arno/trezor-firmware
1
0
Fork 0
mirror of https://github.com/trezor/trezor-firmware.git synced 2024-12-15 19:08:07 +00:00
Code Issues Releases Wiki Activity

core/webauthn: Use basic attestation in FIDO2 MakeCredential responses.

Browse Source
This commit is contained in:
Andrew Kozlik 2019-09-19 20:05:32 +02:00 committed by Pavol Rusnak
parent 8da121ff5c
commit 9efc3b4431
No known key found for this signature in database
GPG Key ID: 91F3B339B9A02A3D
1 changed files with 14 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
core/src/apps/webauthn/__init__.py
View File

@ -200,8 +200,12 @@ _FRAME_CONT_SIZE = 59
_KEY_AGREEMENT_PRIVKEY = nist256p1.generate_secret()
_KEY_AGREEMENT_PUBKEY = nist256p1.publickey(_KEY_AGREEMENT_PRIVKEY, False)
_ALLOW_RESIDENT_CREDENTIALS = True
# FIDO2 configuration.
_ALLOW_FIDO2 = True
_ALLOW_RESIDENT_CREDENTIALS = True
# The attestation type to use in MakeCredential responses. If false, then self attestation will be used.
_USE_BASIC_ATTESTATION = True
def frame_init() -> dict:
@ -1349,7 +1353,10 @@ def cbor_make_credential_sign(
+ extensions
)
# Compute self-attestation signature of the authenticator data.
# Compute the attestation signature of the authenticator data.
if _USE_BASIC_ATTESTATION:
privkey = _U2F_ATT_PRIV_KEY
dig = hashlib.sha256()
dig.update(authenticator_data)
dig.update(client_data_hash)
@ -1357,11 +1364,15 @@ def cbor_make_credential_sign(
sig = der.encode_seq((sig[1:33], sig[33:]))
# Encode the authenticatorMakeCredential response data.
attestation_statement = {"alg": _COSE_ALG_ES256, "sig": sig}
if _USE_BASIC_ATTESTATION:
attestation_statement["x5c"] = [_U2F_ATT_CERT]
return cbor.encode(
{
_MAKECRED_RESP_FMT: "packed",
_MAKECRED_RESP_AUTH_DATA: authenticator_data,
_MAKECRED_RESP_ATT_STMT: {"alg": _COSE_ALG_ES256, "sig": sig},
_MAKECRED_RESP_ATT_STMT: attestation_statement,
}
)