Skip to content

Commit

Permalink
Remove compile time crypto material.
Browse files Browse the repository at this point in the history
  • Loading branch information
jmichelp committed Dec 16, 2020
1 parent efb6378 commit 3c93c8d
Show file tree
Hide file tree
Showing 4 changed files with 7 additions and 94 deletions.
1 change: 0 additions & 1 deletion Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,6 @@ elf2tab = "0.6.0"
enum-iterator = "0.6.0"

[build-dependencies]
openssl = "0.10"
uuid = { version = "0.8", features = ["v4"] }

[profile.dev]
Expand Down
59 changes: 0 additions & 59 deletions build.rs
Original file line number Diff line number Diff line change
Expand Up @@ -12,11 +12,6 @@
// See the License for the specific language governing permissions and
// limitations under the License.

use openssl::asn1;
use openssl::ec;
use openssl::nid::Nid;
use openssl::pkey::PKey;
use openssl::x509;
use std::env;
use std::fs::File;
use std::io::Read;
Expand All @@ -25,65 +20,11 @@ use std::path::Path;
use uuid::Uuid;

fn main() {
println!("cargo:rerun-if-changed=crypto_data/opensk.key");
println!("cargo:rerun-if-changed=crypto_data/opensk_cert.pem");
println!("cargo:rerun-if-changed=crypto_data/aaguid.txt");

let out_dir = env::var_os("OUT_DIR").unwrap();
let priv_key_bin_path = Path::new(&out_dir).join("opensk_pkey.bin");
let cert_bin_path = Path::new(&out_dir).join("opensk_cert.bin");
let aaguid_bin_path = Path::new(&out_dir).join("opensk_aaguid.bin");

// Load the OpenSSL PEM ECC key
let ecc_data = include_bytes!("crypto_data/opensk.key");
let pkey =
ec::EcKey::private_key_from_pem(ecc_data).expect("Failed to load OpenSK private key file");

// Check key validity
pkey.check_key().unwrap();
assert_eq!(pkey.group().curve_name(), Some(Nid::X9_62_PRIME256V1));

// Private keys generated by OpenSSL have variable size but we only handle
// constant size. Serialization is done in big endian so if the size is less
// than 32 bytes, we need to prepend with null bytes.
// If the size is 33 bytes, this means the serialized BigInt is negative.
// Any other size is invalid.
let priv_key_hex = pkey.private_key().to_hex_str().unwrap();
let priv_key_vec = pkey.private_key().to_vec();
let key_len = priv_key_vec.len();

assert!(
key_len <= 33,
"Invalid private key (too big): {} ({:#?})",
priv_key_hex,
priv_key_vec,
);

// Copy OpenSSL generated key to our vec, starting from the end
let mut output_vec = [0u8; 32];
let min_key_len = std::cmp::min(key_len, 32);
output_vec[32 - min_key_len..].copy_from_slice(&priv_key_vec[key_len - min_key_len..]);

// Create the raw private key out of the OpenSSL data
let mut priv_key_bin_file = File::create(&priv_key_bin_path).unwrap();
priv_key_bin_file.write_all(&output_vec).unwrap();

// Convert the PEM certificate to DER and extract the serial for AAGUID
let input_pem_cert = include_bytes!("crypto_data/opensk_cert.pem");
let cert = x509::X509::from_pem(input_pem_cert).expect("Failed to load OpenSK certificate");

// Do some sanity check on the certificate
assert!(cert
.public_key()
.unwrap()
.public_eq(&PKey::from_ec_key(pkey).unwrap()));
let now = asn1::Asn1Time::days_from_now(0).unwrap();
assert!(cert.not_after() > now);
assert!(cert.not_before() <= now);

let mut cert_bin_file = File::create(&cert_bin_path).unwrap();
cert_bin_file.write_all(&cert.to_der().unwrap()).unwrap();

let mut aaguid_bin_file = File::create(&aaguid_bin_path).unwrap();
let mut aaguid_txt_file = File::open("crypto_data/aaguid.txt").unwrap();
let mut content = String::new();
Expand Down
6 changes: 0 additions & 6 deletions src/ctap/key_material.rs
Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,3 @@ pub const AAGUID_LENGTH: usize = 16;

pub const AAGUID: &[u8; AAGUID_LENGTH] =
include_bytes!(concat!(env!("OUT_DIR"), "/opensk_aaguid.bin"));

pub const ATTESTATION_CERTIFICATE: &[u8] =
include_bytes!(concat!(env!("OUT_DIR"), "/opensk_cert.bin"));

pub const ATTESTATION_PRIVATE_KEY: &[u8; ATTESTATION_PRIVATE_KEY_LENGTH] =
include_bytes!(concat!(env!("OUT_DIR"), "/opensk_pkey.bin"));
35 changes: 7 additions & 28 deletions src/ctap/storage.rs
Original file line number Diff line number Diff line change
Expand Up @@ -115,36 +115,12 @@ impl PersistentStore {
self.store.insert(key::CRED_RANDOM_SECRET, &cred_random)?;
}

// TODO(jmichel): remove this when vendor command is in place
#[cfg(not(test))]
self.load_attestation_data_from_firmware()?;
if self.store.find_handle(key::AAGUID)?.is_none() {
self.set_aaguid(key_material::AAGUID)?;
}
Ok(())
}

// TODO(jmichel): remove this function when vendor command is in place.
#[cfg(not(test))]
fn load_attestation_data_from_firmware(&mut self) -> Result<(), Ctap2StatusCode> {
// The following 2 entries are meant to be written by vendor-specific commands.
if self
.store
.find_handle(key::ATTESTATION_PRIVATE_KEY)?
.is_none()
{
self.set_attestation_private_key(key_material::ATTESTATION_PRIVATE_KEY)?;
}
if self
.store
.find_handle(key::ATTESTATION_CERTIFICATE)?
.is_none()
{
self.set_attestation_certificate(key_material::ATTESTATION_CERTIFICATE)?;
}
Ok(())
}

/// Returns the first matching credential.
///
/// Returns `None` if no credentials are matched or if `check_cred_protect` is set and the first
Expand Down Expand Up @@ -989,23 +965,26 @@ mod test {
.is_none());

// Make sure the persistent keys are initialized.
// Put dummy values
let dummy_key = [0x41u8; key_material::ATTESTATION_PRIVATE_KEY_LENGTH];
let dummy_cert = [0xddu8; 20];
persistent_store
.set_attestation_private_key(key_material::ATTESTATION_PRIVATE_KEY)
.set_attestation_private_key(&dummy_key)
.unwrap();
persistent_store
.set_attestation_certificate(key_material::ATTESTATION_CERTIFICATE)
.set_attestation_certificate(&dummy_cert)
.unwrap();
assert_eq!(&persistent_store.aaguid().unwrap(), key_material::AAGUID);

// The persistent keys stay initialized and preserve their value after a reset.
persistent_store.reset(&mut rng).unwrap();
assert_eq!(
&persistent_store.attestation_private_key().unwrap().unwrap(),
key_material::ATTESTATION_PRIVATE_KEY
&dummy_key
);
assert_eq!(
persistent_store.attestation_certificate().unwrap().unwrap(),
key_material::ATTESTATION_CERTIFICATE
&dummy_cert
);
assert_eq!(&persistent_store.aaguid().unwrap(), key_material::AAGUID);
}
Expand Down

0 comments on commit 3c93c8d

Please sign in to comment.