* Persist/parse slot_id in/from credential
Persist slot_id into credential_id or the resident credential record
during MakeCredential, and parse it during GetAssertion. Add related
unittests.
* Fix styles
* Move enable_pin_uv back to ctap/mod.rs
* Parse slot_id in use from token state
Support switching to multi-PIN feature and making the default slots 8.
But the command to switch to multi-PIN isn't exposed yet because the
implementation isn't ready.
Main change of this commit is to cache the slot_id in use inside token
state, and retrieve it from token state when needed.
* Fix once_cell dependency (#548)
* fixed version of once_cell
* fixes comments
* removes unnecessary fuzz dependency
* Fix styles
Co-authored-by: kaczmarczyck <43844792+kaczmarczyck@users.noreply.github.com>
* Add basic setup for multi-PIN
- Reserve the storage keys for maximum of 8 user slots.
- Modify the storage functions to take a slot_id parameter.
- Add the slot_count() customization.
- Assume slot_id as a parameter when needed except these places:
- Entrance functions of command processing that directly takes the
command parameter structure. slot_id is set as 0, and will be
parsed from the parameters when we enable the feature.
- MakeCredential/GetAssertion/AuthenticatorConfig will take the
slot_id from active token state when we enable the feature,
resulting in an `Option<usize>`. Below code will act on the option
value correctly. When the feature isn't enabled, we're always
referring to the only PIN slot so set slot_id as Some(0).
- GetInfo returns verdict of whether PIN is supported and enabled, and
whether PIN needs to be forced changed. There will be new fields to
represent those values when the feature is enabled, and the old
fields will not be populated. So when the feature isn't enabled, we
can treat slot_id as 0.
Not covered in this commit:
- Unittests for other slots. The existing tests all pass and I plan to
add unittests for multi-slot case after the codebase allows enabling
the feature.
- Persisting and checking the slot_id in credentials. This is planned to
come in the next commit.
* Fix storage and some other style
* Add support for concatenated values
* Switch some storage entries back to multi-entry
* Set bumpalo version for fuzzing (#532)
* maximum working bumpalo version
* explicit comment to explain version locking
* removes incorrect comment
* moves serde version lock to dev dependencies
* removes serde dependencies
* reverts serde removal in crypto library
* Make PIN_PROPERTIES use concatenated storage entry
* Fix bumpalo issue
* Use concatenated storage entry for force_pin_change too
* Fix cargofmt
Co-authored-by: Julien Cretin <cretin@google.com>
Co-authored-by: kaczmarczyck <43844792+kaczmarczyck@users.noreply.github.com>
* Support credBlob for non-resident credentials
- Add a upper limit of max_cred_blob_length
- Add test cases for cred_blob in non-resident flows
- Modify the test helper functions in ctap/mod.rs a bit
* Fix some styles in credential_id.rs
Co-authored-by: kaczmarczyck <43844792+kaczmarczyck@users.noreply.github.com>
* Duplicate the credential management command as a vendor command
This permits to work with libfido2 and thus ssh-add. Fix#526.
* fix deploy_partition script
* Support configure via the Vendor interface
* Adjust tests now that GetInfo is supported on vendor_hid
* Add test for vendor_hid not supporting FIDO command
* Interleave sending and receiving of packets to reduce latency in receiving of packets
* Add patch to CtapUsbSyscallDriver
* Minor tweaks from review
* Log when overwritting an existing reply
* Only log when 'debug_ctap' is enabled
* Make ctap mod public, as per review
* Rename send_or_recv to send_and_maybe_recv
* fix typo
* Don't process packets on other transport while doing keepalive
* Don't process packets on other transport while doing keepalive
* More accurately determine if reply has finished
* Move comment closer to appropriate location
* Add tests for canceling keepalive packets
* Added a TODO for kaczmarczyck re ctap module being public
* remove the unnecessary sleep()s
* undo messed up commit
* address pylint warnings
* Fix merge mess up, and patch fido2 Usage Page
* Fix up completely borked merge
* Remove patch to FIDO usage, after #523.
* remove obsolete aspects to diff
Co-authored-by: kaczmarczyck <43844792+kaczmarczyck@users.noreply.github.com>
* Fix user presence by not overwriting error with OK()
* revert debugging change to TOUCH_TIMEOUT_MS
* fix up incomplete merge
* rename variable to more understandable name
* Add tests to test user_presence
* Move out check credProtectPolicy logic
Move the credProtectPolicy check outside credential ID decryption &
discoverable credential finding. Modify the unit tests, and add unit
tests for credProtectPolicy checking in non resident flows that were
originally missing.
* Add CBOR credential ID type
Update the format of the credential ID we generated to extend the
encrypted portion from only private_key + rp_id_hash to a flexible CBOR
map. This way we can persist more data into the key handle in the future
without need of a new version.
We add credProtectPolicy to the persisted data in this commit too, so we
can correctly check the credProtectPolicy for non-discoverable
credentials in follow-up commits.
* Fixed some style problems.
* Fix cargo clippy warning
* Check credProtectPolicy for non-discoverable credentials.
* Remove support of old v1, v2 key handles
- And changed some style problems
* Style changes
* Add missing `alloc` use
* Common duration type for ctap library independent of TockOS
* Implement Env-specific ctap-hid channels for I/O
Common I/O Status, Error and Result types
* Move common user presence checking code to ctap library
* Move CtapHidChannel and UserPresence traits, with their accompanying
types to separate API mods. Remove Default implementations of methods
in these traits, to keep all implementation details inside of concrete
Env types.
Rename methods in UserPresence trait, for better readability.
Remove duplicate code for finding appropriate HID channel for given
transport.
Rework check_user_presence() function so that there's no more need for
quick_check() method in UserPresence trait. To short-circuit user
presence check, Env implementation may use wait_with_timeout() method.
* Fix button press wait with zero timeout for TockEnv
* Fix formatting
* Remove type for duration, use embedded_time::duration::Milliseconds
directly, for better readability.
Treat any unconfirmed result of user presence check as an error, which
maps more naturally to CTAP spec status codes.
Remove unneeded underscores in trait definition.
Store usb endpoint directly, in TockEnv channels, to avoid unneeded
conversions.
* No need for separate error type for send_keepalive_up_needed()
* Document UserPresence trait and types.
Remove unused parameters in UserPresence trait's methods.
Add conversion function from UserPresence errors to Ctap2 status codes.
Do not check button status when tock user presence wait is called with
zero timeout.
* Make test environment always report success sending data
* Rename CtapHidChannel to HidConnection, rename *_hid_channel ->
*_hid_connection, for clarity. Use "Channel" to refer to the logical
connection from authenticator to one client, and use "Connection" to
refer to physical connection of authenticator to platform, on which
clients run.
Remove channel parameter from user presence API, it's not needed.
* Remove duplicate comments.
Co-authored-by: kaczmarczyck <43844792+kaczmarczyck@users.noreply.github.com>
We shouldn't compare private keys in prod for side-channel resilience. Ideally
we shouldn't clone too. We currently do for storage. Fixing this would probably
require to serialize the private key in the credential struct.
ed25519-dalek does not implement Clone and Eq for secret keys, and
relevant PR in its repository wait for merge from long time ago, leading
to potential problems with maintainability
