trussed/fido-authenticator
0
0
Fork 0
mirror of https://github.com/trussed-dev/fido-authenticator.git synced 2026-03-11 16:36:21 -07:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
fido-authenticator/src/ctap2.rs
Robin Krahl 5ebb4a4830 clientPin: Support getRetries without PIN protocol 
This fixes compatibility with CTAP 2.1.

Fixes: https://github.com/Nitrokey/fido-authenticator/issues/118
2025-05-12 17:42:26 +02:00

2086 lines
78 KiB
Rust
Raw Permalink Blame History

//! The `ctap_types::ctap2::Authenticator` implementation.
use credential_management::CredentialManagement;
use ctap_types::{
ctap2::{
self, client_pin::Permissions, AttestationFormatsPreference, AttestationStatement,
AttestationStatementFormat, Authenticator, NoneAttestationStatement,
PackedAttestationStatement, VendorOperation,
},
heapless::{String, Vec},
heapless_bytes::Bytes,
sizes,
webauthn::PublicKeyCredentialUserEntity,
ByteArray, Error,
};
use littlefs2_core::{path, Path, PathBuf};
use sha2::{Digest as _, Sha256};
use trussed_core::{
syscall, try_syscall,
types::{KeyId, Location, Mechanism, MediumData, Message, StorageAttributes},
};
use crate::{
constants::{self, MAX_RESIDENT_CREDENTIALS_GUESSTIMATE},
credential::{self, Credential, FullCredential, Key, StrippedCredential},
format_hex, state, Result, SigningAlgorithm, TrussedRequirements, UserPresence,
};
#[allow(unused_imports)]
use crate::msp;
pub mod credential_management;
pub mod large_blobs;
pub mod pin;
use pin::{PinProtocol, PinProtocolVersion, RpScope, SharedSecret};
pub const RK_DIR: &Path = path!("rk");
/// Implement `ctap2::Authenticator` for our Authenticator.
impl<UP: UserPresence, T: TrussedRequirements> Authenticator for crate::Authenticator<UP, T> {
#[inline(never)]
fn get_info(&mut self) -> ctap2::get_info::Response {
use ctap2::get_info::{Extension, Transport, Version};
debug_now!("remaining stack size: {} bytes", msp() - 0x2000_0000);
let mut versions = Vec::new();
versions.push(Version::U2fV2).unwrap();
versions.push(Version::Fido2_0).unwrap();
versions.push(Version::Fido2_1).unwrap();
let mut extensions = Vec::new();
extensions.push(Extension::CredProtect).unwrap();
extensions.push(Extension::HmacSecret).unwrap();
if self.config.supports_large_blobs() {
extensions.push(Extension::LargeBlobKey).unwrap();
}
extensions.push(Extension::ThirdPartyPayment).unwrap();
let mut pin_protocols = Vec::new();
for pin_protocol in self.pin_protocols() {
pin_protocols.push(u8::from(*pin_protocol)).unwrap();
}
let mut options = ctap2::get_info::CtapOptions::default();
options.rk = true;
options.up = true;
options.plat = Some(false);
options.cred_mgmt = Some(true);
options.client_pin = match self.state.persistent.pin_is_set() {
true => Some(true),
false => Some(false),
};
options.large_blobs = Some(self.config.supports_large_blobs());
options.pin_uv_auth_token = Some(true);
options.make_cred_uv_not_rqd = Some(true);
let mut transports = Vec::new();
if self.config.nfc_transport {
transports.push(Transport::Nfc).unwrap();
}
transports.push(Transport::Usb).unwrap();
let mut attestation_formats = Vec::new();
attestation_formats
.push(AttestationStatementFormat::Packed)
.unwrap();
attestation_formats
.push(AttestationStatementFormat::None)
.unwrap();
let (_, aaguid) = self.state.identity.attestation(&mut self.trussed);
let mut response = ctap2::get_info::Response::default();
response.versions = versions;
response.extensions = Some(extensions);
response.aaguid = Bytes::from_slice(&aaguid).unwrap();
response.options = Some(options);
response.transports = Some(transports);
// 1200
response.max_msg_size = Some(self.config.max_msg_size);
response.pin_protocols = Some(pin_protocols);
response.max_creds_in_list = Some(ctap_types::sizes::MAX_CREDENTIAL_COUNT_IN_LIST);
response.max_cred_id_length = Some(ctap_types::sizes::MAX_CREDENTIAL_ID_LENGTH);
response.attestation_formats = Some(attestation_formats);
response
}
#[inline(never)]
fn get_next_assertion(&mut self) -> Result<ctap2::get_assertion::Response> {
// 3. previous GA/GNA >30s ago -> discard stat
// this is optional over NFC
if false {
self.state.runtime.clear_credential_cache();
self.state.runtime.active_get_assertion = None;
return Err(Error::NotAllowed);
}
//
// 1./2. don't remember / don't have left any credentials
// 4. select credential
// let data = syscall!(self.trussed.read_file(
// timestamp_hash.location,
// timestamp_hash.path,
// )).data;
if self.state.runtime.active_get_assertion.is_none() {
return Err(Error::NotAllowed);
}
let credential = self
.state
.runtime
.pop_credential(&mut self.trussed)
.ok_or(Error::NotAllowed)?;
// 5. suppress PII if no UV was performed in original GA
// 6. sign
// 7. reset timer
// 8. increment credential counter (not applicable)
self.assert_with_credential(None, Credential::Full(credential))
}
#[inline(never)]
fn make_credential(
&mut self,
parameters: &ctap2::make_credential::Request,
) -> Result<ctap2::make_credential::Response> {
let rp_id_hash = self.hash(parameters.rp.id.as_ref());
// 1-4.
if let Some(options) = parameters.options.as_ref() {
// up option is not valid for make_credential
if options.up.is_some() {
return Err(Error::InvalidOption);
}
}
if parameters.enterprise_attestation.is_some() {
return Err(Error::InvalidParameter);
}
let uv_performed = self.pin_prechecks(
&parameters.options,
parameters.pin_auth.map(AsRef::as_ref),
parameters.pin_protocol,
parameters.client_data_hash.as_ref(),
Permissions::MAKE_CREDENTIAL,
&parameters.rp.id,
)?;
// 5. "persist credProtect value for this credential"
// --> seems out of place here, see 9.
// 6. excludeList present, contains credential ID on this authenticator bound to RP?
// --> wait for UP, error CredentialExcluded
if let Some(exclude_list) = &parameters.exclude_list {
for descriptor in exclude_list.iter() {
let result = Credential::try_from(self, &rp_id_hash, descriptor);
if let Ok(excluded_cred) = result {
use credential::CredentialProtectionPolicy;
// If UV is not performed, than CredProtectRequired credentials should not be visibile.
if !(excluded_cred.cred_protect() == Some(CredentialProtectionPolicy::Required))
|| uv_performed
{
info_now!("Excluded!");
self.up
.user_present(&mut self.trussed, constants::FIDO2_UP_TIMEOUT)?;
return Err(Error::CredentialExcluded);
}
}
}
}
// 7. check pubKeyCredParams algorithm is valid + supported COSE identifier
let mut algorithm: Option<SigningAlgorithm> = None;
for param in parameters.pub_key_cred_params.0.iter() {
match param.alg {
-7 => {
if algorithm.is_none() {
algorithm = Some(SigningAlgorithm::P256);
}
}
-8 => {
algorithm = Some(SigningAlgorithm::Ed25519);
}
_ => {}
}
}
let algorithm = algorithm.ok_or(Error::UnsupportedAlgorithm)?;
info_now!("algo: {:?}", algorithm as i32);
// 8. process options; on known but unsupported error UnsupportedOption
let mut rk_requested = false;
// TODO: why is this unused?
let mut _uv_requested = false;
let _up_requested = true; // can't be toggled
info_now!("MC options: {:?}", &parameters.options);
if let Some(ref options) = &parameters.options {
if Some(true) == options.rk {
rk_requested = true;
}
if Some(true) == options.uv {
_uv_requested = true;
}
}
// 9. process extensions
let mut hmac_secret_requested = None;
// let mut cred_protect_requested = CredentialProtectionPolicy::Optional;
let mut cred_protect_requested = None;
let mut large_blob_key_requested = false;
let mut third_party_payment_requested = false;
if let Some(extensions) = &parameters.extensions {
hmac_secret_requested = extensions.hmac_secret;
if let Some(policy) = &extensions.cred_protect {
cred_protect_requested =
Some(credential::CredentialProtectionPolicy::try_from(*policy)?);
}
if self.config.supports_large_blobs() {
if let Some(large_blob_key) = extensions.large_blob_key {
if large_blob_key {
if !rk_requested {
// the largeBlobKey extension is only available for resident keys
return Err(Error::InvalidOption);
}
large_blob_key_requested = true;
} else {
// large_blob_key must be Some(true) or omitted, Some(false) is invalid
return Err(Error::InvalidOption);
}
}
}
third_party_payment_requested = extensions.third_party_payment.unwrap_or_default();
}
// debug_now!("hmac-secret = {:?}, credProtect = {:?}", hmac_secret_requested, cred_protect_requested);
// 10. get UP, if denied error OperationDenied
self.up
.user_present(&mut self.trussed, constants::FIDO2_UP_TIMEOUT)?;
// 11. generate credential keypair
let location = match rk_requested {
true => Location::Internal,
false => Location::Volatile,
};
let private_key = algorithm.generate_private_key(&mut self.trussed, location);
let cose_public_key = algorithm.derive_public_key(&mut self.trussed, private_key);
// 12. if `rk` is set, store or overwrite key pair, if full error KeyStoreFull
// 12.a generate credential
let key_parameter = match rk_requested {
true => Key::ResidentKey(private_key),
false => {
// WrappedKey version
let wrapping_key = self.state.persistent.key_wrapping_key(&mut self.trussed)?;
let wrapped_key = syscall!(self.trussed.wrap_key_chacha8poly1305(
wrapping_key,
private_key,
&[],
None
))
.wrapped_key;
// 32B key, 12B nonce, 16B tag + some info on algorithm (P256/Ed25519)
// Turns out it's size 92 (enum serialization not optimized yet...)
// let mut wrapped_key = Bytes::<60>::new();
// wrapped_key.extend_from_slice(&wrapped_key_msg).unwrap();
Key::WrappedKey(wrapped_key.to_bytes().map_err(|_| Error::Other)?)
}
};
// injecting this is a bit mehhh..
let nonce = self.nonce();
info_now!("nonce = {:?}", &nonce);
// 12.b generate credential ID { = AEAD(Serialize(Credential)) }
let kek = self
.state
.persistent
.key_encryption_key(&mut self.trussed)?;
// store it.
// TODO: overwrite, error handling with KeyStoreFull
let large_blob_key = if large_blob_key_requested {
let key = syscall!(self.trussed.random_bytes(32)).bytes;
Some(ByteArray::new(key.as_slice().try_into().unwrap()))
} else {
None
};
let credential = FullCredential::new(
credential::CtapVersion::Fido21Pre,
&parameters.rp,
&parameters.user,
algorithm as i32,
key_parameter,
self.state.persistent.timestamp(&mut self.trussed)?,
hmac_secret_requested,
cred_protect_requested,
large_blob_key,
third_party_payment_requested.then_some(true),
nonce,
);
// note that this does the "stripping" of OptionalUI etc.
let credential_id =
StrippedCredential::from(&credential).id(&mut self.trussed, kek, &rp_id_hash)?;
if rk_requested {
// serialization with all metadata
let serialized_credential = credential.serialize()?;
// first delete any other RK cred with same RP + UserId if there is one.
self.delete_resident_key_by_user_id(&rp_id_hash, credential.user.id())
.ok();
let mut key_store_full = self.can_fit(serialized_credential.len()) == Some(false)
|| CredentialManagement::new(self).count_credentials()?
>= self
.config
.max_resident_credential_count
.unwrap_or(MAX_RESIDENT_CREDENTIALS_GUESSTIMATE);
if !key_store_full {
// then store key, making it resident
let credential_id_hash = self.hash(credential_id.0.as_ref());
let result = try_syscall!(self.trussed.write_file(
Location::Internal,
rk_path(&rp_id_hash, &credential_id_hash),
serialized_credential,
// user attribute for later easy lookup
// Some(rp_id_hash.clone()),
None,
));
key_store_full = result.is_err();
}
if key_store_full {
return Err(Error::KeyStoreFull);
}
}
// 13. generate and return attestation statement using clientDataHash
// 13.a AuthenticatorData and its serialization
use ctap2::AuthenticatorDataFlags as Flags;
info_now!("MC created cred id");
let (attestation_maybe, aaguid) = self.state.identity.attestation(&mut self.trussed);
let authenticator_data = ctap2::make_credential::AuthenticatorData {
rp_id_hash: &rp_id_hash,
flags: {
let mut flags = Flags::USER_PRESENCE;
if uv_performed {
flags |= Flags::USER_VERIFIED;
}
if true {
flags |= Flags::ATTESTED_CREDENTIAL_DATA;
}
if hmac_secret_requested.is_some() || cred_protect_requested.is_some() {
flags |= Flags::EXTENSION_DATA;
}
flags
},
sign_count: self.state.persistent.timestamp(&mut self.trussed)?,
attested_credential_data: {
// debug_now!("acd in, cid len {}, pk len {}", credential_id.0.len(), cose_public_key.len());
let attested_credential_data = ctap2::make_credential::AttestedCredentialData {
aaguid: &aaguid,
credential_id: &credential_id.0,
credential_public_key: &cose_public_key,
};
// debug_now!("cose PK = {:?}", &attested_credential_data.credential_public_key);
Some(attested_credential_data)
},
extensions: {
if hmac_secret_requested.is_some() || cred_protect_requested.is_some() {
let mut extensions = ctap2::make_credential::Extensions::default();
extensions.cred_protect = parameters.extensions.as_ref().unwrap().cred_protect;
extensions.hmac_secret = parameters.extensions.as_ref().unwrap().hmac_secret;
Some(extensions)
} else {
None
}
},
};
// debug_now!("authData = {:?}", &authenticator_data);
let serialized_auth_data = authenticator_data.serialize()?;
// select attestation format or use packed attestation as default
let att_stmt_fmt = parameters
.attestation_formats_preference
.as_ref()
.map(SupportedAttestationFormat::select)
.unwrap_or(Some(SupportedAttestationFormat::Packed));
let att_stmt = if let Some(format) = att_stmt_fmt {
match format {
SupportedAttestationFormat::None => {
Some(AttestationStatement::None(NoneAttestationStatement {}))
}
SupportedAttestationFormat::Packed => {
let mut commitment = Bytes::<1024>::new();
commitment
.extend_from_slice(&serialized_auth_data)
.map_err(|_| Error::Other)?;
commitment
.extend_from_slice(parameters.client_data_hash)
.map_err(|_| Error::Other)?;
let (attestation_key, attestation_algorithm) = attestation_maybe
.as_ref()
.map(|attestation| (attestation.0, SigningAlgorithm::P256))
.unwrap_or((private_key, algorithm));
let signature =
attestation_algorithm.sign(&mut self.trussed, attestation_key, &commitment);
let packed = PackedAttestationStatement {
alg: attestation_algorithm.into(),
sig: signature.to_bytes().map_err(|_| Error::Other)?,
x5c: attestation_maybe.as_ref().map(|attestation| {
// See: https://www.w3.org/TR/webauthn-2/#sctn-packed-attestation-cert-requirements
let cert = attestation.1.clone();
let mut x5c = Vec::new();
x5c.push(cert).ok();
x5c
}),
};
Some(AttestationStatement::Packed(packed))
}
}
} else {
None
};
if !rk_requested {
let _success = syscall!(self.trussed.delete(private_key)).success;
info_now!("deleted private credential key: {}", _success);
}
let mut attestation_object = ctap2::make_credential::ResponseBuilder {
fmt: att_stmt_fmt
.map(From::from)
.unwrap_or(AttestationStatementFormat::None),
auth_data: serialized_auth_data,
}
.build();
attestation_object.att_stmt = att_stmt;
attestation_object.large_blob_key = large_blob_key;
Ok(attestation_object)
}
#[inline(never)]
fn reset(&mut self) -> Result<()> {
// 1. >10s after bootup -> NotAllowed
let uptime = syscall!(self.trussed.uptime()).uptime;
debug_now!("uptime: {:?}", uptime);
if uptime.as_secs() > 10 {
#[cfg(not(feature = "disable-reset-time-window"))]
return Err(Error::NotAllowed);
}
// 2. check for user presence
// denied -> OperationDenied
// timeout -> UserActionTimeout
self.up
.user_present(&mut self.trussed, constants::FIDO2_UP_TIMEOUT)?;
// Delete resident keys
syscall!(self.trussed.delete_all(Location::Internal));
syscall!(self
.trussed
.remove_dir_all(Location::Internal, RK_DIR.into()));
// Delete large-blob array
large_blobs::reset(&mut self.trussed);
// b. delete persistent state
self.state.persistent.reset(&mut self.trussed)?;
// c. Reset runtime state
self.state.runtime.reset(&mut self.trussed);
Ok(())
}
fn selection(&mut self) -> Result<()> {
self.up
.user_present(&mut self.trussed, constants::FIDO2_UP_TIMEOUT)
}
#[inline(never)]
fn client_pin(
&mut self,
parameters: &ctap2::client_pin::Request<'_>,
) -> Result<ctap2::client_pin::Response> {
use ctap2::client_pin::PinV1Subcommand as Subcommand;
debug_now!("CTAP2.PIN...");
// info_now!("{:?}", parameters);
let pin_protocol = parameters
.pin_protocol
.ok_or(Error::MissingParameter)
.and_then(|pin_protocol| self.parse_pin_protocol(pin_protocol));
let mut response = ctap2::client_pin::Response::default();
match parameters.sub_command {
Subcommand::GetRetries => {
debug_now!("CTAP2.Pin.GetRetries");
response.retries = Some(self.state.persistent.retries());
}
Subcommand::GetKeyAgreement => {
debug_now!("CTAP2.Pin.GetKeyAgreement");
let pin_protocol = pin_protocol?;
response.key_agreement = Some(self.pin_protocol(pin_protocol).key_agreement_key());
}
Subcommand::SetPin => {
debug_now!("CTAP2.Pin.SetPin");
// 1. check mandatory parameters
let platform_kek = match parameters.key_agreement.as_ref() {
Some(key) => key,
None => {
return Err(Error::MissingParameter);
}
};
let new_pin_enc = match parameters.new_pin_enc.as_ref() {
Some(pin) => pin,
None => {
return Err(Error::MissingParameter);
}
};
let pin_auth = match parameters.pin_auth.as_ref() {
Some(auth) => auth,
None => {
return Err(Error::MissingParameter);
}
};
let pin_protocol = pin_protocol?;
// 2. is pin already set
if self.state.persistent.pin_is_set() {
return Err(Error::NotAllowed);
}
// 3. generate shared secret
let mut pin_protocol = self.pin_protocol(pin_protocol);
let shared_secret = pin_protocol.shared_secret(platform_kek)?;
// TODO: there are moar early returns!!
// - implement Drop?
// - do garbage collection outside of this?
// 4. verify pinAuth
pin_protocol.verify_pin_auth(&shared_secret, new_pin_enc, pin_auth)?;
// 5. decrypt and verify new PIN
let new_pin = self.decrypt_pin_check_length(&shared_secret, new_pin_enc)?;
shared_secret.delete(&mut self.trussed);
// 6. store LEFT(SHA-256(newPin), 16), set retries to 8
self.hash_store_pin(&new_pin)?;
self.state
.reset_retries(&mut self.trussed)
.map_err(|_| Error::Other)?;
}
Subcommand::ChangePin => {
debug_now!("CTAP2.Pin.ChangePin");
// 1. check mandatory parameters
let platform_kek = match parameters.key_agreement.as_ref() {
Some(key) => key,
None => {
return Err(Error::MissingParameter);
}
};
let pin_hash_enc = match parameters.pin_hash_enc.as_ref() {
Some(hash) => hash,
None => {
return Err(Error::MissingParameter);
}
};
let new_pin_enc = match parameters.new_pin_enc.as_ref() {
Some(pin) => pin,
None => {
return Err(Error::MissingParameter);
}
};
let pin_auth = match parameters.pin_auth.as_ref() {
Some(auth) => auth,
None => {
return Err(Error::MissingParameter);
}
};
let pin_protocol = pin_protocol?;
// 2. fail if no retries left
self.state.pin_blocked()?;
// 3. generate shared secret
let mut pin_protocol_impl = self.pin_protocol(pin_protocol);
let shared_secret = pin_protocol_impl.shared_secret(platform_kek)?;
// 4. verify pinAuth
let mut data = MediumData::new();
data.extend_from_slice(new_pin_enc)
.map_err(|_| Error::InvalidParameter)?;
data.extend_from_slice(pin_hash_enc)
.map_err(|_| Error::InvalidParameter)?;
pin_protocol_impl.verify_pin_auth(&shared_secret, &data, pin_auth)?;
// 5. decrement retries
self.state.decrement_retries(&mut self.trussed)?;
// 6. decrypt pinHashEnc, compare with stored
self.decrypt_pin_hash_and_maybe_escalate(
pin_protocol,
&shared_secret,
pin_hash_enc,
)?;
// 7. reset retries
self.state.reset_retries(&mut self.trussed)?;
// 8. decrypt and verify new PIN
let new_pin = self.decrypt_pin_check_length(&shared_secret, new_pin_enc)?;
shared_secret.delete(&mut self.trussed);
// 9. store hashed PIN
self.hash_store_pin(&new_pin)?;
self.pin_protocol(pin_protocol).reset_pin_tokens();
}
// § 6.5.5.7.1 No 4
Subcommand::GetPinToken => {
debug_now!("CTAP2.Pin.GetPinToken");
// 1. Check mandatory parameters
let key_agreement = parameters
.key_agreement
.as_ref()
.ok_or(Error::MissingParameter)?;
let pin_hash_enc = parameters
.pin_hash_enc
.as_ref()
.ok_or(Error::MissingParameter)?;
// 2. Check PIN protocol
let pin_protocol = pin_protocol?;
// 3. + 4. Check invalid parameters
if parameters.permissions.is_some() || parameters.rp_id.is_some() {
return Err(Error::InvalidParameter);
}
// 5. Check PIN retries
self.state.pin_blocked()?;
// 6. Obtain shared secret
let shared_secret = self
.pin_protocol(pin_protocol)
.shared_secret(key_agreement)?;
// 7. Request user consent using display -- skipped
// 8. Decrement PIN retries
self.state.decrement_retries(&mut self.trussed)?;
// 9. Check PIN
self.decrypt_pin_hash_and_maybe_escalate(
pin_protocol,
&shared_secret,
pin_hash_enc,
)?;
// 10. Reset PIN retries
self.state.reset_retries(&mut self.trussed)?;
// 11. Check forcePINChange -- skipped
// 12. Reset all PIN tokens
// 13. Call beginUsingPinUvAuthToken
let mut pin_protocol = self.pin_protocol(pin_protocol);
let mut pin_token = pin_protocol.reset_and_begin_using_pin_token(false);
// 14. Assign the default permissions
let mut permissions = Permissions::empty();
permissions.insert(Permissions::MAKE_CREDENTIAL);
permissions.insert(Permissions::GET_ASSERTION);
pin_token.restrict(permissions, None);
// 15. Return PIN token
response.pin_token = Some(pin_token.encrypt(&shared_secret)?);
shared_secret.delete(&mut self.trussed);
}
// § 6.5.5.7.2 No 4
Subcommand::GetPinUvAuthTokenUsingPinWithPermissions => {
debug_now!("CTAP2.Pin.GetPinUvAuthTokenUsingPinWithPermissions");
// 1. Check mandatory parameters
let key_agreement = parameters
.key_agreement
.as_ref()
.ok_or(Error::MissingParameter)?;
let pin_hash_enc = parameters
.pin_hash_enc
.as_ref()
.ok_or(Error::MissingParameter)?;
let permissions = parameters.permissions.ok_or(Error::MissingParameter)?;
// 2. Check PIN protocol
let pin_protocol = pin_protocol?;
// 3. Check that permissions are not empty
let permissions = Permissions::from_bits_truncate(permissions);
if permissions.is_empty() {
return Err(Error::InvalidParameter);
}
// 4. Check that all requested permissions are supported
let mut unauthorized_permissions = Permissions::empty();
unauthorized_permissions.insert(Permissions::BIO_ENROLLMENT);
if !self.config.supports_large_blobs() {
unauthorized_permissions.insert(Permissions::LARGE_BLOB_WRITE);
}
unauthorized_permissions.insert(Permissions::AUTHENTICATOR_CONFIGURATION);
if permissions.intersects(unauthorized_permissions) {
return Err(Error::UnauthorizedPermission);
}
// 5. Check PIN retries
self.state.pin_blocked()?;
// 6. Obtain shared secret
let shared_secret = self
.pin_protocol(pin_protocol)
.shared_secret(key_agreement)?;
// 7. Request user consent using display -- skipped
// 8. Decrement PIN retries
self.state.decrement_retries(&mut self.trussed)?;
// 9. Check PIN
self.decrypt_pin_hash_and_maybe_escalate(
pin_protocol,
&shared_secret,
pin_hash_enc,
)?;
// 10. Reset PIN retries
self.state.reset_retries(&mut self.trussed)?;
// 11. Check forcePINChange -- skipped
// 12. Reset all PIN tokens
// 13. Call beginUsingPinUvAuthToken
let mut pin_protocol = self.pin_protocol(pin_protocol);
let mut pin_token = pin_protocol.reset_and_begin_using_pin_token(false);
// 14. Assign the requested permissions
// 15. Assign the requested RP id
let rp_id = parameters
.rp_id
.map(TryInto::try_into)
.transpose()
.map_err(|_| Error::InvalidParameter)?;
pin_token.restrict(permissions, rp_id);
// 16. Return PIN token
response.pin_token = Some(pin_token.encrypt(&shared_secret)?);
shared_secret.delete(&mut self.trussed);
}
Subcommand::GetPinUvAuthTokenUsingUvWithPermissions | Subcommand::GetUVRetries => {
// todo!("not implemented yet")
return Err(Error::InvalidParameter);
}
_ => {
return Err(Error::InvalidParameter);
}
}
Ok(response)
}
#[inline(never)]
fn credential_management(
&mut self,
parameters: &ctap2::credential_management::Request<'_>,
) -> Result<ctap2::credential_management::Response> {
use credential_management as cm;
use ctap2::credential_management::Subcommand;
self.verify_credential_management_pin_auth(parameters)?;
let mut cred_mgmt = cm::CredentialManagement::new(self);
let sub_parameters = &parameters.sub_command_params;
// TODO: use custom enum of known commands
match parameters.sub_command {
// 0x1
Subcommand::GetCredsMetadata => cred_mgmt.get_creds_metadata(),
// 0x2
Subcommand::EnumerateRpsBegin => cred_mgmt.first_relying_party(),
// 0x3
Subcommand::EnumerateRpsGetNextRp => cred_mgmt.next_relying_party(),
// 0x4
Subcommand::EnumerateCredentialsBegin => {
let sub_parameters = sub_parameters.as_ref().ok_or(Error::MissingParameter)?;
cred_mgmt.first_credential(
sub_parameters
.rp_id_hash
.as_ref()
.ok_or(Error::MissingParameter)?,
)
}
// 0x5
Subcommand::EnumerateCredentialsGetNextCredential => cred_mgmt.next_credential(),
// 0x6
Subcommand::DeleteCredential => {
let sub_parameters = sub_parameters.as_ref().ok_or(Error::MissingParameter)?;
cred_mgmt.delete_credential(
sub_parameters
.credential_id
.as_ref()
.ok_or(Error::MissingParameter)?,
)
}
// 0x7
Subcommand::UpdateUserInformation => {
let sub_parameters = sub_parameters.as_ref().ok_or(Error::MissingParameter)?;
let credential_id = sub_parameters
.credential_id
.as_ref()
.ok_or(Error::MissingParameter)?;
let user = sub_parameters
.user
.as_ref()
.ok_or(Error::MissingParameter)?;
cred_mgmt.update_user_information(credential_id, user)
}
_ => Err(Error::InvalidParameter),
}
}
#[inline(never)]
fn vendor(&mut self, op: VendorOperation) -> Result<()> {
info_now!("hello VO {:?}", &op);
match op.into() {
0x79 => syscall!(self.trussed.debug_dump_store()),
_ => return Err(Error::InvalidCommand),
};
Ok(())
}
#[inline(never)]
fn get_assertion(
&mut self,
parameters: &ctap2::get_assertion::Request,
) -> Result<ctap2::get_assertion::Response> {
debug_now!("remaining stack size: {} bytes", msp() - 0x2000_0000);
let rp_id_hash = self.hash(parameters.rp_id.as_ref());
// 1-4.
let uv_performed = match self.pin_prechecks(
&parameters.options,
parameters.pin_auth.map(AsRef::as_ref),
parameters.pin_protocol,
parameters.client_data_hash.as_ref(),
Permissions::GET_ASSERTION,
parameters.rp_id,
) {
Ok(b) => b,
Err(Error::PinRequired) => {
// UV is optional for get_assertion
false
}
Err(err) => return Err(err),
};
// 5. Locate eligible credentials
//
// Note: If allowList is passed, credential is Some(credential)
// If no allowList is passed, credential is None and the retrieved credentials
// are stored in state.runtime.credential_heap
let (credential, num_credentials) = self
.prepare_credentials(&rp_id_hash, &parameters.allow_list, uv_performed)?
.ok_or(Error::NoCredentials)?;
info_now!("found {:?} applicable credentials", num_credentials);
info_now!("{:?}", &credential);
// 6. process any options present
// RK is not supported in get_assertion
if parameters
.options
.as_ref()
.and_then(|options| options.rk)
.is_some()
{
return Err(Error::InvalidOption);
}
// UP occurs by default, but option could specify not to.
let do_up = if let Some(options) = parameters.options.as_ref() {
options.up.unwrap_or(true)
} else {
true
};
// 7. collect user presence
let up_performed = if do_up {
if !self.skip_up_check() {
info_now!("asking for up");
self.up
.user_present(&mut self.trussed, constants::FIDO2_UP_TIMEOUT)?;
}
true
} else {
info_now!("not asking for up");
false
};
let multiple_credentials = num_credentials > 1;
self.state.runtime.active_get_assertion = Some(state::ActiveGetAssertionData {
rp_id_hash: {
let mut buf = [0u8; 32];
buf.copy_from_slice(&rp_id_hash);
buf
},
client_data_hash: {
let mut buf = [0u8; 32];
buf.copy_from_slice(parameters.client_data_hash);
buf
},
uv_performed,
up_performed,
multiple_credentials,
extensions: parameters.extensions.clone(),
attestation_formats_preference: parameters.attestation_formats_preference.clone(),
});
let num_credentials = match num_credentials {
1 => None,
n => Some(n),
};
self.assert_with_credential(num_credentials, credential)
}
#[inline(never)]
fn large_blobs(
&mut self,
request: &ctap2::large_blobs::Request,
) -> Result<ctap2::large_blobs::Response> {
let Some(config) = self.config.large_blobs else {
return Err(Error::InvalidCommand);
};
// 1. offset is validated by serde
// 2.-3. Exactly one of get or set must be present
match (request.get, request.set) {
(None, None) | (Some(_), Some(_)) => Err(Error::InvalidParameter),
// 4. Implement get subcommand
(Some(get), None) => self.large_blobs_get(request, config, get),
// 5. Implement set subcommand
(None, Some(set)) => self.large_blobs_set(request, config, set),
}
}
}
// impl<UP: UserPresence, T: TrussedRequirements> Authenticator for crate::Authenticator<UP, T>
impl<UP: UserPresence, T: TrussedRequirements> crate::Authenticator<UP, T> {
fn parse_pin_protocol(&self, version: impl TryInto<u8>) -> Result<PinProtocolVersion> {
if let Ok(version) = version.try_into() {
for pin_protocol in self.pin_protocols() {
if u8::from(*pin_protocol) == version {
return Ok(*pin_protocol);
}
}
}
Err(Error::InvalidParameter)
}
// This is the single source of truth for the supported PIN protocols.
fn pin_protocols(&self) -> &'static [PinProtocolVersion] {
&[PinProtocolVersion::V2, PinProtocolVersion::V1]
}
fn pin_protocol(&mut self, pin_protocol: PinProtocolVersion) -> PinProtocol<'_, T> {
let state = self.state.runtime.pin_protocol(&mut self.trussed);
PinProtocol::new(&mut self.trussed, state, pin_protocol)
}
#[inline(never)]
fn check_credential_applicable(
&mut self,
credential: &Credential,
allowlist_passed: bool,
uv_performed: bool,
) -> bool {
if !self.check_key_exists(credential.algorithm(), credential.key()) {
return false;
}
if !{
use credential::CredentialProtectionPolicy as Policy;
debug_now!("CredentialProtectionPolicy {:?}", credential.cred_protect());
match credential.cred_protect() {
None | Some(Policy::Optional) => true,
Some(Policy::OptionalWithCredentialIdList) => allowlist_passed || uv_performed,
Some(Policy::Required) => uv_performed,
}
} {
return false;
}
true
}
#[inline(never)]
fn prepare_credentials(
&mut self,
rp_id_hash: &[u8; 32],
allow_list: &Option<ctap2::get_assertion::AllowList>,
uv_performed: bool,
) -> Result<Option<(Credential, u32)>> {
debug_now!("remaining stack size: {} bytes", msp() - 0x2000_0000);
self.state.runtime.clear_credential_cache();
self.state.runtime.active_get_assertion = None;
// NB: CTAP 2.1 specifies to return the first applicable credential, and set
// numberOfCredentials to None.
// However, CTAP 2.0 says to send numberOfCredentials that are applicable,
// which implies we'd have to respond to GetNextAssertion.
//
// We are using CTAP 2.1 behaviour here, as it allows us not to cache the (length)
// credential IDs. Presumably, most clients use this to just get any old signatures,
// but we did change the github.com/solokeys/fido2-tests to accommodate this change
// of behaviour.
if let Some(allow_list) = allow_list {
debug_now!("Allowlist of len {} passed, filtering", allow_list.len());
// we will have at most one credential, and an empty cache.
// client is not supposed to send Some(empty list):
// <https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#:~:text=A%20platform%20MUST%20NOT%20send%20an%20empty%20allowList%E2%80%94if%20it%20would%20be%20empty%20it%20MUST%20be%20omitted>
// but some still do (and CTAP 2.0 does not rule it out).
// they probably meant to send None.
if !allow_list.is_empty() {
for credential_id in allow_list {
let credential = match Credential::try_from(self, rp_id_hash, credential_id) {
Ok(credential) => credential,
_ => continue,
};
if !self.check_credential_applicable(&credential, true, uv_performed) {
continue;
}
return Ok(Some((credential, 1)));
}
// we don't recognize any credentials in the allowlist
return Ok(None);
}
}
// we are only dealing with discoverable credentials.
debug_now!("Allowlist not passed, fetching RKs");
self.prepare_cache(rp_id_hash, uv_performed)?;
let num_credentials = self.state.runtime.remaining_credentials();
let credential = self.state.runtime.pop_credential(&mut self.trussed);
Ok(credential.map(|credential| (Credential::Full(credential), num_credentials)))
}
/// Populate the cache with the RP credentials.
#[inline(never)]
fn prepare_cache(&mut self, rp_id_hash: &[u8; 32], uv_performed: bool) -> Result<()> {
use crate::state::CachedCredential;
use core::str::FromStr;
let file_name_prefix = rp_file_name_prefix(rp_id_hash);
let mut maybe_entry = syscall!(self.trussed.read_dir_first_alphabetical(
Location::Internal,
PathBuf::from(RK_DIR),
Some(file_name_prefix.clone())
))
.entry;
while let Some(entry) = maybe_entry.take() {
if !entry
.file_name()
.as_ref()
.starts_with(file_name_prefix.as_ref())
{
// We got past all credentials for the relevant RP
break;
}
if entry.file_name() == &*file_name_prefix {
debug_assert!(entry.metadata().is_dir());
error!("Migration missing");
return Err(Error::Other);
}
let credential_data = syscall!(self
.trussed
.read_file(Location::Internal, entry.path().into(),))
.data;
let credential = FullCredential::deserialize(&credential_data).map_err(|_err| {
error!("Failed to deserialize credential: {_err:?}");
Error::Other
})?;
let timestamp = credential.creation_time;
let credential = Credential::Full(credential);
if self.check_credential_applicable(&credential, false, uv_performed) {
self.state.runtime.push_credential(CachedCredential {
timestamp,
path: String::from_str(entry.path().as_str_ref_with_trailing_nul())
.map_err(|_| Error::Other)?,
});
}
maybe_entry = syscall!(self.trussed.read_dir_next()).entry;
}
Ok(())
}
fn decrypt_pin_hash_and_maybe_escalate(
&mut self,
pin_protocol: PinProtocolVersion,
shared_secret: &SharedSecret,
pin_hash_enc: &[u8],
) -> Result<()> {
let pin_hash = shared_secret
.decrypt(&mut self.trussed, pin_hash_enc)
.ok_or(Error::Other)?;
let stored_pin_hash = match self.state.persistent.pin_hash() {
Some(hash) => hash,
None => {
return Err(Error::PinNotSet);
}
};
if pin_hash != stored_pin_hash {
// I) generate new KEK
self.pin_protocol(pin_protocol).regenerate();
self.state.pin_blocked()?;
return Err(Error::PinInvalid);
}
Ok(())
}
fn hash_store_pin(&mut self, pin: &Message) -> Result<()> {
let pin_hash_32 = syscall!(self.trussed.hash_sha256(pin)).hash;
let pin_hash: [u8; 16] = pin_hash_32[..16].try_into().unwrap();
self.state
.persistent
.set_pin_hash(&mut self.trussed, pin_hash)
.unwrap();
Ok(())
}
fn decrypt_pin_check_length(
&mut self,
shared_secret: &SharedSecret,
pin_enc: &[u8],
) -> Result<Message> {
// pin is expected to be filled with null bytes to length at least 64
if pin_enc.len() < 64 {
// correct error?
return Err(Error::PinPolicyViolation);
}
let mut pin = shared_secret
.decrypt(&mut self.trussed, pin_enc)
.ok_or(Error::Other)?;
// // temp
// let pin_length = pin.iter().position(|&b| b == b'\0').unwrap_or(pin.len());
// info_now!("pin.len() = {}, pin_length = {}, = {:?}",
// pin.len(), pin_length, &pin);
// chop off null bytes
let pin_length = pin.iter().position(|&b| b == b'\0').unwrap_or(pin.len());
if !(4..64).contains(&pin_length) {
return Err(Error::PinPolicyViolation);
}
pin.resize_default(pin_length).unwrap();
Ok(pin)
}
fn verify_credential_management_pin_auth(
&mut self,
parameters: &ctap2::credential_management::Request,
) -> Result<()> {
use ctap2::credential_management::Subcommand;
let rp_scope = match parameters.sub_command {
Subcommand::EnumerateCredentialsBegin => {
let rp_id_hash = parameters
.sub_command_params
.as_ref()
.and_then(|subparams| subparams.rp_id_hash)
.ok_or(Error::MissingParameter)?;
RpScope::RpIdHash(rp_id_hash)
}
Subcommand::DeleteCredential | Subcommand::UpdateUserInformation => {
// TODO: determine RP ID from credential ID
RpScope::All
}
_ => RpScope::All,
};
match parameters.sub_command {
Subcommand::GetCredsMetadata
| Subcommand::EnumerateRpsBegin
| Subcommand::EnumerateCredentialsBegin
| Subcommand::DeleteCredential
| Subcommand::UpdateUserInformation => {
// check pinProtocol
let pin_protocol = parameters.pin_protocol.ok_or(Error::MissingParameter)?;
let pin_protocol = self.parse_pin_protocol(pin_protocol)?;
// check pinAuth
let mut data: Bytes<{ sizes::MAX_CREDENTIAL_ID_LENGTH_PLUS_256 }> =
Bytes::from_slice(&[parameters.sub_command as u8]).unwrap();
let len = 1 + match parameters.sub_command {
Subcommand::EnumerateCredentialsBegin
| Subcommand::DeleteCredential
| Subcommand::UpdateUserInformation => {
data.resize_to_capacity();
// ble, need to reserialize
ctap_types::serde::cbor_serialize(
&parameters
.sub_command_params
.as_ref()
.ok_or(Error::MissingParameter)?,
&mut data[1..],
)
.map_err(|_| Error::LimitExceeded)?
.len()
}
_ => 0,
};
let pin_auth = parameters
.pin_auth
.as_ref()
.ok_or(Error::MissingParameter)?;
let mut pin_protocol = self.pin_protocol(pin_protocol);
if let Ok(pin_token) = pin_protocol.verify_pin_token(&data[..len], pin_auth) {
info_now!("passed pinauth");
pin_token.require_permissions(Permissions::CREDENTIAL_MANAGEMENT)?;
pin_token.require_valid_for_rp(rp_scope)?;
Ok(())
} else {
info_now!("failed pinauth!");
self.state.decrement_retries(&mut self.trussed)?;
let maybe_blocked = self.state.pin_blocked();
if maybe_blocked.is_err() {
info_now!("blocked");
maybe_blocked
} else {
info_now!("pinAuthInvalid");
Err(Error::PinAuthInvalid)
}
}
}
// don't need the PIN auth, they're continuations
// of already checked CredMgmt subcommands
Subcommand::EnumerateRpsGetNextRp
| Subcommand::EnumerateCredentialsGetNextCredential => Ok(()),
_ => Err(Error::InvalidParameter),
}
}
/// Returns whether UV was performed.
fn pin_prechecks(
&mut self,
options: &Option<ctap2::AuthenticatorOptions>,
pin_auth: Option<&[u8]>,
pin_protocol: Option<u32>,
data: &[u8],
permissions: Permissions,
rp_id: &str,
) -> Result<bool> {
// 1. pinAuth zero length -> wait for user touch, then
// return PinNotSet if not set, PinInvalid if set
//
// the idea is for multi-authnr scenario where platform
// wants to enforce PIN and needs to figure out which authnrs support PIN
if let Some(pin_auth) = pin_auth {
if pin_auth.is_empty() {
self.up
.user_present(&mut self.trussed, constants::FIDO2_UP_TIMEOUT)?;
if !self.state.persistent.pin_is_set() {
return Err(Error::PinNotSet);
} else {
return Err(Error::PinAuthInvalid);
}
}
}
// 2. check PIN protocol is 1 if pinAuth was sent
let pin_protocol = if pin_auth.is_some() {
let pin_protocol = pin_protocol.ok_or(Error::MissingParameter)?;
let pin_protocol = self.parse_pin_protocol(pin_protocol)?;
Some(pin_protocol)
} else {
None
};
// 3. if no PIN is set (we have no other form of UV),
// and platform sent `uv` or `pinAuth`, return InvalidOption
if !self.state.persistent.pin_is_set() {
if let Some(ref options) = &options {
if Some(true) == options.uv {
return Err(Error::InvalidOption);
}
}
if pin_auth.is_some() {
return Err(Error::InvalidOption);
}
}
// 4. If authenticator is protected by som form of user verification, do it
// Reject uv = true as we do not support built-in user verification
if pin_auth.is_none() && options.as_ref().and_then(|options| options.uv) == Some(true) {
return Err(Error::InvalidOption);
}
if self.state.persistent.pin_is_set() {
// let mut uv_performed = false;
if let Some(pin_auth) = pin_auth {
// seems a bit redundant to check here in light of 2.
// I guess the CTAP spec writers aren't implementers :D
if let Some(pin_protocol) = pin_protocol {
// 5. if pinAuth is present and pinProtocol = 1, verify
// success --> set uv = 1
// error --> PinAuthInvalid
let mut pin_protocol = self.pin_protocol(pin_protocol);
let pin_token = pin_protocol.verify_pin_token(data, pin_auth)?;
pin_token.require_permissions(permissions)?;
pin_token.require_valid_for_rp(RpScope::RpId(rp_id))?;
return Ok(true);
} else {
// 7. pinAuth present + pinProtocol != 1 --> error PinAuthInvalid
return Err(Error::PinAuthInvalid);
}
} else {
// 6. pinAuth not present + clientPin set + rk = true --> error PinRequired
if options.as_ref().and_then(|options| options.rk) == Some(true) {
return Err(Error::PinRequired);
}
}
}
Ok(false)
}
#[inline(never)]
fn check_key_exists(&mut self, alg: i32, key: &Key) -> bool {
match key {
// TODO: should check if wrapped key is valid AEAD
// On the other hand, we already decrypted a valid AEAD
Key::WrappedKey(_) => true,
Key::ResidentKey(key) => {
debug_now!("checking if ResidentKey {:?} exists", key);
SigningAlgorithm::try_from(alg)
.map(|alg| syscall!(self.trussed.exists(alg.mechanism(), *key)).exists)
.unwrap_or_default()
}
}
}
#[inline(never)]
fn process_assertion_extensions(
&mut self,
get_assertion_state: &state::ActiveGetAssertionData,
extensions: &ctap2::get_assertion::ExtensionsInput,
credential: &Credential,
credential_key: KeyId,
) -> Result<Option<ctap2::get_assertion::ExtensionsOutput>> {
let mut output = ctap2::get_assertion::ExtensionsOutput::default();
if let Some(hmac_secret) = &extensions.hmac_secret {
let pin_protocol = hmac_secret
.pin_protocol
.map(|i| self.parse_pin_protocol(i))
.transpose()?
.unwrap_or(PinProtocolVersion::V1);
if !get_assertion_state.up_performed {
return Err(Error::UnsupportedOption);
}
// We derive credRandom as an hmac of the existing private key.
// UV is used as input data since credRandom should depend UV
// i.e. credRandom = HMAC(private_key, uv)
let cred_random = syscall!(self.trussed.derive_key(
Mechanism::HmacSha256,
credential_key,
Some(Bytes::from_slice(&[get_assertion_state.uv_performed as u8]).unwrap()),
StorageAttributes::new().set_persistence(Location::Volatile)
))
.key;
// Verify the auth tag, which uses the same process as the pinAuth
let mut pin_protocol = self.pin_protocol(pin_protocol);
let shared_secret = pin_protocol.shared_secret(&hmac_secret.key_agreement)?;
pin_protocol.verify_pin_auth(
&shared_secret,
&hmac_secret.salt_enc,
&hmac_secret.salt_auth,
)?;
// decrypt input salt_enc to get salt1 or (salt1 || salt2)
let salts = shared_secret
.decrypt(&mut self.trussed, &hmac_secret.salt_enc)
.ok_or(Error::InvalidOption)?;
if salts.len() != 32 && salts.len() != 64 {
debug_now!("invalid hmac-secret length");
return Err(Error::InvalidLength);
}
let mut salt_output: Bytes<64> = Bytes::new();
// output1 = hmac_sha256(credRandom, salt1)
let output1 =
syscall!(self.trussed.sign_hmacsha256(cred_random, &salts[0..32])).signature;
salt_output.extend_from_slice(&output1).unwrap();
if salts.len() == 64 {
// output2 = hmac_sha256(credRandom, salt2)
let output2 =
syscall!(self.trussed.sign_hmacsha256(cred_random, &salts[32..64])).signature;
salt_output.extend_from_slice(&output2).unwrap();
}
syscall!(self.trussed.delete(cred_random));
// output_enc = aes256-cbc(sharedSecret, IV=0, output1 || output2)
let output_enc = shared_secret.encrypt(&mut self.trussed, &salt_output);
shared_secret.delete(&mut self.trussed);
output.hmac_secret = Some(Bytes::from_slice(&output_enc).unwrap());
}
if extensions.third_party_payment.unwrap_or_default() {
output.third_party_payment = Some(credential.third_party_payment().unwrap_or_default());
}
Ok(output.is_set().then_some(output))
}
#[inline(never)]
fn assert_with_credential(
&mut self,
num_credentials: Option<u32>,
credential: Credential,
) -> Result<ctap2::get_assertion::Response> {
let data = self.state.runtime.active_get_assertion.clone().unwrap();
let rp_id_hash = &data.rp_id_hash;
let (key, is_rk) = match credential.key().clone() {
Key::ResidentKey(key) => (key, true),
Key::WrappedKey(bytes) => {
let wrapping_key = self.state.persistent.key_wrapping_key(&mut self.trussed)?;
// info_now!("unwrapping {:?} with wrapping key {:?}", &bytes, &wrapping_key);
let key_result = syscall!(self.trussed.unwrap_key_chacha8poly1305(
wrapping_key,
&bytes,
&[],
Location::Volatile,
))
.key;
// debug_now!("key result: {:?}", &key_result);
info_now!("key result");
match key_result {
Some(key) => (key, false),
None => {
return Err(Error::Other);
}
}
}
};
// 8. process any extensions present
let mut large_blob_key_requested = false;
let extensions_output = if let Some(extensions) = &data.extensions {
if self.config.supports_large_blobs() {
if extensions.large_blob_key == Some(false) {
// large_blob_key must be Some(true) or omitted
return Err(Error::InvalidOption);
}
large_blob_key_requested = extensions.large_blob_key == Some(true);
}
self.process_assertion_extensions(&data, extensions, &credential, key)?
} else {
None
};
// 9./10. sign clientDataHash || authData with "first" credential
// info_now!("signing with credential {:?}", &credential);
let kek = self
.state
.persistent
.key_encryption_key(&mut self.trussed)?;
let credential_id = credential.id(&mut self.trussed, kek, rp_id_hash)?;
use ctap2::AuthenticatorDataFlags as Flags;
let sig_count = self.state.persistent.timestamp(&mut self.trussed)?;
let authenticator_data = ctap2::get_assertion::AuthenticatorData {
rp_id_hash,
flags: {
let mut flags = Flags::empty();
if data.up_performed {
flags |= Flags::USER_PRESENCE;
}
if data.uv_performed {
flags |= Flags::USER_VERIFIED;
}
if extensions_output.is_some() {
flags |= Flags::EXTENSION_DATA;
}
flags
},
sign_count: sig_count,
attested_credential_data: None,
extensions: extensions_output,
};
let serialized_auth_data = authenticator_data.serialize()?;
let mut commitment = Bytes::<1024>::new();
commitment
.extend_from_slice(&serialized_auth_data)
.map_err(|_| Error::Other)?;
commitment
.extend_from_slice(&data.client_data_hash)
.map_err(|_| Error::Other)?;
let signing_algorithm =
SigningAlgorithm::try_from(credential.algorithm()).map_err(|_| Error::Other)?;
let signature = signing_algorithm
.sign(&mut self.trussed, key, &commitment)
.to_bytes()
.unwrap();
// select preferred format or skip attestation statement
let att_stmt_fmt = data
.attestation_formats_preference
.as_ref()
.and_then(SupportedAttestationFormat::select);
let att_stmt = if let Some(format) = att_stmt_fmt {
match format {
SupportedAttestationFormat::None => {
Some(AttestationStatement::None(NoneAttestationStatement {}))
}
SupportedAttestationFormat::Packed => {
let (attestation_maybe, _) = self.state.identity.attestation(&mut self.trussed);
let (signature, attestation_algorithm) = {
if let Some(attestation) = attestation_maybe.as_ref() {
let signing_algorithm = SigningAlgorithm::P256;
let signature = signing_algorithm.sign(
&mut self.trussed,
attestation.0,
&commitment,
);
(
signature.to_bytes().map_err(|_| Error::Other)?,
signing_algorithm.into(),
)
} else {
(signature.clone(), credential.algorithm())
}
};
let packed = PackedAttestationStatement {
alg: attestation_algorithm,
sig: signature,
x5c: attestation_maybe.as_ref().map(|attestation| {
// See: https://www.w3.org/TR/webauthn-2/#sctn-packed-attestation-cert-requirements
let cert = attestation.1.clone();
let mut x5c = Vec::new();
x5c.push(cert).ok();
x5c
}),
};
Some(AttestationStatement::Packed(packed))
}
}
} else {
None
};
if !is_rk {
syscall!(self.trussed.delete(key));
}
let mut response = ctap2::get_assertion::ResponseBuilder {
credential: credential_id.into(),
auth_data: serialized_auth_data,
signature,
}
.build();
response.number_of_credentials = num_credentials;
response.att_stmt = att_stmt;
// User with empty IDs are ignored for compatibility
if is_rk {
if let Credential::Full(credential) = &credential {
if !credential.user.id().is_empty() {
let mut user: PublicKeyCredentialUserEntity = credential.user.clone().into();
// User identifiable information (name, DisplayName, icon) MUST not
// be returned if user verification is not done by the authenticator.
// For single account per RP case, authenticator returns "id" field.
if !data.uv_performed || !data.multiple_credentials {
user.icon = None;
user.name = None;
user.display_name = None;
}
response.user = Some(user);
}
}
if large_blob_key_requested {
debug!("Sending largeBlobKey in getAssertion");
response.large_blob_key = match credential {
Credential::Stripped(stripped) => stripped.large_blob_key,
Credential::Full(full) => full.data.large_blob_key,
};
}
}
Ok(response)
}
#[inline(never)]
fn delete_resident_key_by_user_id(
&mut self,
rp_id_hash: &[u8; 32],
user_id: &Bytes<64>,
) -> Result<()> {
// Prepare to iterate over all credentials associated to RP.
let file_name_prefix = rp_file_name_prefix(rp_id_hash);
let mut maybe_entry = syscall!(self.trussed.read_dir_first_alphabetical(
Location::Internal,
PathBuf::from(RK_DIR),
Some(file_name_prefix.clone())
))
.entry;
while let Some(entry) = maybe_entry.take() {
if !entry
.file_name()
.as_ref()
.starts_with(file_name_prefix.as_ref())
{
// We got past all credentials for the relevant RP
break;
}
if entry.file_name() == &*file_name_prefix {
debug_assert!(entry.metadata().is_dir());
error!("Migration missing");
return Err(Error::Other);
}
info_now!("this may be an RK: {:?}", &entry);
let rk_path = PathBuf::from(entry.path());
info_now!("checking RK {:?} for userId ", &rk_path);
let credential_data =
syscall!(self.trussed.read_file(Location::Internal, rk_path.clone(),)).data;
let credential_maybe = FullCredential::deserialize(&credential_data);
if let Ok(old_credential) = credential_maybe {
if old_credential.user.id() == user_id {
match old_credential.key {
credential::Key::ResidentKey(key) => {
info_now!(":: deleting resident key");
syscall!(self.trussed.delete(key));
}
_ => {
warn_now!(":: WARNING: unexpected server credential in rk.");
}
}
syscall!(self.trussed.remove_file(Location::Internal, rk_path,));
info_now!("Overwriting previous rk tied to this userId.");
break;
}
} else {
warn_now!("WARNING: Could not read RK.");
}
// prepare for next loop iteration
maybe_entry = syscall!(self.trussed.read_dir_next()).entry;
}
Ok(())
}
#[inline(never)]
pub(crate) fn delete_resident_key_by_path(&mut self, rk_path: &Path) -> Result<()> {
info_now!("deleting RK {:?}", &rk_path);
let credential_data = syscall!(self
.trussed
.read_file(Location::Internal, PathBuf::from(rk_path),))
.data;
let credential_maybe = FullCredential::deserialize(&credential_data);
// info_now!("deleting credential {:?}", &credential);
if let Ok(credential) = credential_maybe {
match credential.key {
credential::Key::ResidentKey(key) => {
info_now!(":: deleting resident key");
syscall!(self.trussed.delete(key));
}
credential::Key::WrappedKey(_) => {}
}
} else {
// If for some reason there becomes a corrupt credential,
// we can still at least orphan the key rather then crash.
info_now!("Warning! Orpaning a key.");
}
info_now!(":: deleting RK file {:?} itself", &rk_path);
syscall!(self
.trussed
.remove_file(Location::Internal, PathBuf::from(rk_path),));
Ok(())
}
fn large_blobs_get(
&mut self,
request: &ctap2::large_blobs::Request,
config: large_blobs::Config,
length: u32,
) -> Result<ctap2::large_blobs::Response> {
debug!(
"large_blobs_get: length = {length}, offset = {}",
request.offset
);
// 1.-2. Validate parameters
if request.length.is_some()
|| request.pin_uv_auth_param.is_some()
|| request.pin_uv_auth_protocol.is_some()
{
error!("length/pin set");
return Err(Error::InvalidParameter);
}
// 3. Validate length
let Ok(length) = usize::try_from(length) else {
return Err(Error::InvalidLength);
};
if length > self.config.max_msg_size.saturating_sub(64) {
return Err(Error::InvalidLength);
}
// 4. Validate offset
let Ok(offset) = usize::try_from(request.offset) else {
error!("offset too large");
return Err(Error::InvalidParameter);
};
let stored_length = large_blobs::size(&mut self.trussed, config.location)?;
if offset > stored_length {
error!("offset: {offset}, stored_length: {stored_length}");
return Err(Error::InvalidParameter);
};
// 5. Return requested data
info!("Reading large-blob array from offset {offset}");
let data = large_blobs::read_chunk(&mut self.trussed, config.location, offset, length)?;
let mut response = ctap2::large_blobs::Response::default();
response.config = Some(data);
Ok(response)
}
fn large_blobs_set(
&mut self,
request: &ctap2::large_blobs::Request,
config: large_blobs::Config,
data: &[u8],
) -> Result<ctap2::large_blobs::Response> {
debug!(
"large_blobs_set: |data| = {}, offset = {}, length = {:?}",
data.len(),
request.offset,
request.length
);
// 1. Validate data
if data.len() > self.config.max_msg_size.saturating_sub(64) {
return Err(Error::InvalidLength);
}
if request.offset == 0 {
// 2. Calculate expected length and offset
// 2.1. Require length
let Some(length) = request.length else {
return Err(Error::InvalidParameter);
};
// 2.2. Check that length is not too big
let Ok(length) = usize::try_from(length) else {
return Err(Error::LargeBlobStorageFull);
};
if length > config.max_size() {
return Err(Error::LargeBlobStorageFull);
}
// 2.3. Check that length is not too small
if length < large_blobs::MIN_SIZE {
return Err(Error::InvalidParameter);
}
// 2.4-5. Set expected length and offset
self.state.runtime.large_blobs.expected_length = length;
self.state.runtime.large_blobs.expected_next_offset = 0;
} else {
// 3. Validate parameters
if request.length.is_some() {
return Err(Error::InvalidParameter);
}
}
// 4. Validate offset
let Ok(offset) = usize::try_from(request.offset) else {
return Err(Error::InvalidSeq);
};
if offset != self.state.runtime.large_blobs.expected_next_offset {
return Err(Error::InvalidSeq);
}
// 5. Perform uv
// TODO: support alwaysUv
if self.state.persistent.pin_is_set() {
let Some(pin_uv_auth_param) = request.pin_uv_auth_param else {
return Err(Error::PinRequired);
};
let Some(pin_uv_auth_protocol) = request.pin_uv_auth_protocol else {
return Err(Error::PinRequired);
};
if pin_uv_auth_protocol != 1 {
return Err(Error::PinAuthInvalid);
}
let pin_protocol = self.parse_pin_protocol(pin_uv_auth_protocol)?;
// TODO: check pinUvAuthToken
let pin_auth: [u8; 16] = pin_uv_auth_param
.as_ref()
.try_into()
.map_err(|_| Error::PinAuthInvalid)?;
let mut auth_data: Bytes<70> = Bytes::new();
// 32x 0xff
auth_data.resize(32, 0xff).unwrap();
// h'0c00'
auth_data.push(0x0c).unwrap();
auth_data.push(0x00).unwrap();
// uint32LittleEndian(offset)
auth_data
.extend_from_slice(&request.offset.to_le_bytes())
.unwrap();
// SHA-256(data)
auth_data.extend_from_slice(&Sha256::digest(data)).unwrap();
let mut pin_protocol = self.pin_protocol(pin_protocol);
let pin_token = pin_protocol.verify_pin_token(&pin_auth, &auth_data)?;
pin_token.require_permissions(Permissions::LARGE_BLOB_WRITE)?;
}
// 6. Validate data length
if offset + data.len() > self.state.runtime.large_blobs.expected_length {
return Err(Error::InvalidParameter);
}
// 7.-11. Write the buffer
info!("Writing large-blob array to offset {offset}");
large_blobs::write_chunk(
&mut self.trussed,
&mut self.state.runtime.large_blobs,
config.location,
data,
)?;
Ok(ctap2::large_blobs::Response::default())
}
}
#[derive(Clone, Copy, Debug)]
enum SupportedAttestationFormat {
None,
Packed,
}
impl SupportedAttestationFormat {
fn select(preference: &AttestationFormatsPreference) -> Option<Self> {
if preference.known_formats() == [AttestationStatementFormat::None]
&& !preference.includes_unknown_formats()
{
// platform requested only None --> omit attestation statement
return None;
}
// use first known and supported format, or default to packed format
let format = preference
.known_formats()
.iter()
.copied()
.flat_map(Self::try_from)
.next()
.unwrap_or(Self::Packed);
Some(format)
}
}
impl From<SupportedAttestationFormat> for AttestationStatementFormat {
fn from(format: SupportedAttestationFormat) -> Self {
match format {
SupportedAttestationFormat::None => Self::None,
SupportedAttestationFormat::Packed => Self::Packed,
}
}
}
impl TryFrom<AttestationStatementFormat> for SupportedAttestationFormat {
type Error = Error;
fn try_from(format: AttestationStatementFormat) -> core::result::Result<Self, Self::Error> {
match format {
AttestationStatementFormat::None => Ok(Self::None),
AttestationStatementFormat::Packed => Ok(Self::Packed),
_ => Err(Error::Other),
}
}
}
// The new path scheme for disvoerable credentials (= resident keys) is:
// rk/<rp_id_hash>.<credential_id_hash>
// The hashes are truncated to the first eight bytes and formatted as hex strings.
// We use the following terms for the components:
// rk_path: rk/<rp_id_hash>.<credential_id_hash>
// rp_file_name_prefix: <rp_id_hash>
fn rp_file_name_prefix(rp_id_hash: &[u8; 32]) -> PathBuf {
let mut hex = [b'0'; 16];
super::format_hex(&rp_id_hash[..8], &mut hex);
PathBuf::try_from(&hex).unwrap()
}
fn rk_path(rp_id_hash: &[u8; 32], credential_id_hash: &[u8; 32]) -> PathBuf {
// 16 bytes per hash + dot + trailing zero = 34
let mut buf = [0; 34];
buf[16] = b'.';
format_hex(&rp_id_hash[..8], &mut buf[..16]);
format_hex(&credential_id_hash[..8], &mut buf[17..33]);
let mut path = PathBuf::from(RK_DIR);
path.push(Path::from_bytes_with_nul(&buf).unwrap());
path
}
#[cfg(test)]
mod tests {
use super::{rk_path, rp_file_name_prefix};
const TEST_HASH: &[u8; 32] = &[
134, 54, 157, 96, 10, 28, 233, 79, 219, 59, 195, 125, 165, 251, 120, 14, 49, 152, 212, 191,
114, 137, 180, 207, 255, 177, 187, 106, 173, 1, 203, 171,
];
const TEST_HASH_HEX: &str = "86369d600a1ce94f";
#[test]
fn test_rp_file_name_prefix() {
assert_eq!(rp_file_name_prefix(&[0; 32]).as_str(), "0000000000000000");
assert_eq!(rp_file_name_prefix(TEST_HASH).as_str(), TEST_HASH_HEX);
}
#[test]
fn test_rk_path() {
fn test(rp_id_hash: &[u8; 32], credential_id_hash: &[u8; 32], expected: &str) {
println!("rp_id_hash: {rp_id_hash:?}");
println!("credential_id_hash: {credential_id_hash:?}");
let actual = rk_path(rp_id_hash, credential_id_hash);
assert_eq!(actual.as_str(), expected);
}
let input_zero = &[0; 32];
let output_zero = "0000000000000000";
let input_nonzero = TEST_HASH;
let output_nonzero = TEST_HASH_HEX;
test(
input_zero,
input_zero,
&format!("rk/{output_zero}.{output_zero}"),
);
test(
input_zero,
input_nonzero,
&format!("rk/{output_zero}.{output_nonzero}"),
);
test(
input_nonzero,
input_zero,
&format!("rk/{output_nonzero}.{output_zero}"),
);
test(
input_nonzero,
input_nonzero,
&format!("rk/{output_nonzero}.{output_nonzero}"),
);
}
}
Reference in New Issue View Git Blame Copy Permalink