diff --git a/Cargo.toml b/Cargo.toml index ed293cc..611b2a0 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -35,7 +35,6 @@ elf2tab = "0.6.0" enum-iterator = "0.6.0" [build-dependencies] -openssl = "0.10" uuid = { version = "0.8", features = ["v4"] } [profile.dev] diff --git a/build.rs b/build.rs index e981555..b581d8e 100644 --- a/build.rs +++ b/build.rs @@ -12,11 +12,6 @@ // See the License for the specific language governing permissions and // limitations under the License. -use openssl::asn1; -use openssl::ec; -use openssl::nid::Nid; -use openssl::pkey::PKey; -use openssl::x509; use std::env; use std::fs::File; use std::io::Read; @@ -25,65 +20,11 @@ use std::path::Path; use uuid::Uuid; fn main() { - println!("cargo:rerun-if-changed=crypto_data/opensk.key"); - println!("cargo:rerun-if-changed=crypto_data/opensk_cert.pem"); println!("cargo:rerun-if-changed=crypto_data/aaguid.txt"); let out_dir = env::var_os("OUT_DIR").unwrap(); - let priv_key_bin_path = Path::new(&out_dir).join("opensk_pkey.bin"); - let cert_bin_path = Path::new(&out_dir).join("opensk_cert.bin"); let aaguid_bin_path = Path::new(&out_dir).join("opensk_aaguid.bin"); - // Load the OpenSSL PEM ECC key - let ecc_data = include_bytes!("crypto_data/opensk.key"); - let pkey = - ec::EcKey::private_key_from_pem(ecc_data).expect("Failed to load OpenSK private key file"); - - // Check key validity - pkey.check_key().unwrap(); - assert_eq!(pkey.group().curve_name(), Some(Nid::X9_62_PRIME256V1)); - - // Private keys generated by OpenSSL have variable size but we only handle - // constant size. Serialization is done in big endian so if the size is less - // than 32 bytes, we need to prepend with null bytes. - // If the size is 33 bytes, this means the serialized BigInt is negative. - // Any other size is invalid. - let priv_key_hex = pkey.private_key().to_hex_str().unwrap(); - let priv_key_vec = pkey.private_key().to_vec(); - let key_len = priv_key_vec.len(); - - assert!( - key_len <= 33, - "Invalid private key (too big): {} ({:#?})", - priv_key_hex, - priv_key_vec, - ); - - // Copy OpenSSL generated key to our vec, starting from the end - let mut output_vec = [0u8; 32]; - let min_key_len = std::cmp::min(key_len, 32); - output_vec[32 - min_key_len..].copy_from_slice(&priv_key_vec[key_len - min_key_len..]); - - // Create the raw private key out of the OpenSSL data - let mut priv_key_bin_file = File::create(&priv_key_bin_path).unwrap(); - priv_key_bin_file.write_all(&output_vec).unwrap(); - - // Convert the PEM certificate to DER and extract the serial for AAGUID - let input_pem_cert = include_bytes!("crypto_data/opensk_cert.pem"); - let cert = x509::X509::from_pem(input_pem_cert).expect("Failed to load OpenSK certificate"); - - // Do some sanity check on the certificate - assert!(cert - .public_key() - .unwrap() - .public_eq(&PKey::from_ec_key(pkey).unwrap())); - let now = asn1::Asn1Time::days_from_now(0).unwrap(); - assert!(cert.not_after() > now); - assert!(cert.not_before() <= now); - - let mut cert_bin_file = File::create(&cert_bin_path).unwrap(); - cert_bin_file.write_all(&cert.to_der().unwrap()).unwrap(); - let mut aaguid_bin_file = File::create(&aaguid_bin_path).unwrap(); let mut aaguid_txt_file = File::open("crypto_data/aaguid.txt").unwrap(); let mut content = String::new(); diff --git a/src/ctap/key_material.rs b/src/ctap/key_material.rs index 2563798..eec5456 100644 --- a/src/ctap/key_material.rs +++ b/src/ctap/key_material.rs @@ -17,9 +17,3 @@ pub const AAGUID_LENGTH: usize = 16; pub const AAGUID: &[u8; AAGUID_LENGTH] = include_bytes!(concat!(env!("OUT_DIR"), "/opensk_aaguid.bin")); - -pub const ATTESTATION_CERTIFICATE: &[u8] = - include_bytes!(concat!(env!("OUT_DIR"), "/opensk_cert.bin")); - -pub const ATTESTATION_PRIVATE_KEY: &[u8; ATTESTATION_PRIVATE_KEY_LENGTH] = - include_bytes!(concat!(env!("OUT_DIR"), "/opensk_pkey.bin")); diff --git a/src/ctap/storage.rs b/src/ctap/storage.rs index 5f17052..110184f 100644 --- a/src/ctap/storage.rs +++ b/src/ctap/storage.rs @@ -115,36 +115,12 @@ impl PersistentStore { self.store.insert(key::CRED_RANDOM_SECRET, &cred_random)?; } - // TODO(jmichel): remove this when vendor command is in place - #[cfg(not(test))] - self.load_attestation_data_from_firmware()?; if self.store.find_handle(key::AAGUID)?.is_none() { self.set_aaguid(key_material::AAGUID)?; } Ok(()) } - // TODO(jmichel): remove this function when vendor command is in place. - #[cfg(not(test))] - fn load_attestation_data_from_firmware(&mut self) -> Result<(), Ctap2StatusCode> { - // The following 2 entries are meant to be written by vendor-specific commands. - if self - .store - .find_handle(key::ATTESTATION_PRIVATE_KEY)? - .is_none() - { - self.set_attestation_private_key(key_material::ATTESTATION_PRIVATE_KEY)?; - } - if self - .store - .find_handle(key::ATTESTATION_CERTIFICATE)? - .is_none() - { - self.set_attestation_certificate(key_material::ATTESTATION_CERTIFICATE)?; - } - Ok(()) - } - /// Returns the first matching credential. /// /// Returns `None` if no credentials are matched or if `check_cred_protect` is set and the first @@ -989,11 +965,14 @@ mod test { .is_none()); // Make sure the persistent keys are initialized. + // Put dummy values + let dummy_key = [0x41u8; key_material::ATTESTATION_PRIVATE_KEY_LENGTH]; + let dummy_cert = [0xddu8; 20]; persistent_store - .set_attestation_private_key(key_material::ATTESTATION_PRIVATE_KEY) + .set_attestation_private_key(&dummy_key) .unwrap(); persistent_store - .set_attestation_certificate(key_material::ATTESTATION_CERTIFICATE) + .set_attestation_certificate(&dummy_cert) .unwrap(); assert_eq!(&persistent_store.aaguid().unwrap(), key_material::AAGUID); @@ -1001,11 +980,11 @@ mod test { persistent_store.reset(&mut rng).unwrap(); assert_eq!( &persistent_store.attestation_private_key().unwrap().unwrap(), - key_material::ATTESTATION_PRIVATE_KEY + &dummy_key ); assert_eq!( persistent_store.attestation_certificate().unwrap().unwrap(), - key_material::ATTESTATION_CERTIFICATE + &dummy_cert ); assert_eq!(&persistent_store.aaguid().unwrap(), key_material::AAGUID); }