|
CDC Badge OS
Firmware for the CDC Badge v1.0 hardware security key
|
CTAP2/FIDO2 command processing and ClientPIN implementation. More...
#include "mod_fido2/ctap2.h"
#include "mod_fido2/cbor_helpers.h"
#include "mod_fido2/fido2.h"
#include "mod_fido2/fido2_storage.h"
#include "mod_fido2/fido2_common.h"
#include "mod_fido2/ctaphid.h"
#include "mod_fido2/u2f.h"
#include "cdc_log.h"
#include "cdc_core/PinManager.h"
#include "cdc_hal/ISecureElement.h"
#include <esp_system.h>
#include <esp_random.h>
#include <mbedtls/ecdsa.h>
#include <mbedtls/ecp.h>
#include <mbedtls/ecdh.h>
#include <mbedtls/md.h>
#include <mbedtls/sha256.h>
#include <mbedtls/aes.h>
#include "cdc_core/pin_storage_c.h"
#include <freertos/FreeRTOS.h>
#include <freertos/task.h>
#include <esp_attr.h>
#include <string.h>
Go to the source code of this file.
Classes | |
| struct | cdc::mod_fido2::MakeCredentialParams |
| Parsed parameters for authenticatorMakeCredential. More... | |
| struct | cdc::mod_fido2::GetAssertionParams |
| Parsed parameters for authenticatorGetAssertion. More... | |
| struct | cdc::mod_fido2::AssertionCredentials |
| Credential-selection result used to build assertion responses. More... | |
Namespaces | |
| namespace | cdc |
| namespace | cdc::mod_fido2 |
Macros | |
| #define | CTAP2_DEBUG 0 |
| Debug configuration flags (overridable via build flags). | |
| #define | CTAP2_DEBUG_COMMANDS 0 |
| #define | USER_PRESENCE_TIMEOUT_MS 30000 |
| #define | PIN_PROTOCOL_VERSION 2 |
| ClientPIN constants and state for PIN protocol support. | |
| #define | PIN_TOKEN_SIZE 32 |
| #define | PIN_RETRIES_MAX 8 |
| #define | PIN_UV_RETRIES_MAX 3 |
| #define | PIN_CMD_GET_RETRIES 0x01 |
| ClientPIN subcommand identifiers. | |
| #define | PIN_CMD_GET_KEY_AGREEMENT 0x02 |
| #define | PIN_CMD_SET_PIN 0x03 |
| #define | PIN_CMD_CHANGE_PIN 0x04 |
| #define | PIN_CMD_GET_PIN_TOKEN 0x05 |
| #define | PIN_CMD_GET_PIN_UV_TOKEN 0x09 |
| #define | PIN_PERM_MAKE_CREDENTIAL 0x01 |
| pinUvAuthToken permission flags (CTAP 2.1). | |
| #define | PIN_PERM_GET_ASSERTION 0x02 |
| #define | PIN_PERM_CRED_MGMT 0x04 |
| #define | PIN_PERM_BIO_ENROLLMENT 0x08 |
| #define | PIN_PERM_LARGE_BLOB_WRITE 0x10 |
| #define | PIN_PERM_AUTHN_CONFIG 0x20 |
| #define | CRED_MGMT_GET_CREDS_METADATA 0x01 |
| Credential management constants and enumeration state. | |
| #define | CRED_MGMT_ENUMERATE_RPS_BEGIN 0x02 |
| #define | CRED_MGMT_ENUMERATE_RPS_GET_NEXT 0x03 |
| #define | CRED_MGMT_ENUMERATE_CREDS_BEGIN 0x04 |
| #define | CRED_MGMT_ENUMERATE_CREDS_GET_NEXT 0x05 |
| #define | CRED_MGMT_DELETE_CREDENTIAL 0x06 |
| #define | CTAP2_ECP_GRP(k) |
| #define | CTAP2_ECP_Q(k) |
Functions | |
| static void | secure_random_fill (uint8_t *out, size_t len) |
| Fills a buffer with cryptographically secure random bytes. | |
| static uint8_t | build_authenticator_data (const uint8_t *rp_id_hash, uint8_t flags, uint32_t sign_count, const uint8_t *attested_cred_data, uint16_t attested_cred_len, const uint8_t *ext_data, uint16_t ext_len, uint8_t *out, uint16_t *out_len) |
| Builds raw authenticatorData structure. | |
| static int | ctap2_random (void *ctx, unsigned char *out, size_t len) |
| mbedTLS RNG callback backed by secure random source. | |
| static bool | ctap2_build_attested_cred (const uint8_t *cred_id, uint16_t cred_id_len, const uint8_t *pubkey, uint8_t curve, uint8_t *out, size_t out_size, uint16_t *out_len) |
| Builds attested credential data (AAGUID, credential ID, COSE key). | |
| static uint16_t | ctap2_build_cred_protect_extension (uint8_t level, uint8_t *out, size_t out_size) |
| Builds CBOR payload for the credProtect extension. | |
| static bool | ctap2_build_auth_data_for_cred (const uint8_t *rp_id_hash, const uint8_t *attested_cred, uint16_t attested_len, uint8_t cred_protect, uint8_t *auth_data, uint16_t *auth_data_len) |
| Builds authenticator data for makeCredential with optional credProtect extension. | |
| static uint16_t | ctap2_build_appid_extension (uint8_t *out, size_t out_size) |
| Builds CBOR payload for appid extension in assertions. | |
| static uint8_t | ctap2_build_make_credential_response_packed (const uint8_t *auth_data, uint16_t auth_data_len, const uint8_t *sig, uint8_t sig_len, const uint8_t *cert, uint16_t cert_len, uint8_t *response, uint16_t *response_len) |
| Builds packed-attestation makeCredential response CBOR payload. | |
| static bool | ctap2_generate_ephemeral_keypair (mbedtls_ecp_keypair *key, uint8_t pubkey[64]) |
| Generates ephemeral P-256 key pair and exports 64-byte X||Y public key. | |
| static bool | ctap2_sign_with_keypair (mbedtls_ecp_keypair *key, const uint8_t *msg, size_t msg_len, uint8_t *sig, size_t sig_size, size_t *sig_len) |
| Signs message using provided keypair (ECDSA over SHA-256). | |
| static bool | wait_for_user_presence (const char *rp_id, fido2_action_t action, const char *user_name) |
| Requests user-presence confirmation through platform callback. | |
| static void | encode_info_versions (cbor_writer_t *w) |
| Encodes the supported FIDO/U2F versions into the getInfo CBOR map. | |
| static void | encode_info_extensions (cbor_writer_t *w) |
| Encodes the supported CTAP extensions, sorted for CBOR canonical form. | |
| static void | encode_info_aaguid (cbor_writer_t *w) |
| Encodes the authenticator AAGUID into the getInfo CBOR map. | |
| static void | encode_info_options (cbor_writer_t *w) |
| Encodes the supported authenticator options, keys sorted by length. | |
| static void | encode_info_max_msg_size (cbor_writer_t *w) |
| Encodes the maxMsgSize entry into the getInfo CBOR map. | |
| static void | encode_info_pin_uv_auth_protocols (cbor_writer_t *w) |
| Encodes the supported pinUvAuthProtocols list. | |
| static void | encode_info_max_cred_count (cbor_writer_t *w) |
| Encodes the maxCredentialCountInList entry. | |
| static void | encode_info_max_cred_id_length (cbor_writer_t *w) |
| Encodes the maxCredentialIdLength entry. | |
| static void | encode_info_transports (cbor_writer_t *w) |
| Encodes the supported transports list. | |
| static void | encode_info_algorithms (cbor_writer_t *w) |
| Encodes the supported algorithms array (PublicKeyCredentialParameters). | |
| uint8_t | ctap2_get_info (uint8_t *response, uint16_t *response_len) |
| Handles CTAP2 authenticatorGetInfo (0x04). | |
| static bool | cdc::mod_fido2::parse_rp_map (cbor_reader_t *r, MakeCredentialParams *p) |
| Parses the RP map from a makeCredential CBOR request. | |
| static bool | cdc::mod_fido2::parse_user_map (cbor_reader_t *r, MakeCredentialParams *p) |
| Parses the user map from a makeCredential CBOR request. | |
| static bool | cdc::mod_fido2::parse_pubkey_cred_params (cbor_reader_t *r, MakeCredentialParams *p) |
| Parses pubKeyCredParams and selects a supported algorithm. | |
| static bool | cdc::mod_fido2::parse_extensions_map (cbor_reader_t *r, MakeCredentialParams *p) |
| Parses makeCredential extensions map from CBOR. | |
| static bool | cdc::mod_fido2::parse_options_map (cbor_reader_t *r, MakeCredentialParams *p) |
| Parses makeCredential options map from CBOR. | |
| static uint8_t | cdc::mod_fido2::parse_make_credential_params (const uint8_t *data, uint16_t data_len, MakeCredentialParams *p) |
| Parses complete makeCredential request map from CBOR payload. | |
| static uint8_t | cdc::mod_fido2::verify_pin_uv_auth (const MakeCredentialParams *p) |
| Verifies pinUvAuthParam for makeCredential. The recomputed MAC must be compared to the client-supplied value in constant time (a plain early-exit memcmp leaks the position of the first mismatching byte) — the comparison itself is not visible on this page, so confirm in the source. | |
| static uint8_t | cdc::mod_fido2::check_appid_exclude (const MakeCredentialParams *p) |
| Validates the appidExclude extension against existing credentials. | |
| static uint8_t | cdc::mod_fido2::handle_browser_probe (const MakeCredentialParams *p, uint8_t *response, uint16_t *response_len) |
| Handles browser probe RP IDs by returning a synthetic attested response. The cross-references show the response is built from a throw-away key pair (ctap2_generate_ephemeral_keypair) rather than from a stored credential; confirm in the source that a probe never writes to credential storage and never consumes a real credential slot. | |
| static bool | cdc::mod_fido2::is_browser_probe (const char *rp_id) |
| Detects known browser probe RP IDs. | |
| static uint8_t | cdc::mod_fido2::mc_rollback_credential (uint8_t slot, uint8_t *response, uint16_t *response_len) |
| Deletes a just-created credential and reports CTAP2_ERR_OTHER. | |
| static uint8_t | cdc::mod_fido2::create_credential_and_respond (const MakeCredentialParams *p, uint8_t curve, uint8_t *response, uint16_t *response_len) |
| Creates credential, signs attestation statement, and builds response. | |
| uint8_t | cdc::mod_fido2::ctap2_make_credential (const uint8_t *params, uint16_t params_len, uint8_t *response, uint16_t *response_len) |
| Handles CTAP2 authenticatorMakeCredential (0x01). | |
| static bool | ga_parse_allow_list_credential (cbor_reader_t *r, uint8_t *cred_id, size_t *cred_id_len) |
| Parses one allowList credential descriptor and extracts credential ID. | |
| static uint8_t | ga_parse_allow_list (cbor_reader_t *r, GetAssertionParams *p) |
| Parses getAssertion allowList (map key 0x03). | |
| static uint8_t | ga_parse_extensions (cbor_reader_t *r, GetAssertionParams *p) |
| Parses getAssertion extensions (map key 0x04). | |
| static uint8_t | ga_parse_options (cbor_reader_t *r, GetAssertionParams *p) |
| Parses getAssertion options (map key 0x05). | |
| static uint8_t | ga_parse_params (const uint8_t *params, uint16_t params_len, GetAssertionParams *p) |
| Parses complete getAssertion request map from CBOR payload. | |
| static uint8_t | ga_verify_pin_auth (const GetAssertionParams *p, bool *uv_verified) |
| Verifies getAssertion pinUvAuthParam by recomputing the pinUvAuthProtocol HMAC with the stored pinUvAuthToken (PIN_TOKEN_SIZE bytes). The comparison against the supplied MAC should be constant-time; a plain memcmp leaks timing. Not visible here — confirm in the source. | |
| static void | ga_find_credentials (GetAssertionParams *p, AssertionCredentials *creds) |
| Finds credentials matching RP/allowList and appid extension rules. | |
| static uint8_t | ga_sign_assertion (uint8_t slot, const uint8_t *auth_data, uint16_t auth_data_len, const uint8_t *client_data_hash, uint8_t *signature, uint8_t *sig_len) |
| Signs assertion message (authData || clientDataHash) for one credential slot. | |
| static uint8_t | ga_build_response (const uint8_t *cred_id, const uint8_t *auth_data, uint16_t auth_data_len, const uint8_t *signature, uint8_t sig_len, const fido2_credential_info_t *cred, bool include_user, uint8_t total_creds, uint8_t *response, uint16_t *response_len) |
| Builds CBOR response payload for getAssertion/getNextAssertion. | |
| uint8_t | ctap2_get_assertion (const uint8_t *params, uint16_t params_len, uint8_t *response, uint16_t *response_len) |
| Handles CTAP2 authenticatorGetAssertion (0x02). | |
| uint8_t | ctap2_get_next_assertion (uint8_t *response, uint16_t *response_len) |
| Handles CTAP2 authenticatorGetNextAssertion (0x08). | |
| static bool | client_pin_init_ecdh (void) |
| ClientPIN command implementation helpers. | |
| static bool | client_pin_compute_shared_secret (const uint8_t *platform_key_x, const uint8_t *platform_key_y, uint8_t pin_protocol, uint8_t *shared_secret) |
| Computes ClientPIN shared secret from platform ECDH public key. | |
| static bool | aes_256_cbc_decrypt_iv (const uint8_t *key, const uint8_t *iv, const uint8_t *input, size_t len, uint8_t *output) |
| Decrypts data using AES-256-CBC with caller-provided IV. | |
| static bool | aes_256_cbc_decrypt (const uint8_t *key, const uint8_t *input, size_t len, uint8_t *output) |
| Decrypts Protocol-1 PIN payload (AES-256-CBC with zero IV). | |
| static bool | aes_256_cbc_encrypt (const uint8_t *key, const uint8_t *input, size_t len, uint8_t *output) |
| Encrypts Protocol-1 PIN payload (AES-256-CBC with zero IV). | |
| static bool | aes_256_cbc_encrypt_p2 (const uint8_t *key, const uint8_t *input, size_t len, uint8_t *output) |
| Encrypts Protocol-2 PIN payload and prefixes random IV (IV || ciphertext). | |
| static uint8_t | client_pin_get_retries (uint8_t *response, uint16_t *response_len) |
| Handles ClientPIN subcommand getPINRetries (0x01). | |
| static uint8_t | client_pin_get_key_agreement (uint8_t *response, uint16_t *response_len) |
| Handles ClientPIN subcommand getKeyAgreement (0x02). | |
| static uint8_t | client_pin_get_pin_token (const uint8_t *params, uint16_t params_len, uint8_t *response, uint16_t *response_len) |
| Handles ClientPIN subcommand getPinToken (0x05). | |
| static uint8_t | client_pin_get_pin_uv_auth_token (const uint8_t *params, uint16_t params_len, uint8_t *response, uint16_t *response_len) |
| Handles ClientPIN subcommand getPinUvAuthTokenUsingPinWithPermissions (0x09). | |
| uint8_t | ctap2_client_pin (const uint8_t *params, uint16_t params_len, uint8_t *response, uint16_t *response_len) |
| Handles CTAP2 authenticatorClientPIN (0x06). | |
| uint8_t | ctap2_reset (uint8_t *response, uint16_t *response_len) |
| Handles CTAP2 authenticatorReset (0x07). | |
| static bool | cred_mgmt_slot_has_key (uint8_t slot) |
| Credential-management helper and command implementation. | |
| static uint8_t | cred_mgmt_count_unique_rps (void) |
| Counts unique RP IDs among resident credentials. | |
| static uint8_t | cred_mgmt_find_creds_for_rp (const uint8_t *rp_id_hash) |
| Collects resident credentials for the given RP ID hash. | |
| static bool | cred_mgmt_encode_rp (cbor_writer_t *w, uint8_t slot, bool include_total) |
| Encodes a credential-management RP response entry. | |
| static bool | cred_mgmt_encode_credential (cbor_writer_t *w, uint8_t slot, bool include_total) |
| Encodes a credential-management credential response entry. | |
| uint8_t | ctap2_cred_management (const uint8_t *params, uint16_t params_len, uint8_t *response, uint16_t *response_len) |
| Handles CTAP2 authenticatorCredentialManagement (0x0A). | |
| uint8_t | ctap2_selection (uint8_t *response, uint16_t *response_len) |
| Handles CTAP2 authenticatorSelection (0x0B). | |
| bool | ctap2_init (void) |
| Initializes CTAP2 runtime state. | |
| uint8_t | ctap2_process_command (const uint8_t *cmd, uint16_t cmd_len, uint8_t *response, uint16_t *response_len) |
| Dispatches one CTAP2 command and writes response payload. | |
| void | ctap2_send_keepalive (uint8_t status) |
| Sends CTAPHID keepalive for currently active channel. | |
| void | ctap2_cancel (void) |
| Marks current CTAP2 operation as cancelled. | |
| void | ctap2_clear_cancel (void) |
| Clears any latched cancel flag. Called at the start of a new CTAPHID channel (INIT) so a cancel from a previous channel does not abort responses on the new one. | |
| bool | ctap2_is_cancelled (void) |
| Returns true if the current CTAP2 operation has been cancelled. | |
| void | sha256 (const uint8_t *data, size_t len, uint8_t out[32]) |
| void | sha256_str (const char *str, uint8_t out[32]) |
Variables | |
| static const char * | TAG = "CTAP2" |
| static const char * | TAG_PIN = "PIN" |
| static const uint8_t | AAGUID [16] |
| Authenticator Attestation GUID for this authenticator model. | |
| static const char * | INFO_TRANSPORTS [] = {"usb"} |
| Device info strings reported by authenticatorGetInfo. | |
| struct { | |
| bool initialized | |
| bool operation_pending | |
| bool cancelled | |
| uint8_t assertion_creds [32] | |
| uint8_t assertion_count | |
| uint8_t assertion_index | |
| uint8_t assertion_rp_id_hash [32] | |
| uint8_t assertion_client_data_hash [32] | |
| bool assertion_up_done | |
| bool assertion_include_user | |
| bool assertion_appid_used | |
| } | g_ctap2 = {} |
| Global CTAP2 runtime state. assertion_creds is a fixed 32-entry slot list (as are rp_slots/cred_slots in g_cred_mgmt below); the enumeration helpers iterate up to FIDO2_MAX_CREDENTIALS, so that constant must never exceed 32 — a static_assert in the source would pin this. | |
| struct { | |
| bool initialized | |
| mbedtls_ecp_keypair ecdh_key | |
| bool ecdh_valid | |
| uint8_t pin_token [32] | |
| bool pin_token_valid | |
| uint8_t token_permissions | |
| uint8_t token_rp_id_hash [32] | |
| bool token_rp_id_set | |
| uint8_t pin_retries | |
| uint8_t uv_retries | |
| } | g_client_pin = {} |
| struct { | |
| uint8_t rp_slots [32] | |
| uint8_t rp_count | |
| uint8_t rp_index | |
| uint8_t cred_slots [32] | |
| uint8_t cred_count | |
| uint8_t cred_index | |
| uint8_t current_rp_id_hash [32] | |
| } | g_cred_mgmt = {} |
| static constexpr uint64_t | CTAP2_INFO_MAX_MSG_SIZE_VALUE = 1200 |
| Reported maximum message size for authenticatorGetInfo. | |
| static constexpr uint64_t | CTAP2_INFO_PIN_UV_AUTH_PROTOCOL_VALUE = 2 |
| Reported PIN/UV auth protocol version (Protocol Two). Note that this file also contains Protocol-One helpers (aes_256_cbc_decrypt / aes_256_cbc_encrypt with a zero IV) and the getPinToken handlers reference both sets; if Protocol One is actually accepted on the wire, getInfo should advertise both protocols, and if it is not, the Protocol-One helpers are dead code. Worth checking in the source. | |
| static constexpr uint64_t | CTAP2_INFO_MAX_CRED_LIST_COUNT_VALUE = 8 |
| Reported maxCredentialCountInList for authenticatorGetInfo. | |
CTAP2/FIDO2 command processing and ClientPIN implementation.
Definition in file ctap2.cpp.
| #define CRED_MGMT_DELETE_CREDENTIAL 0x06 |
Definition at line 126 of file ctap2.cpp.
Referenced by ctap2_cred_management().
| #define CRED_MGMT_ENUMERATE_CREDS_BEGIN 0x04 |
Definition at line 124 of file ctap2.cpp.
Referenced by ctap2_cred_management().
| #define CRED_MGMT_ENUMERATE_CREDS_GET_NEXT 0x05 |
Definition at line 125 of file ctap2.cpp.
Referenced by ctap2_cred_management().
| #define CRED_MGMT_ENUMERATE_RPS_BEGIN 0x02 |
Definition at line 122 of file ctap2.cpp.
Referenced by ctap2_cred_management().
| #define CRED_MGMT_ENUMERATE_RPS_GET_NEXT 0x03 |
Definition at line 123 of file ctap2.cpp.
Referenced by ctap2_cred_management().
| #define CRED_MGMT_GET_CREDS_METADATA 0x01 |
Credential management constants and enumeration state.
Definition at line 121 of file ctap2.cpp.
Referenced by ctap2_cred_management().
| #define CTAP2_DEBUG 0 |
| #define CTAP2_DEBUG_COMMANDS 0 |
Definition at line 41 of file ctap2.cpp.
Referenced by ctap2_cancel().
| #define CTAP2_ECP_GRP | ( | k | ) |
Referenced by ctap2_generate_ephemeral_keypair().
| #define CTAP2_ECP_Q | ( | k | ) |
Referenced by ctap2_generate_ephemeral_keypair().
| #define PIN_CMD_CHANGE_PIN 0x04 |
Definition at line 87 of file ctap2.cpp.
Referenced by ctap2_client_pin().
| #define PIN_CMD_GET_KEY_AGREEMENT 0x02 |
Definition at line 85 of file ctap2.cpp.
Referenced by ctap2_client_pin().
| #define PIN_CMD_GET_PIN_TOKEN 0x05 |
Definition at line 88 of file ctap2.cpp.
Referenced by ctap2_client_pin().
| #define PIN_CMD_GET_PIN_UV_TOKEN 0x09 |
Definition at line 89 of file ctap2.cpp.
Referenced by ctap2_client_pin().
| #define PIN_CMD_GET_RETRIES 0x01 |
ClientPIN subcommand identifiers.
Definition at line 84 of file ctap2.cpp.
Referenced by ctap2_client_pin().
| #define PIN_CMD_SET_PIN 0x03 |
Definition at line 86 of file ctap2.cpp.
Referenced by ctap2_client_pin().
| #define PIN_PERM_MAKE_CREDENTIAL 0x01 |
| #define PIN_PROTOCOL_VERSION 2 |
ClientPIN constants and state for PIN protocol support.
Definition at line 78 of file ctap2.cpp.
Referenced by ctap2_client_pin().
| #define PIN_RETRIES_MAX 8 |
Definition at line 80 of file ctap2.cpp.
Referenced by client_pin_get_pin_token(), client_pin_get_pin_uv_auth_token(), client_pin_init_ecdh(), and ctap2_client_pin().
| #define PIN_TOKEN_SIZE 32 |
Definition at line 79 of file ctap2.cpp.
Referenced by client_pin_get_pin_token(), client_pin_get_pin_uv_auth_token(), and ga_verify_pin_auth().
| #define PIN_UV_RETRIES_MAX 3 |
Definition at line 81 of file ctap2.cpp.
Referenced by client_pin_init_ecdh(), and ctap2_client_pin().
| static bool aes_256_cbc_decrypt | ( | const uint8_t *key, const uint8_t *input, size_t len, uint8_t *output | ) |
| static |
Decrypts Protocol-1 PIN payload (AES-256-CBC with zero IV). The all-zero IV is what CTAP2 PIN/UV Auth Protocol One specifies; it is tolerable only because the key is a fresh ECDH shared secret derived per key agreement. Do not reuse this helper for any other purpose — use aes_256_cbc_decrypt_iv() with a caller-supplied IV instead.
| key | 32-byte AES key. |
| input | Ciphertext buffer. |
| len | Ciphertext length in bytes. |
| output | Destination plaintext buffer. |
Definition at line 2248 of file ctap2.cpp.
References aes_256_cbc_decrypt_iv().
Referenced by client_pin_get_pin_token(), and client_pin_get_pin_uv_auth_token().
| static bool aes_256_cbc_decrypt_iv | ( | const uint8_t *key, const uint8_t *iv, const uint8_t *input, size_t len, uint8_t *output | ) |
| static |
Decrypts data using AES-256-CBC with caller-provided IV.
| key | 32-byte AES key. |
| iv | 16-byte IV. |
| input | Ciphertext buffer. |
| len | Ciphertext length in bytes. Must be a multiple of the 16-byte AES block size (CBC operates on whole blocks; mbedTLS rejects other lengths), so callers should validate the CBOR-supplied length before calling. |
| output | Destination plaintext buffer. |
Definition at line 2221 of file ctap2.cpp.
Referenced by aes_256_cbc_decrypt(), client_pin_get_pin_token(), and client_pin_get_pin_uv_auth_token().
| static bool aes_256_cbc_encrypt | ( | const uint8_t *key, const uint8_t *input, size_t len, uint8_t *output | ) |
| static |
Encrypts Protocol-1 PIN payload (AES-256-CBC with zero IV).
| key | 32-byte AES key. |
| input | Plaintext buffer. |
| len | Plaintext length in bytes. |
| output | Destination ciphertext buffer. |
Definition at line 2262 of file ctap2.cpp.
Referenced by client_pin_get_pin_token(), and client_pin_get_pin_uv_auth_token().
| static bool aes_256_cbc_encrypt_p2 | ( | const uint8_t *key, const uint8_t *input, size_t len, uint8_t *output | ) |
| static |
Encrypts Protocol-2 PIN payload and prefixes a random 16-byte IV (output = IV || ciphertext). The IV is drawn from secure_random_fill(), as Protocol Two requires; this is what distinguishes it from the zero-IV Protocol-One helper.
| key | 32-byte AES key. |
| input | Plaintext buffer. |
| len | Plaintext length in bytes. |
| output | Destination buffer (len + 16 bytes required). |
Definition at line 2288 of file ctap2.cpp.
References secure_random_fill().
Referenced by client_pin_get_pin_token(), and client_pin_get_pin_uv_auth_token().
| static uint8_t build_authenticator_data | ( | const uint8_t *rp_id_hash, uint8_t flags, uint32_t sign_count, const uint8_t *attested_cred_data, uint16_t attested_cred_len, const uint8_t *ext_data, uint16_t ext_len, uint8_t *out, uint16_t *out_len | ) |
| static |
Builds raw authenticatorData structure.
| rp_id_hash | SHA-256 hash of RP ID. |
| flags | Authenticator data flags. |
| sign_count | Signature counter value. |
| attested_cred_data | Optional attested credential block. |
| attested_cred_len | Length of attested_cred_data. |
| ext_data | Optional extension CBOR bytes. |
| ext_len | Length of ext_data. |
| out | Destination buffer. |
| out_len | Output length. |
Definition at line 466 of file ctap2.cpp.
References CTAP2_OK, flags, rp_id_hash, and sign_count.
Referenced by ctap2_build_auth_data_for_cred(), ctap2_get_assertion(), and ctap2_get_next_assertion().
| static bool client_pin_compute_shared_secret | ( | const uint8_t *platform_key_x, const uint8_t *platform_key_y, uint8_t pin_protocol, uint8_t *shared_secret | ) |
| static |
Computes ClientPIN shared secret from platform ECDH public key.
| platform_key_x | Platform public key X coordinate. |
| platform_key_y | Platform public key Y coordinate. |
| pin_protocol | PIN protocol version. |
| shared_secret | Output 32-byte shared secret. |
Definition at line 2102 of file ctap2.cpp.
References ctap2_random(), g_client_pin, LOG_D, LOG_E, LOG_I, and TAG_PIN.
Referenced by client_pin_get_pin_token(), and client_pin_get_pin_uv_auth_token().
| static uint8_t client_pin_get_key_agreement | ( | uint8_t *response, uint16_t *response_len | ) |
| static |
Handles ClientPIN subcommand getKeyAgreement (0x02).
| response | Output response buffer. |
| response_len | In/out length of response. |
Definition at line 2343 of file ctap2.cpp.
References cbor_encode_bytes(), cbor_encode_int(), cbor_encode_map(), cbor_encode_uint(), cbor_writer_init(), cbor_writer_length(), client_pin_init_ecdh(), COSE_ALG_ECDH_ES_HKDF_256, COSE_CRV_P256, COSE_KEY_LABEL_ALG, COSE_KEY_LABEL_CRV, COSE_KEY_LABEL_KTY, COSE_KEY_LABEL_X, COSE_KEY_LABEL_Y, COSE_KEY_TYPE_EC2, CTAP2_ERR_OTHER, CTAP2_OK, CTAP2_PIN_RESP_KEY_AGREEMENT, g_client_pin, LOG_I, and TAG_PIN.
Referenced by ctap2_client_pin().
| static uint8_t client_pin_get_pin_token | ( | const uint8_t *params, uint16_t params_len, uint8_t *response, uint16_t *response_len | ) |
| static |
Handles ClientPIN subcommand getPinToken (0x05).
| params | CBOR request payload. |
| params_len | Length of params. |
| response | Output response buffer. |
| response_len | In/out response length. |
Definition at line 2406 of file ctap2.cpp.
References aes_256_cbc_decrypt(), aes_256_cbc_decrypt_iv(), aes_256_cbc_encrypt(), aes_256_cbc_encrypt_p2(), cbor_encode_bytes(), cbor_encode_map(), cbor_encode_uint(), CBOR_NEGATIVE, cbor_read_bytes(), cbor_read_item(), cbor_read_map(), cbor_read_uint(), cbor_reader_init(), cbor_skip_item(), CBOR_UNSIGNED, cbor_writer_init(), cbor_writer_length(), client_pin_compute_shared_secret(), COSE_KEY_LABEL_X, COSE_KEY_LABEL_Y, CTAP2_ERR_INVALID_CBOR, CTAP2_ERR_MISSING_PARAMETER, CTAP2_ERR_OTHER, CTAP2_ERR_PIN_BLOCKED, CTAP2_ERR_PIN_INVALID, CTAP2_ERR_PIN_NOT_SET, CTAP2_OK, CTAP2_PIN_HASH_ENC, CTAP2_PIN_KEY_AGREEMENT, CTAP2_PIN_PROTOCOL, CTAP2_PIN_RESP_PIN_TOKEN, g_client_pin, LOG_D, LOG_E, LOG_I, LOG_W, PIN_RETRIES_MAX, pin_storage_fido2_available(), pin_storage_get_fido2_hash(), pin_storage_verify_fido2_hash(), PIN_TOKEN_SIZE, secure_random_fill(), sha256(), and TAG_PIN.
Referenced by ctap2_client_pin().
| static uint8_t client_pin_get_pin_uv_auth_token | ( | const uint8_t *params, uint16_t params_len, uint8_t *response, uint16_t *response_len | ) |
| static |
Handles ClientPIN subcommand getPinUvAuthTokenUsingPinWithPermissions (0x09).
| params | CBOR request payload. |
| params_len | Length of params. |
| response | Output response buffer. |
| response_len | In/out response length. |
Definition at line 2719 of file ctap2.cpp.
References aes_256_cbc_decrypt(), aes_256_cbc_decrypt_iv(), aes_256_cbc_encrypt(), aes_256_cbc_encrypt_p2(), cbor_encode_bytes(), cbor_encode_map(), cbor_encode_uint(), CBOR_NEGATIVE, cbor_read_bytes(), cbor_read_item(), cbor_read_map(), cbor_read_text(), cbor_read_uint(), cbor_reader_init(), cbor_skip_item(), CBOR_UNSIGNED, cbor_writer_init(), cbor_writer_length(), client_pin_compute_shared_secret(), COSE_KEY_LABEL_X, COSE_KEY_LABEL_Y, CTAP2_ERR_INVALID_CBOR, CTAP2_ERR_MISSING_PARAMETER, CTAP2_ERR_OTHER, CTAP2_ERR_PIN_BLOCKED, CTAP2_ERR_PIN_INVALID, CTAP2_ERR_PIN_NOT_SET, CTAP2_OK, CTAP2_PIN_HASH_ENC, CTAP2_PIN_KEY_AGREEMENT, CTAP2_PIN_PERMISSIONS, CTAP2_PIN_PERMISSIONS_RPID, CTAP2_PIN_PROTOCOL, CTAP2_PIN_RESP_PIN_TOKEN, g_client_pin, LOG_E, LOG_I, LOG_W, PIN_RETRIES_MAX, pin_storage_fido2_available(), pin_storage_verify_fido2_hash(), PIN_TOKEN_SIZE, rp_id, secure_random_fill(), sha256_str(), and TAG_PIN.
Referenced by ctap2_client_pin().
| static uint8_t client_pin_get_retries | ( | uint8_t *response, uint16_t *response_len | ) |
| static |
Handles ClientPIN subcommand getPINRetries (0x01).
| response | Output response buffer. |
| response_len | In/out length of response. |
Definition at line 2318 of file ctap2.cpp.
References cbor_encode_map(), cbor_encode_uint(), cbor_writer_init(), cbor_writer_length(), CTAP2_OK, CTAP2_PIN_RESP_PIN_RETRIES, CTAP2_PIN_RESP_UV_RETRIES, and g_client_pin.
Referenced by ctap2_client_pin().
| static bool client_pin_init_ecdh | ( | void | ) |
| static |
ClientPIN command implementation helpers.
Initializes the ClientPIN ephemeral ECDH key pair. The cross-references show this function also touches PIN_RETRIES_MAX and PIN_UV_RETRIES_MAX, and it is reachable from getKeyAgreement (0x02), which any platform can issue at will. Confirm in the source that the retry counters are seeded here only on first-time initialization and are never reset by a later key agreement — otherwise the PIN brute-force limit could be bypassed by re-running getKeyAgreement between guesses. Note also that pin_retries/uv_retries live in the RAM struct g_client_pin; if they are not additionally persisted via pin_storage, a power cycle would restore them.
Definition at line 2074 of file ctap2.cpp.
References ctap2_random(), g_client_pin, LOG_E, LOG_I, PIN_RETRIES_MAX, PIN_UV_RETRIES_MAX, and TAG_PIN.
Referenced by client_pin_get_key_agreement().
| static uint8_t cred_mgmt_count_unique_rps | ( | void | ) |
| static |
Counts unique RP IDs among resident credentials.
Definition at line 3065 of file ctap2.cpp.
References cred_mgmt_slot_has_key(), FIDO2_MAX_CREDENTIALS, fido2_storage_get_credential(), fido2_storage_is_resident(), and g_cred_mgmt.
Referenced by ctap2_cred_management().
| static bool cred_mgmt_encode_credential | ( | cbor_writer_t *w, uint8_t slot, bool include_total | ) |
| static |
Encodes a credential-management credential response entry.
| w | CBOR writer for output encoding. |
| slot | Credential slot to encode. |
| include_total | Whether to include total credential count. |
Definition at line 3159 of file ctap2.cpp.
References cbor_encode_bytes(), cbor_encode_cose_key_ed25519(), cbor_encode_cose_key_p256(), cbor_encode_map(), cbor_encode_text(), cbor_encode_uint(), CDC_CURVE_ED25519, CTAP2_CM_RESP_CRED_PROTECT, CTAP2_CM_RESP_CREDENTIAL_ID, CTAP2_CM_RESP_PUBLIC_KEY, CTAP2_CM_RESP_TOTAL_CREDENTIALS, CTAP2_CM_RESP_USER, FIDO2_CRED_ID_LEN, fido2_storage_get_cred_id(), fido2_storage_get_credential(), fido2_storage_get_pubkey(), and g_cred_mgmt.
Referenced by ctap2_cred_management().
| static bool cred_mgmt_encode_rp | ( | cbor_writer_t *w, uint8_t slot, bool include_total | ) |
| static |
Encodes a credential-management RP response entry.
| w | CBOR writer for output encoding. |
| slot | Credential slot used as RP representative. |
| include_total | Whether to include total RP count. |
Definition at line 3126 of file ctap2.cpp.
References cbor_encode_bytes(), cbor_encode_map(), cbor_encode_text(), cbor_encode_uint(), CTAP2_CM_RESP_RP, CTAP2_CM_RESP_RP_ID_HASH, CTAP2_CM_RESP_TOTAL_RPS, fido2_storage_get_credential(), and g_cred_mgmt.
Referenced by ctap2_cred_management().
| static uint8_t cred_mgmt_find_creds_for_rp | ( | const uint8_t *rp_id_hash | ) |
| static |
Collects resident credentials for the given RP ID hash.
| rp_id_hash | 32-byte RP ID hash to match. |
Definition at line 3101 of file ctap2.cpp.
References cred_mgmt_slot_has_key(), FIDO2_MAX_CREDENTIALS, fido2_storage_get_credential(), fido2_storage_is_resident(), g_cred_mgmt, and rp_id_hash.
Referenced by ctap2_cred_management().
| static bool cred_mgmt_slot_has_key | ( | uint8_t slot | ) |
| static |
Credential-management helper and command implementation.
Checks whether the slot's secure-element key material is present.
| slot | Logical slot index. |
Definition at line 3052 of file ctap2.cpp.
References fido2_storage_get_pubkey(), LOG_W, and TAG.
Referenced by cred_mgmt_count_unique_rps(), and cred_mgmt_find_creds_for_rp().
| static uint16_t ctap2_build_appid_extension | ( | uint8_t *out, size_t out_size | ) |
| static |
Builds CBOR payload for appid extension in assertions.
| out | Output buffer. |
| out_size | Size of out in bytes. |
Definition at line 294 of file ctap2.cpp.
References cbor_encode_bool(), cbor_encode_map(), cbor_encode_text(), cbor_writer_error(), cbor_writer_init(), and cbor_writer_length().
Referenced by ctap2_get_assertion(), and ctap2_get_next_assertion().
| static bool ctap2_build_attested_cred | ( | const uint8_t *cred_id, uint16_t cred_id_len, const uint8_t *pubkey, uint8_t curve, uint8_t *out, size_t out_size, uint16_t *out_len | ) |
| static |
Builds attested credential data (AAGUID, credential ID, COSE key).
| cred_id | Credential ID bytes. |
| cred_id_len | Length of cred_id. |
| pubkey | Public key bytes. |
| curve | Public-key curve identifier. |
| out | Destination buffer. |
| out_size | Capacity of out in bytes. |
| out_len | Output length of encoded structure. |
Definition at line 191 of file ctap2.cpp.
References AAGUID, cbor_encode_cose_key_ed25519(), cbor_encode_cose_key_p256(), cbor_writer_error(), cbor_writer_init(), cbor_writer_length(), CDC_CURVE_ED25519, and curve.
Referenced by cdc::mod_fido2::create_credential_and_respond(), and cdc::mod_fido2::handle_browser_probe().
| static bool ctap2_build_auth_data_for_cred | ( | const uint8_t *rp_id_hash, const uint8_t *attested_cred, uint16_t attested_len, uint8_t cred_protect, uint8_t *auth_data, uint16_t *auth_data_len | ) |
| static |
Builds authenticator data for makeCredential with optional credProtect extension.
| rp_id_hash | SHA-256 hash of RP ID. |
| attested_cred | Encoded attested credential data. |
| attested_len | Length of attested_cred. |
| cred_protect | Requested credProtect level. |
| auth_data | Destination buffer for authenticator data. |
| auth_data_len | Output length. |
Definition at line 257 of file ctap2.cpp.
References build_authenticator_data(), cred_protect, ctap2_build_cred_protect_extension(), CTAP2_OK, fido2_is_pin_verified(), flags, LOG_I, pin_verified, rp_id_hash, and TAG.
Referenced by cdc::mod_fido2::create_credential_and_respond(), and cdc::mod_fido2::handle_browser_probe().
| static uint16_t ctap2_build_cred_protect_extension | ( | uint8_t level, uint8_t *out, size_t out_size | ) |
| static |
Builds CBOR payload for the credProtect extension.
| level | Requested credProtect level. |
| out | Output buffer for CBOR bytes. |
| out_size | Size of out in bytes. |
Definition at line 234 of file ctap2.cpp.
References cbor_encode_map(), cbor_encode_text(), cbor_encode_uint(), cbor_writer_error(), cbor_writer_init(), and cbor_writer_length().
Referenced by ctap2_build_auth_data_for_cred().
| static uint8_t ctap2_build_make_credential_response_packed | ( | const uint8_t *auth_data, uint16_t auth_data_len, const uint8_t *sig, uint8_t sig_len, const uint8_t *cert, uint16_t cert_len, uint8_t *response, uint16_t *response_len | ) |
| static |
Builds packed-attestation makeCredential response CBOR payload.
| auth_data | Authenticator data bytes. |
| auth_data_len | Length of auth_data. |
| sig | Attestation signature bytes. |
| sig_len | Length of sig. |
| cert | Optional attestation certificate. |
| cert_len | Length of cert. |
| response | Destination CTAP2 response buffer. |
| response_len | In/out response buffer length. |
Definition at line 318 of file ctap2.cpp.
References cbor_encode_array(), cbor_encode_bytes(), cbor_encode_int(), cbor_encode_map(), cbor_encode_text(), cbor_encode_uint(), cbor_writer_error(), cbor_writer_init(), cbor_writer_length(), COSE_ALG_ES256, CTAP2_ERR_OTHER, CTAP2_MC_RESP_ATT_STMT, CTAP2_MC_RESP_AUTH_DATA, CTAP2_MC_RESP_FMT, and CTAP2_OK.
Referenced by cdc::mod_fido2::create_credential_and_respond(), and cdc::mod_fido2::handle_browser_probe().
| void ctap2_cancel | ( | void | ) |
Marks current CTAP2 operation as cancelled.
Cancel any pending operation.
Definition at line 3624 of file ctap2.cpp.
References CTAP2_DEBUG_COMMANDS, g_ctap2, LOG_D, and TAG.
Referenced by handle_cancel().
| void ctap2_clear_cancel | ( | void | ) |
Clears any latched cancel flag. Called at the start of a new CTAPHID channel (INIT) so a cancel from a previous channel does not abort responses on the new one.
Clears the cancel flag. Called when a new CTAPHID channel is opened so a cancel from a previous channel doesn't poison responses on the new one (notably the INIT response itself).
Definition at line 3634 of file ctap2.cpp.
References g_ctap2.
Referenced by cdc::mod_fido2::fido2_ui_user_presence_callback(), and handle_init().
| uint8_t ctap2_client_pin | ( | const uint8_t * | params, |
| uint16_t | params_len, | ||
| uint8_t * | response, | ||
| uint16_t * | response_len ) |
Handles CTAP2 authenticatorClientPIN (0x06).
| params | CBOR request payload. |
| params_len | Length of params. |
| response | Output response buffer. |
| response_len | In/out response length. |
Definition at line 2948 of file ctap2.cpp.
References cbor_read_map(), cbor_read_uint(), cbor_reader_init(), cbor_skip_item(), client_pin_get_key_agreement(), client_pin_get_pin_token(), client_pin_get_pin_uv_auth_token(), client_pin_get_retries(), CTAP1_ERR_INVALID_COMMAND, CTAP1_ERR_INVALID_PARAMETER, CTAP2_ERR_INVALID_CBOR, CTAP2_ERR_UNSUPPORTED_OPTION, g_client_pin, LOG_I, LOG_W, PIN_CMD_CHANGE_PIN, PIN_CMD_GET_KEY_AGREEMENT, PIN_CMD_GET_PIN_TOKEN, PIN_CMD_GET_PIN_UV_TOKEN, PIN_CMD_GET_RETRIES, PIN_CMD_SET_PIN, PIN_PROTOCOL_VERSION, PIN_RETRIES_MAX, PIN_UV_RETRIES_MAX, and TAG_PIN.
Referenced by ctap2_process_command().
| uint8_t ctap2_cred_management | ( | const uint8_t * | params, |
| uint16_t | params_len, | ||
| uint8_t * | response, | ||
| uint16_t * | response_len ) |
Handles CTAP2 authenticatorCredentialManagement (0x0A).
| params | CBOR request payload. |
| params_len | Length of params. |
| response | Output response buffer. |
| response_len | In/out response length. |
Definition at line 3220 of file ctap2.cpp.
References cbor_encode_map(), cbor_encode_uint(), cbor_read_bytes(), cbor_read_map(), cbor_read_text(), cbor_read_uint(), cbor_reader_init(), cbor_skip_item(), cbor_writer_error(), cbor_writer_init(), cbor_writer_length(), cred_mgmt_count_unique_rps(), CRED_MGMT_DELETE_CREDENTIAL, cred_mgmt_encode_credential(), cred_mgmt_encode_rp(), CRED_MGMT_ENUMERATE_CREDS_BEGIN, CRED_MGMT_ENUMERATE_CREDS_GET_NEXT, CRED_MGMT_ENUMERATE_RPS_BEGIN, CRED_MGMT_ENUMERATE_RPS_GET_NEXT, cred_mgmt_find_creds_for_rp(), CRED_MGMT_GET_CREDS_METADATA, CTAP2_CM_PIN_UV_AUTH_PARAM, CTAP2_CM_PIN_UV_AUTH_PROTOCOL, CTAP2_CM_RESP_EXISTING_CRED_COUNT, CTAP2_CM_RESP_REMAINING_CRED_COUNT, CTAP2_CM_SUB_CREDENTIAL_ID, CTAP2_CM_SUB_RP_ID_HASH, CTAP2_CM_SUBCOMMAND, CTAP2_CM_SUBCOMMAND_PARAMS, CTAP2_ERR_INVALID_CBOR, CTAP2_ERR_MISSING_PARAMETER, CTAP2_ERR_NO_CREDENTIALS, CTAP2_ERR_OTHER, CTAP2_ERR_PIN_AUTH_INVALID, CTAP2_ERR_UNSUPPORTED_OPTION, CTAP2_OK, FIDO2_CRED_ID_LEN, FIDO2_MAX_CREDENTIALS, fido2_storage_delete_credential(), fido2_storage_find_slot_by_cred_id(), fido2_storage_is_resident(), g_client_pin, g_cred_mgmt, LOG_I, rp_id_hash, and TAG.
Referenced by ctap2_process_command().
| static bool ctap2_generate_ephemeral_keypair | ( | mbedtls_ecp_keypair *key, uint8_t pubkey[64] | ) |
| static |
Generates ephemeral P-256 key pair and exports 64-byte X||Y public key.
| key | Destination keypair structure. |
| pubkey | Destination buffer for public key coordinates. |
Definition at line 385 of file ctap2.cpp.
References CTAP2_ECP_GRP, CTAP2_ECP_Q, and ctap2_random().
Referenced by cdc::mod_fido2::handle_browser_probe().
| uint8_t ctap2_get_assertion | ( | const uint8_t * | params, |
| uint16_t | params_len, | ||
| uint8_t * | response, | ||
| uint16_t * | response_len ) |
Handles CTAP2 authenticatorGetAssertion (0x02).
| params | CBOR request payload. |
| params_len | Length of params. |
| response | Output response buffer. |
| response_len | In/out response length. |
Definition at line 1832 of file ctap2.cpp.
References build_authenticator_data(), creds, ctap2_build_appid_extension(), CTAP2_ERR_MISSING_PARAMETER, CTAP2_ERR_NO_CREDENTIALS, CTAP2_ERR_OPERATION_DENIED, CTAP2_ERR_OTHER, CTAP2_ERR_UNSUPPORTED_OPTION, CTAP2_OK, FIDO2_ACTION_AUTHENTICATE, FIDO2_CRED_ID_LEN, fido2_increment_auth_counter(), fido2_storage_get_cred_id(), fido2_storage_get_credential(), fido2_storage_increment_sign_count(), flags, g_ctap2, ga_build_response(), ga_find_credentials(), ga_parse_params(), ga_sign_assertion(), ga_verify_pin_auth(), LOG_E, LOG_I, sign_count, TAG, and wait_for_user_presence().
Referenced by ctap2_process_command().
| uint8_t ctap2_get_info | ( | uint8_t * | response, |
| uint16_t * | response_len ) |
Handles CTAP2 authenticatorGetInfo (0x04).
| response | Output response buffer. |
| response_len | In/out response length. |
Definition at line 667 of file ctap2.cpp.
References cbor_encode_map(), cbor_writer_error(), cbor_writer_init(), cbor_writer_length(), CTAP2_ERR_OTHER, CTAP2_OK, encode_info_aaguid(), encode_info_algorithms(), encode_info_extensions(), encode_info_max_cred_count(), encode_info_max_cred_id_length(), encode_info_max_msg_size(), encode_info_options(), encode_info_pin_uv_auth_protocols(), encode_info_transports(), and encode_info_versions().
Referenced by ctap2_process_command().
| uint8_t ctap2_get_next_assertion | ( | uint8_t * | response, |
| uint16_t * | response_len ) |
Handles CTAP2 authenticatorGetNextAssertion (0x08).
| response | Output response buffer. |
| response_len | In/out response length. |
Definition at line 1973 of file ctap2.cpp.
References build_authenticator_data(), cbor_encode_bytes(), cbor_encode_map(), cbor_encode_text(), cbor_encode_uint(), cbor_writer_init(), cbor_writer_length(), ctap2_build_appid_extension(), CTAP2_ERR_NOT_ALLOWED, CTAP2_ERR_OTHER, CTAP2_GA_RESP_AUTH_DATA, CTAP2_GA_RESP_CREDENTIAL, CTAP2_GA_RESP_SIGNATURE, CTAP2_OK, FIDO2_CRED_ID_LEN, fido2_storage_get_cred_id(), fido2_storage_get_credential(), fido2_storage_increment_sign_count(), fido2_storage_sign_raw(), g_ctap2, LOG_E, sign_count, and TAG.
Referenced by ctap2_process_command().
| bool ctap2_init | ( | void | ) |
| bool ctap2_is_cancelled | ( | void | ) |
Returns true if the current CTAP2 operation has been cancelled.
Definition at line 3641 of file ctap2.cpp.
References g_ctap2.
Referenced by ctaphid_get_response_packet(), and cdc::mod_fido2::fido2_ui_user_presence_callback().
| uint8_t ctap2_process_command | ( | const uint8_t * | cmd, |
| uint16_t | cmd_len, | ||
| uint8_t * | response, | ||
| uint16_t * | response_len ) |
Dispatches one CTAP2 command and writes response payload.
| cmd | Command buffer (command byte || CBOR params). |
| cmd_len | Length of cmd. |
| response | Output response buffer. |
| response_len | In/out response length. |
Definition at line 3529 of file ctap2.cpp.
References CTAP1_ERR_INVALID_COMMAND, ctap2_client_pin(), CTAP2_CMD_CLIENT_PIN, CTAP2_CMD_CONFIG, CTAP2_CMD_CRED_MANAGEMENT, CTAP2_CMD_GET_ASSERTION, CTAP2_CMD_GET_INFO, CTAP2_CMD_GET_NEXT_ASSERTION, CTAP2_CMD_LARGE_BLOBS, CTAP2_CMD_MAKE_CREDENTIAL, CTAP2_CMD_RESET, CTAP2_CMD_SELECTION, ctap2_cred_management(), CTAP2_ERR_UNSUPPORTED_OPTION, ctap2_get_assertion(), ctap2_get_info(), ctap2_get_next_assertion(), ctap2_make_credential(), ctap2_reset(), ctap2_selection(), g_ctap2, LOG_I, and TAG.
Referenced by handle_cbor().
|
static |
mbedTLS RNG callback backed by secure random source.
| ctx | Unused context pointer. |
| out | Destination buffer. |
| len | Number of random bytes. |
Definition at line 173 of file ctap2.cpp.
References secure_random_fill().
Referenced by client_pin_compute_shared_secret(), client_pin_init_ecdh(), ctap2_generate_ephemeral_keypair(), ctap2_sign_with_keypair(), and cdc::mod_fido2::handle_browser_probe().
| uint8_t ctap2_reset | ( | uint8_t * | response, |
| uint16_t * | response_len ) |
Handles CTAP2 authenticatorReset (0x07): performs a factory reset of FIDO2 state via fido2_factory_reset(), gated on a user-presence check (CTAP2_ERR_OPERATION_DENIED if not approved) so the host cannot wipe credentials silently.
| response | Output response buffer. |
| response_len | In/out response length. |
Definition at line 3027 of file ctap2.cpp.
References CTAP2_ERR_OPERATION_DENIED, CTAP2_ERR_OTHER, CTAP2_OK, FIDO2_ACTION_AUTHENTICATE, fido2_factory_reset(), LOG_I, TAG, and wait_for_user_presence().
Referenced by ctap2_process_command().
| uint8_t ctap2_selection | ( | uint8_t * | response, |
| uint16_t * | response_len ) |
Handles CTAP2 authenticatorSelection (0x0B).
| response | Output response buffer. |
| response_len | In/out response length. |
Definition at line 3496 of file ctap2.cpp.
References CTAP2_ERR_OPERATION_DENIED, CTAP2_OK, FIDO2_ACTION_SELECT, and wait_for_user_presence().
Referenced by ctap2_process_command().
| void ctap2_send_keepalive | ( | uint8_t | status | ) |
Sends CTAPHID keepalive for currently active channel.
| status | Keepalive status byte. |
Definition at line 3614 of file ctap2.cpp.
References ctaphid_get_current_cid(), and ctaphid_send_keepalive().
Referenced by cdc::mod_fido2::create_credential_and_respond().
|
static |
Signs message using provided keypair (ECDSA over SHA-256).
| key | Keypair for signing. |
| msg | Message bytes to hash and sign. |
| msg_len | Length of msg. |
| sig | Destination signature buffer. |
| sig_size | Size of sig. |
| sig_len | Output signature length. |
Definition at line 429 of file ctap2.cpp.
References ctap2_random(), and sha256().
Referenced by cdc::mod_fido2::handle_browser_probe().
|
static |
Encodes the authenticator AAGUID into the getInfo CBOR map.
Definition at line 571 of file ctap2.cpp.
References AAGUID, cbor_encode_bytes(), cbor_encode_uint(), and CTAP2_INFO_AAGUID.
Referenced by ctap2_get_info().
|
static |
Encodes the supported algorithms array (PublicKeyCredentialParameters).
Definition at line 629 of file ctap2.cpp.
References cbor_encode_array(), cbor_encode_int(), cbor_encode_map(), cbor_encode_text(), cbor_encode_uint(), COSE_ALG_EDDSA, COSE_ALG_ES256, and CTAP2_INFO_ALGORITHMS.
Referenced by ctap2_get_info().
|
static |
Encodes the supported CTAP extensions, sorted for CBOR canonical form.
Definition at line 562 of file ctap2.cpp.
References cbor_encode_array(), cbor_encode_text(), cbor_encode_uint(), and CTAP2_INFO_EXTENSIONS.
Referenced by ctap2_get_info().
|
static |
Encodes the maxCredentialCountInList entry.
Definition at line 610 of file ctap2.cpp.
References cbor_encode_uint(), CTAP2_INFO_MAX_CRED_COUNT_IN_LIST, and CTAP2_INFO_MAX_CRED_LIST_COUNT_VALUE.
Referenced by ctap2_get_info().
|
static |
Encodes the maxCredentialIdLength entry.
Definition at line 616 of file ctap2.cpp.
References cbor_encode_uint(), CTAP2_INFO_MAX_CRED_ID_LENGTH, and FIDO2_CRED_ID_LEN.
Referenced by ctap2_get_info().
|
static |
Encodes the maxMsgSize entry into the getInfo CBOR map.
Definition at line 597 of file ctap2.cpp.
References cbor_encode_uint(), CTAP2_INFO_MAX_MSG_SIZE, and CTAP2_INFO_MAX_MSG_SIZE_VALUE.
Referenced by ctap2_get_info().
|
static |
Encodes the supported authenticator options map, with keys emitted in length-first order as CTAP canonical CBOR requires.
Definition at line 577 of file ctap2.cpp.
References cbor_encode_bool(), cbor_encode_map(), cbor_encode_text(), cbor_encode_uint(), and CTAP2_INFO_OPTIONS.
Referenced by ctap2_get_info().
|
static |
Encodes the supported pinUvAuthProtocols list.
Definition at line 603 of file ctap2.cpp.
References cbor_encode_array(), cbor_encode_uint(), CTAP2_INFO_PIN_UV_AUTH_PROTOCOL_VALUE, and CTAP2_INFO_PIN_UV_AUTH_PROTOCOLS.
Referenced by ctap2_get_info().
|
static |
Encodes the supported transports list.
Definition at line 622 of file ctap2.cpp.
References cbor_encode_array(), cbor_encode_text(), cbor_encode_uint(), CTAP2_INFO_TRANSPORTS, and INFO_TRANSPORTS.
Referenced by ctap2_get_info().
|
static |
Encodes the supported FIDO/U2F versions into the getInfo CBOR map.
Definition at line 553 of file ctap2.cpp.
References cbor_encode_array(), cbor_encode_text(), cbor_encode_uint(), and CTAP2_INFO_VERSIONS.
Referenced by ctap2_get_info().
|
static |
Builds CBOR response payload for getAssertion/getNextAssertion.
| cred_id | Credential ID bytes. |
| auth_data | Authenticator data bytes. |
| auth_data_len | Length of auth_data. |
| signature | Assertion signature bytes. |
| sig_len | Length of signature. |
| cred | Credential metadata record. |
| include_user | Whether to include user entity map. |
| total_creds | Total matching credential count. |
| response | Output response buffer. |
| response_len | In/out response length. |
Definition at line 1762 of file ctap2.cpp.
References cbor_encode_bytes(), cbor_encode_map(), cbor_encode_text(), cbor_encode_uint(), cbor_writer_error(), cbor_writer_init(), cbor_writer_length(), CTAP2_ERR_OTHER, CTAP2_GA_RESP_AUTH_DATA, CTAP2_GA_RESP_CREDENTIAL, CTAP2_GA_RESP_NUMBER_OF_CREDS, CTAP2_GA_RESP_SIGNATURE, CTAP2_GA_RESP_USER, CTAP2_OK, and FIDO2_CRED_ID_LEN.
Referenced by ctap2_get_assertion().
|
static |
Finds credentials matching RP/allowList and appid extension rules.
| p | Parsed getAssertion parameters (modified during selection). |
| creds | Output credential selection result. |
Definition at line 1656 of file ctap2.cpp.
References creds, FIDO2_MAX_CREDENTIALS, fido2_storage_find_by_rp(), fido2_storage_get_credential(), LOG_I, and TAG.
Referenced by ctap2_get_assertion().
|
static |
Parses getAssertion allowList (map key 0x03).
| r | CBOR reader positioned at the allowList value. |
| p | Output getAssertion parameter structure. |
Definition at line 1403 of file ctap2.cpp.
References cbor_read_array(), CTAP2_ERR_INVALID_CBOR, CTAP2_OK, FIDO2_CRED_ID_LEN, FIDO2_MAX_CREDENTIALS, fido2_storage_find_slot_by_cred_id(), and ga_parse_allow_list_credential().
Referenced by ga_parse_params().
|
static |
Parses one allowList credential descriptor and extracts credential ID.
| r | CBOR reader positioned at one descriptor map. |
| cred_id | Output credential ID buffer. |
| cred_id_len | Output credential ID length. |
Definition at line 1367 of file ctap2.cpp.
References cbor_read_bytes(), cbor_read_map(), cbor_read_text(), cbor_skip_item(), and FIDO2_CRED_ID_LEN.
Referenced by ga_parse_allow_list().
|
static |
Parses getAssertion extensions (map key 0x04).
| r | CBOR reader positioned at the extensions value. |
| p | Output getAssertion parameter structure. |
Definition at line 1446 of file ctap2.cpp.
References cbor_read_map(), cbor_read_text(), cbor_skip_item(), CTAP2_ERR_INVALID_CBOR, CTAP2_OK, and sha256_str().
Referenced by ga_parse_params().
|
static |
Parses getAssertion options (map key 0x05).
| r | CBOR reader positioned at the options value. |
| p | Output getAssertion parameter structure. |
Definition at line 1481 of file ctap2.cpp.
References cbor_read_bool(), cbor_read_map(), cbor_read_text(), cbor_skip_item(), CTAP2_ERR_INVALID_CBOR, and CTAP2_OK.
Referenced by ga_parse_params().
|
static |
Parses complete getAssertion request map from CBOR payload.
| params | CBOR request payload. |
| params_len | Length of params. |
| p | Output parameter structure. |
Definition at line 1513 of file ctap2.cpp.
References cbor_read_bytes(), cbor_read_map(), cbor_read_text(), cbor_read_uint(), cbor_reader_init(), cbor_skip_item(), CTAP2_ERR_INVALID_CBOR, CTAP2_GA_ALLOW_LIST, CTAP2_GA_CLIENT_DATA_HASH, CTAP2_GA_EXTENSIONS, CTAP2_GA_OPTIONS, CTAP2_GA_PIN_UV_AUTH_PARAM, CTAP2_GA_PIN_UV_AUTH_PROTOCOL, CTAP2_GA_RP_ID, CTAP2_OK, ga_parse_allow_list(), ga_parse_extensions(), ga_parse_options(), and sha256_str().
Referenced by ctap2_get_assertion().
|
static |
Signs assertion message (authData || clientDataHash) for one credential slot.
| slot | Credential slot index. |
| auth_data | Authenticator data bytes. |
| auth_data_len | Length of auth_data. |
| client_data_hash | ClientDataHash bytes. |
| signature | Destination signature buffer. |
| sig_len | Output signature length. |
Definition at line 1727 of file ctap2.cpp.
References CTAP2_ERR_OTHER, CTAP2_OK, fido2_storage_sign_raw(), LOG_E, and TAG.
Referenced by ctap2_get_assertion().
|
static |
Verifies the getAssertion pinUvAuthParam as an HMAC under the current pinUvAuthToken held in g_client_pin; on success it records PIN/UV verification via fido2_set_pin_verified(). Because the tag is host-supplied, the comparison should be constant-time.
| p | Parsed getAssertion parameters. |
| uv_verified | Output flag set to UV verification result. |
Definition at line 1598 of file ctap2.cpp.
References CTAP2_ERR_PIN_AUTH_INVALID, CTAP2_OK, fido2_set_pin_verified(), g_client_pin, LOG_D, LOG_I, LOG_W, PIN_TOKEN_SIZE, and TAG.
Referenced by ctap2_get_assertion().
|
static |
Fills a buffer with cryptographically secure random bytes.
| out | Destination buffer. |
| len | Number of random bytes to generate. |
Definition at line 146 of file ctap2.cpp.
References cdc::hal::getSecureElementInstance().
Referenced by aes_256_cbc_encrypt_p2(), client_pin_get_pin_token(), client_pin_get_pin_uv_auth_token(), and ctap2_random().
|
inline |
Definition at line 29 of file fido2_common.h.
Referenced by client_pin_get_pin_token(), and ctap2_sign_with_keypair().
|
inline |
Definition at line 34 of file fido2_common.h.
Referenced by client_pin_get_pin_uv_auth_token(), ga_parse_extensions(), and ga_parse_params().
|
static |
Requests user-presence confirmation through the platform callback (fido2_request_user_presence()), sending CTAPHID UPNEEDED keepalives on the current channel while waiting; the outcome is one of approved, denied, or timeout.
| rp_id | RP ID shown to user. |
| action | Requested user action type. |
| user_name | Optional user name shown for registration. |
Definition at line 517 of file ctap2.cpp.
References ctaphid_get_current_cid(), ctaphid_send_keepalive(), CTAPHID_STATUS_UPNEEDED, FIDO2_ACTION_REGISTER, fido2_request_user_presence(), FIDO2_UP_APPROVED, FIDO2_UP_DENIED, FIDO2_UP_TIMEOUT, LOG_I, LOG_W, rp_id, TAG, and user_name.
Referenced by ctap2_get_assertion(), cdc::mod_fido2::ctap2_make_credential(), ctap2_reset(), ctap2_selection(), and cdc::mod_fido2::handle_browser_probe().
|
static |
Authenticator Attestation GUID for this authenticator model.
Definition at line 45 of file ctap2.cpp.
Referenced by ctap2_build_attested_cred(), and encode_info_aaguid().
| bool cancelled |
Definition at line 63 of file ctap2.cpp.
Referenced by ctaphid_get_response_packet().
| uint8_t cred_count |
Definition at line 136 of file ctap2.cpp.
Referenced by fido2_init().
|
staticconstexpr |
Reported maxCredentialCountInList for authenticatorGetInfo.
Definition at line 550 of file ctap2.cpp.
Referenced by encode_info_max_cred_count().
|
staticconstexpr |
Reported maximum message size for authenticatorGetInfo.
Definition at line 546 of file ctap2.cpp.
Referenced by encode_info_max_msg_size().
|
staticconstexpr |
Reported PIN/UV auth protocol version (Protocol Two).
Definition at line 548 of file ctap2.cpp.
Referenced by encode_info_pin_uv_auth_protocols().
| struct { ... } g_client_pin |
Referenced by client_pin_compute_shared_secret(), client_pin_get_key_agreement(), client_pin_get_pin_token(), client_pin_get_pin_uv_auth_token(), client_pin_get_retries(), client_pin_init_ecdh(), cdc::mod_fido2::create_credential_and_respond(), ctap2_client_pin(), ctap2_cred_management(), ga_verify_pin_auth(), and cdc::mod_fido2::verify_pin_uv_auth().
| struct { ... } g_cred_mgmt |
| struct { ... } g_ctap2 |
Global CTAP2 runtime state.
Referenced by cdc::mod_fido2::check_appid_exclude(), ctap2_cancel(), ctap2_clear_cancel(), ctap2_get_assertion(), ctap2_get_next_assertion(), ctap2_init(), ctap2_is_cancelled(), and ctap2_process_command().
|
static |
Device info strings reported by authenticatorGetInfo.
Definition at line 54 of file ctap2.cpp.
Referenced by encode_info_transports().
| bool initialized |
Definition at line 61 of file ctap2.cpp.
Referenced by ccid_card_present(), and ccid_init().
| uint8_t rp_count |
Definition at line 131 of file ctap2.cpp.
Referenced by cdc::mod_fido2::parse_rp_map().
|
static |
Definition at line 34 of file ctap2.cpp.
Referenced by client_pin_compute_shared_secret(), client_pin_get_key_agreement(), client_pin_get_pin_token(), client_pin_get_pin_uv_auth_token(), client_pin_init_ecdh(), and ctap2_client_pin().