Correct flag byte contents

2023-08-16 09:36:05 -05:00 · 2023-08-16 09:36:05 -05:00 · 55112f5869
commit 55112f5869
parent a2587c2a4f
3 changed files with 19 additions and 10 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -489,6 +489,7 @@ name = "fido_ssh_maker"
 version = "0.1.0"
 dependencies = [
 "anyhow",
+ "bitflags",
 "clap",
 "ctap-hid-fido2",
 "rpassword",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -7,6 +7,7 @@ edition = "2021"

 [dependencies]
 anyhow = "1.0.72"
+bitflags = "2.4.0"
 clap = { version = "4.3.21", features = ["derive"] }
 ctap-hid-fido2 = "3.5.0"
 rpassword = "7.2.0"
--- a/src/main.rs
+++ b/src/main.rs
@ -1,18 +1,29 @@
 use std::{
    fs::Permissions,
    os::unix::prelude::PermissionsExt,
-    path::{Path, PathBuf}, fmt::Display, io::Write,
+    path::{Path, PathBuf}, fmt::Display,
 };

 use anyhow::anyhow;
+use bitflags::bitflags;
 use clap::{Parser, ValueEnum};
 use ctap_hid_fido2::{
-    fidokey::{CredentialSupportedKeyType, MakeCredentialArgsBuilder, CredentialExtension, credential_management::credential_management_params::CredentialProtectionPolicy},
+    fidokey::{CredentialSupportedKeyType, MakeCredentialArgsBuilder},
    verifier, FidoKeyHidFactory, LibCfg,
 };
 use ssh_encoding::{Decode, Encode, LineEnding};
 use ssh_key::{private, PrivateKey};

+bitflags! {
+   #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
+    struct SshSkFlags: u8 {
+        const UserPresenceRequired = 0x01;
+        const UserVerificationRequired = 0x4;
+        const ForceOperation = 0x10;
+        const ResidentKey = 0x20;
+    }
+}
+
 /// Generate FIDO-backed SSH keys
 #[derive(Parser, Debug)]
 #[command(author, version, about, long_about = None, arg_required_else_help = true)]
@ -84,20 +95,18 @@ fn main() -> anyhow::Result<()> {
    
    let device_has_pin = device.get_info()?.options.contains(&("clientPin".into(), true));
    let pin = if device_has_pin {
-        rpassword::prompt_password("Enter FIDO2 PIN:")?
+        rpassword::prompt_password("Enter FIDO2 PIN: ")?
    } else {
        String::new()
    };
    let make_credential_args = if device_has_pin {
        MakeCredentialArgsBuilder::new("ssh:", &challenge)
        .pin(&pin)
-        .extensions(&[CredentialExtension::CredProtect(Some(CredentialProtectionPolicy::UserVerificationOptionalWithCredentialIdList))])
        .key_type(args.key_type.into())
        .build()
    } else {
        MakeCredentialArgsBuilder::new("ssh:", &challenge)
        .without_pin_and_uv()
-        .extensions(&[CredentialExtension::CredProtect(Some(CredentialProtectionPolicy::UserVerificationOptionalWithCredentialIdList))])
        .key_type(args.key_type.into())
        .build()
    };
@ -117,11 +126,9 @@ fn main() -> anyhow::Result<()> {
        .der
        .encode(&mut privkey_bytes)?;
    "ssh:".encode(&mut privkey_bytes)?;
-    let flags = (attestation.flags_user_present_result as u8)
-        | (attestation.flags_user_verified_result as u8) << 2
-        | (attestation.flags_attested_credential_data_included as u8) << 6
-        | (attestation.flags_extension_data_included as u8) << 7;
-    privkey_bytes.push(flags);
+    let mut flags = SshSkFlags::UserPresenceRequired;
+    flags.set(SshSkFlags::UserVerificationRequired, args.user_verify);
+    privkey_bytes.push(flags.bits());
    verify_result.credential_id.encode(&mut privkey_bytes)?;
    "".encode(&mut privkey_bytes)?;
    let privkey = match args.key_type {