From 315016f55265621cc7448c31817b41e66b694e49 Mon Sep 17 00:00:00 2001
From: Fabian Kaczmarczyck
Date: Fri, 20 Nov 2020 02:50:47 +0100
Subject: [PATCH] unwraps credentials in the exclude list
---
 src/ctap/mod.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/ctap/mod.rs b/src/ctap/mod.rs
index 1a98ce5..66ef234 100644
--- a/src/ctap/mod.rs
+++ b/src/ctap/mod.rs
@@ -392,12 +392,16 @@ where
 let has_extension_output = use_hmac_extension || cred_protect_policy.is_some();
 let rp_id = rp.rp_id;
+ let rp_id_hash = Sha256::hash(rp_id.as_bytes());
 if let Some(exclude_list) = exclude_list {
 for cred_desc in exclude_list {
 if self
 .persistent_store
 .find_credential(&rp_id, &cred_desc.key_id, pin_uv_auth_param.is_none())?
 .is_some()
+ || self
 .decrypt_credential_source(cred_desc.key_id, &rp_id_hash)?
 .is_some()
 {
 // Perform this check, so bad actors can't brute force exclude_list
 // without user interaction.
@@ -446,7 +450,6 @@ where
 let sk = crypto::ecdsa::SecKey::gensk(self.rng);
 let pk = sk.genpk();
- let rp_id_hash = Sha256::hash(rp_id.as_bytes());
 let credential_id = if options.rk {
 let random_id = self.rng.gen_uniform_u8x32().to_vec();
 let credential_source = PublicKeyCredentialSource {
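Review bot: The added `|| self.decrypt_credential_source(cred_desc.key_id, &rp_id_hash)?` arm in the exclude-list loop propagates every error with `?`, so if that helper returns `Err` for entries that are not this authenticator's wrapped credentials (foreign key IDs, wrong length, a blob that fails authentication), a single unrecognized exclude-list entry aborts the whole makeCredential instead of being skipped as the loop's intent suggests. The helper is not visible in this hunk, so confirm it yields `Ok(None)` for IDs it cannot unwrap; if it does not, treat a decode failure as "not ours", e.g. `.decrypt_credential_source(cred_desc.key_id, &rp_id_hash).unwrap_or(None)`, and record that contract in a doc comment on the helper. Note also that the `persistent_store` arm passes `pin_uv_auth_param.is_none()` while the new arm has no equivalent flag, so a wrapped credential is matched regardless of whatever that flag gates for stored ones — presumably acceptable if wrapped credentials carry no such policy, but a one-line comment stating so would help the next reader. The enclosing function starts and ends outside the hunk.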