Despite it is described in the spec 2.1, do not return epAtt if is false, return only when it's true. It fixes a bug with Firefox and Linux that blocked the possibility to make credentials.

Fixes #129. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2025-12-19 02:48:04 +08:00 · 2025-03-30 18:12:59 +02:00
parent fdd4afb993
commit 64f371e6e5
1 changed files with 12 additions and 3 deletions
--- a/src/fido/cbor_make_credential.c
+++ b/src/fido/cbor_make_credential.c
@@ -502,7 +502,14 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
    }

    cbor_encoder_init(&encoder, ctap_resp->init.data + 1, CTAP_MAX_CBOR_PAYLOAD, 0);
-    CBOR_CHECK(cbor_encoder_create_map(&encoder, &mapEncoder, extensions.largeBlobKey == ptrue && options.rk == ptrue ? 5 : 4));
+    uint8_t lparams = 3;
+    if (enterpriseAttestation == 2) {
+        lparams++;
+    }
+    if (extensions.largeBlobKey == ptrue && options.rk == ptrue) {
+        lparams++;
+    }
+    CBOR_CHECK(cbor_encoder_create_map(&encoder, &mapEncoder, lparams));

    CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x01));
    CBOR_CHECK(cbor_encode_text_stringz(&mapEncoder, "packed"));
@@ -531,8 +538,10 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
    }
    CBOR_CHECK(cbor_encoder_close_container(&mapEncoder, &mapEncoder2));

+    if (enterpriseAttestation == 2) {
        CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x04));
-    CBOR_CHECK(cbor_encode_boolean(&mapEncoder, enterpriseAttestation == 2));
+        CBOR_CHECK(cbor_encode_boolean(&mapEncoder, true));
+    }

    if (extensions.largeBlobKey == ptrue && options.rk == ptrue) {
        CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x05));