core/webauthn: In GetAssertion do not return user ID for server resident credentials.
This commit is contained in:
parent
4ec7e203d5
commit
eaf63fff45
@ -735,6 +735,7 @@ class Fido2ConfirmGetAssertion(Fido2State, ConfirmInfo, Pageable):
|
|||||||
client_data_hash: bytes,
|
client_data_hash: bytes,
|
||||||
creds: List[Credential],
|
creds: List[Credential],
|
||||||
hmac_secret: Optional[dict],
|
hmac_secret: Optional[dict],
|
||||||
|
resident: bool,
|
||||||
user_verification: bool,
|
user_verification: bool,
|
||||||
) -> None:
|
) -> None:
|
||||||
Fido2State.__init__(self, cid, iface)
|
Fido2State.__init__(self, cid, iface)
|
||||||
@ -743,6 +744,7 @@ class Fido2ConfirmGetAssertion(Fido2State, ConfirmInfo, Pageable):
|
|||||||
self._client_data_hash = client_data_hash
|
self._client_data_hash = client_data_hash
|
||||||
self._creds = creds
|
self._creds = creds
|
||||||
self._hmac_secret = hmac_secret
|
self._hmac_secret = hmac_secret
|
||||||
|
self._resident = resident
|
||||||
self._user_verification = user_verification
|
self._user_verification = user_verification
|
||||||
self.load_icon(self._creds[0].rp_id_hash)
|
self.load_icon(self._creds[0].rp_id_hash)
|
||||||
|
|
||||||
@ -777,6 +779,7 @@ class Fido2ConfirmGetAssertion(Fido2State, ConfirmInfo, Pageable):
|
|||||||
cred.rp_id_hash,
|
cred.rp_id_hash,
|
||||||
cred,
|
cred,
|
||||||
self._hmac_secret,
|
self._hmac_secret,
|
||||||
|
self._resident,
|
||||||
True,
|
True,
|
||||||
self._user_verification,
|
self._user_verification,
|
||||||
)
|
)
|
||||||
@ -804,7 +807,9 @@ class Fido2ConfirmNoCredentials(Fido2ConfirmGetAssertion):
|
|||||||
def __init__(self, cid: int, iface: io.HID, rp_id: str) -> None:
|
def __init__(self, cid: int, iface: io.HID, rp_id: str) -> None:
|
||||||
cred = Fido2Credential()
|
cred = Fido2Credential()
|
||||||
cred.rp_id = rp_id
|
cred.rp_id = rp_id
|
||||||
super().__init__(cid, iface, b"", [cred], {}, user_verification=False)
|
super().__init__(
|
||||||
|
cid, iface, b"", [cred], {}, resident=False, user_verification=False
|
||||||
|
)
|
||||||
|
|
||||||
async def on_confirm(self) -> None:
|
async def on_confirm(self) -> None:
|
||||||
cmd = cbor_error(self.cid, _ERR_NO_CREDENTIALS)
|
cmd = cbor_error(self.cid, _ERR_NO_CREDENTIALS)
|
||||||
@ -1400,10 +1405,12 @@ def cbor_get_assertion(req: Cmd, dialog_mgr: DialogManager) -> Optional[Cmd]:
|
|||||||
if cred.rp_id is None:
|
if cred.rp_id is None:
|
||||||
cred.rp_id = rp_id
|
cred.rp_id = rp_id
|
||||||
cred_list.append(cred)
|
cred_list.append(cred)
|
||||||
|
resident = False
|
||||||
else:
|
else:
|
||||||
# Allow list is empty. Get resident credentials.
|
# Allow list is empty. Get resident credentials.
|
||||||
if _ALLOW_RESIDENT_CREDENTIALS:
|
if _ALLOW_RESIDENT_CREDENTIALS:
|
||||||
cred_list = get_resident_credentials(rp_id_hash)
|
cred_list = get_resident_credentials(rp_id_hash)
|
||||||
|
resident = True
|
||||||
|
|
||||||
# Sort credentials by time of creation.
|
# Sort credentials by time of creation.
|
||||||
cred_list.sort()
|
cred_list.sort()
|
||||||
@ -1461,6 +1468,7 @@ def cbor_get_assertion(req: Cmd, dialog_mgr: DialogManager) -> Optional[Cmd]:
|
|||||||
rp_id_hash,
|
rp_id_hash,
|
||||||
cred_list[0],
|
cred_list[0],
|
||||||
hmac_secret,
|
hmac_secret,
|
||||||
|
resident,
|
||||||
user_presence,
|
user_presence,
|
||||||
user_verification,
|
user_verification,
|
||||||
)
|
)
|
||||||
@ -1476,6 +1484,7 @@ def cbor_get_assertion(req: Cmd, dialog_mgr: DialogManager) -> Optional[Cmd]:
|
|||||||
client_data_hash,
|
client_data_hash,
|
||||||
cred_list,
|
cred_list,
|
||||||
hmac_secret,
|
hmac_secret,
|
||||||
|
resident,
|
||||||
user_verification,
|
user_verification,
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
@ -1536,6 +1545,7 @@ def cbor_get_assertion_sign(
|
|||||||
rp_id_hash: bytes,
|
rp_id_hash: bytes,
|
||||||
cred: Credential,
|
cred: Credential,
|
||||||
hmac_secret: Optional[dict],
|
hmac_secret: Optional[dict],
|
||||||
|
resident: bool,
|
||||||
user_presence: bool,
|
user_presence: bool,
|
||||||
user_verification: bool,
|
user_verification: bool,
|
||||||
) -> bytes:
|
) -> bytes:
|
||||||
@ -1585,7 +1595,7 @@ def cbor_get_assertion_sign(
|
|||||||
_GETASSERT_RESP_SIGNATURE: sig,
|
_GETASSERT_RESP_SIGNATURE: sig,
|
||||||
}
|
}
|
||||||
|
|
||||||
if user_presence and cred.user_id is not None:
|
if resident and user_presence and cred.user_id is not None:
|
||||||
response[_GETASSERT_RESP_USER] = {"id": cred.user_id}
|
response[_GETASSERT_RESP_USER] = {"id": cred.user_id}
|
||||||
|
|
||||||
return cbor.encode(response)
|
return cbor.encode(response)
|
||||||
|
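Review bot: In the `cbor_get_assertion` hunk at `@ -1400`, `resident` is bound only on the two branches shown — `resident = False` after `cred_list.append(cred)` and `resident = True` under `if _ALLOW_RESIDENT_CREDENTIALS:` — so a build with `_ALLOW_RESIDENT_CREDENTIALS` false and an empty allow list reaches the later `cbor_get_assertion_sign(..., resident, ...)` and `Fido2ConfirmGetAssertion(..., resident, ...)` calls with `resident` never assigned, unless the no-credentials early return outside these hunks always fires first (not visible from here). Binding it once before the `if`/`else` removes the dependence on that ordering: put `resident = False` above the allow-list branch (whose `if` header starts outside the hunk) and keep only the `resident = True` assignment in the resident path. The new `resident` parameter of `cbor_get_assertion_sign` is also undocumented; at the gating line `if resident and user_presence and cred.user_id is not None:` a comment such as `# Only credentials taken from the resident store carry the user handle back; allow-list (server-held) credentials omit it.` would record why the user entity became conditional. The same meaning should be stated for the `resident` argument added to `Fido2ConfirmGetAssertion.__init__`, which is now a positional parameter inserted before `user_verification`, so any caller outside this diff still passing positionally would shift its arguments silently.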