commit 6bb23febb3c82952087b49b6b7a97b2cb2647619 Author: FabianLars Date: Wed May 3 07:03:41 2023 +0000 Rename dev branch to v1 and next branch to v2 Committed via a GitHub action: https://github.com/tauri-apps/plugins-workspace/actions/runs/4869194441 Co-authored-by: FabianLars
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b512c09
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+node_modules
\ No newline at end of file
diff --git a/Cargo.toml b/Cargo.toml
new file mode 100644
index 0000000..007e63f
--- /dev/null
+++ b/Cargo.toml
@@ -0,0 +1,27 @@
+[package]
+name = "tauri-plugin-authenticator"
+version = "0.0.0"
+description = "Use hardware security-keys in your Tauri App."
+authors.workspace = true
+license.workspace = true
+edition.workspace = true
+rust-version.workspace = true
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+serde.workspace = true
+serde_json.workspace = true
+tauri.workspace = true
+log.workspace = true
+thiserror.workspace = true
+authenticator = "0.3.1"
+once_cell = "1"
+sha2 = "0.10"
+base64 = "0.21"
+u2f = "0.2"
+chrono = "0.4"
+
+[dev-dependencies]
+rand = "0.8"
+rusty-fork = "0.3"
diff --git a/LICENSE.spdx b/LICENSE.spdx
new file mode 100644
index 0000000..cdd0df5
--- /dev/null
+++ b/LICENSE.spdx
@@ -0,0 +1,20 @@ +SPDXVersion: SPDX-2.1 +DataLicense: CC0-1.0 +PackageName: tauri +DataFormat: SPDXRef-1 +PackageSupplier: Organization: The Tauri Programme in the Commons Conservancy +PackageHomePage: https://tauri.app +PackageLicenseDeclared: Apache-2.0 +PackageLicenseDeclared: MIT +PackageCopyrightText: 2019-2022, The Tauri Programme in the Commons Conservancy +PackageSummary: Tauri is a rust project that enables developers to make secure +and small desktop applications using a web frontend. + +PackageComment: The package includes the following libraries; see +Relationship information. + +Created: 2019-05-20T09:00:00Z +PackageDownloadLocation: git://github.com/tauri-apps/tauri +PackageDownloadLocation: git+https://github.com/tauri-apps/tauri.git +PackageDownloadLocation: git+ssh://github.com/tauri-apps/tauri.git +Creator: Person: Daniel Thompson-Yvetot \ No newline at end of file diff --git a/LICENSE_APACHE-2.0 b/LICENSE_APACHE-2.0 new file mode 100644 index 0000000..4947287 --- /dev/null +++ b/LICENSE_APACHE-2.0 
@@ -0,0 +1,177 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS \ No newline at end of file diff --git a/LICENSE_MIT b/LICENSE_MIT new file mode 100644 index 0000000..4d75472 --- /dev/null +++ b/LICENSE_MIT @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2017 - Present Tauri Apps Contributors + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..89fa6e2 --- /dev/null +++ b/README.md 
@@ -0,0 +1,110 @@ +![plugin-authenticator](banner.png) + +Use hardware security-keys in your Tauri App. + +## Install + +_This plugin requires a Rust version of at least **1.64**_ + +There are three general methods of installation that we can recommend. + +1. Use crates.io and npm (easiest, and requires you to trust that our publishing pipeline worked) +2. Pull sources directly from Github using git tags / revision hashes (most secure) +3. Git submodule install this repo in your tauri project and then use file protocol to ingest the source (most secure, but inconvenient to use) + +Install the Core plugin by adding the following to your `Cargo.toml` file: + +`src-tauri/Cargo.toml` + +```toml +[dependencies] +tauri-plugin-authenticator = "0.1" +# or through git +tauri-plugin-authenticator = { git = "https://github.com/tauri-apps/plugins-workspace", branch = "v1" } +``` + +You can install the JavaScript Guest bindings using your preferred JavaScript package manager: + +> Note: Since most JavaScript package managers are unable to install packages from git monorepos we provide read-only mirrors of each plugin. This makes installation option 2 more ergonomic to use. 
+ +```sh +pnpm add https://github.com/tauri-apps/tauri-plugin-authenticator +# or +npm add https://github.com/tauri-apps/tauri-plugin-authenticator +# or +yarn add https://github.com/tauri-apps/tauri-plugin-authenticator +``` + +## Usage + +First you need to register the core plugin with Tauri: + +`src-tauri/src/main.rs` + +```rust +fn main() { + tauri::Builder::default() + .plugin(tauri_plugin_authenticator::init()) + .run(tauri::generate_context!()) + .expect("error while running tauri application"); +} +``` + +Afterwards all the plugin's APIs are available through the JavaScript guest bindings: + +```javascript +import { Authenticator } from "tauri-plugin-authenticator-api"; + +const auth = new Authenticator(); +auth.init(); // initialize transports + +// generate a 32-bytes long random challenge +const arr = new Uint32Array(32); +window.crypto.getRandomValues(arr); +const b64 = btoa(String.fromCharCode.apply(null, arr)); +// web-safe base64 +const challenge = b64.replace(/\+/g, "-").replace(/\//g, "_"); + +const domain = "https://tauri.app"; + +// attempt to register with the security key +const json = await auth.register(challenge, domain); +const registerResult = JSON.parse(json); + +// verify te registration was successfull +const r2 = await auth.verifyRegistration( + challenge, + app, + registerResult.registerData, + registerResult.clientData +); +const j2 = JSON.parse(r2); + +// sign some data +const json = await auth.sign(challenge, app, keyHandle); +const signData = JSON.parse(json); + +// verify the signature again +const counter = await auth.verifySignature( + challenge, + app, + signData.signData, + clientData, + keyHandle, + pubkey +); + +if (counter && counter > 0) { + console.log("SUCCESS!"); +} +``` + +## Contributing + +PRs accepted. Please make sure to read the Contributing Guide before making a pull request. + +## License + +Code: (c) 2015 - Present - The Tauri Programme within The Commons Conservancy. + +MIT or MIT/Apache 2.0 where applicable. 
diff --git a/banner.png b/banner.png new file mode 100644 index 0000000..405dc60 Binary files /dev/null and b/banner.png differ diff --git a/dist-js/index.d.ts b/dist-js/index.d.ts new file mode 100644 index 0000000..15a751b --- /dev/null +++ b/dist-js/index.d.ts @@ -0,0 +1,7 @@ +export declare class Authenticator { + init(): Promise; + register(challenge: string, application: string): Promise; + verifyRegistration(challenge: string, application: string, registerData: string, clientData: string): Promise; + sign(challenge: string, application: string, keyHandle: string): Promise; + verifySignature(challenge: string, application: string, signData: string, clientData: string, keyHandle: string, pubkey: string): Promise; +} diff --git a/dist-js/index.min.js b/dist-js/index.min.js new file mode 100644 index 0000000..29a7a99 --- /dev/null +++ b/dist-js/index.min.js 
@@ -0,0 +1,45 @@ +var d=Object.defineProperty;var e=(c,a)=>{for(var b in a)d(c,b,{get:a[b],enumerable:!0});}; + +var f={};e(f,{convertFileSrc:()=>w,invoke:()=>c,transformCallback:()=>s});function u(){return window.crypto.getRandomValues(new Uint32Array(1))[0]}function s(e,r=!1){let n=u(),t=`_${n}`;return Object.defineProperty(window,t,{value:o=>(r&&Reflect.deleteProperty(window,t),e==null?void 0:e(o)),writable:!1,configurable:!0}),n}async function c(e,r={}){return new Promise((n,t)=>{let o=s(i=>{n(i),Reflect.deleteProperty(window,`_${a}`);},!0),a=s(i=>{t(i),Reflect.deleteProperty(window,`_${o}`);},!0);window.__TAURI_IPC__({cmd:e,callback:o,error:a,...r});})}function w(e,r="asset"){let n=encodeURIComponent(e);return navigator.userAgent.includes("Windows")?`https://${r}.localhost/${n}`:`${r}://localhost/${n}`} + +class Authenticator { + async init() { + return await c("plugin:authenticator|init_auth"); + } + async register(challenge, application) { + return await c("plugin:authenticator|register", { + timeout: 10000, + challenge, + application, + }); + } + async verifyRegistration(challenge, application, registerData, clientData) { + return await c("plugin:authenticator|verify_registration", { + challenge, + application, + registerData, + clientData, + }); + } + async sign(challenge, application, keyHandle) { + return await c("plugin:authenticator|sign", { + timeout: 10000, + challenge, + application, + keyHandle, + }); + } + async verifySignature(challenge, application, signData, clientData, keyHandle, pubkey) { + return await c("plugin:authenticator|verify_signature", { + challenge, + application, + signData, + clientData, + keyHandle, + pubkey, + }); + } +} + +export { Authenticator }; +//# sourceMappingURL=index.min.js.map diff --git a/dist-js/index.min.js.map b/dist-js/index.min.js.map new file mode 100644 index 0000000..5ad57e3 --- /dev/null +++ b/dist-js/index.min.js.map 
@@ -0,0 +1 @@ +{"version":3,"file":"index.min.js","sources":["../../../node_modules/.pnpm/@tauri-apps+api@1.2.0/node_modules/@tauri-apps/api/chunk-FEIY7W7S.js","../../../node_modules/.pnpm/@tauri-apps+api@1.2.0/node_modules/@tauri-apps/api/chunk-RCPA6UVN.js","../guest-js/index.ts"],"sourcesContent":["var d=Object.defineProperty;var e=(c,a)=>{for(var b in a)d(c,b,{get:a[b],enumerable:!0})};export{e as a};\n","import{a as d}from\"./chunk-FEIY7W7S.js\";var f={};d(f,{convertFileSrc:()=>w,invoke:()=>c,transformCallback:()=>s});function u(){return window.crypto.getRandomValues(new Uint32Array(1))[0]}function s(e,r=!1){let n=u(),t=`_${n}`;return Object.defineProperty(window,t,{value:o=>(r&&Reflect.deleteProperty(window,t),e==null?void 0:e(o)),writable:!1,configurable:!0}),n}async function c(e,r={}){return new Promise((n,t)=>{let o=s(i=>{n(i),Reflect.deleteProperty(window,`_${a}`)},!0),a=s(i=>{t(i),Reflect.deleteProperty(window,`_${o}`)},!0);window.__TAURI_IPC__({cmd:e,callback:o,error:a,...r})})}function w(e,r=\"asset\"){let n=encodeURIComponent(e);return navigator.userAgent.includes(\"Windows\")?`https://${r}.localhost/${n}`:`${r}://localhost/${n}`}export{s as a,c as b,w as c,f as 
d};\n",null],"names":["d","invoke"],"mappings":"AAAA,IAAI,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAC,CAAC;;ACAjD,IAAI,CAAC,CAAC,EAAE,CAACA,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,EAAE,CAAC,OAAO,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,OAAO,IAAI,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,EAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,OAAO,SAAS,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC;;MCEztB,aAAa,CAAA;AACxB,IAAA,MAAM,IAAI,GAAA;AACR,QAAA,OAAO,MAAMC,CAAM,CAAC,gCAAgC,CAAC,CAAC;KACvD;AAED,IAAA,MAAM,QAAQ,CAAC,SAAiB,EAAE,WAAmB,EAAA;AACnD,QAAA,OAAO,MAAMA,CAAM,CAAC,+BAA+B,EAAE;AACnD,YAAA,OAAO,EAAE,KAAK;YACd,SAAS;YACT,WAAW;AACZ,SAAA,CAAC,CAAC;KACJ;IAED,MAAM,kBAAkB,CACtB,SAAiB,EACjB,WAAmB,EACnB,YAAoB,EA
CpB,UAAkB,EAAA;AAElB,QAAA,OAAO,MAAMA,CAAM,CAAC,0CAA0C,EAAE;YAC9D,SAAS;YACT,WAAW;YACX,YAAY;YACZ,UAAU;AACX,SAAA,CAAC,CAAC;KACJ;AAED,IAAA,MAAM,IAAI,CACR,SAAiB,EACjB,WAAmB,EACnB,SAAiB,EAAA;AAEjB,QAAA,OAAO,MAAMA,CAAM,CAAC,2BAA2B,EAAE;AAC/C,YAAA,OAAO,EAAE,KAAK;YACd,SAAS;YACT,WAAW;YACX,SAAS;AACV,SAAA,CAAC,CAAC;KACJ;AAED,IAAA,MAAM,eAAe,CACnB,SAAiB,EACjB,WAAmB,EACnB,QAAgB,EAChB,UAAkB,EAClB,SAAiB,EACjB,MAAc,EAAA;AAEd,QAAA,OAAO,MAAMA,CAAM,CAAC,uCAAuC,EAAE;YAC3D,SAAS;YACT,WAAW;YACX,QAAQ;YACR,UAAU;YACV,SAAS;YACT,MAAM;AACP,SAAA,CAAC,CAAC;KACJ;AACF;;;;","x_google_ignoreList":[0,1]} \ No newline at end of file diff --git a/dist-js/index.mjs b/dist-js/index.mjs new file mode 100644 index 0000000..258234d --- /dev/null +++ b/dist-js/index.mjs @@ -0,0 +1,43 @@ +import { invoke } from '@tauri-apps/api/tauri'; + +class Authenticator { + async init() { + return await invoke("plugin:authenticator|init_auth"); + } + async register(challenge, application) { + return await invoke("plugin:authenticator|register", { + timeout: 10000, + challenge, + application, + }); + } + async verifyRegistration(challenge, application, registerData, clientData) { + return await invoke("plugin:authenticator|verify_registration", { + challenge, + application, + registerData, + clientData, + }); + } + async sign(challenge, application, keyHandle) { + return await invoke("plugin:authenticator|sign", { + timeout: 10000, + challenge, + application, + keyHandle, + }); + } + async verifySignature(challenge, application, signData, clientData, keyHandle, pubkey) { + return await invoke("plugin:authenticator|verify_signature", { + challenge, + application, + signData, + clientData, + keyHandle, + pubkey, + }); + } +} + +export { Authenticator }; +//# sourceMappingURL=index.mjs.map diff --git a/dist-js/index.mjs.map b/dist-js/index.mjs.map new file mode 100644 index 0000000..7c9ebfb --- /dev/null +++ b/dist-js/index.mjs.map 
@@ -0,0 +1 @@ +{"version":3,"file":"index.mjs","sources":["../guest-js/index.ts"],"sourcesContent":[null],"names":[],"mappings":";;MAEa,aAAa,CAAA;AACxB,IAAA,MAAM,IAAI,GAAA;AACR,QAAA,OAAO,MAAM,MAAM,CAAC,gCAAgC,CAAC,CAAC;KACvD;AAED,IAAA,MAAM,QAAQ,CAAC,SAAiB,EAAE,WAAmB,EAAA;AACnD,QAAA,OAAO,MAAM,MAAM,CAAC,+BAA+B,EAAE;AACnD,YAAA,OAAO,EAAE,KAAK;YACd,SAAS;YACT,WAAW;AACZ,SAAA,CAAC,CAAC;KACJ;IAED,MAAM,kBAAkB,CACtB,SAAiB,EACjB,WAAmB,EACnB,YAAoB,EACpB,UAAkB,EAAA;AAElB,QAAA,OAAO,MAAM,MAAM,CAAC,0CAA0C,EAAE;YAC9D,SAAS;YACT,WAAW;YACX,YAAY;YACZ,UAAU;AACX,SAAA,CAAC,CAAC;KACJ;AAED,IAAA,MAAM,IAAI,CACR,SAAiB,EACjB,WAAmB,EACnB,SAAiB,EAAA;AAEjB,QAAA,OAAO,MAAM,MAAM,CAAC,2BAA2B,EAAE;AAC/C,YAAA,OAAO,EAAE,KAAK;YACd,SAAS;YACT,WAAW;YACX,SAAS;AACV,SAAA,CAAC,CAAC;KACJ;AAED,IAAA,MAAM,eAAe,CACnB,SAAiB,EACjB,WAAmB,EACnB,QAAgB,EAChB,UAAkB,EAClB,SAAiB,EACjB,MAAc,EAAA;AAEd,QAAA,OAAO,MAAM,MAAM,CAAC,uCAAuC,EAAE;YAC3D,SAAS;YACT,WAAW;YACX,QAAQ;YACR,UAAU;YACV,SAAS;YACT,MAAM;AACP,SAAA,CAAC,CAAC;KACJ;AACF;;;;"} \ No newline at end of file diff --git a/guest-js/index.ts b/guest-js/index.ts new file mode 100644 index 0000000..8b4a533 --- /dev/null +++ b/guest-js/index.ts 
@@ -0,0 +1,60 @@ +import { invoke } from "@tauri-apps/api/tauri"; + +export class Authenticator { + async init(): Promise { + return await invoke("plugin:authenticator|init_auth"); + } + + async register(challenge: string, application: string): Promise { + return await invoke("plugin:authenticator|register", { + timeout: 10000, + challenge, + application, + }); + } + + async verifyRegistration( + challenge: string, + application: string, + registerData: string, + clientData: string + ): Promise { + return await invoke("plugin:authenticator|verify_registration", { + challenge, + application, + registerData, + clientData, + }); + } + + async sign( + challenge: string, + application: string, + keyHandle: string + ): Promise { + return await invoke("plugin:authenticator|sign", { + timeout: 10000, + challenge, + application, + keyHandle, + }); + } + + async verifySignature( + challenge: string, + application: string, + signData: string, + clientData: string, + keyHandle: string, + pubkey: string + ): Promise { + return await invoke("plugin:authenticator|verify_signature", { + challenge, + application, + signData, + clientData, + keyHandle, + pubkey, + }); + } +} diff --git a/package.json b/package.json new file mode 100644 index 0000000..7374695 --- /dev/null +++ b/package.json 
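Review bot: `Authenticator` carries no documentation of what its methods resolve to, yet `register` and `sign` resolve to a JSON-encoded string the caller must `JSON.parse` (the README example does exactly that), so a JSDoc line per method such as `/** Resolves to a JSON string {keyHandle, pubkey, registerData, clientData}, all base64url-encoded. */` on `register` would spare users reading the Rust side. The literal `timeout: 10000` is repeated in `register` and `sign`; hoisting it into `const DEFAULT_TIMEOUT_MS = 10000;` and ideally accepting an optional timeout argument makes the behaviour visible and adjustable. The return types appear as bare `Promise` here, which looks like extraction loss rather than the source, so I have not commented on them.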
@@ -0,0 +1,33 @@ +{ + "name": "tauri-plugin-authenticator-api", + "version": "0.0.0", + "description": "Use hardware security-keys in your Tauri App.", + "license": "MIT or APACHE-2.0", + "authors": [ + "Tauri Programme within The Commons Conservancy" + ], + "type": "module", + "browser": "dist-js/index.min.js", + "module": "dist-js/index.mjs", + "types": "dist-js/index.d.ts", + "exports": { + "import": "./dist-js/index.mjs", + "types": "./dist-js/index.d.ts", + "browser": "./dist-js/index.min.js" + }, + "scripts": { + "build": "rollup -c" + }, + "files": [ + "dist-js", + "!dist-js/**/*.map", + "README.md", + "LICENSE" + ], + "devDependencies": { + "tslib": "^2.5.0" + }, + "dependencies": { + "@tauri-apps/api": "^1.2.0" + } +} diff --git a/rollup.config.mjs b/rollup.config.mjs new file mode 100644 index 0000000..6555e98 --- /dev/null +++ b/rollup.config.mjs @@ -0,0 +1,11 @@ +import { readFileSync } from "fs"; + +import { createConfig } from "../../shared/rollup.config.mjs"; + +export default createConfig({ + input: "guest-js/index.ts", + pkg: JSON.parse( + readFileSync(new URL("./package.json", import.meta.url), "utf8") + ), + external: [/^@tauri-apps\/api/], +}); diff --git a/src/auth.rs b/src/auth.rs new file mode 100644 index 0000000..c334173 --- /dev/null +++ b/src/auth.rs 
@@ -0,0 +1,212 @@ +// Copyright 2021 Tauri Programme within The Commons Conservancy +// SPDX-License-Identifier: Apache-2.0 +// SPDX-License-Identifier: MIT + +use authenticator::{ + authenticatorservice::AuthenticatorService, statecallback::StateCallback, + AuthenticatorTransports, KeyHandle, RegisterFlags, SignFlags, StatusUpdate, +}; +use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine}; +use once_cell::sync::Lazy; +use serde::Serialize; +use sha2::{Digest, Sha256}; +use std::io; +use std::sync::mpsc::channel; +use std::{convert::Into, sync::Mutex}; + +static MANAGER: Lazy> = Lazy::new(|| { + let manager = AuthenticatorService::new().expect("The auth service should initialize safely"); + Mutex::new(manager) +}); + +pub fn init_usb() { + let mut manager = MANAGER.lock().unwrap(); + // theres also "add_detected_transports()" in the docs? + manager.add_u2f_usb_hid_platform_transports(); +} + +#[derive(Serialize, Clone)] +#[serde(rename_all = "camelCase")] +pub struct Registration { + pub key_handle: String, + pub pubkey: String, + pub register_data: String, + pub client_data: String, +} + +pub fn register(application: String, timeout: u64, challenge: String) -> crate::Result { + let (chall_bytes, app_bytes, client_data_string) = + format_client_data(application.as_str(), challenge.as_str()); + + // log the status rx? 
+ let (status_tx, _status_rx) = channel::(); + + let mut manager = MANAGER.lock().unwrap(); + + let (register_tx, register_rx) = channel(); + let callback = StateCallback::new(Box::new(move |rv| { + register_tx.send(rv).unwrap(); + })); + + let res = manager.register( + RegisterFlags::empty(), + timeout, + chall_bytes, + app_bytes, + vec![], + status_tx, + callback, + ); + + match res { + Ok(_r) => { + let register_result = register_rx + .recv() + .expect("Problem receiving, unable to continue"); + + if let Err(e) = register_result { + return Err(e.into()); + } + + let (register_data, device_info) = register_result.unwrap(); // error already has been checked + + // println!("Register result: {}", base64::encode(®ister_data)); + println!("Device info: {}", &device_info); + + let (key_handle, public_key) = + _u2f_get_key_handle_and_public_key_from_register_response(®ister_data).unwrap(); + let key_handle_base64 = URL_SAFE_NO_PAD.encode(key_handle); + let public_key_base64 = URL_SAFE_NO_PAD.encode(public_key); + let register_data_base64 = URL_SAFE_NO_PAD.encode(®ister_data); + println!("Key Handle: {}", &key_handle_base64); + println!("Public Key: {}", &public_key_base64); + + // Ok(base64::encode(®ister_data)) + // Ok(key_handle_base64) + let res = serde_json::to_string(&Registration { + key_handle: key_handle_base64, + pubkey: public_key_base64, + register_data: register_data_base64, + client_data: client_data_string, + })?; + Ok(res) + } + Err(e) => Err(e.into()), + } +} + +#[derive(Serialize, Clone)] +#[serde(rename_all = "camelCase")] +pub struct Signature { + pub key_handle: String, + pub sign_data: String, +} + +pub fn sign( + application: String, + timeout: u64, + challenge: String, + key_handle: String, +) -> crate::Result { + let credential = match URL_SAFE_NO_PAD.decode(key_handle) { + Ok(v) => v, + Err(e) => { + return Err(e.into()); + } + }; + let key_handle = KeyHandle { + credential, + transports: AuthenticatorTransports::empty(), + }; + + let 
(chall_bytes, app_bytes, _) = format_client_data(application.as_str(), challenge.as_str()); + + let (sign_tx, sign_rx) = channel(); + let callback = StateCallback::new(Box::new(move |rv| { + sign_tx.send(rv).unwrap(); + })); + + // log the status rx? + let (status_tx, _status_rx) = channel::(); + + let mut manager = MANAGER.lock().unwrap(); + + let res = manager.sign( + SignFlags::empty(), + timeout, + chall_bytes, + vec![app_bytes], + vec![key_handle], + status_tx, + callback, + ); + match res { + Ok(_v) => { + let sign_result = sign_rx + .recv() + .expect("Problem receiving, unable to continue"); + + if let Err(e) = sign_result { + return Err(e.into()); + } + + let (_, handle_used, sign_data, device_info) = sign_result.unwrap(); + + let sig = URL_SAFE_NO_PAD.encode(sign_data); + + println!("Sign result: {sig}"); + println!("Key handle used: {}", URL_SAFE_NO_PAD.encode(&handle_used)); + println!("Device info: {}", &device_info); + println!("Done."); + + let res = serde_json::to_string(&Signature { + sign_data: sig, + key_handle: URL_SAFE_NO_PAD.encode(&handle_used), + })?; + Ok(res) + } + Err(e) => Err(e.into()), + } +} + +fn format_client_data(application: &str, challenge: &str) -> (Vec, Vec, String) { + let d = + format!(r#"{{"challenge": "{challenge}", "version": "U2F_V2", "appId": "{application}"}}"#); + let mut challenge = Sha256::new(); + challenge.update(d.as_bytes()); + let chall_bytes = challenge.finalize().to_vec(); + + let mut app = Sha256::new(); + app.update(application.as_bytes()); + let app_bytes = app.finalize().to_vec(); + + (chall_bytes, app_bytes, d) +} + +fn _u2f_get_key_handle_and_public_key_from_register_response( + register_response: &[u8], +) -> io::Result<(Vec, Vec)> { + if register_response[0] != 0x05 { + return Err(io::Error::new( + io::ErrorKind::InvalidData, + "Reserved byte not set correctly", + )); + } + + // 1: reserved + // 65: public key + // 1: key handle length + // key handle + // x.509 cert + // sig + + let key_handle_len = 
register_response[66] as usize;
+ let mut public_key = register_response.to_owned();
+ let mut key_handle = public_key.split_off(67);
+ let _attestation = key_handle.split_off(key_handle_len);
+
+ // remove fist (reserved) and last (handle len) bytes
+ let pk: Vec = public_key[1..public_key.len() - 1].to_vec();
+
+ Ok((key_handle, pk))
+}
diff --git a/src/error.rs b/src/error.rs
new file mode 100644
index 0000000..87a393d
--- /dev/null
+++ b/src/error.rs
@@ -0,0 +1,22 @@
+use serde::{Serialize, Serializer};
+
+#[derive(Debug, thiserror::Error)]
+pub enum Error {
+ #[error(transparent)]
+ Base64Decode(#[from] base64::DecodeError),
+ #[error(transparent)]
+ JSON(#[from] serde_json::Error),
+ #[error(transparent)]
+ U2F(#[from] u2f::u2ferror::U2fError),
+ #[error(transparent)]
+ Auth(#[from] authenticator::errors::AuthenticatorError),
+}
+
+impl Serialize for Error {
+ fn serialize(&self, serializer: S) -> std::result::Result
+ where
+ S: Serializer,
+ {
+ serializer.serialize_str(self.to_string().as_ref())
+ }
+}
diff --git a/src/lib.rs b/src/lib.rs
new file mode 100644
index 0000000..ef889e2
--- /dev/null
+++ b/src/lib.rs
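Review bot: `_u2f_get_key_handle_and_public_key_from_register_response` reads `register_response[0]`, `register_response[66]` and then `split_off(67)` / `split_off(key_handle_len)` without ever checking the slice length, so a short or truncated registration response from the device panics inside the command instead of returning the `InvalidData` error the function already defines, and `register` then `.unwrap()`s that result so the failure is never handled either way. The rewrite below replaces the indexing with checked `get` calls so every length problem becomes an `io::Error`. Separately, `format_client_data` interpolates the IPC-supplied `challenge` and `application` strings into JSON with `format!` and no escaping, so a `"` in either produces malformed client data that later verification will reject; building the object with `serde_json::json!` and `to_string` (serde_json is already a dependency) keeps it well-formed. The `println!` calls that print the key handle, public key, signature and device info should go behind `log::debug!` (the `log` crate is already in Cargo.toml) rather than unconditional stdout.
```rust
fn _u2f_get_key_handle_and_public_key_from_register_response(
    register_response: &[u8],
) -> io::Result<(Vec<u8>, Vec<u8>)> {
    // Fixed-size prefix: 1 reserved byte, 65-byte public key, 1 key-handle length byte.
    const PREFIX_LEN: usize = 67;
    let invalid = |msg: &'static str| io::Error::new(io::ErrorKind::InvalidData, msg);

    if register_response.first() != Some(&0x05) {
        return Err(invalid("Reserved byte not set correctly"));
    }
    let key_handle_len = *register_response
        .get(PREFIX_LEN - 1)
        .ok_or_else(|| invalid("Register response shorter than its fixed prefix"))?
        as usize;
    // The key handle follows the prefix; the attestation cert and signature after it are not needed here.
    let key_handle = register_response
        .get(PREFIX_LEN..PREFIX_LEN + key_handle_len)
        .ok_or_else(|| invalid("Register response truncated inside the key handle"))?
        .to_vec();
    // The public key sits between the reserved byte and the key-handle length byte.
    let pk = register_response[1..PREFIX_LEN - 1].to_vec();

    Ok((key_handle, pk))
}
```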
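Review bot: `Error` has no variant wrapping `std::io::Error`, which is why the register-response parser in src/auth.rs returns an `io::Result` that its caller `.unwrap()`s instead of propagating with `?`; adding `#[error(transparent)] Io(#[from] std::io::Error),` lets a malformed device response reach the frontend as an ordinary command error. The `Serialize` impl forwards each wrapped error's `Display` text verbatim to the webview, which is reasonable for these library errors but deserves a one-line comment on the impl so a future variant carrying internal detail is not added without that in mind.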
@@ -0,0 +1,76 @@
+// Copyright 2021 Tauri Programme within The Commons Conservancy
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-License-Identifier: MIT
+
+mod auth;
+mod error;
+mod u2f;
+
+use tauri::{
+ plugin::{Builder as PluginBuilder, TauriPlugin},
+ Runtime,
+};
+
+pub use error::Error;
+type Result = std::result::Result;
+
+#[tauri::command]
+fn init_auth() {
+ auth::init_usb();
+}
+
+#[tauri::command]
+fn register(timeout: u64, challenge: String, application: String) -> crate::Result {
+ auth::register(application, timeout, challenge)
+}
+
+#[tauri::command]
+fn verify_registration(
+ challenge: String,
+ application: String,
+ register_data: String,
+ client_data: String,
+) -> crate::Result {
+ u2f::verify_registration(application, challenge, register_data, client_data)
+}
+
+#[tauri::command]
+fn sign(
+ timeout: u64,
+ challenge: String,
+ application: String,
+ key_handle: String,
+) -> crate::Result {
+ auth::sign(application, timeout, challenge, key_handle)
+}
+
+#[tauri::command]
+fn verify_signature(
+ challenge: String,
+ application: String,
+ sign_data: String,
+ client_data: String,
+ key_handle: String,
+ pubkey: String,
+) -> crate::Result {
+ u2f::verify_signature(
+ application,
+ challenge,
+ sign_data,
+ client_data,
+ key_handle,
+ pubkey,
+ )
+}
+
+pub fn init() -> TauriPlugin {
+ PluginBuilder::new("authenticator")
+ .invoke_handler(tauri::generate_handler![
+ init_auth,
+ register,
+ verify_registration,
+ sign,
+ verify_signature
+ ])
+ .build()
+}
diff --git a/src/u2f.rs b/src/u2f.rs
new file mode 100644
index 0000000..e8bd5de
--- /dev/null
+++ b/src/u2f.rs
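Review bot: The `register`, `sign`, `verify_registration` and `verify_signature` commands take `application` (the U2F appId) straight from the webview and forward it unchecked, so nothing in this file binds the appId to the application that ships the plugin; U2F's origin binding relies on the client deciding which appIds a caller may use, so consider fixing or allow-listing the appId in plugin configuration instead of accepting an arbitrary string, or document that the host app is responsible for that restriction. None of the five commands, the `Result` alias or `init()` has a doc comment, and the `timeout: u64` parameter of `register` and `sign` does not state its unit; it is handed to the authenticator manager, which takes milliseconds if I read that crate correctly, so a line such as `/// `timeout` is in milliseconds and is passed to the authenticator manager unchanged.` on both commands would save frontend callers a guess. The comment should be confirmed against the manager's signature before it is added.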
@@ -0,0 +1,105 @@
+// Copyright 2021 Tauri Programme within The Commons Conservancy
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-License-Identifier: MIT
+
+use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
+use chrono::prelude::*;
+use serde::Serialize;
+use std::convert::Into;
+use u2f::messages::*;
+use u2f::protocol::*;
+use u2f::register::*;
+
+static VERSION: &str = "U2F_V2";
+
+pub fn make_challenge(app_id: &str, challenge_bytes: Vec) -> Challenge {
+ let utc: DateTime = Utc::now();
+ Challenge {
+ challenge: URL_SAFE_NO_PAD.encode(challenge_bytes),
+ timestamp: format!("{utc:?}"),
+ app_id: app_id.to_string(),
+ }
+}
+
+#[derive(Serialize, Clone)]
+#[serde(rename_all = "camelCase")]
+pub struct RegistrationVerification {
+ pub key_handle: String,
+ pub pubkey: String,
+ pub device_name: Option,
+}
+
+pub fn verify_registration(
+ app_id: String,
+ challenge: String,
+ register_data: String,
+ client_data: String,
+) -> crate::Result {
+ let challenge_bytes = URL_SAFE_NO_PAD.decode(challenge)?;
+ let challenge = make_challenge(&app_id, challenge_bytes);
+ let client_data_bytes: Vec = client_data.as_bytes().into();
+ let client_data_base64 = URL_SAFE_NO_PAD.encode(client_data_bytes);
+ let client = U2f::new(app_id);
+ match client.register_response(
+ challenge,
+ RegisterResponse {
+ registration_data: register_data,
+ client_data: client_data_base64,
+ version: VERSION.to_string(),
+ },
+ ) {
+ Ok(v) => {
+ let rv = RegistrationVerification {
+ key_handle: URL_SAFE_NO_PAD.encode(&v.key_handle),
+ pubkey: URL_SAFE_NO_PAD.encode(&v.pub_key),
+ device_name: v.device_name,
+ };
+ Ok(serde_json::to_string(&rv)?)
+ }
+ Err(e) => Err(e.into()),
+ }
+}
+
+#[derive(Serialize, Clone)]
+#[serde(rename_all = "camelCase")]
+pub struct SignatureVerification {
+ pub counter: u8,
+}
+
+pub fn verify_signature(
+ app_id: String,
+ challenge: String,
+ sign_data: String,
+ client_data: String,
+ key_handle: String,
+ pub_key: String,
+) -> crate::Result {
+ let challenge_bytes = URL_SAFE_NO_PAD.decode(challenge)?;
+ let chal = make_challenge(&app_id, challenge_bytes);
+ let client_data_bytes: Vec = client_data.as_bytes().into();
+ let client_data_base64 = URL_SAFE_NO_PAD.encode(client_data_bytes);
+ let key_handle_bytes = URL_SAFE_NO_PAD.decode(&key_handle)?;
+ let pubkey_bytes = URL_SAFE_NO_PAD.decode(pub_key)?;
+ let client = U2f::new(app_id);
+ let mut _counter: u32 = 0;
+ match client.sign_response(
+ chal,
+ Registration {
+ // here only needs pubkey and keyhandle
+ key_handle: key_handle_bytes,
+ pub_key: pubkey_bytes,
+ attestation_cert: None,
+ device_name: None,
+ },
+ SignResponse {
+ // here needs client data and sig data and key_handle
+ signature_data: sign_data,
+ client_data: client_data_base64,
+ key_handle,
+ },
+ _counter,
+ ) {
+ Ok(v) => Ok(v),
+ Err(e) => Err(e.into()),
+ }
+}
diff --git a/tsconfig.json b/tsconfig.json
new file mode 120000
index 0000000..7cd38da
--- /dev/null
+++ b/tsconfig.json
@@ -0,0 +1 @@
+../../shared/tsconfig.json
\ No newline at end of file
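Review bot: `verify_signature` hands a hard-coded `_counter: u32 = 0` to `client.sign_response`, so the caller never supplies the last counter it stored for this key handle; if the u2f crate compares the signed counter against that argument (its return value, forwarded as `Ok(v)`, appears to be the new counter), the cloned-authenticator detection the counter provides is effectively disabled because any value above zero passes. I would add `counter: u32` after `pub_key: String` in the signature (and in the lib.rs command), pass `counter,` where `_counter,` is passed now, and document that the caller must persist the returned value and feed it back on the next verification. `make_challenge` also stamps `Utc::now()` at verification time rather than when the challenge was issued, so any freshness check the crate performs on `timestamp` is vacuous and challenge expiry has to be enforced by whoever issued the challenge; a comment on `make_challenge` saying so would stop the next maintainer from assuming the crate does it. The `SignatureVerification` struct (`counter: u8`) is not referenced anywhere in the hunk and its width disagrees with the `u32` counter, so either drop it or return it from `verify_signature`.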