From 9410d650378540fd60ec998cdcac17a9c5b4a888 Mon Sep 17 00:00:00 2001
From: Martin Sirringhaus
Date: Fri, 13 Dec 2024 13:47:37 +0100
Subject: [PATCH] Only create shared secret, when hmac is requested for CTAP2.0 tokens
---
 src/ctap2/commands/authenticator_config.rs | 4 ++++
 src/ctap2/commands/bio_enrollment.rs | 4 ++++
 src/ctap2/commands/credential_management.rs | 4 ++++
 src/ctap2/commands/get_assertion.rs | 4 ++++
 src/ctap2/commands/make_credentials.rs | 8 ++++++++
 src/ctap2/commands/mod.rs | 1 +
 src/ctap2/mod.rs | 4 ++--
 7 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/src/ctap2/commands/authenticator_config.rs b/src/ctap2/commands/authenticator_config.rs
index 909be911..8f0deb54 100644
--- a/src/ctap2/commands/authenticator_config.rs
+++ b/src/ctap2/commands/authenticator_config.rs
@@ -188,6 +188,10 @@ impl PinUvAuthCommand for AuthenticatorConfig {
     fn get_rp_id(&self) -> Option<&String> {
         None
     }
+
+    fn hmac_requested(&self) -> bool {
+        false
+    }
 }
 
 #[cfg(test)]
diff --git a/src/ctap2/commands/bio_enrollment.rs b/src/ctap2/commands/bio_enrollment.rs
index a1d0a3f3..ebddc906 100644
--- a/src/ctap2/commands/bio_enrollment.rs
+++ b/src/ctap2/commands/bio_enrollment.rs
@@ -224,6 +224,10 @@ impl PinUvAuthCommand for BioEnrollment {
     fn get_pin_uv_auth_param(&self) -> Option<&PinUvAuthParam> {
         self.pin_uv_auth_param.as_ref()
     }
+
+    fn hmac_requested(&self) -> bool {
+        false
+    }
 }
 
 impl RequestCtap2 for BioEnrollment {
diff --git a/src/ctap2/commands/credential_management.rs b/src/ctap2/commands/credential_management.rs
index c555c3fb..85404d57 100644
--- a/src/ctap2/commands/credential_management.rs
+++ b/src/ctap2/commands/credential_management.rs
@@ -421,6 +421,10 @@ impl PinUvAuthCommand for CredentialManagement {
     fn get_pin_uv_auth_param(&self) -> Option<&PinUvAuthParam> {
         self.pin_uv_auth_param.as_ref()
     }
+
+    fn hmac_requested(&self) -> bool {
+        false
+    }
 }
 
 #[cfg(test)]
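Review bot: The three hmac_requested bodies added in authenticator_config.rs, bio_enrollment.rs and credential_management.rs are identical `false` stubs, which reads better as a single provided method on the trait in src/ctap2/commands/mod.rs, `fn hmac_requested(&self) -> bool { false }`, overridden only by MakeCredentials and GetAssertion. That keeps the conservative no-secret default in one place instead of restating it per command. The trade-off is that a future command which does carry an hmac-secret extension must remember to override it, whereas the required method makes the omission a compile error; if that explicitness is preferred, keep the required method but document the default expectation on the trait. Each enclosing impl block starts before its hunk.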
diff --git a/src/ctap2/commands/get_assertion.rs b/src/ctap2/commands/get_assertion.rs
index 890febae..f0708543 100644
--- a/src/ctap2/commands/get_assertion.rs
+++ b/src/ctap2/commands/get_assertion.rs
@@ -477,6 +477,10 @@ impl PinUvAuthCommand for GetAssertion {
     fn get_pin_uv_auth_param(&self) -> Option<&PinUvAuthParam> {
         self.pin_uv_auth_param.as_ref()
     }
+
+    fn hmac_requested(&self) -> bool {
+        self.extensions.hmac_secret.is_some()
+    }
 }
 
 impl Serialize for GetAssertion {
diff --git a/src/ctap2/commands/make_credentials.rs b/src/ctap2/commands/make_credentials.rs
index c64d4076..f0a08b33 100644
--- a/src/ctap2/commands/make_credentials.rs
+++ b/src/ctap2/commands/make_credentials.rs
@@ -468,6 +468,14 @@ impl PinUvAuthCommand for MakeCredentials {
     fn get_pin_uv_auth_param(&self) -> Option<&PinUvAuthParam> {
         self.pin_uv_auth_param.as_ref()
     }
+
+    fn hmac_requested(&self) -> bool {
+        !(self.extensions.hmac_secret.is_none()
+            || matches!(
+                self.extensions.hmac_secret,
+                Some(HmacCreateSecretOrPrf::HmacCreateSecret(false))
+            ))
+    }
 }
 
 impl Serialize for MakeCredentials {
diff --git a/src/ctap2/commands/mod.rs b/src/ctap2/commands/mod.rs
index 12990122..26144d21 100644
--- a/src/ctap2/commands/mod.rs
+++ b/src/ctap2/commands/mod.rs
@@ -143,6 +143,7 @@ pub(crate) trait PinUvAuthCommand: RequestCtap2 {
     fn get_pin_uv_auth_param(&self) -> Option<&PinUvAuthParam>;
     fn set_uv_option(&mut self, uv: Option);
     fn get_rp_id(&self) -> Option<&String>;
+    fn hmac_requested(&self) -> bool;
     fn can_skip_user_verification(
         &mut self,
         info: &AuthenticatorInfo,
diff --git a/src/ctap2/mod.rs b/src/ctap2/mod.rs
index 6ec768b4..c51bb745 100644
--- a/src/ctap2/mod.rs
+++ b/src/ctap2/mod.rs
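Review bot: hmac_requested in MakeCredentials is written as a negated disjunction, `!(is_none() || matches!(… HmacCreateSecret(false)))`, which takes a second read to see that it means "any hmac_secret value except None and HmacCreateSecret(false)". A positive match states that directly and needs no negation: `match self.extensions.hmac_secret { None | Some(HmacCreateSecretOrPrf::HmacCreateSecret(false)) => false, Some(_) => true }`. The catch-all arm means a variant added later is treated as requesting the secret, which is the safe direction (an unneeded key agreement rather than a missing one), but a one-line comment saying so would make that intent explicit. The enclosing impl block starts before the hunk.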
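Review bot: The new required method `fn hmac_requested(&self) -> bool;` on PinUvAuthCommand has no doc comment, and its contract is not obvious from the name: judging by the src/ctap2/mod.rs hunk in this patch, its result decides whether get_pin_uv_auth_param establishes a shared secret with the authenticator before the command is sent. A doc comment above it would save every implementor from reading that call site, e.g. `/// Whether this command carries an hmac-secret extension that needs a shared secret with the authenticator; when false, the key agreement is skipped.` The trait definition continues outside the hunk.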
@@ -288,9 +288,9 @@ fn get_pin_uv_auth_param(
     // If the device supports internal user-verification (e.g. fingerprints),
     // skip PIN-stuff
-    // We may need the shared secret for HMAC-extension, so we
+    // We need the shared secret for HMAC-extension, if it was requested, so we
     // have to establish one
-    if info.supports_hmac_secret() {
+    if cmd.hmac_requested() && info.supports_hmac_secret() {
         let _shared_secret = dev.establish_shared_secret(alive)?;
     }
     // CTAP 2.1, Section 6.1.1, Step 1.1.2.1.2.
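Review bot: The new gate `if cmd.hmac_requested() && info.supports_hmac_secret()` has no test pinning it, and the case most likely to regress is MakeCredentials with an explicit HmacCreateSecret(false), where hmac_requested is false and the secret is now not established even though the extension field is Some. A unit test per overriding command asserting hmac_requested() for None, HmacCreateSecret(false) and HmacCreateSecret(true) would lock that in. The result of establish_shared_secret is bound to `_shared_secret` and discarded, so presumably the device caches it for the later extension encryption; a short comment stating that would explain why the call is worth making when nothing here uses the value. The enclosing get_pin_uv_auth_param function starts and ends outside the hunk.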