Add largeBlobKey to stripped credential

If a resident credential is passed in the allowlist, we don’t deserialize the full credential. This means that we previously did not have access to the largeBlobKey in that case. Therefore, this patch adds the largeBlobKey to the StrippedCredential so that we can always access it. The downside is that this inceases the size of the credential ID. So a better alternative would be to load the full credential from the filesystem instead.
Nitrokey · Nov 28, 2023 · 019a5d1 · 019a5d1
1 parent aa9bb35
commit 019a5d1
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 4 deletions.
diff --git a/src/credential.rs b/src/credential.rs
@@ -450,6 +450,9 @@ pub struct StrippedCredential {
     pub hmac_secret: Option<bool>,
     #[serde(skip_serializing_if = "Option::is_none")]
     pub cred_protect: Option<CredentialProtectionPolicy>,
+    // TODO: HACK -- remove
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub large_blob_key: Option<Bytes<32>>,
 }
 
 impl StrippedCredential {
@@ -484,6 +487,7 @@ impl From<&FullCredential> for StrippedCredential {
             nonce: credential.nonce.clone(),
             hmac_secret: credential.data.hmac_secret,
             cred_protect: credential.data.cred_protect,
+            large_blob_key: credential.data.large_blob_key.clone(),
         }
     }
 }

diff --git a/src/ctap1.rs b/src/ctap1.rs
@@ -90,6 +90,7 @@ impl<UP: UserPresence, T: TrussedRequirements> Authenticator for crate::Authenti
             nonce,
             hmac_secret: None,
             cred_protect: None,
+            large_blob_key: None,
         };
 
         // info!("made credential {:?}", &credential);

diff --git a/src/ctap2.rs b/src/ctap2.rs
@@ -1652,7 +1652,7 @@ impl<UP: UserPresence, T: TrussedRequirements> crate::Authenticator<UP, T> {
 
         // User with empty IDs are ignored for compatibility
         if is_rk {
-            if let Credential::Full(credential) = credential {
+            if let Credential::Full(credential) = &credential {
                 if !credential.user.id.is_empty() {
                     let mut user = credential.user.clone();
                     // User identifiable information (name, DisplayName, icon) MUST not
@@ -1665,10 +1665,14 @@ impl<UP: UserPresence, T: TrussedRequirements> crate::Authenticator<UP, T> {
                     }
                     response.user = Some(user);
                 }
+            }
 
-                if large_blob_key_requested {
-                    response.large_blob_key = credential.large_blob_key.clone();
-                }
+            if large_blob_key_requested {
+                debug!("Sending largeBlobKey in getAssertion");
+                response.large_blob_key = match credential {
+                    Credential::Stripped(stripped) => stripped.large_blob_key,
+                    Credential::Full(full) => full.data.large_blob_key,
+                };
             }
         }