
Fork ctap-types #180

Merged
merged 1 commit into from
Feb 27, 2023

Conversation

robin-nitrokey
Member

This patch replaces upstream ctap-types with a fork that improves compatibility when deserializing COSE keys.

@robin-nitrokey robin-nitrokey added this to the v1.3.0 milestone Feb 27, 2023
@robin-nitrokey
Member Author

In my tests, this fixes the hmac example from ctap-hmac so I assume that it will fix fido2luks too (#177).

@robin-nitrokey robin-nitrokey marked this pull request as ready for review February 27, 2023 18:59
@szszszsz
Member

szszszsz commented Feb 27, 2023

Does not seem to fix the fido2luks problem per se, but looks better than the last time:

 INFO  usbd_ctaphid::pipe             > 00 00 00 03 03 02 02 58 20 2B 38 4C A2 88 7C FF
 INFO  !                              > found 1 applicable credentials
 INFO  !                              > Credential { ctap: Fido21Pre, data: CredentialData { rp: PublicKeyCredentialRpEntity { id: "fido2luks", name: None, url: None }, user: PublicKeyCredentialUserEntity { id: b'\x00', icon: None, name:
None, display_name: None }, creation_time: 0, use_counter: true, algorithm: -7, key: ResidentKey(KeyId(Id(529a775f19d6af9c0c2214d15758b8e4))), hmac_secret: Some(true), cred_protect: None }, nonce: b'\x0c=\x11\x10\xf7\xf0t!\x84\x9f\x0f\x8d
' }
 INFO  !                              > asking for up
 INFO  usbip                          > >>>> Received confirmation request. Confirming automatically.
thread 'main' panicked at 'source slice length (0) does not match destination slice length (32)', /home/sz/.cargo/registry/src/github.com-1ecc6299db9ec823/fido-authenticator-0.1.1/src/ctap2.rs:955:21
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

(done with usbip sim, using Makefile from the linked #177 ticket)

        self.state.runtime.active_get_assertion = Some(state::ActiveGetAssertionData {
            rp_id_hash: {
                let mut buf = [0u8; 32];
                buf.copy_from_slice(&rp_id_hash);
                buf
            },
            client_data_hash: {
                let mut buf = [0u8; 32];
                buf.copy_from_slice(&parameters.client_data_hash); // <---
                buf
            },
            uv_performed,
            up_performed,
            multiple_credentials,
            extensions: parameters.extensions.clone(),
        });

Whole log:

@robin-nitrokey
Member Author

This means we receive an empty clientDataHash with the authenticatorGetAssertion request. The question is whether this is an issue when constructing the request in fido2luks or when parsing the request in fido-authenticator.
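An added example (not fido-authenticator's code) that reproduces the failure mode discussed in this thread: the `copy_from_slice` pattern from the ctap2.rs excerpt aborts the whole authenticator when `clientDataHash` arrives empty, whereas a length-checked copy turns the malformed request into an error the caller can report. `Error::InvalidParameter` is a stand-in name, not the crate's real error type.

```rust
use std::convert::TryFrom;

/// Stand-in for the CTAP2 error the authenticator would return (assumed name).
#[derive(Debug, PartialEq)]
pub enum Error {
    InvalidParameter,
}

/// Mirrors the pattern in the ctap2.rs excerpt: `copy_from_slice` requires
/// both slices to have the same length and panics otherwise. With a 0-byte
/// clientDataHash this produces exactly the reported
/// "source slice length (0) does not match destination slice length (32)".
pub fn copy_hash_unchecked(client_data_hash: &[u8]) -> [u8; 32] {
    let mut buf = [0u8; 32];
    buf.copy_from_slice(client_data_hash); // panics unless len == 32
    buf
}

/// Hardened version: a request whose clientDataHash is not exactly 32 bytes
/// (SHA-256 output) is rejected with an error instead of aborting the device.
pub fn copy_hash_checked(client_data_hash: &[u8]) -> Result<[u8; 32], Error> {
    <[u8; 32]>::try_from(client_data_hash).map_err(|_| Error::InvalidParameter)
}

/// Helper that observes whether the unchecked variant panics for `input`.
pub fn unchecked_panics(input: &[u8]) -> bool {
    std::panic::catch_unwind(move || copy_hash_unchecked(input)).is_err()
}

fn main() {
    // Constructed inputs: an empty hash (the failing case) and a valid one.
    let empty: &[u8] = &[];
    let valid = [0x2bu8; 32];
    println!("empty hash, checked: {:?}", copy_hash_checked(empty));
    println!("valid hash, checked: {:?}", copy_hash_checked(&valid).is_ok());
    println!("empty hash, unchecked panics: {}", unchecked_panics(empty));
}
```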

@robin-nitrokey robin-nitrokey merged commit c78b10b into main Feb 27, 2023
@robin-nitrokey robin-nitrokey deleted the patch-ctap-types branch February 27, 2023 20:08