sshkey_attest/

lib.rs

//! This module contains the function that allows attestation of ssh sk keys which
//! are created by FIDO2 devices.

#![cfg_attr(docsrs, feature(doc_cfg))]
#![deny(warnings)]
#![warn(unused_extern_crates)]
#![warn(missing_docs)]
#![deny(clippy::todo)]
#![deny(clippy::unimplemented)]
#![deny(clippy::unwrap_used)]
// #![deny(clippy::expect_used)]
#![deny(clippy::panic)]
#![deny(clippy::unreachable)]
#![deny(clippy::await_holding_lock)]
#![deny(clippy::needless_pass_by_value)]
#![deny(clippy::trivially_copy_pass_by_ref)]

#[macro_use]
extern crate tracing;

pub mod proto;

use uuid::Uuid;
pub use webauthn_rs_core::error::WebauthnError;
use webauthn_rs_core::{
    attestation::{
        assert_packed_attest_req, validate_extension, verify_attestation_ca_chain, FidoGenCeAaguid,
    },
    crypto::{compute_sha256, verify_signature},
    internals::AuthenticatorData,
    proto::{
        AttestationCaList, AttestationFormat, AttestationMetadata, COSEAlgorithm, COSEKey,
        COSEKeyType, CredentialProtectionPolicy, ExtnState, ParsedAttestation,
        ParsedAttestationData, RegisteredExtensions, Registration,
    },
};

use nom::{
    bytes::complete::{tag, take},
    number::complete::be_u32,
};

use openssl::{bn, ec, nid, x509};

use sshkeys::{Curve, EcdsaPublicKey, KeyType, KeyTypeKind, PublicKey, PublicKeyKind};

use crate::proto::AttestedPublicKey;

/// Given an attestation generated by ssh-keygen, parse and validate it's content
/// returning an attested public key structure that contains metadata and the ssh
/// public key.
///
/// You can create an attested sk key with:
/// ```shell
///  dd if=/dev/urandom of=/Users/username/.ssh/id_ecdsa_sk.chal bs=16 count=1
///  ssh-keygen -t ecdsa-sk -O challenge=/Users/username/.ssh/id_ecdsa_sk.chal \\
///    -O write-attestation=/Users/username/.ssh/id_ecdsa_sk.attest -f /Users/username/.ssh/id_ecdsa_sk
/// ```
///
/// The contents of `id_ecdsa_sk.attest` and `id_ecdsa_sk.chal` correspond to the
/// `attestation` and `challenge` parameters respectively.
pub fn verify_fido_sk_ssh_attestation(
    attestation: &[u8],
    challenge: &[u8],
    attestation_cas: &AttestationCaList,
    danger_disable_certificate_time_checks: bool,
) -> Result<AttestedPublicKey, WebauthnError> {
    if attestation_cas.is_empty() {
        return Err(WebauthnError::MissingAttestationCaList);
    }

    let alg = COSEAlgorithm::ES256;

    let ssh_sk_attest = SshSkAttestation::try_from(attestation)?;

    let acd = ssh_sk_attest
        .auth_data
        .acd
        .as_ref()
        .ok_or(WebauthnError::MissingAttestationCredentialData)?;

    let attestation_format = AttestationFormat::Packed;

    // Ssh simply uses the challenge as the client data hash.
    let client_data_hash = compute_sha256(challenge);

    trace!(?ssh_sk_attest);

    let verification_data: Vec<u8> = ssh_sk_attest
        .auth_data_bytes
        .iter()
        .chain(client_data_hash.iter())
        .copied()
        .collect();

    let is_valid_signature = verify_signature(
        alg,
        &ssh_sk_attest.att_cert,
        &ssh_sk_attest.sig,
        &verification_data,
    )?;

    if !is_valid_signature {
        return Err(WebauthnError::AttestationStatementSigInvalid);
    }

    // Verify that attestnCert meets the requirements in § 8.2.1 Packed Attestation
    // Statement Certificate Requirements.
    // https://w3c.github.io/webauthn/#sctn-packed-attestation-cert-requirements

    assert_packed_attest_req(&ssh_sk_attest.att_cert)?;

    // If attestnCert contains an extension with OID 1.3.6.1.4.1.45724.1.1.4
    // (id-fido-gen-ce-aaguid) verify that the value of this extension matches the aaguid
    // in authenticatorData.

    validate_extension::<FidoGenCeAaguid>(&ssh_sk_attest.att_cert, &acd.aaguid)?;

    // In the future if ssh changes their attest format we can provide the full chain here.
    let att_x509 = vec![ssh_sk_attest.att_cert.clone()];

    let attestation = ParsedAttestation {
        data: ParsedAttestationData::Basic(att_x509),
        metadata: AttestationMetadata::Packed {
            aaguid: Uuid::from_bytes(acd.aaguid),
        },
    };

    let ca_crt = verify_attestation_ca_chain(
        &attestation.data,
        attestation_cas,
        danger_disable_certificate_time_checks,
    )?;

    // It may seem odd to unwrap the option and make this not verified at this point,
    // but in this case because we have the ca_list and none was the result (which happens)
    // in some cases, we need to map that through. But we need verify_attesation_ca_chain
    // to still return these option types due to re-attestation in the future.
    let ca_crt = ca_crt.ok_or(WebauthnError::AttestationNotVerifiable)?;

    match &attestation.metadata {
        AttestationMetadata::Packed { aaguid } | AttestationMetadata::Tpm { aaguid, .. } => {
            // If not present, fail.
            if !ca_crt.aaguids().contains_key(aaguid) {
                error!(?aaguid, "aaguid not trusted by this CA");
                return Err(WebauthnError::AttestationUntrustedAaguid);
            }
        }
        _ => {
            error!("this attestation format does not contain an aaguid and can not proceed");
            return Err(WebauthnError::AttestationFormatMissingAaguid);
        }
    };

    let cred_protect = match ssh_sk_attest.auth_data.extensions.cred_protect.as_ref() {
        Some(credprotect) => {
            if credprotect.0 == CredentialProtectionPolicy::UserVerificationRequired
                && !ssh_sk_attest.auth_data.user_verified
            {
                return Err(WebauthnError::SshPublicKeyInconsistentUserVerification);
            }
            ExtnState::Set(credprotect.0)
        }
        None => ExtnState::NotRequested,
    };

    let extensions = RegisteredExtensions {
        cred_protect,
        ..Default::default()
    };

    // Assert that the key is not backup-eligible and not backed up.

    if ssh_sk_attest.auth_data.backup_eligible || ssh_sk_attest.auth_data.backup_state {
        error!("Fido ssh sk keys may not be backed up or backup eligible");
        return Err(WebauthnError::SshPublicKeyBackupState);
    }

    // If attestation passes, extract the public key from the attestation.
    //
    // https://github.com/openssh/openssh-portable/blob/c46f6fed419167c1671e4227459e108036c760f8/ssh-sk.c#L291
    let ck = COSEKey::try_from(&acd.credential_pk).map_err(|e| {
        if matches!(e, WebauthnError::COSEKeyEDUnsupported) {
            WebauthnError::SshPublicKeyEDUnsupported
        } else {
            e
        }
    })?;
    trace!(?ck);

    let pubkey = to_ssh_pubkey(&ck)?;

    Ok(AttestedPublicKey {
        pubkey,
        extensions,
        attestation,
        attestation_format,
    })
}

macro_rules! cbor_try_bytes {
    (
        $v:expr
    ) => {{
        match $v {
            serde_cbor_2::Value::Bytes(m) => Ok(m),
            _ => Err(WebauthnError::COSEKeyInvalidCBORValue),
        }
    }};
}

#[derive(Debug)]
struct SshSkAttestation {
    att_cert: x509::X509,
    sig: Vec<u8>,
    auth_data_bytes: Vec<u8>,
    auth_data: AuthenticatorData<Registration>,
}

struct SshSkAttestationRaw<'a> {
    // This is the x5c cbor per https://developers.yubico.com/libfido2/Manuals/fido_cred_x5c_ptr.html
    att_cert_raw: &'a [u8],
    // Likely a cbor slice?
    sig_raw: &'a [u8],
    // cbor auth data. Could just be serde slice?
    auth_data_raw: &'a [u8],
}

impl TryFrom<&[u8]> for SshSkAttestation {
    type Error = WebauthnError;

    fn try_from(data: &[u8]) -> Result<SshSkAttestation, WebauthnError> {
        // There doesn't seem to be much in the way of docs about the format of
        // the ssh attestation binary, but reading the source, we see it is setup
        // per: https://github.com/openssh/openssh-portable/blob/master/ssh-sk.c#L436
        //
        // Update: There are docs, but they are hard to find :(
        // https://github.com/openssh/openssh-portable/blob/2709809fd616a0991dc18e3a58dea10fb383c3f0/PROTOCOL.u2f#L151-L174
        let sk_raw = parse_ssh_sk_attestation(data)
            .map_err(|e| {
                error!(?e, "try_from parse_ssh_sk_attestation");
                WebauthnError::ParseNOMFailure
            })
            // Discard the remaining bytes.
            .map(|(_, ad)| ad)?;

        // Convert raw fields to parsed ones.

        let sig = sk_raw.sig_raw.to_vec();

        let att_cert =
            x509::X509::from_der(sk_raw.att_cert_raw).map_err(WebauthnError::OpenSSLError)?;

        let auth_data_bytes = serde_cbor_2::from_slice(sk_raw.auth_data_raw)
            .map_err(|e| {
                error!(?e, "invalid auth data cbor");
                WebauthnError::ParseNOMFailure
            })
            .and_then(|value| cbor_try_bytes!(value))?;

        let auth_data: AuthenticatorData<Registration> =
            AuthenticatorData::try_from(auth_data_bytes.as_slice()).map_err(|e| {
                error!(?e, "invalid auth data structure");
                WebauthnError::ParseNOMFailure
            })?;

        Ok(SshSkAttestation {
            att_cert,
            sig,
            // Probably need auth_data raw.
            auth_data_bytes,
            auth_data,
        })
    }
}

fn parse_ssh_sk_attestation(i: &[u8]) -> nom::IResult<&[u8], SshSkAttestationRaw<'_>> {
    // Starts with a 4 byte u32 for the len of the header.

    let (i, _tag_len) = tag([0, 0, 0, 17])(i)?;
    let (i, _tag) = tag("ssh-sk-attest-v01")(i)?;

    let (i, att_cert_len) = be_u32(i)?;
    let (i, att_cert_raw) = take(att_cert_len as usize)(i)?;

    let (i, sig_len) = be_u32(i)?;
    let (i, sig_raw) = take(sig_len as usize)(i)?;

    let (i, auth_data_len) = be_u32(i)?;
    let (i, auth_data_raw) = take(auth_data_len as usize)(i)?;

    let (i, _resvd_flags) = be_u32(i)?;
    let (i, _resvd) = be_u32(i)?;

    Ok((
        i,
        SshSkAttestationRaw {
            att_cert_raw,
            sig_raw,
            auth_data_raw,
        },
    ))
}

fn to_ssh_pubkey(cose: &COSEKey) -> Result<PublicKey, WebauthnError> {
    match &cose.key {
        COSEKeyType::EC_EC2(_ec2k) => {
            let pubkey = cose.get_openssl_pkey()?;
            let key = pubkey
                .ec_key()
                .and_then(|ec| {
                    let mut ctx = bn::BigNumContext::new()?;
                    let c_nid = nid::Nid::X9_62_PRIME256V1; // NIST P-256 curve
                    let group = ec::EcGroup::from_curve_name(c_nid)?;

                    ec.public_key().to_bytes(
                        &group,
                        ec::PointConversionForm::UNCOMPRESSED,
                        &mut ctx,
                    )
                })
                .map_err(WebauthnError::OpenSSLError)?;

            let kind = PublicKeyKind::Ecdsa(EcdsaPublicKey {
                curve: Curve::from_identifier("nistp256").map_err(|_| {
                    error!("Invalid curve identifier");
                    WebauthnError::SshPublicKeyInvalidCurve
                })?,
                key,
                sk_application: Some("ssh:".to_string()),
            });

            Ok(PublicKey {
                key_type: KeyType {
                    name: "sk-ecdsa-sha2-nistp256@openssh.com",
                    short_name: "ECDSA-SK",
                    is_cert: false,
                    is_sk: true,
                    kind: KeyTypeKind::EcdsaSk,
                    plain: "sk-ecdsa-sha2-nistp256@openssh.com",
                },
                kind,
                comment: None,
            })
        }
        _ => {
            error!("ed25519 or ed448 public keys are not supported");
            Err(WebauthnError::SshPublicKeyEDUnsupported)
        }
    }
}

#[cfg(test)]
mod tests {
    use super::{verify_fido_sk_ssh_attestation, WebauthnError};
    use base64::{engine::general_purpose::STANDARD, Engine};
    use webauthn_rs_core::proto::{
        AttestationCaList, AttestationCaListBuilder, CredentialProtectionPolicy, ExtnState,
    };
    use webauthn_rs_device_catalog::data::yubico::YUBICO_U2F_ROOT_CA_SERIAL_457200631_PEM;

    #[test]
    fn test_ssh_ecdsa_sk_attest() {
        let _ = tracing_subscriber::fmt::try_init();

        // Create with:
        //  dd if=/dev/urandom of=/Users/william/.ssh/id_ecdsa_sk.chal bs=16 count=1
        //  ssh-keygen -t ecdsa-sk -O challenge=/Users/william/.ssh/id_ecdsa_sk.chal -O write-attestation=/Users/william/.ssh/id_ecdsa_sk.attest -f /Users/william/.ssh/id_ecdsa_sk

        let attest = STANDARD.decode("AAAAEXNzaC1zay1hdHRlc3QtdjAxAAACwTCCAr0wggGloAMCAQICBBisRsAwDQYJKoZIhvcNAQELBQAwLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwIBcNMTQwODAxMDAwMDAwWhgPMjA1MDA5MDQwMDAwMDBaMG4xCzAJBgNVBAYTAlNFMRIwEAYDVQQKDAlZdWJpY28gQUIxIjAgBgNVBAsMGUF1dGhlbnRpY2F0b3IgQXR0ZXN0YXRpb24xJzAlBgNVBAMMHll1YmljbyBVMkYgRUUgU2VyaWFsIDQxMzk0MzQ4ODBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHnqOyx8SXAQYiMM0j/rYOUpMXHUg/EAvoWdaw+DlwMBtUbN1G7PyuPj8w+B6e1ivSaNTB69N7O8vpKowq7rTjqjbDBqMCIGCSsGAQQBgsQKAgQVMS4zLjYuMS40LjEuNDE0ODIuMS43MBMGCysGAQQBguUcAgEBBAQDAgUgMCEGCysGAQQBguUcAQEEBBIEEMtpSB6P90A5k+wKJymhVKgwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEAl50Dl9hg+C7hXTEceW66+yL6p+CE2bq0xhu7V/PmtMGKSDe4XDxO2+SDQ/TWpdmxztqK4f7UkSkhcwWOXuHL3WvawHVXxqDo02gluhWef7WtjNr4BIaM+Q6PH4rqF8AWtVwqetSXyJT7cddT15uaSEtsN21yO5mNLh1DBr8QM7Wu+Myly7JWi2kkIm0io1irfYfkrF8uCRqnFXnzpWkJSX1y9U4GusHDtEE7ul6vlMO2TzT566Qay2rig3dtNkZTeEj+6IS93fWxuleYVM/9zrrDRAWVJ+Vt1Zj49WZxWr5DAd0ZETDmufDGQDkSU+IpgD867ydL7b/eP8u9QurWeQAAAEYwRAIgeYp6mYVsuaj0NpHps1qkGkJYroyurnuCKdSYWUCCsVgCIAhFdmhNWGG0cY5l3sZUhjmrwCHpuQ1A0QXbhuEtjM7sAAAAxljE4wYQ6KFiEVlg/h7CI+ZSnJ9LboAgDcteXDIcivHisb9FAAALNMtpSB6P90A5k+wKJymhVKgAQPQVE6m4sayalwAfqHVZBGEP32y5ju2Vo7U3k1zPFKQGLDhpA0dRHWvYbsvTPmqVzSGuxSyRW/ugWzPqsveALlSlAQIDJiABIVggQ25tmKStvyG74d5VF1nSmn9UCTaq/gkNu4mG8PTI11YiWCAMvZ7dwFsRGIN40+RbHnxDitWfGRtXV9rwTbBpG1P3XAAAAAAAAAAA")
            .expect("Failed to decode attestation");

        let challenge = STANDARD
            .decode("VzCkpMNVYVgXHBuDP74v9A==")
            .expect("Failed to decode attestation");

        let pubkey = "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBENubZikrb8hu+HeVRdZ0pp/VAk2qv4JDbuJhvD0yNdWDL2e3cBbERiDeNPkWx58Q4rVnxkbV1fa8E2waRtT91wAAAAEc3NoOg== william@hostname";
        let mut key = sshkeys::PublicKey::from_string(pubkey).unwrap();
        // Blank the comment
        key.comment = None;

        let mut att_ca_builder = AttestationCaListBuilder::new();
        att_ca_builder
            .insert_device_pem(
                YUBICO_U2F_ROOT_CA_SERIAL_457200631_PEM,
                uuid::uuid!("cb69481e-8ff7-4039-93ec-0a2729a154a8"),
                "yk 5 nano".to_string(),
                Default::default(),
            )
            .expect("Failed to build att ca list");
        let att_ca_list: AttestationCaList = att_ca_builder.build();

        // Parse
        let att = verify_fido_sk_ssh_attestation(
            attest.as_slice(),
            challenge.as_slice(),
            &att_ca_list,
            false,
        )
        .expect("Failed to parse attestation");

        trace!("key {:?}", key);
        trace!("att {:?}", att.pubkey);
        trace!("att full {:?}", att);

        // Check the supplied pubkey and the attested pubkey are the same.
        assert_eq!(att.pubkey, key);

        // Assert that cred protect isn't set.
        assert!(matches!(
            att.extensions.cred_protect,
            ExtnState::NotRequested
        ));
    }

    #[test]
    fn test_ssh_ecdsa_sk_credprotect_attest() {
        let _ = tracing_subscriber::fmt::try_init();

        // Create with:
        //  dd if=/dev/urandom of=/Users/william/.ssh/id_ecdsa_sk.chal bs=16 count=1
        //  ssh-keygen -t ecdsa-sk -O verify-required -O challenge=/Users/william/.ssh/id_ecdsa_sk.chal -O write-attestation=/Users/william/.ssh/id_ecdsa_sk_uv.attest -f /Users/william/.ssh/id_ecdsa_sk_uv

        let attest = STANDARD.decode("AAAAEXNzaC1zay1hdHRlc3QtdjAxAAAC8DCCAuwwggHUoAMCAQICCQCIobnFT2wgvjANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNZdWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAwMDBaGA8yMDUwMDkwNDAwMDAwMFowbzELMAkGA1UEBhMCU0UxEjAQBgNVBAoMCVl1YmljbyBBQjEiMCAGA1UECwwZQXV0aGVudGljYXRvciBBdHRlc3RhdGlvbjEoMCYGA1UEAwwfWXViaWNvIFUyRiBFRSBTZXJpYWwgMTE2OTc5MzQxNjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABP3N+hZ2qRVyajtVRGx/tdK/YAcNNGY++kDoDODSHk4cAqXSZ7jZepIkLdQXk7JP2dD0gVMpP5WzOJpEv8J6tRejgZQwgZEwEwYKKwYBBAGCxAoNAQQFBAMFBAMwEAYJKwYBBAGCxAoMBAMCAQcwIgYJKwYBBAGCxAoCBBUxLjMuNi4xLjQuMS40MTQ4Mi4xLjcwEwYLKwYBBAGC5RwCAQEEBAMCBSAwIQYLKwYBBAGC5RwBAQQEEgQQc7sM1OUCSbicb7WURb9yCzAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQA8JczOIP9yDzuYizYwoJwGCwmYbUWNuokPu/NOMRLKTHvRfZRhf5LRHX7WjD0kJwifo725l/O7b+G4Y+3w9a1tK00wBGCMxw3F/oGcxsn+Tg6zWQZW3HXN8Qxfb5vtnX7lK5omugUPyq7XBqiBqFi2oqHFxjPjZSYFqQLE1DxDfJVtxXysvG1q/tkTkRagkAaqLb59SitNKsSXJ14Y9aG6liaFpSL8q+BeIe6XBHZ8NGxGhZdnhOu6qzYcTpSXlYHjeUoVF2/crpnQocjl59cgarJgS2aJV/jlSWnyZVhKbq14up6YUg0UsO60+UYm5rKuxS5OvAsvgKbl+71jhxCSAAAASDBGAiEA0tN1SoFM6y25G1MAqiogh9YrxC3xXAjq5PqSLfpEiBMCIQCzlf2HkoQxzw26d/H54qG7usJxGqjI7ar5QTPTmyPiPAAAANRY0uMGEOihYhFZYP4ewiPmUpyfS26AIA3LXlwyHIrx4rG/xQAAAANzuwzU5QJJuJxvtZRFv3ILAEDSkcmqMSeSNIZeeun9OR70HsiBGZv4Z487AIxLcDGlygV+x8o0pcXuQLBt5qkyLgbjHz9AG8VnoG89Xsqc7FDNpQECAyYgASFYIMD4M0oQcZZURp0PhmabT3X+rvYak+JdnMwDTlJ/zBzZIlggrec0hNPMTEy2/BSWTiX/LCtOIuxSUAzRFG07JAwxxTyha2NyZWRQcm90ZWN0AwAAAAAAAAAA")
            .expect("Failed to decode attestation");
        let challenge = STANDARD
            .decode("VzCkpMNVYVgXHBuDP74v9A==")
            .expect("Failed to decode attestation");

        let pubkey = "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBMD4M0oQcZZURp0PhmabT3X+rvYak+JdnMwDTlJ/zBzZrec0hNPMTEy2/BSWTiX/LCtOIuxSUAzRFG07JAwxxTwAAAAEc3NoOg== william@hostname";
        let mut key = sshkeys::PublicKey::from_string(pubkey).unwrap();
        // Blank the comment
        key.comment = None;

        let mut att_ca_builder = AttestationCaListBuilder::new();
        att_ca_builder
            .insert_device_pem(
                YUBICO_U2F_ROOT_CA_SERIAL_457200631_PEM,
                uuid::uuid!("73bb0cd4-e502-49b8-9c6f-b59445bf720b"),
                "yk 5 fips".to_string(),
                Default::default(),
            )
            .expect("Failed to build att ca list");
        let att_ca_list: AttestationCaList = att_ca_builder.build();

        // Parse
        let att = verify_fido_sk_ssh_attestation(
            attest.as_slice(),
            challenge.as_slice(),
            &att_ca_list,
            false,
        )
        .expect("Failed to parse attestation");

        trace!("key {:?}", key);
        trace!("att {:?}", att.pubkey);
        trace!("att full {:?}", att);

        // Check the supplied pubkey and the attested pubkey are the same.
        assert_eq!(att.pubkey, key);

        // Assert that cred protect is present.
        assert!(matches!(
            att.extensions.cred_protect,
            ExtnState::Set(CredentialProtectionPolicy::UserVerificationRequired)
        ));
    }

    #[test]
    fn test_ssh_ed25519_sk_attest() {
        let _ = tracing_subscriber::fmt::try_init();

        // Create with:
        // dd if=/dev/urandom of=/tmp/id_ed25519_sk.chal bs=16 count=1
        // ssh-keygen -t ed25519-sk  -O challenge=/tmp/id_ed25519_sk.chal -O write-attestation=/tmp/id_ed25519_sk.attest -f /tmp/id_ed25519_sk

        let attest = STANDARD.decode("AAAAEXNzaC1zay1hdHRlc3QtdjAxAAAC8DCCAuwwggHUoAMCAQICCQCIobnFT2wgvjANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNZdWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAwMDBaGA8yMDUwMDkwNDAwMDAwMFowbzELMAkGA1UEBhMCU0UxEjAQBgNVBAoMCVl1YmljbyBBQjEiMCAGA1UECwwZQXV0aGVudGljYXRvciBBdHRlc3RhdGlvbjEoMCYGA1UEAwwfWXViaWNvIFUyRiBFRSBTZXJpYWwgMTE2OTc5MzQxNjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABP3N+hZ2qRVyajtVRGx/tdK/YAcNNGY++kDoDODSHk4cAqXSZ7jZepIkLdQXk7JP2dD0gVMpP5WzOJpEv8J6tRejgZQwgZEwEwYKKwYBBAGCxAoNAQQFBAMFBAMwEAYJKwYBBAGCxAoMBAMCAQcwIgYJKwYBBAGCxAoCBBUxLjMuNi4xLjQuMS40MTQ4Mi4xLjcwEwYLKwYBBAGC5RwCAQEEBAMCBSAwIQYLKwYBBAGC5RwBAQQEEgQQc7sM1OUCSbicb7WURb9yCzAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQA8JczOIP9yDzuYizYwoJwGCwmYbUWNuokPu/NOMRLKTHvRfZRhf5LRHX7WjD0kJwifo725l/O7b+G4Y+3w9a1tK00wBGCMxw3F/oGcxsn+Tg6zWQZW3HXN8Qxfb5vtnX7lK5omugUPyq7XBqiBqFi2oqHFxjPjZSYFqQLE1DxDfJVtxXysvG1q/tkTkRagkAaqLb59SitNKsSXJ14Y9aG6liaFpSL8q+BeIe6XBHZ8NGxGhZdnhOu6qzYcTpSXlYHjeUoVF2/crpnQocjl59cgarJgS2aJV/jlSWnyZVhKbq14up6YUg0UsO60+UYm5rKuxS5OvAsvgKbl+71jhxCSAAAARzBFAiEA9wvGXR0jdmlx41KiDgVnHng/u+aABcL0T7Mcla5RY1cCIG3w7FmnUCC9cN4OTsF0YIUKREVl7YZ/ULpgG9r3gbGcAAAA41jh4wYQ6KFiEVlg/h7CI+ZSnJ9LboAgDcteXDIcivHisb9FAAAAAnO7DNTlAkm4nG+1lEW/cgsAgOlyrDirl7wov1VQfV/0peGGSiOf4dfQ/MwcKRxhWA7OIEczExGaaoiNJZBKyVUnte5FWF4xz+g2yY1LA9DYizkHRyuH3V6nOqaBl56+pImD7oJA2sMGgFaK7OawkNInLrZn+kK1KwDwAuqGyraYxUwOimcyj3iO0cmnx8Kl3VsbpAEBAycgBiFYIJrDpo9OvZ479Kr/+2n9IY88++eEu1g+RqRgrNsGWyCLAAAAAAAAAAA=")
            .expect("Failed to decode attestation");

        let challenge = STANDARD
            .decode("aAqBnywP0Vbv3SUgqmnMRQ==")
            .expect("Failed to decode attestation");

        let mut att_ca_builder = AttestationCaListBuilder::new();
        att_ca_builder
            .insert_device_pem(
                YUBICO_U2F_ROOT_CA_SERIAL_457200631_PEM,
                uuid::uuid!("73bb0cd4-e502-49b8-9c6f-b59445bf720b"),
                "yk 5 fips".to_string(),
                Default::default(),
            )
            .expect("Failed to build att ca list");
        let att_ca_list: AttestationCaList = att_ca_builder.build();

        // Parse
        let att = verify_fido_sk_ssh_attestation(
            attest.as_slice(),
            challenge.as_slice(),
            &att_ca_list,
            false,
        );

        trace!("att full {:?}", att);

        assert!(matches!(att, Err(WebauthnError::SshPublicKeyEDUnsupported)));

        /*
        trace!("key {:?}", key);
        trace!("att {:?}", att.pubkey);
        trace!("att full {:?}", att);

        // Check the supplied pubkey and the attested pubkey are the same.
        assert_eq!(att.pubkey, key);

        // Assert that cred protect isn't set.
        assert!(matches!(
            att.extensions.cred_protect,
            ExtnState::NotRequested
        ));
        */
    }

    #[test]
    fn test_ssh_ecdsa_sk_reject_attest_aaguid() {
        let _ = tracing_subscriber::fmt::try_init();

        // Create with:
        //  dd if=/dev/urandom of=/Users/william/.ssh/id_ecdsa_sk.chal bs=16 count=1
        //  ssh-keygen -t ecdsa-sk -O challenge=/Users/william/.ssh/id_ecdsa_sk.chal -O write-attestation=/Users/william/.ssh/id_ecdsa_sk.attest -f /Users/william/.ssh/id_ecdsa_sk

        let attest = STANDARD.decode("AAAAEXNzaC1zay1hdHRlc3QtdjAxAAACwTCCAr0wggGloAMCAQICBBisRsAwDQYJKoZIhvcNAQELBQAwLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwIBcNMTQwODAxMDAwMDAwWhgPMjA1MDA5MDQwMDAwMDBaMG4xCzAJBgNVBAYTAlNFMRIwEAYDVQQKDAlZdWJpY28gQUIxIjAgBgNVBAsMGUF1dGhlbnRpY2F0b3IgQXR0ZXN0YXRpb24xJzAlBgNVBAMMHll1YmljbyBVMkYgRUUgU2VyaWFsIDQxMzk0MzQ4ODBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHnqOyx8SXAQYiMM0j/rYOUpMXHUg/EAvoWdaw+DlwMBtUbN1G7PyuPj8w+B6e1ivSaNTB69N7O8vpKowq7rTjqjbDBqMCIGCSsGAQQBgsQKAgQVMS4zLjYuMS40LjEuNDE0ODIuMS43MBMGCysGAQQBguUcAgEBBAQDAgUgMCEGCysGAQQBguUcAQEEBBIEEMtpSB6P90A5k+wKJymhVKgwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEAl50Dl9hg+C7hXTEceW66+yL6p+CE2bq0xhu7V/PmtMGKSDe4XDxO2+SDQ/TWpdmxztqK4f7UkSkhcwWOXuHL3WvawHVXxqDo02gluhWef7WtjNr4BIaM+Q6PH4rqF8AWtVwqetSXyJT7cddT15uaSEtsN21yO5mNLh1DBr8QM7Wu+Myly7JWi2kkIm0io1irfYfkrF8uCRqnFXnzpWkJSX1y9U4GusHDtEE7ul6vlMO2TzT566Qay2rig3dtNkZTeEj+6IS93fWxuleYVM/9zrrDRAWVJ+Vt1Zj49WZxWr5DAd0ZETDmufDGQDkSU+IpgD867ydL7b/eP8u9QurWeQAAAEYwRAIgeYp6mYVsuaj0NpHps1qkGkJYroyurnuCKdSYWUCCsVgCIAhFdmhNWGG0cY5l3sZUhjmrwCHpuQ1A0QXbhuEtjM7sAAAAxljE4wYQ6KFiEVlg/h7CI+ZSnJ9LboAgDcteXDIcivHisb9FAAALNMtpSB6P90A5k+wKJymhVKgAQPQVE6m4sayalwAfqHVZBGEP32y5ju2Vo7U3k1zPFKQGLDhpA0dRHWvYbsvTPmqVzSGuxSyRW/ugWzPqsveALlSlAQIDJiABIVggQ25tmKStvyG74d5VF1nSmn9UCTaq/gkNu4mG8PTI11YiWCAMvZ7dwFsRGIN40+RbHnxDitWfGRtXV9rwTbBpG1P3XAAAAAAAAAAA")
            .expect("Failed to decode attestation");

        let challenge = STANDARD
            .decode("VzCkpMNVYVgXHBuDP74v9A==")
            .expect("Failed to decode attestation");

        // The device signature above is from a yk5nano, however we have an attestation policy
        // to only allow the yk5 fips.
        let mut att_ca_builder = AttestationCaListBuilder::new();
        att_ca_builder
            .insert_device_pem(
                YUBICO_U2F_ROOT_CA_SERIAL_457200631_PEM,
                uuid::uuid!("73bb0cd4-e502-49b8-9c6f-b59445bf720b"),
                "yk 5 fips".to_string(),
                Default::default(),
            )
            .expect("Failed to build att ca list");
        let att_ca_list: AttestationCaList = att_ca_builder.build();

        // Parse
        let att = verify_fido_sk_ssh_attestation(
            attest.as_slice(),
            challenge.as_slice(),
            &att_ca_list,
            false,
        );

        trace!("att full {:?}", att);

        assert!(matches!(
            att,
            Err(WebauthnError::AttestationUntrustedAaguid)
        ));
    }

    #[test]
    fn test_ssh_ecdsa_sk_reject_attest_ca() {
        let _ = tracing_subscriber::fmt::try_init();

        // Create with:
        //  dd if=/dev/urandom of=/Users/william/.ssh/id_ecdsa_sk.chal bs=16 count=1
        //  ssh-keygen -t ecdsa-sk -O challenge=/Users/william/.ssh/id_ecdsa_sk.chal -O write-attestation=/Users/william/.ssh/id_ecdsa_sk.attest -f /Users/william/.ssh/id_ecdsa_sk

        let attest = STANDARD.decode("AAAAEXNzaC1zay1hdHRlc3QtdjAxAAADGzCCAxcwggK+oAMCAQICCQDFabHRsxYpGTAKBggqhkjOPQQDAjCBnDELMAkGA1UEBhMCQ0gxDzANBgNVBAgMBkdlbmV2YTEQMA4GA1UEBwwHVmVyc29peDEPMA0GA1UECgwGVE9LRU4yMSIwIAYDVQQLDBlBdXRoZW50aWNhdG9yIEF0dGVzdGF0aW9uMRMwEQYDVQQDDAp0b2tlbjIuY29tMSAwHgYJKoZIhvcNAQkBFhFvZmZpY2VAdG9rZW4yLmNvbTAeFw0xOTEyMDQwNzAyMjJaFw0zOTExMjkwNzAyMjJaMF4xCzAJBgNVBAYTAkNIMQ8wDQYDVQQKDAZUT0tFTjIxIjAgBgNVBAsMGUF1dGhlbnRpY2F0b3IgQXR0ZXN0YXRpb24xGjAYBgNVBAMMEW9mZmljZUB0b2tlbjIuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEC/l7QJNMxtrBu91XScVYjFlqTFza0N/9RRYWPItzgmppWvjUPwyCres27Lo3Waf7OVMdmc5ML5HB+eECnVWqg6OCASQwggEgMAkGA1UdEwQCMAAwHQYDVR0OBBYEFFCysnSFvKuvrSVyB3ToAQshmMpjMIG7BgNVHSMEgbMwgbChgaKkgZ8wgZwxCzAJBgNVBAYTAkNIMQ8wDQYDVQQIDAZHZW5ldmExEDAOBgNVBAcMB1ZlcnNvaXgxDzANBgNVBAoMBlRPS0VOMjEiMCAGA1UECwwZQXV0aGVudGljYXRvciBBdHRlc3RhdGlvbjETMBEGA1UEAwwKdG9rZW4yLmNvbTEgMB4GCSqGSIb3DQEJARYRb2ZmaWNlQHRva2VuMi5jb22CCQCv1vlqKeW5ejATBgsrBgEEAYLlHAIBAQQEAwIFIDAhBgsrBgEEAYLlHAEBBAQSBBCrMvDGIjmvu8Rw0u9OJU23MAoGCCqGSM49BAMCA0cAMEQCIGgzWHRCvlMLEPA+qAk+33KwVVyvTKnBxC7jESc0vSV1AiBXPi/VVvaIiDh0vtnBmMSP1WCUGHhY7RReYNm9cbe8swAAAEYwRAIgfxtWfDli/pqS0/DqyaXvLn5C4BNRXoHx1ofpU4WZqfICIEzUSXKUI4/DezfU9MtW3t5ua5fhgL7EoMdaXBRGmNnLAAAA5ljk4wYQ6KFiEVlg/h7CI+ZSnJ9LboAgDcteXDIcivHisb9FAAADIasy8MYiOa+7xHDS704lTbcAYCnb4hHUYvEK9Dp4gjgJer+Wtcj0GglGtd5ubraTzUc19amoIyg/+/lNKrntsFSalESwu7fNNRPjWldzr2zyueB9MyJZDXkOrkP1iK/B836pudmGcJq6vfV1Da2Bieks16UBAgMmIAEhWCAe32mzSUWbouK4KOykaK3dGczNTUoTqBjengeoL6DhyCJYIIogmo+NOwfBZgF5xEORNffCk+4dA+preNaQE9mSv506AAAAAAAAAAA=")
            .expect("Failed to decode attestation");

        let challenge = STANDARD
            .decode("aAqBnywP0Vbv3SUgqmnMRQ==")
            .expect("Failed to decode attestation");

        // The device signature above is from a token 2 however we have an attestation policy
        // to only allow the yk5 fips.

        let mut att_ca_builder = AttestationCaListBuilder::new();
        att_ca_builder
            .insert_device_pem(
                YUBICO_U2F_ROOT_CA_SERIAL_457200631_PEM,
                uuid::uuid!("73bb0cd4-e502-49b8-9c6f-b59445bf720b"),
                "yk 5 fips".to_string(),
                Default::default(),
            )
            .expect("Failed to build att ca list");
        let att_ca_list: AttestationCaList = att_ca_builder.build();

        // Parse
        let att = verify_fido_sk_ssh_attestation(
            attest.as_slice(),
            challenge.as_slice(),
            &att_ca_list,
            false,
        );

        trace!("att full {:?}", att);

        assert!(matches!(
            att,
            Err(WebauthnError::AttestationChainNotTrusted(_))
        ));
    }
}