Compare commits
5 Commits
Author | SHA1 | Date |
---|---|---|
Nick Zana | fa6a8d4c1e | 6 months ago |
Nick Zana | cf003d07e6 | 12 months ago |
Nick Zana | ce905e422d | 12 months ago |
Nick Zana | 1daffb7db7 | 12 months ago |
Nick Zana | cf792b97cb | 1 year ago |
File diff suppressed because it is too large
Load Diff
@ -1,6 +1,6 @@
|
||||
#![feature(associated_const_equality, async_fn_in_trait)]
|
||||
#![allow(clippy::missing_errors_doc, incomplete_features)]
|
||||
|
||||
pub mod credential;
|
||||
pub mod discovery;
|
||||
pub mod mediation;
|
||||
// #![feature(associated_const_equality, async_fn_in_trait)]
|
||||
// #![allow(clippy::missing_errors_doc, incomplete_features)]
|
||||
//
|
||||
// pub mod credential;
|
||||
// pub mod discovery;
|
||||
// pub mod mediation;
|
||||
|
@ -0,0 +1,16 @@
|
||||
[package]
|
||||
name = "ctap2-platform"
|
||||
version = "0.1.0"
|
||||
edition = "2021"
|
||||
|
||||
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
|
||||
|
||||
[dependencies]
|
||||
aes = { version = "0.8.2", default-features = false, features = ["zeroize"] }
|
||||
cbc = { version = "0.1.2", default-features = false, features = ["zeroize"] }
|
||||
cosey = "0.3.0"
|
||||
ctap2-proto = { path = "../ctap2-proto" }
|
||||
hmac = { version = "0.12.1", default-features = false }
|
||||
p256 = { version = "0.13.2", default-features = false, features = ["ecdh", "sha2", "sha256", "pkcs8"] }
|
||||
rand = { version = "0.8.5", features = ["getrandom"], default-features = false }
|
||||
sha2 = { version = "0.10.6", default-features = false }
|
@ -0,0 +1,414 @@
|
||||
use crate::{prelude::client_pin::{PinUvAuthParam, self}, extensions::cred_protect};
|
||||
|
||||
use super::{Error, Request, Response, RelyingParty, Credential};
|
||||
use fido_common::{credential::public_key, Sha256Hash};
|
||||
use serde::{Deserialize, Serialize};
|
||||
use serde_with::{serde_as, Bytes};
|
||||
use std::borrow::Cow;
|
||||
|
||||
#[derive(Debug, Clone, Copy, Serialize, Deserialize)]
|
||||
#[serde(into = "u8", try_from = "u8")]
|
||||
pub(super) enum RawSubcommand {
|
||||
GetCredsMetadata = 0x01,
|
||||
EnumerateRpsBegin = 0x02,
|
||||
EnumerateRpsGetNextRp = 0x03,
|
||||
EnumerateCredentialsBegin = 0x04,
|
||||
EnumerateCredentialsGetNextCredential = 0x05,
|
||||
DeleteCredential = 0x06,
|
||||
UpdateUserInformation = 0x07,
|
||||
}
|
||||
|
||||
impl From<RawSubcommand> for u8 {
|
||||
fn from(val: RawSubcommand) -> Self {
|
||||
val as u8
|
||||
}
|
||||
}
|
||||
|
||||
impl TryFrom<u8> for RawSubcommand {
|
||||
type Error = Error;
|
||||
|
||||
fn try_from(value: u8) -> Result<Self, Self::Error> {
|
||||
Ok(match value {
|
||||
0x01 => RawSubcommand::GetCredsMetadata,
|
||||
0x02 => RawSubcommand::EnumerateRpsBegin,
|
||||
0x03 => RawSubcommand::EnumerateRpsGetNextRp,
|
||||
0x04 => RawSubcommand::EnumerateCredentialsBegin,
|
||||
0x05 => RawSubcommand::EnumerateCredentialsGetNextCredential,
|
||||
0x06 => RawSubcommand::DeleteCredential,
|
||||
0x07 => RawSubcommand::UpdateUserInformation,
|
||||
_ => return Err(Error::InvalidParameter),
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
#[serde_as]
|
||||
#[derive(Clone, Serialize, Deserialize)]
|
||||
pub(super) struct RawSubcommandParams<'a> {
|
||||
#[serde(rename = 0x01)]
|
||||
pub rp_id_hash: Option<Sha256Hash>,
|
||||
#[serde(rename = 0x02)]
|
||||
pub credential_id: Option<Cow<'a, public_key::Descriptor>>,
|
||||
#[serde(rename = 0x03)]
|
||||
pub user: Option<Cow<'a, public_key::UserEntity>>,
|
||||
}
|
||||
|
||||
#[serde_as]
|
||||
#[derive(Clone, Serialize, Deserialize)]
|
||||
pub(super) struct RawRequest<'a> {
|
||||
#[serde(rename = 0x01)]
|
||||
pub subcommand: RawSubcommand,
|
||||
#[serde(rename = 0x02, skip_serializing_if = "Option::is_none")]
|
||||
pub subcommand_params: Option<RawSubcommandParams<'a>>,
|
||||
#[serde(rename = 0x03)]
|
||||
pub pin_uv_auth_protocol: client_pin::auth_protocol::Version,
|
||||
#[serde_as(as = "Bytes")]
|
||||
#[serde(rename = 0x04)]
|
||||
pub pin_uv_auth_param: PinUvAuthParam,
|
||||
}
|
||||
|
||||
impl<'a> From<Request<'a>> for RawRequest<'a> {
|
||||
fn from(value: Request<'a>) -> Self {
|
||||
match value {
|
||||
Request::GetCredentialsMetadata {
|
||||
pin_uv_auth_protocol,
|
||||
pin_uv_auth_param,
|
||||
} => RawRequest {
|
||||
subcommand: RawSubcommand::GetCredsMetadata,
|
||||
subcommand_params: None,
|
||||
pin_uv_auth_protocol,
|
||||
pin_uv_auth_param,
|
||||
},
|
||||
Request::EnumerateRPsBegin {
|
||||
pin_uv_auth_protocol,
|
||||
pin_uv_auth_param,
|
||||
} => RawRequest {
|
||||
subcommand: RawSubcommand::EnumerateRpsBegin,
|
||||
subcommand_params: None,
|
||||
pin_uv_auth_protocol,
|
||||
pin_uv_auth_param,
|
||||
},
|
||||
Request::EnumerateRPsGetNextRP => todo!(),
|
||||
Request::EnumerateCredentialsBegin {
|
||||
relying_party_id_hash,
|
||||
pin_uv_auth_protocol,
|
||||
pin_uv_auth_param,
|
||||
} => RawRequest {
|
||||
subcommand: RawSubcommand::EnumerateCredentialsBegin,
|
||||
subcommand_params: Some(RawSubcommandParams {
|
||||
rp_id_hash: Some(relying_party_id_hash),
|
||||
credential_id: None,
|
||||
user: None,
|
||||
}),
|
||||
pin_uv_auth_protocol,
|
||||
pin_uv_auth_param,
|
||||
},
|
||||
Request::EnumerateCredentialsGetNextCredential => todo!(),
|
||||
Request::DeleteCredential {
|
||||
credential_id,
|
||||
pin_uv_auth_protocol,
|
||||
pin_uv_auth_param,
|
||||
} => RawRequest {
|
||||
subcommand: RawSubcommand::DeleteCredential,
|
||||
subcommand_params: Some(RawSubcommandParams {
|
||||
rp_id_hash: None,
|
||||
credential_id: Some(credential_id),
|
||||
user: None,
|
||||
}),
|
||||
pin_uv_auth_protocol,
|
||||
pin_uv_auth_param,
|
||||
},
|
||||
Request::UpdateUserInformation {
|
||||
credential_id,
|
||||
user,
|
||||
pin_uv_auth_protocol,
|
||||
pin_uv_auth_param,
|
||||
} => RawRequest {
|
||||
subcommand: RawSubcommand::UpdateUserInformation,
|
||||
subcommand_params: Some(RawSubcommandParams {
|
||||
rp_id_hash: None,
|
||||
credential_id: Some(credential_id),
|
||||
user: Some(user),
|
||||
}),
|
||||
pin_uv_auth_protocol,
|
||||
pin_uv_auth_param,
|
||||
},
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl<'a> TryFrom<RawRequest<'a>> for Request<'a> {
|
||||
type Error = Error;
|
||||
|
||||
fn try_from(value: RawRequest<'a>) -> Result<Self, Self::Error> {
|
||||
Ok(match value.subcommand {
|
||||
RawSubcommand::GetCredsMetadata => Request::GetCredentialsMetadata {
|
||||
pin_uv_auth_protocol: value.pin_uv_auth_protocol,
|
||||
pin_uv_auth_param: value.pin_uv_auth_param,
|
||||
},
|
||||
RawSubcommand::EnumerateRpsBegin => Request::EnumerateRPsBegin {
|
||||
pin_uv_auth_protocol: value.pin_uv_auth_protocol,
|
||||
pin_uv_auth_param: value.pin_uv_auth_param,
|
||||
},
|
||||
RawSubcommand::EnumerateRpsGetNextRp => Request::EnumerateRPsGetNextRP,
|
||||
RawSubcommand::EnumerateCredentialsBegin => Request::EnumerateCredentialsBegin {
|
||||
relying_party_id_hash: value
|
||||
.subcommand_params
|
||||
.ok_or(Error::MissingParameter)?
|
||||
.rp_id_hash
|
||||
.ok_or(Error::MissingParameter)?,
|
||||
pin_uv_auth_protocol: value.pin_uv_auth_protocol,
|
||||
pin_uv_auth_param: value.pin_uv_auth_param,
|
||||
},
|
||||
RawSubcommand::EnumerateCredentialsGetNextCredential => {
|
||||
Request::EnumerateCredentialsGetNextCredential
|
||||
}
|
||||
RawSubcommand::DeleteCredential => Request::DeleteCredential {
|
||||
credential_id: value
|
||||
.subcommand_params
|
||||
.ok_or(Error::MissingParameter)?
|
||||
.credential_id
|
||||
.ok_or(Error::MissingParameter)?,
|
||||
pin_uv_auth_protocol: value.pin_uv_auth_protocol,
|
||||
pin_uv_auth_param: value.pin_uv_auth_param,
|
||||
},
|
||||
RawSubcommand::UpdateUserInformation => {
|
||||
let subcommand_params = value.subcommand_params.ok_or(Error::MissingParameter)?;
|
||||
Request::UpdateUserInformation {
|
||||
credential_id: subcommand_params
|
||||
.credential_id
|
||||
.ok_or(Error::MissingParameter)?,
|
||||
user: subcommand_params.user.ok_or(Error::MissingParameter)?,
|
||||
pin_uv_auth_protocol: value.pin_uv_auth_protocol,
|
||||
pin_uv_auth_param: value.pin_uv_auth_param,
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Serialize, Deserialize)]
|
||||
pub(super) struct RawResponse {
|
||||
#[serde(rename = 0x01)]
|
||||
pub existing_resident_credentials_count: Option<usize>,
|
||||
#[serde(rename = 0x02)]
|
||||
pub max_possible_remaining_resident_credentials_count: Option<usize>,
|
||||
#[serde(rename = 0x03)]
|
||||
pub rp: Option<public_key::RelyingPartyEntity>,
|
||||
#[serde(rename = 0x04)]
|
||||
pub rp_id_hash: Option<Sha256Hash>,
|
||||
#[serde(rename = 0x05)]
|
||||
pub total_rps: Option<usize>,
|
||||
#[serde(rename = 0x06)]
|
||||
pub user: Option<public_key::UserEntity>,
|
||||
#[serde(rename = 0x07)]
|
||||
pub credential_id: Option<public_key::Descriptor>,
|
||||
#[serde(rename = 0x08)]
|
||||
pub public_key: Option<Vec<u8>>, // TODO: COSE_Key type
|
||||
#[serde(rename = 0x09)]
|
||||
pub total_credentials: Option<usize>,
|
||||
#[serde(rename = 0x0A)]
|
||||
pub cred_protect: Option<cred_protect::Policy>,
|
||||
#[serde(rename = 0x0B)]
|
||||
pub large_blob_key: Option<Vec<u8>>,
|
||||
#[serde(rename = 0x0C)]
|
||||
pub third_party_payment: Option<bool>,
|
||||
}
|
||||
|
||||
impl From<Response> for RawResponse {
|
||||
fn from(value: Response) -> Self {
|
||||
match value {
|
||||
Response::GetCredentialsMetadata {
|
||||
existing_resident_credentials_count,
|
||||
max_possible_remaining_resident_credentials_count,
|
||||
} => RawResponse {
|
||||
existing_resident_credentials_count: Some(existing_resident_credentials_count),
|
||||
max_possible_remaining_resident_credentials_count: Some(
|
||||
max_possible_remaining_resident_credentials_count,
|
||||
),
|
||||
rp: None,
|
||||
rp_id_hash: None,
|
||||
total_rps: None,
|
||||
user: None,
|
||||
credential_id: None,
|
||||
public_key: None,
|
||||
total_credentials: None,
|
||||
cred_protect: None,
|
||||
large_blob_key: None,
|
||||
third_party_payment: None,
|
||||
},
|
||||
Response::EnumerateRPsBegin {
|
||||
relying_party,
|
||||
total_relying_parties,
|
||||
} => RawResponse {
|
||||
existing_resident_credentials_count: None,
|
||||
max_possible_remaining_resident_credentials_count: None,
|
||||
rp: Some(relying_party.relying_party),
|
||||
rp_id_hash: Some(relying_party.relying_party_id_hash),
|
||||
total_rps: Some(total_relying_parties),
|
||||
user: None,
|
||||
credential_id: None,
|
||||
public_key: None,
|
||||
total_credentials: None,
|
||||
cred_protect: None,
|
||||
large_blob_key: None,
|
||||
third_party_payment: None,
|
||||
},
|
||||
Response::EnumerateRPsGetNextRP { relying_party } => RawResponse {
|
||||
existing_resident_credentials_count: None,
|
||||
max_possible_remaining_resident_credentials_count: None,
|
||||
rp: Some(relying_party.relying_party),
|
||||
rp_id_hash: Some(relying_party.relying_party_id_hash),
|
||||
total_rps: None,
|
||||
user: None,
|
||||
credential_id: None,
|
||||
public_key: None,
|
||||
total_credentials: None,
|
||||
cred_protect: None,
|
||||
large_blob_key: None,
|
||||
third_party_payment: None,
|
||||
},
|
||||
Response::EnumerateCredentialsBegin {
|
||||
credential,
|
||||
total_credentials,
|
||||
} => RawResponse {
|
||||
existing_resident_credentials_count: None,
|
||||
max_possible_remaining_resident_credentials_count: None,
|
||||
rp: None,
|
||||
rp_id_hash: None,
|
||||
total_rps: None,
|
||||
user: Some(credential.user),
|
||||
credential_id: Some(credential.credential_id),
|
||||
public_key: None,
|
||||
total_credentials: Some(total_credentials),
|
||||
cred_protect: None,
|
||||
large_blob_key: None,
|
||||
third_party_payment: None,
|
||||
},
|
||||
Response::EnumerateCredentialsGetNextCredential { credential } => RawResponse {
|
||||
existing_resident_credentials_count: None,
|
||||
max_possible_remaining_resident_credentials_count: None,
|
||||
rp: None,
|
||||
rp_id_hash: None,
|
||||
total_rps: None,
|
||||
user: Some(credential.user),
|
||||
credential_id: Some(credential.credential_id),
|
||||
public_key: None,
|
||||
total_credentials: None,
|
||||
cred_protect: None,
|
||||
large_blob_key: None,
|
||||
third_party_payment: None,
|
||||
},
|
||||
Response::DeleteCredential => RawResponse {
|
||||
existing_resident_credentials_count: None,
|
||||
max_possible_remaining_resident_credentials_count: None,
|
||||
rp: None,
|
||||
rp_id_hash: None,
|
||||
total_rps: None,
|
||||
user: None,
|
||||
credential_id: None,
|
||||
public_key: None,
|
||||
total_credentials: None,
|
||||
cred_protect: None,
|
||||
large_blob_key: None,
|
||||
third_party_payment: None,
|
||||
},
|
||||
Response::UpdateUserInformation => RawResponse {
|
||||
existing_resident_credentials_count: None,
|
||||
max_possible_remaining_resident_credentials_count: None,
|
||||
rp: None,
|
||||
rp_id_hash: None,
|
||||
total_rps: None,
|
||||
user: None,
|
||||
credential_id: None,
|
||||
public_key: None,
|
||||
total_credentials: None,
|
||||
cred_protect: None,
|
||||
large_blob_key: None,
|
||||
third_party_payment: None,
|
||||
},
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl TryFrom<RawResponse> for Response {
|
||||
type Error = Error;
|
||||
|
||||
fn try_from(value: RawResponse) -> Result<Self, Self::Error> {
|
||||
// These values are manually checked becaues I guess the client is expected to
|
||||
// hold the state of which type of request was made and subsequently
|
||||
// which type of response it is expecting, and thus the response does
|
||||
// not have a subcommand field.
|
||||
//
|
||||
// This should be compared against other implementations to see if there is a
|
||||
// better way to handle this.
|
||||
match value {
|
||||
RawResponse {
|
||||
existing_resident_credentials_count: Some(existing),
|
||||
max_possible_remaining_resident_credentials_count: Some(max),
|
||||
..
|
||||
} => Ok(Self::GetCredentialsMetadata {
|
||||
existing_resident_credentials_count: existing,
|
||||
max_possible_remaining_resident_credentials_count: max,
|
||||
}),
|
||||
RawResponse {
|
||||
rp: Some(rp),
|
||||
rp_id_hash: Some(rp_id_hash),
|
||||
total_rps: Some(total_rps),
|
||||
..
|
||||
} => Ok(Self::EnumerateRPsBegin {
|
||||
relying_party: RelyingParty {
|
||||
relying_party: rp,
|
||||
relying_party_id_hash: rp_id_hash,
|
||||
},
|
||||
total_relying_parties: total_rps,
|
||||
}),
|
||||
RawResponse {
|
||||
rp: Some(rp),
|
||||
rp_id_hash: Some(rp_id_hash),
|
||||
..
|
||||
} => Ok(Self::EnumerateRPsGetNextRP {
|
||||
relying_party: RelyingParty {
|
||||
relying_party: rp,
|
||||
relying_party_id_hash: rp_id_hash,
|
||||
},
|
||||
}),
|
||||
RawResponse {
|
||||
user: Some(user),
|
||||
credential_id: Some(credential_id),
|
||||
public_key: Some(public_key),
|
||||
total_credentials: Some(total_credentials),
|
||||
cred_protect: Some(cred_protect),
|
||||
large_blob_key: Some(large_blob_key),
|
||||
..
|
||||
} => Ok(Self::EnumerateCredentialsBegin {
|
||||
credential: Credential {
|
||||
user,
|
||||
credential_id,
|
||||
public_key,
|
||||
credential_protection_policy: cred_protect,
|
||||
large_blob_key,
|
||||
},
|
||||
total_credentials,
|
||||
}),
|
||||
RawResponse {
|
||||
user: Some(user),
|
||||
public_key: Some(public_key),
|
||||
credential_id: Some(credential_id),
|
||||
cred_protect: Some(cred_protect),
|
||||
large_blob_key: Some(large_blob_key),
|
||||
..
|
||||
} => Ok(Self::EnumerateCredentialsGetNextCredential {
|
||||
credential: Credential {
|
||||
user,
|
||||
credential_id,
|
||||
public_key,
|
||||
credential_protection_policy: cred_protect,
|
||||
large_blob_key,
|
||||
},
|
||||
}),
|
||||
// Looks like we have to have the context of what the request was to
|
||||
// know the response type when no fields are set...
|
||||
_ => todo!(),
|
||||
}
|
||||
}
|
||||
}
|
@ -0,0 +1,28 @@
|
||||
#[cfg(feature = "serde")]
|
||||
use serde::{Deserialize, Serialize};
|
||||
|
||||
#[repr(usize)]
|
||||
#[derive(Debug, Clone, Copy)]
|
||||
#[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
|
||||
pub enum Kind {
|
||||
/// > In this case, an enterprise attestation capable authenticator, on
|
||||
/// > which enterprise attestation is enabled, upon receiving the
|
||||
/// > enterpriseAttestation parameter with a value of 1 (or 2, see Note
|
||||
/// > below) on a authenticatorMakeCredential command, will provide
|
||||
/// > enterprise attestation to a non-updateable pre-configured RP ID
|
||||
/// > list, as identified by the enterprise and provided to the
|
||||
/// > authenticator vendor, which is "burned into" the authenticator by
|
||||
/// > the vendor.
|
||||
/// > If enterprise attestation is requested for any RP ID other than
|
||||
/// > the pre-configured RP ID(s), the attestation returned along with
|
||||
/// > the new credential is a regular privacy-preserving attestation,
|
||||
/// > i.e., NOT an enterprise attestation.
|
||||
VendorFacilitated = 1,
|
||||
/// > In this case, an enterprise attestation capable authenticator on
|
||||
/// > which enterprise attestation is enabled, upon receiving the
|
||||
/// > enterpriseAttestation parameter with a value of 2 on a
|
||||
/// > authenticatorMakeCredential command, will return an enterprise
|
||||
/// > attestation. The platform is enterprise-managed and has already
|
||||
/// > performed the necessary vetting of the RP ID.
|
||||
PlatformManaged = 2,
|
||||
}
|
@ -1,7 +1,11 @@
|
||||
pub mod authenticator;
|
||||
#![feature(cfg_eval, split_array, slice_take)]
|
||||
|
||||
pub mod attestation;
|
||||
pub mod authenticator;
|
||||
pub mod credential;
|
||||
pub mod extensions;
|
||||
pub mod registry;
|
||||
|
||||
pub type Sha256Hash = [u8; 32];
|
||||
|
||||
|
||||
|
@ -0,0 +1,29 @@
|
||||
[package]
|
||||
name = "hid-ctap2-proto"
|
||||
version = "0.1.0"
|
||||
edition = "2021"
|
||||
|
||||
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
|
||||
|
||||
[dependencies]
|
||||
ciborium = "0.2.1"
|
||||
ciborium-io = "0.2.1"
|
||||
ctap2-proto = { path = "../ctap2-proto", features = ["serde"] }
|
||||
hidapi = { version = "2.3.2" }
|
||||
ctaphid = { version = "0.3.1", default_features = false }
|
||||
<<<<<<< Updated upstream
|
||||
serde = "1.0.163"
|
||||
=======
|
||||
serde = "=1.0.136"
|
||||
ctap2-platform = { path = "../ctap2-platform" }
|
||||
sha2 = "0.10.6"
|
||||
hmac = { version = "0.12.1", default-features = false }
|
||||
>>>>>>> Stashed changes
|
||||
|
||||
[dev-dependencies]
|
||||
rand = "0.8.5"
|
||||
env_logger = "0.10.0"
|
||||
<<<<<<< Updated upstream
|
||||
=======
|
||||
hex = "0.4.3"
|
||||
>>>>>>> Stashed changes
|
@ -0,0 +1,140 @@
|
||||
use ctap2_proto::Command;
|
||||
use device::{DeviceInfo, HidDevice};
|
||||
|
||||
pub struct HidAuthenticator<D: ctaphid::HidDevice = HidDevice>(ctaphid::Device<D>);
|
||||
|
||||
impl TryFrom<hidapi::HidDevice> for HidAuthenticator<HidDevice> {
|
||||
type Error = ctaphid::error::Error;
|
||||
|
||||
fn try_from(device: hidapi::HidDevice) -> Result<Self, Self::Error> {
|
||||
let info = device
|
||||
.get_device_info()
|
||||
.map_err(|e| ctaphid::error::RequestError::PacketSendingFailed(Box::new(e)))?;
|
||||
let device = ctaphid::Device::new(HidDevice(device), DeviceInfo(info))?;
|
||||
Ok(Self(device))
|
||||
}
|
||||
}
|
||||
|
||||
mod device {
|
||||
//! Provides wrapper types for `hidapi` device types that implement required
|
||||
//! `ctaphid` interfaces.
|
||||
use std::borrow::Cow;
|
||||
|
||||
pub struct HidDevice(pub hidapi::HidDevice);
|
||||
#[derive(Debug)]
|
||||
pub struct DeviceInfo(pub hidapi::DeviceInfo);
|
||||
|
||||
impl ctaphid::HidDevice for HidDevice {
|
||||
type Info = DeviceInfo;
|
||||
|
||||
fn send(&self, data: &[u8]) -> Result<(), ctaphid::error::RequestError> {
|
||||
self.0
|
||||
.write(data)
|
||||
.map_err(|e| ctaphid::error::RequestError::PacketSendingFailed(e.into()))?;
|
||||
Ok(())
|
||||
}
|
||||
|
||||
fn receive<'a>(
|
||||
&self,
|
||||
buffer: &'a mut [u8],
|
||||
timeout: Option<std::time::Duration>,
|
||||
) -> Result<&'a [u8], ctaphid::error::ResponseError> {
|
||||
let timeout_millis: i32 = match timeout {
|
||||
Some(timeout) => timeout.as_millis() as i32,
|
||||
None => -1,
|
||||
};
|
||||
let count = self
|
||||
.0
|
||||
.read_timeout(buffer, timeout_millis)
|
||||
.map_err(|e| match e {
|
||||
hidapi::HidError::HidApiError { message } => {
|
||||
ctaphid::error::ResponseError::PacketReceivingFailed(message.into())
|
||||
}
|
||||
_ => todo!(),
|
||||
})?;
|
||||
|
||||
Ok(&buffer[..count])
|
||||
}
|
||||
}
|
||||
|
||||
impl ctaphid::HidDeviceInfo for DeviceInfo {
|
||||
fn vendor_id(&self) -> u16 {
|
||||
self.0.vendor_id()
|
||||
}
|
||||
|
||||
fn product_id(&self) -> u16 {
|
||||
self.0.product_id()
|
||||
}
|
||||
|
||||
fn path(&self) -> std::borrow::Cow<'_, str> {
|
||||
let path = self
|
||||
.0
|
||||
.path()
|
||||
.to_str()
|
||||
.expect("Device path must be valid UTF-8.");
|
||||
Cow::from(path)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl<D: ctaphid::HidDevice> HidAuthenticator<D> {
|
||||
<<<<<<< Updated upstream
|
||||
fn send_raw(&self, command: Command, bytes: &[u8]) -> Result<Vec<u8>, ctaphid::error::Error> {
|
||||
=======
|
||||
fn send_ctap1_raw(&self, bytes: &[u8]) -> Result<Vec<u8>, ctaphid::error::Error> {
|
||||
self.0.ctap1(bytes)
|
||||
}
|
||||
|
||||
fn send_ctap2_raw(
|
||||
&self,
|
||||
command: Command,
|
||||
bytes: &[u8],
|
||||
) -> Result<Vec<u8>, ctaphid::error::Error> {
|
||||
>>>>>>> Stashed changes
|
||||
self.0.ctap2(command as u8, bytes)
|
||||
}
|
||||
|
||||
pub fn send<Req, Res>(&self, command: Command, req: Req) -> Result<Res, ctaphid::error::Error>
|
||||
where
|
||||
Req: serde::Serialize,
|
||||
Res: for<'de> serde::Deserialize<'de>,
|
||||
{
|
||||
let mut data: Vec<u8> = Vec::new();
|
||||
ciborium::ser::into_writer(&req, &mut data).map_err(|e| match e {
|
||||
ciborium::ser::Error::Io(_) => ctaphid::error::RequestError::IncompleteWrite,
|
||||
ciborium::ser::Error::Value(desc) => {
|
||||
ctaphid::error::RequestError::PacketSendingFailed(desc.into())
|
||||
}
|
||||
})?;
|
||||
|
||||
<<<<<<< Updated upstream
|
||||
let response = self.send_raw(command, &data)?;
|
||||
|
||||
match ciborium::de::from_reader(response.as_slice()) {
|
||||
Ok(response) => Ok(response),
|
||||
// TODO: Improve error handling
|
||||
Err(e) => {
|
||||
println!("ERROR: {e}");
|
||||
todo!()
|
||||
}
|
||||
}
|
||||
=======
|
||||
let response = self.send_ctap2_raw(command, &data)?;
|
||||
|
||||
ciborium::de::from_reader(response.as_slice())
|
||||
.map_err(|e| match e {
|
||||
ciborium::de::Error::Io(io_err) => match io_err.kind() {
|
||||
std::io::ErrorKind::UnexpectedEof => ctaphid::types::ParseError::NotEnoughData,
|
||||
_ => todo!(),
|
||||
},
|
||||
ciborium::de::Error::Syntax(_) => todo!(),
|
||||
ciborium::de::Error::Semantic(pos, err) => {
|
||||
panic!("semantic error at {pos:#?}: {err:#?}")
|
||||
}
|
||||
ciborium::de::Error::RecursionLimitExceeded => todo!(),
|
||||
})
|
||||
.map_err(ctaphid::error::ResponseError::PacketParsingFailed)
|
||||
.map_err(ctaphid::error::Error::ResponseError)
|
||||
>>>>>>> Stashed changes
|
||||
}
|
||||
}
|
@ -0,0 +1,221 @@
|
||||
#![cfg_attr(test, feature(split_array, lazy_cell))]
|
||||
|
||||
use ctap2_proto::{prelude::*, Ctap2_2Authenticator};
|
||||
use hid::HidAuthenticator;
|
||||
|
||||
pub mod hid;
|
||||
|
||||
<<<<<<< Updated upstream
|
||||
=======
|
||||
#[cfg(test)]
|
||||
mod tests;
|
||||
|
||||
>>>>>>> Stashed changes
|
||||
impl<D: ctaphid::HidDevice> Ctap2_2Authenticator for HidAuthenticator<D> {
|
||||
fn make_credential(&mut self, request: make::Request) -> Result<make::Response, make::Error> {
|
||||
Ok(self
|
||||
.send(Command::AuthenticatorMakeCredential, request)
|
||||
.unwrap()) // TODO: Properly parse/convert errors
|
||||
}
|
||||
|
||||
fn get_assertion(&mut self, request: get::Request) -> Result<get::Response, get::Error> {
|
||||
Ok(self
|
||||
.send(Command::AuthenticatorGetAssertion, request)
|
||||
.unwrap())
|
||||
}
|
||||
|
||||
fn get_info(&self) -> device::Info {
|
||||
self.send(Command::AuthenticatorGetInfo, ()).unwrap()
|
||||
}
|
||||
|
||||
fn client_pin(
|
||||
<<<<<<< Updated upstream
|
||||
_request: client_pin::Request,
|
||||
) -> Result<client_pin::Response, client_pin::Error> {
|
||||
todo!()
|
||||
}
|
||||
|
||||
fn reset(&mut self) -> Result<(), reset::Error> {
|
||||
let _: () = self.send(Command::AuthenticatorReset, ()).unwrap();
|
||||
Ok(())
|
||||
}
|
||||
|
||||
fn selection() -> Result<(), ctap2_proto::authenticator::selection::Error> {
|
||||
todo!()
|
||||
}
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
extern crate hidapi;
|
||||
|
||||
use std::sync::{LazyLock, Mutex};
|
||||
|
||||
use crate::hid::HidAuthenticator;
|
||||
use ctap2_proto::prelude::{credential::public_key, *};
|
||||
use rand::{distributions, Rng};
|
||||
|
||||
static AUTHENTICATOR: LazyLock<Mutex<Option<HidAuthenticator>>> =
|
||||
LazyLock::new(|| Mutex::new(get_authenticator()));
|
||||
|
||||
fn init() {
|
||||
let _ = env_logger::builder().is_test(true).try_init();
|
||||
}
|
||||
|
||||
fn get_authenticator() -> Option<HidAuthenticator> {
|
||||
let hidapi = hidapi::HidApi::new().unwrap();
|
||||
for info in hidapi.device_list() {
|
||||
let Ok(device) = info.open_device(&hidapi) else {
|
||||
continue;
|
||||
};
|
||||
let Ok(authenticator) = device.try_into() else { continue };
|
||||
return Some(authenticator);
|
||||
}
|
||||
|
||||
None
|
||||
}
|
||||
|
||||
// #[test]
|
||||
fn reset() {
|
||||
init();
|
||||
|
||||
let mut guard = AUTHENTICATOR.lock().unwrap();
|
||||
let authenticator = guard.as_mut().unwrap();
|
||||
|
||||
authenticator.reset().unwrap();
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn test_get_info() {
|
||||
init();
|
||||
|
||||
let guard = AUTHENTICATOR.lock().unwrap();
|
||||
let authenticator = guard.as_ref().unwrap();
|
||||
|
||||
let info = authenticator.get_info();
|
||||
println!("deserialized: {:#?}", info);
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn make_credential() {
|
||||
init();
|
||||
|
||||
let mut guard = AUTHENTICATOR.lock().unwrap();
|
||||
let authenticator = guard.as_mut().unwrap();
|
||||
|
||||
let info = authenticator.get_info();
|
||||
|
||||
let client_data_hash: Vec<u8> = rand::thread_rng()
|
||||
.sample_iter(&distributions::Standard)
|
||||
.take(32)
|
||||
.collect();
|
||||
|
||||
let user_id = rand::thread_rng()
|
||||
.sample_iter(&distributions::Standard)
|
||||
.take(32)
|
||||
.collect();
|
||||
|
||||
let rp = public_key::RelyingPartyEntity {
|
||||
id: "com.example".to_string(),
|
||||
name: Some("Example Inc.".into()),
|
||||
};
|
||||
|
||||
let user = public_key::UserEntity {
|
||||
id: user_id,
|
||||
name: Some("example_user".to_string()),
|
||||
display_name: Some("Example User".to_string()),
|
||||
};
|
||||
|
||||
let pub_key_params = info.algorithms.unwrap();
|
||||
|
||||
let options = [(make::OptionKey::Discoverable, true)].into();
|
||||
|
||||
let req = make::Request::builder()
|
||||
.client_data_hash(&client_data_hash.split_array_ref::<32>().0)
|
||||
.relying_party(&rp)
|
||||
.user(&user)
|
||||
.public_key_credential_params(pub_key_params.as_slice())
|
||||
.options(&options)
|
||||
.build();
|
||||
|
||||
println!("request: {req:#?}");
|
||||
let response = authenticator.make_credential(req);
|
||||
println!("response: {response:#?}");
|
||||
|
||||
let req = get::Request {
|
||||
relying_party_id: &rp.id,
|
||||
client_data_hash: client_data_hash.as_slice().try_into().unwrap(),
|
||||
allow_list: None,
|
||||
extensions: None,
|
||||
options: None,
|
||||
pin_uv_auth_param: None,
|
||||
pin_uv_auth_protocol_version: None,
|
||||
};
|
||||
|
||||
println!("request: {req:#?}");
|
||||
let response = authenticator.get_assertion(req);
|
||||
println!("response: {response:#?}");
|
||||
}
|
||||
}
|
||||
=======
|
||||
&mut self,
|
||||
request: client_pin::Request,
|
||||
) -> Result<client_pin::Response, client_pin::Error> {
|
||||
let response = self.send(Command::AuthenticatorClientPin, request.clone());
|
||||
match &request {
|
||||
client_pin::Request::SetPin { .. } | client_pin::Request::ChangePin { .. } => {
|
||||
// Workaround for ctaphid not supporting empty response types
|
||||
let Err(ctaphid::error::Error::ResponseError(
|
||||
ctaphid::error::ResponseError::PacketParsingFailed(
|
||||
ctaphid::types::ParseError::NotEnoughData,
|
||||
),
|
||||
)) = response else {
|
||||
return Ok(response.unwrap());
|
||||
};
|
||||
Ok(client_pin::Response::SetPin)
|
||||
}
|
||||
_ => Ok(response.unwrap()),
|
||||
}
|
||||
}
|
||||
|
||||
fn reset(&mut self) -> Result<(), reset::Error> {
|
||||
use ctaphid::{
|
||||
error::{Error, ResponseError},
|
||||
types::ParseError,
|
||||
};
|
||||
|
||||
let response = self.send::<_, ()>(Command::AuthenticatorReset, &[0u8; 0]);
|
||||
|
||||
// Workaround for ctaphid not supporting empty response types
|
||||
let Err(Error::ResponseError(ResponseError::PacketParsingFailed(ParseError::NotEnoughData))) = response else {
|
||||
return Ok(response.unwrap());
|
||||
};
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
fn selection(&mut self) -> Result<(), ctap2_proto::authenticator::selection::Error> {
|
||||
todo!()
|
||||
}
|
||||
|
||||
fn bio_enrollment(
|
||||
&mut self,
|
||||
request: bio_enrollment::Request,
|
||||
) -> Result<bio_enrollment::Response, bio_enrollment::Error> {
|
||||
todo!()
|
||||
}
|
||||
|
||||
fn credential_management(
|
||||
&mut self,
|
||||
request: management::Request,
|
||||
) -> Result<management::Response, management::Error> {
|
||||
Ok(self
|
||||
.send(Command::PrototypeAuthenticatorCredentialManagement, request)
|
||||
.unwrap())
|
||||
}
|
||||
|
||||
fn authenticator_config(&mut self, request: config::Request) -> Result<(), config::Error> {
|
||||
todo!()
|
||||
}
|
||||
}
|
||||
>>>>>>> Stashed changes
|
@ -0,0 +1,152 @@
|
||||
extern crate hidapi;
|
||||
|
||||
use crate::hid::HidAuthenticator;
|
||||
use ctap2_proto::prelude::{
|
||||
client_pin::auth_protocol::{self, platform::Session},
|
||||
credential::public_key,
|
||||
*,
|
||||
};
|
||||
use rand::{distributions, Rng};
|
||||
use std::sync::{LazyLock, Mutex};
|
||||
|
||||
mod test_client_pin;
|
||||
mod test_credential_management;
|
||||
|
||||
static AUTHENTICATOR: LazyLock<Mutex<Option<HidAuthenticator>>> =
|
||||
LazyLock::new(|| Mutex::new(get_authenticator()));
|
||||
|
||||
fn init() {
|
||||
let _ = env_logger::builder().is_test(true).try_init();
|
||||
}
|
||||
|
||||
fn get_authenticator() -> Option<HidAuthenticator> {
|
||||
init(); // done here to ensure init is only run once
|
||||
|
||||
let hidapi = hidapi::HidApi::new().unwrap();
|
||||
for info in hidapi.device_list() {
|
||||
let Ok(device) = info.open_device(&hidapi) else {
|
||||
continue;
|
||||
};
|
||||
let Ok(authenticator) = device.try_into() else { continue };
|
||||
return Some(authenticator);
|
||||
}
|
||||
|
||||
None
|
||||
}
|
||||
|
||||
fn get_session(authenticator: &mut HidAuthenticator) -> ctap2_platform::Session {
|
||||
let info = authenticator.get_info();
|
||||
assert!(info
|
||||
.pin_uv_auth_protocols
|
||||
.unwrap()
|
||||
.contains(&auth_protocol::Version::One));
|
||||
|
||||
let version = auth_protocol::Version::One;
|
||||
|
||||
// Getting Shared Secret K
|
||||
let req = client_pin::Request::GetKeyAgreement { version };
|
||||
println!("request: {req:#?}");
|
||||
let res = authenticator.client_pin(req).unwrap();
|
||||
println!("response: {res:#?}");
|
||||
|
||||
let client_pin::Response::GetKeyAgreement { key_agreement } = res else {
|
||||
panic!("unexpected response");
|
||||
};
|
||||
let session = ctap2_platform::Session::initialize(key_agreement).unwrap();
|
||||
|
||||
return session;
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn test_get_info() {
|
||||
let guard = AUTHENTICATOR.lock().unwrap();
|
||||
let authenticator = guard.as_ref().unwrap();
|
||||
|
||||
let info = authenticator.get_info();
|
||||
println!("deserialized: {:#?}", info);
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn test_reset() {
|
||||
let mut guard = AUTHENTICATOR.lock().unwrap();
|
||||
let guarded_authenticator = guard.as_mut().unwrap();
|
||||
|
||||
println!("Remove and re-insert your YubiKey to perform the reset...");
|
||||
|
||||
// Wait for the authenticator to be removed
|
||||
while let Some(_) = get_authenticator() {
|
||||
std::thread::sleep(std::time::Duration::from_millis(500));
|
||||
}
|
||||
|
||||
// Wait for the authenticator to be re-inserted
|
||||
let authenticator = loop {
|
||||
if let Some(authenticator) = get_authenticator() {
|
||||
break authenticator;
|
||||
}
|
||||
std::thread::sleep(std::time::Duration::from_millis(500));
|
||||
};
|
||||
|
||||
*guarded_authenticator = authenticator;
|
||||
|
||||
// Reset the authenticator
|
||||
guarded_authenticator.reset().unwrap();
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn test_make_credential() {
|
||||
let mut guard = AUTHENTICATOR.lock().unwrap();
|
||||
let authenticator = guard.as_mut().unwrap();
|
||||
|
||||
let info = authenticator.get_info();
|
||||
|
||||
let client_data_hash: Vec<u8> = rand::thread_rng()
|
||||
.sample_iter(&distributions::Standard)
|
||||
.take(32)
|
||||
.collect();
|
||||
|
||||
let user_id = rand::thread_rng()
|
||||
.sample_iter(&distributions::Standard)
|
||||
.take(32)
|
||||
.collect();
|
||||
|
||||
let rp = public_key::RelyingPartyEntity {
|
||||
id: "com.example".to_string(),
|
||||
name: Some("Example Inc.".into()),
|
||||
};
|
||||
|
||||
let user = public_key::UserEntity {
|
||||
id: user_id,
|
||||
name: Some("example_user".to_string()),
|
||||
display_name: Some("Example User".to_string()),
|
||||
};
|
||||
|
||||
let pub_key_params: Vec<_> = info.algorithms.unwrap().into_iter().collect();
|
||||
|
||||
let options = [(make::OptionKey::Discoverable, true)].into();
|
||||
|
||||
let req = make::Request::builder()
|
||||
.client_data_hash(&client_data_hash.split_array_ref::<32>().0)
|
||||
.relying_party(&rp)
|
||||
.user(&user)
|
||||
.public_key_credential_params(&pub_key_params)
|
||||
.options(&options)
|
||||
.build();
|
||||
|
||||
println!("request: {req:#?}");
|
||||
let response = authenticator.make_credential(req);
|
||||
println!("response: {response:#?}");
|
||||
|
||||
let req = get::Request {
|
||||
relying_party_id: &rp.id,
|
||||
client_data_hash: client_data_hash.as_slice().try_into().unwrap(),
|
||||
allow_list: None,
|
||||
extensions: None,
|
||||
options: None,
|
||||
pin_uv_auth_param: None,
|
||||
pin_uv_auth_protocol_version: None,
|
||||
};
|
||||
|
||||
println!("request: {req:#?}");
|
||||
let response = authenticator.get_assertion(req);
|
||||
println!("response: {response:#?}");
|
||||
}
|
@ -0,0 +1,247 @@
|
||||
use super::get_session;
|
||||
use crate::tests::AUTHENTICATOR;
|
||||
use ctap2_proto::{
|
||||
prelude::{
|
||||
client_pin::{
|
||||
auth_protocol::{self, platform::Session},
|
||||
Permission, Request, Response,
|
||||
},
|
||||
device,
|
||||
},
|
||||
Ctap2_2Authenticator,
|
||||
};
|
||||
use sha2::Digest;
|
||||
|
||||
#[test]
|
||||
fn test_get_pin_retries() {
|
||||
let mut guard = AUTHENTICATOR.lock().unwrap();
|
||||
let authenticator = guard.as_mut().unwrap();
|
||||
|
||||
let req = Request::GetPinRetries;
|
||||
println!("request: {req:#?}");
|
||||
let res = authenticator.client_pin(req).unwrap();
|
||||
println!("response: {res:#?}");
|
||||
|
||||
let Response::GetPinRetries {
|
||||
pin_retries,
|
||||
power_cycle_state,
|
||||
} = res
|
||||
else {
|
||||
panic!("unexpected response");
|
||||
};
|
||||
|
||||
println!(
|
||||
"pin_retries: {:#?}, power_cycle_state: {:#?}",
|
||||
pin_retries, power_cycle_state
|
||||
);
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn test_get_key_agreement() {
|
||||
let mut guard = AUTHENTICATOR.lock().unwrap();
|
||||
let mut authenticator = guard.as_mut().unwrap();
|
||||
|
||||
get_session(&mut authenticator);
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn test_set_new_pin() {
|
||||
let mut guard = AUTHENTICATOR.lock().unwrap();
|
||||
let mut authenticator = guard.as_mut().unwrap();
|
||||
|
||||
let version = auth_protocol::Version::One;
|
||||
let session = get_session(&mut authenticator);
|
||||
|
||||
let pin = "12345678";
|
||||
let mut padded_pin = [0u8; 64];
|
||||
pin.as_bytes().iter().enumerate().for_each(|(i, b)| {
|
||||
padded_pin[i] = *b;
|
||||
});
|
||||
let padded_pin: [[u8; 16]; 4] = unsafe { std::mem::transmute(padded_pin) };
|
||||
let new_pin_encrypted = session.encrypt(&padded_pin).unwrap();
|
||||
let new_pin_encrypted = new_pin_encrypted.into_iter().flatten().collect::<Vec<_>>();
|
||||
|
||||
println!("new_pin_encrypted: {:#?}", new_pin_encrypted);
|
||||
|
||||
// Set New Pin
|
||||
let req = Request::SetPin {
|
||||
key_agreement: session.platform_key_agreement_key().clone(),
|
||||
new_pin_encrypted: new_pin_encrypted.split_array_ref::<64>().0.to_owned(),
|
||||
pin_uv_auth_param: session.authenticate(&new_pin_encrypted).unwrap(),
|
||||
version,
|
||||
};
|
||||
println!("request: {req:#?}");
|
||||
let res = authenticator.client_pin(req).unwrap();
|
||||
println!("response: {res:#?}");
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn test_change_pin() {
|
||||
let mut guard = AUTHENTICATOR.lock().unwrap();
|
||||
let mut authenticator = guard.as_mut().unwrap();
|
||||
|
||||
let version = auth_protocol::Version::One;
|
||||
let session = get_session(&mut authenticator);
|
||||
|
||||
let old_pin = "12345678";
|
||||
let new_pin = "87654321";
|
||||
|
||||
let mut padded_new_pin = [0u8; 64];
|
||||
new_pin.as_bytes().iter().enumerate().for_each(|(i, b)| {
|
||||
padded_new_pin[i] = *b;
|
||||
});
|
||||
let padded_new_pin: [[u8; 16]; 4] = unsafe { std::mem::transmute(padded_new_pin) };
|
||||
let new_pin_encrypted = session.encrypt(&padded_new_pin).unwrap();
|
||||
let new_pin_encrypted = new_pin_encrypted.into_iter().flatten().collect::<Vec<_>>();
|
||||
|
||||
println!("new_pin_encrypted: {:#?}", new_pin_encrypted);
|
||||
|
||||
// pinHashEnc: The result of calling encrypt(shared secret,
|
||||
// LEFT(SHA-256(curPin), 16)).
|
||||
let pin_hash_encrypted = session
|
||||
.encrypt(&[*sha2::Sha256::digest(old_pin.as_bytes())
|
||||
.split_array_ref::<16>()
|
||||
.0])
|
||||
.unwrap()[0];
|
||||
|
||||
// newPinEnc: the result of calling encrypt(shared secret, paddedPin)
|
||||
let new_pin_encrypted = session.encrypt(&padded_new_pin).unwrap();
|
||||
let new_pin_encrypted = unsafe { std::mem::transmute::<_, [u8; 64]>(new_pin_encrypted) };
|
||||
|
||||
// pinUvAuthParam: the result of calling authenticate(shared secret, newPinEnc
|
||||
// || pinHashEnc).
|
||||
let pin_uv_auth_param = session
|
||||
.authenticate(
|
||||
[new_pin_encrypted.as_slice(), pin_hash_encrypted.as_slice()]
|
||||
.concat()
|
||||
.as_slice(),
|
||||
)
|
||||
.unwrap();
|
||||
|
||||
// Change Pin
|
||||
let req = Request::ChangePin {
|
||||
version,
|
||||
pin_hash_encrypted,
|
||||
new_pin_encrypted,
|
||||
pin_uv_auth_param,
|
||||
key_agreement: session.platform_key_agreement_key().clone(),
|
||||
};
|
||||
println!("request: {req:#?}");
|
||||
let res = authenticator.client_pin(req).unwrap();
|
||||
println!("response: {res:#?}");
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn test_get_pin_token() {
|
||||
let mut guard = AUTHENTICATOR.lock().unwrap();
|
||||
let mut authenticator = guard.as_mut().unwrap();
|
||||
|
||||
let version = auth_protocol::Version::One;
|
||||
let session = get_session(&mut authenticator);
|
||||
|
||||
let pin = "87654321";
|
||||
|
||||
let mut padded_pin = [0u8; 64];
|
||||
pin.as_bytes().iter().enumerate().for_each(|(i, b)| {
|
||||
padded_pin[i] = *b;
|
||||
});
|
||||
let padded_pin: [[u8; 16]; 4] = unsafe { std::mem::transmute(padded_pin) };
|
||||
let new_pin_encrypted = session.encrypt(&padded_pin).unwrap();
|
||||
let new_pin_encrypted = new_pin_encrypted.into_iter().flatten().collect::<Vec<_>>();
|
||||
|
||||
println!("new_pin_encrypted: {:#?}", new_pin_encrypted);
|
||||
|
||||
// pinHashEnc: The result of calling encrypt(shared secret,
|
||||
// LEFT(SHA-256(curPin), 16)).
|
||||
let pin_hash_encrypted = session
|
||||
.encrypt(&[*sha2::Sha256::digest(pin.as_bytes())
|
||||
.split_array_ref::<16>()
|
||||
.0])
|
||||
.unwrap()[0];
|
||||
|
||||
// Get Pin Token
|
||||
let req = Request::GetPinToken {
|
||||
key_agreement: session.platform_key_agreement_key().clone(),
|
||||
version,
|
||||
pin_hash_encrypted,
|
||||
};
|
||||
println!("request: {req:#?}");
|
||||
let res = authenticator.client_pin(req).unwrap();
|
||||
println!("response: {res:#?}");
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn test_get_pin_uv_auth_token_using_uv_with_permissions() {
|
||||
let mut guard = AUTHENTICATOR.lock().unwrap();
|
||||
let authenticator = guard.as_mut().unwrap();
|
||||
|
||||
let info = authenticator.get_info();
|
||||
|
||||
if let Some(options) = info.options {
|
||||
if !options.contains_key(&device::OptionId::UserVerification) {
|
||||
panic!("UserVerification not supported");
|
||||
}
|
||||
}
|
||||
|
||||
todo!()
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn test_get_uv_retries() {
|
||||
let mut guard = AUTHENTICATOR.lock().unwrap();
|
||||
let authenticator = guard.as_mut().unwrap();
|
||||
|
||||
let options = authenticator.get_info().options.unwrap();
|
||||
if !options.contains_key(&device::OptionId::UserVerification) {
|
||||
panic!("UserVerification not supported");
|
||||
}
|
||||
|
||||
// Get UV Retries
|
||||
let req = Request::GetUvRetries;
|
||||
println!("request: {req:#?}");
|
||||
let res = authenticator.client_pin(req).unwrap();
|
||||
println!("response: {res:#?}");
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn test_get_pin_uv_auth_token_using_pin_with_permissions() {
|
||||
let mut guard = AUTHENTICATOR.lock().unwrap();
|
||||
let mut authenticator = guard.as_mut().unwrap();
|
||||
|
||||
let info = authenticator.get_info();
|
||||
if let Some(options) = info.options {
|
||||
if !options
|
||||
.get(&device::OptionId::UserVerification)
|
||||
.unwrap_or(&false)
|
||||
|| !options.get(&device::OptionId::ClientPin).unwrap_or(&false)
|
||||
{
|
||||
panic!("UserVerification or ClientPin not supported");
|
||||
}
|
||||
}
|
||||
|
||||
let pin = "87654321";
|
||||
let pin_hash_encrypted = sha2::Sha256::digest(pin.as_bytes())
|
||||
.split_array_ref::<16>()
|
||||
.0
|
||||
.to_owned();
|
||||
|
||||
let version = auth_protocol::Version::One;
|
||||
let session = get_session(&mut authenticator);
|
||||
|
||||
let req = Request::GetPinUvAuthTokenUsingPinWithPermissions {
|
||||
version,
|
||||
key_agreement: session.platform_key_agreement_key().clone(),
|
||||
pin_hash_encrypted,
|
||||
permissions: &[
|
||||
Permission::MakeCredential,
|
||||
Permission::GetAssertion,
|
||||
Permission::CredentialManagement,
|
||||
]
|
||||
.into_iter()
|
||||
.collect(),
|
||||
relying_party_id: Some("example.com".into()),
|
||||
};
|
||||
println!("request: {req:#?}");
|
||||
let res = authenticator.client_pin(req).unwrap();
|
||||
println!("response: {res:#?}");
|
||||
}
|
@ -0,0 +1,67 @@
|
||||
use ctap2_proto::{
|
||||
prelude::{
|
||||
client_pin::{self, auth_protocol::platform::Session, Permission, PinUvAuthToken},
|
||||
credential, management,
|
||||
},
|
||||
Ctap2_2Authenticator,
|
||||
};
|
||||
use hmac::{Hmac, Mac};
|
||||
use sha2::Digest;
|
||||
|
||||
use super::{get_session, AUTHENTICATOR};
|
||||
|
||||
#[test]
|
||||
fn test_get_credentials_metadata() {
|
||||
let mut guard = AUTHENTICATOR.lock().unwrap();
|
||||
let mut authenticator = guard.as_mut().unwrap();
|
||||
|
||||
let session = get_session(&mut authenticator);
|
||||
|
||||
let pin = "87654321";
|
||||
|
||||
// pinHashEnc: The result of calling encrypt(shared secret,
|
||||
// LEFT(SHA-256(curPin), 16)).
|
||||
let pin_hash_encrypted = session
|
||||
.encrypt(&[*sha2::Sha256::digest(pin.as_bytes())
|
||||
.split_array_ref::<16>()
|
||||
.0])
|
||||
.unwrap()[0];
|
||||
|
||||
let req = client_pin::Request::GetPinToken {
|
||||
version: client_pin::auth_protocol::Version::One,
|
||||
key_agreement: session.platform_key_agreement_key().clone(),
|
||||
pin_hash_encrypted,
|
||||
};
|
||||
|
||||
let res = authenticator.client_pin(req).unwrap();
|
||||
|
||||
let client_pin::Response::GetPinToken { pin_uv_auth_token } = res else {
|
||||
panic!("expected GetPinToken response");
|
||||
};
|
||||
|
||||
let PinUvAuthToken::Long(pin_uv_auth_token) = pin_uv_auth_token else {
|
||||
panic!("Expected long pinuvauthtoken");
|
||||
};
|
||||
|
||||
// Decrypt pin_uv_auth_token
|
||||
let encrypted: &[_; 2] = unsafe { std::mem::transmute(&pin_uv_auth_token) };
|
||||
let pin_uv_auth_token: [u8; 32] = unsafe { std::mem::transmute(session.decrypt(encrypted)) };
|
||||
|
||||
// pinAuth (0x04): LEFT(HMAC-SHA-256(pinToken, getCredsMetadata (0x01)), 16).
|
||||
let mut mac = Hmac::<sha2::Sha256>::new_from_slice(pin_uv_auth_token.as_ref()).unwrap();
|
||||
|
||||
mac.update(&[0x01]);
|
||||
|
||||
let pin_uv_auth_param: [u8; 16] = mac
|
||||
.finalize()
|
||||
.into_bytes()
|
||||
.split_array_ref::<16>()
|
||||
.0
|
||||
.to_owned();
|
||||
|
||||
let req = management::Request::GetCredentialsMetadata {
|
||||
pin_uv_auth_protocol: client_pin::auth_protocol::Version::One,
|
||||
pin_uv_auth_param,
|
||||
};
|
||||
let res = authenticator.credential_management(req).unwrap();
|
||||
}
|
@ -1,34 +1,34 @@
|
||||
#![feature(async_fn_in_trait, adt_const_params, associated_const_equality)]
|
||||
#![allow(incomplete_features, clippy::unused_async, clippy::doc_markdown)]
|
||||
|
||||
pub mod attestation;
|
||||
pub mod authenticator;
|
||||
pub mod client;
|
||||
pub mod public_key;
|
||||
pub mod token;
|
||||
|
||||
#[cfg(feature = "serde")]
|
||||
use serde::{Deserialize, Serialize};
|
||||
|
||||
#[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
|
||||
#[derive(Debug, Clone, Copy)]
|
||||
/// > A WebAuthn Relying Party may require user verification for some of its
|
||||
/// > operations but not for others, and may use this type to express its needs.
|
||||
pub enum UserVerificationRequirement {
|
||||
/// > The Relying Party requires user verification for the operation and
|
||||
/// > will fail the overall ceremony if the response does not have the UV
|
||||
/// > flag set. The client MUST return an error if user verification cannot
|
||||
/// > be performed.
|
||||
#[cfg_attr(feature = "serde", serde(rename = "required"))]
|
||||
Required,
|
||||
/// > The Relying Party prefers user verification for the operation if
|
||||
/// > possible, but will not fail the operation if the response does not
|
||||
/// > have the UV flag set.
|
||||
#[cfg_attr(feature = "serde", serde(rename = "preferred"))]
|
||||
Preferred,
|
||||
/// > The Relying Party does not want user verification employed during the
|
||||
/// > operation (e.g., in the interest of minimizing disruption to the user
|
||||
/// > interaction flow).
|
||||
#[cfg_attr(feature = "serde", serde(rename = "discouraged"))]
|
||||
Discouraged,
|
||||
}
|
||||
// #![feature(async_fn_in_trait, adt_const_params, associated_const_equality)]
|
||||
// #![allow(incomplete_features, clippy::unused_async, clippy::doc_markdown)]
|
||||
//
|
||||
// pub mod attestation;
|
||||
// pub mod authenticator;
|
||||
// pub mod client;
|
||||
// pub mod public_key;
|
||||
// pub mod token;
|
||||
//
|
||||
// #[cfg(feature = "serde")]
|
||||
// use serde::{Deserialize, Serialize};
|
||||
//
|
||||
// #[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
|
||||
// #[derive(Debug, Clone, Copy)]
|
||||
// > A WebAuthn Relying Party may require user verification for some of its
|
||||
// > operations but not for others, and may use this type to express its needs.
|
||||
// pub enum UserVerificationRequirement {
|
||||
// > The Relying Party requires user verification for the operation and
|
||||
// > will fail the overall ceremony if the response does not have the UV
|
||||
// > flag set. The client MUST return an error if user verification cannot
|
||||
// > be performed.
|
||||
// #[cfg_attr(feature = "serde", serde(rename = "required"))]
|
||||
// Required,
|
||||
// > The Relying Party prefers user verification for the operation if
|
||||
// > possible, but will not fail the operation if the response does not
|
||||
// > have the UV flag set.
|
||||
// #[cfg_attr(feature = "serde", serde(rename = "preferred"))]
|
||||
// Preferred,
|
||||
// > The Relying Party does not want user verification employed during the
|
||||
// > operation (e.g., in the interest of minimizing disruption to the user
|
||||
// > interaction flow).
|
||||
// #[cfg_attr(feature = "serde", serde(rename = "discouraged"))]
|
||||
// Discouraged,
|
||||
// }
|
||||
|
Loading…
Reference in New Issue