Replace cosey with ctap-types

Author: AlfioEmanueleFresta

.gitmodules

@@ -1,6 +1,6 @@
 [submodule "solo/src/ext"]
 	path = solo/src/ext
 	url = https://github.com/AlfioEmanueleFresta/solo.git
-[submodule "cosey"]
-	path = cosey
-	url = https://github.com/AlfioEmanueleFresta/cosey.git
+[submodule "ctap-types"]
+	path = ctap-types
+	url = https://github.com/AlfioEmanueleFresta/ctap-types.git

cosey

@@ -51,7 +51,7 @@ aes = "0.8.2"
 hmac = "0.12.1"
 cbc = { version = "0.1", features = ["alloc"] }
 hkdf = "0.12"
-cosey = { path = "../cosey" }
+ctap-types = { path = "../ctap-types", features = ["alloc"] }
 solo = { path = "../solo", optional = true }
 text_io = "0.1"
 

ctap-types

@@ -6,6 +6,7 @@ use serde_cbor::to_vec;
 use sha2::{Digest, Sha256};
 use tracing::{error, trace};
 use x509_parser::nom::AsBytes;
+use ctap_types::cose;
 
 use super::webauthn::MakeCredentialRequest;
 use crate::ops::webauthn::{GetAssertionResponse, MakeCredentialResponse};
@@ -40,6 +41,7 @@ impl SignRequest {
         }
     }
 }
+
 pub trait UpgradableResponse<T, R> {
     fn try_upgrade(&self, request: &R) -> Result<T, Error>;
 }
@@ -68,15 +70,15 @@ impl UpgradableResponse<MakeCredentialResponse, MakeCredentialRequest> for Regis
                 .expect("Not the identity point")
                 .as_bytes(),
         )
-        .unwrap();
+            .unwrap();
         let y: heapless::Vec<u8, 32> = heapless::Vec::from_slice(
             encoded_point
                 .y()
                 .expect("Not identity nor compressed")
                 .as_bytes(),
         )
-        .unwrap();
-        let cose_public_key = cosey::PublicKey::P256Key(cosey::P256PublicKey {
+            .unwrap();
+        let cose_public_key = cose::PublicKey::P256Key(cose::P256PublicKey {
             x: x.into(),
             y: y.into(),
         });
@@ -159,7 +161,7 @@ impl UpgradableResponse<GetAssertionResponse, SignRequest> for SignResponse {
         // See also Authenticator Data section of [WebAuthn].
         let mut flags: u8 = 0;
         flags |= 0b00000001; // up always set
-                             // bit 1 is unused, ignoring
+        // bit 1 is unused, ignoring
 
         // Let signCount be a 4-byte unsigned integer initialized with CTAP1/U2F response counter field.
         let sign_count = self.counter;
@@ -188,7 +190,7 @@ impl UpgradableResponse<GetAssertionResponse, SignRequest> for SignResponse {
             credentials_count: None,
             user_selected: None,
         }
-        .into();
+            .into();
 
         trace!(?upgraded_response);
         Ok(upgraded_response)

libwebauthn/Cargo.toml

@@ -13,6 +13,7 @@ use rand::{rngs::OsRng, thread_rng, Rng};
 use sha2::{Digest, Sha256};
 use tracing::{error, info, instrument, warn};
 use x509_parser::nom::AsBytes;
+use ctap_types::cose;
 
 use crate::proto::{ctap2::Ctap2PinUvAuthProtocol, CtapError};
 
@@ -108,8 +109,8 @@ pub trait PinUvAuthProtocol: Send + Sync {
     ///   shared secret.
     fn encapsulate(
         &self,
-        peer_public_key: &cosey::PublicKey,
-    ) -> Result<(cosey::PublicKey, Vec<u8>), Error>;
+        peer_public_key: &cose::PublicKey,
+    ) -> Result<(cose::PublicKey, Vec<u8>), Error>;
 
     // encrypt(key, demPlaintext) → ciphertext
     //   Encrypts a plaintext to produce a ciphertext, which may be longer than the plaintext.
@@ -130,14 +131,15 @@ trait ECPrivateKeyPinUvAuthProtocol {
     fn public_key(&self) -> &P256PublicKey;
     fn kdf(&self, bytes: &[u8]) -> Vec<u8>;
 }
+
 /// Common functionality between ECDH-based PIN/UV auth protocols (1 & 2)
 trait ECDHPinUvAuthProtocol {
-    fn ecdh(&self, peer_public_key: &cosey::PublicKey) -> Result<Vec<u8>, Error>;
+    fn ecdh(&self, peer_public_key: &cose::PublicKey) -> Result<Vec<u8>, Error>;
     fn encapsulate(
         &self,
-        peer_public_key: &cosey::PublicKey,
-    ) -> Result<(cosey::PublicKey, Vec<u8>), Error>;
-    fn get_public_key(&self) -> cosey::PublicKey;
+        peer_public_key: &cose::PublicKey,
+    ) -> Result<(cose::PublicKey, Vec<u8>), Error>;
+    fn get_public_key(&self) -> cose::PublicKey;
 }
 
 pub struct PinUvAuthProtocolOne {
@@ -174,14 +176,14 @@ impl ECPrivateKeyPinUvAuthProtocol for PinUvAuthProtocolOne {
 }
 
 impl<P> ECDHPinUvAuthProtocol for P
-where
-    P: ECPrivateKeyPinUvAuthProtocol,
+    where
+        P: ECPrivateKeyPinUvAuthProtocol,
 {
     #[instrument(skip_all)]
     fn encapsulate(
         &self,
-        peer_public_key: &cosey::PublicKey,
-    ) -> Result<(cosey::PublicKey, Vec<u8>), Error> {
+        peer_public_key: &cose::PublicKey,
+    ) -> Result<(cose::PublicKey, Vec<u8>), Error> {
         // Let sharedSecret be the result of calling ecdh(peerCoseKey). Return any resulting error.
         let shared_secret = self.ecdh(peer_public_key)?;
 
@@ -190,10 +192,10 @@ where
     }
 
     /// ecdh(peerCoseKey) → sharedSecret | error
-    fn ecdh(&self, peer_public_key: &cosey::PublicKey) -> Result<Vec<u8>, Error> {
+    fn ecdh(&self, peer_public_key: &cose::PublicKey) -> Result<Vec<u8>, Error> {
         // Parse peerCoseKey as specified for getPublicKey, below, and produce a P-256 point, Y.
         // If unsuccessful, or if the resulting point is not on the curve, return error.
-        let cosey::PublicKey::EcdhEsHkdf256Key(peer_public_key) = peer_public_key else {
+        let cose::PublicKey::EcdhEsHkdf256Key(peer_public_key) = peer_public_key else {
             error!(
                 ?peer_public_key,
                 "Unsupported peerCoseKey format. Only EcdhEsHkdf256Key is supported."
@@ -219,15 +221,15 @@ where
     }
 
     /// getPublicKey()
-    fn get_public_key(&self) -> cosey::PublicKey {
+    fn get_public_key(&self) -> cose::PublicKey {
         let point = EncodedPoint::from(self.public_key());
         let x: heapless::Vec<u8, 32> =
             heapless::Vec::from_slice(point.x().expect("Not the identity point").as_bytes())
                 .unwrap();
         let y: heapless::Vec<u8, 32> =
             heapless::Vec::from_slice(point.y().expect("Not identity nor compressed").as_bytes())
                 .unwrap();
-        cosey::PublicKey::P256Key(cosey::P256PublicKey {
+        cose::PublicKey::P256Key(cose::P256PublicKey {
             x: x.into(),
             y: y.into(),
         })
@@ -284,8 +286,8 @@ impl PinUvAuthProtocol for PinUvAuthProtocolOne {
 
     fn encapsulate(
         &self,
-        peer_public_key: &cosey::PublicKey,
-    ) -> Result<(cosey::PublicKey, Vec<u8>), Error> {
+        peer_public_key: &cose::PublicKey,
+    ) -> Result<(cose::PublicKey, Vec<u8>), Error> {
         <Self as ECDHPinUvAuthProtocol>::encapsulate(self, peer_public_key)
     }
 }
@@ -335,8 +337,8 @@ impl PinUvAuthProtocol for PinUvAuthProtocolTwo {
     #[instrument(skip_all)]
     fn encapsulate(
         &self,
-        peer_public_key: &cosey::PublicKey,
-    ) -> Result<(cosey::PublicKey, Vec<u8>), Error> {
+        peer_public_key: &cose::PublicKey,
+    ) -> Result<(cose::PublicKey, Vec<u8>), Error> {
         <Self as ECDHPinUvAuthProtocol>::encapsulate(self, peer_public_key)
     }
 

libwebauthn/src/ops/u2f.rs

@@ -3,7 +3,6 @@ use std::convert::TryFrom;
 use std::io::Cursor as IOCursor;
 
 use byteorder::{BigEndian, ReadBytesExt};
-use cosey::PublicKey;
 use num_enum::{IntoPrimitive, TryFromPrimitive};
 use serde_bytes::ByteBuf;
 use serde_derive::{Deserialize, Serialize};
@@ -12,12 +11,14 @@ use serde_repr::{Deserialize_repr, Serialize_repr};
 use tracing::debug;
 use tracing::warn;
 
+use ctap_types::cose::PublicKey;
+
 use crate::ops::webauthn::GetAssertionRequest;
 use crate::ops::webauthn::MakeCredentialRequest;
 use crate::proto::ctap1::Ctap1Transport;
 use crate::transport::error::CtapError;
 
-// 32 (rpIdHash) + 1 (flags) + 4 (signCount) + 16 (aaguid)
+// 32 (rpIdHash) + 1 (flags) + 4 (signCount) + 16 (aaguid
 const AUTHENTICATOR_DATA_PUBLIC_KEY_OFFSET: usize = 53;
 
 #[derive(Debug, IntoPrimitive, TryFromPrimitive, Copy, Clone, PartialEq, Serialize_repr)]
@@ -115,6 +116,7 @@ impl From<&Ctap1Transport> for Ctap2Transport {
         }
     }
 }
+
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct Ctap2PublicKeyCredentialDescriptor {
     pub r#type: Ctap2PublicKeyCredentialType,
@@ -622,8 +624,8 @@ impl Ctap2GetInfoResponse {
     ///   and either clientPin option ID is present and set to true or uv option ID is present and set to true or both.
     pub fn is_uv_protected(&self) -> bool {
         self.option_enabled("uv") || // Deprecated no-op UV
-        self.option_enabled("clientPin") ||
-        (self.option_enabled("pinUvAuthToken") && self.option_enabled("uv"))
+            self.option_enabled("clientPin") ||
+            (self.option_enabled("pinUvAuthToken") && self.option_enabled("uv"))
     }
 
     pub fn uv_operation(&self) -> Ctap2UserVerificationOperation {

libwebauthn/src/pin.rs

@@ -1,9 +1,10 @@
 use std::time::Duration;
 
 use async_trait::async_trait;
-use cosey::PublicKey;
 use tracing::{debug, error, info, instrument, trace, warn};
 
+use ctap_types::cose::PublicKey;
+
 use crate::fido::FidoProtocol;
 use crate::ops::u2f::{RegisterRequest, SignRequest, UpgradableResponse};
 use crate::ops::webauthn::{
@@ -19,7 +20,6 @@ use crate::proto::ctap2::{
     Ctap2MakeCredentialRequest, Ctap2UserVerifiableRequest, Ctap2UserVerificationOperation,
 };
 use crate::transport::Channel;
-
 pub use crate::transport::error::{CtapError, Error, TransportError};
 
 #[async_trait]
@@ -74,10 +74,10 @@ async fn select_uv_proto(
 
 #[async_trait]
 impl<C> WebAuthn for C
-where
-    C: Channel,
+    where
+        C: Channel,
 {
-    #[instrument(skip_all, fields(dev = %self))]
+    #[instrument(skip_all, fields(dev = % self))]
     async fn webauthn_make_credential(
         &mut self,
         op: &MakeCredentialRequest,
@@ -104,7 +104,7 @@ where
             pin_provider,
             op.timeout,
         )
-        .await?;
+            .await?;
         self.ctap2_make_credential(&ctap2_request, op.timeout).await
     }
 
@@ -118,7 +118,7 @@ where
             .try_upgrade(op)
     }
 
-    #[instrument(skip_all, fields(dev = %self))]
+    #[instrument(skip_all, fields(dev = % self))]
     async fn webauthn_get_assertion(
         &mut self,
         op: &GetAssertionRequest,
@@ -145,7 +145,7 @@ where
             pin_provider,
             op.timeout,
         )
-        .await?;
+            .await?;
 
         let response = self.ctap2_get_assertion(&ctap2_request, op.timeout).await?;
         let count = response.credentials_count.unwrap_or(1);
@@ -221,9 +221,9 @@ async fn user_verification<R, C>(
     pin_provider: &Box<dyn PinProvider>,
     timeout: Duration,
 ) -> Result<(), Error>
-where
-    C: Channel,
-    R: Ctap2UserVerifiableRequest,
+    where
+        C: Channel,
+        R: Ctap2UserVerifiableRequest,
 {
     let get_info_response = channel.ctap2_get_info().await?;
 
@@ -325,8 +325,8 @@ async fn obtain_shared_secret<C>(
     pin_proto: &Box<dyn PinUvAuthProtocol>,
     timeout: Duration,
 ) -> Result<(PublicKey, Vec<u8>), Error>
-where
-    C: Channel,
+    where
+        C: Channel,
 {
     let client_pin_request = Ctap2ClientPinRequest::new_get_key_agreement(pin_proto.version());
     let client_pin_response = channel
@@ -344,8 +344,8 @@ async fn obtain_pin<C>(
     pin_provider: &Box<dyn PinProvider>,
     timeout: Duration,
 ) -> Result<Vec<u8>, Error>
-where
-    C: Channel,
+    where
+        C: Channel,
 {
     let attempts_left = channel
         .ctap2_client_pin(&Ctap2ClientPinRequest::new_get_pin_retries(), timeout)