diff --git a/src/ctap2/get_assertion/get_assertion.c b/src/ctap2/get_assertion/get_assertion.c index d01edd96..b3cc7fbc 100644 --- a/src/ctap2/get_assertion/get_assertion.c +++ b/src/ctap2/get_assertion/get_assertion.c @@ -344,18 +344,25 @@ void ctap2_get_assertion_handle(u2f_service_t *service, uint8_t *buffer, uint16_ goto exit; } + ctap2_copy_info_on_buffers(); + + /* if (true) { */ + /* nfc_handle_get_assertion(); */ + + /* } else */ + if (CMD_IS_OVER_U2F_NFC) { // No up nor uv requested, skip UX and reply immediately - ctap2_copy_info_on_buffers(); - nfc_handle_get_assertion(); - } else if (!ctap2AssertData->userPresenceRequired && !ctap2AssertData->pinRequired) { // No up nor uv required, skip UX and reply immediately get_assertion_confirm(1); } else { // Look for a potential rk entry if no allow list was provided if (!ctap2AssertData->allowListPresent) { + // This value will be set to 1 further into the code, because in this case (non-NFC, + // non-RK), credential is chosen authenticator-side, *not* client-side (through + // getNextAssertion). ctap2AssertData->availableCredentials = rk_build_RKList_from_rpID(ctap2AssertData->rpIdHash); if (ctap2AssertData->availableCredentials == 1) { diff --git a/src/ctap2/get_assertion/get_assertion_ui.c b/src/ctap2/get_assertion/get_assertion_ui.c index 6994bedf..c88a09ff 100644 --- a/src/ctap2/get_assertion/get_assertion_ui.c +++ b/src/ctap2/get_assertion/get_assertion_ui.c @@ -65,6 +65,10 @@ static void ctap_ux_on_user_choice(bool confirm, uint16_t idx) { ctap2UxState = CTAP2_UX_STATE_NONE; if (confirm) { + // As the choice is made authenticator-side, according to the spec SK should display 1 and + // only 1 matching credential. This will prevent the client to call getNextAssertion to + // discover more credentials. + globals_get_ctap2_assert_data()->availableCredentials = 1; get_assertion_confirm(idx); #ifdef HAVE_NBGL app_nbgl_status("Login request signed", true, ui_idle); diff --git a/tests/functional/conftest.py b/tests/functional/conftest.py index df8c5de3..ad5de6cc 100644 --- a/tests/functional/conftest.py +++ b/tests/functional/conftest.py @@ -35,7 +35,7 @@ def pytest_addoption(parser): - parser.addoption("--transport", default="U2F") + parser.addoption("--transport", default="U2F", choices=("U2F", "HID")) parser.addoption("--fast", action="store_true") parser.addoption("--ctap2_u2f_proxy", action="store_true") diff --git a/tests/functional/ctap2/test_get_assertion.py b/tests/functional/ctap2/test_get_assertion.py index d7091635..630c8d48 100644 --- a/tests/functional/ctap2/test_get_assertion.py +++ b/tests/functional/ctap2/test_get_assertion.py @@ -10,7 +10,7 @@ from utils import generate_make_credentials_params, fido_known_app -def test_get_assertion(client, test_name): +def test_get_assertion_ok(client, test_name): compare_args = (TESTS_SPECULOS_DIR, test_name) # This test use the fact that after a reboot of the device # the ctap2WrappingKey should stay the same. @@ -124,7 +124,7 @@ def test_get_assertion_user_refused(client, test_name): def test_get_assertion_no_credentials(client, test_name): compare_args = (TESTS_SPECULOS_DIR, test_name) args = generate_make_credentials_params(client, ref=0) - + rp = args.rp # Try without allow_list with pytest.raises(CtapError) as e: client.ctap2.get_assertion(args.rp["id"], args.client_data_hash, @@ -137,7 +137,7 @@ def test_get_assertion_no_credentials(client, test_name): args = generate_make_credentials_params(client) allow_list = [{"id": generate_random_bytes(32), "type": "public-key"}] with pytest.raises(CtapError) as e: - client.ctap2.get_assertion(args.rp["id"], args.client_data_hash, + client.ctap2.get_assertion(rp["id"], args.client_data_hash, allow_list, login_type="none", check_screens="full", @@ -222,13 +222,12 @@ def test_get_assertion_allow_list_ok(client, test_name): users_credential_data = [] # Register a first user with a random RP - t = generate_get_assertion_params(client, rp=rp) + t = generate_get_assertion_params(client) allow_list.append({"id": t.credential_data.credential_id, "type": "public-key"}) # Register 3 users for a known RP for idx in range(1, 4): - local_args = generate_make_credentials_params(client, ref=idx) - local_args.rp = t.args.rp + local_args = generate_make_credentials_params(client, ref=idx, rp=rp) attestation = client.ctap2.make_credential(local_args) credential_data = AttestedCredentialData(attestation.auth_data.credential_data) allow_list.append({"id": credential_data.credential_id, "type": "public-key"}) @@ -241,7 +240,7 @@ def test_get_assertion_allow_list_ok(client, test_name): # Generate get assertion request checking presented users client_data_hash = generate_random_bytes(32) - assertion = client.ctap2.get_assertion(t.args.rp["id"], client_data_hash, allow_list, + assertion = client.ctap2.get_assertion(rp["id"], client_data_hash, allow_list, login_type="multi", user_accept=True, check_users=registered_users, @@ -250,14 +249,14 @@ def test_get_assertion_allow_list_ok(client, test_name): select_user_idx=3) credential_data = users_credential_data[2] - assertion.verify(client_data_hash, t.credential_data.public_key) + assertion.verify(client_data_hash, credential_data.public_key) with pytest.raises(InvalidSignature): credential_data = users_credential_data[1] - assertion.verify(client_data_hash, t.credential_data.public_key) + assertion.verify(client_data_hash, credential_data.public_key) assert len(assertion.auth_data) == 37 - assert sha256(t.args.rp["id"].encode()) == assertion.auth_data.rp_id_hash + assert sha256(rp["id"].encode()) == assertion.auth_data.rp_id_hash assert assertion.auth_data.flags == AuthenticatorData.FLAG.USER_PRESENT assert assertion.user is None assert assertion.number_of_credentials is None diff --git a/tests/functional/snapshots/flex/test_get_assertion/00000.png b/tests/functional/snapshots/flex/test_get_assertion_ok/00000.png similarity index 100% rename from tests/functional/snapshots/flex/test_get_assertion/00000.png rename to tests/functional/snapshots/flex/test_get_assertion_ok/00000.png diff --git a/tests/functional/snapshots/nanos/test_get_assertion/00000.png b/tests/functional/snapshots/nanos/test_get_assertion_ok/00000.png similarity index 100% rename from tests/functional/snapshots/nanos/test_get_assertion/00000.png rename to tests/functional/snapshots/nanos/test_get_assertion_ok/00000.png diff --git a/tests/functional/snapshots/nanos/test_get_assertion/00001.png b/tests/functional/snapshots/nanos/test_get_assertion_ok/00001.png similarity index 100% rename from tests/functional/snapshots/nanos/test_get_assertion/00001.png rename to tests/functional/snapshots/nanos/test_get_assertion_ok/00001.png diff --git a/tests/functional/snapshots/nanos/test_get_assertion/00002.png b/tests/functional/snapshots/nanos/test_get_assertion_ok/00002.png similarity index 100% rename from tests/functional/snapshots/nanos/test_get_assertion/00002.png rename to tests/functional/snapshots/nanos/test_get_assertion_ok/00002.png diff --git a/tests/functional/snapshots/nanos/test_get_assertion/00003.png b/tests/functional/snapshots/nanos/test_get_assertion_ok/00003.png similarity index 100% rename from tests/functional/snapshots/nanos/test_get_assertion/00003.png rename to tests/functional/snapshots/nanos/test_get_assertion_ok/00003.png diff --git a/tests/functional/snapshots/nanos/test_get_assertion/00004.png b/tests/functional/snapshots/nanos/test_get_assertion_ok/00004.png similarity index 100% rename from tests/functional/snapshots/nanos/test_get_assertion/00004.png rename to tests/functional/snapshots/nanos/test_get_assertion_ok/00004.png diff --git a/tests/functional/snapshots/nanosp/test_get_assertion/00000.png b/tests/functional/snapshots/nanosp/test_get_assertion_ok/00000.png similarity index 100% rename from tests/functional/snapshots/nanosp/test_get_assertion/00000.png rename to tests/functional/snapshots/nanosp/test_get_assertion_ok/00000.png diff --git a/tests/functional/snapshots/nanosp/test_get_assertion/00001.png b/tests/functional/snapshots/nanosp/test_get_assertion_ok/00001.png similarity index 100% rename from tests/functional/snapshots/nanosp/test_get_assertion/00001.png rename to tests/functional/snapshots/nanosp/test_get_assertion_ok/00001.png diff --git a/tests/functional/snapshots/nanosp/test_get_assertion/00002.png b/tests/functional/snapshots/nanosp/test_get_assertion_ok/00002.png similarity index 100% rename from tests/functional/snapshots/nanosp/test_get_assertion/00002.png rename to tests/functional/snapshots/nanosp/test_get_assertion_ok/00002.png diff --git a/tests/functional/snapshots/nanosp/test_get_assertion/00003.png b/tests/functional/snapshots/nanosp/test_get_assertion_ok/00003.png similarity index 100% rename from tests/functional/snapshots/nanosp/test_get_assertion/00003.png rename to tests/functional/snapshots/nanosp/test_get_assertion_ok/00003.png diff --git a/tests/functional/snapshots/nanox/test_get_assertion/00000.png b/tests/functional/snapshots/nanox/test_get_assertion_ok/00000.png similarity index 100% rename from tests/functional/snapshots/nanox/test_get_assertion/00000.png rename to tests/functional/snapshots/nanox/test_get_assertion_ok/00000.png diff --git a/tests/functional/snapshots/nanox/test_get_assertion/00001.png b/tests/functional/snapshots/nanox/test_get_assertion_ok/00001.png similarity index 100% rename from tests/functional/snapshots/nanox/test_get_assertion/00001.png rename to tests/functional/snapshots/nanox/test_get_assertion_ok/00001.png diff --git a/tests/functional/snapshots/nanox/test_get_assertion/00002.png b/tests/functional/snapshots/nanox/test_get_assertion_ok/00002.png similarity index 100% rename from tests/functional/snapshots/nanox/test_get_assertion/00002.png rename to tests/functional/snapshots/nanox/test_get_assertion_ok/00002.png diff --git a/tests/functional/snapshots/nanox/test_get_assertion/00003.png b/tests/functional/snapshots/nanox/test_get_assertion_ok/00003.png similarity index 100% rename from tests/functional/snapshots/nanox/test_get_assertion/00003.png rename to tests/functional/snapshots/nanox/test_get_assertion_ok/00003.png diff --git a/tests/functional/snapshots/stax/test_get_assertion/00000.png b/tests/functional/snapshots/stax/test_get_assertion_ok/00000.png similarity index 100% rename from tests/functional/snapshots/stax/test_get_assertion/00000.png rename to tests/functional/snapshots/stax/test_get_assertion_ok/00000.png diff --git a/tests/functional/utils.py b/tests/functional/utils.py index 0890cfb9..f1794a83 100644 --- a/tests/functional/utils.py +++ b/tests/functional/utils.py @@ -70,7 +70,7 @@ def generate_random_string(length): def generate_make_credentials_params(client, rp=None, rk: Optional[bool] = None, - uv=None, + uv: Optional[bool] = None, key_params=None, pin: Optional[bytes] = None, pin_uv_param: Optional[bytes] = None,