kmwebnet/OpenSK
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #254 from kaczmarczyck/storage-management

Browse Source 
Storage management
This commit is contained in:
kaczmarczyck
2021-01-12 10:23:45 +01:00
committed by GitHub
parent 32d5ff91d4 27a7108328
commit 499816069e
3 changed files with 251 additions and 148 deletions
Download Patch File Download Diff File Expand all files Collapse all files

100
src/ctap/mod.rs
View File

@@ -142,7 +142,7 @@ struct AssertionInput {
struct AssertionState { struct AssertionState {
assertion_input: AssertionInput, assertion_input: AssertionInput,
// Sorted by ascending order of creation, so the last element is the most recent one. // Sorted by ascending order of creation, so the last element is the most recent one.
next_credentials: Vec<PublicKeyCredentialSource>, next_credential_keys: Vec<usize>,
} }
enum StatefulCommand { enum StatefulCommand {
@@ -606,7 +606,7 @@ where
// and returns the correct Get(Next)Assertion response. // and returns the correct Get(Next)Assertion response.
fn assertion_response( fn assertion_response(
&mut self, &mut self,
credential: PublicKeyCredentialSource, mut credential: PublicKeyCredentialSource,
assertion_input: AssertionInput, assertion_input: AssertionInput,
number_of_credentials: Option<usize>, number_of_credentials: Option<usize>,
) -> Result<ResponseData, Ctap2StatusCode> { ) -> Result<ResponseData, Ctap2StatusCode> {
@@ -642,6 +642,12 @@ where
key_id: credential.credential_id, key_id: credential.credential_id,
transports: None, // You can set USB as a hint here. transports: None, // You can set USB as a hint here.
}; };
// Remove user identifiable information without uv.
if !has_uv {
credential.user_name = None;
credential.user_display_name = None;
credential.user_icon = None;
}
let user = if !credential.user_handle.is_empty() { let user = if !credential.user_handle.is_empty() {
Some(PublicKeyCredentialUserEntity { Some(PublicKeyCredentialUserEntity {
user_id: credential.user_handle, user_id: credential.user_handle,
@@ -749,26 +755,35 @@ where
} }
let rp_id_hash = Sha256::hash(rp_id.as_bytes()); let rp_id_hash = Sha256::hash(rp_id.as_bytes());
let mut applicable_credentials = if let Some(allow_list) = allow_list { let (credential, next_credential_keys) = if let Some(allow_list) = allow_list {
if let Some(credential) = (
self.get_any_credential_from_allow_list(allow_list, &rp_id, &rp_id_hash, has_uv)? self.get_any_credential_from_allow_list(allow_list, &rp_id, &rp_id_hash, has_uv)?,
{ vec![],
vec![credential] )
} else { } else {
vec![] let mut iter_result = Ok(());
let iter = self.persistent_store.iter_credentials(&mut iter_result)?;
let mut stored_credentials: Vec<(usize, u64)> = iter
.filter_map(|(key, credential)| {
if credential.rp_id == rp_id && (has_uv || credential.is_discoverable()) {
Some((key, credential.creation_order))
} else {
None
} }
} else { })
self.persistent_store.filter_credential(&rp_id, !has_uv)? .collect();
iter_result?;
stored_credentials.sort_unstable_by_key(|&(_key, order)| order);
let mut stored_credentials: Vec<usize> = stored_credentials
.into_iter()
.map(|(key, _order)| key)
.collect();
let credential = stored_credentials
.pop()
.map(|key| self.persistent_store.get_credential(key))
.transpose()?;
(credential, stored_credentials)
}; };
// Remove user identifiable information without uv.
if !has_uv {
for credential in &mut applicable_credentials {
credential.user_name = None;
credential.user_display_name = None;
credential.user_icon = None;
}
}
applicable_credentials.sort_unstable_by_key(|c| c.creation_order);
// This check comes before CTAP2_ERR_NO_CREDENTIALS in CTAP 2.0. // This check comes before CTAP2_ERR_NO_CREDENTIALS in CTAP 2.0.
// For CTAP 2.1, it was moved to a later protocol step. // For CTAP 2.1, it was moved to a later protocol step.
@@ -776,9 +791,7 @@ where
(self.check_user_presence)(cid)?; (self.check_user_presence)(cid)?;
} }
let credential = applicable_credentials let credential = credential.ok_or(Ctap2StatusCode::CTAP2_ERR_NO_CREDENTIALS)?;
.pop()
.ok_or(Ctap2StatusCode::CTAP2_ERR_NO_CREDENTIALS)?;
self.increment_global_signature_counter()?; self.increment_global_signature_counter()?;
@@ -788,15 +801,15 @@ where
hmac_secret_input, hmac_secret_input,
has_uv, has_uv,
}; };
let number_of_credentials = if applicable_credentials.is_empty() { let number_of_credentials = if next_credential_keys.is_empty() {
None None
} else { } else {
let number_of_credentials = Some(applicable_credentials.len() + 1); let number_of_credentials = Some(next_credential_keys.len() + 1);
self.stateful_command_permission = self.stateful_command_permission =
TimedPermission::granted(now, STATEFUL_COMMAND_TIMEOUT_DURATION); TimedPermission::granted(now, STATEFUL_COMMAND_TIMEOUT_DURATION);
self.stateful_command_type = Some(StatefulCommand::GetAssertion(AssertionState { self.stateful_command_type = Some(StatefulCommand::GetAssertion(AssertionState {
assertion_input: assertion_input.clone(), assertion_input: assertion_input.clone(),
next_credentials: applicable_credentials, next_credential_keys,
})); }));
number_of_credentials number_of_credentials
}; };
@@ -812,10 +825,11 @@ where
if let Some(StatefulCommand::GetAssertion(assertion_state)) = if let Some(StatefulCommand::GetAssertion(assertion_state)) =
&mut self.stateful_command_type &mut self.stateful_command_type
{ {
let credential = assertion_state let credential_key = assertion_state
.next_credentials .next_credential_keys
.pop() .pop()
.ok_or(Ctap2StatusCode::CTAP2_ERR_NOT_ALLOWED)?; .ok_or(Ctap2StatusCode::CTAP2_ERR_NOT_ALLOWED)?;
let credential = self.persistent_store.get_credential(credential_key)?;
(assertion_state.assertion_input.clone(), credential) (assertion_state.assertion_input.clone(), credential)
} else { } else {
return Err(Ctap2StatusCode::CTAP2_ERR_NOT_ALLOWED); return Err(Ctap2StatusCode::CTAP2_ERR_NOT_ALLOWED);
@@ -848,13 +862,19 @@ where
CtapState::<R, CheckUserPresence>::PIN_PROTOCOL_VERSION, CtapState::<R, CheckUserPresence>::PIN_PROTOCOL_VERSION,
]), ]),
max_credential_count_in_list: MAX_CREDENTIAL_COUNT_IN_LIST.map(|c| c as u64), max_credential_count_in_list: MAX_CREDENTIAL_COUNT_IN_LIST.map(|c| c as u64),
// #TODO(106) update with version 2.1 of HMAC-secret // TODO(#106) update with version 2.1 of HMAC-secret
max_credential_id_length: Some(CREDENTIAL_ID_SIZE as u64), max_credential_id_length: Some(CREDENTIAL_ID_SIZE as u64),
transports: Some(vec![AuthenticatorTransport::Usb]), transports: Some(vec![AuthenticatorTransport::Usb]),
algorithms: Some(vec![ES256_CRED_PARAM]), algorithms: Some(vec![ES256_CRED_PARAM]),
default_cred_protect: DEFAULT_CRED_PROTECT, default_cred_protect: DEFAULT_CRED_PROTECT,
min_pin_length: self.persistent_store.min_pin_length()?, min_pin_length: self.persistent_store.min_pin_length()?,
firmware_version: None, firmware_version: None,
max_cred_blob_length: None,
// TODO(kaczmarczyck) update when extension is implemented
max_rp_ids_for_set_min_pin_length: None,
remaining_discoverable_credentials: Some(
self.persistent_store.remaining_credentials()? as u64,
),
}, },
)) ))
} }
@@ -1015,7 +1035,7 @@ mod test {
let mut ctap_state = CtapState::new(&mut rng, user_immediately_present, DUMMY_CLOCK_VALUE); let mut ctap_state = CtapState::new(&mut rng, user_immediately_present, DUMMY_CLOCK_VALUE);
let info_reponse = ctap_state.process_command(&[0x04], DUMMY_CHANNEL_ID, DUMMY_CLOCK_VALUE); let info_reponse = ctap_state.process_command(&[0x04], DUMMY_CHANNEL_ID, DUMMY_CLOCK_VALUE);
let mut expected_response = vec![0x00, 0xAA, 0x01]; let mut expected_response = vec![0x00, 0xAB, 0x01];
// The version array differs with CTAP1, always including 2.0 and 2.1. // The version array differs with CTAP1, always including 2.0 and 2.1.
#[cfg(not(feature = "with_ctap1"))] #[cfg(not(feature = "with_ctap1"))]
let version_count = 2; let version_count = 2;
@@ -1039,7 +1059,7 @@ mod test {
0x65, 0x6E, 0x74, 0x50, 0x69, 0x6E, 0xF4, 0x05, 0x19, 0x04, 0x00, 0x06, 0x81, 0x01, 0x65, 0x6E, 0x74, 0x50, 0x69, 0x6E, 0xF4, 0x05, 0x19, 0x04, 0x00, 0x06, 0x81, 0x01,
0x08, 0x18, 0x70, 0x09, 0x81, 0x63, 0x75, 0x73, 0x62, 0x0A, 0x81, 0xA2, 0x63, 0x61, 0x08, 0x18, 0x70, 0x09, 0x81, 0x63, 0x75, 0x73, 0x62, 0x0A, 0x81, 0xA2, 0x63, 0x61,
0x6C, 0x67, 0x26, 0x64, 0x74, 0x79, 0x70, 0x65, 0x6A, 0x70, 0x75, 0x62, 0x6C, 0x69, 0x6C, 0x67, 0x26, 0x64, 0x74, 0x79, 0x70, 0x65, 0x6A, 0x70, 0x75, 0x62, 0x6C, 0x69,
0x63, 0x2D, 0x6B, 0x65, 0x79, 0x0D, 0x04, 0x63, 0x2D, 0x6B, 0x65, 0x79, 0x0D, 0x04, 0x14, 0x18, 0x96,
] ]
.iter(), .iter(),
); );
@@ -1244,12 +1264,14 @@ mod test {
ctap_state.process_make_credential(make_credential_params, DUMMY_CHANNEL_ID); ctap_state.process_make_credential(make_credential_params, DUMMY_CHANNEL_ID);
assert!(make_credential_response.is_ok()); assert!(make_credential_response.is_ok());
let stored_credential = ctap_state let mut iter_result = Ok(());
let iter = ctap_state
.persistent_store .persistent_store
.filter_credential("example.com", false) .iter_credentials(&mut iter_result)
.unwrap()
.pop()
.unwrap(); .unwrap();
// There is only 1 credential, so last is good enough.
let (_, stored_credential) = iter.last().unwrap();
iter_result.unwrap();
let credential_id = stored_credential.credential_id; let credential_id = stored_credential.credential_id;
assert_eq!(stored_credential.cred_protect_policy, Some(test_policy)); assert_eq!(stored_credential.cred_protect_policy, Some(test_policy));
@@ -1269,12 +1291,14 @@ mod test {
ctap_state.process_make_credential(make_credential_params, DUMMY_CHANNEL_ID); ctap_state.process_make_credential(make_credential_params, DUMMY_CHANNEL_ID);
assert!(make_credential_response.is_ok()); assert!(make_credential_response.is_ok());
let stored_credential = ctap_state let mut iter_result = Ok(());
let iter = ctap_state
.persistent_store .persistent_store
.filter_credential("example.com", false) .iter_credentials(&mut iter_result)
.unwrap()
.pop()
.unwrap(); .unwrap();
// There is only 1 credential, so last is good enough.
let (_, stored_credential) = iter.last().unwrap();
iter_result.unwrap();
let credential_id = stored_credential.credential_id; let credential_id = stored_credential.credential_id;
assert_eq!(stored_credential.cred_protect_policy, Some(test_policy)); assert_eq!(stored_credential.cred_protect_policy, Some(test_policy));

19
src/ctap/response.rs
View File

@@ -107,7 +107,6 @@ impl From<AuthenticatorGetAssertionResponse> for cbor::Value {
#[cfg_attr(test, derive(PartialEq))] #[cfg_attr(test, derive(PartialEq))]
#[cfg_attr(any(test, feature = "debug_ctap"), derive(Debug))] #[cfg_attr(any(test, feature = "debug_ctap"), derive(Debug))]
pub struct AuthenticatorGetInfoResponse { pub struct AuthenticatorGetInfoResponse {
// TODO(kaczmarczyck) add maxAuthenticatorConfigLength and defaultCredProtect
pub versions: Vec<String>, pub versions: Vec<String>,
pub extensions: Option<Vec<String>>, pub extensions: Option<Vec<String>>,
pub aaguid: [u8; 16], pub aaguid: [u8; 16],
@@ -121,6 +120,9 @@ pub struct AuthenticatorGetInfoResponse {
pub default_cred_protect: Option<CredentialProtectionPolicy>, pub default_cred_protect: Option<CredentialProtectionPolicy>,
pub min_pin_length: u8, pub min_pin_length: u8,
pub firmware_version: Option<u64>, pub firmware_version: Option<u64>,
pub max_cred_blob_length: Option<u64>,
pub max_rp_ids_for_set_min_pin_length: Option<u64>,
pub remaining_discoverable_credentials: Option<u64>,
} }
impl From<AuthenticatorGetInfoResponse> for cbor::Value { impl From<AuthenticatorGetInfoResponse> for cbor::Value {
@@ -139,6 +141,9 @@ impl From<AuthenticatorGetInfoResponse> for cbor::Value {
default_cred_protect, default_cred_protect,
min_pin_length, min_pin_length,
firmware_version, firmware_version,
max_cred_blob_length,
max_rp_ids_for_set_min_pin_length,
remaining_discoverable_credentials,
} = get_info_response; } = get_info_response;
let options_cbor: Option<cbor::Value> = options.map(|options| { let options_cbor: Option<cbor::Value> = options.map(|options| {
@@ -163,6 +168,9 @@ impl From<AuthenticatorGetInfoResponse> for cbor::Value {
0x0C => default_cred_protect.map(|p| p as u64), 0x0C => default_cred_protect.map(|p| p as u64),
0x0D => min_pin_length as u64, 0x0D => min_pin_length as u64,
0x0E => firmware_version, 0x0E => firmware_version,
0x0F => max_cred_blob_length,
0x10 => max_rp_ids_for_set_min_pin_length,
0x14 => remaining_discoverable_credentials,
} }
} }
} }
@@ -285,6 +293,9 @@ mod test {
default_cred_protect: None, default_cred_protect: None,
min_pin_length: 4, min_pin_length: 4,
firmware_version: None, firmware_version: None,
max_cred_blob_length: None,
max_rp_ids_for_set_min_pin_length: None,
remaining_discoverable_credentials: None,
}; };
let response_cbor: Option<cbor::Value> = let response_cbor: Option<cbor::Value> =
ResponseData::AuthenticatorGetInfo(get_info_response).into(); ResponseData::AuthenticatorGetInfo(get_info_response).into();
@@ -314,6 +325,9 @@ mod test {
default_cred_protect: Some(CredentialProtectionPolicy::UserVerificationRequired), default_cred_protect: Some(CredentialProtectionPolicy::UserVerificationRequired),
min_pin_length: 4, min_pin_length: 4,
firmware_version: Some(0), firmware_version: Some(0),
max_cred_blob_length: Some(1024),
max_rp_ids_for_set_min_pin_length: Some(8),
remaining_discoverable_credentials: Some(150),
}; };
let response_cbor: Option<cbor::Value> = let response_cbor: Option<cbor::Value> =
ResponseData::AuthenticatorGetInfo(get_info_response).into(); ResponseData::AuthenticatorGetInfo(get_info_response).into();
@@ -331,6 +345,9 @@ mod test {
0x0C => CredentialProtectionPolicy::UserVerificationRequired as u64, 0x0C => CredentialProtectionPolicy::UserVerificationRequired as u64,
0x0D => 4, 0x0D => 4,
0x0E => 0, 0x0E => 0,
0x0F => 1024,
0x10 => 8,
0x14 => 150,
}; };
assert_eq!(response_cbor, Some(expected_cbor)); assert_eq!(response_cbor, Some(expected_cbor));
} }

270
src/ctap/storage.rs
View File

@@ -16,6 +16,7 @@ mod key;
use crate::ctap::data_formats::{ use crate::ctap::data_formats::{
extract_array, extract_text_string, CredentialProtectionPolicy, PublicKeyCredentialSource, extract_array, extract_text_string, CredentialProtectionPolicy, PublicKeyCredentialSource,
PublicKeyCredentialUserEntity,
}; };
use crate::ctap::key_material; use crate::ctap::key_material;
use crate::ctap::pin_protocol_v1::PIN_AUTH_LENGTH; use crate::ctap::pin_protocol_v1::PIN_AUTH_LENGTH;
@@ -116,6 +117,47 @@ impl PersistentStore {
Ok(()) Ok(())
} }
/// Returns the credential at the given key.
///
/// # Errors
///
/// Returns `CTAP2_ERR_VENDOR_INTERNAL_ERROR` if the key does not hold a valid credential.
pub fn get_credential(&self, key: usize) -> Result<PublicKeyCredentialSource, Ctap2StatusCode> {
let min_key = key::CREDENTIALS.start;
if key < min_key || key >= min_key + MAX_SUPPORTED_RESIDENTIAL_KEYS {
return Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR);
}
let credential_entry = self
.store
.find(key)?
.ok_or(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR)?;
deserialize_credential(&credential_entry)
.ok_or(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR)
}
/// Finds the key and value for a given credential ID.
///
/// # Errors
///
/// Returns `CTAP2_ERR_NO_CREDENTIALS` if the credential is not found.
fn find_credential_item(
&self,
credential_id: &[u8],
) -> Result<(usize, PublicKeyCredentialSource), Ctap2StatusCode> {
let mut iter_result = Ok(());
let iter = self.iter_credentials(&mut iter_result)?;
let mut credentials: Vec<(usize, PublicKeyCredentialSource)> = iter
.filter(|(_, credential)| credential.credential_id == credential_id)
.collect();
iter_result?;
if credentials.len() > 1 {
return Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR);
}
credentials
.pop()
.ok_or(Ctap2StatusCode::CTAP2_ERR_NO_CREDENTIALS)
}
/// Returns the first matching credential. /// Returns the first matching credential.
/// ///
/// Returns `None` if no credentials are matched or if `check_cred_protect` is set and the first /// Returns `None` if no credentials are matched or if `check_cred_protect` is set and the first
@@ -126,22 +168,17 @@ impl PersistentStore {
credential_id: &[u8], credential_id: &[u8],
check_cred_protect: bool, check_cred_protect: bool,
) -> Result<Option<PublicKeyCredentialSource>, Ctap2StatusCode> { ) -> Result<Option<PublicKeyCredentialSource>, Ctap2StatusCode> {
let mut iter_result = Ok(()); let credential = match self.find_credential_item(credential_id) {
let iter = self.iter_credentials(&mut iter_result)?; Err(Ctap2StatusCode::CTAP2_ERR_NO_CREDENTIALS) => return Ok(None),
// We don't check whether there is more than one matching credential to be able to exit Err(e) => return Err(e),
// early. Ok((_key, credential)) => credential,
let result = iter.map(|(_, credential)| credential).find(|credential| { };
credential.rp_id == rp_id && credential.credential_id == credential_id let is_protected = credential.cred_protect_policy
});
iter_result?;
if let Some(cred) = &result {
let user_verification_required = cred.cred_protect_policy
== Some(CredentialProtectionPolicy::UserVerificationRequired); == Some(CredentialProtectionPolicy::UserVerificationRequired);
if check_cred_protect && user_verification_required { if credential.rp_id != rp_id || (check_cred_protect && is_protected) {
return Ok(None); return Ok(None);
} }
} Ok(Some(credential))
Ok(result)
} }
/// Stores or updates a credential. /// Stores or updates a credential.
@@ -196,32 +233,35 @@ impl PersistentStore {
Ok(()) Ok(())
} }
/// Returns the list of matching credentials. /// Deletes a credential.
/// ///
/// Does not return credentials that are not discoverable if `check_cred_protect` is set. /// # Errors
pub fn filter_credential( ///
&self, /// Returns `CTAP2_ERR_NO_CREDENTIALS` if the credential is not found.
rp_id: &str, pub fn _delete_credential(&mut self, credential_id: &[u8]) -> Result<(), Ctap2StatusCode> {
check_cred_protect: bool, let (key, _) = self.find_credential_item(credential_id)?;
) -> Result<Vec<PublicKeyCredentialSource>, Ctap2StatusCode> { Ok(self.store.remove(key)?)
let mut iter_result = Ok(());
let iter = self.iter_credentials(&mut iter_result)?;
let result = iter
.filter_map(|(_, credential)| {
if credential.rp_id == rp_id {
Some(credential)
} else {
None
} }
})
.filter(|cred| !check_cred_protect || cred.is_discoverable()) /// Updates a credential's user information.
.collect(); ///
iter_result?; /// # Errors
Ok(result) ///
/// Returns `CTAP2_ERR_NO_CREDENTIALS` if the credential is not found.
pub fn _update_credential(
&mut self,
credential_id: &[u8],
user: PublicKeyCredentialUserEntity,
) -> Result<(), Ctap2StatusCode> {
let (key, mut credential) = self.find_credential_item(credential_id)?;
credential.user_name = user.user_name;
credential.user_display_name = user.user_display_name;
credential.user_icon = user.user_icon;
let value = serialize_credential(credential)?;
Ok(self.store.insert(key, &value)?)
} }
/// Returns the number of credentials. /// Returns the number of credentials.
#[cfg(test)]
pub fn count_credentials(&self) -> Result<usize, Ctap2StatusCode> { pub fn count_credentials(&self) -> Result<usize, Ctap2StatusCode> {
let mut iter_result = Ok(()); let mut iter_result = Ok(());
let iter = self.iter_credentials(&mut iter_result)?; let iter = self.iter_credentials(&mut iter_result)?;
@@ -230,10 +270,17 @@ impl PersistentStore {
Ok(result) Ok(result)
} }
/// Returns the estimated number of credentials that can still be stored.
pub fn remaining_credentials(&self) -> Result<usize, Ctap2StatusCode> {
MAX_SUPPORTED_RESIDENTIAL_KEYS
.checked_sub(self.count_credentials()?)
.ok_or(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR)
}
/// Iterates through the credentials. /// Iterates through the credentials.
/// ///
/// If an error is encountered during iteration, it is written to `result`. /// If an error is encountered during iteration, it is written to `result`.
fn iter_credentials<'a>( pub fn iter_credentials<'a>(
&'a self, &'a self,
result: &'a mut Result<(), Ctap2StatusCode>, result: &'a mut Result<(), Ctap2StatusCode>,
) -> Result<IterCredentials<'a>, Ctap2StatusCode> { ) -> Result<IterCredentials<'a>, Ctap2StatusCode> {
@@ -494,7 +541,7 @@ impl From<persistent_store::StoreError> for Ctap2StatusCode {
} }
/// Iterator for credentials. /// Iterator for credentials.
struct IterCredentials<'a> { pub struct IterCredentials<'a> {
/// The store being iterated. /// The store being iterated.
store: &'a persistent_store::Store<Storage>, store: &'a persistent_store::Store<Storage>,
@@ -629,6 +676,66 @@ mod test {
assert!(persistent_store.count_credentials().unwrap() > 0); assert!(persistent_store.count_credentials().unwrap() > 0);
} }
#[test]
fn test_delete_credential() {
let mut rng = ThreadRng256 {};
let mut persistent_store = PersistentStore::new(&mut rng);
assert_eq!(persistent_store.count_credentials().unwrap(), 0);
let mut credential_ids = vec![];
for i in 0..MAX_SUPPORTED_RESIDENTIAL_KEYS {
let user_handle = i.to_ne_bytes().to_vec();
let credential_source = create_credential_source(&mut rng, "example.com", user_handle);
credential_ids.push(credential_source.credential_id.clone());
assert!(persistent_store.store_credential(credential_source).is_ok());
assert_eq!(persistent_store.count_credentials().unwrap(), i + 1);
}
let mut count = persistent_store.count_credentials().unwrap();
for credential_id in credential_ids {
assert!(persistent_store._delete_credential(&credential_id).is_ok());
count -= 1;
assert_eq!(persistent_store.count_credentials().unwrap(), count);
}
}
#[test]
fn test_update_credential() {
let mut rng = ThreadRng256 {};
let mut persistent_store = PersistentStore::new(&mut rng);
let user = PublicKeyCredentialUserEntity {
// User ID is ignored.
user_id: vec![0x00],
user_name: Some("name".to_string()),
user_display_name: Some("display_name".to_string()),
user_icon: Some("icon".to_string()),
};
assert_eq!(
persistent_store._update_credential(&[0x1D], user.clone()),
Err(Ctap2StatusCode::CTAP2_ERR_NO_CREDENTIALS)
);
let credential_source = create_credential_source(&mut rng, "example.com", vec![0x1D]);
let credential_id = credential_source.credential_id.clone();
assert!(persistent_store.store_credential(credential_source).is_ok());
let stored_credential = persistent_store
.find_credential("example.com", &credential_id, false)
.unwrap()
.unwrap();
assert_eq!(stored_credential.user_name, None);
assert_eq!(stored_credential.user_display_name, None);
assert_eq!(stored_credential.user_icon, None);
assert!(persistent_store
._update_credential(&credential_id, user.clone())
.is_ok());
let stored_credential = persistent_store
.find_credential("example.com", &credential_id, false)
.unwrap()
.unwrap();
assert_eq!(stored_credential.user_name, user.user_name);
assert_eq!(stored_credential.user_display_name, user.user_display_name);
assert_eq!(stored_credential.user_icon, user.user_icon);
}
#[test] #[test]
fn test_credential_order() { fn test_credential_order() {
let mut rng = ThreadRng256 {}; let mut rng = ThreadRng256 {};
@@ -645,17 +752,14 @@ mod test {
} }
#[test] #[test]
#[allow(clippy::assertions_on_constants)]
fn test_fill_store() { fn test_fill_store() {
let mut rng = ThreadRng256 {}; let mut rng = ThreadRng256 {};
let mut persistent_store = PersistentStore::new(&mut rng); let mut persistent_store = PersistentStore::new(&mut rng);
assert_eq!(persistent_store.count_credentials().unwrap(), 0); assert_eq!(persistent_store.count_credentials().unwrap(), 0);
// To make this test work for bigger storages, implement better int -> Vec conversion.
assert!(MAX_SUPPORTED_RESIDENTIAL_KEYS < 256);
for i in 0..MAX_SUPPORTED_RESIDENTIAL_KEYS { for i in 0..MAX_SUPPORTED_RESIDENTIAL_KEYS {
let credential_source = let user_handle = i.to_ne_bytes().to_vec();
create_credential_source(&mut rng, "example.com", vec![i as u8]); let credential_source = create_credential_source(&mut rng, "example.com", user_handle);
assert!(persistent_store.store_credential(credential_source).is_ok()); assert!(persistent_store.store_credential(credential_source).is_ok());
assert_eq!(persistent_store.count_credentials().unwrap(), i + 1); assert_eq!(persistent_store.count_credentials().unwrap(), i + 1);
} }
@@ -675,7 +779,6 @@ mod test {
} }
#[test] #[test]
#[allow(clippy::assertions_on_constants)]
fn test_overwrite() { fn test_overwrite() {
let mut rng = ThreadRng256 {}; let mut rng = ThreadRng256 {};
let mut persistent_store = PersistentStore::new(&mut rng); let mut persistent_store = PersistentStore::new(&mut rng);
@@ -683,7 +786,8 @@ mod test {
// These should have different IDs. // These should have different IDs.
let credential_source0 = create_credential_source(&mut rng, "example.com", vec![0x00]); let credential_source0 = create_credential_source(&mut rng, "example.com", vec![0x00]);
let credential_source1 = create_credential_source(&mut rng, "example.com", vec![0x00]); let credential_source1 = create_credential_source(&mut rng, "example.com", vec![0x00]);
let expected_credential = credential_source1.clone(); let credential_id0 = credential_source0.credential_id.clone();
let credential_id1 = credential_source1.credential_id.clone();
assert!(persistent_store assert!(persistent_store
.store_credential(credential_source0) .store_credential(credential_source0)
@@ -692,18 +796,19 @@ mod test {
.store_credential(credential_source1) .store_credential(credential_source1)
.is_ok()); .is_ok());
assert_eq!(persistent_store.count_credentials().unwrap(), 1); assert_eq!(persistent_store.count_credentials().unwrap(), 1);
assert_eq!( assert!(persistent_store
&persistent_store .find_credential("example.com", &credential_id0, false)
.filter_credential("example.com", false) .unwrap()
.unwrap(), .is_none());
&[expected_credential] assert!(persistent_store
); .find_credential("example.com", &credential_id1, false)
.unwrap()
.is_some());
// To make this test work for bigger storages, implement better int -> Vec conversion. let mut persistent_store = PersistentStore::new(&mut rng);
assert!(MAX_SUPPORTED_RESIDENTIAL_KEYS < 256);
for i in 0..MAX_SUPPORTED_RESIDENTIAL_KEYS { for i in 0..MAX_SUPPORTED_RESIDENTIAL_KEYS {
let credential_source = let user_handle = i.to_ne_bytes().to_vec();
create_credential_source(&mut rng, "example.com", vec![i as u8]); let credential_source = create_credential_source(&mut rng, "example.com", user_handle);
assert!(persistent_store.store_credential(credential_source).is_ok()); assert!(persistent_store.store_credential(credential_source).is_ok());
assert_eq!(persistent_store.count_credentials().unwrap(), i + 1); assert_eq!(persistent_store.count_credentials().unwrap(), i + 1);
} }
@@ -723,64 +828,21 @@ mod test {
} }
#[test] #[test]
fn test_filter() { fn test_get_credential() {
let mut rng = ThreadRng256 {}; let mut rng = ThreadRng256 {};
let mut persistent_store = PersistentStore::new(&mut rng); let mut persistent_store = PersistentStore::new(&mut rng);
assert_eq!(persistent_store.count_credentials().unwrap(), 0);
let credential_source0 = create_credential_source(&mut rng, "example.com", vec![0x00]); let credential_source0 = create_credential_source(&mut rng, "example.com", vec![0x00]);
let credential_source1 = create_credential_source(&mut rng, "example.com", vec![0x01]); let credential_source1 = create_credential_source(&mut rng, "example.com", vec![0x01]);
let credential_source2 = let credential_source2 =
create_credential_source(&mut rng, "another.example.com", vec![0x02]); create_credential_source(&mut rng, "another.example.com", vec![0x02]);
let id0 = credential_source0.credential_id.clone(); let credential_sources = vec![credential_source0, credential_source1, credential_source2];
let id1 = credential_source1.credential_id.clone(); for credential_source in credential_sources.into_iter() {
assert!(persistent_store let cred_id = credential_source.credential_id.clone();
.store_credential(credential_source0) assert!(persistent_store.store_credential(credential_source).is_ok());
.is_ok()); let (key, _) = persistent_store.find_credential_item(&cred_id).unwrap();
assert!(persistent_store let cred = persistent_store.get_credential(key).unwrap();
.store_credential(credential_source1) assert_eq!(&cred_id, &cred.credential_id);
.is_ok());
assert!(persistent_store
.store_credential(credential_source2)
.is_ok());
let filtered_credentials = persistent_store
.filter_credential("example.com", false)
.unwrap();
assert_eq!(filtered_credentials.len(), 2);
assert!(
(filtered_credentials[0].credential_id == id0
&& filtered_credentials[1].credential_id == id1)
|| (filtered_credentials[1].credential_id == id0
&& filtered_credentials[0].credential_id == id1)
);
} }
#[test]
fn test_filter_with_cred_protect() {
let mut rng = ThreadRng256 {};
let mut persistent_store = PersistentStore::new(&mut rng);
assert_eq!(persistent_store.count_credentials().unwrap(), 0);
let private_key = crypto::ecdsa::SecKey::gensk(&mut rng);
let credential = PublicKeyCredentialSource {
key_type: PublicKeyCredentialType::PublicKey,
credential_id: rng.gen_uniform_u8x32().to_vec(),
private_key,
rp_id: String::from("example.com"),
user_handle: vec![0x00],
user_display_name: None,
cred_protect_policy: Some(
CredentialProtectionPolicy::UserVerificationOptionalWithCredentialIdList,
),
creation_order: 0,
user_name: None,
user_icon: None,
};
assert!(persistent_store.store_credential(credential).is_ok());
let no_credential = persistent_store
.filter_credential("example.com", true)
.unwrap();
assert_eq!(no_credential, vec![]);
} }
#[test] #[test]