Arduino/pico-fido
1
0
Fork 1
mirror of https://github.com/polhenarejos/pico-fido.git synced 2025-12-18 09:30:04 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
5da2af2c348072c5b667731fcc009d371395d15a
pico-fido/src/fido/cbor_make_credential.c

228 lines
8.7 KiB
C
Raw Normal View History

Refactor CTAP2 file structure. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2022-09-15 14:16:12 +02:00
/*
* This file is part of the Pico FIDO distribution (https://github.com/polhenarejos/pico-fido).
* Copyright (c) 2022 Pol Henarejos.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 3.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "ctap2_cbor.h"
#include "cbor_make_credential.h"
#include "fido.h"
#include "ctap.h"
#include "files.h"
bool credential_verify(CborByteString *cred_id, const uint8_t *rp_id_hash) {
if (cred_id->len < 4+12+16)
return false;
size_t cipher_len = cred_id->len - (4 + 12 + 16);
uint8_t key[32], *iv = cred_id->data + 4, *cipher = cred_id->data + 4 + 12, *tag = cred_id->data - 16, *data = (uint8_t *)calloc(1, cipher_len);
memset(key, 0, sizeof(key));
mbedtls_chachapoly_context chatx;
mbedtls_chachapoly_init(&chatx);
mbedtls_chachapoly_setkey(&chatx, key);
int ret = mbedtls_chachapoly_auth_decrypt(&chatx, cred_id->len - (4 + 12 + 16), iv, rp_id_hash, 32, tag, cipher, data);
free(data);
if (ret == 0)
return true;
return false;
}
int verify(CborByteString *clientDataHash, CborByteString *pinUvAuthParam) {
return CborNoError;
}
int cbor_make_credential(const uint8_t *data, size_t len) {
CborParser parser;
CborValue map;
CborError error = CborNoError;
CborByteString clientDataHash = {0}, pinUvAuthParam = {0};
PublicKeyCredentialRpEntity rp = {0};
PublicKeyCredentialUserEntity user = {0};
PublicKeyCredentialParameters pubKeyCredParams[16] = {0};
size_t pubKeyCredParams_len = 0;
PublicKeyCredentialDescriptor excludeList[16] = {0};
size_t excludeList_len = 0;
CredOptions options = {0};
uint64_t pinUvAuthProtocol = 0, enterpriseAttestation = 0;
CBOR_CHECK(cbor_parser_init(data, len, 0, &parser, &map));
CBOR_PARSE_MAP_START(map, 1) {
uint64_t val_u = 0;
CBOR_FIELD_GET_UINT(val_u, 1);
if (val_u == 0x01) { // clientDataHash
CBOR_FIELD_GET_BYTES(clientDataHash, 1);
}
else if (val_u == 0x02) { // rp
CBOR_PARSE_MAP_START(_f1, 2) {
CBOR_FIELD_GET_KEY_TEXT(2);
CBOR_FIELD_KEY_TEXT_VAL_TEXT(2, "id", rp.id);
CBOR_FIELD_KEY_TEXT_VAL_TEXT(2, "name", rp.parent.name);
}
CBOR_PARSE_MAP_END(_f1, 2);
}
else if (val_u == 0x03) { // user
CBOR_PARSE_MAP_START(_f1, 2) {
CBOR_FIELD_GET_KEY_TEXT(2);
CBOR_FIELD_KEY_TEXT_VAL_BYTES(2, "id", user.id);
CBOR_FIELD_KEY_TEXT_VAL_TEXT(2, "name", user.parent.name);
CBOR_FIELD_KEY_TEXT_VAL_TEXT(2, "displayName", user.displayName);
}
CBOR_PARSE_MAP_END(_f1, 2);
}
else if (val_u == 0x04) { // pubKeyCredParams
CBOR_PARSE_ARRAY_START(_f1, 2) {
PublicKeyCredentialParameters *pk = &pubKeyCredParams[pubKeyCredParams_len];
CBOR_PARSE_MAP_START(_f2, 3) {
CBOR_FIELD_GET_KEY_TEXT(3);
CBOR_FIELD_KEY_TEXT_VAL_TEXT(3, "type", pk->type);
CBOR_FIELD_KEY_TEXT_VAL_INT(3, "alg", pk->alg);
}
CBOR_PARSE_MAP_END(_f2, 3);
pubKeyCredParams_len++;
}
CBOR_PARSE_ARRAY_END(_f1, 2);
}
else if (val_u == 0x05) { // excludeList
CBOR_PARSE_ARRAY_START(_f1, 2) {
PublicKeyCredentialDescriptor *pc = &excludeList[excludeList_len];
CBOR_PARSE_MAP_START(_f1, 3) {
CBOR_FIELD_GET_KEY_TEXT(3);
CBOR_FIELD_KEY_TEXT_VAL_BYTES(3, "id", pc->id);
CBOR_FIELD_KEY_TEXT_VAL_TEXT(3, "type", pc->type);
if (strcmp(_fd3, "transports") == 0) {
CBOR_PARSE_ARRAY_START(_f2, 4) {
CBOR_FIELD_GET_TEXT(pc->transports[pc->transports_len], 4);
pc->transports_len++;
}
CBOR_PARSE_ARRAY_END(_f2, 4);
}
}
CBOR_PARSE_MAP_END(_f1, 3);
excludeList_len++;
}
CBOR_PARSE_ARRAY_END(_f1, 2);
}
else if (val_u == 0x06) { // extensions
CBOR_ADVANCE(1);
}
else if (val_u == 0x07) { // options
options.present = true;
CBOR_PARSE_MAP_START(_f1, 2) {
CBOR_FIELD_GET_KEY_TEXT(2);
CBOR_FIELD_KEY_TEXT_VAL_BOOL(2, "rk", options.rk);
CBOR_FIELD_KEY_TEXT_VAL_BOOL(2, "up", options.up);
CBOR_FIELD_KEY_TEXT_VAL_BOOL(2, "uv", options.uv);
}
CBOR_PARSE_MAP_END(_f1, 2);
}
else if (val_u == 0x08) { // pinUvAuthParam
CBOR_FIELD_GET_BYTES(pinUvAuthParam, 1);
}
else if (val_u == 0x09) { // pinUvAuthProtocol
CBOR_FIELD_GET_UINT(pinUvAuthProtocol, 1);
}
else if (val_u == 0x0A) { // enterpriseAttestation
CBOR_FIELD_GET_UINT(enterpriseAttestation, 1);
}
}
CBOR_PARSE_MAP_END(map, 1);
uint8_t rp_id_hash[32];
mbedtls_sha256((uint8_t *)rp.id.data, rp.id.len, rp_id_hash, 0);
for (int i = 0; i < pubKeyCredParams_len; i++) {
if (strcmp(pubKeyCredParams[i].type.data, "public-key") != 0)
continue;
if (pubKeyCredParams[i].alg != FIDO2_ALG_ES256 && pubKeyCredParams[i].alg != FIDO2_ALG_ES384 && pubKeyCredParams[i].alg != FIDO2_ALG_ES512)
CBOR_ERROR(CTAP2_ERR_UNSUPPORTED_ALGORITHM);
}
if (pinUvAuthParam.len == 0 || pinUvAuthParam.data == NULL) {
if (wait_button_pressed() == true)
CBOR_ERROR(CTAP2_ERR_OPERATION_DENIED);
if (!file_has_data(ef_pin))
CBOR_ERROR(CTAP2_ERR_PIN_NOT_SET);
else
CBOR_ERROR(CTAP2_ERR_PIN_INVALID);
}
else if (pinUvAuthParam.present == true) {
if (pinUvAuthProtocol == 0)
CBOR_ERROR(CTAP2_ERR_MISSING_PARAMETER);
if (pinUvAuthProtocol != 1 && pinUvAuthProtocol != 2)
CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
}
bool *rup = pfalse;
if (options.present) {
if (options.uv == ptrue) { //5.3
CBOR_ERROR(CTAP2_ERR_INVALID_OPTION);
}
if (options.up == pfalse) { //5.6
CBOR_ERROR(CTAP2_ERR_INVALID_OPTION);
}
else if (options.up == NULL) //5.7
rup = ptrue;
}
if (pinUvAuthParam.present == false && options.uv == pfalse && file_has_data(ef_pin)) { //8.1
CBOR_ERROR(CTAP2_ERR_PUAT_REQUIRED);
}
if (enterpriseAttestation > 0) {
if (enterpriseAttestation != 1 && enterpriseAttestation != 2) { //9.2.1
CBOR_ERROR(CTAP2_ERR_INVALID_OPTION);
}
//Unfinished. See 6.1.2.9
}
if (pinUvAuthParam.present == true) { //11.1
int ret = verify(&clientDataHash, &pinUvAuthParam);
if (ret != CborNoError)
CBOR_ERROR(CTAP2_ERR_PIN_AUTH_INVALID);
//Check pinUvAuthToken permissions. See 6.1.2.11
}
for (int e = 0; e < excludeList_len; e++) { //12.1
if (strcmp(excludeList[e].type.data, "public-key") != 0)
continue;
if (credential_verify(&excludeList[e].id, rp_id_hash) == true)
CBOR_ERROR(CTAP2_ERR_CREDENTIAL_EXCLUDED);
}
if (pinUvAuthParam.present && options.up == ptrue) { //14.1
if (wait_button_pressed() == true)
CBOR_ERROR(CTAP2_ERR_OPERATION_DENIED);
rup = ptrue;
}
err:
CBOR_FREE_BYTE_STRING(clientDataHash);
CBOR_FREE_BYTE_STRING(pinUvAuthParam);
CBOR_FREE_BYTE_STRING(rp.id);
CBOR_FREE_BYTE_STRING(rp.parent.name);
CBOR_FREE_BYTE_STRING(user.id);
CBOR_FREE_BYTE_STRING(user.displayName);
CBOR_FREE_BYTE_STRING(user.parent.name);
for (int n = 0; n < pubKeyCredParams_len; n++) {
CBOR_FREE_BYTE_STRING(pubKeyCredParams[n].type);
}
for (int m = 0; m < excludeList_len; m++) {
CBOR_FREE_BYTE_STRING(excludeList[m].type);
CBOR_FREE_BYTE_STRING(excludeList[m].id);
for (int n = 0; n < excludeList[m].transports_len; n++) {
CBOR_FREE_BYTE_STRING(excludeList[m].transports[n]);
}
}
if (error != CborNoError)
return -CTAP2_ERR_INVALID_CBOR;
driver_exec_finished(1);
return 0;
}
Reference in New Issue Copy Permalink