From 4b5388f5869f525ed06dc6fdde148a071d1c3b3f Mon Sep 17 00:00:00 2001
From: Lucas PASCAL
Date: Thu, 31 Oct 2024 11:24:24 +0100
Subject: [PATCH] [add] Display 'Login request signed' only when there is only one (not getNextAssertion scenario)

---
 src/ctap2/get_assertion/get_assertion.c | 6 ++++++
 src/ctap2/get_assertion/get_assertion_utils.c | 8 ++++++--
 src/nfc_io.c | 4 +++-
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/ctap2/get_assertion/get_assertion.c b/src/ctap2/get_assertion/get_assertion.c
index 2db267b7..91311458 100644
--- a/src/ctap2/get_assertion/get_assertion.c
+++ b/src/ctap2/get_assertion/get_assertion.c
@@ -251,6 +251,7 @@ static void nfc_handle_get_assertion() {
 if (ctap2AssertData->allowListPresent) {
 // Allow list -> non-RK credentials.
 // Falling back to previous behavior: login with the first compatible credential
+ g.is_getNextAssertion = false;
 get_assertion_confirm(1);
 } else {
 // No allow list -> RK credentials
@@ -259,6 +260,11 @@ static void nfc_handle_get_assertion() {
 // call getNextAssertion to fetch other possible credentials.
 uint16_t slotIdx;
 ctap2AssertData->availableCredentials = rk_build_RKList_from_rpID(ctap2AssertData->rpIdHash);
+ if (ctap2AssertData->availableCredentials > 1) {
+ // This settings will disable the app_nbgl_status call (nothing displayed on SK)
+ // Else, this would lead the app to respond too slowly, and the client to bug out
+ g.is_getNextAssertion = true;
+ }
 PRINTF("Matching credentials: %d\n", ctap2AssertData->availableCredentials);
 rk_next_credential_from_RKList(&slotIdx, &ctap2AssertData->nonce,
diff --git a/src/ctap2/get_assertion/get_assertion_utils.c b/src/ctap2/get_assertion/get_assertion_utils.c
index 7bd6171d..39e4464e 100644
--- a/src/ctap2/get_assertion/get_assertion_utils.c
+++ b/src/ctap2/get_assertion/get_assertion_utils.c
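Review bot: The added `g.is_getNextAssertion = false;` only runs in the allow-list branch, while the RK branch in the next hunk (`@@ -259,6 +260,11 @@`) only ever assigns `true` when `availableCredentials > 1`, so a login against a single RK credential keeps whatever value the previous request left in the global; a stale `true` would suppress the status screen in nfc_io_send_prepared_response and, through build_and_encode_getAssertion_response, also drop the user name/displayName from that response. Deriving the flag from the count removes the gap: replace the added `if` block with `g.is_getNextAssertion = (ctap2AssertData->availableCredentials > 1);`. The two added comment lines would also read better as a statement of the reason, e.g. `// Several RK credentials: the client will call getNextAssertion, so skip the status screen (it would delay the response past the client's timeout)`. This handler is the NFC one, so whether other transports reset the flag cannot be seen here; nfc_handle_get_assertion continues past both hunks, and the second hunk's last context line appears cut off in this excerpt.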
@@ -382,21 +382,25 @@ static int build_and_encode_getAssertion_response(uint8_t *buffer,
 }
 // If RK: encoding credential info
 if (credData->residentKey) {
+ const bool encode_username = (g.is_getNextAssertion && credData->userStr != NULL);
 cbip_add_int(&encoder, TAG_RESP_USER);
- cbip_add_map_header(&encoder, credData->userStr == NULL ? 1 : 3);
+ cbip_add_map_header(&encoder, encode_username ? 3 : 1);
 cbip_add_string(&encoder, KEY_USER_ID, sizeof(KEY_USER_ID) - 1);
 // credData->userId can still be used even after ctap2_rewrap_credential as
 // the credential is resident, and therefore userId is pointing to an area in nvm and
 // not in ctap2AssertData->credId
 cbip_add_byte_string(&encoder, credData->userId, credData->userIdLen);
- if (credData->userStr != NULL) {
+ if (encode_username) {
 cbip_add_string(&encoder, KEY_USER_NAME, sizeof(KEY_USER_NAME) - 1);
 cbip_add_string(&encoder, credData->userStr, credData->userStrLen);
 cbip_add_string(&encoder, KEY_USER_DISPLAYNAME, sizeof(KEY_USER_DISPLAYNAME) - 1);
 cbip_add_string(&encoder, credData->userStr, credData->userStrLen);
 }
+ // While we're at it, copying user name on display buffer
+ ctap2_display_copy_username(credData->userStr, credData->userStrLen);
+ PRINTF("Adding user to response %.*H\n", credData->userIdLen, credData->userId);
 }
diff --git a/src/nfc_io.c b/src/nfc_io.c
index 5da421f2..3d71f67c 100644
--- a/src/nfc_io.c
+++ b/src/nfc_io.c
@@ -85,7 +85,9 @@ int nfc_io_send_prepared_response(bool display_infos) {
 if (display_infos) {
 ctap2_copy_info_on_buffers();
 }
- app_nbgl_status(nfc_status, true, ui_idle);
+ if (!g.is_getNextAssertion) {
+ app_nbgl_status(nfc_status, true, ui_idle);
+ }
 }
 return ret;
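Review bot: `ctap2_display_copy_username(credData->userStr, credData->userStrLen)` is now called unconditionally, including when `credData->userStr` is NULL, which is exactly the case the removed `!= NULL` guard excluded and that `encode_username` still folds in; unless that helper is known to accept a NULL pointer, keep the call behind the check: `if (credData->userStr != NULL) { ctap2_display_copy_username(credData->userStr, credData->userStrLen); }`. The name and displayName are now emitted only in the multi-credential (`g.is_getNextAssertion`) case, which appears to be the CTAP2 rule of returning just the user id for a single account, so a one-line comment on the `encode_username` declaration naming that rule would make the dependence on a global flag less surprising, e.g. `// Single RK credential: respond with the user id only; name/displayName are sent when the client iterates with getNextAssertion`. The username is still copied to the display buffer regardless of `encode_username`, so the decision whether a status screen is shown is presumably made by the caller on the same flag; a comment saying so on the copy would help. build_and_encode_getAssertion_response starts before this hunk.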