Commit Graph

53 Commits

Author SHA1 Message Date
Emanuele Cesena 4bd3629b66 ctap2.3: long-touch reset (§6.11.5, §7.7) 2026-06-03 09:35:29 +02:00
Robin Krahl 9fa9c6d1d9 Reduce number of generated tests
This patch selects the test cases to run more carefully to reduce the
test execution time. Instead of testing all possible combinations in
one test case, the patch splits the tests into multiple test cases
where each test case covers one field exhaustively. The other fields
are either limited to all sensible values (if they seem relevant) or
chosen randomly (if they don’t seem relevant).
2026-06-02 23:17:39 +02:00
Robin Krahl f82effbf79 Make firmware version configurable depending on credential ID version 2026-06-01 13:26:07 +02:00
Robin Krahl b7becd0020 Make credential ID version configurable
This patch adds the credential_id_version field to Config, making it
possible to select the credential ID version for new credentials. To
avoid invalidating existing credentials, this value is only used on the
first boot or after a factory reset.
2026-06-01 13:18:44 +02:00
Robin Krahl 92f3642345 Add tests for signature counter 2026-05-31 17:00:48 +02:00
Emanuele Cesena de69cd1ffc ctap2: accept up=true on MakeCredential; LargeBlobs Set accepts both PIN protocols 2026-05-28 22:56:20 +02:00
Emanuele Cesena d64976c5da ctap2.3: getinfo advertises FIDO_2_3 2026-05-28 22:56:08 +02:00
Emanuele Cesena e91fb4779f ctap2.3: advertise smart-card transport when CCID is enabled 2026-05-28 22:07:03 +02:00
Emanuele Cesena bcec723f1b ctap2.2: implement hmac-secret-mc extension at MakeCredential time
Fixes: https://github.com/trussed-dev/fido-authenticator/issues/52
2026-05-28 21:58:18 +02:00
Emanuele Cesena a7e869b8c5 ctap2.1: test user field in RK allowlist GetAssertion response 2026-05-28 19:24:40 +02:00
Emanuele Cesena e3c79dfd85 ctap2.1: §6.5.5 PIN management — code-point validation + reject same-PIN under forcePINChange + align setPin/getPinToken error codes
Fixes: https://github.com/trussed-dev/fido-authenticator/issues/43
2026-05-28 19:23:29 +02:00
Emanuele Cesena 96a96316f0 ctap2.1: alwaysUv + toggleAlwaysUv (CTAP 2.1 §6.4, §6.11.2, §7.2) — full implementation 2026-05-28 19:11:04 +02:00
Emanuele Cesena 3daba7d8a3 ctap2.1: setMinPINLength (§6.11.4) + minPinLength extension at MakeCredential (§10.1.2.1) 2026-05-28 19:02:26 +02:00
Robin Krahl 94c439d726 Add tests for credBlob extension 2026-05-22 16:53:27 +02:00
Emanuele Cesena 01a4be28c4 ctap: getinfo advertises algorithms, firmwareVersion, remainingDiscoverableCredentials 2026-05-22 13:08:44 +02:00
Sosthène Guédon 4e118bba70 Update to heapless 0.9 and trussed-core 0.2 2026-03-25 18:34:39 +01:00
Robin Krahl 01a2653c37 Update trussed to use new virtual store 2025-05-15 11:52:59 +02:00
Robin Krahl 4554cb866e make_credential: Support non-discoverable credentials without PIN
Currently, we always require the PIN to be used for make_credential
operations if it is set.  This patch implements the makeCredUvNotRqd
option that allows non-discoverable credentials to be created without
using the PIN according to § 6.1.2 Step 6 of the specification, see:

https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#sctn-makeCred-authnr-alg
https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#getinfo-makecreduvnotrqd

Fixes: https://github.com/Nitrokey/fido-authenticator/issues/34
2025-05-07 22:20:20 +02:00
Robin Krahl 223bc11eec Always reject uv = true in make_credential and get_assertion
This changes the error code if uv = true to InvalidOption even if a PIN
is set.  Previously, we returned PinRequired if a PIN is set.  The new
implementation follows § 6.1.2 Step 5 of the specification more closely.

https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#sctn-makeCred-authnr-alg
2025-05-07 21:57:44 +02:00
Robin Krahl 7ff0518b68 hmac-secret: Forbid up=false
Fixes: https://github.com/Nitrokey/fido-authenticator/issues/19
2025-05-07 16:04:44 +02:00
Robin Krahl 91a57756c0 tests: Use hmac-secret extension in TestGetAssertion 2025-05-07 15:54:54 +02:00
Sosthène Guédon 443eca1787 Make credential: change the path of rks to rp_id_hash.credential_id_hash from rp_id_hash/credential_id_hash
The goal is to make credential storage more efficient, by making use of littlefs's
ability to inline file contents into the directory metadata when the file is small.
2025-02-20 13:44:22 +01:00
Robin Krahl fed17e9b35 tests: Remove exhaustive dependency 2025-02-19 12:34:23 +01:00
Robin Krahl 2c8efe16c2 tests: Inspect filesystem after test runs 2025-02-19 12:34:22 +01:00
Robin Krahl dfcaf94096 tests: Add getNextAssertion tests 2025-02-18 10:46:12 +01:00