Move more customization constants to new file (#459)
* Move DEFAULT_CRED_PROTECT to customization api * Fix format * Remove blank line
This commit is contained in:
hcyang
GitHub
@@ -17,7 +17,31 @@
|
||||
//! If you adapt them, make sure to run the tests before flashing the firmware.
|
||||
//! Our deploy script enforces the invariants.
|
||||
|
||||
use crate::ctap::data_formats::CredentialProtectionPolicy;
|
||||
|
||||
pub trait Customization {
|
||||
// ###########################################################################
|
||||
// Constants for adjusting privacy and protection levels.
|
||||
// ###########################################################################
|
||||
|
||||
/// Changes the default level for the credProtect extension.
|
||||
///
|
||||
/// You can change this value to one of the following for more privacy:
|
||||
/// - CredentialProtectionPolicy::UserVerificationOptionalWithCredentialIdList
|
||||
/// - CredentialProtectionPolicy::UserVerificationRequired
|
||||
///
|
||||
/// UserVerificationOptionalWithCredentialIdList
|
||||
/// Resident credentials are discoverable with
|
||||
/// - an allowList,
|
||||
/// - an excludeList,
|
||||
/// - user verification.
|
||||
///
|
||||
/// UserVerificationRequired
|
||||
/// Resident credentials are discoverable with user verification only.
|
||||
///
|
||||
/// This can improve privacy, but can make usage less comfortable.
|
||||
fn default_cred_protect(&self) -> Option<CredentialProtectionPolicy>;
|
||||
|
||||
/// Maximum message size send for CTAP commands.
|
||||
///
|
||||
/// The maximum value is 7609, as HID packets can not encode longer messages.
|
||||
@@ -30,12 +54,20 @@ pub trait Customization {
|
||||
|
||||
#[derive(Clone)]
|
||||
pub struct CustomizationImpl {
|
||||
pub default_cred_protect: Option<CredentialProtectionPolicy>,
|
||||
pub max_msg_size: usize,
|
||||
}
|
||||
|
||||
pub const DEFAULT_CUSTOMIZATION: CustomizationImpl = CustomizationImpl { max_msg_size: 7609 };
|
||||
pub const DEFAULT_CUSTOMIZATION: CustomizationImpl = CustomizationImpl {
|
||||
default_cred_protect: None,
|
||||
max_msg_size: 7609,
|
||||
};
|
||||
|
||||
impl Customization for CustomizationImpl {
|
||||
fn default_cred_protect(&self) -> Option<CredentialProtectionPolicy> {
|
||||
self.default_cred_protect
|
||||
}
|
||||
|
||||
fn max_msg_size(&self) -> usize {
|
||||
self.max_msg_size
|
||||
}
|
||||
|
||||
@@ -17,30 +17,12 @@
|
||||
//! If you adapt them, make sure to run the tests before flashing the firmware.
|
||||
//! Our deploy script enforces the invariants.
|
||||
|
||||
use crate::ctap::data_formats::{CredentialProtectionPolicy, EnterpriseAttestationMode};
|
||||
use crate::ctap::data_formats::EnterpriseAttestationMode;
|
||||
|
||||
// ###########################################################################
|
||||
// Constants for adjusting privacy and protection levels.
|
||||
// ###########################################################################
|
||||
|
||||
/// Changes the default level for the credProtect extension.
|
||||
///
|
||||
/// You can change this value to one of the following for more privacy:
|
||||
/// - CredentialProtectionPolicy::UserVerificationOptionalWithCredentialIdList
|
||||
/// - CredentialProtectionPolicy::UserVerificationRequired
|
||||
///
|
||||
/// UserVerificationOptionalWithCredentialIdList
|
||||
/// Resident credentials are discoverable with
|
||||
/// - an allowList,
|
||||
/// - an excludeList,
|
||||
/// - user verification.
|
||||
///
|
||||
/// UserVerificationRequired
|
||||
/// Resident credentials are discoverable with user verification only.
|
||||
///
|
||||
/// This can improve privacy, but can make usage less comfortable.
|
||||
pub const DEFAULT_CRED_PROTECT: Option<CredentialProtectionPolicy> = None;
|
||||
|
||||
/// Sets the initial minimum PIN length in code points.
|
||||
///
|
||||
/// # Invariant
|
||||
|
||||
@@ -44,9 +44,9 @@ use self::config_command::process_config;
|
||||
use self::credential_management::process_credential_management;
|
||||
use self::crypto_wrapper::{aes256_cbc_decrypt, aes256_cbc_encrypt};
|
||||
use self::customization::{
|
||||
DEFAULT_CRED_PROTECT, ENTERPRISE_ATTESTATION_MODE, ENTERPRISE_RP_ID_LIST,
|
||||
MAX_CREDENTIAL_COUNT_IN_LIST, MAX_CRED_BLOB_LENGTH, MAX_LARGE_BLOB_ARRAY_SIZE,
|
||||
MAX_RP_IDS_LENGTH, USE_BATCH_ATTESTATION, USE_SIGNATURE_COUNTER,
|
||||
ENTERPRISE_ATTESTATION_MODE, ENTERPRISE_RP_ID_LIST, MAX_CREDENTIAL_COUNT_IN_LIST,
|
||||
MAX_CRED_BLOB_LENGTH, MAX_LARGE_BLOB_ARRAY_SIZE, MAX_RP_IDS_LENGTH, USE_BATCH_ATTESTATION,
|
||||
USE_SIGNATURE_COUNTER,
|
||||
};
|
||||
use self::data_formats::{
|
||||
AuthenticatorTransport, CoseKey, CoseSignature, CredentialProtectionPolicy,
|
||||
@@ -763,11 +763,12 @@ impl CtapState {
|
||||
env.user_presence().check(channel)?;
|
||||
self.client_pin.clear_token_flags();
|
||||
|
||||
let default_cred_protect = env.customization().default_cred_protect();
|
||||
let mut cred_protect_policy = extensions.cred_protect;
|
||||
if cred_protect_policy.unwrap_or(CredentialProtectionPolicy::UserVerificationOptional)
|
||||
< DEFAULT_CRED_PROTECT.unwrap_or(CredentialProtectionPolicy::UserVerificationOptional)
|
||||
< default_cred_protect.unwrap_or(CredentialProtectionPolicy::UserVerificationOptional)
|
||||
{
|
||||
cred_protect_policy = DEFAULT_CRED_PROTECT;
|
||||
cred_protect_policy = default_cred_protect;
|
||||
}
|
||||
let min_pin_length =
|
||||
extensions.min_pin_length && storage::min_pin_length_rp_ids(env)?.contains(&rp_id);
|
||||
|
||||
Reference in New Issue
Block a user