
core/webauthn: In GetAssertion do not return user ID for server resident credentials.

This commit is contained in:
Andrew Kozlik 2019-09-23 15:48:50 +02:00
parent 4ec7e203d5
commit eaf63fff45


@ -735,6 +735,7 @@ class Fido2ConfirmGetAssertion(Fido2State, ConfirmInfo, Pageable):
client_data_hash: bytes, client_data_hash: bytes,
creds: List[Credential], creds: List[Credential],
hmac_secret: Optional[dict], hmac_secret: Optional[dict],
resident: bool,
user_verification: bool, user_verification: bool,
) -> None: ) -> None:
Fido2State.__init__(self, cid, iface) Fido2State.__init__(self, cid, iface)
@ -743,6 +744,7 @@ class Fido2ConfirmGetAssertion(Fido2State, ConfirmInfo, Pageable):
self._client_data_hash = client_data_hash self._client_data_hash = client_data_hash
self._creds = creds self._creds = creds
self._hmac_secret = hmac_secret self._hmac_secret = hmac_secret
self._resident = resident
self._user_verification = user_verification self._user_verification = user_verification
self.load_icon(self._creds[0].rp_id_hash) self.load_icon(self._creds[0].rp_id_hash)
@ -777,6 +779,7 @@ class Fido2ConfirmGetAssertion(Fido2State, ConfirmInfo, Pageable):
cred.rp_id_hash, cred.rp_id_hash,
cred, cred,
self._hmac_secret, self._hmac_secret,
self._resident,
True, True,
self._user_verification, self._user_verification,
) )
@ -804,7 +807,9 @@ class Fido2ConfirmNoCredentials(Fido2ConfirmGetAssertion):
def __init__(self, cid: int, iface: io.HID, rp_id: str) -> None: def __init__(self, cid: int, iface: io.HID, rp_id: str) -> None:
cred = Fido2Credential() cred = Fido2Credential()
cred.rp_id = rp_id cred.rp_id = rp_id
super().__init__(cid, iface, b"", [cred], {}, user_verification=False) super().__init__(
cid, iface, b"", [cred], {}, resident=False, user_verification=False
)
async def on_confirm(self) -> None: async def on_confirm(self) -> None:
cmd = cbor_error(self.cid, _ERR_NO_CREDENTIALS) cmd = cbor_error(self.cid, _ERR_NO_CREDENTIALS)
@ -1400,10 +1405,12 @@ def cbor_get_assertion(req: Cmd, dialog_mgr: DialogManager) -> Optional[Cmd]:
if cred.rp_id is None: if cred.rp_id is None:
cred.rp_id = rp_id cred.rp_id = rp_id
cred_list.append(cred) cred_list.append(cred)
resident = False
else: else:
# Allow list is empty. Get resident credentials. # Allow list is empty. Get resident credentials.
if _ALLOW_RESIDENT_CREDENTIALS: if _ALLOW_RESIDENT_CREDENTIALS:
cred_list = get_resident_credentials(rp_id_hash) cred_list = get_resident_credentials(rp_id_hash)
resident = True
# Sort credentials by time of creation. # Sort credentials by time of creation.
cred_list.sort() cred_list.sort()
@ -1461,6 +1468,7 @@ def cbor_get_assertion(req: Cmd, dialog_mgr: DialogManager) -> Optional[Cmd]:
rp_id_hash, rp_id_hash,
cred_list[0], cred_list[0],
hmac_secret, hmac_secret,
resident,
user_presence, user_presence,
user_verification, user_verification,
) )
@ -1476,6 +1484,7 @@ def cbor_get_assertion(req: Cmd, dialog_mgr: DialogManager) -> Optional[Cmd]:
client_data_hash, client_data_hash,
cred_list, cred_list,
hmac_secret, hmac_secret,
resident,
user_verification, user_verification,
) )
) )
@ -1536,6 +1545,7 @@ def cbor_get_assertion_sign(
rp_id_hash: bytes, rp_id_hash: bytes,
cred: Credential, cred: Credential,
hmac_secret: Optional[dict], hmac_secret: Optional[dict],
resident: bool,
user_presence: bool, user_presence: bool,
user_verification: bool, user_verification: bool,
) -> bytes: ) -> bytes:
@ -1585,7 +1595,7 @@ def cbor_get_assertion_sign(
_GETASSERT_RESP_SIGNATURE: sig, _GETASSERT_RESP_SIGNATURE: sig,
} }
if user_presence and cred.user_id is not None: if resident and user_presence and cred.user_id is not None:
response[_GETASSERT_RESP_USER] = {"id": cred.user_id} response[_GETASSERT_RESP_USER] = {"id": cred.user_id}
return cbor.encode(response) return cbor.encode(response)
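Review bot: In the `@ -1400` hunk `resident` is bound only on the `if _ALLOW_RESIDENT_CREDENTIALS:` arm of the `else:` branch, so when that constant is false the name is still unbound when the calls in the `@ -1461` and `@ -1476` hunks are reached; this is presumably unreachable because an empty `cred_list` is diverted to `Fido2ConfirmNoCredentials` first, but since the flag now decides whether the user handle is disclosed, the default should not depend on that control flow — add `resident = False` ahead of the `if`/`else` that this `else:` belongs to (the enclosing function `cbor_get_assertion` starts outside the hunk) and keep the `resident = True` assignment as it is. The new parameter also deserves a comment next to `resident: bool,` in the `@ -1536` hunk, because a wrong value silently changes what the response reveals: `# True only when cred was loaded from this authenticator's resident credential store; the user handle is returned only in that case.` Note that `resident` is inserted positionally ahead of `user_presence`/`user_verification` in both `cbor_get_assertion_sign` and `Fido2ConfirmGetAssertion.__init__`, so any caller outside these hunks that still passes its booleans positionally would have them shifted without a type error; making `resident` keyword-only, or checking that no other call sites exist, would close that gap. The trailing lines of the `@ -1585` hunk are not visible here, so the check on `resident` was reviewed as shown.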