author vnugent <public@vaughnnugent.com>2023-03-19 16:39:03 -0400
committer vnugent <public@vaughnnugent.com>2023-03-19 16:39:03 -0400
commite8af88efdae6ff3ef4780627430f31dca9cc665b (patch)
treeafef9edb1c4345f7dc03eb6d1a3d88f7e62fae68
Initial commit
-rw-r--r--.gitattributes63
-rw-r--r--.gitignore367
-rw-r--r--LICENSE.txt346
-rw-r--r--README.md59
-rw-r--r--src/HardwareAuthenticator.cs281
-rw-r--r--src/IAuthenticator.cs40
-rw-r--r--src/PkiAuthenticator.csproj34
-rw-r--r--src/ProcessArguments.cs35
-rw-r--r--src/Program.cs203
-rw-r--r--src/SoftwareAuthenticator.cs254
-rw-r--r--src/Statics.cs378
11 files changed, 2060 insertions, 0 deletions
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..1ff0c42
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,63 @@
+###############################################################################
+# Set default behavior to automatically normalize line endings.
+###############################################################################
+* text=auto
+
+###############################################################################
+# Set default behavior for command prompt diff.
+#
+# This is need for earlier builds of msysgit that does not have it on by
+# default for csharp files.
+# Note: This is only used by command line
+###############################################################################
+#*.cs diff=csharp
+
+###############################################################################
+# Set the merge driver for project and solution files
+#
+# Merging from the command prompt will add diff markers to the files if there
+# are conflicts (Merging from VS is not affected by the settings below, in VS
+# the diff markers are never inserted). Diff markers may cause the following
+# file extensions to fail to load in VS. An alternative would be to treat
+# these files as binary and thus will always conflict and require user
+# intervention with every merge. To do so, just uncomment the entries below
+###############################################################################
+#*.sln merge=binary
+#*.csproj merge=binary
+#*.vbproj merge=binary
+#*.vcxproj merge=binary
+#*.vcproj merge=binary
+#*.dbproj merge=binary
+#*.fsproj merge=binary
+#*.lsproj merge=binary
+#*.wixproj merge=binary
+#*.modelproj merge=binary
+#*.sqlproj merge=binary
+#*.wwaproj merge=binary
+
+###############################################################################
+# behavior for image files
+#
+# image files are treated as binary by default.
+###############################################################################
+#*.jpg binary
+#*.png binary
+#*.gif binary
+
+###############################################################################
+# diff behavior for common document formats
+#
+# Convert binary document formats to text before diffing them. This feature
+# is only available from the command line. Turn it on by uncommenting the
+# entries below.
+###############################################################################
+#*.doc diff=astextplain
+#*.DOC diff=astextplain
+#*.docx diff=astextplain
+#*.DOCX diff=astextplain
+#*.dot diff=astextplain
+#*.DOT diff=astextplain
+#*.pdf diff=astextplain
+#*.PDF diff=astextplain
+#*.rtf diff=astextplain
+#*.RTF diff=astextplain
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ffb8274
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,367 @@
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+##
+## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
+
+# User-specific files
+*.rsuser
+*.suo
+*.user
+*.userosscache
+*.sln.docstates
+
+# User-specific files (MonoDevelop/Xamarin Studio)
+*.userprefs
+
+# Mono auto generated files
+mono_crash.*
+
+# Build results
+[Dd]ebug/
+[Dd]ebugPublic/
+[Rr]elease/
+[Rr]eleases/
+x64/
+x86/
+[Ww][Ii][Nn]32/
+[Aa][Rr][Mm]/
+[Aa][Rr][Mm]64/
+bld/
+[Bb]in/
+[Oo]bj/
+[Oo]ut/
+[Ll]og/
+[Ll]ogs/
+
+# Visual Studio 2015/2017 cache/options directory
+.vs/
+# Uncomment if you have tasks that create the project's static files in wwwroot
+#wwwroot/
+
+# Visual Studio 2017 auto generated files
+Generated\ Files/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+# NUnit
+*.VisualState.xml
+TestResult.xml
+nunit-*.xml
+
+# Build Results of an ATL Project
+[Dd]ebugPS/
+[Rr]eleasePS/
+dlldata.c
+
+# Benchmark Results
+BenchmarkDotNet.Artifacts/
+
+# .NET Core
+project.lock.json
+project.fragment.lock.json
+artifacts/
+
+# ASP.NET Scaffolding
+ScaffoldingReadMe.txt
+
+# StyleCop
+StyleCopReport.xml
+
+# Files built by Visual Studio
+*_i.c
+*_p.c
+*_h.h
+*.ilk
+*.meta
+*.obj
+*.iobj
+*.pch
+*.pdb
+*.ipdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*_wpftmp.csproj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.svclog
+*.scc
+
+# Chutzpah Test files
+_Chutzpah*
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opendb
+*.opensdf
+*.sdf
+*.cachefile
+*.VC.db
+*.VC.VC.opendb
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+*.sap
+
+# Visual Studio Trace Files
+*.e2e
+
+# TFS 2012 Local Workspace
+$tf/
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+*.DotSettings.user
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# AxoCover is a Code Coverage Tool
+.axoCover/*
+!.axoCover/settings.json
+
+# Coverlet is a free, cross platform Code Coverage Tool
+coverage*.json
+coverage*.xml
+coverage*.info
+
+# Visual Studio code coverage results
+*.coverage
+*.coveragexml
+
+# NCrunch
+_NCrunch_*
+.*crunch*.local.xml
+nCrunchTemp_*
+
+# MightyMoose
+*.mm.*
+AutoTest.Net/
+
+# Web workbench (sass)
+.sass-cache/
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.[Pp]ublish.xml
+*.azurePubxml
+# Note: Comment the next line if you want to checkin your web deploy settings,
+# but database connection strings (with potential passwords) will be unencrypted
+*.pubxml
+*.publishproj
+
+# Microsoft Azure Web App publish settings. Comment the next line if you want to
+# checkin your Azure Web App publish settings, but sensitive information contained
+# in these scripts will be unencrypted
+PublishScripts/
+
+# NuGet Packages
+*.nupkg
+# NuGet Symbol Packages
+*.snupkg
+# The packages folder can be ignored because of Package Restore
+**/[Pp]ackages/*
+# except build/, which is used as an MSBuild target.
+!**/[Pp]ackages/build/
+# Uncomment if necessary however generally it will be regenerated when needed
+#!**/[Pp]ackages/repositories.config
+# NuGet v3's project.json files produces more ignorable files
+*.nuget.props
+*.nuget.targets
+
+# Microsoft Azure Build Output
+csx/
+*.build.csdef
+
+# Microsoft Azure Emulator
+ecf/
+rcf/
+
+# Windows Store app package directories and files
+AppPackages/
+BundleArtifacts/
+Package.StoreAssociation.xml
+_pkginfo.txt
+*.appx
+*.appxbundle
+*.appxupload
+
+# Visual Studio cache files
+# files ending in .cache can be ignored
+*.[Cc]ache
+# but keep track of directories ending in .cache
+!?*.[Cc]ache/
+
+# Others
+ClientBin/
+~$*
+*~
+*.dbmdl
+*.dbproj.schemaview
+*.jfm
+*.pfx
+*.publishsettings
+orleans.codegen.cs
+
+# Including strong name files can present a security risk
+# (https://github.com/github/gitignore/pull/2483#issue-259490424)
+#*.snk
+
+# Since there are multiple workflows, uncomment next line to ignore bower_components
+# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
+#bower_components/
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file
+# to a newer Visual Studio version. Backup files are not needed,
+# because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+ServiceFabricBackup/
+*.rptproj.bak
+
+# SQL Server files
+*.mdf
+*.ldf
+*.ndf
+
+# Business Intelligence projects
+*.rdl.data
+*.bim.layout
+*.bim_*.settings
+*.rptproj.rsuser
+*- [Bb]ackup.rdl
+*- [Bb]ackup ([0-9]).rdl
+*- [Bb]ackup ([0-9][0-9]).rdl
+
+# Microsoft Fakes
+FakesAssemblies/
+
+# GhostDoc plugin setting file
+*.GhostDoc.xml
+
+# Node.js Tools for Visual Studio
+.ntvs_analysis.dat
+node_modules/
+
+# Visual Studio 6 build log
+*.plg
+
+# Visual Studio 6 workspace options file
+*.opt
+
+# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
+*.vbw
+
+# Visual Studio LightSwitch build output
+**/*.HTMLClient/GeneratedArtifacts
+**/*.DesktopClient/GeneratedArtifacts
+**/*.DesktopClient/ModelManifest.xml
+**/*.Server/GeneratedArtifacts
+**/*.Server/ModelManifest.xml
+_Pvt_Extensions
+
+# Paket dependency manager
+.paket/paket.exe
+paket-files/
+
+# FAKE - F# Make
+.fake/
+
+# CodeRush personal settings
+.cr/personal
+
+# Python Tools for Visual Studio (PTVS)
+__pycache__/
+*.pyc
+
+# Cake - Uncomment if you are using it
+# tools/**
+# !tools/packages.config
+
+# Tabs Studio
+*.tss
+
+# Telerik's JustMock configuration file
+*.jmconfig
+
+# BizTalk build output
+*.btp.cs
+*.btm.cs
+*.odx.cs
+*.xsd.cs
+
+# OpenCover UI analysis results
+OpenCover/
+
+# Azure Stream Analytics local run output
+ASALocalRun/
+
+# MSBuild Binary and Structured Log
+*.binlog
+
+# NVidia Nsight GPU debugger configuration file
+*.nvuser
+
+# MFractors (Xamarin productivity tool) working folder
+.mfractor/
+
+# Local History for Visual Studio
+.localhistory/
+
+# BeatPulse healthcheck temp database
+healthchecksdb
+
+# Backup folder for Package Reference Convert tool in Visual Studio 2017
+MigrationBackup/
+
+# Ionide (cross platform F# VS Code tools) working folder
+.ionide/
+
+# Fody - auto-generated XML schema
+FodyWeavers.xsd
+
+*.sln
+/src/bin
+/src/Properties
diff --git a/LICENSE.txt b/LICENSE.txt
new file mode 100644
index 0000000..2848520
--- /dev/null
+++ b/LICENSE.txt
@@ -0,0 +1,346 @@
+The software in this repository is licensed under the GNU GPL version 2.0 (or any later version).
+
+SPDX-License-Identifier: GPL-2.0-or-later
+
+License-Text:
+
+GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ VNLib.Hashing.Portable is a compact .NET managed cryptographic operation
+ utilities library.
+ Copyright (C) 2022 Vaughn Nugent
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) year name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ <signature of Ty Coon>, 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Lesser General
+Public License instead of this License. \ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..1276bf6
--- /dev/null
+++ b/README.md
@@ -0,0 +1,59 @@
+# PKIAuthenticator (aka vauth)
+
+*A command line tool for generating certificate-based, signed, One-Time-Passwords for web/service authentication, with YubiKey support by default*
+
+## What is Vauth?
+This repository contains code for a .NET/6.0 command-line tool used to generate certificate-backed One-Time-Passwords (OTP) for client authentication. This method is a single (1) factor authentication based on a username (usually an email address) stored in a JsonWebToken (JWT) claim, that will be submitted to a server's PKI endpoint to authenticate your client. Extremely simple and most secure methods by default is the design goal of this tool.
+
+### Hardware support
+This tool currently uses the Yubico core sdk for using PIV enabled YubiKey devices. Since certificate based authentication is required, your YubiKey device must be PIV enabled. This is the recommended way to generate OTPs (assuming you own a YubiKey). By default the 0x9A PIV is slot is used to sign OTPs, but you my override the slot number. (see `--help` for more info) If your slot is PIN protected, you will be prompted to enter it when required, but you my also specify it as an argument **not recommended**, or via an environment variable, to inline the authentication process. (see `--help` for more info)
+
+### Software support
+This tool also supports software certificates/keys with the `--software cert.pem --private-key priv.pem` flags. This tool does not generate certificates/keys, you must use a tool such as OpenSSL to generate your certificates. Your certificate private keys must be PEM encoded x509 format, and your private key must be stored in plain text PEM, or may be encrypted PEM format. If your private key file is encrypted, you must specify the `--password` argument, this will cause a prompt for your encryption password, the `--password` flag my be followed by your plaintext password **not recommended**, or set via an environment variable. (see `--help` for more info)
+
+## Usage
+### OTP generation (hardware)
+In hardware mode (default) by running `.\vauth.exe` will connect to the first *PIV enabled* YubiKey connected to your machine, and use it's 0x9A authentication slot to sign your newly created OTP credential. If you do not specify a username, the CN subject field is used as your `sub` field for the OTP (required for PKI authentication endpoints to know who you are). It also sets the required `keyid` field to the sha1 hash of the certificate stored in the 0x9A slot. (see `--help` for how to set a username). *Note:* the `keyid` field must match the public key id that was initially loaded under your username, otherwise the authentication will fail.
+
+### OTP generation (software)
+`--software cert.pem --private-key key.pem`
+
+In software mode, your x509 certificate file is loaded, along with your private key file (may be password protected). If valid, an OTP is generated and signed by your private key. Again, your certificate subject CN is used as your username if no `--username` flag is set.
+
+**Implementation notes**
+To make a common hardware/software abstraction, software mode only supports RSA 1024/2048, and Elliptic curves nistP256/nistP384 for signing. In RSA mode OTP use the RS256 standard of sha256 with PKS1 padding. In EC mode, uses ES256 when using nistP256, or ES384 when using nist384 curves.
+
+### Public Key Export
+`--export` (for JWK encoding)
+`--export pem` (for pem encoding)
+
+This tool only supports exporting your public key in JWK format or in PEM encoding, it does not export the entire certificate. When exporting your public key as a JWK, the kid is set to the certificate hash, and the custom `"serial":` field is set to the certificate's hex encoded serial number.
+
+### List devices (hardware Only)
+Lists all hardware implementation devices connected to your machine. Currently only supports YubiKey devices, which prints all devices detected by the Yubico SDK regardless of their PIV support.
+
+<hr>
+## Licensing
+This project is licensed to you under the GNU GPL V2+. See LICENSE.txt for more information
+
+## Builds
+Linux-x64, win-x64 and osx-x64 are builds are available for download on my [website](https://www.vaughnnugent.com/resources/software). Build packages will be tar +gzipped (except for nuget packages).
+
+*All downloads will contain a sha384 hash of the file by adding a .sha384 to the desired file download, eg: debug.tgz.sha384*
+*PGP signed downloads will be available eventually*
+
+- Project source code (src.tgz)
+- Nuget package (where applicable), debug w/ symbols & source + release (pkg/buildType/projName.version.nupkg)
+- Debug build w/ symbols & xml docs (debug.tgz)
+- Release build (release.tgz)
+
+## From source
+This project uses internal and external project dependencies, all via NuGet. **However,** the internal libraries are only available from my public NuGet feeds for now. You may find the debug and release feeds from my [website](https://www.vaughnnugent.com/resources/software/modules). You will only need to add those feeds (you should consider adding it anyway :smiley:)
+
+Tools, you will need the .NET >= 6.0 sdk installed, msbuild/dotnet build tool, along with NuGet package manager installed.
+
+1. Git clone
+2. Add my NuGet feed from my [website](https://www.vaughnnugent.com/resources/software/modules)
+3. dotnet build
+
+If you do not wish to use the NuGet feeds, you may download the assemblies from my website, and reference the assemblies, in the project file instead of their NuGet packages references. The .tar archives include all of the required dependencies. \ No newline at end of file
diff --git a/src/HardwareAuthenticator.cs b/src/HardwareAuthenticator.cs
new file mode 100644
index 0000000..1f0f0b2
--- /dev/null
+++ b/src/HardwareAuthenticator.cs
@@ -0,0 +1,281 @@
+using System;
+using System.Linq;
+using System.Text;
+using System.Buffers;
+using System.Formats.Asn1;
+using System.Globalization;
+using System.Collections.Generic;
+using System.Security.Cryptography.X509Certificates;
+
+using Yubico.YubiKey;
+using Yubico.YubiKey.Piv;
+
+using VNLib.Utils;
+using VNLib.Utils.Logging;
+using VNLib.Utils.Extensions;
+using VNLib.Hashing;
+using VNLib.Hashing.IdentityUtility;
+
+using static PkiAuthenticator.Statics;
+
+namespace PkiAuthenticator
+{
+ /// <summary>
+ /// Implements a hardware backed authenticator device using YubiKey's
+ /// </summary>
+ public sealed class HardwareAuthenticator : VnDisposeable, IAuthenticator
+ {
+
+ /*
+ * Determines the piv slot the user may manually select
+ * the slot nuber (in hex) or the default
+ * Authentication slot
+ */
+
+ private static byte PivSlot
+ {
+ get
+ {
+ //Check for slot cli flag
+ string? slotArg = CliArgs.GetArg("--piv-slot");
+ //Try hase from hex, otherwise default to the authentication slot
+ return byte.TryParse(slotArg, NumberStyles.HexNumber, null, out byte slotNum) ? slotNum : Yubico.YubiKey.Piv.PivSlot.Authentication;
+ }
+ }
+
+ private PivSession? _session;
+
+ ///<inheritdoc/>
+ public PivAlgorithm KeyAlgorithm { get; private set; }
+
+ public int RequiredBufferSize { get; }
+
+ ///<inheritdoc/>
+ public bool Initialize()
+ {
+ IYubiKeyDevice? device;
+
+ //User may select the serial of the specific key to use
+ if (CliArgs.HasArg("--key") && int.TryParse(CliArgs.GetArg("--key"), out int serial))
+ {
+ Log.Debug("Loading device {d}", serial);
+
+ //Get device by serial number
+ device = YubiKeyDevice.FindAll()
+ .Where(d => d.SerialNumber == serial && d.HasFeature(YubiKeyFeature.PivApplication))
+ .FirstOrDefault();
+ }
+ else
+ {
+ Log.Debug("Connecting to first discovered PIV supported yubikey");
+
+ //Get first piv device
+ device = YubiKeyDevice.FindAll()
+ .Where(static d => d.HasFeature(YubiKeyFeature.PivApplication))
+ .FirstOrDefault();
+ }
+
+ if (device == null)
+ {
+ return false;
+ }
+ try
+ {
+ //Init PIV session
+ _session = new(device)
+ {
+ KeyCollector = GetUserPinInput
+ };
+
+ Log.Debug("Connected to device {id}", device.SerialNumber!);
+
+ //Store the key algorithm
+ KeyAlgorithm = _session.GetMetadata(PivSlot).Algorithm;
+
+ return true;
+ }
+ catch (Exception ex)
+ {
+ if (Log.IsEnabled(LogLevel.Debug))
+ {
+ Log.Error(ex);
+ }
+ else
+ {
+ Log.Error("Failed to initialize your hardware authenticator. Reason {r}", ex.Message);
+ }
+
+ return false;
+ }
+ }
+
+ ///<inheritdoc/>
+ public int ListDevices()
+ {
+ Log.Debug("Discovering hardware devices...");
+
+ IEnumerable<IYubiKeyDevice> devices = YubiKeyDevice.FindAll();
+
+ string[] devIds = devices
+ .Select(d => $"Serial: {d.SerialNumber}, Firmware {d.FirmwareVersion}, Formfactor: {d.FormFactor}, PIV support?: {d.HasFeature(YubiKeyFeature.PivApplication)}")
+ .ToArray();
+
+ Log.Information("Found devices\n {dev}", devIds);
+
+ return 0;
+ }
+
+ ///<inheritdoc/>
+ public X509Certificate2 GetCertificate() =>
+ _session?.GetCertificate(PivSlot)
+ ?? throw new InvalidOperationException("The PIV session has not been successfully initialized");
+
+ protected override void Free()
+ {
+ _session?.Dispose();
+ }
+
+ static bool GetUserPinInput(KeyEntryData keyData)
+ {
+ //Method may be called more than once during pin operation, we only need to prompt for pins
+ if (keyData.Request != KeyEntryRequest.VerifyPivPin)
+ {
+ return false;
+ }
+
+ string? input;
+
+ //Check if the user issued the pin as cli arg
+ if (CliArgs.HasArg("--pin"))
+ {
+ //No retires allowed during cli, we dont want the device to lock out
+ if (keyData.IsRetry)
+ {
+ return false;
+ }
+
+ input = CliArgs.GetArg("--pin");
+ }
+ //Check for environment variable
+ else if (Environment.GetEnvironmentVariable(Program.YUBIKEY_PIN_ENV_VAR_NAME) != null)
+ {
+ //No retires allowed during env, we dont want the device to lock out
+ if (keyData.IsRetry)
+ {
+ return false;
+ }
+ input = Environment.GetEnvironmentVariable(Program.YUBIKEY_PIN_ENV_VAR_NAME);
+ }
+ //If the silent flag is set, a pin cli or env must be set, since we cannot write to STDOUT
+ else if (CliArgs.Silent)
+ {
+ return false;
+ }
+ else
+ {
+ Log.Information("Please enter your device pin, you have {t} attempts remaining, press enter to cancel", keyData.RetriesRemaining);
+
+ input = Console.ReadLine();
+ }
+
+ if (string.IsNullOrWhiteSpace(input))
+ {
+ return false;
+ }
+
+ byte[] pinData = Encoding.UTF8.GetBytes(input);
+
+ //Submit pin
+ keyData.SubmitValue(pinData);
+ return true;
+ }
+
+ private static ERRNO ConvertFromBer(Span<byte> berData)
+ {
+ static ReadOnlySpan<byte> GetSequence(ReadOnlySpan<byte> bytes)
+ {
+ //Parse the initial sequence
+ AsnDecoder.ReadSequence(bytes, AsnEncodingRules.DER, out int seqStart, out int seqLen, out _, Asn1Tag.Sequence);
+
+ //Return the discovered sequence
+ return bytes.Slice(seqStart, seqLen);
+ }
+
+ //Read the initial sequence
+ ReadOnlySpan<byte> seq = GetSequence(berData);
+
+ //Reat the r integer value first
+ ReadOnlySpan<byte> r = AsnDecoder.ReadIntegerBytes(seq, AsnEncodingRules.DER, out int read);
+
+ //Get s after r
+ ReadOnlySpan<byte> s = AsnDecoder.ReadIntegerBytes(seq[read..], AsnEncodingRules.DER, out _);
+
+ int rlen = 0, slen = 0;
+
+ //trim leading whitespace
+ while (r[0] == 0x00)
+ {
+ r = r[1..];
+ }
+ while (s[0] == 0x00)
+ {
+ s = s[1..];
+ }
+
+ rlen = r.Length;
+ slen = s.Length;
+
+ //Concat buffer must be 2* the size of the largest value, so we can add padding
+ Span<byte> concatBuffer = stackalloc byte[Math.Max(rlen, slen) * 2];
+
+ if (rlen > slen)
+ {
+ //Write r first
+ r.CopyTo(concatBuffer);
+
+ //Write s to the end of the buffer, zero padding exists from stackalloc
+ s.CopyTo(concatBuffer[rlen..][(rlen - slen)..]);
+
+ Console.WriteLine("r larger");
+ }
+ else if (rlen < slen)
+ {
+ //offset the begining of the buffer for leading r padding
+ r.CopyTo(concatBuffer[(slen - rlen)..]);
+
+ //Write s to the end of the buffer, zero padding exists from stackalloc
+ s.CopyTo(concatBuffer[slen..]);
+
+ Console.WriteLine("s larger");
+ }
+ else
+ {
+ r.CopyTo(concatBuffer);
+
+ s.CopyTo(concatBuffer[rlen..]);
+ }
+
+ //Write back to output buffer
+ concatBuffer.CopyTo(berData);
+
+ //Return number written
+ return concatBuffer.Length;
+ }
+
+ public ERRNO ComputeSignatureFromHash(ReadOnlySpan<byte> hash, Span<byte> outputBuffer)
+ {
+ Log.Debug("Signing authentication data using YubiKey...");
+
+ //Get the current jwt state as a binary buffer
+ byte[] signature = _session!.Sign(PivSlot, hash.ToArray());
+
+ //Covert from BER encoding to IEEE fixed/concat signature data for jwt
+ ERRNO count = ConvertFromBer(signature);
+
+ //Copy to output buffer
+ signature[..(int)count].CopyTo(outputBuffer);
+
+ return count;
+ }
+ }
+}
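Review bot: `ConvertFromBer` prints `"r larger"` / `"s larger"` to STDOUT on every ECDSA signature (the two `Console.WriteLine` calls), and that text lands in the token stream when a user runs `vauth.exe -s > token.txt` as the help text suggests; both lines should be deleted or routed through `Log.Debug`. The concat buffer is also sized to `Math.Max(rlen, slen) * 2` after the leading zeros are stripped, so whenever both r and s happen to be shorter than the curve's coordinate width the IEEE P1363 output is shorter than a verifier expects; size each half to the fixed coordinate length for the slot's algorithm instead, and guard the `while (r[0] == 0x00)` loops against an empty span. `RequiredBufferSize` on this class is a get-only auto-property that is never assigned, so it always reports 0 — if the JWT signing path uses it to size `outputBuffer`, hardware signing presumably cannot succeed, and it should mirror the `switch` in `SoftwareAuthenticator`. The PIN bytes in `GetUserPinInput` (`pinData`) are never cleared after `SubmitValue`; consider `CryptographicOperations.ZeroMemory(pinData)` once the SDK has taken its copy.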
diff --git a/src/IAuthenticator.cs b/src/IAuthenticator.cs
new file mode 100644
index 0000000..440a69f
--- /dev/null
+++ b/src/IAuthenticator.cs
@@ -0,0 +1,40 @@
+
+using System;
+using System.Security.Cryptography.X509Certificates;
+
+using Yubico.YubiKey.Piv;
+
+using VNLib.Hashing.IdentityUtility;
+
+namespace PkiAuthenticator
+{
+ /// <summary>
+ /// Represents an authenticaion device, backed by hardware or software keys.
+ /// </summary>
+ public interface IAuthenticator : IJwtSignatureProvider, IDisposable
+ {
+ /// <summary>
+ /// The signature algorithm the devices/keys support.
+ /// </summary>
+ PivAlgorithm KeyAlgorithm { get; }
+
+ /// <summary>
+ /// Gets the public/key certificate for the authenticator
+ /// </summary>
+ /// <returns>The certificate</returns>
+ X509Certificate2 GetCertificate();
+
+ /// <summary>
+ /// Initialies the authenticator's assets required for performing
+ /// authentication functions.
+ /// </summary>
+ /// <returns>True if the authenticator was successfully initialized.</returns>
+ bool Initialize();
+
+ /// <summary>
+ /// Writes the internal devices to the log output
+ /// </summary>
+ /// <returns>The exit code for the process, 0 if successful, non-zero if the operation failed</returns>
+ int ListDevices();
+ }
+} \ No newline at end of file
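Review bot: The `GetCertificate()` summary does not say who owns the returned `X509Certificate2`; `SoftwareAuthenticator` builds a fresh instance from `_certFileData` on every call, so callers must dispose it, and the hardware path returns whatever `PivSession.GetCertificate` hands back. Suggest `/// <returns>A new certificate instance; the caller is responsible for disposing it.</returns>` and a sentence on `KeyAlgorithm` saying its value is only meaningful after `Initialize()` has returned true. The summaries also carry typos: `authenticaion` → `authentication`, `Initialies` → `Initializes`, `public/key certificate` → `public key certificate`.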
diff --git a/src/PkiAuthenticator.csproj b/src/PkiAuthenticator.csproj
new file mode 100644
index 0000000..ad0c21d
--- /dev/null
+++ b/src/PkiAuthenticator.csproj
@@ -0,0 +1,34 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+ <PropertyGroup>
+ <OutputType>Exe</OutputType>
+ <TargetFramework>net6.0</TargetFramework>
+ <AssemblyName>vauth</AssemblyName>
+ <Nullable>enable</Nullable>
+ <RootNamespace>PkiAuthenticator</RootNamespace>
+ <ProduceReferenceAssembly>True</ProduceReferenceAssembly>
+ <GenerateDocumentationFile>True</GenerateDocumentationFile>
+ </PropertyGroup>
+
+ <PropertyGroup>
+ <PackageId>PkiAuthenticator</PackageId>
+ <Authors>Vaughn Nugent</Authors>
+ <Company>Vaughn Nugent</Company>
+ <Product>PkiAuthenticator aka vauth</Product>
+ <Description>
+ A command line tool for generating certificate-based, signed, One-Time-Passwords for web/service authentication, with YubiKey support by default.
+ </Description>
+ <Copyright>Copyright © 2023 Vaughn Nugent</Copyright>
+ <PackageProjectUrl>https://www.vaughnnugent.com/resources/software/modules/vauth</PackageProjectUrl>
+ <RepositoryUrl>https://github.com/VnUgE/</RepositoryUrl>
+ </PropertyGroup>
+
+ <ItemGroup>
+ <PackageReference Include="Serilog" Version="2.12.0" />
+ <PackageReference Include="Serilog.Sinks.Console" Version="4.1.0" />
+ <PackageReference Include="VNLib.Hashing.Portable" Version="0.1.0-ci0030" />
+ <PackageReference Include="VNLib.Utils" Version="0.1.0-ci0030" />
+ <PackageReference Include="Yubico.YubiKey" Version="1.6.1" />
+ </ItemGroup>
+
+</Project>
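Review bot: The two `VNLib.*` references are prerelease builds (`0.1.0-ci0030`) that the README says come from a personal NuGet feed, but nothing pins what restore actually resolves — `ci` versions on a custom feed can be republished, and a package with the same id on a second configured source could shadow them on a developer machine. Add `<RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>` to the first `PropertyGroup` and commit the generated `packages.lock.json`, and consider a `nuget.config` with package source mapping so `VNLib.*` is only ever restored from the intended feed. The `Yubico.YubiKey` pin (`1.6.1`) is fine as a pin, but since PIV session and PIN handling live in that package it is worth a comment noting it should be bumped deliberately rather than floated.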
diff --git a/src/ProcessArguments.cs b/src/ProcessArguments.cs
new file mode 100644
index 0000000..df683e5
--- /dev/null
+++ b/src/ProcessArguments.cs
@@ -0,0 +1,35 @@
+using System;
+using System.Linq;
+using System.Collections.Generic;
+
+namespace PkiAuthenticator
+{
+ internal class ProcessArguments
+ {
+ private readonly List<string> _args;
+
+ public ProcessArguments(string[] args) => _args = args.ToList();
+
+ public bool HasArg(string arg) => _args.Contains(arg, StringComparer.OrdinalIgnoreCase);
+
+ public bool Verbose => HasArg("-v") || HasArg("--verbose");
+ public bool Debug => HasArg("-d") || HasArg("--debug");
+ public bool Silent => HasArg("-s") || HasArg("--silent");
+ public bool RpMalloc => HasArg("--rpmalloc");
+ public bool DoubleVerbose => Verbose && HasArg("-vv");
+
+ public bool LogHttp => HasArg("--log-http");
+
+ /// <summary>
+ /// Gets the value following the specified argument, or
+ /// null no value follows the specified argument
+ /// </summary>
+ /// <param name="arg"></param>
+ /// <returns></returns>
+ public string? GetArg(string arg)
+ {
+ int index = _args.IndexOf(arg);
+ return index == -1 || index + 1 >= _args.Count ? null : _args[index + 1];
+ }
+ }
+}
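Review bot: `GetArg` at `_args.IndexOf(arg)` uses case-sensitive default equality while `HasArg` matches with `StringComparer.OrdinalIgnoreCase`; a user who types `--Software cert.pem` passes the `HasArg("--software")` check in `Program.Main` but then gets `null` from `GetArg`, so the error blames a missing path. Make the lookup consistent: `int index = _args.FindIndex(a => string.Equals(a, arg, StringComparison.OrdinalIgnoreCase));`. `GetArg` also returns the following token even when it is another flag, so `--password --software cert.pem` silently uses `"--software"` as the password; treating a following token that starts with `--` as a missing value would let the caller fall back to the prompt or env var as intended. Note that `Environment.GetCommandLineArgs()` (what `Statics.CliArgs` is built from) includes the executable path at index 0, which is harmless here but deserves a comment on the constructor.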
diff --git a/src/Program.cs b/src/Program.cs
new file mode 100644
index 0000000..230f950
--- /dev/null
+++ b/src/Program.cs
@@ -0,0 +1,203 @@
+using System;
+
+using VNLib.Utils.Logging;
+
+using static PkiAuthenticator.Statics;
+
+namespace PkiAuthenticator
+{
+ internal class Program
+ {
+ public const string JWK_EXPORT_TEMPLATE = "You may copy your JWK public key\n\n{pk}\n";
+ public const string TOKEN_PRINT_TEMPLATE = "You may copy your authentication token \n\n{tk}\n";
+ public const string YUBIKEY_PIN_ENV_VAR_NAME = "YUBIKEY_PIN";
+ public const string SOFTWARE_PASSWORD_VAR_NAME = "CERT_PASSWORD";
+ public const string PEM_EXPORT_TEMPLATE = "You may copy your public key\n\n{cert}\n";
+
+ const string HELP_MESSAGE =
+@$" VAuth Copyright (c) Vaughn Nugent
+ Usage: vauth.exe <args>
+
+ No args: Connects to the first PIV enabled YubiKey and requests slot 0x9a
+ sign a new authentication message for the default usename (cert CN),
+ prompts the user for a pin (if enabled on device) and prints the
+ signed JWT authentication token to STDOUT.
+
+ Command flags:
+
+ none/default Genereates a signed OTP (one time password) Json Web Token
+ for authentication.
+
+ -e, --export <pem> Writes the public key to the screen as a JWK, or optionally
+ PEM encoded by using the 'pem' keyword following -e.
+
+ --list-devices Lists the device information of all connected YubiKey devices.
+ (Ignores the --key flag)
+
+ -h, --help Prints this help message.
+
+ Global flags:
+
+ -u, --user <uid> The user-id (or email address) to specify during for
+ authenticating. If not specified, uses the certificates CN
+ subject value.
+
+ --software <cert file> Runs the process using a software authenticator instead of
+ a YubiKey hardware authenticator. The cert file must be a
+ a valid x509 certificate with the public key. You must also
+ set the private key file path.
+
+ --private-key <file> The path to the private key file, may be password protected.
+ This flag is only required in software mode.
+
+ --password <password?> The password string (utf8 decoded) used to decrypt the PEM
+ private key file. WARNING! You should avoid using this flag
+ unless you have cli history disabled, otherwise your password
+ may be recovered from your history file. This allows you to
+ automate the authentication process. NOTE: consider setting the
+ {SOFTWARE_PASSWORD_VAR_NAME} environment variable before starting the
+ process instead.
+
+ --key <serial> Allows you to specify the serial number (int32) of the exact
+ YubiKey to connect to if multiple keys are connected. (PIV must
+ be enabled on the device)
+
+ --pin <device pin> Allows you to specify your device's pin as an argument.
+ WARNING! You should avoid using this flag unless you have cli
+ history disabled, otherwise your pin may be recovered from your
+ history file. This allows you to automate the authentication
+ process. NOTE: consider setting the {YUBIKEY_PIN_ENV_VAR_NAME} environment
+ variable before starting the process instead.
+
+ --piv-slot <slot> The hexadecimal YubiKey PIV slot number override to use, defaults
+ to authentication (9a) slot.
+
+ -s, --silent Silences logs, only operation output is written to STDOUT. For pin-
+ required operations, a --pin flag must be set, or set the {YUBIKEY_PIN_ENV_VAR_NAME}
+ env variable. If an op error occurs, an exit code is returned.
+
+ -v, --verbose Enables verbose logging to be writtento STDOUT, is overridden
+ by silent mode, and will override -d debug mode.
+
+ -d, --debug Enables debug logging to be written to STDOUT, is overridden by
+ silent mode.
+
+ Environment Variables
+ {SOFTWARE_PASSWORD_VAR_NAME} The password used to decrypt the PEM encoded private key file in software mode
+
+ {YUBIKEY_PIN_ENV_VAR_NAME} Your secret pin used for protected yubikey operations
+
+
+ This tool was created to quickly generate short lived One-Time-Passwords (OTP) or signed
+ authentication tokens (JWT) for authenticating aginst PKI endpoints, using your YubiKey's
+ authentication slot (0x9a). You may use this tool to automate a login process by using the
+ -s flag and specifying a pin with --pin (not recommended!), or setting the {YUBIKEY_PIN_ENV_VAR_NAME}
+ environment variable.
+
+ A software, x509 certificate file backed, mode is also supported by using the --software flag.
+ The certificate file must be a PEM encoded certificate. You must also specify a PEM encoded private
+ key file using the --private-key flag. This file may be encrypted, and you must specify a --password
+ flag. You may wait for a prompt, set the {SOFTWARE_PASSWORD_VAR_NAME} environment variable, or write it after
+ the --password argument: '--password my_unsecure_password'.
+
+ Examples:
+
+ OTP:
+ vauth.exe # default cert CN usename
+ vauth.exe -u 'name@example.com' # specify username
+ vauth.exe --key 1111111 # specify hardware key serial numer
+ vauth.exe -s > token.txt # write token to a text file
+ vauth.exe --piv-slot 9C # specify a differnt PIV slot on the yubikey (in hex)
+
+ #software mode
+ vauth.exe --software 'cert.pem' --private-key 'priv.pem'
+ vauth.exe --software 'cert.pem' --private-ke 'priv.pem' --password 'mypassword'
+
+ Export public key:
+ vauth.exe --export # for JWK output
+ vauth.exe --export pem # for pem encoding
+
+ #software
+ vauth.exe --software cert.pem --export pem
+
+ List devices:
+ vauth.exe --list-devices # only supported in hardware mode
+";
+
+ static int Main(string[] args)
+ {
+ if (CliArgs.HasArg("-h") || CliArgs.HasArg("--help"))
+ {
+ Console.WriteLine(HELP_MESSAGE);
+ return 0;
+ }
+
+ Log.Information("vauth (c) 2023 Vaughn Nugent");
+
+ int exitCode = 1;
+ try
+ {
+ //Get software or hardware authenticator
+ using IAuthenticator authenticator = CliArgs.HasArg("--software") ? new SoftwareAuthenticator() : new HardwareAuthenticator();
+
+ //initialze the authenticator
+ if (authenticator.Initialize())
+ {
+ //Only continue if authenticator successfully initialized
+ if (CliArgs.HasArg("--list-devices"))
+ {
+ //List devices flag
+ exitCode = authenticator.ListDevices();
+ }
+ else if (CliArgs.HasArg("-e") || CliArgs.HasArg("--export"))
+ {
+ //Check for pem encoding flag
+ if (CliArgs.HasArg("pem"))
+ {
+ string pem = authenticator.ExportPem();
+ Log.Information(PEM_EXPORT_TEMPLATE, pem);
+ exitCode = 0;
+ }
+ else
+ {
+ //Print jwk
+ string? pupKey = authenticator.ExportJwk();
+
+ //May be null if the alg is not supported
+ if (pupKey == null)
+ {
+ Log.Error("The certificate does not use a supported algorithm");
+ }
+ else
+ {
+ //Print
+ Log.Information(JWK_EXPORT_TEMPLATE, pupKey);
+ exitCode = 0;
+ }
+ }
+ }
+ else
+ {
+ //Authenticate
+ exitCode = authenticator.GenerateOtp();
+ }
+ }
+ }
+ catch(Exception ex)
+ {
+ if (Log.IsEnabled(LogLevel.Debug))
+ {
+ Log.Error(ex);
+ }
+ else
+ {
+ Log.Error("Operation failed. Reason: {ex}", ex.Message);
+ }
+ }
+
+ Log.Information("Exiting...");
+
+ return exitCode;
+ }
+ }
+} \ No newline at end of file
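Review bot: The software-mode example `vauth.exe --software 'cert.pem' --private-ke 'priv.pem' --password 'mypassword'` in `HELP_MESSAGE` misspells the flag, so a user copying it gets the "You must specify a private key pem file" error from `SoftwareAuthenticator.Initialize`; it should read `--private-key`. The `--pin` and `--password` warnings only mention shell history, but on a shared host the command line is also visible to other users through the process table for as long as the tool runs, which is the stronger reason to prefer the environment variables; one added clause such as `and is visible to other users in the process list while vauth runs` would cover it. The `CliArgs.HasArg("pem")` check under `--export` matches the keyword anywhere on the command line, including as a username or a path segment, and is worth tightening to the token that follows `-e`/`--export`.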
diff --git a/src/SoftwareAuthenticator.cs b/src/SoftwareAuthenticator.cs
new file mode 100644
index 0000000..0972373
--- /dev/null
+++ b/src/SoftwareAuthenticator.cs
@@ -0,0 +1,254 @@
+using System;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+
+using VNLib.Hashing;
+using VNLib.Utils;
+using VNLib.Utils.IO;
+using VNLib.Utils.Logging;
+using VNLib.Utils.Memory;
+
+using Yubico.YubiKey.Piv;
+
+using static PkiAuthenticator.Statics;
+
+namespace PkiAuthenticator
+{
+ /// <summary>
+ /// Provies a certificate/private key software based authenticator
+ /// </summary>
+ public sealed class SoftwareAuthenticator : VnDisposeable, IAuthenticator
+ {
+ private X509Certificate2? _certFile;
+ private byte[]? _certFileData;
+
+ ///<inheritdoc/>
+ public PivAlgorithm KeyAlgorithm { get; private set; }
+ public int RequiredBufferSize
+ {
+ get
+ {
+ return KeyAlgorithm switch
+ {
+ PivAlgorithm.Rsa1024 => 128,
+ PivAlgorithm.Rsa2048 => 256,
+ PivAlgorithm.EccP256 => 128,
+ PivAlgorithm.EccP384 => 256,
+ _ => 128,
+ };
+ }
+ }
+
+ ///<inheritdoc/>
+ public bool Initialize()
+ {
+ //try to import the certificate file
+ string? cerFilePath = CliArgs.GetArg("--software");
+ if(cerFilePath == null)
+ {
+ Log.Error("You must specify a file path following the --software flag");
+ return false;
+ }
+
+ //Check if the file exists
+ if (!FileOperations.FileExists(cerFilePath))
+ {
+ Log.Error("The certificate file does not exist");
+ return false;
+ }
+
+ string? privateKeyFile = CliArgs.GetArg("--private-key");
+
+ if(privateKeyFile == null)
+ {
+ Log.Error("You must specify a private key pem file using the --private-key 'priv.pem' flag");
+ return false;
+ }
+
+ //Confirm private key file exists
+ if(!FileOperations.FileExists(privateKeyFile))
+ {
+ Log.Error("The private key file does not exist");
+ return false;
+ }
+
+ ReadOnlySpan<char> password = null;
+
+ //See if password is required
+ if (CliArgs.HasArg("--password"))
+ {
+ //encryption is required, get from arg, or from env var
+ string? pass = CliArgs.GetArg("--password") ?? Environment.GetEnvironmentVariable(Program.SOFTWARE_PASSWORD_VAR_NAME);
+
+ if (pass == null)
+ {
+ //if silent, we cant read the key, so we need to bail;
+ if (CliArgs.Silent)
+ {
+ return false;
+ }
+
+ //Read key from stdin
+ Log.Information("Please enter your private key password");
+ pass = Console.ReadLine();
+ }
+
+ password = pass;
+ }
+
+ //file is a pem certificate
+ try
+ {
+ //file is encrypted
+ if (password.IsEmpty)
+ {
+ Log.Debug("Importing raw pem/private key x509 certificate file");
+
+ //Non encrypted
+ _certFile = X509Certificate2.CreateFromPemFile(cerFilePath, privateKeyFile);
+ }
+ else
+ {
+ Log.Debug("Importing encyrpted pem/private key x509 certificate file");
+
+ //load and decrypt
+ _certFile = X509Certificate2.CreateFromEncryptedPemFile(cerFilePath, password, privateKeyFile);
+ }
+
+ //Get the raw file data
+ _certFileData = _certFile.GetRawCertData();
+
+ //Try get rsa key, just get pubkey to discover alg info
+ using(RSA? alg = _certFile.GetRSAPublicKey())
+ {
+ if (alg != null)
+ {
+ switch (alg.KeySize)
+ {
+ case 1024:
+ KeyAlgorithm = PivAlgorithm.Rsa1024;
+ break;
+ case 2048:
+ KeyAlgorithm = PivAlgorithm.Rsa2048;
+ break;
+ default:
+ Log.Error("The certificate uses an unspported keyalgorithm");
+ return false;
+ }
+ }
+ }
+
+ //Try get ecdsa alg
+ using(ECDsa? alg = _certFile.GetECDsaPublicKey())
+ {
+ if (alg != null)
+ {
+ switch (alg.KeySize)
+ {
+ case 256:
+ KeyAlgorithm = PivAlgorithm.EccP256;
+ break;
+ case 384:
+ KeyAlgorithm = PivAlgorithm.EccP384;
+ break;
+ default:
+ Log.Error("The certificate uses an unspported keyalgorithm");
+ return false;
+ }
+ }
+ }
+
+ return true;
+ }
+ catch(Exception ex)
+ {
+ //Write the entire stack trace to the log if in debug mode
+ if (Log.IsEnabled(LogLevel.Debug))
+ {
+ Log.Error(ex);
+ }
+ else
+ {
+ Log.Error("Failed to import the certificate file, reason {r}", ex.Message);
+ }
+ }
+
+ return false;
+ }
+
+ ///<inheritdoc/>
+ public X509Certificate2 GetCertificate()
+ {
+ Check();
+ return new(_certFileData);
+ }
+
+ ///<inheritdoc/>
+ public int ListDevices()
+ {
+ Log.Error("List devices is not supported in software mode");
+ return -1;
+ }
+
+ protected override void Free()
+ {
+ //Dispose cert file
+ _certFile?.Dispose();
+
+ //Zero the cert file data buffer
+ MemoryUtil.InitializeBlock(_certFileData.AsSpan());
+ }
+
+ HashAlgorithmName GetAlgName()
+ {
+ return KeyAlgorithm switch
+ {
+ PivAlgorithm.Rsa1024 => HashAlgorithmName.SHA256,//PS256
+ PivAlgorithm.Rsa2048 => HashAlgorithmName.SHA256,//PS256
+ PivAlgorithm.EccP256 => HashAlgorithmName.SHA256,//ES256
+ PivAlgorithm.EccP384 => HashAlgorithmName.SHA384,//ES384
+ _ => throw new NotSupportedException("Hash algorithim is not supported by this key"),
+ };
+ }
+
+ ///<inheritdoc/>
+ public ERRNO ComputeSignatureFromHash(ReadOnlySpan<byte> hash, Span<byte> outputBuffer)
+ {
+ Check();
+
+ switch (KeyAlgorithm)
+ {
+ case PivAlgorithm.Rsa1024:
+ case PivAlgorithm.Rsa2048:
+ {
+ //Try load private keys from cert
+ using RSA rsa = _certFile.GetRSAPrivateKey()!;
+
+ //Signs the data using sha256
+ if (!rsa.TrySignHash(hash, outputBuffer, GetAlgName(), RSASignaturePadding.Pkcs1, out int written))
+ {
+ throw new InternalBufferTooSmallException("");
+ }
+
+ return written;
+ }
+ break;
+ case PivAlgorithm.EccP256:
+ case PivAlgorithm.EccP384:
+ {
+ using ECDsa ecc = _certFile.GetECDsaPrivateKey()!;
+
+ //Sign the digest
+ if (!ecc!.TrySignHash(hash, outputBuffer, DSASignatureFormat.IeeeP1363FixedFieldConcatenation, out int written))
+ {
+ throw new InternalBufferTooSmallException("");
+ }
+ return written;
+ }
+ //This case should never be hit
+ default:
+ throw new CryptographicException("Cannot sign data, the algorithm is unsupported");
+ }
+ }
+ }
+}
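Review bot: `Initialize` returns `true` at the end of the `try` block even when neither `GetRSAPublicKey()` nor `GetECDsaPublicKey()` produced a key, so a certificate with an unsupported key type leaves `KeyAlgorithm` at its default and the failure only surfaces later as the `"Cannot sign data"` `CryptographicException` that the comment says should never be hit; add `if (KeyAlgorithm == default) { Log.Error("The certificate uses an unsupported key algorithm"); return false; }` before the `return true`. The password prompt uses `Console.ReadLine()`, which echoes the password to the terminal; reading with `Console.ReadKey(intercept: true)` in a loop (the YubiKey PIN prompt in `HardwareAuthenticator` has the same issue) keeps it off screen, and the resulting `string pass` cannot be zeroed afterwards, which deserves a comment. The `GetAlgName` comments label the RSA cases `PS256`, but `ComputeSignatureFromHash` signs with `RSASignaturePadding.Pkcs1`, which is RS256 as the README states; the comments should say `//RS256`. The `break;` following `return written;` in the RSA case is unreachable and can be dropped.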
diff --git a/src/Statics.cs b/src/Statics.cs
new file mode 100644
index 0000000..56e3e25
--- /dev/null
+++ b/src/Statics.cs
@@ -0,0 +1,378 @@
+using System;
+using System.Linq;
+using System.Text;
+using System.Buffers;
+using System.Text.Json;
+using System.Buffers.Text;
+using System.Runtime.CompilerServices;
+using System.Collections.Generic;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+
+using Serilog;
+using Serilog.Core;
+using Serilog.Events;
+
+using Yubico.YubiKey.Piv;
+
+using VNLib.Utils;
+using VNLib.Utils.Logging;
+using VNLib.Utils.Memory;
+using VNLib.Utils.Extensions;
+using VNLib.Hashing;
+using VNLib.Hashing.IdentityUtility;
+
+namespace PkiAuthenticator
+{
+
+ internal static class Statics
+ {
+ public static ProcessArguments CliArgs { get; } = new(Environment.GetCommandLineArgs());
+
+ public static ILogProvider Log { get; } = GetLog();
+
+ private static ILogProvider GetLog()
+ {
+ LoggerConfiguration config = new();
+
+ //Set min level from cli flags
+ if(CliArgs.Verbose)
+ {
+ config.MinimumLevel.Verbose();
+ }
+ else if (CliArgs.Debug)
+ {
+ config.MinimumLevel.Debug();
+ }
+ else
+ {
+ config.MinimumLevel.Information();
+ }
+
+ //Make sure the silent flag is not set
+ if(!CliArgs.Silent)
+ {
+ //Write to console for now
+ config.WriteTo.Console();
+ }
+
+ //Init new log
+ return new VLogProvider(config);
+ }
+
+ /// <summary>
+ /// Generats a signed VNLib authentication toke, used to authenticate against
+ /// web applications using the YubiKey
+ /// </summary>
+ /// <param name="session"></param>
+ /// <returns>The process exit code returning the status of the operation.</returns>
+ public static int GenerateOtp(this IAuthenticator authenticator)
+ {
+ string? uid = CliArgs.GetArg("-u");
+ uid ??= CliArgs.GetArg("--user");
+
+ HashAlg digest;
+
+ //Init the jwt header
+ Dictionary<string, string> jwtHeader = new()
+ {
+ ["typ"] = "jwt"
+ };
+
+ Log.Verbose("Recovering the device metadata...");
+
+ switch (authenticator.KeyAlgorithm)
+ {
+ case PivAlgorithm.Rsa1024:
+ case PivAlgorithm.Rsa2048:
+ //Use rsa256 for all rsa operations
+ digest = HashAlg.SHA256;
+ jwtHeader["alg"] = "RS256";
+ break;
+ case PivAlgorithm.EccP256:
+ digest = HashAlg.SHA256;
+ jwtHeader["alg"] = "ES256";
+ break;
+ case PivAlgorithm.EccP384:
+ digest = HashAlg.SHA384;
+ jwtHeader["alg"] = "ES384";
+ break;
+ default:
+ Log.Error("The key's authentication slot contains an unsupported algorithm");
+ return -5;
+ }
+
+ //Build the login jwt
+ using JsonWebToken jwt = new();
+
+ jwt.WriteHeader(jwtHeader);
+
+ Log.Verbose("Recovering the x509 certificate from the key");
+
+ //Get the auth certificate
+ using (X509Certificate2 cert = authenticator.GetCertificate())
+ {
+ //Default uid is the subjet name
+ uid ??= cert.SubjectName.Name.AsSpan().SliceAfterParam("=").ToString();
+
+ //Get random nonce for entropy
+ string nonce = RandomHash.GetRandomBase32(16);
+
+ jwt.InitPayloadClaim()
+ .AddClaim("sub", uid)
+ .AddClaim("n", nonce)
+ .AddClaim("iat", DateTimeOffset.UtcNow.ToUnixTimeSeconds())
+ //Keyid is the hex sha1 of the certificate
+ .AddClaim("keyid", Convert.ToHexString(cert.GetCertHash(HashAlgorithmName.SHA1)))
+ .AddClaim("serial", cert.SerialNumber)
+ .CommitClaims();
+ }
+
+ Log.Verbose("Signing authentication token...");
+
+ try
+ {
+ //Sign the token
+ jwt.Sign(authenticator, digest);
+
+ Log.Information(Program.TOKEN_PRINT_TEMPLATE, jwt.Compile());
+
+ //If silent mode is enabled, write credential directly to stdout
+ if (CliArgs.Silent)
+ {
+ Console.Write(jwt.Compile());
+ }
+
+ return 0;
+ }
+ catch (OperationCanceledException)
+ {
+ Log.Error("The operation has been cancelled");
+ return -1;
+ }
+ }
+
+ /// <summary>
+ /// Base64url encodes the data buffer and returns a utf8 string from
+ /// the encoded results.
+ /// </summary>
+ /// <param name="data">The binary buffer to encode</param>
+ /// <returns>The encoded string</returns>
+ public static string ToBase64Url(ReadOnlySpan<byte> data)
+ {
+ int base64 = Base64.GetMaxEncodedToUtf8Length(data.Length);
+
+ //Alloc buffer
+ using UnsafeMemoryHandle<byte> buffer = MemoryUtil.UnsafeAllocNearestPage<byte>(base64);
+
+ int written = ToBase64Url(data, buffer.Span);
+
+ return Encoding.UTF8.GetString(buffer.Span[..written]);
+ }
+
+ /// <summary>
+ /// Base64url encodes the data buffer and writes the output to the <paramref name="writer"/>
+ /// argument.
+ /// </summary>
+ /// <param name="data">The binary data to base64url encode</param>
+ /// <param name="writer">A referrence to the <see cref="ForwardOnlyWriter{T}"/></param>
+ /// <exception cref="Exception"></exception>
+ public static void ToUrlSafe(ReadOnlySpan<byte> data, ref ForwardOnlyWriter<byte> writer)
+ {
+ int base64Size = Base64.GetMaxEncodedToUtf8Length(data.Length);
+
+ //Alloc buffer
+ using UnsafeMemoryHandle<byte> buffer = MemoryUtil.UnsafeAllocNearestPage<byte>(base64Size);
+
+ //Convert the data to base64url safe
+ int written = ToBase64Url(data, buffer.Span);
+
+ if(written == ERRNO.E_FAIL)
+ {
+ throw new Exception($"Failed to encode the binary data due to a base64 encoding failure");
+ }
+
+ //Write encoded data to writer
+ writer.Append(buffer.Span[..written]);
+ }
+
+ /// <summary>
+ /// Base64url encodes the data buffer and writes the output to the output buffer.
+ /// </summary>
+ /// <param name="data"></param>
+ /// <param name="buffer">The output buffer to write the base64url encoded utf8 bytes</param>
+ /// <returns>The number of bytes written to the output buffer, or 0/false if the operation failed</returns>
+ /// <exception cref="Exception"></exception>
+ public static ERRNO ToBase64Url(ReadOnlySpan<byte> data, Span<byte> buffer)
+ {
+ //Encode the data to base64
+ OperationStatus status = Base64.EncodeToUtf8(data, buffer, out _, out int written, true);
+
+ if (status != OperationStatus.Done)
+ {
+ return ERRNO.E_FAIL;
+ }
+
+ //Url encode
+ VnEncoding.Base64ToUrlSafeInPlace(buffer[..written]);
+
+ //Remove trailing padding bytes
+ while (buffer[written - 1] == (byte)'=')
+ {
+ written--;
+ }
+
+ return written;
+ }
+
+ /// <summary>
+ /// Writes the public key information for the current session, using the
+ /// configured slot, to a JWK, setting the key-id (kid) as the as the
+ /// hex encoded hash of the certificate.
+ /// </summary>
+ /// <param name="authenticator"></param>
+ /// <returns>The process exit code, 0 if successful, non-zero if a failure occured</returns>
+ public static string? ExportJwk(this IAuthenticator authenticator)
+ {
+ static void WriteEcParams(X509Certificate2 cert, IDictionary<string, string> jwk)
+ {
+ using ECDsa alg = cert.GetECDsaPublicKey()!;
+
+ //recover params
+ ECParameters p = alg.ExportParameters(false);
+
+ //Write public key elements
+ jwk["x"] = ToBase64Url(p.Q.X);
+ jwk["y"] = ToBase64Url(p.Q.Y);
+ }
+
+ static void WriteRsaParams(X509Certificate2 cert, IDictionary<string, string> jwk)
+ {
+ using RSA rSA = cert.GetRSAPublicKey()!;
+
+ RSAParameters p = rSA.ExportParameters(false);
+
+ jwk["e"] = ToBase64Url(p.Exponent);
+ jwk["n"] = ToBase64Url(p.Modulus);
+ }
+
+ Dictionary<string, string> jwkObj = new()
+ {
+ { "use", "sig" }
+ };
+
+ //Get key certificate
+ using X509Certificate2 cert = authenticator.GetCertificate();
+
+ //Write cert hash to the kid
+ jwkObj["kid"] = Convert.ToHexString(cert.GetCertHash(HashAlgorithmName.SHA1));
+
+ //Write cert serial number
+ jwkObj["serial"] = cert.SerialNumber;
+
+ switch (authenticator.KeyAlgorithm)
+ {
+ case PivAlgorithm.EccP256:
+ jwkObj["kty"] = "EC";
+ jwkObj["crv"] = "P-256";
+ jwkObj["alg"] = "ES256";
+
+ //write the ec params to jwk
+ WriteEcParams(cert, jwkObj);
+ break;
+ case PivAlgorithm.EccP384:
+ jwkObj["kty"] = "EC";
+ jwkObj["crv"] = "P-384";
+ jwkObj["alg"] = "ES384";
+
+ //write the ec params to jwk
+ WriteEcParams(cert, jwkObj);
+ break;
+
+ case PivAlgorithm.Rsa1024:
+ case PivAlgorithm.Rsa2048:
+ jwkObj["kty"] = "RSA";
+ jwkObj["alg"] = "RS256";
+
+ //Rsa print
+ WriteRsaParams(cert, jwkObj);
+ break;
+
+ default:
+ return null;
+ }
+
+ //Write jwk to std out
+ return JsonSerializer.Serialize(jwkObj);
+ }
+
+ /// <summary>
+ /// Writes the public key information for the current session, using the
+ /// configured slot, using PEM encoding.
+ /// </summary>
+ /// <param name="authenticator"></param>
+ /// <returns>The process exit code, 0 if successful, non-zero if a failure occured</returns>
+ public static string ExportPem(this IAuthenticator authenticator)
+ {
+ //Get key certificate
+ using X509Certificate2 cert = authenticator.GetCertificate();
+
+ byte[] pubkey = cert.PublicKey.ExportSubjectPublicKeyInfo();
+
+ //Sb for printing cert data
+ StringBuilder builder = new ();
+ builder.AppendLine("-----BEGIN PUBLIC KEY-----");
+ builder.AppendLine(Convert.ToBase64String(pubkey, Base64FormattingOptions.InsertLineBreaks));
+ builder.AppendLine("-----END PUBLIC KEY-----");
+
+ return builder.ToString();
+ }
+
+ private sealed class VLogProvider : VnDisposeable, ILogProvider
+ {
+ private readonly Logger LogCore;
+
+ public VLogProvider(LoggerConfiguration config)
+ {
+ LogCore = config.CreateLogger();
+ }
+ public void Flush() { }
+
+ public object GetLogProvider() => LogCore;
+
+ [MethodImpl(MethodImplOptions.AggressiveInlining)]
+ public bool IsEnabled(LogLevel level) => LogCore.IsEnabled((LogEventLevel)level);
+
+ [MethodImpl(MethodImplOptions.AggressiveInlining)]
+ public void Write(LogLevel level, string value)
+ {
+ LogCore.Write((LogEventLevel)level, value);
+ }
+
+ [MethodImpl(MethodImplOptions.AggressiveInlining)]
+ public void Write(LogLevel level, Exception exception, string value = "")
+ {
+ LogCore.Write((LogEventLevel)level, exception, value);
+ }
+
+ [MethodImpl(MethodImplOptions.AggressiveInlining)]
+ public void Write(LogLevel level, string value, params object[] args)
+ {
+ LogCore.Write((LogEventLevel)level, value, args);
+ }
+
+ [MethodImpl(MethodImplOptions.AggressiveInlining)]
+ public void Write(LogLevel level, string value, params ValueType[] args)
+ {
+ //Serilog logger supports passing valuetypes to avoid boxing objects
+ if (LogCore.IsEnabled((LogEventLevel)level))
+ {
+ object[] ar = args.Select(a => (object)a).ToArray();
+ LogCore.Write((LogEventLevel)level, value, ar);
+ }
+ }
+
+ protected override void Free() => LogCore.Dispose();
+ }
+ }
+}
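Review bot: `ToBase64Url(ReadOnlySpan<byte> data, Span<byte> buffer)` strips padding with `while (buffer[written - 1] == (byte)'=')` and never checks `written > 0`, so an empty `data` span (which `Base64.EncodeToUtf8` reports as `Done` with zero bytes written) throws `IndexOutOfRangeException` instead of returning 0; guard it with `while (written > 0 && buffer[written - 1] == (byte)'=')`. The string overload `ToBase64Url(ReadOnlySpan<byte> data)` also slices `buffer.Span[..written]` without the `ERRNO.E_FAIL` check that `ToUrlSafe` performs, so a failed encode would feed whatever integer `E_FAIL` converts to into the slice; mirroring that check keeps the two callers consistent. Separately, the `GenerateOtp` switch labels `PivAlgorithm.Rsa1024` keys as `RS256` on the same arm as 2048-bit keys; 1024-bit RSA is below the key size most verifiers and current guidance accept for signatures, so logging a warning or rejecting that case at the switch would make the weakness visible to the operator rather than silently issuing a token.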