arno/trezor-firmware
1
0
Fork 0
mirror of https://github.com/trezor/trezor-firmware.git synced 2025-07-15 02:58:12 +00:00
Code Issues Releases Wiki Activity

core/webauthn: Add maxCredentialCountInList and maxCredentialIdLength to authenticatorGetInfo response.

Browse Source
This commit is contained in:
Andrew Kozlik 2020-03-14 20:20:59 +01:00 committed by Andrew Kozlik
parent 0af0e06d5b
commit cda9de8dd1
2 changed files with 23 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
core/src/apps/webauthn/credential.py
View File

@ -15,9 +15,13 @@ if False:
# Credential ID values # Credential ID values
_CRED_ID_VERSION = b"\xf1\xd0\x02\x00" _CRED_ID_VERSION = b"\xf1\xd0\x02\x00"
_CRED_ID_MIN_LENGTH = const(33) CRED_ID_MIN_LENGTH = const(33)
CRED_ID_MAX_LENGTH = const(1024)
_KEY_HANDLE_LENGTH = const(64) _KEY_HANDLE_LENGTH = const(64)
# Maximum user handle length in bytes.
_USER_ID_MAX_LENGTH = const(64)
# Maximum supported length of the RP name, user name or user displayName in bytes. # Maximum supported length of the RP name, user name or user displayName in bytes.
# Note: The WebAuthn spec allows authenticators to truncate to 64 bytes or more. # Note: The WebAuthn spec allows authenticators to truncate to 64 bytes or more.
NAME_MAX_LENGTH = const(100) NAME_MAX_LENGTH = const(100)
@ -151,11 +155,14 @@ class Fido2Credential(Credential):
tag = ctx.finish() tag = ctx.finish()
self.id = _CRED_ID_VERSION + iv + ciphertext + tag self.id = _CRED_ID_VERSION + iv + ciphertext + tag
if len(self.id) > CRED_ID_MAX_LENGTH:
raise AssertionError
@classmethod @classmethod
def from_cred_id( def from_cred_id(
cls, cred_id: bytes, rp_id_hash: Optional[bytes] cls, cred_id: bytes, rp_id_hash: Optional[bytes]
) -> "Fido2Credential": ) -> "Fido2Credential":
if len(cred_id) < _CRED_ID_MIN_LENGTH or cred_id[0:4] != _CRED_ID_VERSION: if len(cred_id) < CRED_ID_MIN_LENGTH or cred_id[0:4] != _CRED_ID_VERSION:
raise ValueError # invalid length or version raise ValueError # invalid length or version
key = seed.derive_slip21_node_without_passphrase( key = seed.derive_slip21_node_without_passphrase(
@ -228,6 +235,7 @@ class Fido2Credential(Credential):
return ( return (
self.rp_id is not None self.rp_id is not None
and self.user_id is not None and self.user_id is not None
and len(self.user_id) <= _USER_ID_MAX_LENGTH
and self.creation_time is not None and self.creation_time is not None
) )

14
core/src/apps/webauthn/fido2.py
View File

@ -15,7 +15,12 @@ from trezor.ui.text import Text
from apps.common import cbor from apps.common import cbor
from apps.webauthn import common from apps.webauthn import common
from apps.webauthn.confirm import ConfirmContent, ConfirmInfo from apps.webauthn.confirm import ConfirmContent, ConfirmInfo
from apps.webauthn.credential import Credential, Fido2Credential, U2fCredential from apps.webauthn.credential import (
CRED_ID_MAX_LENGTH,
Credential,
Fido2Credential,
U2fCredential,
)
from apps.webauthn.resident_credentials import ( from apps.webauthn.resident_credentials import (
find_by_rp_id_hash, find_by_rp_id_hash,
store_resident_credential, store_resident_credential,
@ -98,6 +103,8 @@ _GETINFO_RESP_EXTENSIONS = const(0x02) # array of str, optional
_GETINFO_RESP_AAGUID = const(0x03) # bytes(16), required _GETINFO_RESP_AAGUID = const(0x03) # bytes(16), required
_GETINFO_RESP_OPTIONS = const(0x04) # map, optional _GETINFO_RESP_OPTIONS = const(0x04) # map, optional
_GETINFO_RESP_PIN_PROTOCOLS = const(0x06) # list of unsigned integers, optional _GETINFO_RESP_PIN_PROTOCOLS = const(0x06) # list of unsigned integers, optional
_GETINFO_RESP_MAX_CRED_COUNT_IN_LIST = const(0x07) # int, optional
_GETINFO_RESP_MAX_CRED_ID_LEN = const(0x08) # int, optional
# CBOR ClientPin command parameter keys # CBOR ClientPin command parameter keys
_CLIENTPIN_CMD_PIN_PROTOCOL = const(0x01) # unsigned int, required _CLIENTPIN_CMD_PIN_PROTOCOL = const(0x01) # unsigned int, required
@ -211,6 +218,9 @@ _DEFAULT_USE_SELF_ATTESTATION = True
# The default value of the use_sign_count flag for newly created credentials. # The default value of the use_sign_count flag for newly created credentials.
_DEFAULT_USE_SIGN_COUNT = True _DEFAULT_USE_SIGN_COUNT = True
# The maximum number of credential IDs that can be supplied in the GetAssertion allow list.
_MAX_CRED_COUNT_IN_LIST = const(10)
# The CID of the last WINK command. Used to ensure that we do only one WINK at a time on any given CID. # The CID of the last WINK command. Used to ensure that we do only one WINK at a time on any given CID.
_last_wink_cid = 0 _last_wink_cid = 0
@ -1747,6 +1757,8 @@ def cbor_get_info(req: Cmd) -> Cmd:
"uv": True, "uv": True,
}, },
_GETINFO_RESP_PIN_PROTOCOLS: [1], _GETINFO_RESP_PIN_PROTOCOLS: [1],
_GETINFO_RESP_MAX_CRED_COUNT_IN_LIST: _MAX_CRED_COUNT_IN_LIST,
_GETINFO_RESP_MAX_CRED_ID_LEN: CRED_ID_MAX_LENGTH,
} }
return Cmd(req.cid, _CMD_CBOR, bytes([_ERR_NONE]) + cbor.encode(response_data)) return Cmd(req.cid, _CMD_CBOR, bytes([_ERR_NONE]) + cbor.encode(response_data))