
Transport/Token AuthenticatorBackend for CTAP 2.0/2.1 #215

Merged: 89 commits, Dec 25, 2022

Conversation

micolous (Collaborator) commented Oct 11, 2022

Targeting FIDOv2 tokens.

The goal is to build base functionality, similar to the existing Windows support in #204; but it will require implementing a bunch of other "support things" like PIN management and fingerprint support.

What this PR adds:

  • Adds an AuthenticatorBackend on top of Transport / Token. This supports core FIDO 2.0 and 2.1 functionality, with some exceptions
  • Refactors Transport to be async
  • Adds UiCallback to provide a UI for things the library needs
  • Adds key_manager example, which can use new library features
  • Pretty much rewrites all the existing CTAP 2.0 code (that was broken)
  • Make CTAP, NFC and USB-layer errors a first class error type
  • Removes hack_make_cred (we can do it for reals now)
  • Fixes support for USB HID tokens on Linux
  • Gates raw NFC access behind nfc_raw_transmit feature (needed for conformance example)

Current TODO list (which will change):

  • Fix CBOR serialisation bugs
  • Propagate CTAP errors across transports
  • Selection (CTAP v2.1 only; this doesn't handle the broader issue of handling multiple tokens, it's complex so I'm dropping that for now)
    • authenticatorSelection Request
    • authenticatorSelection Response
    • selecting a token based on authenticatorSelection (only CTAPv2.1)
  • MakeCredential / Registration
    • Request
    • Response
    • Convert CTAP style CBOR response into WebAuthn style CBOR response
    • Fix the tests
  • GetAssertion / Authenticate
    • Request
    • Response
  • ClientPin
    • Auth tokens
      • No PIN/UV authorization
      • PIN with getPinToken
      • PIN with getPinUvAuthTokenUsingPinWithPermissions
      • UV with getPinUvAuthTokenUsingUvWithPermissions
    • PIN handshake protocols
      • Protocol 1
      • Protocol 2
      • Select best protocol automatically
    • PIN UI trait
      • PIN UI for CLI usage
    • PIN management
      • Set a new PIN
      • Change an existing PIN
  • BioEnrollment
    • Get bio modality
    • Get fingerprint sensor info
    • Enroll a fingerprint
    • Enumerate enrolments
    • Set friendly name
    • Remove enrolment
  • Authenticator configuration (subset)
    • Always require user verification
    • Minimum PIN length
  • Factory reset (authenticatorReset)
  • Split this PR up a bit where reasonable:

Platform tests needed:

  • Linux
  • macOS
  • Windows, as Administrator

Transport tests needed:

  • NFC
  • USB HID

Things that will be considered out of scope for this PR, and are to be addressed later for #214 :

  • CTAP v1 / U2F, including automatic fall-back
  • CTAP v2.1-pre fall-back
  • discoverable credentials (authenticatorCredentialManagement)
  • large blobs (authenticatorLargeBlobs)
  • enterprise attestation
  • Bluetooth Low Energy authenticators
  • MakeCredential / GetAssertion extensions
  • cancellations
  • Handling selection for multiple authenticators. authenticatorSelection only works in CTAP 2.1, so need something else:
    • come up with another strategy for MakeCredential/GetAssertion with multiple tokens
    • Handle user interaction with a selected token
    • handle multiple PC/SC readers
    • handle composite PC/SC devices (e.g. ACR 123U)
    • handle connecting or disconnecting an authenticator while a prompt is in progress
    • handle connecting or disconnecting a PC/SC reader while a prompt is in progress
    • handle when there are no tokens connected (i.e. wait_for_token)
  • improved session handling (find a nice place to stash pin_uv_auth_token and iface)
  • PIN / UV retry limits

#214

  • cargo fmt has been run
  • cargo test has been run and passes
  • documentation has been updated with relevant examples (if relevant)

@micolous micolous changed the title WIP: transport auth WIP: Transport/Token AuthenticatorBackend Oct 11, 2022
@micolous micolous changed the title WIP: Transport/Token AuthenticatorBackend WIP: Transport/Token AuthenticatorBackend for CTAP 2.0/2.1 Oct 17, 2022
Firstyear pushed a commit that referenced this pull request Nov 13, 2022
* `AuthenticatorTransport`: add `FromStr` and `ToString` impls
* `COSEAlgorithm`: add the fake `PinUvProtocol` key type
* `cose`: add some helpers for conversion to/from `openssl` types
@micolous micolous changed the title WIP: Transport/Token AuthenticatorBackend for CTAP 2.0/2.1 Transport/Token AuthenticatorBackend for CTAP 2.0/2.1 Nov 19, 2022
micolous (Collaborator, Author)

This is now in a feature-complete state, and I'm not planning to add any more significant features to this PR.

Right now it needs some eyes over it to make sure this is all reasonable, and needs some testing with real devices and different platforms from what I've been using.

@micolous micolous marked this pull request as ready for review November 19, 2022 04:54
micolous (Collaborator, Author) commented Nov 19, 2022

It'd also be good to test this (and the win10 stuff) against whatever kanidm is using the library for:

https://github.com/kanidm/kanidm/blob/40dd911d1062d10849164dc2aa57ec77b7535914/kanidm_tools/Cargo.toml#L47

Firstyear (Member)

It'd also be good to test this (and the win10 stuff) against whatever kanidm is using the library for:

https://github.com/kanidm/kanidm/blob/40dd911d1062d10849164dc2aa57ec77b7535914/kanidm_tools/Cargo.toml#L47

We just use it in the kanidm_tools binaries for CLI admin. It's not in the main server.

Firstyear (Member)

@micolous Is this in a mergeable state?

micolous (Collaborator, Author)

@micolous Is this in a mergeable state?

This can be merged as-is.

However, I intend to change the API again for caBLE (it's weird) -- but that's still some ways off.

@Firstyear Firstyear merged commit e2d1172 into kanidm:master Dec 25, 2022
@micolous micolous added enhancement New feature or request ctap2 Issues related to the CtapAuthenticator backend labels Feb 3, 2023