Skip to content

Commit

Permalink
Merge pull request #61 from LedgerHQ/add/getnextassertion
Browse files Browse the repository at this point in the history
getNextAssertion implementation
  • Loading branch information
lpascal-ledger authored Dec 11, 2024
2 parents d3c6a94 + 3df6855 commit a468a22
Show file tree
Hide file tree
Showing 1,242 changed files with 3,781 additions and 3,146 deletions.
64 changes: 21 additions & 43 deletions .github/workflows/build_and_functional_tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,49 +24,27 @@ jobs:
with:
upload_app_binaries_artifact: compiled_app_binaries

ragger_tests:
name: Run ragger tests
strategy:
fail-fast: false
matrix:
include:
- model: nanox

- model: stax

- model: flex

- model: nanosp
args: "--fast"

- model: nanos
args: "--fast"

- model: nanox
args: "--transport HID --fast"

tests:
needs: build_application
name: Ragger tests
uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_ragger_tests.yml@v1
with:
download_app_binaries_artifact: compiled_app_binaries

runs-on: ubuntu-latest

steps:
- name: Clone
uses: actions/checkout@v3

- name: Download app binaries
uses: actions/download-artifact@v4
with:
name: compiled_app_binaries
path: build/

- name: Install APT dependencies
run: sudo apt-get update && sudo apt-get install -y qemu-user-static tesseract-ocr libtesseract-dev

- name: Install tests dependencies
run: |
pip install --extra-index-url https://test.pypi.org/simple/ -r tests/speculos/requirements.txt
tests_nfc:
needs: build_application
name: Ragger NFC tests
uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_ragger_tests.yml@v1
with:
download_app_binaries_artifact: compiled_app_binaries
run_for_devices: '["stax", "flex"]'
test_options: '--transport NFC'

- name: Run test
env:
CTEST_OUTPUT_ON_FAILURE: 1
run: pytest tests/speculos/ --tb=short -v --device ${{ matrix.model }} ${{ matrix.args }}
tests_hid:
needs: build_application
name: Ragger HID tests
uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_ragger_tests.yml@v1
with:
download_app_binaries_artifact: compiled_app_binaries
run_for_devices: '["nanox"]'
test_options: '--transport HID'
4 changes: 2 additions & 2 deletions .github/workflows/lint-workflow.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ jobs:
uses: actions/checkout@v3

- name: Lint C code
run: clang-format --dry-run --Werror include/* src/* src-cbor/*
run: find src/ include/ cbor-src/ -iname "*.c" -or -iname "*.h" | xargs clang-format --dry-run -Werror

job_lint_python:
name: Lint Python code
Expand All @@ -32,4 +32,4 @@ jobs:
sudo apt install -y flake8
- name: Lint Python code
run: cd tests/speculos && flake8
run: cd tests/functional && flake8
2 changes: 1 addition & 1 deletion .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -31,4 +31,4 @@ doc/latex
attestations/data/prod/*/*priv-key.*
attestations/data/prod/*priv-key.*

tests/speculos/snapshots-tmp/
tests/functional/snapshots-tmp/
50 changes: 50 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [1.7.0] - 2024-??-??

### Added

- Resident Keys: `GET_NEXT_ASSERTION` function implemented on Stax and Flex, available only over NFC
- On Stax and Flex, over NFC, `MAKE_CREDENTIAL` and `GET_ASSERTION` functions displays RP and user
information of the current operation.

### Fixed

- UI: Status pages text and titles are now centered


## [1.6.4] - 2024-01-02

### Fixed

- Resident Keys: enabling option was removed, but RKs were activated by default


## [1.6.3] - 2024-01-02

### Fixed

- Resident Keys: disabled for production version


## [1.6.2] - 2024-01-02

### Fixed

- Internal minor fixes and changes

## [1.6.1] - 2023-01-02

### Fixed

- Minor UI improvements


## [1.6.0] - 2024-06-11

- Initial version for CHANGELOG
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -162,7 +162,7 @@ ENABLE_NFC = 1
##############

# Application source files
APP_SOURCE_PATH += src src-cbor
APP_SOURCE_PATH += src cbor-src
SDK_SOURCE_PATH += lib_u2f

ifeq ($(API_LEVEL),)
Expand Down
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
5 changes: 2 additions & 3 deletions include/credential.h
Original file line number Diff line number Diff line change
Expand Up @@ -31,18 +31,17 @@
* This API expose credentials in 3 different forms:
* - credId form (bytes):
* This is the form that is exchanged with the platform.
* It structure is:
* Its structure is:
* +---------+----------+------------------------------+
* | VERSION | AES Tag | AES-SIV encrypted credential |
* | | |------------------------------+
* | | | Nonce | encodedCredential |
* +---------+----------+------------------------------+
* | 1 byte | 16 bytes | 16 bytes |encodedLength bytes|
* +---------+----------+------------------------------+
*
* - encodedCredential form (bytes):
* This is a list of byte containing information encoded in CBOR.
* This is a list of bytes containing information encoded in CBOR.
* It always contains:
* - A version
* - A flag (currently only storing if the resident key option is used)
Expand Down
115 changes: 5 additions & 110 deletions include/ctap2.h
Original file line number Diff line number Diff line change
Expand Up @@ -20,16 +20,18 @@
#define __CTAP2_H__

#ifndef UNIT_TESTS
#include "cx.h"
#include <cx.h>
#include <os_io_seproxyhal.h>

#include "u2f_service.h"
#include "u2f_transport.h"
#include <u2f_service.h>
#include <u2f_transport.h>
#else
#include "unit_test.h"
#endif

#include "cbip_decode.h"
#include "extension_hmac_secret.h"
#include "ctap2_utils.h"

#define RP_ID_HASH_SIZE CX_SHA256_SIZE
#define CRED_RANDOM_SIZE 32
Expand Down Expand Up @@ -87,102 +89,8 @@

#define FLAG_EXTENSION_HMAC_SECRET 0x01

// Helper to detect if CTAP2_CBOR_CMD command is proxyied over U2F_CMD
// - CTAP2 calls that are CTAP2_CMD_CBOR commands:
// There is a direct call from lib_stusb_impl/u2f_impl.c:u2f_message_complete()
// to ctap2_handle_cmd_cbor(), hence G_io_app.apdu_state = APDU_IDLE
// - CTAP2 calls that are encapsulated on an APDU over U2F_CMD_MSG command
// This calls goes through:
// - lib_stusb_impl/u2f_impl.c:u2f_message_complete()
// - lib_stusb_impl/u2f_impl.c:u2f_handle_cmd_msg()
// - ....
// - src/main.c:sample_main()
// - src/u2f_processing.c:handleApdu()
// In this case G_io_app.apdu_state is set to APDU_U2F in
// lib_stusb_impl/u2f_impl.c:u2f_handle_cmd_msg()
#define CMD_IS_OVER_U2F_CMD (G_io_app.apdu_state != APDU_IDLE)
#define CMD_IS_OVER_CTAP2_CBOR_CMD (G_io_app.apdu_state == APDU_IDLE)

#define CMD_IS_OVER_U2F_USB (G_io_u2f.media == U2F_MEDIA_USB)

#ifdef HAVE_NFC
#define CMD_IS_OVER_U2F_NFC (G_io_app.apdu_media == IO_APDU_MEDIA_NFC)
void nfc_idle_work2(void);
#else
#define CMD_IS_OVER_U2F_NFC false
#endif

extern const uint8_t AAGUID[16];

typedef struct ctap2_register_data_s {
uint8_t rpIdHash[CX_SHA256_SIZE];
uint8_t *buffer; // pointer to the CBOR message in the APDU buffer
char *rpId;
uint32_t rpIdLen;
uint8_t *clientDataHash;
uint8_t *userId;
uint32_t userIdLen;
char *userStr;
uint32_t userStrLen;
int coseAlgorithm; // algorithm chosen following the request message
uint8_t pinRequired; // set if uv is set
uint8_t pinPresented; // set if the PIN request was acknowledged by the user
uint8_t
clientPinAuthenticated; // set if a standard FIDO client PIN authentication was performed
uint8_t residentKey; // set if the credential shall be created as a resident key
uint8_t extensions; // extensions flags as a bitmask
} ctap2_register_data_t;

typedef union ctap2_assert_multiple_flow_data_s {
struct {
cbipItem_t credentialItem;
uint32_t currentCredential;
} allowList;
struct {
uint16_t minAge;
} rk;
} ctap2_assert_multiple_flow_data_t;

typedef struct ctap2_assert_data_s {
uint8_t rpIdHash[CX_SHA256_SIZE];
uint8_t *buffer; // pointer to the CBOR message in the APDU buffer
char *rpId;
uint32_t rpIdLen;
uint8_t *clientDataHash;
uint8_t *credId;
uint32_t credIdLen;
uint8_t *nonce;
uint8_t *credential;
uint32_t credentialLen;
uint8_t pinRequired; // set if uv is set
uint8_t pinPresented; // set if the PIN request was acknowledged by the user
uint8_t
clientPinAuthenticated; // set if a standard FIDO client PIN authentication was performed
uint8_t userPresenceRequired; // set if up is set
uint8_t extensions; // extensions flags as a bitmask

uint8_t allowListPresent;
uint16_t availableCredentials;

// Multiple flow data
uint16_t currentCredentialIndex;
ctap2_assert_multiple_flow_data_t multipleFlowData;
} ctap2_assert_data_t;

typedef enum ctap2_ux_state_e {
CTAP2_UX_STATE_NONE = 0,
CTAP2_UX_STATE_MAKE_CRED,
CTAP2_UX_STATE_GET_ASSERTION,
CTAP2_UX_STATE_MULTIPLE_ASSERTION,
CTAP2_UX_STATE_NO_ASSERTION,
CTAP2_UX_STATE_RESET,
} ctap2_ux_state_t;

bool ctap2_check_rpid_filter(const char *rpId, uint32_t rpIdLen);
void send_cbor_error(u2f_service_t *service, uint8_t error);
void send_cbor_response(u2f_service_t *service, uint32_t length);
void ctap2_send_keepalive_processing(void);

// Correspond to FIDO2.1 spec performBuiltInUv() operation
void performBuiltInUv(void);

Expand All @@ -193,19 +101,6 @@ void ctap2_get_info_handle(u2f_service_t *service, uint8_t *buffer, uint16_t len
void ctap2_client_pin_handle(u2f_service_t *service, uint8_t *buffer, uint16_t length);
void ctap2_reset_handle(u2f_service_t *service, uint8_t *buffer, uint16_t length);

void ctap2_make_credential_ux(void);
void ctap2_make_credential_confirm(void);
void ctap2_make_credential_user_cancel(void);

void ctap2_get_assertion_ux(ctap2_ux_state_t state);
void ctap2_get_assertion_credential_idx(uint16_t idx);
void ctap2_get_assertion_confirm(uint16_t idx);
void ctap2_get_assertion_user_cancel(void);

void ctap2_reset_ux(void);
void ctap2_reset_confirm(void);
void ctap2_reset_cancel(void);

void ctap2_client_pin_reset_ctx(void);

/******************************************/
Expand Down
Loading

0 comments on commit a468a22

Please sign in to comment.