CDC Badge OS
Firmware for the CDC Badge v1.0 hardware security key
ctap2.h
1// CTAP2 Protocol Implementation (FIDO2)
2// Handles CBOR-encoded CTAP2 commands
3
4#pragma once
5#include <stdint.h>
6#include <stdbool.h>
7#include "fido2.h"
8
9#ifdef __cplusplus
10extern "C" {
11#endif
12
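// ============================================================================
// CTAP2 Commands
// ============================================================================
//
// One-byte authenticator command identifiers. Trailing comments give the
// operation name used by the CTAP specification.
//
// NOTE(review): the command byte is chosen by the host. The dispatcher should
// answer any value that is neither listed here nor inside the vendor range
// with CTAP1_ERR_INVALID_COMMAND - confirm in ctap2.cpp.
// NOTE(review): this header declares no handler for CTAP2_CMD_LARGE_BLOBS or
// CTAP2_CMD_CONFIG; confirm they are either implemented elsewhere or rejected.

#define CTAP2_CMD_MAKE_CREDENTIAL    0x01  // authenticatorMakeCredential
#define CTAP2_CMD_GET_ASSERTION      0x02  // authenticatorGetAssertion
#define CTAP2_CMD_GET_INFO           0x04  // authenticatorGetInfo
#define CTAP2_CMD_CLIENT_PIN         0x06  // authenticatorClientPIN
#define CTAP2_CMD_RESET              0x07  // authenticatorReset
#define CTAP2_CMD_GET_NEXT_ASSERTION 0x08  // authenticatorGetNextAssertion
#define CTAP2_CMD_CRED_MANAGEMENT    0x0A  // authenticatorCredentialManagement
#define CTAP2_CMD_SELECTION          0x0B  // authenticatorSelection
#define CTAP2_CMD_LARGE_BLOBS        0x0C  // authenticatorLargeBlobs
#define CTAP2_CMD_CONFIG             0x0D  // authenticatorConfig

// Vendor commands: inclusive range of command bytes left to the vendor.
#define CTAP2_CMD_VENDOR_FIRST       0x40
#define CTAP2_CMD_VENDOR_LAST        0xBF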
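// ============================================================================
// CTAP2 Status Codes
// ============================================================================
//
// One-byte status values. The handlers declared in this header return
// uint8_t, presumably one of these codes. Meanings in the trailing comments
// follow the CTAP specification.

#define CTAP2_OK                        0x00

// Transport-level errors (CTAP1_ERR_* names).
#define CTAP1_ERR_INVALID_COMMAND       0x01
#define CTAP1_ERR_INVALID_PARAMETER     0x02
#define CTAP1_ERR_INVALID_LENGTH        0x03
#define CTAP1_ERR_INVALID_SEQ           0x04
#define CTAP1_ERR_TIMEOUT               0x05
#define CTAP1_ERR_CHANNEL_BUSY          0x06
#define CTAP1_ERR_LOCK_REQUIRED         0x0A
#define CTAP1_ERR_INVALID_CHANNEL       0x0B

// CBOR decoding and request validation.
#define CTAP2_ERR_CBOR_UNEXPECTED_TYPE  0x11
#define CTAP2_ERR_INVALID_CBOR          0x12
#define CTAP2_ERR_MISSING_PARAMETER     0x14
#define CTAP2_ERR_LIMIT_EXCEEDED        0x15
#define CTAP2_ERR_UNSUPPORTED_EXT       0x16
#define CTAP2_ERR_CREDENTIAL_EXCLUDED   0x19

// Operation state and credential handling.
#define CTAP2_ERR_PROCESSING            0x21
#define CTAP2_ERR_INVALID_CREDENTIAL    0x22
#define CTAP2_ERR_USER_ACTION_PENDING   0x23
#define CTAP2_ERR_OPERATION_PENDING     0x24
#define CTAP2_ERR_NO_OPERATIONS         0x25
#define CTAP2_ERR_UNSUPPORTED_ALGORITHM 0x26
#define CTAP2_ERR_OPERATION_DENIED      0x27
#define CTAP2_ERR_KEY_STORE_FULL        0x28
#define CTAP2_ERR_NO_OPERATION_PENDING  0x2A
#define CTAP2_ERR_UNSUPPORTED_OPTION    0x2B
#define CTAP2_ERR_INVALID_OPTION        0x2C
#define CTAP2_ERR_KEEPALIVE_CANCEL      0x2D
#define CTAP2_ERR_NO_CREDENTIALS        0x2E
#define CTAP2_ERR_USER_ACTION_TIMEOUT   0x2F
#define CTAP2_ERR_NOT_ALLOWED           0x30

// PIN / user-verification outcomes. Which code is returned decides what the
// platform tells the user about remaining retries, so the distinction between
// "invalid" and "blocked" has to track the retry counter exactly.
#define CTAP2_ERR_PIN_INVALID           0x31  // supplied PIN did not match
#define CTAP2_ERR_PIN_BLOCKED           0x32  // PIN retries exhausted
#define CTAP2_ERR_PIN_AUTH_INVALID      0x33  // pinUvAuthParam check failed
#define CTAP2_ERR_PIN_AUTH_BLOCKED      0x34  // blocked until power cycle
#define CTAP2_ERR_PIN_NOT_SET           0x35
#define CTAP2_ERR_PIN_REQUIRED          0x36
#define CTAP2_ERR_PIN_POLICY_VIOLATION  0x37
#define CTAP2_ERR_PIN_TOKEN_EXPIRED     0x38

#define CTAP2_ERR_REQUEST_TOO_LARGE     0x39
#define CTAP2_ERR_ACTION_TIMEOUT        0x3A
#define CTAP2_ERR_UP_REQUIRED           0x3B  // user presence required
#define CTAP2_ERR_UV_BLOCKED            0x3C  // built-in user verification blocked

// NOTE(review): the CTAP specification lists 0x7F as CTAP1_ERR_OTHER; the
// CTAP2_ name is kept here because callers already use it.
#define CTAP2_ERR_OTHER                 0x7F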
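// ============================================================================
// CTAP2 Algorithms
// ============================================================================
//
// COSE algorithm identifiers. All values are negative, so each replacement
// list is parenthesized to stay a single operand wherever the macro expands.
//
// NOTE(review): an algorithm should only be advertised to the host if the
// firmware actually implements it; defining a constant here does not imply
// support - confirm against ctap2.cpp.

#define COSE_ALG_ES256            (-7)    // ECDSA with SHA-256 (P-256)
#define COSE_ALG_EDDSA            (-8)    // EdDSA (Ed25519)
#define COSE_ALG_RS256            (-257)  // RSASSA-PKCS1-v1_5 with SHA-256
#define COSE_ALG_ECDH_ES_HKDF_256 (-25)   // ECDH-ES + HKDF-256 (RFC 8152)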
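// ============================================================================
// COSE Key Constants (RFC 8152 / RFC 8037)
// See: https://datatracker.ietf.org/doc/html/rfc8152
// https://www.iana.org/assignments/cose/cose.xhtml
// ============================================================================

// COSE_Key map labels. Positive labels are common to every key type; negative
// labels are specific to the key type (here EC2 / OKP). Negative values are
// parenthesized so each macro expands to a single operand.
#define COSE_KEY_LABEL_KTY     1     // Key type
#define COSE_KEY_LABEL_KID     2     // Key identifier
#define COSE_KEY_LABEL_ALG     3     // Algorithm
#define COSE_KEY_LABEL_OPS     4     // Key operations
#define COSE_KEY_LABEL_BASE_IV 5     // Base IV
#define COSE_KEY_LABEL_CRV     (-1)  // Curve (EC2/OKP)
#define COSE_KEY_LABEL_X       (-2)  // X coordinate (EC2) / public key (OKP)
#define COSE_KEY_LABEL_Y       (-3)  // Y coordinate (EC2)
// Private key. A COSE_Key returned to the host must never carry this label.
#define COSE_KEY_LABEL_D       (-4)

// COSE Key Type (kty) values
#define COSE_KEY_TYPE_OKP       1  // Octet Key Pair (Ed25519, X25519)
#define COSE_KEY_TYPE_EC2       2  // Elliptic Curve with x/y coordinates
#define COSE_KEY_TYPE_SYMMETRIC 4  // Symmetric key

// COSE Elliptic Curves (crv) values
#define COSE_CRV_P256    1  // NIST P-256 (secp256r1)
#define COSE_CRV_P384    2  // NIST P-384
#define COSE_CRV_P521    3  // NIST P-521
#define COSE_CRV_X25519  4  // X25519 ECDH
#define COSE_CRV_X448    5  // X448 ECDH
#define COSE_CRV_ED25519 6  // Ed25519 EdDSA
#define COSE_CRV_ED448   7  // Ed448 EdDSA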
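// ============================================================================
// CTAP2 CBOR Map Keys (CTAP 2.1 Specification)
// See: https://fidoalliance.org/specs/fido-v2.1-rd-20191217/fido-client-to-authenticator-protocol-v2.1-rd-20191217.html
// ============================================================================
//
// Integer keys of the top-level CBOR maps exchanged with the host. Trailing
// comments give the member name used by the specification.
//
// NOTE(review): request maps are host-controlled. The decoder should check the
// CBOR type of every value it reads under these keys and fail with
// CTAP2_ERR_MISSING_PARAMETER / CTAP2_ERR_CBOR_UNEXPECTED_TYPE rather than
// assume a key is present - confirm in ctap2.cpp.

// authenticatorGetInfo response keys (Section 6.4)
#define CTAP2_INFO_VERSIONS               0x01  // versions
#define CTAP2_INFO_EXTENSIONS             0x02  // extensions
#define CTAP2_INFO_AAGUID                 0x03  // aaguid
#define CTAP2_INFO_OPTIONS                0x04  // options
#define CTAP2_INFO_MAX_MSG_SIZE           0x05  // maxMsgSize
#define CTAP2_INFO_PIN_UV_AUTH_PROTOCOLS  0x06  // pinUvAuthProtocols
#define CTAP2_INFO_MAX_CRED_COUNT_IN_LIST 0x07  // maxCredentialCountInList
#define CTAP2_INFO_MAX_CRED_ID_LENGTH     0x08  // maxCredentialIdLength
#define CTAP2_INFO_TRANSPORTS             0x09  // transports
#define CTAP2_INFO_ALGORITHMS             0x0A  // algorithms

// authenticatorMakeCredential parameter keys (Section 6.1)
#define CTAP2_MC_CLIENT_DATA_HASH         0x01  // clientDataHash
#define CTAP2_MC_RP                       0x02  // rp
#define CTAP2_MC_USER                     0x03  // user
#define CTAP2_MC_PUB_KEY_CRED_PARAMS      0x04  // pubKeyCredParams
#define CTAP2_MC_EXCLUDE_LIST             0x05  // excludeList
#define CTAP2_MC_EXTENSIONS               0x06  // extensions
#define CTAP2_MC_OPTIONS                  0x07  // options
#define CTAP2_MC_PIN_UV_AUTH_PARAM        0x08  // pinUvAuthParam
#define CTAP2_MC_PIN_UV_AUTH_PROTOCOL     0x09  // pinUvAuthProtocol

// authenticatorMakeCredential response keys (Section 6.1)
#define CTAP2_MC_RESP_FMT                 0x01  // fmt
#define CTAP2_MC_RESP_AUTH_DATA           0x02  // authData
#define CTAP2_MC_RESP_ATT_STMT            0x03  // attStmt

// authenticatorGetAssertion parameter keys (Section 6.2)
#define CTAP2_GA_RP_ID                    0x01  // rpId
#define CTAP2_GA_CLIENT_DATA_HASH         0x02  // clientDataHash
#define CTAP2_GA_ALLOW_LIST               0x03  // allowList
#define CTAP2_GA_EXTENSIONS               0x04  // extensions
#define CTAP2_GA_OPTIONS                  0x05  // options
#define CTAP2_GA_PIN_UV_AUTH_PARAM        0x06  // pinUvAuthParam
#define CTAP2_GA_PIN_UV_AUTH_PROTOCOL     0x07  // pinUvAuthProtocol

// authenticatorGetAssertion response keys (Section 6.2)
#define CTAP2_GA_RESP_CREDENTIAL          0x01  // credential
#define CTAP2_GA_RESP_AUTH_DATA           0x02  // authData
#define CTAP2_GA_RESP_SIGNATURE           0x03  // signature
#define CTAP2_GA_RESP_USER                0x04  // user
#define CTAP2_GA_RESP_NUMBER_OF_CREDS     0x05  // numberOfCredentials

// authenticatorClientPIN parameter keys (Section 6.5)
// The PIN itself never appears in the clear under these keys: newPinEnc and
// pinHashEnc are ciphertexts under the key-agreement shared secret.
#define CTAP2_PIN_PROTOCOL                0x01  // pinUvAuthProtocol
#define CTAP2_PIN_SUBCOMMAND              0x02  // subCommand
#define CTAP2_PIN_KEY_AGREEMENT           0x03  // keyAgreement
#define CTAP2_PIN_AUTH                    0x04  // pinUvAuthParam
#define CTAP2_PIN_NEW_PIN_ENC             0x05  // newPinEnc
#define CTAP2_PIN_HASH_ENC                0x06  // pinHashEnc
#define CTAP2_PIN_PERMISSIONS             0x09  // permissions
#define CTAP2_PIN_PERMISSIONS_RPID        0x0A  // rpId

// authenticatorClientPIN response keys (Section 6.5)
#define CTAP2_PIN_RESP_KEY_AGREEMENT      0x01  // keyAgreement
#define CTAP2_PIN_RESP_PIN_TOKEN          0x02  // pinUvAuthToken (encrypted)
#define CTAP2_PIN_RESP_PIN_RETRIES        0x03  // pinRetries
#define CTAP2_PIN_RESP_POWER_CYCLE_STATE  0x04  // powerCycleState
#define CTAP2_PIN_RESP_UV_RETRIES         0x05  // uvRetries

// authenticatorCredentialManagement parameter keys (Section 6.8)
#define CTAP2_CM_SUBCOMMAND               0x01  // subCommand
#define CTAP2_CM_SUBCOMMAND_PARAMS        0x02  // subCommandParams
#define CTAP2_CM_PIN_UV_AUTH_PROTOCOL     0x03  // pinUvAuthProtocol
#define CTAP2_CM_PIN_UV_AUTH_PARAM        0x04  // pinUvAuthParam

// authenticatorCredentialManagement subcommand parameter keys
#define CTAP2_CM_SUB_RP_ID_HASH           0x01  // rpIDHash
#define CTAP2_CM_SUB_CREDENTIAL_ID        0x02  // credentialID

// authenticatorCredentialManagement response keys (Section 6.8)
#define CTAP2_CM_RESP_EXISTING_CRED_COUNT  0x01
#define CTAP2_CM_RESP_REMAINING_CRED_COUNT 0x02
#define CTAP2_CM_RESP_RP                   0x03  // rp
#define CTAP2_CM_RESP_RP_ID_HASH           0x04  // rpIDHash
#define CTAP2_CM_RESP_TOTAL_RPS            0x05  // totalRPs
#define CTAP2_CM_RESP_USER                 0x06  // user
#define CTAP2_CM_RESP_CREDENTIAL_ID        0x07  // credentialID
#define CTAP2_CM_RESP_PUBLIC_KEY           0x08  // publicKey
#define CTAP2_CM_RESP_TOTAL_CREDENTIALS    0x09  // totalCredentials
#define CTAP2_CM_RESP_CRED_PROTECT         0x0A  // credProtect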
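// ============================================================================
// Processing Functions
// ============================================================================
//
// NOTE(review): `cmd` is host-supplied data. The prototypes do not carry the
// capacity of `response`; confirm in ctap2.cpp whether `*response_len` holds
// the buffer size on entry and that every write into `response` is bounded.

/**
 * @brief Initializes CTAP2 runtime state.
 * @return bool; presumably true on success - confirm against ctap2.cpp.
 */
bool ctap2_init(void);

/**
 * @brief Dispatches one CTAP2 command and writes response payload.
 * @param cmd          Command bytes received from the host (untrusted).
 * @param cmd_len      Number of bytes available at @p cmd.
 * @param response     Buffer that receives the response payload.
 * @param response_len Receives the length of the payload written; whether it
 *                     also carries the buffer capacity on entry is not visible
 *                     from this header.
 * @return uint8_t; presumably CTAP2_OK or one of the *_ERR_* status codes.
 */
uint8_t ctap2_process_command(const uint8_t *cmd, uint16_t cmd_len,
                              uint8_t *response, uint16_t *response_len);

/**
 * @brief Sends CTAPHID keepalive for currently active channel.
 * @param status Keepalive status byte to send.
 */
void ctap2_send_keepalive(uint8_t status);

/**
 * @brief Marks current CTAP2 operation as cancelled.
 */
void ctap2_cancel(void);

/**
 * @brief Clears the cancel flag.
 *
 * Per the generated documentation this is called when a new CTAPHID channel
 * is opened, so that a cancel from a previous channel is not carried over
 * (the summary on the rendered page is truncated - confirm in ctap2.cpp).
 */
void ctap2_clear_cancel(void);

/**
 * @brief Returns true if the current CTAP2 operation has been cancelled.
 */
bool ctap2_is_cancelled(void);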
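// ============================================================================
// Individual Command Handlers
// ============================================================================
//
// Common shape: `params` / `params_len` describe the request parameters
// (presumably the CBOR map following the command byte - confirm), `response`
// receives the payload and `*response_len` its length. The return value is a
// uint8_t, presumably a CTAP2 status code.
//
// NOTE(review): `params` is host-controlled and the prototypes carry no
// capacity for `response`; confirm in ctap2.cpp that decoding never reads past
// `params_len` and that every handler bounds what it writes.

/**
 * @brief Presumably handles CTAP2 authenticatorMakeCredential (0x01); the
 *        rendered page shows no summary for this function.
 */
uint8_t ctap2_make_credential(const uint8_t *params, uint16_t params_len,
                              uint8_t *response, uint16_t *response_len);

/**
 * @brief Handles CTAP2 authenticatorGetAssertion (0x02).
 */
uint8_t ctap2_get_assertion(const uint8_t *params, uint16_t params_len,
                            uint8_t *response, uint16_t *response_len);

/**
 * @brief Handles CTAP2 authenticatorGetInfo (0x04).
 */
uint8_t ctap2_get_info(uint8_t *response, uint16_t *response_len);

/**
 * @brief Handles CTAP2 authenticatorClientPIN (0x06).
 */
uint8_t ctap2_client_pin(const uint8_t *params, uint16_t params_len,
                         uint8_t *response, uint16_t *response_len);

/**
 * @brief Handles CTAP2 authenticatorReset (0x07).
 *
 * NOTE(review): reset is destructive by specification; confirm that the
 * implementation requires user presence before acting.
 */
uint8_t ctap2_reset(uint8_t *response, uint16_t *response_len);

/**
 * @brief Handles CTAP2 authenticatorGetNextAssertion (0x08).
 */
uint8_t ctap2_get_next_assertion(uint8_t *response, uint16_t *response_len);

/**
 * @brief Handles CTAP2 authenticatorCredentialManagement (0x0A).
 */
uint8_t ctap2_cred_management(const uint8_t *params, uint16_t params_len,
                              uint8_t *response, uint16_t *response_len);

/**
 * @brief Handles CTAP2 authenticatorSelection (0x0B).
 */
uint8_t ctap2_selection(uint8_t *response, uint16_t *response_len);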
278#ifdef __cplusplus
279}
280#endif
281
uint8_t ctap2_reset(uint8_t *response, uint16_t *response_len)
Handles CTAP2 authenticatorReset (0x07).
Definition ctap2.cpp:3027
uint8_t ctap2_client_pin(const uint8_t *params, uint16_t params_len, uint8_t *response, uint16_t *response_len)
Handles CTAP2 authenticatorClientPIN (0x06).
Definition ctap2.cpp:2948
void ctap2_cancel(void)
Marks current CTAP2 operation as cancelled.
Definition ctap2.cpp:3624
uint8_t ctap2_process_command(const uint8_t *cmd, uint16_t cmd_len, uint8_t *response, uint16_t *response_len)
Dispatches one CTAP2 command and writes response payload.
Definition ctap2.cpp:3529
void ctap2_clear_cancel(void)
Clears the cancel flag. Called when a new CTAPHID channel is opened so a cancel from a previous chann...
Definition ctap2.cpp:3634
bool ctap2_init(void)
Initializes CTAP2 runtime state.
Definition ctap2.cpp:3513
uint8_t ctap2_selection(uint8_t *response, uint16_t *response_len)
Handles CTAP2 authenticatorSelection (0x0B).
Definition ctap2.cpp:3496
bool ctap2_is_cancelled(void)
Returns true if the current CTAP2 operation has been cancelled.
Definition ctap2.cpp:3641
void ctap2_send_keepalive(uint8_t status)
Sends CTAPHID keepalive for currently active channel.
Definition ctap2.cpp:3614
uint8_t ctap2_get_assertion(const uint8_t *params, uint16_t params_len, uint8_t *response, uint16_t *response_len)
Handles CTAP2 authenticatorGetAssertion (0x02).
Definition ctap2.cpp:1832
uint8_t ctap2_make_credential(const uint8_t *params, uint16_t params_len, uint8_t *response, uint16_t *response_len)
uint8_t ctap2_cred_management(const uint8_t *params, uint16_t params_len, uint8_t *response, uint16_t *response_len)
Handles CTAP2 authenticatorCredentialManagement (0x0A).
Definition ctap2.cpp:3220
uint8_t ctap2_get_next_assertion(uint8_t *response, uint16_t *response_len)
Handles CTAP2 authenticatorGetNextAssertion (0x08).
Definition ctap2.cpp:1973
uint8_t ctap2_get_info(uint8_t *response, uint16_t *response_len)
Handles CTAP2 authenticatorGetInfo (0x04).
Definition ctap2.cpp:667