card-cli/src/cmd_u2fsign.rs

use std::sync::mpsc::channel;

use authenticator::{AuthenticatorTransports, KeyHandle, SignFlags};
use authenticator::authenticatorservice::AuthenticatorService;
use authenticator::statecallback::StateCallback;
use clap::{App, Arg, ArgMatches, SubCommand};
use openssl::sha::sha256;
use rust_util::util_clap::{Command, CommandError};

use crate::digest;
use crate::fido;
use crate::fido::U2fV2Challenge;

pub struct CommandImpl;

impl Command for CommandImpl {
    fn name(&self) -> &str { "u2f-sign" }
    fn subcommand<'a>(&self) -> App<'a, 'a> {
        SubCommand::with_name(self.name()).about("FIDO U2F Sign subcommand")
            .arg(Arg::with_name("app-id").short("a").long("app-id").default_value("https://example.com").help("App id"))
            .arg(Arg::with_name("timeout").short("t").long("timeout").default_value("10").help("Timeout in seconds"))
            .arg(Arg::with_name("public-key-hex").long("public-key-hex").takes_value(true).help("Public key hex"))
            .arg(Arg::with_name("key-handle").short("k").long("key-handle").takes_value(true).multiple(true).help("Key handle"))
    }
    fn run(&self, _arg_matches: &ArgMatches, sub_arg_matches: &ArgMatches) -> CommandError {
        let app_id = sub_arg_matches.value_of("app-id").unwrap();
        let timeout_ms = match sub_arg_matches.value_of("timeout").unwrap().parse::<u32>() {
            Ok(t) => (t * 1000) as u64,
            Err(e) => return simple_error!("Timeout should be a number: {}", e),
        };
        let key_handles = opt_value_result!( sub_arg_matches.values_of("key-handle"), "Key handle is required");

        let mut request_key_handles = vec![];
        for kh in key_handles {
            match hex::decode(kh) {
                Ok(k) => request_key_handles.push(KeyHandle {
                    credential: k,
                    transports: AuthenticatorTransports::empty(),
                }),
                Err(e) => warning!("Parse key handle: {}, failed: {}", kh, e),
            }
        }
        if request_key_handles.is_empty() {
            return simple_error!("No valid key handle provided");
        }

        let flags = SignFlags::empty();
        let (sign_tx, sign_rx) = channel();

        let callback = StateCallback::new(Box::new(move |rv| {
            sign_tx.send(rv).unwrap();
        }));

        let u2fv2_challenge = U2fV2Challenge::new_random(app_id);
        let u2fv2_challenge_str = u2fv2_challenge.to_json();
        let chall_bytes = digest::sha256(&u2fv2_challenge_str);

        let app_bytes = digest::sha256(app_id);

        let status_tx = fido::start_status_updater();

        information!("App id: {}, Start sign...", app_id);
        debugging!("Wait timeout: {} ms", timeout_ms);
        let mut manager = opt_result!(AuthenticatorService::new(), "Create authenticator service failed: {}");
        manager.add_u2f_usb_hid_platform_transports();
        if let Err(e) = manager.sign(
            flags,
            timeout_ms,
            chall_bytes,
            vec![app_bytes],
            request_key_handles,
            status_tx,
            callback,
        ) {
            return simple_error!("Couldn't sign: {:?}", e);
        }

        let sign_result = opt_result!(sign_rx.recv(), "Problem receiving, unable to continue: {}");
        let (_, handle_used, sign_data, device_info) = opt_result!(sign_result, "Sign failed: {}");

        let user_presence_flag = &sign_data[0];
        let counter = &sign_data[1..=4];
        let signature = &sign_data[5..];

        success!("Device info: {}", &device_info);
        success!("Sign challenge: {}", u2fv2_challenge_str);
        success!("Sign challenge base64: {}", base64::encode(&u2fv2_challenge_str));
        success!("Sign result : {}", base64::encode(&sign_data));
        success!("- presence : {}", user_presence_flag);
        success!("- counter  : {}", u32::from_be_bytes([counter[0], counter[1], counter[2], counter[3]]));
        success!("- signature: {}", base64::encode(&signature));
        // success!("Key handle used: {}", base64::encode(&handle_used));
        success!("Key handle: {}", hex::encode(&handle_used));

        if let Some(public_key_hex) = sub_arg_matches.value_of("public-key-hex") {
            let public_key = opt_result!(hex::decode(public_key_hex), "Parse public key hex failed: {}");

            let client_data = u2fv2_challenge_str.as_bytes().to_vec();
            let app_id_hash = sha256(app_id.as_bytes());
            let client_data_hash = sha256(&client_data[..]);
            let mut msg = Vec::with_capacity(128);
            msg.extend_from_slice(&app_id_hash);
            msg.push(*user_presence_flag);
            msg.extend_from_slice(counter);
            msg.extend_from_slice(&client_data_hash);

            information!("Public key: {}", base64::encode(&public_key));
            information!("Signed message: {}", base64::encode(&msg));

            let authorization = u2f::authorization::parse_sign_response(
                app_id.to_string(),
                client_data,
                public_key,
                sign_data,
            );
            match authorization {
                Ok(authorization) => success!("Parse authorization success, counter: {}", authorization.counter),
                Err(e) => failure!("Parse authorization failed: {}", e),
            }
        }

        Ok(None)
    }
}