Merge branch 'develop' into attestation_store

2022-07-14 12:37:11 +02:00
parent f528567ce1 4736cc63c4
commit b28f8f6d33
4 changed files with 517 additions and 332 deletions
--- a/src/ctap/ctap1.rs
+++ b/src/ctap/ctap1.rs
@@ -14,7 +14,8 @@

 use super::super::clock::CtapInstant;
 use super::apdu::{Apdu, ApduStatusCode};
-use super::crypto_wrapper::{decrypt_credential_source, encrypt_key_handle, PrivateKey};
+use super::credential_id::{decrypt_credential_id, encrypt_to_credential_id};
+use super::crypto_wrapper::PrivateKey;
 use super::CtapState;
 use crate::api::attestation_store::{self, Attestation, AttestationStore};
 use crate::env::Env;
@@ -250,7 +251,7 @@ impl Ctap1Command {
            .ecdsa_key(env)
            .map_err(|_| Ctap1StatusCode::SW_INTERNAL_EXCEPTION)?;
        let pk = sk.genpk();
-        let key_handle = encrypt_key_handle(env, &private_key, &application)
+        let key_handle = encrypt_to_credential_id(env, &private_key, &application, None)
            .map_err(|_| Ctap1StatusCode::SW_INTERNAL_EXCEPTION)?;
        if key_handle.len() > 0xFF {
            // This is just being defensive with unreachable code.
@@ -310,7 +311,7 @@ impl Ctap1Command {
        flags: Ctap1Flags,
        ctap_state: &mut CtapState,
    ) -> Result<Vec<u8>, Ctap1StatusCode> {
-        let credential_source = decrypt_credential_source(env, key_handle, &application)
+        let credential_source = decrypt_credential_id(env, key_handle, &application, false)
            .map_err(|_| Ctap1StatusCode::SW_WRONG_DATA)?;
        if let Some(credential_source) = credential_source {
            let ecdsa_key = credential_source
@@ -344,7 +345,7 @@ impl Ctap1Command {

 #[cfg(test)]
 mod test {
-    use super::super::crypto_wrapper::ECDSA_CREDENTIAL_ID_SIZE;
+    use super::super::credential_id::CBOR_CREDENTIAL_ID_SIZE;
    use super::super::data_formats::SignatureAlgorithm;
    use super::*;
    use crate::api::customization::Customization;
@@ -380,13 +381,12 @@ mod test {
            flags.into(),
            0x00,
            0x00,
-            0x00,
-            65 + ECDSA_CREDENTIAL_ID_SIZE as u8,
        ];
+        message.extend(&(65 + CBOR_CREDENTIAL_ID_SIZE as u16).to_be_bytes());
        let challenge = [0x0C; 32];
        message.extend(&challenge);
        message.extend(application);
-        message.push(ECDSA_CREDENTIAL_ID_SIZE as u8);
+        message.push(CBOR_CREDENTIAL_ID_SIZE as u8);
        message.extend(key_handle);
        message
    }
@@ -437,15 +437,16 @@ mod test {
            Ctap1Command::process_command(&mut env, &message, &mut ctap_state, CtapInstant::new(0))
                .unwrap();
        assert_eq!(response[0], Ctap1Command::LEGACY_BYTE);
-        assert_eq!(response[66], ECDSA_CREDENTIAL_ID_SIZE as u8);
-        assert!(decrypt_credential_source(
+        assert_eq!(response[66], CBOR_CREDENTIAL_ID_SIZE as u8);
+        assert!(decrypt_credential_id(
            &mut env,
-            response[67..67 + ECDSA_CREDENTIAL_ID_SIZE].to_vec(),
-            &application
+            response[67..67 + CBOR_CREDENTIAL_ID_SIZE].to_vec(),
+            &application,
+            false
        )
        .unwrap()
        .is_some());
-        const CERT_START: usize = 67 + ECDSA_CREDENTIAL_ID_SIZE;
+        const CERT_START: usize = 67 + CBOR_CREDENTIAL_ID_SIZE;
        assert_eq!(
            &response[CERT_START..][..attestation.certificate.len()],
            &attestation.certificate
@@ -500,7 +501,7 @@ mod test {

        let rp_id = "example.com";
        let application = crypto::sha256::Sha256::hash(rp_id.as_bytes());
-        let key_handle = encrypt_key_handle(&mut env, &sk, &application).unwrap();
+        let key_handle = encrypt_to_credential_id(&mut env, &sk, &application, None).unwrap();
        let message = create_authenticate_message(&application, Ctap1Flags::CheckOnly, &key_handle);

        let response =
@@ -518,7 +519,7 @@ mod test {

        let rp_id = "example.com";
        let application = crypto::sha256::Sha256::hash(rp_id.as_bytes());
-        let key_handle = encrypt_key_handle(&mut env, &sk, &application).unwrap();
+        let key_handle = encrypt_to_credential_id(&mut env, &sk, &application, None).unwrap();
        let application = [0x55; 32];
        let message = create_authenticate_message(&application, Ctap1Flags::CheckOnly, &key_handle);

@@ -537,7 +538,7 @@ mod test {

        let rp_id = "example.com";
        let application = crypto::sha256::Sha256::hash(rp_id.as_bytes());
-        let key_handle = encrypt_key_handle(&mut env, &sk, &application).unwrap();
+        let key_handle = encrypt_to_credential_id(&mut env, &sk, &application, None).unwrap();
        let mut message = create_authenticate_message(
            &application,
            Ctap1Flags::DontEnforceUpAndSign,
@@ -575,7 +576,7 @@ mod test {

        let rp_id = "example.com";
        let application = crypto::sha256::Sha256::hash(rp_id.as_bytes());
-        let key_handle = encrypt_key_handle(&mut env, &sk, &application).unwrap();
+        let key_handle = encrypt_to_credential_id(&mut env, &sk, &application, None).unwrap();
        let mut message =
            create_authenticate_message(&application, Ctap1Flags::CheckOnly, &key_handle);
        message[0] = 0xEE;
@@ -595,7 +596,7 @@ mod test {

        let rp_id = "example.com";
        let application = crypto::sha256::Sha256::hash(rp_id.as_bytes());
-        let key_handle = encrypt_key_handle(&mut env, &sk, &application).unwrap();
+        let key_handle = encrypt_to_credential_id(&mut env, &sk, &application, None).unwrap();
        let mut message =
            create_authenticate_message(&application, Ctap1Flags::CheckOnly, &key_handle);
        message[1] = 0xEE;
@@ -615,7 +616,7 @@ mod test {

        let rp_id = "example.com";
        let application = crypto::sha256::Sha256::hash(rp_id.as_bytes());
-        let key_handle = encrypt_key_handle(&mut env, &sk, &application).unwrap();
+        let key_handle = encrypt_to_credential_id(&mut env, &sk, &application, None).unwrap();
        let mut message =
            create_authenticate_message(&application, Ctap1Flags::CheckOnly, &key_handle);
        message[2] = 0xEE;
@@ -643,7 +644,7 @@ mod test {

        let rp_id = "example.com";
        let application = crypto::sha256::Sha256::hash(rp_id.as_bytes());
-        let key_handle = encrypt_key_handle(&mut env, &sk, &application).unwrap();
+        let key_handle = encrypt_to_credential_id(&mut env, &sk, &application, None).unwrap();
        let message =
            create_authenticate_message(&application, Ctap1Flags::EnforceUpAndSign, &key_handle);

@@ -671,7 +672,7 @@ mod test {

        let rp_id = "example.com";
        let application = crypto::sha256::Sha256::hash(rp_id.as_bytes());
-        let key_handle = encrypt_key_handle(&mut env, &sk, &application).unwrap();
+        let key_handle = encrypt_to_credential_id(&mut env, &sk, &application, None).unwrap();
        let message = create_authenticate_message(
            &application,
            Ctap1Flags::DontEnforceUpAndSign,
@@ -697,7 +698,7 @@ mod test {
    #[test]
    fn test_process_authenticate_bad_key_handle() {
        let application = [0x0A; 32];
-        let key_handle = vec![0x00; ECDSA_CREDENTIAL_ID_SIZE];
+        let key_handle = vec![0x00; CBOR_CREDENTIAL_ID_SIZE];
        let message =
            create_authenticate_message(&application, Ctap1Flags::EnforceUpAndSign, &key_handle);

@@ -716,7 +717,7 @@ mod test {
    #[test]
    fn test_process_authenticate_without_up() {
        let application = [0x0A; 32];
-        let key_handle = vec![0x00; ECDSA_CREDENTIAL_ID_SIZE];
+        let key_handle = vec![0x00; CBOR_CREDENTIAL_ID_SIZE];
        let message =
            create_authenticate_message(&application, Ctap1Flags::EnforceUpAndSign, &key_handle);