Access the persistent keys through the store
This permits to set them using a vendor command and thus not embed their value in the application.
This commit is contained in:
Julien Cretin
@@ -37,7 +37,6 @@ use self::data_formats::{
|
||||
PublicKeyCredentialType, PublicKeyCredentialUserEntity, SignatureAlgorithm,
|
||||
};
|
||||
use self::hid::ChannelID;
|
||||
use self::key_material::{AAGUID, ATTESTATION_CERTIFICATE, ATTESTATION_PRIVATE_KEY};
|
||||
use self::response::{
|
||||
AuthenticatorClientPinResponse, AuthenticatorGetAssertionResponse,
|
||||
AuthenticatorGetInfoResponse, AuthenticatorMakeCredentialResponse, ResponseData,
|
||||
@@ -509,7 +508,7 @@ where
|
||||
};
|
||||
|
||||
let mut auth_data = self.generate_auth_data(&rp_id_hash, flags);
|
||||
auth_data.extend(AAGUID);
|
||||
auth_data.extend(self.persistent_store.aaguid()?);
|
||||
// The length is fixed to 0x20 or 0x70 and fits one byte.
|
||||
if credential_id.len() > 0xFF {
|
||||
return Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_RESPONSE_TOO_LONG);
|
||||
@@ -534,10 +533,11 @@ where
|
||||
signature_data.extend(client_data_hash);
|
||||
let (signature, x5c) = if USE_BATCH_ATTESTATION {
|
||||
let attestation_key =
|
||||
crypto::ecdsa::SecKey::from_bytes(ATTESTATION_PRIVATE_KEY).unwrap();
|
||||
crypto::ecdsa::SecKey::from_bytes(self.persistent_store.attestation_private_key()?)
|
||||
.unwrap();
|
||||
(
|
||||
attestation_key.sign_rfc6979::<crypto::sha256::Sha256>(&signature_data),
|
||||
Some(vec![ATTESTATION_CERTIFICATE.to_vec()]),
|
||||
Some(vec![self.persistent_store.attestation_certificate()?]),
|
||||
)
|
||||
} else {
|
||||
(
|
||||
@@ -769,7 +769,7 @@ where
|
||||
String::from(FIDO2_VERSION_STRING),
|
||||
],
|
||||
extensions: Some(vec![String::from("hmac-secret")]),
|
||||
aaguid: *AAGUID,
|
||||
aaguid: *self.persistent_store.aaguid()?,
|
||||
options: Some(options_map),
|
||||
max_msg_size: Some(1024),
|
||||
pin_protocols: Some(vec![
|
||||
@@ -1124,7 +1124,7 @@ mod test {
|
||||
0x02, 0x81, 0x6B, 0x68, 0x6D, 0x61, 0x63, 0x2D, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74,
|
||||
0x03, 0x50,
|
||||
]);
|
||||
expected_response.extend(AAGUID);
|
||||
expected_response.extend(ctap_state.persistent_store.aaguid().unwrap());
|
||||
expected_response.extend(&[
|
||||
0x04, 0xA3, 0x62, 0x72, 0x6B, 0xF5, 0x62, 0x75, 0x70, 0xF5, 0x69, 0x63, 0x6C, 0x69,
|
||||
0x65, 0x6E, 0x74, 0x50, 0x69, 0x6E, 0xF4, 0x05, 0x19, 0x04, 0x00, 0x06, 0x81, 0x01,
|
||||
@@ -1197,7 +1197,7 @@ mod test {
|
||||
0x34, 0xE2, 0x75, 0x1E, 0x68, 0x2F, 0xAB, 0x9F, 0x2D, 0x30, 0xAB, 0x13, 0xD2,
|
||||
0x12, 0x55, 0x86, 0xCE, 0x19, 0x47, 0x41, 0x00, 0x00, 0x00, 0x00,
|
||||
];
|
||||
expected_auth_data.extend(AAGUID);
|
||||
expected_auth_data.extend(ctap_state.persistent_store.aaguid().unwrap());
|
||||
expected_auth_data.extend(&[0x00, 0x20]);
|
||||
assert_eq!(
|
||||
auth_data[0..expected_auth_data.len()],
|
||||
@@ -1234,7 +1234,7 @@ mod test {
|
||||
0x34, 0xE2, 0x75, 0x1E, 0x68, 0x2F, 0xAB, 0x9F, 0x2D, 0x30, 0xAB, 0x13, 0xD2,
|
||||
0x12, 0x55, 0x86, 0xCE, 0x19, 0x47, 0x41, 0x00, 0x00, 0x00, 0x00,
|
||||
];
|
||||
expected_auth_data.extend(AAGUID);
|
||||
expected_auth_data.extend(ctap_state.persistent_store.aaguid().unwrap());
|
||||
expected_auth_data.extend(&[0x00, ENCRYPTED_CREDENTIAL_ID_SIZE as u8]);
|
||||
assert_eq!(
|
||||
auth_data[0..expected_auth_data.len()],
|
||||
@@ -1330,7 +1330,7 @@ mod test {
|
||||
0x34, 0xE2, 0x75, 0x1E, 0x68, 0x2F, 0xAB, 0x9F, 0x2D, 0x30, 0xAB, 0x13, 0xD2,
|
||||
0x12, 0x55, 0x86, 0xCE, 0x19, 0x47, 0xC1, 0x00, 0x00, 0x00, 0x00,
|
||||
];
|
||||
expected_auth_data.extend(AAGUID);
|
||||
expected_auth_data.extend(ctap_state.persistent_store.aaguid().unwrap());
|
||||
expected_auth_data.extend(&[0x00, 0x20]);
|
||||
assert_eq!(
|
||||
auth_data[0..expected_auth_data.len()],
|
||||
|
||||
Reference in New Issue
Block a user