From 7c66a16bef2518b1273b0244e8fb86a49f691411 Mon Sep 17 00:00:00 2001
From: Andrew Kozlik
Date: Thu, 30 Jul 2020 12:16:49 +0200
Subject: [PATCH] common/tools: Check for collisions between U2F app IDs and WebAuthn RP ID hashes.

---
 common/tools/cointool.py | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/common/tools/cointool.py b/common/tools/cointool.py
index 92bce0490c..cf6b69de2d 100755
--- a/common/tools/cointool.py
+++ b/common/tools/cointool.py
@@ -507,6 +507,27 @@ def check_fido(apps):
         print_log(logging.ERROR, webauthn_str, bucket_str)
         check_passed = False
 
+    domain_hashes = {}
+    for app in apps:
+        if "webauthn" in app:
+            for domain in app["webauthn"]:
+                domain_hashes[sha256(domain.encode()).digest()] = domain
+    for app in apps:
+        if "u2f" in app:
+            for u2f in app["u2f"]:
+                domain = domain_hashes.get(bytes.fromhex(u2f["app_id"]))
+                if domain:
+                    print_log(
+                        logging.ERROR,
+                        "colliding WebAuthn domain "
+                        + crayon(None, domain, bold=True)
+                        + " and U2F app_id "
+                        + crayon(None, u2f["app_id"], bold=True)
+                        + " for "
+                        + u2f["label"],
+                    )
+                    check_passed = False
+
     for app in apps:
         if "name" not in app:
             print_log(logging.ERROR, app["key"], ": missing name")
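Review bot: The collision test `if domain:` relies on truthiness, so a WebAuthn entry whose domain is the empty string would hash-match a U2F app_id and still be skipped; since `dict.get` returns None only on a miss, `if domain is not None:` is the precise test. The purpose of the cross-check is also not recorded; a comment above `domain_hashes = {}` along the lines of `# U2F app_ids are stored as hex SHA-256 digests and WebAuthn entries as RP IDs; a U2F app_id equal to sha256(domain) would make the two indistinguishable at lookup time` would explain why the two lists are compared, if that is indeed the motivation. `bytes.fromhex(u2f["app_id"])` raises ValueError on a malformed app_id instead of reporting it through print_log, which is acceptable only if the field is already schema-validated upstream — worth confirming, otherwise one bad entry aborts the whole check. check_fido begins before this hunk and the rest of its body follows it.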