trezorctl: Implement credential management command.

python/docs/OPTIONS.rst

@@ -82,4 +82,7 @@ Use the following command to see all options:
     tezos-sign-tx                   Sign Tezos transaction.
     verify-message                  Verify message.
     version                         Show version of trezorctl/trezorlib.
+    webauthn-add-credential         Add the credential with the given ID as a resident credential.
+    webauthn-list-credentials       List all resident credentials on the device.
+    webauthn-remove-credential      Remove the resident credential at the given index.
     wipe-device                     Reset device to factory defaults and remove all private data.

python/src/trezorlib/cli/trezorctl.py

@@ -54,6 +54,7 @@ from trezorlib import (
     tezos,
     tools,
     ui,
+    webauthn,
 )
 from trezorlib.client import TrezorClient
 from trezorlib.transport import enumerate_devices, get_transport
@@ -1929,6 +1930,58 @@ def binance_sign_tx(connect, address, file):
     return binance.sign_tx(client, address_n, json.load(file))
 
 
+#
+# WebAuthn functions
+#
+
+
+@cli.command(help="List all resident credentials on the device.")
+@click.pass_obj
+def webauthn_list_credentials(connect):
+    creds = webauthn.list_credentials(connect())
+    for cred in creds:
+        click.echo("")
+        click.echo("WebAuthn credential at index {}:".format(cred.index))
+        if cred.rp_id is not None:
+            click.echo("  Relying party ID:     {}".format(cred.rp_id))
+        if cred.rp_name is not None:
+            click.echo("  Relying party name:   {}".format(cred.rp_name))
+        if cred.user_id is not None:
+            click.echo("  User ID:              {}".format(cred.user_id.hex()))
+        if cred.user_name is not None:
+            click.echo("  User name:            {}".format(cred.user_name))
+        if cred.user_display_name is not None:
+            click.echo("  User display name:    {}".format(cred.user_display_name))
+        if cred.creation_time is not None:
+            click.echo("  Creation time:        {}".format(cred.creation_time))
+        if cred.hmac_secret is not None:
+            click.echo("  hmac-secret enabled:  {}".format(cred.hmac_secret))
+        click.echo("  Credential ID:        {}".format(cred.id.hex()))
+
+    if not creds:
+        click.echo("There are no resident credentials stored on the device.")
+
+
+@cli.command()
+@click.argument("hex_credential_id")
+@click.pass_obj
+def webauthn_add_credential(connect, hex_credential_id):
+    """Add the credential with the given ID as a resident credential.
+
+    HEX_CREDENTIAL_ID is the credential ID as a hexadecimal string.
+    """
+    return webauthn.add_credential(connect(), bytes.fromhex(hex_credential_id))
+
+
+@cli.command(help="Remove the resident credential at the given index.")
+@click.option(
+    "-i", "--index", required=True, type=click.IntRange(0, 15), help="Credential index."
+)
+@click.pass_obj
+def webauthn_remove_credential(connect, index):
+    return webauthn.remove_credential(connect(), index)
+
+
 #
 # Main
 #

python/src/trezorlib/webauthn.py

@@ -0,0 +1,34 @@
+# This file is part of the Trezor project.
+#
+# Copyright (C) 2019 SatoshiLabs and contributors
+#
+# This library is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License version 3
+# as published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the License along with this library.
+# If not, see <https://www.gnu.org/licenses/lgpl-3.0.html>.
+
+
+from . import messages as proto
+from .tools import expect
+
+
+@expect(proto.WebAuthnCredentials, field="credentials")
+def list_credentials(client):
+    return client.call(proto.WebAuthnListResidentCredentials())
+
+
+@expect(proto.Success, field="message")
+def add_credential(client, credential_id):
+    return client.call(proto.WebAuthnAddResidentCredential(credential_id))
+
+
+@expect(proto.Success, field="message")
+def remove_credential(client, index):
+    return client.call(proto.WebAuthnRemoveResidentCredential(index))