Emanuele Cesena
4bd3629b66
ctap2.3: long-touch reset (§6.11.5, §7.7)
2026-06-03 09:35:29 +02:00
Robin Krahl
9fa9c6d1d9
Reduce number of generated tests
...
This patch selects the test cases to run more carefully to reduce the
test execution time. Instead of testing all possible combinations in
one test case, the patch splits the tests into multiple test cases
where each test case covers one field exhaustively. The other fields
are either limited to all sensible values (if they seem relevant) or
chosen randomly (if they don’t seem relevant).
2026-06-02 23:17:39 +02:00
Robin Krahl
f82effbf79
Make firmware version configurable depending on credential ID version
2026-06-01 13:26:07 +02:00
Robin Krahl
b7becd0020
Make credential ID version configurable
...
This patch adds the credential_id_version field to Config, making it
possible to select the credential ID version for new credentials. To
avoid invalidating existing credentials, this value is only used on the
first boot or after a factory reset.
2026-06-01 13:18:44 +02:00
Robin Krahl
92f3642345
Add tests for signature counter
2026-05-31 17:00:48 +02:00
Emanuele Cesena
de69cd1ffc
ctap2: accept up=true on MakeCredential; LargeBlobs Set accepts both PIN protocols
2026-05-28 22:56:20 +02:00
Emanuele Cesena
d64976c5da
ctap2.3: getinfo advertises FIDO_2_3
2026-05-28 22:56:08 +02:00
Emanuele Cesena
e91fb4779f
ctap2.3: advertise smart-card transport when CCID is enabled
2026-05-28 22:07:03 +02:00
Emanuele Cesena
bcec723f1b
ctap2.2: implement hmac-secret-mc extension at MakeCredential time
...
Fixes: https://github.com/trussed-dev/fido-authenticator/issues/52
2026-05-28 21:58:18 +02:00
Emanuele Cesena
a7e869b8c5
ctap2.1: test user field in RK allowlist GetAssertion response
2026-05-28 19:24:40 +02:00
Emanuele Cesena
e3c79dfd85
ctap2.1: §6.5.5 PIN management — code-point validation + reject same-PIN under forcePINChange + align setPin/getPinToken error codes
...
Fixes: https://github.com/trussed-dev/fido-authenticator/issues/43
2026-05-28 19:23:29 +02:00
Emanuele Cesena
96a96316f0
ctap2.1: alwaysUv + toggleAlwaysUv (CTAP 2.1 §6.4, §6.11.2, §7.2) — full implementation
2026-05-28 19:11:04 +02:00
Emanuele Cesena
3daba7d8a3
ctap2.1: setMinPINLength (§6.11.4) + minPinLength extension at MakeCredential (§10.1.2.1)
2026-05-28 19:02:26 +02:00
Robin Krahl
94c439d726
Add tests for credBlob extension
2026-05-22 16:53:27 +02:00
Emanuele Cesena
01a4be28c4
ctap: getinfo advertises algorithms, firmwareVersion, remainingDiscoverableCredentials
2026-05-22 13:08:44 +02:00
Sosthène Guédon
4e118bba70
Update to heapless 0.9 and trussed-core 0.2
2026-03-25 18:34:39 +01:00
Robin Krahl
01a2653c37
Update trussed to use new virtual store
2025-05-15 11:52:59 +02:00
Robin Krahl
4554cb866e
make_credential: Support non-discoverable credentials without PIN
...
Currently, we always require the PIN to be used for make_credential
operations if it is set. This patch implements the makeCredUvNotRqd
option that allows non-discoverable credentials to be created without
using the PIN according to § 6.1.2 Step 6 of the specification, see:
https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#sctn-makeCred-authnr-alg
https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#getinfo-makecreduvnotrqd
Fixes: https://github.com/Nitrokey/fido-authenticator/issues/34
2025-05-07 22:20:20 +02:00
Robin Krahl
223bc11eec
Always reject uv = true in make_credential and get_assertion
...
This changes the error code if uv = true to InvalidOption even if a PIN
is set. Previously, we returned PinRequired if a PIN is set. The new
implementation follows § 6.1.2 Step 5 of the specification more closely.
https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#sctn-makeCred-authnr-alg
2025-05-07 21:57:44 +02:00
Robin Krahl
7ff0518b68
hmac-secret: Forbid up=false
...
Fixes: https://github.com/Nitrokey/fido-authenticator/issues/19
2025-05-07 16:04:44 +02:00
Robin Krahl
91a57756c0
tests: Use hmac-secret extension in TestGetAssertion
2025-05-07 15:54:54 +02:00
Sosthène Guédon
443eca1787
Make credential: change the path of rks to rp_id_hash.credential_id_hash from rp_id_hash/credential_id_hash
...
The goal is to make credential storage more efficient, by making use of littlefs's
ability to inline file contents into the directory metadata when the file is small.
2025-02-20 13:44:22 +01:00
Robin Krahl
fed17e9b35
tests: Remove exhaustive dependency
2025-02-19 12:34:23 +01:00
Robin Krahl
2c8efe16c2
tests: Inspect filesystem after test runs
2025-02-19 12:34:22 +01:00
Robin Krahl
dfcaf94096
tests: Add getNextAssertion tests
2025-02-18 10:46:12 +01:00