[WIP] Add basic NFC support

.travis.yml

@@ -17,6 +17,7 @@ addons:
     packages:
       - build-essential
       - libudev-dev
+      - libpcsclite-dev
 
 install:
   - rustup component add rustfmt

Cargo.toml

@@ -17,6 +17,8 @@ maintenance = { status = "actively-developed" }
 binding-recompile = ["bindgen"]
 webdriver = ["base64", "bytes", "warp", "tokio", "serde", "serde_json"]
 
+nfc = ["pcsc"]
+
 [target.'cfg(target_os = "linux")'.dependencies]
 libudev = "^0.2"
 
@@ -51,6 +53,7 @@ serde = { version = "1.0", optional = true, features = ["derive"] }
 serde_json = { version = "1.0", optional = true }
 bytes = { version = "0.5", optional = true, features = ["serde"] }
 base64 = { version = "^0.10", optional = true }
+pcsc = { version = "2", optional = true }
 
 [dev-dependencies]
 sha2 = "^0.8.2"

examples/main.rs

@@ -42,6 +42,8 @@ fn main() {
     opts.optflag("x", "no-u2f-usb-hid", "do not enable u2f-usb-hid platforms");
     #[cfg(feature = "webdriver")]
     opts.optflag("w", "webdriver", "enable WebDriver virtual bus");
+    #[cfg(feature = "nfc")]
+    opts.optflag("n", "no-nfc", "do not enable u2f-nfc platform");
 
     opts.optflag("h", "help", "print this help menu").optopt(
         "t",
@@ -74,6 +76,13 @@ fn main() {
         }
     }
 
+    #[cfg(feature = "nfc")]
+    {
+        if !matches.opt_present("no-nfc") {
+            manager.add_u2f_nfc_transports();
+        }
+    }
+
     let timeout_ms = match matches.opt_get_default::<u64>("timeout", 15) {
         Ok(timeout_s) => {
             println!("Using {}s as the timeout", &timeout_s);

fuzz/fuzz_targets/u2f_read.rs

@@ -9,7 +9,7 @@ extern crate authenticator;
 
 use std::{cmp, io};
 
-use authenticator::{sendrecv, U2FDevice, U2FDeviceInfo};
+use authenticator::{sendrecv, U2FDevice, U2FDeviceInfo, U2FInfoQueryable};
 use authenticator::{CID_BROADCAST, MAX_HID_RPT_SIZE};
 
 struct TestDevice<'a> {
@@ -70,15 +70,17 @@ impl<'a> U2FDevice for TestDevice<'a> {
         Err(io::Error::new(io::ErrorKind::Other, "Not implemented"))
     }
 
+    fn set_device_info(&mut self, dev_info: U2FDeviceInfo) {
+        self.dev_info = Some(dev_info);
+    }
+}
+
+impl<'a> U2FInfoQueryable for TestDevice<'a> {
     fn get_device_info(&self) -> U2FDeviceInfo {
         // unwrap is okay, as dev_info must have already been set, else
         // a programmer error
         self.dev_info.clone().unwrap()
     }
-
-    fn set_device_info(&mut self, dev_info: U2FDeviceInfo) {
-        self.dev_info = Some(dev_info);
-    }
 }
 
 fuzz_target!(|data: &[u8]| {

fuzz/fuzz_targets/u2f_read_write.rs

@@ -9,7 +9,7 @@ extern crate authenticator;
 
 use std::{cmp, io};
 
-use authenticator::{sendrecv, U2FDevice, U2FDeviceInfo};
+use authenticator::{sendrecv, U2FDevice, U2FDeviceInfo, U2FInfoQueryable};
 use authenticator::{CID_BROADCAST, MAX_HID_RPT_SIZE};
 
 struct TestDevice {
@@ -71,15 +71,17 @@ impl U2FDevice for TestDevice {
         Err(io::Error::new(io::ErrorKind::Other, "Not implemented"))
     }
 
+    fn set_device_info(&mut self, dev_info: U2FDeviceInfo) {
+        self.dev_info = Some(dev_info);
+    }
+}
+
+impl U2FInfoQueryable for TestDevice {
     fn get_device_info(&self) -> U2FDeviceInfo {
         // unwrap is okay, as dev_info must have already been set, else
         // a programmer error
         self.dev_info.clone().unwrap()
     }
-
-    fn set_device_info(&mut self, dev_info: U2FDeviceInfo) {
-        self.dev_info = Some(dev_info);
-    }
 }
 
 fuzz_target!(|data: &[u8]| {

src/apdu.rs

@@ -0,0 +1,200 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+use std::ffi::CString;
+use std::io;
+
+use crate::consts::*;
+use crate::util::io_err;
+
+pub trait APDUDevice {
+    fn init_apdu(&mut self) -> io::Result<()>;
+    fn send_apdu(&mut self, cmd: u8, p1: u8, send: &[u8]) -> io::Result<(Vec<u8>, [u8; 2])>;
+}
+
+////////////////////////////////////////////////////////////////////////
+// Device Commands
+////////////////////////////////////////////////////////////////////////
+
+pub fn apdu_register<T>(dev: &mut T, challenge: &[u8], application: &[u8]) -> io::Result<Vec<u8>>
+where
+    T: APDUDevice,
+{
+    if challenge.len() != PARAMETER_SIZE || application.len() != PARAMETER_SIZE {
+        return Err(io::Error::new(
+            io::ErrorKind::InvalidInput,
+            "Invalid parameter sizes",
+        ));
+    }
+
+    let mut register_data = Vec::with_capacity(2 * PARAMETER_SIZE);
+    register_data.extend(challenge);
+    register_data.extend(application);
+
+    let flags = U2F_REQUEST_USER_PRESENCE;
+    let (resp, status) = dev.send_apdu(U2F_REGISTER, flags, &register_data)?;
+    apdu_status_to_result(status, resp)
+}
+
+pub fn apdu_sign<T>(
+    dev: &mut T,
+    challenge: &[u8],
+    application: &[u8],
+    key_handle: &[u8],
+) -> io::Result<Vec<u8>>
+where
+    T: APDUDevice,
+{
+    if challenge.len() != PARAMETER_SIZE || application.len() != PARAMETER_SIZE {
+        return Err(io::Error::new(
+            io::ErrorKind::InvalidInput,
+            "Invalid parameter sizes",
+        ));
+    }
+
+    if key_handle.len() > 256 {
+        return Err(io::Error::new(
+            io::ErrorKind::InvalidInput,
+            "Key handle too large",
+        ));
+    }
+
+    let mut sign_data = Vec::with_capacity(2 * PARAMETER_SIZE + 1 + key_handle.len());
+    sign_data.extend(challenge);
+    sign_data.extend(application);
+    sign_data.push(key_handle.len() as u8);
+    sign_data.extend(key_handle);
+
+    let flags = U2F_REQUEST_USER_PRESENCE;
+    let (resp, status) = dev.send_apdu(U2F_AUTHENTICATE, flags, &sign_data)?;
+    apdu_status_to_result(status, resp)
+}
+
+pub fn apdu_is_keyhandle_valid<T>(
+    dev: &mut T,
+    challenge: &[u8],
+    application: &[u8],
+    key_handle: &[u8],
+) -> io::Result<bool>
+where
+    T: APDUDevice,
+{
+    if challenge.len() != PARAMETER_SIZE || application.len() != PARAMETER_SIZE {
+        return Err(io::Error::new(
+            io::ErrorKind::InvalidInput,
+            "Invalid parameter sizes",
+        ));
+    }
+
+    if key_handle.len() > 256 {
+        return Err(io::Error::new(
+            io::ErrorKind::InvalidInput,
+            "Key handle too large",
+        ));
+    }
+
+    let mut sign_data = Vec::with_capacity(2 * PARAMETER_SIZE + 1 + key_handle.len());
+    sign_data.extend(challenge);
+    sign_data.extend(application);
+    sign_data.push(key_handle.len() as u8);
+    sign_data.extend(key_handle);
+
+    let flags = U2F_CHECK_IS_REGISTERED;
+    let (_, status) = dev.send_apdu(U2F_AUTHENTICATE, flags, &sign_data)?;
+    Ok(status == SW_CONDITIONS_NOT_SATISFIED)
+}
+
+pub fn apdu_is_v2_device<T>(dev: &mut T) -> io::Result<bool>
+where
+    T: APDUDevice,
+{
+    let (data, status) = dev.send_apdu(U2F_VERSION, 0x00, &[])?;
+    let actual = CString::new(data)?;
+    let expected = CString::new("U2F_V2")?;
+    apdu_status_to_result(status, actual == expected)
+}
+
+////////////////////////////////////////////////////////////////////////
+// Error Handling
+////////////////////////////////////////////////////////////////////////
+
+pub fn apdu_status_to_result<T>(status: [u8; 2], val: T) -> io::Result<T> {
+    use self::io::ErrorKind::{InvalidData, InvalidInput};
+
+    match status {
+        SW_NO_ERROR => Ok(val),
+        SW_WRONG_DATA => Err(io::Error::new(InvalidData, "wrong data")),
+        SW_WRONG_LENGTH => Err(io::Error::new(InvalidInput, "wrong length")),
+        SW_CONDITIONS_NOT_SATISFIED => Err(io_err("conditions not satisfied")),
+        _ => Err(io_err(&format!("failed with status {:?}", status))),
+    }
+}
+
+// https://en.wikipedia.org/wiki/Smart_card_application_protocol_data_unit
+// https://fidoalliance.org/specs/fido-u2f-v1.
+// 0-nfc-bt-amendment-20150514/fido-u2f-raw-message-formats.html#u2f-message-framing
+pub struct APDU {}
+
+impl APDU {
+    pub fn serialize_long(ins: u8, p1: u8, data: &[u8]) -> io::Result<Vec<u8>> {
+        let class: u8 = 0x00;
+        if data.len() > 0xffff {
+            return Err(io_err("payload length > 2^16"));
+        }
+
+        // Size of header + data + 2 zero bytes for maximum return size.
+        let mut bytes = vec![0u8; U2FAPDUHEADER_SIZE + data.len() + 2];
+        bytes[0] = class;
+        bytes[1] = ins;
+        bytes[2] = p1;
+        // p2 is always 0, at least, for our requirements.
+        // lc[0] should always be 0.
+        bytes[5] = (data.len() >> 8) as u8;
+        bytes[6] = data.len() as u8;
+        bytes[7..7 + data.len()].copy_from_slice(data);
+
+        // When sending zero data, the two data length bytes should be omitted.
+        // Luckily, all later bytes are zero, so we can just truncate.
+        if data.is_empty() {
+            bytes.truncate(bytes.len() - 2);
+        }
+
+        Ok(bytes)
+    }
+
+    // This will be used by future NFC code
+    #[allow(dead_code)]
+    pub fn serialize_short(ins: u8, p1: u8, data: &[u8]) -> io::Result<Vec<u8>> {
+        let class: u8 = 0x00;
+        if data.len() > 0xff {
+            return Err(io_err("payload length > 2^8"));
+        }
+
+        let mut size = 5; // class, ins, p1, p2, response size field
+        if !data.is_empty() {
+            size += 1 + data.len(); // data size field and data itself
+        }
+        let mut bytes = vec![0u8; size];
+        bytes[0] = class;
+        bytes[1] = ins;
+        bytes[2] = p1;
+        // p2 is always 0, at least, for our requirements.
+        bytes[4] = data.len() as u8;
+
+        bytes[5..5 + data.len()].copy_from_slice(data);
+
+        Ok(bytes)
+    }
+
+    pub fn deserialize(mut data: Vec<u8>) -> io::Result<(Vec<u8>, [u8; 2])> {
+        if data.len() < 2 {
+            return Err(io_err("unexpected response"));
+        }
+
+        let split_at = data.len() - 2;
+        let status = data.split_off(split_at);
+
+        Ok((data, [status[0], status[1]]))
+    }
+}

src/authenticatorservice.rs

@@ -71,6 +71,9 @@ impl AuthenticatorService {
     /// Add any detected platform transports
     pub fn add_detected_transports(&mut self) {
         self.add_u2f_usb_hid_platform_transports();
+
+        #[cfg(feature = "nfc")]
+        self.add_u2f_nfc_transports();
     }
 
     fn add_transport(&mut self, boxed_token: Box<dyn AuthenticatorTransport + Send>) {
@@ -95,6 +98,11 @@ impl AuthenticatorService {
         }
     }
 
+    #[cfg(feature = "nfc")]
+    pub fn add_u2f_nfc_transports(&mut self) {
+        self.add_transport(Box::new(crate::NFCManager::new()));
+    }
+
     pub fn register(
         &mut self,
         flags: crate::RegisterFlags,

src/consts.rs

@@ -78,3 +78,12 @@ pub const SW_NO_ERROR: [u8; 2] = [0x90, 0x00];
 pub const SW_CONDITIONS_NOT_SATISFIED: [u8; 2] = [0x69, 0x85];
 pub const SW_WRONG_DATA: [u8; 2] = [0x6A, 0x80];
 pub const SW_WRONG_LENGTH: [u8; 2] = [0x67, 0x00];
+
+// U2F-over-NFC constants
+// TODO: naming, some are also ISO 7816-4 ??
+// The're mostly APDU-specific?
+pub const U2F_AID: [u8; 8] = [0xA0, 0x00, 0x00, 0x06, 0x47, 0x2F, 0x00, 0x01];
+pub const U2F_SELECT_FILE: u8 = 0xA4;
+pub const U2F_SELECT_DIRECT: u8 = 0x04;
+pub const U2F_GET_RESPONSE: u8 = 0xC0;
+pub const U2F_MORE_DATA: u8 = 0x61;

src/freebsd/device.rs

@@ -11,7 +11,7 @@ use std::os::unix::prelude::*;
 
 use crate::consts::{CID_BROADCAST, MAX_HID_RPT_SIZE};
 use crate::platform::uhid;
-use crate::u2ftypes::{U2FDevice, U2FDeviceInfo};
+use crate::u2ftypes::{U2FDevice, U2FDeviceInfo, U2FInfoQueryable};
 use crate::util::from_unix_result;
 
 #[derive(Debug)]
@@ -100,13 +100,15 @@ impl U2FDevice for Device {
         Err(io::Error::new(io::ErrorKind::Other, "Not implemented"))
     }
 
+    fn set_device_info(&mut self, dev_info: U2FDeviceInfo) {
+        self.dev_info = Some(dev_info);
+    }
+}
+
+impl U2FInfoQueryable for Device {
     fn get_device_info(&self) -> U2FDeviceInfo {
         // unwrap is okay, as dev_info must have already been set, else
         // a programmer error
         self.dev_info.clone().unwrap()
     }
-
-    fn set_device_info(&mut self, dev_info: U2FDeviceInfo) {
-        self.dev_info = Some(dev_info);
-    }
 }

src/lib.rs

@@ -52,6 +52,13 @@ pub mod platform;
 #[path = "stub/mod.rs"]
 pub mod platform;
 
+#[cfg(feature = "nfc")]
+extern crate pcsc;
+#[cfg(feature = "nfc")]
+mod nfc;
+#[cfg(feature = "nfc")]
+pub use crate::nfc::NFCManager;
+
 extern crate libc;
 #[macro_use]
 extern crate log;
@@ -61,6 +68,7 @@ extern crate runloop;
 #[macro_use]
 extern crate bitflags;
 
+mod apdu;
 pub mod authenticatorservice;
 mod consts;
 mod statemachine;