35 Commits

Author SHA1 Message Date
Robin Krahl 92f3642345 Add tests for signature counter 2026-05-31 17:00:48 +02:00
Emanuele Cesena de69cd1ffc ctap2: accept up=true on MakeCredential; LargeBlobs Set accepts both PIN protocols 2026-05-28 22:56:20 +02:00
Emanuele Cesena d64976c5da ctap2.3: getinfo advertises FIDO_2_3 2026-05-28 22:56:08 +02:00
Emanuele Cesena e91fb4779f ctap2.3: advertise smart-card transport when CCID is enabled 2026-05-28 22:07:03 +02:00
Emanuele Cesena bcec723f1b ctap2.2: implement hmac-secret-mc extension at MakeCredential time
Fixes: https://github.com/trussed-dev/fido-authenticator/issues/52
2026-05-28 21:58:18 +02:00
Emanuele Cesena a7e869b8c5 ctap2.1: test user field in RK allowlist GetAssertion response 2026-05-28 19:24:40 +02:00
Emanuele Cesena e3c79dfd85 ctap2.1: §6.5.5 PIN management — code-point validation + reject same-PIN under forcePINChange + align setPin/getPinToken error codes
Fixes: https://github.com/trussed-dev/fido-authenticator/issues/43
2026-05-28 19:23:29 +02:00
Emanuele Cesena 96a96316f0 ctap2.1: alwaysUv + toggleAlwaysUv (CTAP 2.1 §6.4, §6.11.2, §7.2) — full implementation 2026-05-28 19:11:04 +02:00
Emanuele Cesena 3daba7d8a3 ctap2.1: setMinPINLength (§6.11.4) + minPinLength extension at MakeCredential (§10.1.2.1) 2026-05-28 19:02:26 +02:00
Robin Krahl 94c439d726 Add tests for credBlob extension 2026-05-22 16:53:27 +02:00
Robin Krahl 4554cb866e make_credential: Support non-discoverable credentials without PIN
Currently, we always require the PIN to be used for make_credential
operations if it is set.  This patch implements the makeCredUvNotRqd
option that allows non-discoverable credentials to be created without
using the PIN according to § 6.1.2 Step 6 of the specification, see:

https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#sctn-makeCred-authnr-alg
https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#getinfo-makecreduvnotrqd

Fixes: https://github.com/Nitrokey/fido-authenticator/issues/34
2025-05-07 22:20:20 +02:00
Robin Krahl 223bc11eec Always reject uv = true in make_credential and get_assertion
This changes the error code if uv = true to InvalidOption even if a PIN
is set.  Previously, we returned PinRequired if a PIN is set.  The new
implementation follows § 6.1.2 Step 5 of the specification more closely.

https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#sctn-makeCred-authnr-alg
2025-05-07 21:57:44 +02:00
Robin Krahl 7ff0518b68 hmac-secret: Forbid up=false
Fixes: https://github.com/Nitrokey/fido-authenticator/issues/19
2025-05-07 16:04:44 +02:00
Robin Krahl 91a57756c0 tests: Use hmac-secret extension in TestGetAssertion 2025-05-07 15:54:54 +02:00
Robin Krahl fed17e9b35 tests: Remove exhaustive dependency 2025-02-19 12:34:23 +01:00
Robin Krahl 2c8efe16c2 tests: Inspect filesystem after test runs 2025-02-19 12:34:22 +01:00
Robin Krahl dfcaf94096 tests: Add getNextAssertion tests 2025-02-18 10:46:12 +01:00
Robin Krahl f3679b8dd5 tests: Add changePin tests 2025-02-18 10:46:11 +01:00
Robin Krahl fd6fc9b8a8 tests: Extend setPin tests 2025-02-18 10:46:11 +01:00
Robin Krahl 726ce464be tests: Add getPinRetries tests 2025-02-18 10:46:11 +01:00
Robin Krahl add1cebd26 tests: Extend getPinToken tests 2025-02-18 10:46:11 +01:00
Robin Krahl 9e4cd65e54 tests: Extend getAssertion tests 2025-02-18 10:46:11 +01:00
Robin Krahl 10b0334fed tests: Extend makeCredential tests 2025-02-18 10:46:11 +01:00
Robin Krahl 83477813bf tests: Add helper trait and use exhaustive 2025-02-18 10:46:09 +01:00
Robin Krahl d0885e1ccb Extend credential management tests
This patch adds tests for deleting discoverable credentials and for
updating the user information for existing credentials.
2025-01-21 10:23:25 +01:00