Add compatibility of old resident key system with the new one.

Related to #184. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2025-12-18 09:30:04 +08:00 · 2025-09-06 19:14:27 +02:00
parent 1ac628d241
commit 56d5c61044
5 changed files with 14 additions and 5 deletions
--- a/src/fido/cbor_cred_mgmt.c
+++ b/src/fido/cbor_cred_mgmt.c
@@ -259,7 +259,7 @@ int cbor_cred_mgmt(const uint8_t *data, size_t len) {
        }

        Credential cred = { 0 };
-        if (credential_load(file_get_data(cred_ef) + 32 + CRED_RESIDENT_LEN, file_get_size(cred_ef) - 32 - CRED_RESIDENT_LEN, rpIdHash.data, &cred) != 0) {
+        if (credential_load_resident(cred_ef, rpIdHash.data, &cred) != 0) {
            CBOR_ERROR(CTAP2_ERR_NOT_ALLOWED);
        }

@@ -419,7 +419,7 @@ int cbor_cred_mgmt(const uint8_t *data, size_t len) {
            if (file_has_data(ef) && memcmp(file_get_data(ef) + 32, credentialId.id.data, CRED_RESIDENT_LEN) == 0) {
                Credential cred = { 0 };
                uint8_t *rp_id_hash = file_get_data(ef);
-                if (credential_load(rp_id_hash + 32 + CRED_RESIDENT_LEN, file_get_size(ef) - 32 - CRED_RESIDENT_LEN, rp_id_hash, &cred) != 0) {
+                if (credential_load_resident(ef, rp_id_hash, &cred) != 0) {
                    CBOR_ERROR(CTAP2_ERR_NOT_ALLOWED);
                }
                if (memcmp(user.id.data, cred.userId.data, MIN(user.id.len, cred.userId.len)) != 0) {
--- a/src/fido/cbor_get_assertion.c
+++ b/src/fido/cbor_get_assertion.c
@@ -302,7 +302,7 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
                            continue;
                        }
                        if (memcmp(file_get_data(ef) + 32, allowList[e].id.data, CRED_RESIDENT_LEN) == 0) {
-                            if (credential_load(file_get_data(ef) + 32 + CRED_RESIDENT_LEN, file_get_size(ef) - 32 - CRED_RESIDENT_LEN, rp_id_hash, &creds[creds_len]) != 0) {
+                            if (credential_load_resident(ef, rp_id_hash, &creds[creds_len]) != 0) {
                                // Should never happen
                                credential_free(&creds[creds_len]);
                                continue;
@@ -347,7 +347,7 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
                if (!file_has_data(ef) || memcmp(file_get_data(ef), rp_id_hash, 32) != 0) {
                    continue;
                }
-                int ret = credential_load(file_get_data(ef) + 32 + CRED_RESIDENT_LEN, file_get_size(ef) - 32 - CRED_RESIDENT_LEN, rp_id_hash, &creds[creds_len]);
+                int ret = credential_load_resident(ef, rp_id_hash, &creds[creds_len]);
                if (ret != 0) {
                    credential_free(&creds[creds_len]);
                }
--- a/src/fido/cbor_make_credential.c
+++ b/src/fido/cbor_make_credential.c
@@ -355,7 +355,7 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
                }
                uint8_t *cred_idr = file_get_data(ef_cred) + 32;
                if (memcmp(cred_idr, excludeList[e].id.data, CRED_RESIDENT_LEN) == 0) {
-                    if (credential_load(file_get_data(ef_cred) + 32 + CRED_RESIDENT_LEN, file_get_size(ef_cred) - 32 - CRED_RESIDENT_LEN, rp_id_hash, &ecred) == 0 && (ecred.extensions.credProtect != CRED_PROT_UV_REQUIRED || (flags & FIDO2_AUT_FLAG_UV))) {
+                    if (credential_load_resident(ef_cred, rp_id_hash, &ecred) == 0 && (ecred.extensions.credProtect != CRED_PROT_UV_REQUIRED || (flags & FIDO2_AUT_FLAG_UV))) {
                        credential_free(&ecred);
                        CBOR_ERROR(CTAP2_ERR_CREDENTIAL_EXCLUDED);
                    }
--- a/src/fido/credential.c
+++ b/src/fido/credential.c
@@ -440,3 +440,10 @@ int credential_derive_resident(const uint8_t *cred_id, size_t cred_id_len, uint8
 bool credential_is_resident(const uint8_t *cred_id, size_t cred_id_len) {
    return memcmp(cred_id, CRED_PROTO_RESIDENT, CRED_PROTO_RESIDENT_LEN) == 0;
 }
+
+int credential_load_resident(const file_t *ef, const uint8_t *rp_id_hash, Credential *cred) {
+    if (credential_is_resident(file_get_data(ef) + 32, file_get_size(ef) - 32)) {
+        return credential_load(file_get_data(ef) + 32 + CRED_RESIDENT_LEN, file_get_size(ef) - 32 - CRED_RESIDENT_LEN, rp_id_hash, cred);
+    }
+    return credential_load(file_get_data(ef) + 32, file_get_size(ef) - 32, rp_id_hash, cred);
+}
--- a/src/fido/credential.h
+++ b/src/fido/credential.h
@@ -19,6 +19,7 @@
 #define _CREDENTIAL_H_

 #include "ctap2_cbor.h"
+#include "file.h"

 typedef struct CredOptions {
    const bool *rk;
@@ -102,5 +103,6 @@ extern int credential_derive_large_blob_key(const uint8_t *cred_id,
                                            uint8_t *outk);
 extern int credential_derive_resident(const uint8_t *cred_id, size_t cred_id_len, uint8_t *outk);
 extern bool credential_is_resident(const uint8_t *cred_id, size_t cred_id_len);
+extern int credential_load_resident(const file_t *ef, const uint8_t *rp_id_hash, Credential *cred);

 #endif // _CREDENTIAL_H_