From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 2E9AA20EC7F for ; Tue, 23 Apr 2024 13:19:52 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 07A061FC43; Tue, 23 Apr 2024 13:19:57 +0200 (CEST) From: Maximiliano Sandoval To: pbs-devel@lists.proxmox.com Date: Tue, 23 Apr 2024 13:19:53 +0200 Message-Id: <20240423111953.323890-1-m.sandoval@proxmox.com> X-Mailer: git-send-email 2.39.2 MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -2.738 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_NUMSUBJECT 0.5 Subject ends in numbers excluding current years KAM_SOMETLD_ARE_BAD_TLD 5 .bar, .beauty, .buzz, .cam, .casa, .cfd, .club, .date, .guru, .link, .live, .monster, .online, .press, .pw, .quest, .rest, .sbs, .shop, .stream, .top, .trade, .wiki, .work, .xyz TLD abuse SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [rfc-editor.org, webauthn.rs, whatwg.org, foo.bar] Subject: [pbs-devel] [PATCH proxmox] tfa: webauthn: serialize OriginUrl following RFC6454 X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" We serialize `OriginUrl` using the ASCII serialization mentioned at [RFC6454] section 6.2 or [1]. Note that the unicode serialization is not used widely adopted [2]. Note that `url::Url` serialize with a trailign slash, e.g. https://foo.bar serializes as https://foo.bar/ which is not the origin for this domain. [RFC6454] https://www.rfc-editor.org/rfc/rfc6454 [1] https://html.spec.whatwg.org/multipage/browsers.html#ascii-serialisation-of-an-origin [2] https://html.spec.whatwg.org/multipage/browsers.html#unicode-serialisation-of-an-origin Signed-off-by: Maximiliano Sandoval --- I tested that existing hardware keys would still unlock the user after installing this patch. proxmox-tfa/src/api/webauthn.rs | 33 +++++++++++++++++---------------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/proxmox-tfa/src/api/webauthn.rs b/proxmox-tfa/src/api/webauthn.rs index 0f908229..4c854011 100644 --- a/proxmox-tfa/src/api/webauthn.rs +++ b/proxmox-tfa/src/api/webauthn.rs @@ -10,10 +10,19 @@ use proxmox_schema::{api, Updater, UpdaterType}; use super::IsExpired; -#[derive(Clone, Deserialize, Serialize)] +#[derive(Clone, Deserialize)] /// Origin URL for WebauthnConfig pub struct OriginUrl(Url); +impl serde::Serialize for OriginUrl { + fn serialize(&self, serializer: S) -> Result + where + S: serde::Serializer, + { + serializer.serialize_str(&self.to_string()) + } +} + #[cfg(feature = "api-types")] impl UpdaterType for OriginUrl { type Updater = Option; @@ -27,23 +36,15 @@ impl std::str::FromStr for OriginUrl { } } -impl std::ops::Deref for OriginUrl { - type Target = Url; - - fn deref(&self) -> &Url { - &self.0 - } -} - -impl std::ops::DerefMut for OriginUrl { - fn deref_mut(&mut self) -> &mut Url { - &mut self.0 +impl From for String { + fn from(url: OriginUrl) -> String { + url.to_string() } } -impl From for String { - fn from(url: OriginUrl) -> String { - url.0.into() +impl OriginUrl { + fn to_string(&self) -> String { + self.0.origin().ascii_serialization() } } @@ -90,7 +91,7 @@ impl WebauthnConfig { pub fn digest(&self) -> [u8; 32] { let mut data = format!("rp={:?}\nid={:?}\n", self.rp, self.id,); if let Some(origin) = &self.origin { - data.push_str(&format!("origin={:?}\n", origin.as_str())); + data.push_str(&format!("origin={}\n", origin.to_string())); } openssl::sha::sha256(data.as_bytes()) } -- 2.39.2 _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel