kmwebnet/OpenSK
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'develop' into cose-api

Browse Source
This commit is contained in:
kaczmarczyck
2021-01-12 10:24:15 +01:00
committed by GitHub
parent 6f9f833c0b 499816069e
commit 688d11c6b6
3 changed files with 251 additions and 148 deletions
Download Patch File Download Diff File Expand all files Collapse all files

102
src/ctap/mod.rs
View File

@@ -142,7 +142,7 @@ struct AssertionInput {
struct AssertionState {
assertion_input: AssertionInput,
// Sorted by ascending order of creation, so the last element is the most recent one.
next_credentials: Vec<PublicKeyCredentialSource>,
next_credential_keys: Vec<usize>,
}
enum StatefulCommand {
@@ -604,7 +604,7 @@ where
// and returns the correct Get(Next)Assertion response.
fn assertion_response(
&mut self,
credential: PublicKeyCredentialSource,
mut credential: PublicKeyCredentialSource,
assertion_input: AssertionInput,
number_of_credentials: Option<usize>,
) -> Result<ResponseData, Ctap2StatusCode> {
@@ -640,6 +640,12 @@ where
key_id: credential.credential_id,
transports: None, // You can set USB as a hint here.
};
// Remove user identifiable information without uv.
if !has_uv {
credential.user_name = None;
credential.user_display_name = None;
credential.user_icon = None;
}
let user = if !credential.user_handle.is_empty() {
Some(PublicKeyCredentialUserEntity {
user_id: credential.user_handle,
@@ -747,26 +753,35 @@ where
}
let rp_id_hash = Sha256::hash(rp_id.as_bytes());
let mut applicable_credentials = if let Some(allow_list) = allow_list {
if let Some(credential) =
self.get_any_credential_from_allow_list(allow_list, &rp_id, &rp_id_hash, has_uv)?
{
vec![credential]
} else {
vec![]
}
let (credential, next_credential_keys) = if let Some(allow_list) = allow_list {
(
self.get_any_credential_from_allow_list(allow_list, &rp_id, &rp_id_hash, has_uv)?,
vec![],
)
} else {
self.persistent_store.filter_credential(&rp_id, !has_uv)?
let mut iter_result = Ok(());
let iter = self.persistent_store.iter_credentials(&mut iter_result)?;
let mut stored_credentials: Vec<(usize, u64)> = iter
.filter_map(|(key, credential)| {
if credential.rp_id == rp_id && (has_uv || credential.is_discoverable()) {
Some((key, credential.creation_order))
} else {
None
}
})
.collect();
iter_result?;
stored_credentials.sort_unstable_by_key(|&(_key, order)| order);
let mut stored_credentials: Vec<usize> = stored_credentials
.into_iter()
.map(|(key, _order)| key)
.collect();
let credential = stored_credentials
.pop()
.map(|key| self.persistent_store.get_credential(key))
.transpose()?;
(credential, stored_credentials)
};
// Remove user identifiable information without uv.
if !has_uv {
for credential in &mut applicable_credentials {
credential.user_name = None;
credential.user_display_name = None;
credential.user_icon = None;
}
}
applicable_credentials.sort_unstable_by_key(|c| c.creation_order);
// This check comes before CTAP2_ERR_NO_CREDENTIALS in CTAP 2.0.
// For CTAP 2.1, it was moved to a later protocol step.
@@ -774,9 +789,7 @@ where
(self.check_user_presence)(cid)?;
}
let credential = applicable_credentials
.pop()
.ok_or(Ctap2StatusCode::CTAP2_ERR_NO_CREDENTIALS)?;
let credential = credential.ok_or(Ctap2StatusCode::CTAP2_ERR_NO_CREDENTIALS)?;
self.increment_global_signature_counter()?;
@@ -786,15 +799,15 @@ where
hmac_secret_input,
has_uv,
};
let number_of_credentials = if applicable_credentials.is_empty() {
let number_of_credentials = if next_credential_keys.is_empty() {
None
} else {
let number_of_credentials = Some(applicable_credentials.len() + 1);
let number_of_credentials = Some(next_credential_keys.len() + 1);
self.stateful_command_permission =
TimedPermission::granted(now, STATEFUL_COMMAND_TIMEOUT_DURATION);
self.stateful_command_type = Some(StatefulCommand::GetAssertion(AssertionState {
assertion_input: assertion_input.clone(),
next_credentials: applicable_credentials,
next_credential_keys,
}));
number_of_credentials
};
@@ -810,10 +823,11 @@ where
if let Some(StatefulCommand::GetAssertion(assertion_state)) =
&mut self.stateful_command_type
{
let credential = assertion_state
.next_credentials
let credential_key = assertion_state
.next_credential_keys
.pop()
.ok_or(Ctap2StatusCode::CTAP2_ERR_NOT_ALLOWED)?;
let credential = self.persistent_store.get_credential(credential_key)?;
(assertion_state.assertion_input.clone(), credential)
} else {
return Err(Ctap2StatusCode::CTAP2_ERR_NOT_ALLOWED);
@@ -846,13 +860,19 @@ where
CtapState::<R, CheckUserPresence>::PIN_PROTOCOL_VERSION,
]),
max_credential_count_in_list: MAX_CREDENTIAL_COUNT_IN_LIST.map(|c| c as u64),
// #TODO(106) update with version 2.1 of HMAC-secret
// TODO(#106) update with version 2.1 of HMAC-secret
max_credential_id_length: Some(CREDENTIAL_ID_SIZE as u64),
transports: Some(vec![AuthenticatorTransport::Usb]),
algorithms: Some(vec![ES256_CRED_PARAM]),
default_cred_protect: DEFAULT_CRED_PROTECT,
min_pin_length: self.persistent_store.min_pin_length()?,
firmware_version: None,
max_cred_blob_length: None,
// TODO(kaczmarczyck) update when extension is implemented
max_rp_ids_for_set_min_pin_length: None,
remaining_discoverable_credentials: Some(
self.persistent_store.remaining_credentials()? as u64,
),
},
))
}
@@ -1013,7 +1033,7 @@ mod test {
let mut ctap_state = CtapState::new(&mut rng, user_immediately_present, DUMMY_CLOCK_VALUE);
let info_reponse = ctap_state.process_command(&[0x04], DUMMY_CHANNEL_ID, DUMMY_CLOCK_VALUE);
let mut expected_response = vec![0x00, 0xAA, 0x01];
let mut expected_response = vec![0x00, 0xAB, 0x01];
// The version array differs with CTAP1, always including 2.0 and 2.1.
#[cfg(not(feature = "with_ctap1"))]
let version_count = 2;
@@ -1037,7 +1057,7 @@ mod test {
0x65, 0x6E, 0x74, 0x50, 0x69, 0x6E, 0xF4, 0x05, 0x19, 0x04, 0x00, 0x06, 0x81, 0x01,
0x08, 0x18, 0x70, 0x09, 0x81, 0x63, 0x75, 0x73, 0x62, 0x0A, 0x81, 0xA2, 0x63, 0x61,
0x6C, 0x67, 0x26, 0x64, 0x74, 0x79, 0x70, 0x65, 0x6A, 0x70, 0x75, 0x62, 0x6C, 0x69,
0x63, 0x2D, 0x6B, 0x65, 0x79, 0x0D, 0x04,
0x63, 0x2D, 0x6B, 0x65, 0x79, 0x0D, 0x04, 0x14, 0x18, 0x96,
]
.iter(),
);
@@ -1242,12 +1262,14 @@ mod test {
ctap_state.process_make_credential(make_credential_params, DUMMY_CHANNEL_ID);
assert!(make_credential_response.is_ok());
let stored_credential = ctap_state
let mut iter_result = Ok(());
let iter = ctap_state
.persistent_store
.filter_credential("example.com", false)
.unwrap()
.pop()
.iter_credentials(&mut iter_result)
.unwrap();
// There is only 1 credential, so last is good enough.
let (_, stored_credential) = iter.last().unwrap();
iter_result.unwrap();
let credential_id = stored_credential.credential_id;
assert_eq!(stored_credential.cred_protect_policy, Some(test_policy));
@@ -1267,12 +1289,14 @@ mod test {
ctap_state.process_make_credential(make_credential_params, DUMMY_CHANNEL_ID);
assert!(make_credential_response.is_ok());
let stored_credential = ctap_state
let mut iter_result = Ok(());
let iter = ctap_state
.persistent_store
.filter_credential("example.com", false)
.unwrap()
.pop()
.iter_credentials(&mut iter_result)
.unwrap();
// There is only 1 credential, so last is good enough.
let (_, stored_credential) = iter.last().unwrap();
iter_result.unwrap();
let credential_id = stored_credential.credential_id;
assert_eq!(stored_credential.cred_protect_policy, Some(test_policy));