Merge pull request #41 from Nitrokey/large-blobs

Add support for the largeBlobKeys extension and the largeBlobs command

CHANGELOG.md

@@ -15,6 +15,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Allow three instead of two PIN retries per boot ([#35][])
 - Reduce ID length for new credentials ([#37][])
 - Update apdu-dispatch and reject calls to `select` ([#40][])
+- Implement the `largeBlobKey` extension and the `largeBlobs` command ([#38][])
 
 [#26]: https://github.com/solokeys/fido-authenticator/issues/26
 [#28]: https://github.com/solokeys/fido-authenticator/issues/28
@@ -23,6 +24,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [#35]: https://github.com/solokeys/fido-authenticator/issues/35
 [#37]: https://github.com/solokeys/fido-authenticator/issues/37
 [#40]: https://github.com/nitrokey/fido-authenticator/pull/40
+[#38]: https://github.com/Nitrokey/fido-authenticator/issues/38
 
 ## [0.1.1] - 2022-08-22
 - Fix bug that treated U2F payloads as APDU over APDU in NFC transport @conorpp

Cargo.toml

@@ -45,7 +45,7 @@ trussed = { version = "0.1", features = ["virt"] }
 features = ["dispatch"]
 
 [patch.crates-io]
-ctap-types = { git = "https://github.com/nitrokey/ctap-types.git", tag = "v0.1.2-nitrokey.4" }
+ctap-types = { git = "https://github.com/trussed-dev/ctap-types.git", rev = "785bcc52720ce2e2054ae32034a2a24c500e1043" }
 ctaphid-dispatch = { git = "https://github.com/trussed-dev/ctaphid-dispatch.git", rev = "57cb3317878a8593847595319aa03ef17c29ec5b" }
 apdu-dispatch = { git = "https://github.com/trussed-dev/apdu-dispatch.git", rev = "915fc237103fcecc29d0f0b73391f19abf6576de" }
 trussed = { git = "https://github.com/trussed-dev/trussed.git", rev = "51e68500d7601d04f884f5e95567d14b9018a6cb" }

src/credential.rs

@@ -226,6 +226,8 @@ pub struct CredentialData {
     pub hmac_secret: Option<bool>,
     #[serde(skip_serializing_if = "Option::is_none")]
     pub cred_protect: Option<CredentialProtectionPolicy>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub large_blob_key: Option<Bytes<32>>,
     // TODO: add `sig_counter: Option<CounterId>`,
     // and grant RKs a per-credential sig-counter.
 
@@ -327,6 +329,7 @@ impl FullCredential {
         timestamp: u32,
         hmac_secret: Option<bool>,
         cred_protect: Option<CredentialProtectionPolicy>,
+        large_blob_key: Option<Bytes<32>>,
         nonce: [u8; 12],
     ) -> Self {
         info!("credential for algorithm {}", algorithm);
@@ -341,6 +344,7 @@ impl FullCredential {
 
             hmac_secret,
             cred_protect,
+            large_blob_key,
 
             use_short_id: Some(true),
         };
@@ -446,6 +450,9 @@ pub struct StrippedCredential {
     pub hmac_secret: Option<bool>,
     #[serde(skip_serializing_if = "Option::is_none")]
     pub cred_protect: Option<CredentialProtectionPolicy>,
+    // TODO: HACK -- remove
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub large_blob_key: Option<Bytes<32>>,
 }
 
 impl StrippedCredential {
@@ -480,6 +487,7 @@ impl From<&FullCredential> for StrippedCredential {
             nonce: credential.nonce.clone(),
             hmac_secret: credential.data.hmac_secret,
             cred_protect: credential.data.cred_protect,
+            large_blob_key: credential.data.large_blob_key.clone(),
         }
     }
 }

src/ctap1.rs

@@ -90,6 +90,7 @@ impl<UP: UserPresence, T: TrussedRequirements> Authenticator for crate::Authenti
             nonce,
             hmac_secret: None,
             cred_protect: None,
+            large_blob_key: None,
         };
 
         // info!("made credential {:?}", &credential);