kmwebnet/OpenSK
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add a key store to avoid storing secrets in the store

Browse Source
This commit is contained in:
Julien Cretin
2022-06-29 11:55:02 +02:00
parent 667c269552
commit d793a992d3
9 changed files with 172 additions and 77 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
src/ctap/crypto_wrapper.rs
View File

@@ -12,6 +12,7 @@
// See the License for the specific language governing permissions and
// limitations under the License.
use crate::api::key_store::KeyStore;
#[cfg(feature = "ed25519")]
use crate::ctap::data_formats::EDDSA_ALGORITHM;
use crate::ctap::data_formats::{
@@ -19,7 +20,6 @@ use crate::ctap::data_formats::{
PublicKeyCredentialType, SignatureAlgorithm, ES256_ALGORITHM,
};
use crate::ctap::status_code::Ctap2StatusCode;
use crate::ctap::storage;
use crate::env::Env;
use alloc::string::String;
use alloc::vec;
@@ -245,8 +245,7 @@ pub fn encrypt_key_handle(
private_key: &PrivateKey,
application: &[u8; 32],
) -> Result<Vec<u8>, Ctap2StatusCode> {
let master_keys = storage::master_keys(env)?;
let aes_enc_key = crypto::aes256::EncryptionKey::new(&master_keys.encryption);
let aes_enc_key = crypto::aes256::EncryptionKey::new(&env.key_store().kh_encryption()?);
let mut plaintext = [0; 64];
let version = match private_key {
@@ -265,7 +264,7 @@ pub fn encrypt_key_handle(
let mut encrypted_id = aes256_cbc_encrypt(env.rng(), &aes_enc_key, &plaintext, true)?;
encrypted_id.insert(0, version);
let id_hmac = hmac_256::<Sha256>(&master_keys.hmac, &encrypted_id[..]);
let id_hmac = hmac_256::<Sha256>(&env.key_store().kh_authentication()?, &encrypted_id[..]);
encrypted_id.extend(&id_hmac);
Ok(encrypted_id)
}
@@ -289,10 +288,9 @@ pub fn decrypt_credential_source(
if credential_id.len() < LEGACY_CREDENTIAL_ID_SIZE {
return Ok(None);
}
let master_keys = storage::master_keys(env)?;
let hmac_message_size = credential_id.len() - 32;
if !verify_hmac_256::<Sha256>(
&master_keys.hmac,
&env.key_store().kh_authentication()?,
&credential_id[..hmac_message_size],
array_ref![credential_id, hmac_message_size, 32],
) {
@@ -316,7 +314,7 @@ pub fn decrypt_credential_source(
return Ok(None);
}
let aes_enc_key = crypto::aes256::EncryptionKey::new(&master_keys.encryption);
let aes_enc_key = crypto::aes256::EncryptionKey::new(&env.key_store().kh_encryption()?);
let decrypted_id = aes256_cbc_decrypt(&aes_enc_key, payload, true)?;
if rp_id_hash != &decrypted_id[32..] {
@@ -548,7 +546,6 @@ mod test {
fn test_encrypt_decrypt_credential(signature_algorithm: SignatureAlgorithm) {
let mut env = TestEnv::new();
storage::init(&mut env).ok().unwrap();
let private_key = PrivateKey::new(env.rng(), signature_algorithm);
let rp_id_hash = [0x55; 32];
@@ -574,7 +571,6 @@ mod test {
#[test]
fn test_encrypt_decrypt_bad_version() {
let mut env = TestEnv::new();
storage::init(&mut env).ok().unwrap();
let private_key = PrivateKey::new(env.rng(), SignatureAlgorithm::ES256);
let rp_id_hash = [0x55; 32];
@@ -582,8 +578,8 @@ mod test {
encrypted_id[0] = UNSUPPORTED_CREDENTIAL_ID_VERSION;
// Override the HMAC to pass the check.
encrypted_id.truncate(&encrypted_id.len() - 32);
let master_keys = storage::master_keys(&mut env).unwrap();
let id_hmac = hmac_256::<Sha256>(&master_keys.hmac, &encrypted_id[..]);
let hmac_key = env.key_store().kh_authentication().unwrap();
let id_hmac = hmac_256::<Sha256>(&hmac_key, &encrypted_id[..]);
encrypted_id.extend(&id_hmac);
assert_eq!(
@@ -594,7 +590,6 @@ mod test {
fn test_encrypt_decrypt_bad_hmac(signature_algorithm: SignatureAlgorithm) {
let mut env = TestEnv::new();
storage::init(&mut env).ok().unwrap();
let private_key = PrivateKey::new(env.rng(), signature_algorithm);
let rp_id_hash = [0x55; 32];
@@ -622,7 +617,6 @@ mod test {
fn test_decrypt_credential_missing_blocks(signature_algorithm: SignatureAlgorithm) {
let mut env = TestEnv::new();
storage::init(&mut env).ok().unwrap();
let private_key = PrivateKey::new(env.rng(), signature_algorithm);
let rp_id_hash = [0x55; 32];
@@ -653,14 +647,13 @@ mod test {
private_key: crypto::ecdsa::SecKey,
application: &[u8; 32],
) -> Result<Vec<u8>, Ctap2StatusCode> {
let master_keys = storage::master_keys(env)?;
let aes_enc_key = crypto::aes256::EncryptionKey::new(&master_keys.encryption);
let aes_enc_key = crypto::aes256::EncryptionKey::new(&env.key_store().kh_encryption()?);
let mut plaintext = [0; 64];
private_key.to_bytes(array_mut_ref!(plaintext, 0, 32));
plaintext[32..64].copy_from_slice(application);
let mut encrypted_id = aes256_cbc_encrypt(env.rng(), &aes_enc_key, &plaintext, true)?;
let id_hmac = hmac_256::<Sha256>(&master_keys.hmac, &encrypted_id[..]);
let id_hmac = hmac_256::<Sha256>(&env.key_store().kh_authentication()?, &encrypted_id[..]);
encrypted_id.extend(&id_hmac);
Ok(encrypted_id)
}
@@ -668,7 +661,6 @@ mod test {
#[test]
fn test_encrypt_decrypt_credential_legacy() {
let mut env = TestEnv::new();
storage::init(&mut env).ok().unwrap();
let ecdsa_key = crypto::ecdsa::SecKey::gensk(env.rng());
let private_key = PrivateKey::from(ecdsa_key.clone());
@@ -684,7 +676,6 @@ mod test {
#[test]
fn test_encrypt_credential_size() {
let mut env = TestEnv::new();
storage::init(&mut env).ok().unwrap();
let private_key = PrivateKey::new(env.rng(), SignatureAlgorithm::ES256);
let rp_id_hash = [0x55; 32];

7
src/ctap/status_code.rs
View File

@@ -12,6 +12,7 @@
// See the License for the specific language governing permissions and
// limitations under the License.
use crate::api::key_store;
use crate::api::user_presence::UserPresenceError;
// CTAP specification (version 20190130) section 6.3
@@ -93,3 +94,9 @@ impl From<UserPresenceError> for Ctap2StatusCode {
}
}
}
impl From<key_store::Error> for Ctap2StatusCode {
fn from(_: key_store::Error) -> Self {
Self::CTAP2_ERR_VENDOR_INTERNAL_ERROR
}
}

57
src/ctap/storage.rs
View File

@@ -15,6 +15,7 @@
mod key;
use crate::api::customization::Customization;
use crate::api::key_store::KeyStore;
use crate::ctap::client_pin::PIN_AUTH_LENGTH;
use crate::ctap::data_formats::{
extract_array, extract_text_string, CredentialProtectionPolicy, PublicKeyCredentialSource,
@@ -33,15 +34,6 @@ use persistent_store::{fragment, StoreUpdate};
use rng256::Rng256;
use sk_cbor::cbor_array_vec;
/// Wrapper for master keys.
pub struct MasterKeys {
/// Master encryption key.
pub encryption: [u8; 32],
/// Master hmac key.
pub hmac: [u8; 32],
}
/// Wrapper for PIN properties.
struct PinProperties {
/// 16 byte prefix of SHA256 of the currently set PIN.
@@ -53,16 +45,6 @@ struct PinProperties {
/// Initializes the store by creating missing objects.
pub fn init(env: &mut impl Env) -> Result<(), Ctap2StatusCode> {
// Generate and store the master keys if they are missing.
if env.store().find_handle(key::MASTER_KEYS)?.is_none() {
let master_encryption_key = env.rng().gen_uniform_u8x32();
let master_hmac_key = env.rng().gen_uniform_u8x32();
let mut master_keys = Vec::with_capacity(64);
master_keys.extend_from_slice(&master_encryption_key);
master_keys.extend_from_slice(&master_hmac_key);
env.store().insert(key::MASTER_KEYS, &master_keys)?;
}
// Generate and store the CredRandom secrets if they are missing.
if env.store().find_handle(key::CRED_RANDOM_SECRET)?.is_none() {
let cred_random_with_uv = env.rng().gen_uniform_u8x32();
@@ -280,21 +262,6 @@ pub fn incr_global_signature_counter(
Ok(())
}
/// Returns the master keys.
pub fn master_keys(env: &mut impl Env) -> Result<MasterKeys, Ctap2StatusCode> {
let master_keys = env
.store()
.find(key::MASTER_KEYS)?
.ok_or(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR)?;
if master_keys.len() != 64 {
return Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR);
}
Ok(MasterKeys {
encryption: *array_ref![master_keys, 0, 32],
hmac: *array_ref![master_keys, 32, 32],
})
}
/// Returns the CredRandom secret.
pub fn cred_random_secret(env: &mut impl Env, has_uv: bool) -> Result<[u8; 32], Ctap2StatusCode> {
let cred_random_secret = env
@@ -549,6 +516,7 @@ pub fn set_aaguid(
/// In particular persistent entries are not reset.
pub fn reset(env: &mut impl Env) -> Result<(), Ctap2StatusCode> {
env.store().clear(key::NUM_PERSISTENT_KEYS)?;
env.key_store().reset()?;
init(env)?;
Ok(())
}
@@ -981,27 +949,6 @@ mod test {
assert_eq!(no_credential, None);
}
#[test]
fn test_master_keys() {
let mut env = TestEnv::new();
init(&mut env).unwrap();
// Master keys stay the same within the same CTAP reset cycle.
let master_keys_1 = master_keys(&mut env).unwrap();
let master_keys_2 = master_keys(&mut env).unwrap();
assert_eq!(master_keys_2.encryption, master_keys_1.encryption);
assert_eq!(master_keys_2.hmac, master_keys_1.hmac);
// Master keys change after reset. This test may fail if the random generator produces the
// same keys.
let master_encryption_key = master_keys_1.encryption.to_vec();
let master_hmac_key = master_keys_1.hmac.to_vec();
reset(&mut env).unwrap();
let master_keys_3 = master_keys(&mut env).unwrap();
assert!(master_keys_3.encryption != master_encryption_key.as_slice());
assert!(master_keys_3.hmac != master_hmac_key.as_slice());
}
#[test]
fn test_cred_random_secret() {
let mut env = TestEnv::new();

6
src/ctap/storage/key.rs
View File

@@ -125,10 +125,8 @@ make_partition! {
/// the length, the following are an array with the hash.
PIN_PROPERTIES = 2045;
/// The encryption and hmac keys.
///
/// This entry is always present. It is generated at startup if absent.
MASTER_KEYS = 2046;
/// Reserved for the key store implementation of the environment.
_RESERVED_KEY_STORE = 2046;
/// The global signature counter.
///