From 05c5b1fd0aa5ad1086e4483576d52a180c1a9db5 Mon Sep 17 00:00:00 2001 From: Robin Krahl Date: Tue, 21 Nov 2023 13:31:58 +0100 Subject: [PATCH] fido-authenticator: Add large blobs support This patch updates fido-authenticator to add support for the largeBlobKey extension and the largeBlobs command in the test configuration over USB. See the fido-authenticator PR for more information: https://github.com/Nitrokey/fido-authenticator/pull/41 --- CHANGELOG.md | 5 +++++ Cargo.lock | 10 ++++++---- Cargo.toml | 8 ++++---- components/apps/Cargo.toml | 2 +- components/apps/src/lib.rs | 19 ++++++++++++++++++- runners/embedded/src/lib.rs | 5 ++++- runners/embedded/src/types.rs | 8 +++++++- runners/usbip/src/main.rs | 4 ++++ 8 files changed, 49 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 355d0ddf4..8a16b8cc7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,12 @@ # Unreleased +### Features + - Add an SE050 driver and its tests ([#335][]) - Use SE050 entropy to bootstrap the random number generator ([#335][]) +- fido-authenticator: Implement the largeBlobKey extension and the largeBlobs command ([fido-authenticator#38][]) + +[fido-authenticator#38]: https://github.com/Nitrokey/fido-authenticator/issues/38 # 1.6.0 (2023-11-23) diff --git a/Cargo.lock b/Cargo.lock index 88d649ab0..bb555fb48 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -833,7 +833,7 @@ dependencies = [ [[package]] name = "ctap-types" version = "0.1.2" -source = "git+https://github.com/Nitrokey/ctap-types?tag=v0.1.2-nitrokey.4#702b5b5248f88091b22c46c936cb0f99425c0a61" +source = "git+https://github.com/trussed-dev/ctap-types.git?rev=7d4ad69e64ad308944c012aef5b9cfd7654d9be8#7d4ad69e64ad308944c012aef5b9cfd7654d9be8" dependencies = [ "bitflags 1.3.2", "cbor-smol", 
@@ -1178,7 +1178,7 @@ dependencies = [ [[package]] name = "fido-authenticator" version = "0.1.1" -source = "git+https://github.com/Nitrokey/fido-authenticator.git?tag=v0.1.1-nitrokey.8#f4cf88ae9e32c6da587fa87a67ea1522fbd80cb6" +source = "git+https://github.com/Nitrokey/fido-authenticator.git?rev=162ac6a2e603fb69944ff1679dced9752f0c7cf2#162ac6a2e603fb69944ff1679dced9752f0c7cf2" dependencies = [ "apdu-dispatch", "ctap-types", @@ -1190,7 +1190,9 @@ dependencies = [ "serde", "serde-indexed", "serde_cbor", + "sha2 0.10.8", "trussed", + "trussed-staging", ] [[package]] @@ -3259,7 +3261,7 @@ dependencies = [ [[package]] name = "trussed" version = "0.1.0" -source = "git+https://github.com/trussed-dev/trussed.git?rev=d97c64d0bc5f83ce22b0e0ed034a2b451616b3f9#d97c64d0bc5f83ce22b0e0ed034a2b451616b3f9" +source = "git+https://github.com/trussed-dev/trussed.git?rev=b1781805a2e33615d2d00b8bec80c0b1f5870ca1#b1781805a2e33615d2d00b8bec80c0b1f5870ca1" dependencies = [ "aes", "bitflags 2.4.1", @@ -3347,7 +3349,7 @@ dependencies = [ [[package]] name = "trussed-staging" version = "0.1.0" -source = "git+https://github.com/nitrokey/trussed-staging.git?tag=v0.1.0-nitrokey-hmac256p256.1#cec6260499a246d6ede687ea8ca2a97667295a23" +source = "git+https://github.com/Nitrokey/trussed-staging.git?branch=hmacsha256p256-chunked#a21f11a95254dee81c6534a1260b1318bfac87b5" dependencies = [ "chacha20poly1305", "delog", diff --git a/Cargo.toml b/Cargo.toml index 7ed97ccdf..908f047f7 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -13,17 +13,17 @@ version = "1.6.0" [patch.crates-io] # forked admin-app = { git = "https://github.com/Nitrokey/admin-app.git", tag = "v0.1.0-nitrokey.7" } -ctap-types = { git = "https://github.com/Nitrokey/ctap-types", tag = "v0.1.2-nitrokey.4" } -fido-authenticator = { git = "https://github.com/Nitrokey/fido-authenticator.git", tag = "v0.1.1-nitrokey.8" } +fido-authenticator = { git = "https://github.com/Nitrokey/fido-authenticator.git", rev = "162ac6a2e603fb69944ff1679dced9752f0c7cf2" } flexiber = { git = "https://github.com/Nitrokey/flexiber", tag = "0.1.1.nitrokey" } lpc55-hal = { git = "https://github.com/Nitrokey/lpc55-hal", tag = "v0.3.0-nitrokey.2" } serde-indexed = { git = "https://github.com/nitrokey/serde-indexed.git", tag = "v0.1.0-nitrokey.2" } # unreleased upstream changes apdu-dispatch = { git = "https://github.com/Nitrokey/apdu-dispatch.git", tag = "v0.1.2-nitrokey.2" } +ctap-types = { git = "https://github.com/trussed-dev/ctap-types.git", rev = "7d4ad69e64ad308944c012aef5b9cfd7654d9be8" } ctaphid-dispatch = { git = "https://github.com/Nitrokey/ctaphid-dispatch.git", tag = "v0.1.1-nitrokey.3" } iso7816 = { git = "https://github.com/Nitrokey/iso7816.git", tag = "v0.1.1-nitrokey.2"} -trussed = { git = "https://github.com/trussed-dev/trussed.git", rev = "d97c64d0bc5f83ce22b0e0ed034a2b451616b3f9" } +trussed = { git = "https://github.com/trussed-dev/trussed.git", rev = "b1781805a2e33615d2d00b8bec80c0b1f5870ca1" } usbd-ctaphid = { git = "https://github.com/Nitrokey/usbd-ctaphid.git", tag = "v0.1.0-nitrokey.2" } usbd-ccid = { git = "https://github.com/Nitrokey/usbd-ccid", tag = "v0.2.0-nitrokey.1" } littlefs2 = { git = "https://github.com/trussed-dev/littlefs2", rev = "e6c46e7ba5ae19129e457a2182e40a439c0322fe" } 
@@ -36,7 +36,7 @@ piv-authenticator = { git = "https://github.com/Nitrokey/piv-authenticator", tag se05x = { git = "https://github.com/Nitrokey/se05x.git", tag = "v0.1.0"} trussed-auth = { git = "https://github.com/trussed-dev/trussed-auth", rev = "62235294bd63977bbb88eb01e7ac44b8010eb450" } trussed-rsa-alloc = { git = "https://github.com/trussed-dev/trussed-rsa-backend.git", rev = "2f51478f0861ff8db19fdd5290f023ab6f4c2fb9" } -trussed-staging = { git = "https://github.com/nitrokey/trussed-staging.git", tag = "v0.1.0-nitrokey-hmac256p256.1" } +trussed-staging = { git = "https://github.com/Nitrokey/trussed-staging.git", branch = "hmacsha256p256-chunked" } trussed-usbip = { git = "https://github.com/Nitrokey/pc-usbip-runner.git", tag = "v0.0.1-nitrokey.3" } trussed-se050-backend = { git = "https://github.com/Nitrokey/trussed-se050-backend.git", tag = "v0.1.0-test-driver" } diff --git a/components/apps/Cargo.toml b/components/apps/Cargo.toml index 0c02bd62f..5fc06ae86 100644 --- a/components/apps/Cargo.toml +++ b/components/apps/Cargo.toml @@ -21,7 +21,7 @@ trussed-staging = { version = "0.1.0", features = ["wrap-key-to-file", "chunked" # apps admin-app = "0.1.0" -fido-authenticator = { version = "0.1.1", features = ["dispatch"], optional = true } +fido-authenticator = { version = "0.1.1", features = ["chunked", "dispatch"], optional = true } ndef-app = { path = "../ndef-app", optional = true } webcrypt = { version = "0.8.0", optional = true } secrets-app = { version = "0.13.0", features = ["apdu-dispatch", "ctaphid"], optional = true } diff --git a/components/apps/src/lib.rs b/components/apps/src/lib.rs index 4248ef6b7..68300e369 100644 --- a/components/apps/src/lib.rs +++ b/components/apps/src/lib.rs @@ -95,6 +95,7 @@ pub trait Runner { type Se050Timer: 'static; fn uuid(&self) -> [u8; 16]; + fn is_efs_available(&self) -> bool; } pub struct Data { 
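Review bot: The `trussed-staging` patch entry on the new side follows a branch (`branch = "hmacsha256p256-chunked"`) where it previously followed a tag, so it is the only entry in this block that is a mutable reference: a `cargo update` moves it to whatever the branch head is at that moment, while every neighbouring entry is fixed by `tag` or `rev`. Cargo.lock does record the resolved commit, so builds stay reproducible as long as the lockfile is honoured, but the manifest itself no longer states which revision was reviewed. Pinning it like the other entries, `trussed-staging = { git = "https://github.com/Nitrokey/trussed-staging.git", rev = "a21f11a95254dee81c6534a1260b1318bfac87b5" }`, or at least a comment naming the commit the branch is expected to be at, would make the intent explicit.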
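Review bot: The new `fn is_efs_available(&self) -> bool;` on the `Runner` trait carries no doc comment, although it now decides whether `FidoApp` configures storage on the external filesystem, and the two implementors answer it differently (the embedded runner derives it from the power source, the usbip runner returns `true`). A doc comment such as `/// Whether the external filesystem (EFS) can be used for storage; the embedded runner reports false while the device is NFC-powered.` would state the contract where implementors see it. The `Runner` trait definition starts before this hunk.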
@@ -451,12 +452,20 @@ impl App for FidoApp { type Data = (); type Config = FidoConfig; - fn with_client(_runner: &R, trussed: Client, _: (), config: &Self::Config) -> Self { + fn with_client(runner: &R, trussed: Client, _: (), config: &Self::Config) -> Self { let skip_up_timeout = if config.disable_skip_up_timeout { None } else { Some(core::time::Duration::from_secs(2)) }; + let large_blobs = if cfg!(feature = "test") && runner.is_efs_available() { + Some(fido_authenticator::LargeBlobsConfig { + location: Location::External, + max_size: 4096, + }) + } else { + None + }; fido_authenticator::Authenticator::new( trussed, fido_authenticator::Conforming {}, @@ -464,6 +473,7 @@ impl App for FidoApp { max_msg_size: usbd_ctaphid::constants::MESSAGE_SIZE, skip_up_timeout, max_resident_credential_count: Some(10), + large_blobs, }, ) } @@ -471,6 +481,13 @@ impl App for FidoApp { static INTERRUPT: InterruptFlag = InterruptFlag::new(); Some(&INTERRUPT) } + + fn backends(_runner: &R, _config: &Self::Config) -> &'static [BackendId] { + &[ + BackendId::Custom(Backend::Staging), + BackendId::Core, + ] + } } #[cfg(feature = "webcrypt")] diff --git a/runners/embedded/src/lib.rs b/runners/embedded/src/lib.rs index 56741e274..df442da97 100644 --- a/runners/embedded/src/lib.rs +++ b/runners/embedded/src/lib.rs @@ -275,13 +275,16 @@ pub fn init_apps( } }; + let runner = types::Runner { + is_efs_available: !nfc_powered, + }; let data = apps::Data { admin, #[cfg(feature = "provisioner")] provisioner, _marker: Default::default(), }; - types::Apps::with_service(&types::Runner, trussed, data) + types::Apps::with_service(&runner, trussed, data) } #[cfg(feature = "se050")] diff --git a/runners/embedded/src/types.rs b/runners/embedded/src/types.rs index 1ddacebbe..f79b8e525 100644 --- a/runners/embedded/src/types.rs +++ b/runners/embedded/src/types.rs 
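Review bot: `max_size: 4096` in the new `LargeBlobsConfig` is an unexplained constant, and the condition `cfg!(feature = "test") && runner.is_efs_available()` is the only place where the test-only, EFS-dependent scope of the feature is expressed. A comment above `let large_blobs`, e.g. `// Test builds only: large blobs are stored on the external filesystem, so they are disabled when the EFS is unavailable (NFC power); 4096 presumably bounds the space a client may store — confirm against the spec limit.`, would record both decisions, and the size would read better as a named constant alongside the other limits passed to `Authenticator::new` such as `max_resident_credential_count`. The body of `with_client` continues outside this hunk.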
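Review bot: `is_efs_available: !nfc_powered` in the new `types::Runner` literal encodes a policy without stating the reason, and this is the single point that decides whether EFS-backed features are offered on the device. A comment such as `// No external filesystem while NFC-powered — presumably the external flash cannot be relied on within the NFC power budget; confirm.` would keep the rationale next to the decision. `init_apps` begins before this hunk.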
@@ -69,7 +69,9 @@ pub trait Soc { fn device_uuid() -> &'static Self::UUID; } -pub struct Runner; +pub struct Runner { + pub is_efs_available: bool, +} impl apps::Runner for Runner { type Syscall = RunnerSyscall; @@ -83,6 +85,10 @@ impl apps::Runner for Runner { fn uuid(&self) -> [u8; 16] { *::device_uuid() } + + fn is_efs_available(&self) -> bool { + self.is_efs_available + } } // 8KB of RAM diff --git a/runners/usbip/src/main.rs b/runners/usbip/src/main.rs index 2c15395dd..32a636ac2 100644 --- a/runners/usbip/src/main.rs +++ b/runners/usbip/src/main.rs @@ -120,6 +120,10 @@ impl apps::Runner for Runner { fn uuid(&self) -> [u8; 16] { self.serial } + + fn is_efs_available(&self) -> bool { + true + } } fn main() {
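Review bot: The new public field `pub is_efs_available: bool` on `Runner` is undocumented, yet it is the value every EFS-dependent decision in the apps layer reads, and it is only populated by `init_apps` in runners/embedded/src/lib.rs. A doc comment above the field, `/// Whether the external filesystem can be used; set to false when the device is NFC-powered.`, would document the invariant for anyone constructing a `Runner` elsewhere. The usbip hunk on this line returns `true` unconditionally, which looks intended for a host-side runner but could say so: `// Host-side runner: the simulated filesystem is always available.`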