introduces customization for PIN protcol v1 (#559)

src/ctap/client_pin.rs

@@ -21,6 +21,7 @@ use super::pin_protocol::{verify_pin_uv_auth_token, PinProtocol, SharedSecret};
 use super::response::{AuthenticatorClientPinResponse, ResponseData};
 use super::status_code::Ctap2StatusCode;
 use super::token_state::PinUvAuthTokenState;
+use crate::api::customization::Customization;
 use crate::ctap::storage;
 use crate::env::Env;
 use alloc::boxed::Box;
@@ -390,6 +391,11 @@ impl ClientPin {
         client_pin_params: AuthenticatorClientPinParameters,
         now: CtapInstant,
     ) -> Result<ResponseData, Ctap2StatusCode> {
+        if !env.customization().allows_pin_protocol_v1()
+            && client_pin_params.pin_uv_auth_protocol == PinUvAuthProtocol::V1
+        {
+            return Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER);
+        }
         let response = match client_pin_params.sub_command {
             ClientPinSubCommand::GetPinRetries => Some(self.process_get_pin_retries(env)?),
             ClientPinSubCommand::GetKeyAgreement => {
@@ -872,6 +878,20 @@ mod test {
         test_helper_process_get_key_agreement(PinUvAuthProtocol::V2);
     }
 
+    #[test]
+    fn test_process_get_key_agreement_v1_not_allowed() {
+        let (mut client_pin, params) = create_client_pin_and_parameters(
+            PinUvAuthProtocol::V1,
+            ClientPinSubCommand::GetKeyAgreement,
+        );
+        let mut env = TestEnv::new();
+        env.customization_mut().set_allows_pin_protocol_v1(false);
+        assert_eq!(
+            client_pin.process_command(&mut env, params, CtapInstant::new(0)),
+            Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER)
+        );
+    }
+
     fn test_helper_process_set_pin(pin_uv_auth_protocol: PinUvAuthProtocol) {
         let (mut client_pin, params) =
             create_client_pin_and_parameters(pin_uv_auth_protocol, ClientPinSubCommand::SetPin);

src/ctap/mod.rs

@@ -1264,6 +1264,10 @@ impl CtapState {
             (String::from("setMinPINLength"), true),
             (String::from("makeCredUvNotRqd"), !has_always_uv),
         ]);
+        let mut pin_protocols = vec![PinUvAuthProtocol::V2 as u64];
+        if env.customization().allows_pin_protocol_v1() {
+            pin_protocols.push(PinUvAuthProtocol::V1 as u64);
+        }
 
         Ok(ResponseData::AuthenticatorGetInfo(
             AuthenticatorGetInfoResponse {
@@ -1279,10 +1283,7 @@ impl CtapState {
                 options: Some(options),
                 max_msg_size: Some(env.customization().max_msg_size() as u64),
                 // The order implies preference. We favor the new V2.
-                pin_protocols: Some(vec![
-                    PinUvAuthProtocol::V2 as u64,
-                    PinUvAuthProtocol::V1 as u64,
-                ]),
+                pin_protocols: Some(pin_protocols),
                 max_credential_count_in_list: env
                     .customization()
                     .max_credential_count_in_list()
@@ -1581,6 +1582,23 @@ mod test {
         assert_eq!(info_reponse, response_cbor);
     }
 
+    #[test]
+    fn test_get_info_no_pin_protocol_v1() {
+        let mut env = TestEnv::new();
+        env.customization_mut().set_allows_pin_protocol_v1(false);
+        let ctap_state = CtapState::new(&mut env, CtapInstant::new(0));
+        let info_response = ctap_state.process_get_info(&mut env).unwrap();
+        match info_response {
+            ResponseData::AuthenticatorGetInfo(response) => {
+                assert_eq!(
+                    response.pin_protocols,
+                    Some(vec![PinUvAuthProtocol::V2 as u64])
+                );
+            }
+            _ => panic!("Invalid response type"),
+        }
+    }
+
     fn create_minimal_make_credential_parameters() -> AuthenticatorMakeCredentialParameters {
         let client_data_hash = vec![0xCD];
         let rp = PublicKeyCredentialRpEntity {