common/tools: Check for collisions between U2F app IDs and WebAuthn RP ID hashes.

4 years ago · 7c66a16bef
parent 7d07161efe
commit 7c66a16bef
1 changed files with 21 additions and 0 deletions
--- a/common/tools/cointool.py
+++ b/common/tools/cointool.py
@ -507,6 +507,27 @@ def check_fido(apps):
        print_log(logging.ERROR, webauthn_str, bucket_str)
        check_passed = False

+    domain_hashes = {}
+    for app in apps:
+        if "webauthn" in app:
+            for domain in app["webauthn"]:
+                domain_hashes[sha256(domain.encode()).digest()] = domain
+    for app in apps:
+        if "u2f" in app:
+            for u2f in app["u2f"]:
+                domain = domain_hashes.get(bytes.fromhex(u2f["app_id"]))
+                if domain:
+                    print_log(
+                        logging.ERROR,
+                        "colliding WebAuthn domain "
+                        + crayon(None, domain, bold=True)
+                        + " and U2F app_id "
+                        + crayon(None, u2f["app_id"], bold=True)
+                        + " for "
+                        + u2f["label"],
+                    )
+                    check_passed = False
+
    for app in apps:
        if "name" not in app:
            print_log(logging.ERROR, app["key"], ": missing name")