// Copyright 2020-2021 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. use super::command::AuthenticatorClientPinParameters; use super::data_formats::{ClientPinSubCommand, CoseKey, GetAssertionHmacSecretInput}; use super::response::{AuthenticatorClientPinResponse, ResponseData}; use super::status_code::Ctap2StatusCode; use super::storage::PersistentStore; use alloc::str; use alloc::string::String; use alloc::vec; use alloc::vec::Vec; use arrayref::array_ref; use core::convert::TryInto; use crypto::cbc::{cbc_decrypt, cbc_encrypt}; use crypto::hmac::{hmac_256, verify_hmac_256_first_128bits}; use crypto::rng256::Rng256; use crypto::sha256::Sha256; use crypto::Hash256; #[cfg(test)] use enum_iterator::IntoEnumIterator; use subtle::ConstantTimeEq; // Those constants have to be multiples of 16, the AES block size. pub const PIN_AUTH_LENGTH: usize = 16; const PIN_PADDED_LENGTH: usize = 64; const PIN_TOKEN_LENGTH: usize = 32; /// Checks the given pin_auth against the truncated output of HMAC-SHA256. /// Returns LEFT(HMAC(hmac_key, hmac_contents), 16) == pin_auth). fn verify_pin_auth(hmac_key: &[u8], hmac_contents: &[u8], pin_auth: &[u8]) -> bool { if pin_auth.len() != PIN_AUTH_LENGTH { return false; } verify_hmac_256_first_128bits::( hmac_key, hmac_contents, array_ref![pin_auth, 0, PIN_AUTH_LENGTH], ) } /// Encrypts the HMAC-secret outputs. To compute them, we first have to /// decrypt the HMAC secret salt(s) that were encrypted with the shared secret. /// The credRandom is used as a secret to HMAC those salts. fn encrypt_hmac_secret_output( shared_secret: &[u8; 32], salt_enc: &[u8], cred_random: &[u8; 32], ) -> Result, Ctap2StatusCode> { if salt_enc.len() != 32 && salt_enc.len() != 64 { return Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER); } let aes_enc_key = crypto::aes256::EncryptionKey::new(shared_secret); let aes_dec_key = crypto::aes256::DecryptionKey::new(&aes_enc_key); // The specification specifically asks for a zero IV. let iv = [0u8; 16]; // With the if clause restriction above, block_len can only be 2 or 4. let block_len = salt_enc.len() / 16; let mut blocks = vec![[0u8; 16]; block_len]; for i in 0..block_len { blocks[i].copy_from_slice(&salt_enc[16 * i..16 * (i + 1)]); } cbc_decrypt(&aes_dec_key, iv, &mut blocks[..block_len]); let mut decrypted_salt1 = [0u8; 32]; decrypted_salt1[..16].copy_from_slice(&blocks[0]); decrypted_salt1[16..].copy_from_slice(&blocks[1]); let output1 = hmac_256::(&cred_random[..], &decrypted_salt1[..]); for i in 0..2 { blocks[i].copy_from_slice(&output1[16 * i..16 * (i + 1)]); } if block_len == 4 { let mut decrypted_salt2 = [0u8; 32]; decrypted_salt2[..16].copy_from_slice(&blocks[2]); decrypted_salt2[16..].copy_from_slice(&blocks[3]); let output2 = hmac_256::(&cred_random[..], &decrypted_salt2[..]); for i in 0..2 { blocks[i + 2].copy_from_slice(&output2[16 * i..16 * (i + 1)]); } } cbc_encrypt(&aes_enc_key, iv, &mut blocks[..block_len]); let mut encrypted_output = Vec::with_capacity(salt_enc.len()); for b in &blocks[..block_len] { encrypted_output.extend(b); } Ok(encrypted_output) } /// Decrypts the new_pin_enc and outputs the found PIN. fn decrypt_pin( aes_dec_key: &crypto::aes256::DecryptionKey, new_pin_enc: Vec, ) -> Option> { if new_pin_enc.len() != PIN_PADDED_LENGTH { return None; } let iv = [0u8; 16]; // Assuming PIN_PADDED_LENGTH % block_size == 0 here. const BLOCK_COUNT: usize = PIN_PADDED_LENGTH / 16; let mut blocks = [[0u8; 16]; BLOCK_COUNT]; for i in 0..BLOCK_COUNT { blocks[i].copy_from_slice(&new_pin_enc[i * 16..(i + 1) * 16]); } cbc_decrypt(aes_dec_key, iv, &mut blocks); // In CTAP 2.1, the specification changed. The new wording might lead to // different behavior when there are non-zero bytes after zero bytes. // This implementation consistently ignores those degenerate cases. Some( blocks .iter() .flatten() .cloned() .take_while(|&c| c != 0) .collect::>(), ) } /// Stores the encrypted new PIN in the persistent storage, if it satisfies the /// PIN policy. The PIN is decrypted and stripped from its padding. Next, the /// length of the PIN is checked to fulfill policy requirements. Last, the PIN /// is hashed, truncated to 16 bytes and persistently stored. fn check_and_store_new_pin( persistent_store: &mut PersistentStore, aes_dec_key: &crypto::aes256::DecryptionKey, new_pin_enc: Vec, ) -> Result<(), Ctap2StatusCode> { let pin = decrypt_pin(aes_dec_key, new_pin_enc) .ok_or(Ctap2StatusCode::CTAP2_ERR_PIN_POLICY_VIOLATION)?; let min_pin_length = persistent_store.min_pin_length()? as usize; let pin_length = str::from_utf8(&pin).unwrap_or("").chars().count(); if pin_length < min_pin_length || pin.len() == PIN_PADDED_LENGTH { return Err(Ctap2StatusCode::CTAP2_ERR_PIN_POLICY_VIOLATION); } let mut pin_hash = [0u8; 16]; pin_hash.copy_from_slice(&Sha256::hash(&pin[..])[..16]); // The PIN length is always < 64. persistent_store.set_pin(&pin_hash, pin_length as u8)?; Ok(()) } #[cfg_attr(test, derive(IntoEnumIterator))] // TODO remove when all variants are used #[allow(dead_code)] pub enum PinPermission { // All variants should use integers with a single bit set. MakeCredential = 0x01, GetAssertion = 0x02, CredentialManagement = 0x04, BioEnrollment = 0x08, LargeBlobWrite = 0x10, AuthenticatorConfiguration = 0x20, } pub struct PinProtocolV1 { key_agreement_key: crypto::ecdh::SecKey, pin_uv_auth_token: [u8; PIN_TOKEN_LENGTH], consecutive_pin_mismatches: u8, permissions: u8, permissions_rp_id: Option, } impl PinProtocolV1 { pub fn new(rng: &mut impl Rng256) -> PinProtocolV1 { let key_agreement_key = crypto::ecdh::SecKey::gensk(rng); let pin_uv_auth_token = rng.gen_uniform_u8x32(); PinProtocolV1 { key_agreement_key, pin_uv_auth_token, consecutive_pin_mismatches: 0, permissions: 0, permissions_rp_id: None, } } /// Decrypts the encrypted pin_hash and compares it to the stored pin_hash. /// Resets or decreases the PIN retries, depending on success or failure. /// Also, in case of failure, the key agreement key is randomly reset. fn verify_pin_hash_enc( &mut self, rng: &mut impl Rng256, persistent_store: &mut PersistentStore, aes_dec_key: &crypto::aes256::DecryptionKey, pin_hash_enc: Vec, ) -> Result<(), Ctap2StatusCode> { match persistent_store.pin_hash()? { Some(pin_hash) => { if self.consecutive_pin_mismatches >= 3 { return Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_BLOCKED); } persistent_store.decr_pin_retries()?; if pin_hash_enc.len() != PIN_AUTH_LENGTH { return Err(Ctap2StatusCode::CTAP2_ERR_PIN_INVALID); } let iv = [0u8; 16]; let mut blocks = [[0u8; 16]; 1]; blocks[0].copy_from_slice(&pin_hash_enc); cbc_decrypt(aes_dec_key, iv, &mut blocks); if !bool::from(pin_hash.ct_eq(&blocks[0])) { self.key_agreement_key = crypto::ecdh::SecKey::gensk(rng); if persistent_store.pin_retries()? == 0 { return Err(Ctap2StatusCode::CTAP2_ERR_PIN_BLOCKED); } self.consecutive_pin_mismatches += 1; if self.consecutive_pin_mismatches >= 3 { return Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_BLOCKED); } return Err(Ctap2StatusCode::CTAP2_ERR_PIN_INVALID); } } // This status code is not explicitly mentioned in the specification. None => return Err(Ctap2StatusCode::CTAP2_ERR_PUAT_REQUIRED), } persistent_store.reset_pin_retries()?; self.consecutive_pin_mismatches = 0; Ok(()) } /// Uses the self-owned and passed halves of the key agreement to generate the /// shared secret for checking pin_auth and generating a decryption key. fn exchange_decryption_key( &self, key_agreement: CoseKey, pin_auth: &[u8], authenticated_message: &[u8], ) -> Result { let pk: crypto::ecdh::PubKey = CoseKey::try_into(key_agreement)?; let shared_secret = self.key_agreement_key.exchange_x_sha256(&pk); if !verify_pin_auth(&shared_secret, authenticated_message, pin_auth) { return Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID); } let aes_enc_key = crypto::aes256::EncryptionKey::new(&shared_secret); let aes_dec_key = crypto::aes256::DecryptionKey::new(&aes_enc_key); Ok(aes_dec_key) } fn process_get_pin_retries( &self, persistent_store: &PersistentStore, ) -> Result { Ok(AuthenticatorClientPinResponse { key_agreement: None, pin_token: None, retries: Some(persistent_store.pin_retries()? as u64), }) } fn process_get_key_agreement(&self) -> Result { let pk = self.key_agreement_key.genpk(); Ok(AuthenticatorClientPinResponse { key_agreement: Some(CoseKey::from(pk)), pin_token: None, retries: None, }) } fn process_set_pin( &mut self, persistent_store: &mut PersistentStore, key_agreement: CoseKey, pin_auth: Vec, new_pin_enc: Vec, ) -> Result<(), Ctap2StatusCode> { if persistent_store.pin_hash()?.is_some() { return Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID); } let pin_decryption_key = self.exchange_decryption_key(key_agreement, &pin_auth, &new_pin_enc)?; check_and_store_new_pin(persistent_store, &pin_decryption_key, new_pin_enc)?; persistent_store.reset_pin_retries()?; Ok(()) } fn process_change_pin( &mut self, rng: &mut impl Rng256, persistent_store: &mut PersistentStore, key_agreement: CoseKey, pin_auth: Vec, new_pin_enc: Vec, pin_hash_enc: Vec, ) -> Result<(), Ctap2StatusCode> { if persistent_store.pin_retries()? == 0 { return Err(Ctap2StatusCode::CTAP2_ERR_PIN_BLOCKED); } let mut auth_param_data = new_pin_enc.clone(); auth_param_data.extend(&pin_hash_enc); let pin_decryption_key = self.exchange_decryption_key(key_agreement, &pin_auth, &auth_param_data)?; self.verify_pin_hash_enc(rng, persistent_store, &pin_decryption_key, pin_hash_enc)?; check_and_store_new_pin(persistent_store, &pin_decryption_key, new_pin_enc)?; self.pin_uv_auth_token = rng.gen_uniform_u8x32(); Ok(()) } fn process_get_pin_token( &mut self, rng: &mut impl Rng256, persistent_store: &mut PersistentStore, key_agreement: CoseKey, pin_hash_enc: Vec, ) -> Result { if persistent_store.pin_retries()? == 0 { return Err(Ctap2StatusCode::CTAP2_ERR_PIN_BLOCKED); } let pk: crypto::ecdh::PubKey = CoseKey::try_into(key_agreement)?; let shared_secret = self.key_agreement_key.exchange_x_sha256(&pk); let token_encryption_key = crypto::aes256::EncryptionKey::new(&shared_secret); let pin_decryption_key = crypto::aes256::DecryptionKey::new(&token_encryption_key); self.verify_pin_hash_enc(rng, persistent_store, &pin_decryption_key, pin_hash_enc)?; // TODO(kaczmarczyck) can this be moved up in the specification? if persistent_store.has_force_pin_change()? { return Err(Ctap2StatusCode::CTAP2_ERR_PIN_INVALID); } // Assuming PIN_TOKEN_LENGTH % block_size == 0 here. let iv = [0u8; 16]; let mut blocks = [[0u8; 16]; PIN_TOKEN_LENGTH / 16]; for (i, item) in blocks.iter_mut().take(PIN_TOKEN_LENGTH / 16).enumerate() { item.copy_from_slice(&self.pin_uv_auth_token[i * 16..(i + 1) * 16]); } cbc_encrypt(&token_encryption_key, iv, &mut blocks); let pin_token: Vec = blocks.iter().flatten().cloned().collect(); self.permissions = 0x03; self.permissions_rp_id = None; Ok(AuthenticatorClientPinResponse { key_agreement: None, pin_token: Some(pin_token), retries: None, }) } fn process_get_pin_uv_auth_token_using_uv_with_permissions( &self, // If you want to support local user verification, implement this function. // Lacking a fingerprint reader, this subcommand is currently unsupported. _key_agreement: CoseKey, _permissions: u8, _permissions_rp_id: Option, ) -> Result { // User verifications is only supported through PIN currently. Err(Ctap2StatusCode::CTAP2_ERR_INVALID_SUBCOMMAND) } fn process_get_uv_retries(&self) -> Result { // User verifications is only supported through PIN currently. Err(Ctap2StatusCode::CTAP2_ERR_INVALID_SUBCOMMAND) } fn process_get_pin_uv_auth_token_using_pin_with_permissions( &mut self, rng: &mut impl Rng256, persistent_store: &mut PersistentStore, key_agreement: CoseKey, pin_hash_enc: Vec, permissions: u8, permissions_rp_id: Option, ) -> Result { if permissions == 0 { return Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER); } // This check is not mentioned protocol steps, but mentioned in a side note. if permissions & 0x03 != 0 && permissions_rp_id.is_none() { return Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER); } let response = self.process_get_pin_token(rng, persistent_store, key_agreement, pin_hash_enc)?; self.permissions = permissions; self.permissions_rp_id = permissions_rp_id; Ok(response) } pub fn process_subcommand( &mut self, rng: &mut impl Rng256, persistent_store: &mut PersistentStore, client_pin_params: AuthenticatorClientPinParameters, ) -> Result { let AuthenticatorClientPinParameters { pin_protocol, sub_command, key_agreement, pin_auth, new_pin_enc, pin_hash_enc, permissions, permissions_rp_id, } = client_pin_params; if pin_protocol != 1 { return Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER); } let response = match sub_command { ClientPinSubCommand::GetPinRetries => { Some(self.process_get_pin_retries(persistent_store)?) } ClientPinSubCommand::GetKeyAgreement => Some(self.process_get_key_agreement()?), ClientPinSubCommand::SetPin => { self.process_set_pin( persistent_store, key_agreement.ok_or(Ctap2StatusCode::CTAP2_ERR_MISSING_PARAMETER)?, pin_auth.ok_or(Ctap2StatusCode::CTAP2_ERR_MISSING_PARAMETER)?, new_pin_enc.ok_or(Ctap2StatusCode::CTAP2_ERR_MISSING_PARAMETER)?, )?; None } ClientPinSubCommand::ChangePin => { self.process_change_pin( rng, persistent_store, key_agreement.ok_or(Ctap2StatusCode::CTAP2_ERR_MISSING_PARAMETER)?, pin_auth.ok_or(Ctap2StatusCode::CTAP2_ERR_MISSING_PARAMETER)?, new_pin_enc.ok_or(Ctap2StatusCode::CTAP2_ERR_MISSING_PARAMETER)?, pin_hash_enc.ok_or(Ctap2StatusCode::CTAP2_ERR_MISSING_PARAMETER)?, )?; None } ClientPinSubCommand::GetPinToken => Some(self.process_get_pin_token( rng, persistent_store, key_agreement.ok_or(Ctap2StatusCode::CTAP2_ERR_MISSING_PARAMETER)?, pin_hash_enc.ok_or(Ctap2StatusCode::CTAP2_ERR_MISSING_PARAMETER)?, )?), ClientPinSubCommand::GetPinUvAuthTokenUsingUvWithPermissions => Some( self.process_get_pin_uv_auth_token_using_uv_with_permissions( key_agreement.ok_or(Ctap2StatusCode::CTAP2_ERR_MISSING_PARAMETER)?, permissions.ok_or(Ctap2StatusCode::CTAP2_ERR_MISSING_PARAMETER)?, permissions_rp_id, )?, ), ClientPinSubCommand::GetUvRetries => Some(self.process_get_uv_retries()?), ClientPinSubCommand::GetPinUvAuthTokenUsingPinWithPermissions => Some( self.process_get_pin_uv_auth_token_using_pin_with_permissions( rng, persistent_store, key_agreement.ok_or(Ctap2StatusCode::CTAP2_ERR_MISSING_PARAMETER)?, pin_hash_enc.ok_or(Ctap2StatusCode::CTAP2_ERR_MISSING_PARAMETER)?, permissions.ok_or(Ctap2StatusCode::CTAP2_ERR_MISSING_PARAMETER)?, permissions_rp_id, )?, ), }; Ok(ResponseData::AuthenticatorClientPin(response)) } pub fn verify_pin_auth_token(&self, hmac_contents: &[u8], pin_auth: &[u8]) -> bool { verify_pin_auth(&self.pin_uv_auth_token, &hmac_contents, &pin_auth) } pub fn reset(&mut self, rng: &mut impl Rng256) { self.key_agreement_key = crypto::ecdh::SecKey::gensk(rng); self.pin_uv_auth_token = rng.gen_uniform_u8x32(); self.consecutive_pin_mismatches = 0; self.permissions = 0; self.permissions_rp_id = None; } pub fn process_hmac_secret( &self, hmac_secret_input: GetAssertionHmacSecretInput, cred_random: &[u8; 32], ) -> Result, Ctap2StatusCode> { let GetAssertionHmacSecretInput { key_agreement, salt_enc, salt_auth, } = hmac_secret_input; let pk: crypto::ecdh::PubKey = CoseKey::try_into(key_agreement)?; let shared_secret = self.key_agreement_key.exchange_x_sha256(&pk); // HMAC-secret does the same 16 byte truncated check. if !verify_pin_auth(&shared_secret, &salt_enc, &salt_auth) { // Hard to tell what the correct error code here is. return Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID); } encrypt_hmac_secret_output(&shared_secret, &salt_enc[..], cred_random) } pub fn has_permission(&self, permission: PinPermission) -> Result<(), Ctap2StatusCode> { // Relies on the fact that all permissions are represented by powers of two. if permission as u8 & self.permissions != 0 { Ok(()) } else { Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID) } } pub fn has_no_permission_rp_id(&self) -> Result<(), Ctap2StatusCode> { if self.permissions_rp_id.is_some() { return Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID); } Ok(()) } pub fn has_permission_for_rp_id(&mut self, rp_id: &str) -> Result<(), Ctap2StatusCode> { if let Some(permissions_rp_id) = &self.permissions_rp_id { if rp_id != permissions_rp_id { return Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID); } } else { self.permissions_rp_id = Some(String::from(rp_id)); } Ok(()) } #[cfg(test)] pub fn new_test( key_agreement_key: crypto::ecdh::SecKey, pin_uv_auth_token: [u8; PIN_TOKEN_LENGTH], ) -> PinProtocolV1 { PinProtocolV1 { key_agreement_key, pin_uv_auth_token, consecutive_pin_mismatches: 0, permissions: 0xFF, permissions_rp_id: None, } } } #[cfg(test)] mod test { use super::*; use crypto::rng256::ThreadRng256; // Stores a PIN hash corresponding to the dummy PIN "1234". fn set_standard_pin(persistent_store: &mut PersistentStore) { let mut pin = [0u8; 64]; pin[..4].copy_from_slice(b"1234"); let mut pin_hash = [0u8; 16]; pin_hash.copy_from_slice(&Sha256::hash(&pin[..])[..16]); persistent_store.set_pin(&pin_hash, 4).unwrap(); } // Encrypts the message with a zero IV and key derived from shared_secret. fn encrypt_message(shared_secret: &[u8; 32], message: &[u8]) -> Vec { assert!(message.len() % 16 == 0); let block_len = message.len() / 16; let mut blocks = vec![[0u8; 16]; block_len]; for i in 0..block_len { blocks[i][..].copy_from_slice(&message[i * 16..(i + 1) * 16]); } let aes_enc_key = crypto::aes256::EncryptionKey::new(shared_secret); let iv = [0u8; 16]; cbc_encrypt(&aes_enc_key, iv, &mut blocks); blocks.iter().flatten().cloned().collect::>() } // Decrypts the message with a zero IV and key derived from shared_secret. fn decrypt_message(shared_secret: &[u8; 32], message: &[u8]) -> Vec { assert!(message.len() % 16 == 0); let block_len = message.len() / 16; let mut blocks = vec![[0u8; 16]; block_len]; for i in 0..block_len { blocks[i][..].copy_from_slice(&message[i * 16..(i + 1) * 16]); } let aes_enc_key = crypto::aes256::EncryptionKey::new(shared_secret); let aes_dec_key = crypto::aes256::DecryptionKey::new(&aes_enc_key); let iv = [0u8; 16]; cbc_decrypt(&aes_dec_key, iv, &mut blocks); blocks.iter().flatten().cloned().collect::>() } // Fails on PINs bigger than 64 bytes. fn encrypt_pin(shared_secret: &[u8; 32], pin: Vec) -> Vec { assert!(pin.len() <= 64); let mut padded_pin = [0u8; 64]; padded_pin[..pin.len()].copy_from_slice(&pin[..]); encrypt_message(shared_secret, &padded_pin) } // Encrypts the dummy PIN "1234". fn encrypt_standard_pin(shared_secret: &[u8; 32]) -> Vec { encrypt_pin(shared_secret, b"1234".to_vec()) } // Encrypts the PIN hash corresponding to the dummy PIN "1234". fn encrypt_standard_pin_hash(shared_secret: &[u8; 32]) -> Vec { let mut pin = [0u8; 64]; pin[..4].copy_from_slice(b"1234"); let pin_hash = Sha256::hash(&pin); encrypt_message(shared_secret, &pin_hash[..16]) } #[test] fn test_verify_pin_hash_enc() { let mut rng = ThreadRng256 {}; let mut persistent_store = PersistentStore::new(&mut rng); // The PIN is "1234". let pin_hash = [ 0x01, 0xD9, 0x88, 0x40, 0x50, 0xBB, 0xD0, 0x7A, 0x23, 0x1A, 0xEB, 0x69, 0xD8, 0x36, 0xC4, 0x12, ]; persistent_store.set_pin(&pin_hash, 4).unwrap(); let shared_secret = [0x88; 32]; let aes_enc_key = crypto::aes256::EncryptionKey::new(&shared_secret); let aes_dec_key = crypto::aes256::DecryptionKey::new(&aes_enc_key); let mut pin_protocol_v1 = PinProtocolV1::new(&mut rng); let pin_hash_enc = vec![ 0x8D, 0x7A, 0xA3, 0x9F, 0x7F, 0xC6, 0x08, 0x13, 0x9A, 0xC8, 0x56, 0x97, 0x70, 0x74, 0x99, 0x66, ]; assert_eq!( pin_protocol_v1.verify_pin_hash_enc( &mut rng, &mut persistent_store, &aes_dec_key, pin_hash_enc ), Ok(()) ); let pin_hash_enc = vec![0xEE; 16]; assert_eq!( pin_protocol_v1.verify_pin_hash_enc( &mut rng, &mut persistent_store, &aes_dec_key, pin_hash_enc ), Err(Ctap2StatusCode::CTAP2_ERR_PIN_INVALID) ); let pin_hash_enc = vec![ 0x8D, 0x7A, 0xA3, 0x9F, 0x7F, 0xC6, 0x08, 0x13, 0x9A, 0xC8, 0x56, 0x97, 0x70, 0x74, 0x99, 0x66, ]; pin_protocol_v1.consecutive_pin_mismatches = 3; assert_eq!( pin_protocol_v1.verify_pin_hash_enc( &mut rng, &mut persistent_store, &aes_dec_key, pin_hash_enc ), Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_BLOCKED) ); pin_protocol_v1.consecutive_pin_mismatches = 0; let pin_hash_enc = vec![0x77; PIN_AUTH_LENGTH - 1]; assert_eq!( pin_protocol_v1.verify_pin_hash_enc( &mut rng, &mut persistent_store, &aes_dec_key, pin_hash_enc ), Err(Ctap2StatusCode::CTAP2_ERR_PIN_INVALID) ); let pin_hash_enc = vec![0x77; PIN_AUTH_LENGTH + 1]; assert_eq!( pin_protocol_v1.verify_pin_hash_enc( &mut rng, &mut persistent_store, &aes_dec_key, pin_hash_enc ), Err(Ctap2StatusCode::CTAP2_ERR_PIN_INVALID) ); } #[test] fn test_process_get_pin_retries() { let mut rng = ThreadRng256 {}; let persistent_store = PersistentStore::new(&mut rng); let pin_protocol_v1 = PinProtocolV1::new(&mut rng); let expected_response = Ok(AuthenticatorClientPinResponse { key_agreement: None, pin_token: None, retries: Some(persistent_store.pin_retries().unwrap() as u64), }); assert_eq!( pin_protocol_v1.process_get_pin_retries(&persistent_store), expected_response ); } #[test] fn test_process_get_key_agreement() { let mut rng = ThreadRng256 {}; let pin_protocol_v1 = PinProtocolV1::new(&mut rng); let pk = pin_protocol_v1.key_agreement_key.genpk(); let expected_response = Ok(AuthenticatorClientPinResponse { key_agreement: Some(CoseKey::from(pk)), pin_token: None, retries: None, }); assert_eq!( pin_protocol_v1.process_get_key_agreement(), expected_response ); } #[test] fn test_process_set_pin() { let mut rng = ThreadRng256 {}; let mut persistent_store = PersistentStore::new(&mut rng); let mut pin_protocol_v1 = PinProtocolV1::new(&mut rng); let pk = pin_protocol_v1.key_agreement_key.genpk(); let shared_secret = pin_protocol_v1.key_agreement_key.exchange_x_sha256(&pk); let key_agreement = CoseKey::from(pk); let new_pin_enc = encrypt_standard_pin(&shared_secret); let pin_auth = hmac_256::(&shared_secret, &new_pin_enc[..])[..16].to_vec(); assert_eq!( pin_protocol_v1.process_set_pin( &mut persistent_store, key_agreement, pin_auth, new_pin_enc ), Ok(()) ); } #[test] fn test_process_change_pin() { let mut rng = ThreadRng256 {}; let mut persistent_store = PersistentStore::new(&mut rng); set_standard_pin(&mut persistent_store); let mut pin_protocol_v1 = PinProtocolV1::new(&mut rng); let pk = pin_protocol_v1.key_agreement_key.genpk(); let shared_secret = pin_protocol_v1.key_agreement_key.exchange_x_sha256(&pk); let key_agreement = CoseKey::from(pk); let new_pin_enc = encrypt_standard_pin(&shared_secret); let pin_hash_enc = encrypt_standard_pin_hash(&shared_secret); let mut auth_param_data = new_pin_enc.clone(); auth_param_data.extend(&pin_hash_enc); let pin_auth = hmac_256::(&shared_secret, &auth_param_data[..])[..16].to_vec(); assert_eq!( pin_protocol_v1.process_change_pin( &mut rng, &mut persistent_store, key_agreement.clone(), pin_auth.clone(), new_pin_enc.clone(), pin_hash_enc.clone() ), Ok(()) ); let bad_pin_hash_enc = vec![0xEE; 16]; assert_eq!( pin_protocol_v1.process_change_pin( &mut rng, &mut persistent_store, key_agreement.clone(), pin_auth.clone(), new_pin_enc.clone(), bad_pin_hash_enc ), Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID) ); while persistent_store.pin_retries().unwrap() > 0 { persistent_store.decr_pin_retries().unwrap(); } assert_eq!( pin_protocol_v1.process_change_pin( &mut rng, &mut persistent_store, key_agreement, pin_auth, new_pin_enc, pin_hash_enc, ), Err(Ctap2StatusCode::CTAP2_ERR_PIN_BLOCKED) ); } #[test] fn test_process_get_pin_token() { let mut rng = ThreadRng256 {}; let mut persistent_store = PersistentStore::new(&mut rng); set_standard_pin(&mut persistent_store); let mut pin_protocol_v1 = PinProtocolV1::new(&mut rng); let pk = pin_protocol_v1.key_agreement_key.genpk(); let shared_secret = pin_protocol_v1.key_agreement_key.exchange_x_sha256(&pk); let key_agreement = CoseKey::from(pk); let pin_hash_enc = encrypt_standard_pin_hash(&shared_secret); assert!(pin_protocol_v1 .process_get_pin_token( &mut rng, &mut persistent_store, key_agreement.clone(), pin_hash_enc ) .is_ok()); let pin_hash_enc = vec![0xEE; 16]; assert_eq!( pin_protocol_v1.process_get_pin_token( &mut rng, &mut persistent_store, key_agreement, pin_hash_enc ), Err(Ctap2StatusCode::CTAP2_ERR_PIN_INVALID) ); } #[test] fn test_process_get_pin_token_force_pin_change() { let mut rng = ThreadRng256 {}; let mut persistent_store = PersistentStore::new(&mut rng); set_standard_pin(&mut persistent_store); assert_eq!(persistent_store.force_pin_change(), Ok(())); let mut pin_protocol_v1 = PinProtocolV1::new(&mut rng); let pk = pin_protocol_v1.key_agreement_key.genpk(); let shared_secret = pin_protocol_v1.key_agreement_key.exchange_x_sha256(&pk); let key_agreement = CoseKey::from(pk); let pin_hash_enc = encrypt_standard_pin_hash(&shared_secret); assert_eq!( pin_protocol_v1.process_get_pin_token( &mut rng, &mut persistent_store, key_agreement, pin_hash_enc ), Err(Ctap2StatusCode::CTAP2_ERR_PIN_INVALID), ); } #[test] fn test_process_get_pin_uv_auth_token_using_pin_with_permissions() { let mut rng = ThreadRng256 {}; let mut persistent_store = PersistentStore::new(&mut rng); set_standard_pin(&mut persistent_store); let mut pin_protocol_v1 = PinProtocolV1::new(&mut rng); let pk = pin_protocol_v1.key_agreement_key.genpk(); let shared_secret = pin_protocol_v1.key_agreement_key.exchange_x_sha256(&pk); let key_agreement = CoseKey::from(pk); let pin_hash_enc = encrypt_standard_pin_hash(&shared_secret); assert!(pin_protocol_v1 .process_get_pin_uv_auth_token_using_pin_with_permissions( &mut rng, &mut persistent_store, key_agreement.clone(), pin_hash_enc.clone(), 0x03, Some(String::from("example.com")), ) .is_ok()); assert_eq!(pin_protocol_v1.permissions, 0x03); assert_eq!( pin_protocol_v1.permissions_rp_id, Some(String::from("example.com")) ); assert_eq!( pin_protocol_v1.process_get_pin_uv_auth_token_using_pin_with_permissions( &mut rng, &mut persistent_store, key_agreement.clone(), pin_hash_enc.clone(), 0x00, Some(String::from("example.com")), ), Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER) ); assert_eq!( pin_protocol_v1.process_get_pin_uv_auth_token_using_pin_with_permissions( &mut rng, &mut persistent_store, key_agreement.clone(), pin_hash_enc, 0x03, None, ), Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER) ); let pin_hash_enc = vec![0xEE; 16]; assert_eq!( pin_protocol_v1.process_get_pin_uv_auth_token_using_pin_with_permissions( &mut rng, &mut persistent_store, key_agreement, pin_hash_enc, 0x03, Some(String::from("example.com")), ), Err(Ctap2StatusCode::CTAP2_ERR_PIN_INVALID) ); } #[test] fn test_process_get_pin_token_force_pin_change_force_pin_change() { let mut rng = ThreadRng256 {}; let mut persistent_store = PersistentStore::new(&mut rng); set_standard_pin(&mut persistent_store); assert_eq!(persistent_store.force_pin_change(), Ok(())); let mut pin_protocol_v1 = PinProtocolV1::new(&mut rng); let pk = pin_protocol_v1.key_agreement_key.genpk(); let shared_secret = pin_protocol_v1.key_agreement_key.exchange_x_sha256(&pk); let key_agreement = CoseKey::from(pk); let pin_hash_enc = encrypt_standard_pin_hash(&shared_secret); assert_eq!( pin_protocol_v1.process_get_pin_uv_auth_token_using_pin_with_permissions( &mut rng, &mut persistent_store, key_agreement, pin_hash_enc, 0x03, Some(String::from("example.com")), ), Err(Ctap2StatusCode::CTAP2_ERR_PIN_INVALID), ); } #[test] fn test_process() { let mut rng = ThreadRng256 {}; let mut persistent_store = PersistentStore::new(&mut rng); let mut pin_protocol_v1 = PinProtocolV1::new(&mut rng); let client_pin_params = AuthenticatorClientPinParameters { pin_protocol: 1, sub_command: ClientPinSubCommand::GetPinRetries, key_agreement: None, pin_auth: None, new_pin_enc: None, pin_hash_enc: None, permissions: None, permissions_rp_id: None, }; assert!(pin_protocol_v1 .process_subcommand(&mut rng, &mut persistent_store, client_pin_params) .is_ok()); let client_pin_params = AuthenticatorClientPinParameters { pin_protocol: 2, sub_command: ClientPinSubCommand::GetPinRetries, key_agreement: None, pin_auth: None, new_pin_enc: None, pin_hash_enc: None, permissions: None, permissions_rp_id: None, }; let error_code = Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER; assert_eq!( pin_protocol_v1.process_subcommand(&mut rng, &mut persistent_store, client_pin_params), Err(error_code) ); } #[test] fn test_decrypt_pin() { let shared_secret = [0x88; 32]; let aes_enc_key = crypto::aes256::EncryptionKey::new(&shared_secret); let aes_dec_key = crypto::aes256::DecryptionKey::new(&aes_enc_key); // "1234" let new_pin_enc = vec![ 0xC0, 0xCF, 0xAE, 0x4C, 0x79, 0x56, 0x87, 0x99, 0xE5, 0x83, 0x4F, 0xE6, 0x4D, 0xFE, 0x53, 0x32, 0x36, 0x0D, 0xF9, 0x1E, 0x47, 0x66, 0x10, 0x5C, 0x63, 0x30, 0x1D, 0xCC, 0x00, 0x09, 0x91, 0xA4, 0x20, 0x6B, 0x78, 0x10, 0xFE, 0xC6, 0x2E, 0x7E, 0x75, 0x14, 0xEE, 0x01, 0x99, 0x6C, 0xD7, 0xE5, 0x2B, 0xA5, 0x7A, 0x5A, 0xE1, 0xEC, 0x69, 0x31, 0x18, 0x35, 0x06, 0x66, 0x97, 0x84, 0x68, 0xC2, ]; assert_eq!( decrypt_pin(&aes_dec_key, new_pin_enc), Some(b"1234".to_vec()), ); // "123" let new_pin_enc = vec![ 0xF3, 0x54, 0x29, 0x17, 0xD4, 0xF8, 0xCD, 0x23, 0x1D, 0x59, 0xED, 0xE5, 0x33, 0x42, 0x13, 0x39, 0x22, 0xBB, 0x91, 0x28, 0x87, 0x6A, 0xF9, 0xB1, 0x80, 0x9C, 0x9D, 0x76, 0xFF, 0xDD, 0xB8, 0xD6, 0x8D, 0x66, 0x99, 0xA2, 0x42, 0x67, 0xB0, 0x5C, 0x82, 0x3F, 0x08, 0x55, 0x8C, 0x04, 0xC5, 0x91, 0xF0, 0xF9, 0x58, 0x44, 0x00, 0x1B, 0x99, 0xA6, 0x7C, 0xC7, 0x2D, 0x43, 0x74, 0x4C, 0x1D, 0x7E, ]; assert_eq!( decrypt_pin(&aes_dec_key, new_pin_enc), Some(b"123".to_vec()), ); // Encrypted PIN is too short. let new_pin_enc = vec![0x44; 63]; assert_eq!(decrypt_pin(&aes_dec_key, new_pin_enc), None,); // Encrypted PIN is too long. let new_pin_enc = vec![0x44; 65]; assert_eq!(decrypt_pin(&aes_dec_key, new_pin_enc), None,); } #[test] fn test_check_and_store_new_pin() { let mut rng = ThreadRng256 {}; let mut persistent_store = PersistentStore::new(&mut rng); let shared_secret = [0x88; 32]; let aes_enc_key = crypto::aes256::EncryptionKey::new(&shared_secret); let aes_dec_key = crypto::aes256::DecryptionKey::new(&aes_enc_key); let test_cases = vec![ // Accept PIN "1234". (b"1234".to_vec(), Ok(())), // Reject PIN "123" since it is too short. ( b"123".to_vec(), Err(Ctap2StatusCode::CTAP2_ERR_PIN_POLICY_VIOLATION), ), // Reject PIN "12'\0'4" (a zero byte at index 2). ( b"12\04".to_vec(), Err(Ctap2StatusCode::CTAP2_ERR_PIN_POLICY_VIOLATION), ), // PINs must be at most 63 bytes long, to allow for a trailing 0u8 padding. ( vec![0x30; 64], Err(Ctap2StatusCode::CTAP2_ERR_PIN_POLICY_VIOLATION), ), ]; for (pin, result) in test_cases { let old_pin_hash = persistent_store.pin_hash().unwrap(); let new_pin_enc = encrypt_pin(&shared_secret, pin); assert_eq!( check_and_store_new_pin(&mut persistent_store, &aes_dec_key, new_pin_enc), result ); if result.is_ok() { assert_ne!(old_pin_hash, persistent_store.pin_hash().unwrap()); } else { assert_eq!(old_pin_hash, persistent_store.pin_hash().unwrap()); } } } #[test] fn test_verify_pin_auth() { let hmac_key = [0x88; 16]; let pin_auth = [ 0x88, 0x09, 0x41, 0x13, 0xF7, 0x97, 0x32, 0x0B, 0x3E, 0xD9, 0xBC, 0x76, 0x4F, 0x18, 0x56, 0x5D, ]; assert!(verify_pin_auth(&hmac_key, &[], &pin_auth)); assert!(!verify_pin_auth(&hmac_key, &[0x00], &pin_auth)); } #[test] fn test_encrypt_hmac_secret_output() { let shared_secret = [0x55; 32]; let salt_enc = [0x5E; 32]; let cred_random = [0xC9; 32]; let output = encrypt_hmac_secret_output(&shared_secret, &salt_enc, &cred_random); assert_eq!(output.unwrap().len(), 32); let salt_enc = [0x5E; 48]; let output = encrypt_hmac_secret_output(&shared_secret, &salt_enc, &cred_random); assert_eq!(output, Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER)); let salt_enc = [0x5E; 64]; let output = encrypt_hmac_secret_output(&shared_secret, &salt_enc, &cred_random); assert_eq!(output.unwrap().len(), 64); let mut salt_enc = [0x00; 32]; let cred_random = [0xC9; 32]; // Test values to check for reproducibility. let salt1 = [0x01; 32]; let salt2 = [0x02; 32]; let expected_output1 = hmac_256::(&cred_random, &salt1); let expected_output2 = hmac_256::(&cred_random, &salt2); let salt_enc1 = encrypt_message(&shared_secret, &salt1); salt_enc.copy_from_slice(salt_enc1.as_slice()); let output = encrypt_hmac_secret_output(&shared_secret, &salt_enc, &cred_random).unwrap(); let output_dec = decrypt_message(&shared_secret, &output); assert_eq!(&output_dec, &expected_output1); let salt_enc2 = &encrypt_message(&shared_secret, &salt2); salt_enc.copy_from_slice(salt_enc2.as_slice()); let output = encrypt_hmac_secret_output(&shared_secret, &salt_enc, &cred_random).unwrap(); let output_dec = decrypt_message(&shared_secret, &output); assert_eq!(&output_dec, &expected_output2); let mut salt_enc = [0x00; 64]; let mut salt12 = [0x00; 64]; salt12[..32].copy_from_slice(&salt1); salt12[32..].copy_from_slice(&salt2); let salt_enc12 = encrypt_message(&shared_secret, &salt12); salt_enc.copy_from_slice(salt_enc12.as_slice()); let output = encrypt_hmac_secret_output(&shared_secret, &salt_enc, &cred_random).unwrap(); let output_dec = decrypt_message(&shared_secret, &output); assert_eq!(&output_dec[..32], &expected_output1); assert_eq!(&output_dec[32..], &expected_output2); let mut salt_enc = [0x00; 64]; let mut salt02 = [0x00; 64]; salt02[32..].copy_from_slice(&salt2); let salt_enc02 = encrypt_message(&shared_secret, &salt02); salt_enc.copy_from_slice(salt_enc02.as_slice()); let output = encrypt_hmac_secret_output(&shared_secret, &salt_enc, &cred_random).unwrap(); let output_dec = decrypt_message(&shared_secret, &output); assert_eq!(&output_dec[32..], &expected_output2); let mut salt_enc = [0x00; 64]; let mut salt10 = [0x00; 64]; salt10[..32].copy_from_slice(&salt1); let salt_enc10 = encrypt_message(&shared_secret, &salt10); salt_enc.copy_from_slice(salt_enc10.as_slice()); let output = encrypt_hmac_secret_output(&shared_secret, &salt_enc, &cred_random).unwrap(); let output_dec = decrypt_message(&shared_secret, &output); assert_eq!(&output_dec[..32], &expected_output1); } #[test] fn test_has_permission() { let mut rng = ThreadRng256 {}; let mut pin_protocol_v1 = PinProtocolV1::new(&mut rng); pin_protocol_v1.permissions = 0x7F; for permission in PinPermission::into_enum_iter() { assert_eq!(pin_protocol_v1.has_permission(permission), Ok(())); } pin_protocol_v1.permissions = 0x00; for permission in PinPermission::into_enum_iter() { assert_eq!( pin_protocol_v1.has_permission(permission), Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID) ); } } #[test] fn test_has_no_permission_rp_id() { let mut rng = ThreadRng256 {}; let mut pin_protocol_v1 = PinProtocolV1::new(&mut rng); assert_eq!(pin_protocol_v1.has_no_permission_rp_id(), Ok(())); assert_eq!(pin_protocol_v1.permissions_rp_id, None,); pin_protocol_v1.permissions_rp_id = Some("example.com".to_string()); assert_eq!( pin_protocol_v1.has_no_permission_rp_id(), Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID) ); } #[test] fn test_has_permission_for_rp_id() { let mut rng = ThreadRng256 {}; let mut pin_protocol_v1 = PinProtocolV1::new(&mut rng); assert_eq!( pin_protocol_v1.has_permission_for_rp_id("example.com"), Ok(()) ); assert_eq!( pin_protocol_v1.permissions_rp_id, Some(String::from("example.com")) ); assert_eq!( pin_protocol_v1.has_permission_for_rp_id("example.com"), Ok(()) ); assert_eq!( pin_protocol_v1.has_permission_for_rp_id("counter-example.com"), Err(Ctap2StatusCode::CTAP2_ERR_PIN_AUTH_INVALID) ); } }