Merge pull request #14 from jmichelp/master

Change the way private key and cert are embedded.

.gitignore

@@ -3,5 +3,3 @@ Cargo.lock
 
 # Prevent people from commiting sensitive files.
 crypto_data/
-src/ctap/key_material.rs
-

.travis.yml

@@ -19,13 +19,13 @@ rust:
 os:
   - linux
 
-dist: "trusty"  # we need python3-pip
-
 addons:
   apt:
     packages:
       - "python3"
       - "python3-pip"
+      - "python3-setuptools"
+      - "python3-wheel"
 
 cache:
   - rust

Cargo.toml

@@ -26,6 +26,9 @@ panic_console = ["libtock/panic_console"]
 [dev-dependencies]
 elf2tab = "0.4.0"
 
+[build-dependencies]
+openssl = "0.10"
+
 [profile.dev]
 panic = "abort"
 lto = true # Link Time Optimization usually reduces size of binaries and static libraries

build.rs

@@ -0,0 +1,78 @@
+// Copyright 2019 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+extern crate openssl;
+
+use openssl::asn1;
+use openssl::ec;
+use openssl::nid::Nid;
+use openssl::pkey::PKey;
+use openssl::x509;
+use std::env;
+use std::fs::File;
+use std::io::Write;
+use std::path::Path;
+
+fn main() {
+    println!("cargo:rerun-if-changed=crypto_data/opensk.key");
+    println!("cargo:rerun-if-changed=crypto_data/opensk_cert.pem");
+
+    let out_dir = env::var_os("OUT_DIR").unwrap();
+    let priv_key_bin_path = Path::new(&out_dir).join("opensk_pkey.bin");
+    let cert_bin_path = Path::new(&out_dir).join("opensk_cert.bin");
+    let aaguid_bin_path = Path::new(&out_dir).join("opensk_aaguid.bin");
+
+    // Load the OpenSSL PEM ECC key
+    let ecc_data = include_bytes!("crypto_data/opensk.key");
+    let pkey = ec::EcKey::private_key_from_pem(ecc_data)
+        .ok()
+        .expect("Failed to load OpenSK private key file");
+
+    // Check key validity
+    pkey.check_key().unwrap();
+    assert_eq!(pkey.group().curve_name(), Some(Nid::X9_62_PRIME256V1));
+
+    let mut priv_key = pkey.private_key().to_vec();
+    if priv_key.len() == 33 && priv_key[0] == 0 {
+        priv_key.remove(0);
+    }
+    assert_eq!(priv_key.len(), 32);
+
+    // Create the raw private key out of the OpenSSL data
+    let mut priv_key_bin_file = File::create(&priv_key_bin_path).unwrap();
+    priv_key_bin_file.write_all(&priv_key).unwrap();
+
+    // Convert the PEM certificate to DER and extract the serial for AAGUID
+    let input_pem_cert = include_bytes!("crypto_data/opensk_cert.pem");
+    let cert = x509::X509::from_pem(input_pem_cert)
+        .ok()
+        .expect("Failed to load OpenSK certificate");
+
+    // Do some sanity check on the certificate
+    assert!(cert
+        .public_key()
+        .unwrap()
+        .public_eq(&PKey::from_ec_key(pkey).unwrap()));
+    let now = asn1::Asn1Time::days_from_now(0).unwrap();
+    assert!(cert.not_after() > now);
+    assert!(cert.not_before() <= now);
+
+    let mut cert_bin_file = File::create(&cert_bin_path).unwrap();
+    cert_bin_file.write_all(&cert.to_der().unwrap()).unwrap();
+
+    let mut aaguid_bin_file = File::create(&aaguid_bin_path).unwrap();
+    let mut serial = cert.serial_number().to_bn().unwrap().to_vec();
+    serial.resize(16, 0);
+    aaguid_bin_file.write_all(&serial).unwrap();
+}

src/ctap/key_material.rs

@@ -0,0 +1,21 @@
+// Copyright 2019 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+pub const AAGUID: [u8; 16] = *include_bytes!(concat!(env!("OUT_DIR"), "/opensk_aaguid.bin"));
+
+pub const ATTESTATION_CERTIFICATE: &[u8] =
+    include_bytes!(concat!(env!("OUT_DIR"), "/opensk_cert.bin"));
+
+pub const ATTESTATION_PRIVATE_KEY: [u8; 32] =
+    *include_bytes!(concat!(env!("OUT_DIR"), "/opensk_pkey.bin"));

tools/gen_key_materials.sh

@@ -36,6 +36,7 @@ generate_crypto_materials () {
     exit 1
   fi
 
+  force_generate="$1"
   mkdir -p crypto_data
   if [ ! -f "${ca_priv_key}" ]
   then
@@ -60,12 +61,12 @@ generate_crypto_materials () {
       -sha256
   fi
 
-  if [ ! -f "${opensk_key}" ]
+  if [ "${force_generate}" = "Y" -o ! -f "${opensk_key}" ]
   then
     "${openssl}" ecparam -genkey -name prime256v1 -out "${opensk_key}"
   fi
 
-  if [ ! -f "${opensk_cert_name}.pem" ]
+  if [ "${force_generate}" = "Y" -o ! -f "${opensk_cert_name}.pem" ]
   then
     "${openssl}" req \
       -new \
@@ -83,87 +84,4 @@ generate_crypto_materials () {
       -out "${opensk_cert_name}.pem" \
       -sha256
   fi
-
-  local cert_mtime=$(stat --printf="%Y" "${opensk_cert_name}.pem")
-  local rust_file_mtime=0
-  # Only take into consideration the mtime of the file if it exists and if we're not forcing
-  # the rust file to be re-generated.
-  if [ -f "${rust_file}" -a "x$1" != "xY" ]
-  then
-    rust_file_mtime=$(stat --printf="%Y" "${rust_file}")
-  fi
-  if [ $cert_mtime -gt $rust_file_mtime ]
-  then
-    local cert_size=$("${openssl}" x509 \
-      -in "${opensk_cert_name}.pem" \
-      -outform der 2>/dev/null \
-      | wc -c)
-    local cert_serial_hex=$("${openssl}" x509 \
-      -in "${opensk_cert_name}.pem" \
-      -noout \
-      -serial \
-      | cut -d'=' -f2)
-    # Pad with zeroes in case the serial is too short. We don't care if the
-    # serial is longer than 32 characters as we will only process the first 32
-    # characters in the loop later.
-    cert_serial_hex="${cert_serial_hex}00000000000000000000000000000000"
-
-    # Create header
-    echo "// This file had been generated by OpenSK deploy.sh script" > "${rust_file}"
-    echo "" >> "${rust_file}"
-
-    echo "pub const AAGUID: [u8; 16] = [" >> "${rust_file}"
-    for i in `seq 0 2 30`
-    do
-      echo -n "0x${cert_serial_hex:$i:2}, " >> "${rust_file}"
-    done
-    echo "" >> "${rust_file}"
-    echo "];" >> "${rust_file}"
-    echo "" >> "${rust_file}"
-
-    echo "pub const ATTESTATION_CERTIFICATE: [u8; ${cert_size}] = [" >> "${rust_file}"
-    "${openssl}" x509 \
-      -in "${opensk_cert_name}.pem" \
-      -outform der 2>/dev/null \
-      | xxd -i >> "${rust_file}"
-    echo "];" >> "${rust_file}"
-    echo "" >> "${rust_file}"
-
-    # Private key is tricky to extract as we want the raw value and not the DER encoding
-    # Example output of openssl ec -in file.key -noout -text:
-    # read EC key
-    # Private-Key: (256 bit)
-    # priv:
-    #     47:b3:58:b8:f0:09:1d:72:b1:03:34:62:9a:c7:b2:
-    #     b2:e1:06:28:15:69:d4:82:b5:4e:21:6d:98:bf:65:
-    #     98:34
-    # pub:
-    #     04:32:84:a1:3c:90:db:3f:db:d7:fb:ff:e9:00:c8:
-    #     8a:a1:79:2e:95:2e:7c:86:ec:19:03:97:6e:7c:d6:
-    #     67:eb:28:56:f1:d8:dd:cb:ae:ce:b9:cb:e4:6d:9d:
-    #     1d:76:96:fc:48:9b:2d:d5:80:86:04:3d:f9:fe:6c:
-    #     f3:9a:45:bc:b1
-    # ASN1 OID: prime256v1
-    # NIST CURVE: P-256
-    #
-    # The awk script starts printing lines after seeing a line starting with
-    # "priv:" and stops printing as soon as it reaches a line that doesn't start
-    # with a space.
-    # The sed script then converts the output into a proper hex-encode byte
-    # array by replacing the initial spaces on each line with "0x", replacing
-    # the semicolons at the end of each line by commas and replacing all
-    # remainging semicolons by ". 0x".
-    echo "pub const ATTESTATION_PRIVATE_KEY: [u8; 32] = [" >> "${rust_file}"
-    "${openssl}" ec \
-      -in "${opensk_key}" \
-      -noout \
-      -text 2>/dev/null \
-      | awk '/^priv:/{p=1;next}/^[^ ]/{p=0}p' \
-      | sed -e 's/^  */0x/;s/:$/,/;s/:/, 0x/g' >> "${rust_file}"
-    echo "];" >> "${rust_file}"
-    echo "" >> "${rust_file}"
-
-    # If the tool is installed, prettify the file. It will catch syntax errors earlier.
-    which rustfmt > /dev/null 2>&1 && rustfmt "${rust_file}"
-  fi
 }