kmwebnet/OpenSK
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Address first round of comments.

Browse Source
This commit is contained in:
Jean-Michel Picod
2020-12-11 12:58:26 +01:00
parent ca0606a557
commit 7213c4ee99
7 changed files with 157 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

85
src/ctap/command.rs
View File

@@ -400,10 +400,10 @@ impl TryFrom<cbor::Value> for AuthenticatorAttestationMaterial {
2 => private_key,
} = extract_map(cbor_value)?;
}
let certificate = certificate.map(extract_byte_string).transpose()?.unwrap();
let private_key = private_key.map(extract_byte_string).transpose()?.unwrap();
let certificate = extract_byte_string(ok_or_missing(certificate)?)?;
let private_key = extract_byte_string(ok_or_missing(private_key)?)?;
if private_key.len() != key_material::ATTESTATION_PRIVATE_KEY_LENGTH {
return Err(Ctap2StatusCode::CTAP2_ERR_INVALID_CBOR);
return Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER);
}
let private_key = array_ref!(private_key, 0, key_material::ATTESTATION_PRIVATE_KEY_LENGTH);
Ok(AuthenticatorAttestationMaterial {
@@ -638,4 +638,83 @@ mod test {
let command = Command::deserialize(&cbor_bytes);
assert_eq!(command, Ok(Command::AuthenticatorSelection));
}
#[test]
fn test_vendor_configure() {
// Incomplete command
let mut cbor_bytes = vec![Command::AUTHENTICATOR_VENDOR_CONFIGURE];
let command = Command::deserialize(&cbor_bytes);
assert_eq!(command, Err(Ctap2StatusCode::CTAP2_ERR_INVALID_CBOR));
cbor_bytes.extend(&[0xA1, 0x01, 0xF5]);
let command = Command::deserialize(&cbor_bytes);
assert_eq!(
command,
Ok(Command::AuthenticatorVendorConfigure(
AuthenticatorVendorConfigureParameters {
lockdown: true,
attestation_material: None
}
))
);
let dummy_cert = [0xddu8; 20];
let dummy_pkey = [0x41u8; key_material::ATTESTATION_PRIVATE_KEY_LENGTH];
// Attestation key is too short.
let cbor_value = cbor_map! {
1 => false,
2 => cbor_map! {
1 => dummy_cert,
2 => dummy_pkey[..key_material::ATTESTATION_PRIVATE_KEY_LENGTH - 1]
}
};
assert_eq!(
AuthenticatorVendorConfigureParameters::try_from(cbor_value),
Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER)
);
// Missing private key
let cbor_value = cbor_map! {
1 => false,
2 => cbor_map! {
1 => dummy_cert
}
};
assert_eq!(
AuthenticatorVendorConfigureParameters::try_from(cbor_value),
Err(Ctap2StatusCode::CTAP2_ERR_MISSING_PARAMETER)
);
// Missing certificate
let cbor_value = cbor_map! {
1 => false,
2 => cbor_map! {
2 => dummy_pkey
}
};
assert_eq!(
AuthenticatorVendorConfigureParameters::try_from(cbor_value),
Err(Ctap2StatusCode::CTAP2_ERR_MISSING_PARAMETER)
);
// Valid
let cbor_value = cbor_map! {
1 => false,
2 => cbor_map! {
1 => dummy_cert,
2 => dummy_pkey
}
};
assert_eq!(
AuthenticatorVendorConfigureParameters::try_from(cbor_value),
Ok(AuthenticatorVendorConfigureParameters {
lockdown: false,
attestation_material: Some(AuthenticatorAttestationMaterial {
certificate: dummy_cert.to_vec(),
private_key: dummy_pkey
})
})
);
}
}

91
src/ctap/mod.rs
View File

@@ -931,22 +931,64 @@ where
(self.check_user_presence)(cid)?;
// Sanity checks
let has_priv_key = self.persistent_store.attestation_private_key()?.is_some();
let has_cert = self.persistent_store.attestation_certificate()?.is_some();
let current_priv_key = self.persistent_store.attestation_private_key()?;
let current_cert = self.persistent_store.attestation_certificate()?;
if params.attestation_material.is_some() {
let response = if params.attestation_material.is_some() {
let data = params.attestation_material.unwrap();
if !has_cert {
self.persistent_store
.set_attestation_certificate(&data.certificate)?;
match (current_cert, current_priv_key) {
(Some(_), Some(_)) => {
// Device is fully programmed.
// We don't compare values to avoid giving an oracle
// about the private key.
AuthenticatorVendorResponse {
cert_programmed: true,
pkey_programmed: true,
}
}
// Device is not programmed.
(None, None) => {
self.persistent_store
.set_attestation_certificate(&data.certificate)?;
self.persistent_store
.set_attestation_private_key(&data.private_key)?;
AuthenticatorVendorResponse {
cert_programmed: true,
pkey_programmed: true,
}
}
// Device is partially programmed. Ensure the programmed value
// matched the given one before programming anything.
(Some(cert), None) => {
if cert != data.certificate {
return Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER);
}
self.persistent_store
.set_attestation_private_key(&data.private_key)?;
AuthenticatorVendorResponse {
cert_programmed: true,
pkey_programmed: true,
}
}
(None, Some(key)) => {
if key != data.private_key {
return Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER);
}
self.persistent_store
.set_attestation_certificate(&data.certificate)?;
AuthenticatorVendorResponse {
cert_programmed: true,
pkey_programmed: true,
}
}
}
if !has_priv_key {
self.persistent_store
.set_attestation_private_key(&data.private_key)?;
} else {
AuthenticatorVendorResponse {
cert_programmed: current_cert.is_some(),
pkey_programmed: current_priv_key.is_some(),
}
};
let has_priv_key = self.persistent_store.attestation_private_key()?.is_some();
let has_cert = self.persistent_store.attestation_certificate()?.is_some();
if params.lockdown {
// To avoid bricking the authenticator, we only allow lockdown
// to happen if both values are programmed or if both U2F/CTAP1 and
@@ -956,28 +998,13 @@ where
#[cfg(not(feature = "with_ctap1"))]
let need_certificate = USE_BATCH_ATTESTATION;
if (need_certificate && !(has_priv_key && has_cert))
if (need_certificate && !(response.pkey_programmed && response.cert_programmed))
|| libtock_drivers::crp::protect().is_err()
{
Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR)
} else {
Ok(ResponseData::AuthenticatorVendor(
AuthenticatorVendorResponse {
cert_programmed: has_cert,
pkey_programmed: has_priv_key,
lockdown_enabled: true,
},
))
return Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR);
}
} else {
Ok(ResponseData::AuthenticatorVendor(
AuthenticatorVendorResponse {
cert_programmed: has_cert,
pkey_programmed: has_priv_key,
lockdown_enabled: false,
},
))
}
Ok(ResponseData::AuthenticatorVendor(response))
}
pub fn generate_auth_data(
@@ -2135,7 +2162,6 @@ mod test {
AuthenticatorVendorResponse {
cert_programmed: false,
pkey_programmed: false,
lockdown_enabled: false
}
))
);
@@ -2159,7 +2185,6 @@ mod test {
AuthenticatorVendorResponse {
cert_programmed: true,
pkey_programmed: true,
lockdown_enabled: false
}
))
);
@@ -2180,7 +2205,7 @@ mod test {
dummy_key
);
// Try to inject other dummy values and check that intial values are retained.
// Try to inject other dummy values and check that initial values are retained.
let other_dummy_key = [0x44u8; key_material::ATTESTATION_PRIVATE_KEY_LENGTH];
let response = ctap_state.process_vendor_configure(
AuthenticatorVendorConfigureParameters {
@@ -2198,7 +2223,6 @@ mod test {
AuthenticatorVendorResponse {
cert_programmed: true,
pkey_programmed: true,
lockdown_enabled: false
}
))
);
@@ -2233,7 +2257,6 @@ mod test {
AuthenticatorVendorResponse {
cert_programmed: true,
pkey_programmed: true,
lockdown_enabled: true
}
))
);

3
src/ctap/response.rs
View File

@@ -238,7 +238,6 @@ impl From<AuthenticatorClientPinResponse> for cbor::Value {
pub struct AuthenticatorVendorResponse {
pub cert_programmed: bool,
pub pkey_programmed: bool,
pub lockdown_enabled: bool,
}
impl From<AuthenticatorVendorResponse> for cbor::Value {
@@ -246,13 +245,11 @@ impl From<AuthenticatorVendorResponse> for cbor::Value {
let AuthenticatorVendorResponse {
cert_programmed,
pkey_programmed,
lockdown_enabled,
} = vendor_response;
cbor_map_options! {
1 => cert_programmed,
2 => pkey_programmed,
3 => lockdown_enabled,
}
}
}

3
src/ctap/storage.rs
View File

@@ -964,8 +964,7 @@ mod test {
.unwrap()
.is_none());
// Make sure the persistent keys are initialized.
// Put dummy values
// Make sure the persistent keys are initialized to dummy values.
let dummy_key = [0x41u8; key_material::ATTESTATION_PRIVATE_KEY_LENGTH];
let dummy_cert = [0xddu8; 20];
persistent_store