From 64f371e6e5a49a4b75c0f3b699f861c9ca103732 Mon Sep 17 00:00:00 2001
From: Pol Henarejos
Date: Sun, 30 Mar 2025 18:12:59 +0200
Subject: [PATCH] Despite it is described in the spec 2.1, do not return epAtt if is false, return only when it's true. It fixes a bug with Firefox and Linux that blocked the possibility to make credentials. Fixes #129.
Signed-off-by: Pol Henarejos
---
 src/fido/cbor_make_credential.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/fido/cbor_make_credential.c b/src/fido/cbor_make_credential.c
index 35a9770..8ccc301 100644
--- a/src/fido/cbor_make_credential.c
+++ b/src/fido/cbor_make_credential.c
@@ -502,7 +502,14 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
 }
 cbor_encoder_init(&encoder, ctap_resp->init.data + 1, CTAP_MAX_CBOR_PAYLOAD, 0);
- CBOR_CHECK(cbor_encoder_create_map(&encoder, &mapEncoder, extensions.largeBlobKey == ptrue && options.rk == ptrue ? 5 : 4));
+ uint8_t lparams = 3;
+ if (enterpriseAttestation == 2) {
+ lparams++;
+ }
+ if (extensions.largeBlobKey == ptrue && options.rk == ptrue) {
+ lparams++;
+ }
+ CBOR_CHECK(cbor_encoder_create_map(&encoder, &mapEncoder, lparams));
 CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x01));
 CBOR_CHECK(cbor_encode_text_stringz(&mapEncoder, "packed"));
@@ -531,8 +538,10 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
 }
 CBOR_CHECK(cbor_encoder_close_container(&mapEncoder, &mapEncoder2));
- CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x04));
- CBOR_CHECK(cbor_encode_boolean(&mapEncoder, enterpriseAttestation == 2));
+ if (enterpriseAttestation == 2) {
+ CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x04));
+ CBOR_CHECK(cbor_encode_boolean(&mapEncoder, true));
+ }
 if (extensions.largeBlobKey == ptrue && options.rk == ptrue) {
 CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x05));
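Review bot: The declared map length in `lparams` is derived from two conditions that are written out a second time further down in cbor_make_credential, where keys 0x04 and 0x05 are actually emitted, so the count and the emitted pairs can drift apart on a later edit. A mismatch would presumably surface only as an encoder error or a malformed response at runtime, in code outside this hunk. Evaluating each condition once and reusing it for both the count and the emission keeps them tied together: `const bool ep_att = enterpriseAttestation == 2;`, `const bool with_lbk = extensions.largeBlobKey == ptrue && options.rk == ptrue;`, `uint8_t lparams = 3 + ep_att + with_lbk;`. The bare `3` also deserves a short comment naming the always-present keys. Only 0x01 is visible here, so the other two are presumably 0x02 and 0x03.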
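Review bot: The new `if (enterpriseAttestation == 2)` guard around key 0x04 has no comment explaining why epAtt is omitted rather than sent as false, so a later maintainer reading the spec could restore the old behaviour and reintroduce the Firefox/Linux failure. I would add above the guard `/* epAtt (0x04) is sent only when true; omitting it when false departs from the CTAP 2.1 text but is required for Firefox on Linux, see #129 */`. The literal `2` is also unexplained in both hunks. It looks like a request-mode value, and a named constant would make clear which enterprise attestation mode sets the flag. Since epAtt tells the relying party that the attestation may carry identifying information, please confirm the guard matches the condition that selects the enterprise attestation statement, which lies outside this hunk.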