coelner/pico-fido
1
0
Fork 0
mirror of https://github.com/polhenarejos/pico-fido.git synced 2024-09-20 03:10:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

Moving AUT UNLOCK to Vendor command instead of using VendorConfig.

Browse Source 
To do this a MSE command is added, to manage a secure environment. It performs a ephemeral ECDH exchange to derive a shared secret that will be used by vendor commands to convey ciphered data.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
This commit is contained in:
Pol Henarejos 2022-10-30 00:47:50 +02:00
parent 9a8f4c0f4d
commit 4577e4430c
No known key found for this signature in database
GPG Key ID: C0095B7870A4CCD3
5 changed files with 288 additions and 282 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

135
src/fido/cbor_config.c
View File

@ -29,9 +29,6 @@
#include "mbedtls/chachapoly.h" #include "mbedtls/chachapoly.h"
#include "mbedtls/hkdf.h" #include "mbedtls/hkdf.h"
static mbedtls_ecdh_context hkey;
static bool hkey_init = false;
extern uint8_t keydev_dec[32]; extern uint8_t keydev_dec[32];
extern bool has_keydev_dec; extern bool has_keydev_dec;
@ -40,10 +37,9 @@ int cbor_config(const uint8_t *data, size_t len) {
CborValue map; CborValue map;
CborError error = CborNoError; CborError error = CborNoError;
uint64_t subcommand = 0, pinUvAuthProtocol = 0, vendorCommandId = 0; uint64_t subcommand = 0, pinUvAuthProtocol = 0, vendorCommandId = 0;
int64_t kty = 0, alg = 0, crv = 0; CborByteString pinUvAuthParam = {0}, vendorAutCt = {0};
CborByteString pinUvAuthParam = {0}, vendorAutCt = {0}, kax = {0}, kay = {0};
size_t resp_size = 0; size_t resp_size = 0;
CborEncoder encoder, mapEncoder, mapEncoder2; CborEncoder encoder, mapEncoder;
CBOR_CHECK(cbor_parser_init(data, len, 0, &parser, &map)); CBOR_CHECK(cbor_parser_init(data, len, 0, &parser, &map));
uint64_t val_c = 1; uint64_t val_c = 1;
@ -67,30 +63,6 @@ int cbor_config(const uint8_t *data, size_t len) {
CBOR_FIELD_GET_UINT(vendorCommandId, 2); CBOR_FIELD_GET_UINT(vendorCommandId, 2);
} }
else if (subpara == 0x02) { else if (subpara == 0x02) {
int64_t key = 0;
CBOR_PARSE_MAP_START(_f2, 3) {
CBOR_FIELD_GET_INT(key, 3);
if (key == 1) {
CBOR_FIELD_GET_INT(kty, 3);
}
else if (key == 3) {
CBOR_FIELD_GET_INT(alg, 3);
}
else if (key == -1) {
CBOR_FIELD_GET_INT(crv, 3);
}
else if (key == -2) {
CBOR_FIELD_GET_BYTES(kax, 3);
}
else if (key == -3) {
CBOR_FIELD_GET_BYTES(kay, 3);
}
else
CBOR_ADVANCE(3);
}
CBOR_PARSE_MAP_END(_f2, 3);
}
else if (subpara == 0x03) {
CBOR_FIELD_GET_BYTES(vendorAutCt, 2); CBOR_FIELD_GET_BYTES(vendorAutCt, 2);
} }
} }
@ -109,39 +81,7 @@ int cbor_config(const uint8_t *data, size_t len) {
cbor_encoder_init(&encoder, ctap_resp->init.data + 1, CTAP_MAX_PACKET_SIZE, 0); cbor_encoder_init(&encoder, ctap_resp->init.data + 1, CTAP_MAX_PACKET_SIZE, 0);
if (subcommand == 0xff) { if (subcommand == 0xff) {
if (vendorCommandId == CTAP_CONFIG_KEY_AGREEMENT) { if (vendorCommandId == CTAP_CONFIG_AUT_DISABLE) {
if (hkey_init == true)
mbedtls_ecdh_free(&hkey);
mbedtls_ecdh_init(&hkey);
mbedtls_ecdh_setup(&hkey, MBEDTLS_ECP_DP_SECP256R1);
int ret = mbedtls_ecdh_gen_public(&hkey.ctx.mbed_ecdh.grp, &hkey.ctx.mbed_ecdh.d, &hkey.ctx.mbed_ecdh.Q, random_gen, NULL);
mbedtls_mpi_lset(&hkey.ctx.mbed_ecdh.Qp.Z, 1);
if (ret != 0) {
CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
}
hkey_init = true;
CBOR_CHECK(cbor_encoder_create_map(&encoder, &mapEncoder, 1));
CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x01));
CBOR_CHECK(cbor_encoder_create_map(&mapEncoder, &mapEncoder2, 5));
CBOR_CHECK(cbor_encode_uint(&mapEncoder2, 1));
CBOR_CHECK(cbor_encode_uint(&mapEncoder2, 2));
CBOR_CHECK(cbor_encode_uint(&mapEncoder2, 3));
CBOR_CHECK(cbor_encode_negative_int(&mapEncoder2, -FIDO2_ALG_ECDH_ES_HKDF_256));
CBOR_CHECK(cbor_encode_negative_int(&mapEncoder2, 1));
CBOR_CHECK(cbor_encode_uint(&mapEncoder2, FIDO2_CURVE_P256));
CBOR_CHECK(cbor_encode_negative_int(&mapEncoder2, 2));
uint8_t pkey[32];
mbedtls_mpi_write_binary(&hkey.ctx.mbed_ecdh.Q.X, pkey, 32);
CBOR_CHECK(cbor_encode_byte_string(&mapEncoder2, pkey, 32));
CBOR_CHECK(cbor_encode_negative_int(&mapEncoder2, 3));
mbedtls_mpi_write_binary(&hkey.ctx.mbed_ecdh.Q.Y, pkey, 32);
CBOR_CHECK(cbor_encode_byte_string(&mapEncoder2, pkey, 32));
CBOR_CHECK(cbor_encoder_close_container(&mapEncoder, &mapEncoder2));
}
else if (vendorCommandId == CTAP_CONFIG_AUT || vendorCommandId == CTAP_CONFIG_UNLOCK) {
if (vendorCommandId == CTAP_CONFIG_AUT && (kax.present == false || kay.present == false || vendorAutCt.present == false || alg == 0)) { // Disable
if (!file_has_data(ef_keydev_enc)) if (!file_has_data(ef_keydev_enc))
CBOR_ERROR(CTAP2_ERR_NOT_ALLOWED); CBOR_ERROR(CTAP2_ERR_NOT_ALLOWED);
if (has_keydev_dec == false) if (has_keydev_dec == false)
@ -151,56 +91,18 @@ int cbor_config(const uint8_t *data, size_t len) {
flash_write_data_to_file(ef_keydev_enc, NULL, 0); // Set ef to 0 bytes flash_write_data_to_file(ef_keydev_enc, NULL, 0); // Set ef to 0 bytes
low_flash_available(); low_flash_available();
} }
else { // Enable else if (vendorCommandId == CTAP_CONFIG_AUT_ENABLE) {
if (vendorCommandId == CTAP_CONFIG_AUT && !file_has_data(ef_keydev)) if (!file_has_data(ef_keydev))
CBOR_ERROR(CTAP2_ERR_NOT_ALLOWED);
if (mse.init == false)
CBOR_ERROR(CTAP2_ERR_NOT_ALLOWED); CBOR_ERROR(CTAP2_ERR_NOT_ALLOWED);
if (kax.present == false || kay.present == false || alg == 0)
CBOR_ERROR(CTAP2_ERR_MISSING_PARAMETER);
if (mbedtls_mpi_read_binary(&hkey.ctx.mbed_ecdh.Qp.X, kax.data, kax.len) != 0) {
CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
}
if (mbedtls_mpi_read_binary(&hkey.ctx.mbed_ecdh.Qp.Y, kay.data, kay.len) != 0) {
CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
}
mbedtls_mpi z;
mbedtls_mpi_init(&z);
int ret = mbedtls_ecdh_compute_shared(&hkey.ctx.mbed_ecdh.grp, &z, &hkey.ctx.mbed_ecdh.Qp, &hkey.ctx.mbed_ecdh.d, random_gen, NULL);
if (ret != 0) {
mbedtls_mpi_free(&z);
CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
}
uint8_t buf[32], Qpt[65];
size_t olen = 0;
ret = mbedtls_ecp_point_write_binary(&hkey.ctx.mbed_ecdh.grp, &hkey.ctx.mbed_ecdh.Qp, MBEDTLS_ECP_PF_UNCOMPRESSED, &olen, Qpt, sizeof(Qpt));
if (ret != 0) {
mbedtls_mpi_free(&z);
CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
}
ret = mbedtls_mpi_write_binary(&z, buf, sizeof(buf));
mbedtls_mpi_free(&z);
if (ret != 0) {
CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
}
uint8_t key_enc[12+32];
ret = mbedtls_hkdf(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), NULL, 0, buf, sizeof(buf), Qpt, 65, key_enc, 12+32);
if (ret != 0){
CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
}
mbedtls_chachapoly_context chatx; mbedtls_chachapoly_context chatx;
mbedtls_chachapoly_init(&chatx); int ret = mse_decrypt_ct(vendorAutCt.data, vendorAutCt.len);
mbedtls_chachapoly_setkey(&chatx, key_enc + 12);
ret = mbedtls_chachapoly_auth_decrypt(&chatx, vendorAutCt.len - 16, key_enc, Qpt, 65, vendorAutCt.data + vendorAutCt.len - 16, vendorAutCt.data, vendorAutCt.data);
mbedtls_chachapoly_free(&chatx);
mbedtls_ecdh_free(&hkey);
hkey_init = false;
if (ret != 0) { if (ret != 0) {
CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER); CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
} }
if (vendorCommandId == CTAP_CONFIG_AUT) {
uint8_t key_dev_enc[12+32+16]; uint8_t key_dev_enc[12+32+16];
random_gen(NULL, key_dev_enc, 12); random_gen(NULL, key_dev_enc, 12);
mbedtls_chachapoly_init(&chatx); mbedtls_chachapoly_init(&chatx);
@ -217,27 +119,10 @@ int cbor_config(const uint8_t *data, size_t len) {
flash_write_data_to_file(ef_keydev, NULL, 0); // Set ef to 0 bytes flash_write_data_to_file(ef_keydev, NULL, 0); // Set ef to 0 bytes
low_flash_available(); low_flash_available();
} }
else if (vendorCommandId == CTAP_CONFIG_UNLOCK) {
if (!file_has_data(ef_keydev_enc))
CBOR_ERROR(CTAP2_ERR_INTEGRITY_FAILURE);
uint8_t *keyenc = file_get_data(ef_keydev_enc);
size_t keyenc_len = file_get_size(ef_keydev_enc);
mbedtls_chachapoly_init(&chatx);
mbedtls_chachapoly_setkey(&chatx, vendorAutCt.data);
ret = mbedtls_chachapoly_auth_decrypt(&chatx, sizeof(keydev_dec), keyenc, NULL, 0, keyenc + keyenc_len - 16, keyenc + 12, keydev_dec);
mbedtls_chachapoly_free(&chatx);
if (ret != 0){
CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
}
has_keydev_dec = true;
}
}
goto err; //No return
}
else { else {
CBOR_ERROR(CTAP2_ERR_INVALID_SUBCOMMAND); CBOR_ERROR(CTAP2_ERR_INVALID_SUBCOMMAND);
} }
goto err;
} }
else else
CBOR_ERROR(CTAP2_ERR_UNSUPPORTED_OPTION); CBOR_ERROR(CTAP2_ERR_UNSUPPORTED_OPTION);
@ -247,8 +132,6 @@ int cbor_config(const uint8_t *data, size_t len) {
err: err:
CBOR_FREE_BYTE_STRING(pinUvAuthParam); CBOR_FREE_BYTE_STRING(pinUvAuthParam);
CBOR_FREE_BYTE_STRING(vendorAutCt); CBOR_FREE_BYTE_STRING(vendorAutCt);
CBOR_FREE_BYTE_STRING(kax);
CBOR_FREE_BYTE_STRING(kay);
if (error != CborNoError) { if (error != CborNoError) {
if (error == CborErrorImproperValue) if (error == CborErrorImproperValue)

7
src/fido/cbor_get_info.c
View File

@ -80,10 +80,9 @@ int cbor_get_info() {
CBOR_CHECK(cbor_encode_uint(&mapEncoder, PICO_FIDO_VERSION)); // firmwareVersion CBOR_CHECK(cbor_encode_uint(&mapEncoder, PICO_FIDO_VERSION)); // firmwareVersion
CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x15)); CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x15));
CBOR_CHECK(cbor_encoder_create_array(&mapEncoder, &arrayEncoder, 3)); CBOR_CHECK(cbor_encoder_create_array(&mapEncoder, &arrayEncoder, 2));
CBOR_CHECK(cbor_encode_uint(&arrayEncoder, CTAP_CONFIG_AUT)); CBOR_CHECK(cbor_encode_uint(&arrayEncoder, CTAP_CONFIG_AUT_ENABLE));
CBOR_CHECK(cbor_encode_uint(&arrayEncoder, CTAP_CONFIG_KEY_AGREEMENT)); CBOR_CHECK(cbor_encode_uint(&arrayEncoder, CTAP_CONFIG_AUT_DISABLE));
CBOR_CHECK(cbor_encode_uint(&arrayEncoder, CTAP_CONFIG_UNLOCK));
CBOR_CHECK(cbor_encoder_close_container(&mapEncoder, &arrayEncoder)); CBOR_CHECK(cbor_encoder_close_container(&mapEncoder, &arrayEncoder));
CBOR_CHECK(cbor_encoder_close_container(&encoder, &mapEncoder)); CBOR_CHECK(cbor_encoder_close_container(&encoder, &mapEncoder));

148
src/fido/cbor_vendor.c
View File

@ -15,23 +15,41 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>. * along with this program. If not, see <http://www.gnu.org/licenses/>.
*/ */
#include "common.h"
#include "ctap2_cbor.h" #include "ctap2_cbor.h"
#include "fido.h" #include "fido.h"
#include "ctap.h" #include "ctap.h"
#include "files.h" #include "files.h"
#include "apdu.h" #include "apdu.h"
#include "hsm.h" #include "hsm.h"
#include "random.h"
#include "mbedtls/ecdh.h"
#include "mbedtls/chachapoly.h"
#include "mbedtls/hkdf.h"
extern uint8_t keydev_dec[32];
extern bool has_keydev_dec; extern bool has_keydev_dec;
mse_t mse = {.init = false};
int mse_decrypt_ct(uint8_t *data, size_t len) {
mbedtls_chachapoly_context chatx;
mbedtls_chachapoly_init(&chatx);
mbedtls_chachapoly_setkey(&chatx, mse.key_enc + 12);
int ret = mbedtls_chachapoly_auth_decrypt(&chatx, len - 16, mse.key_enc, mse.Qpt, 65, data + len - 16, data, data);
mbedtls_chachapoly_free(&chatx);
return ret;
}
int cbor_vendor_generic(uint8_t cmd, const uint8_t *data, size_t len) { int cbor_vendor_generic(uint8_t cmd, const uint8_t *data, size_t len) {
CborParser parser; CborParser parser;
CborValue map; CborValue map;
CborError error = CborNoError; CborError error = CborNoError;
CborByteString pinUvAuthParam = {0}, vendorParam = {0}; CborByteString pinUvAuthParam = {0}, vendorParam = {0}, kax = {0}, kay = {0};
size_t resp_size = 0; size_t resp_size = 0;
uint64_t vendorCmd = 0, pinUvAuthProtocol = 0; uint64_t vendorCmd = 0, pinUvAuthProtocol = 0;
CborEncoder encoder, mapEncoder; int64_t kty = 0, alg = 0, crv = 0;
CborEncoder encoder, mapEncoder, mapEncoder2;
CBOR_CHECK(cbor_parser_init(data, len, 0, &parser, &map)); CBOR_CHECK(cbor_parser_init(data, len, 0, &parser, &map));
uint64_t val_c = 1; uint64_t val_c = 1;
@ -53,6 +71,30 @@ int cbor_vendor_generic(uint8_t cmd, const uint8_t *data, size_t len) {
if (subpara == 0x01) { if (subpara == 0x01) {
CBOR_FIELD_GET_BYTES(vendorParam, 2); CBOR_FIELD_GET_BYTES(vendorParam, 2);
} }
else if (subpara == 0x02) {
int64_t key = 0;
CBOR_PARSE_MAP_START(_f2, 3) {
CBOR_FIELD_GET_INT(key, 3);
if (key == 1) {
CBOR_FIELD_GET_INT(kty, 3);
}
else if (key == 3) {
CBOR_FIELD_GET_INT(alg, 3);
}
else if (key == -1) {
CBOR_FIELD_GET_INT(crv, 3);
}
else if (key == -2) {
CBOR_FIELD_GET_BYTES(kax, 3);
}
else if (key == -3) {
CBOR_FIELD_GET_BYTES(kay, 3);
}
else
CBOR_ADVANCE(3);
}
CBOR_PARSE_MAP_END(_f2, 3);
}
else else
CBOR_ADVANCE(2); CBOR_ADVANCE(2);
} }
@ -94,6 +136,106 @@ int cbor_vendor_generic(uint8_t cmd, const uint8_t *data, size_t len) {
CBOR_ERROR(CTAP2_ERR_INVALID_SUBCOMMAND); CBOR_ERROR(CTAP2_ERR_INVALID_SUBCOMMAND);
} }
} }
else if (cmd == CTAP_VENDOR_MSE) {
if (vendorCmd == 0x01) { // KeyAgreement
if (kax.present == false || kay.present == false || alg == 0)
CBOR_ERROR(CTAP2_ERR_MISSING_PARAMETER);
mbedtls_ecdh_context hkey;
mbedtls_ecdh_init(&hkey);
mbedtls_ecdh_setup(&hkey, MBEDTLS_ECP_DP_SECP256R1);
int ret = mbedtls_ecdh_gen_public(&hkey.ctx.mbed_ecdh.grp, &hkey.ctx.mbed_ecdh.d, &hkey.ctx.mbed_ecdh.Q, random_gen, NULL);
mbedtls_mpi_lset(&hkey.ctx.mbed_ecdh.Qp.Z, 1);
if (ret != 0) {
CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
}
if (mbedtls_mpi_read_binary(&hkey.ctx.mbed_ecdh.Qp.X, kax.data, kax.len) != 0) {
mbedtls_ecdh_free(&hkey);
CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
}
if (mbedtls_mpi_read_binary(&hkey.ctx.mbed_ecdh.Qp.Y, kay.data, kay.len) != 0) {
mbedtls_ecdh_free(&hkey);
CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
}
mbedtls_mpi z;
mbedtls_mpi_init(&z);
ret = mbedtls_ecdh_compute_shared(&hkey.ctx.mbed_ecdh.grp, &z, &hkey.ctx.mbed_ecdh.Qp, &hkey.ctx.mbed_ecdh.d, random_gen, NULL);
if (ret != 0) {
mbedtls_mpi_free(&z);
mbedtls_ecdh_free(&hkey);
CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
}
uint8_t buf[32];
size_t olen = 0;
ret = mbedtls_ecp_point_write_binary(&hkey.ctx.mbed_ecdh.grp, &hkey.ctx.mbed_ecdh.Qp, MBEDTLS_ECP_PF_UNCOMPRESSED, &olen, mse.Qpt, sizeof(mse.Qpt));
if (ret != 0) {
mbedtls_mpi_free(&z);
mbedtls_ecdh_free(&hkey);
CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
}
ret = mbedtls_mpi_write_binary(&z, buf, sizeof(buf));
mbedtls_mpi_free(&z);
if (ret != 0) {
mbedtls_ecdh_free(&hkey);
mbedtls_platform_zeroize(buf, sizeof(buf));
CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
}
ret = mbedtls_hkdf(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), NULL, 0, buf, sizeof(buf), mse.Qpt, sizeof(mse.Qpt), mse.key_enc, sizeof(mse.key_enc));
if (ret != 0){
mbedtls_ecdh_free(&hkey);
mbedtls_platform_zeroize(buf, sizeof(buf));
CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
}
mbedtls_platform_zeroize(buf, sizeof(buf));
mse.init = true;
CBOR_CHECK(cbor_encoder_create_map(&encoder, &mapEncoder, 1));
CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x01));
CBOR_CHECK(cbor_encoder_create_map(&mapEncoder, &mapEncoder2, 5));
CBOR_CHECK(cbor_encode_uint(&mapEncoder2, 1));
CBOR_CHECK(cbor_encode_uint(&mapEncoder2, 2));
CBOR_CHECK(cbor_encode_uint(&mapEncoder2, 3));
CBOR_CHECK(cbor_encode_negative_int(&mapEncoder2, -FIDO2_ALG_ECDH_ES_HKDF_256));
CBOR_CHECK(cbor_encode_negative_int(&mapEncoder2, 1));
CBOR_CHECK(cbor_encode_uint(&mapEncoder2, FIDO2_CURVE_P256));
CBOR_CHECK(cbor_encode_negative_int(&mapEncoder2, 2));
uint8_t pkey[32];
mbedtls_mpi_write_binary(&hkey.ctx.mbed_ecdh.Q.X, pkey, 32);
CBOR_CHECK(cbor_encode_byte_string(&mapEncoder2, pkey, 32));
CBOR_CHECK(cbor_encode_negative_int(&mapEncoder2, 3));
mbedtls_mpi_write_binary(&hkey.ctx.mbed_ecdh.Q.Y, pkey, 32);
CBOR_CHECK(cbor_encode_byte_string(&mapEncoder2, pkey, 32));
CBOR_CHECK(cbor_encoder_close_container(&mapEncoder, &mapEncoder2));
mbedtls_ecdh_free(&hkey);
}
}
else if (cmd == CTAP_VENDOR_UNLOCK) {
if (mse.init == false)
CBOR_ERROR(CTAP2_ERR_NOT_ALLOWED);
mbedtls_chachapoly_context chatx;
int ret = mse_decrypt_ct(vendorParam.data, vendorParam.len);
if (ret != 0) {
CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
}
if (!file_has_data(ef_keydev_enc))
CBOR_ERROR(CTAP2_ERR_INTEGRITY_FAILURE);
uint8_t *keyenc = file_get_data(ef_keydev_enc);
size_t keyenc_len = file_get_size(ef_keydev_enc);
mbedtls_chachapoly_init(&chatx);
mbedtls_chachapoly_setkey(&chatx, vendorParam.data);
ret = mbedtls_chachapoly_auth_decrypt(&chatx, sizeof(keydev_dec), keyenc, NULL, 0, keyenc + keyenc_len - 16, keyenc + 12, keydev_dec);
mbedtls_chachapoly_free(&chatx);
if (ret != 0){
CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
}
has_keydev_dec = true;
goto err;
}
else else
CBOR_ERROR(CTAP2_ERR_UNSUPPORTED_OPTION); CBOR_ERROR(CTAP2_ERR_UNSUPPORTED_OPTION);
CBOR_CHECK(cbor_encoder_close_container(&encoder, &mapEncoder)); CBOR_CHECK(cbor_encoder_close_container(&encoder, &mapEncoder));
@ -115,7 +257,7 @@ int cbor_vendor_generic(uint8_t cmd, const uint8_t *data, size_t len) {
int cbor_vendor(const uint8_t *data, size_t len) { int cbor_vendor(const uint8_t *data, size_t len) {
if (len == 0) if (len == 0)
return CTAP1_ERR_INVALID_LEN; return CTAP1_ERR_INVALID_LEN;
if (data[0] == CTAP_VENDOR_BACKUP) if (data[0] >= CTAP_VENDOR_BACKUP)
return cbor_vendor_generic(data[0], data + 1, len - 1); return cbor_vendor_generic(data[0], data + 1, len - 1);
return CTAP2_ERR_INVALID_CBOR; return CTAP2_ERR_INVALID_CBOR;
} }

16
src/fido/ctap.h
View File

@ -116,13 +116,23 @@ typedef struct {
#define CTAP_SELECTION 0x0B #define CTAP_SELECTION 0x0B
#define CTAP_CONFIG 0x0D #define CTAP_CONFIG 0x0D
#define CTAP_CONFIG_AUT 0x03e43f56b34285e2 #define CTAP_CONFIG_AUT_ENABLE 0x03e43f56b34285e2
#define CTAP_CONFIG_KEY_AGREEMENT 0x1831a40f04a25ed9 #define CTAP_CONFIG_AUT_DISABLE 0x1831a40f04a25ed9
#define CTAP_CONFIG_UNLOCK 0x54365966c9a74770
#define CTAP_VENDOR_CBOR (CTAPHID_VENDOR_FIRST + 1) #define CTAP_VENDOR_CBOR (CTAPHID_VENDOR_FIRST + 1)
#define CTAP_VENDOR_BACKUP 0x01 #define CTAP_VENDOR_BACKUP 0x01
#define CTAP_VENDOR_MSE 0x02
#define CTAP_VENDOR_UNLOCK 0x03
typedef struct mse {
uint8_t Qpt[65];
uint8_t key_enc[12 + 32];
bool init;
} mse_t;
extern mse_t mse;
extern int mse_decrypt_ct(uint8_t *, size_t);
// Command status responses // Command status responses

208
tools/pico-fido-tool.py
View File

@ -69,133 +69,32 @@ class VendorConfig(Config):
class PARAM(IntEnum): class PARAM(IntEnum):
VENDOR_COMMAND_ID = 0x01 VENDOR_COMMAND_ID = 0x01
VENDOR_AUT_KEY_AGREEMENT = 0x02 VENDOR_AUT_CT = 0x02
VENDOR_AUT_CT = 0x03
class CMD(IntEnum): class CMD(IntEnum):
CONFIG_AUT = 0x03e43f56b34285e2 CONFIG_AUT_ENABLE = 0x03e43f56b34285e2
CONFIG_KEY_AGREEMENT = 0x1831a40f04a25ed9 CONFIG_AUT_DISABLE = 0x1831a40f04a25ed9
CONFIG_UNLOCK = 0x54365966c9a74770
CONFIG_BACKUP = 0x6b1ede62beff0d5e
class RESP(IntEnum): class RESP(IntEnum):
KEY_AGREEMENT = 0x01 KEY_AGREEMENT = 0x01
BACKUP = 0x01
def __init__(self, ctap, pin_uv_protocol=None, pin_uv_token=None): def __init__(self, ctap, pin_uv_protocol=None, pin_uv_token=None):
super().__init__(ctap, pin_uv_protocol, pin_uv_token) super().__init__(ctap, pin_uv_protocol, pin_uv_token)
def _get_key_device(self): def enable_device_aut(self, ct):
return skey.get_secure_key()
def _get_shared_key(self):
ret = self._call(
Config.CMD.VENDOR_PROTOTYPE,
{
VendorConfig.PARAM.VENDOR_COMMAND_ID: VendorConfig.CMD.CONFIG_KEY_AGREEMENT,
},
)
peer_cose_key = ret[VendorConfig.RESP.KEY_AGREEMENT]
sk = ec.generate_private_key(ec.SECP256R1())
pn = sk.public_key().public_numbers()
pb = sk.public_key().public_bytes(Encoding.X962, PublicFormat.UncompressedPoint)
key_agreement = {
1: 2,
3: -25, # Per the spec, "although this is NOT the algorithm actually used"
-1: 1,
-2: int2bytes(pn.x, 32),
-3: int2bytes(pn.y, 32),
}
x = bytes2int(peer_cose_key[-2])
y = bytes2int(peer_cose_key[-3])
pk = ec.EllipticCurvePublicNumbers(x, y, ec.SECP256R1()).public_key()
shared_key = sk.exchange(ec.ECDH(), pk)
xkdf = HKDF(
algorithm=hashes.SHA256(),
length=12+32,
salt=None,
info=pb
)
kdf_out = xkdf.derive(shared_key)
key_enc = kdf_out[12:]
iv = kdf_out[:12]
return iv, key_enc, key_agreement, pb
def _send_command_key(self, cmd):
iv, key_enc, key_agreement, pb = self._get_shared_key()
chacha = ChaCha20Poly1305(key_enc)
ct = chacha.encrypt(iv, self._get_key_device(), pb)
self._call( self._call(
Config.CMD.VENDOR_PROTOTYPE, Config.CMD.VENDOR_PROTOTYPE,
{ {
VendorConfig.PARAM.VENDOR_COMMAND_ID: cmd, VendorConfig.PARAM.VENDOR_COMMAND_ID: VendorConfig.CMD.CONFIG_AUT_ENABLE,
VendorConfig.PARAM.VENDOR_AUT_KEY_AGREEMENT: key_agreement,
VendorConfig.PARAM.VENDOR_AUT_CT: ct VendorConfig.PARAM.VENDOR_AUT_CT: ct
}, },
) )
def enable_device_aut(self):
self._send_command_key(VendorConfig.CMD.CONFIG_AUT)
def unlock_device(self):
self._send_command_key(VendorConfig.CMD.CONFIG_UNLOCK)
def disable_device_aut(self): def disable_device_aut(self):
self._call( self._call(
Config.CMD.VENDOR_PROTOTYPE, Config.CMD.VENDOR_PROTOTYPE,
{ {
VendorConfig.PARAM.VENDOR_COMMAND_ID: VendorConfig.CMD.CONFIG_AUT, VendorConfig.PARAM.VENDOR_COMMAND_ID: VendorConfig.CMD.CONFIG_AUT_DISABLE
},
)
def backup_save(self, filename):
ret = self._call(
Config.CMD.VENDOR_PROTOTYPE,
{
VendorConfig.PARAM.VENDOR_COMMAND_ID: VendorConfig.CMD.CONFIG_BACKUP,
},
)
data = ret[VendorConfig.RESP.BACKUP]
d = int.from_bytes(skey.get_secure_key(), 'big')
with open(filename, 'wb') as fp:
fp.write(b'\x01')
fp.write(data)
pk = ec.derive_private_key(d, ec.SECP256R1())
signature = pk.sign(data, ec.ECDSA(hashes.SHA256()))
fp.write(signature)
print('Remember the following words in this order:')
for c in range(24):
coef = (d//(2048**c))%2048
print(f'{(c+1):02d} - {words[coef]}')
def backup_load(self, filename):
d = 0
if (d == 0):
for c in range(24):
word = input(f'Introduce word {(c+1):02d}: ')
while (word not in words):
word = input(f'Word not found. Please, tntroduce the correct word {(c+1):02d}: ')
coef = words.index(word)
d = d+(2048**c)*coef
pk = ec.derive_private_key(d, ec.SECP256R1())
pb = pk.public_key()
with open(filename, 'rb') as fp:
format = fp.read(1)[0]
if (format == 0x1):
data = fp.read(60)
signature = fp.read()
pb.verify(signature, data, ec.ECDSA(hashes.SHA256()))
skey.set_secure_key(pk)
self._call(
Config.CMD.VENDOR_PROTOTYPE,
{
VendorConfig.PARAM.VENDOR_COMMAND_ID: VendorConfig.CMD.CONFIG_BACKUP,
VendorConfig.PARAM.VENDOR_AUT_CT: data,
}, },
) )
@ -280,17 +179,22 @@ class Vendor:
@unique @unique
class CMD(IntEnum): class CMD(IntEnum):
VENDOR_BACKUP = 0x01 VENDOR_BACKUP = 0x01
VENDOR_MSE = 0x02
VENDOR_UNLOCK = 0x03
@unique @unique
class PARAM(IntEnum): class PARAM(IntEnum):
PARAM = 0x01 PARAM = 0x01
COSE_KEY = 0x02
class SUBCMD(IntEnum): class SUBCMD(IntEnum):
ENABLE = 0x01 ENABLE = 0x01
DISABLE = 0x02 DISABLE = 0x02
KEY_AGREEMENT = 0x01
class RESP(IntEnum): class RESP(IntEnum):
PARAM = 0x01 PARAM = 0x01
COSE_KEY = 0x02
def __init__( def __init__(
self, self,
@ -304,6 +208,10 @@ class Vendor:
if pin_uv_protocol and pin_uv_token if pin_uv_protocol and pin_uv_token
else None else None
) )
self.__key_enc = None
self.__iv = None
self.vcfg = VendorConfig(ctap)
def _call(self, cmd, sub_cmd, params=None): def _call(self, cmd, sub_cmd, params=None):
if params: if params:
@ -369,6 +277,72 @@ class Vendor:
}, },
) )
def mse(self):
sk = ec.generate_private_key(ec.SECP256R1())
pn = sk.public_key().public_numbers()
self.__pb = sk.public_key().public_bytes(Encoding.X962, PublicFormat.UncompressedPoint)
key_agreement = {
1: 2,
3: -25, # Per the spec, "although this is NOT the algorithm actually used"
-1: 1,
-2: int2bytes(pn.x, 32),
-3: int2bytes(pn.y, 32),
}
ret = self._call(
Vendor.CMD.VENDOR_MSE,
Vendor.SUBCMD.KEY_AGREEMENT,
{
Vendor.PARAM.COSE_KEY: key_agreement,
},
)
peer_cose_key = ret[VendorConfig.RESP.KEY_AGREEMENT]
x = bytes2int(peer_cose_key[-2])
y = bytes2int(peer_cose_key[-3])
pk = ec.EllipticCurvePublicNumbers(x, y, ec.SECP256R1()).public_key()
shared_key = sk.exchange(ec.ECDH(), pk)
xkdf = HKDF(
algorithm=hashes.SHA256(),
length=12+32,
salt=None,
info=self.__pb
)
kdf_out = xkdf.derive(shared_key)
self.__key_enc = kdf_out[12:]
self.__iv = kdf_out[:12]
def encrypt_chacha(self, data):
chacha = ChaCha20Poly1305(self.__key_enc)
ct = chacha.encrypt(self.__iv, data, self.__pb)
return ct
def unlock_device(self):
ct = self.get_skey()
self._call(
Vendor.CMD.VENDOR_UNLOCK,
Vendor.SUBCMD.ENABLE,
{
Vendor.PARAM.PARAM: ct
},
)
def _get_key_device(self):
return skey.get_secure_key()
def get_skey(self):
self.mse()
ct = self.encrypt_chacha(self._get_key_device())
return ct
def enable_device_aut(self):
ct = self.get_skey()
self.vcfg.enable_device_aut(ct)
def disable_device_aut(self):
self.vcfg.disable_device_aut()
def parse_args(): def parse_args():
parser = argparse.ArgumentParser() parser = argparse.ArgumentParser()
@ -383,19 +357,15 @@ def parse_args():
args = parser.parse_args() args = parser.parse_args()
return args return args
def secure(dev, args): def secure(vdr, args):
vcfg = VendorConfig(Ctap2(dev))
if (args.subcommand == 'enable'): if (args.subcommand == 'enable'):
vcfg.enable_device_aut() vdr.enable_device_aut()
elif (args.subcommand == 'unlock'): elif (args.subcommand == 'unlock'):
vcfg.unlock_device() vdr.unlock_device()
elif (args.subcommand == 'disable'): elif (args.subcommand == 'disable'):
vcfg.disable_device_aut() vdr.disable_device_aut()
def backup(dev, args):
vdr = Vendor(Ctap2Vendor(dev))
def backup(vdr, args):
if (args.subcommand == 'save'): if (args.subcommand == 'save'):
vdr.backup_save(args.filename) vdr.backup_save(args.filename)
elif (args.subcommand == 'load'): elif (args.subcommand == 'load'):
@ -411,10 +381,12 @@ def main(args):
dev = next(CtapHidDevice.list_devices(), None) dev = next(CtapHidDevice.list_devices(), None)
vdr = Vendor(Ctap2Vendor(dev))
if (args.command == 'secure'): if (args.command == 'secure'):
secure(dev, args) secure(vdr, args)
elif (args.command == 'backup'): elif (args.command == 'backup'):
backup(dev, args) backup(vdr, args)
def run(): def run():
args = parse_args() args = parse_args()