCommand, App, Arg};
use authenticator::authenticatorservice::AuthenticatorService;
use authenticator::statecallback::StateCallback;
use authenticator::RegisterFlags;
use std::sync::mpsc::channel;
use crate::fido;
use crate::digest;
use crate::fido::{U2fV2Challenge, U2fRegistrationData};
use rust_util::util_clap::{Command, CommandError};

pub struct CommandImpl;

impl Command for CommandImpl {
    fn name(&self) -> &str { "register" }

    fn subcommand<'a>(&self) -> App<'a, 'a> {
        SubCommand::with_name(self.name()).about("Register subcommand")
            .arg(Arg::with_name("app-id").short("a").long("app-id").default_value("https://example.com").help("App id"))
            .arg(Arg::with_name("timeout").short("t").long("timeout").default_value("10").help("Timeout in seconds"))
            .arg(Arg::with_name("json").long("json").help("JSON output"))
    }

    fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError {
        let json_output = sub_arg_matches.is_present("json");
        if json_output {
            rust_util::util_msg::set_logger_std_out(false);
        }
        let app_id = sub_arg_matches.value_of("app-id").unwrap();
        let timeout_ms = match sub_arg_matches.value_of("timeout").unwrap().parse::<u32>() {
            Ok(t) => (t * 1000) as u64,
            Err(e) => return simple_error!("Timeout should be a number: {}", e),
        };

        let u2fv2_challenge = U2fV2Challenge::new_random(app_id);
        let u2fv2_challenge_str = u2fv2_challenge.to_json();
        let chall_bytes = digest::sha256(&u2fv2_challenge_str);

        let app_bytes = digest::sha256(app_id);

        let flags = RegisterFlags::empty();

        let status_tx = fido::start_status_updater();

        let (register_tx, register_rx) = channel();
        let callback = StateCallback::new(Box::new(move |rv| {
            register_tx.send(rv).unwrap();
        }));

        information!("Start U2F register...");
        information!("App id: {}", app_id);
        debugging!("Wait timeout: {} ms", timeout_ms);
        let mut manager = AuthenticatorService::new()?;
        manager.add_u2f_usb_hid_platform_transports();
        manager.register(
            flags,
            timeout_ms,
            chall_bytes,
            app_bytes,
            vec![],
            status_tx,
            callback,
        )?;

        let register_result = register_rx.recv()?;

        let u2f_registration_data = U2fRegistrationData::from(app_id, &u2fv2_challenge_str, register_result?);

        match u2f_registration_data {
            Ok(data) => {
                if json_output {
                    println!("{}", serde_json::to_string_pretty(&data).unwrap());
                } else {
                    success!("Device info: {}", data.device_info);
                    success!("Register challenge: {}", u2fv2_challenge_str);
                    success!("Register challenge base64: {}", base64::encode(&u2fv2_challenge_str));
                    if let Some(cert) = data.attestation_cert_pem {
                        success!("Certificate: {}", cert);
                    }
                    if let Some(device_name) = data.device_name {
                        success!("Device name: {}", device_name);
                    }
                    success!("Public key: {}", data.pub_key);
                    success!("Key handle: {}", data.key_handle);
                }
            }
            Err(e) => {
                return simple_error!("Parse registration data failed: {}", e);
            }
        }
        Ok(None)
    }
}
//
// // U2F raw message format specification (version 20170411) section 4.3
// // In case of success we need to send back the following reply
// // (excluding ISO7816 success code)
// // +------+--------------------+---------------------+------------+------------+------+
// // + 0x05 | User pub key (65B) | key handle len (1B) | key handle | X.509 Cert | Sign |
// // +------+--------------------+---------------------+------------+------------+------+
// //
// // Where Sign is an ECDSA signature over the following structure:
// // +------+-------------------+-----------------+------------+--------------------+
// // + 0x00 | application (32B) | challenge (32B) | key handle | User pub key (65B) |
// // +------+-------------------+-----------------+------------+--------------------+
// // see https://github.com/google/OpenSK/blob/stable/src/ctap/ctap1.rs
// fn u2f_get_key_handle_from_register_response(register_response: &[u8]) -> XResult<Vec<u8>> {
//     if register_response[0] != 0x05 {
//         return simple_error!("Reserved byte not set correctly");
//     }
//
//     let key_handle_len = register_response[66] as usize;
//     let mut public_key = register_response.to_owned();
//     let mut key_handle = public_key.split_off(67);
//     let _attestation = key_handle.split_off(key_handle_len);
//
//     Ok(key_handle)
// }