Known device advertisement

Author: AlfioEmanueleFresta

libwebauthn/examples/webauthn_cable.rs

@@ -5,7 +5,7 @@ use std::time::Duration;
 
 use libwebauthn::pin::PinRequestReason;
 use libwebauthn::transport::cable::known_devices::{
-    CableKnownDeviceInfoStore, EphemeralDeviceInfoStore,
+    self, CableKnownDevice, CableKnownDeviceId, CableKnownDeviceInfoStore, EphemeralDeviceInfoStore,
 };
 use libwebauthn::transport::cable::qr_code_device::{CableQrCodeDevice, QrCodeOperationHint};
 use libwebauthn::UxUpdate;
@@ -14,6 +14,7 @@ use qrcode::QrCode;
 use rand::{thread_rng, Rng};
 use text_io::read;
 use tokio::sync::mpsc::Receiver;
+use tokio::time::sleep;
 use tracing_subscriber::{self, EnvFilter};
 
 use libwebauthn::ops::webauthn::{
@@ -79,68 +80,71 @@ async fn handle_updates(mut state_recv: Receiver<UxUpdate>) {
 pub async fn main() -> Result<(), Box<dyn Error>> {
     setup_logging();
 
-    let device_info_store: Arc<dyn CableKnownDeviceInfoStore> =
-        Arc::new(EphemeralDeviceInfoStore::default());
-
-    // Create QR code
-    let mut device: CableQrCodeDevice = CableQrCodeDevice::new_persistent(
-        QrCodeOperationHint::MakeCredential,
-        device_info_store.clone(),
-    );
-
-    println!("Created QR code, awaiting for advertisement.");
-    let qr_code = QrCode::new(device.qr_code.to_string()).unwrap();
-    let image = qr_code
-        .render::<unicode::Dense1x2>()
-        .dark_color(unicode::Dense1x2::Light)
-        .light_color(unicode::Dense1x2::Dark)
-        .build();
-    println!("{}", image);
-
-    // Connect to a known device
-    let (mut channel, state_recv) = device.channel().await.unwrap();
-    println!("Tunnel established {:?}", channel);
-
-    tokio::spawn(handle_updates(state_recv));
-
+    let device_info_store = Arc::new(EphemeralDeviceInfoStore::default());
     let user_id: [u8; 32] = thread_rng().gen();
     let challenge: [u8; 32] = thread_rng().gen();
 
-    // Make Credentials ceremony
-    let make_credentials_request = MakeCredentialRequest {
-        origin: "example.org".to_owned(),
-        hash: Vec::from(challenge),
-        relying_party: Ctap2PublicKeyCredentialRpEntity::new("example.org", "example.org"),
-        user: Ctap2PublicKeyCredentialUserEntity::new(&user_id, "mario.rossi", "Mario Rossi"),
-        require_resident_key: false,
-        user_verification: UserVerificationRequirement::Preferred,
-        algorithms: vec![Ctap2CredentialType::default()],
-        exclude: None,
-        extensions: None,
-        timeout: TIMEOUT,
-    };
+    let credential: Ctap2PublicKeyCredentialDescriptor = {
+        // Create QR code
+        let mut device: CableQrCodeDevice = CableQrCodeDevice::new_persistent(
+            QrCodeOperationHint::MakeCredential,
+            device_info_store.clone(),
+        );
+
+        println!("Created QR code, awaiting for advertisement.");
+        let qr_code = QrCode::new(device.qr_code.to_string()).unwrap();
+        let image = qr_code
+            .render::<unicode::Dense1x2>()
+            .dark_color(unicode::Dense1x2::Light)
+            .light_color(unicode::Dense1x2::Dark)
+            .build();
+        println!("{}", image);
+
+        // Connect to a known device
+        let (mut channel, state_recv) = device.channel().await.unwrap();
+        println!("Tunnel established {:?}", channel);
+
+        tokio::spawn(handle_updates(state_recv));
+
+        // Make Credentials ceremony
+        let make_credentials_request = MakeCredentialRequest {
+            origin: "example.org".to_owned(),
+            hash: Vec::from(challenge),
+            relying_party: Ctap2PublicKeyCredentialRpEntity::new("example.org", "example.org"),
+            user: Ctap2PublicKeyCredentialUserEntity::new(&user_id, "mario.rossi", "Mario Rossi"),
+            require_resident_key: false,
+            user_verification: UserVerificationRequirement::Preferred,
+            algorithms: vec![Ctap2CredentialType::default()],
+            exclude: None,
+            extensions: None,
+            timeout: TIMEOUT,
+        };
 
-    let response = loop {
-        match channel
-            .webauthn_make_credential(&make_credentials_request)
-            .await
-        {
-            Ok(response) => break Ok(response),
-            Err(WebAuthnError::Ctap(ctap_error)) => {
-                if ctap_error.is_retryable_user_error() {
-                    println!("Oops, try again! Error: {}", ctap_error);
-                    continue;
+        let response = loop {
+            match channel
+                .webauthn_make_credential(&make_credentials_request)
+                .await
+            {
+                Ok(response) => break Ok(response),
+                Err(WebAuthnError::Ctap(ctap_error)) => {
+                    if ctap_error.is_retryable_user_error() {
+                        println!("Oops, try again! Error: {}", ctap_error);
+                        continue;
+                    }
+                    break Err(WebAuthnError::Ctap(ctap_error));
                 }
-                break Err(WebAuthnError::Ctap(ctap_error));
-            }
-            Err(err) => break Err(err),
-        };
-    }
-    .unwrap();
-    println!("WebAuthn MakeCredential response: {:?}", response);
+                Err(err) => break Err(err),
+            };
+        }
+        .unwrap();
+        println!("WebAuthn MakeCredential response: {:?}", response);
+
+        (&response.authenticator_data).try_into().unwrap()
+    };
+
+    println!("Waiting for 10 seconds before contacting the device...");
+    sleep(Duration::from_secs(30)).await;
 
-    let credential: Ctap2PublicKeyCredentialDescriptor =
-        (&response.authenticator_data).try_into().unwrap();
     let get_assertion = GetAssertionRequest {
         relying_party_id: "example.org".to_owned(),
         hash: Vec::from(challenge),
@@ -150,24 +154,17 @@ pub async fn main() -> Result<(), Box<dyn Error>> {
         timeout: TIMEOUT,
     };
 
-    // Create QR code
-    let mut device: CableQrCodeDevice = CableQrCodeDevice::new_persistent(
-        QrCodeOperationHint::GetAssertionRequest,
-        device_info_store.clone(),
-    );
-
-    println!("Created QR code, awaiting for advertisement.");
-    let qr_code = QrCode::new(device.qr_code.to_string()).unwrap();
-    let image = qr_code
-        .render::<unicode::Dense1x2>()
-        .dark_color(unicode::Dense1x2::Light)
-        .light_color(unicode::Dense1x2::Dark)
-        .build();
-    println!("{}", image);
+    let all_devices = device_info_store.list_all().await;
+    let (_known_device_id, known_device_info) =
+        all_devices.first().expect("No known devices found");
+
+    let mut known_device: CableKnownDevice =
+        CableKnownDevice::new(known_device_info, device_info_store.clone())
+            .await
+            .unwrap();
 
     // Connect to a known device
-    println!("Tunnel established {:?}", channel);
-    let (mut channel, state_recv) = device.channel().await.unwrap();
+    let (mut channel, state_recv) = known_device.channel().await.unwrap();
     println!("Tunnel established {:?}", channel);
 
     tokio::spawn(handle_updates(state_recv));

libwebauthn/src/transport/ble/btleplug/manager.rs

@@ -56,7 +56,7 @@ async fn on_peripheral_service_data(
     id: &PeripheralId,
     uuids: &[Uuid],
     service_data: HashMap<Uuid, Vec<u8>>,
-) -> Option<(Peripheral, Vec<u8>)> {
+) -> Option<(Adapter, Peripheral, Vec<u8>)> {
     for uuid in uuids {
         if let Some(service_data) = service_data.get(uuid) {
             trace!(?id, ?service_data, "Found service data");
@@ -66,7 +66,7 @@ async fn on_peripheral_service_data(
             };
 
             debug!({ ?id, ?service_data }, "Found service data for peripheral");
-            return Some((peripheral, service_data.to_owned()));
+            return Some((adapter.clone(), peripheral, service_data.to_owned()));
         }
     }
 
@@ -81,7 +81,7 @@ async fn on_peripheral_service_data(
 /// Starts a discovery for devices advertising service data on any of the provided UUIDs
 pub async fn start_discovery_for_service_data(
     uuids: &[Uuid],
-) -> Result<impl Stream<Item = (Peripheral, Vec<u8>)> + use<'_>, Error> {
+) -> Result<impl Stream<Item = (Adapter, Peripheral, Vec<u8>)> + use<'_>, Error> {
     let adapter = get_adapter().await?;
     let scan_filter = ScanFilter::default();
 

libwebauthn/src/transport/cable/advertisement.rs

@@ -0,0 +1,90 @@
+use ::btleplug::api::Central;
+use futures::StreamExt;
+use std::pin::pin;
+use tracing::{debug, trace, warn};
+use uuid::Uuid;
+
+use crate::transport::ble::btleplug::{self, FidoDevice};
+use crate::transport::cable::crypto::trial_decrypt_advert;
+use crate::webauthn::{Error, TransportError};
+
+const CABLE_UUID_FIDO: &str = "0000fff9-0000-1000-8000-00805f9b34fb";
+const CABLE_UUID_GOOGLE: &str = "0000fde2-0000-1000-8000-00805f9b34fb";
+
+#[derive(Debug)]
+pub(crate) struct DecryptedAdvert {
+    pub plaintext: [u8; 16],
+    pub nonce: [u8; 10],
+    pub routing_id: [u8; 3],
+    pub encoded_tunnel_server_domain: u16,
+}
+
+impl From<&[u8]> for DecryptedAdvert {
+    fn from(plaintext: &[u8]) -> Self {
+        let mut nonce = [0u8; 10];
+        nonce.copy_from_slice(&plaintext[1..11]);
+        let mut routing_id = [0u8; 3];
+        routing_id.copy_from_slice(&plaintext[11..14]);
+        let encoded_tunnel_server_domain = u16::from_le_bytes([plaintext[14], plaintext[15]]);
+        let mut plaintext_fixed = [0u8; 16];
+        plaintext_fixed.copy_from_slice(&plaintext[..16]);
+        Self {
+            plaintext: plaintext_fixed,
+            nonce,
+            routing_id,
+            encoded_tunnel_server_domain,
+        }
+    }
+}
+
+pub(crate) async fn await_advertisement(
+    eid_key: &[u8],
+) -> Result<(FidoDevice, DecryptedAdvert), Error> {
+    let uuids = &[
+        Uuid::parse_str(CABLE_UUID_FIDO).unwrap(),
+        Uuid::parse_str(CABLE_UUID_GOOGLE).unwrap(), // Deprecated, but may still be in use.
+    ];
+    let stream = btleplug::manager::start_discovery_for_service_data(uuids)
+        .await
+        .or(Err(Error::Transport(TransportError::TransportUnavailable)))?;
+
+    let mut stream = pin!(stream);
+    while let Some((adapter, peripheral, data)) = stream.as_mut().next().await {
+        debug!({ ?peripheral, ?data }, "Found device with service data");
+
+        let Some(device) = btleplug::manager::get_device(peripheral.clone())
+            .await
+            .or(Err(Error::Transport(TransportError::TransportUnavailable)))?
+        else {
+            warn!(
+                ?peripheral,
+                "Unable to fetch peripheral properties, ignoring"
+            );
+            continue;
+        };
+
+        trace!(?device, ?data, ?eid_key);
+        let Some(decrypted) = trial_decrypt_advert(&eid_key, &data) else {
+            warn!(?device, "Trial decrypt failed, ignoring");
+            continue;
+        };
+        trace!(?decrypted);
+
+        let advert = DecryptedAdvert::from(decrypted.as_slice());
+        debug!(
+            ?device,
+            ?decrypted,
+            "Successfully decrypted advertisement from device"
+        );
+
+        adapter
+            .stop_scan()
+            .await
+            .or(Err(Error::Transport(TransportError::TransportUnavailable)))?;
+
+        return Ok((device, advert));
+    }
+
+    warn!("BLE advertisement discovery stream terminated");
+    Err(Error::Transport(TransportError::TransportUnavailable))
+}

libwebauthn/src/transport/cable/channel.rs

@@ -47,6 +47,12 @@ impl Display for CableChannel {
     }
 }
 
+impl Drop for CableChannel {
+    fn drop(&mut self) {
+        self.handle_connection.abort();
+    }
+}
+
 #[async_trait]
 impl<'d> Channel for CableChannel {
     async fn supported_protocols(&self) -> Result<SupportedProtocols, Error> {

libwebauthn/src/transport/cable/crypto.rs

@@ -13,12 +13,12 @@ pub enum KeyPurpose {
 }
 
 
-pub fn derive(secret: &[u8; 16], salt: Option<&[u8]>, purpose: KeyPurpose) -> Vec<u8> {
+pub fn derive(secret: &[u8], salt: Option<&[u8]>, purpose: KeyPurpose) -> [u8; 64] {
     let mut purpose32 = [0u8; 4];
     purpose32[0] = purpose as u8;
 
     let hkdf = Hkdf::<Sha256>::new(salt, secret);
-    let mut output = vec![0u8; 64];
+    let mut output = [0u8; 64];
     hkdf.expand(&purpose32, &mut output).unwrap();
     output
 }
@@ -66,7 +66,7 @@ mod tests {
     #[test]
     fn derive_eidkey_nosalt() {
         let input: [u8; 16] = hex::decode("00112233445566778899aabbccddeeff").unwrap().try_into().unwrap();
-        let output = derive(&input, None, KeyPurpose::EIDKey);
+        let output = derive(&input, None, KeyPurpose::EIDKey).to_vec();
         let expected = hex::decode("efafab5b2c84a11c80e3ad0770353138b414a859ccd3afcc99e3d3250dba65084ede8e38e75432617c0ccae1ffe5d8143df0db0cd6d296f489419cd6411ee505").unwrap();
         assert_eq!(output, expected);
     }
@@ -75,7 +75,7 @@ mod tests {
     fn derive_eidkey_salt() {
         let input: [u8; 16] = hex::decode("00112233445566778899aabbccddeeff").unwrap().try_into().unwrap();
         let salt = hex::decode("ffeeddccbbaa998877665544332211").unwrap();
-        let output = derive(&input, Some(&salt), KeyPurpose::EIDKey);
+        let output = derive(&input, Some(&salt), KeyPurpose::EIDKey).to_vec();
         let expected = hex::decode("168cf3dd220a7907f8bac30f559be92a3b6d937fe5594beeaf1e50e35976b7d654dd550e22ae4c801b9d1cdbf0d2b1472daa1328661eb889acae3023b7ffa509").unwrap();
         assert_eq!(output, expected);
     }