Fix handling of residentKey "preferred"

Yubico · Nov 18, 2024 · 7dfaffb · 7dfaffb
1 parent 2deef9b
commit 7dfaffb
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/fido2/client.py b/fido2/client.py
@@ -45,6 +45,7 @@
     AuthenticatorAttestationResponse,
     AuthenticatorAssertionResponse,
     AttestationConveyancePreference,
+    ResidentKeyRequirement,
     _as_cbor,
 )
 from .cose import ES256
@@ -631,7 +632,6 @@ def do_make_credential(
         exclude_list = options.exclude_credentials
         extensions = options.extensions
         selection = options.authenticator_selection or AuthenticatorSelectionCriteria()
-        rk = selection.require_resident_key
         user_verification = selection.user_verification
 
         on_keepalive = _user_keepalive(self.user_interaction)
@@ -693,6 +693,18 @@ def _do_make():
             except ValueError as e:
                 raise ClientError.ERR.CONFIGURATION_UNSUPPORTED(e)
 
+            can_rk = self.info.options.get("rk", False)
+            if selection.resident_key == ResidentKeyRequirement.REQUIRED:
+                if not can_rk:
+                    raise ClientError.ERR.CONFIGURATION_UNSUPPORTED(
+                        "Resident key not supported"
+                    )
+                rk = True
+            elif selection.resident_key == ResidentKeyRequirement.PREFERRED:
+                rk = can_rk
+            else:
+                rk = False
+
             if not (rk or internal_uv):
                 options = None
             else: