2 * Copyright (c) 2018-2022 Yubico AB. All rights reserved.
3 * Use of this source code is governed by a BSD-style
4 * license that can be found in the LICENSE file.
5 * SPDX-License-Identifier: BSD-2-Clause
8 #include <openssl/sha.h>
9 #include <openssl/x509.h>
12 #include "fido/es256.h"
14 #ifndef FIDO_MAXMSG_CRED
15 #define FIDO_MAXMSG_CRED 4096
19 parse_makecred_reply(const cbor_item_t *key, const cbor_item_t *val, void *arg)
21 fido_cred_t *cred = arg;
23 if (cbor_isa_uint(key) == false ||
24 cbor_int_get_width(key) != CBOR_INT_8) {
25 fido_log_debug("%s: cbor type", __func__);
26 return (0); /* ignore */
29 switch (cbor_get_uint8(key)) {
31 return (cbor_decode_fmt(val, &cred->fmt));
32 case 2: /* authdata */
33 if (fido_blob_decode(val, &cred->authdata_raw) < 0) {
34 fido_log_debug("%s: fido_blob_decode", __func__);
37 return (cbor_decode_cred_authdata(val, cred->type,
38 &cred->authdata_cbor, &cred->authdata, &cred->attcred,
39 &cred->authdata_ext));
40 case 3: /* attestation statement */
41 return (cbor_decode_attstmt(val, &cred->attstmt));
42 case 5: /* large blob key */
43 return (fido_blob_decode(val, &cred->largeblob_key));
45 fido_log_debug("%s: cbor type", __func__);
51 fido_dev_make_cred_tx(fido_dev_t *dev, fido_cred_t *cred, const char *pin,
55 fido_blob_t *ecdh = NULL;
56 fido_opt_t uv = cred->uv;
57 es256_pk_t *pk = NULL;
59 const uint8_t cmd = CTAP_CBOR_MAKECRED;
62 memset(&f, 0, sizeof(f));
63 memset(argv, 0, sizeof(argv));
65 if (cred->cdh.ptr == NULL || cred->type == 0) {
66 fido_log_debug("%s: cdh=%p, type=%d", __func__,
67 (void *)cred->cdh.ptr, cred->type);
68 r = FIDO_ERR_INVALID_ARGUMENT;
72 if ((argv[0] = fido_blob_encode(&cred->cdh)) == NULL ||
73 (argv[1] = cbor_encode_rp_entity(&cred->rp)) == NULL ||
74 (argv[2] = cbor_encode_user_entity(&cred->user)) == NULL ||
75 (argv[3] = cbor_encode_pubkey_param(cred->type)) == NULL) {
76 fido_log_debug("%s: cbor encode", __func__);
77 r = FIDO_ERR_INTERNAL;
81 /* excluded credentials */
83 if ((argv[4] = cbor_encode_pubkey_list(&cred->excl)) == NULL) {
84 fido_log_debug("%s: cbor_encode_pubkey_list", __func__);
85 r = FIDO_ERR_INTERNAL;
91 if ((argv[5] = cbor_encode_cred_ext(&cred->ext,
92 &cred->blob)) == NULL) {
93 fido_log_debug("%s: cbor_encode_cred_ext", __func__);
94 r = FIDO_ERR_INTERNAL;
98 /* user verification */
99 if (pin != NULL || (uv == FIDO_OPT_TRUE &&
100 fido_dev_supports_permissions(dev))) {
101 if ((r = fido_do_ecdh(dev, &pk, &ecdh, ms)) != FIDO_OK) {
102 fido_log_debug("%s: fido_do_ecdh", __func__);
105 if ((r = cbor_add_uv_params(dev, cmd, &cred->cdh, pk, ecdh,
106 pin, cred->rp.id, &argv[7], &argv[8], ms)) != FIDO_OK) {
107 fido_log_debug("%s: cbor_add_uv_params", __func__);
114 if (cred->rk != FIDO_OPT_OMIT || uv != FIDO_OPT_OMIT)
115 if ((argv[6] = cbor_encode_cred_opt(cred->rk, uv)) == NULL) {
116 fido_log_debug("%s: cbor_encode_cred_opt", __func__);
117 r = FIDO_ERR_INTERNAL;
121 /* framing and transmission */
122 if (cbor_build_frame(cmd, argv, nitems(argv), &f) < 0 ||
123 fido_tx(dev, CTAP_CMD_CBOR, f.ptr, f.len, ms) < 0) {
124 fido_log_debug("%s: fido_tx", __func__);
132 fido_blob_free(&ecdh);
133 cbor_vector_free(argv, nitems(argv));
140 fido_dev_make_cred_rx(fido_dev_t *dev, fido_cred_t *cred, int *ms)
142 unsigned char *reply;
146 fido_cred_reset_rx(cred);
148 if ((reply = malloc(FIDO_MAXMSG_CRED)) == NULL) {
149 r = FIDO_ERR_INTERNAL;
153 if ((reply_len = fido_rx(dev, CTAP_CMD_CBOR, reply, FIDO_MAXMSG_CRED,
155 fido_log_debug("%s: fido_rx", __func__);
160 if ((r = cbor_parse_reply(reply, (size_t)reply_len, cred,
161 parse_makecred_reply)) != FIDO_OK) {
162 fido_log_debug("%s: parse_makecred_reply", __func__);
166 if (cred->fmt == NULL || fido_blob_is_empty(&cred->authdata_cbor) ||
167 fido_blob_is_empty(&cred->attcred.id)) {
168 r = FIDO_ERR_INVALID_CBOR;
177 fido_cred_reset_rx(cred);
183 fido_dev_make_cred_wait(fido_dev_t *dev, fido_cred_t *cred, const char *pin,
188 if ((r = fido_dev_make_cred_tx(dev, cred, pin, ms)) != FIDO_OK ||
189 (r = fido_dev_make_cred_rx(dev, cred, ms)) != FIDO_OK)
196 fido_dev_make_cred(fido_dev_t *dev, fido_cred_t *cred, const char *pin)
198 int ms = dev->timeout_ms;
201 if (dev->flags & FIDO_DEV_WINHELLO)
202 return (fido_winhello_make_cred(dev, cred, pin, ms));
204 if (fido_dev_is_fido2(dev) == false) {
205 if (pin != NULL || cred->rk == FIDO_OPT_TRUE ||
207 return (FIDO_ERR_UNSUPPORTED_OPTION);
208 return (u2f_register(dev, cred, &ms));
211 return (fido_dev_make_cred_wait(dev, cred, pin, &ms));
215 check_extensions(const fido_cred_ext_t *authdata_ext,
216 const fido_cred_ext_t *ext)
220 /* XXX: largeBlobKey is not part of the extensions map */
221 memcpy(&tmp, ext, sizeof(tmp));
222 tmp.mask &= ~FIDO_EXT_LARGEBLOB_KEY;
224 return (timingsafe_bcmp(authdata_ext, &tmp, sizeof(*authdata_ext)));
228 fido_check_rp_id(const char *id, const unsigned char *obtained_hash)
230 unsigned char expected_hash[SHA256_DIGEST_LENGTH];
232 explicit_bzero(expected_hash, sizeof(expected_hash));
234 if (SHA256((const unsigned char *)id, strlen(id),
235 expected_hash) != expected_hash) {
236 fido_log_debug("%s: sha256", __func__);
240 return (timingsafe_bcmp(expected_hash, obtained_hash,
241 SHA256_DIGEST_LENGTH));
245 get_signed_hash_u2f(fido_blob_t *dgst, const unsigned char *rp_id,
246 size_t rp_id_len, const fido_blob_t *clientdata, const fido_blob_t *id,
247 const es256_pk_t *pk)
249 const uint8_t zero = 0;
250 const uint8_t four = 4; /* uncompressed point */
251 const EVP_MD *md = NULL;
252 EVP_MD_CTX *ctx = NULL;
255 if (dgst->len < SHA256_DIGEST_LENGTH ||
256 (md = EVP_sha256()) == NULL ||
257 (ctx = EVP_MD_CTX_new()) == NULL ||
258 EVP_DigestInit_ex(ctx, md, NULL) != 1 ||
259 EVP_DigestUpdate(ctx, &zero, sizeof(zero)) != 1 ||
260 EVP_DigestUpdate(ctx, rp_id, rp_id_len) != 1 ||
261 EVP_DigestUpdate(ctx, clientdata->ptr, clientdata->len) != 1 ||
262 EVP_DigestUpdate(ctx, id->ptr, id->len) != 1 ||
263 EVP_DigestUpdate(ctx, &four, sizeof(four)) != 1 ||
264 EVP_DigestUpdate(ctx, pk->x, sizeof(pk->x)) != 1 ||
265 EVP_DigestUpdate(ctx, pk->y, sizeof(pk->y)) != 1 ||
266 EVP_DigestFinal_ex(ctx, dgst->ptr, NULL) != 1) {
267 fido_log_debug("%s: sha256", __func__);
270 dgst->len = SHA256_DIGEST_LENGTH;
274 EVP_MD_CTX_free(ctx);
280 verify_attstmt(const fido_blob_t *dgst, const fido_attstmt_t *attstmt)
284 EVP_PKEY *pkey = NULL;
287 /* openssl needs ints */
288 if (attstmt->x5c.len > INT_MAX) {
289 fido_log_debug("%s: x5c.len=%zu", __func__, attstmt->x5c.len);
293 /* fetch key from x509 */
294 if ((rawcert = BIO_new_mem_buf(attstmt->x5c.ptr,
295 (int)attstmt->x5c.len)) == NULL ||
296 (cert = d2i_X509_bio(rawcert, NULL)) == NULL ||
297 (pkey = X509_get_pubkey(cert)) == NULL) {
298 fido_log_debug("%s: x509 key", __func__);
302 switch (attstmt->alg) {
305 ok = es256_verify_sig(dgst, pkey, &attstmt->sig);
308 ok = es384_verify_sig(dgst, pkey, &attstmt->sig);
311 ok = rs256_verify_sig(dgst, pkey, &attstmt->sig);
314 ok = rs1_verify_sig(dgst, pkey, &attstmt->sig);
317 ok = eddsa_verify_sig(dgst, pkey, &attstmt->sig);
320 fido_log_debug("%s: unknown alg %d", __func__, attstmt->alg);
333 fido_cred_verify(const fido_cred_t *cred)
335 unsigned char buf[1024]; /* XXX */
341 dgst.len = sizeof(buf);
343 /* do we have everything we need? */
344 if (cred->cdh.ptr == NULL || cred->authdata_cbor.ptr == NULL ||
345 cred->attstmt.x5c.ptr == NULL || cred->attstmt.sig.ptr == NULL ||
346 cred->fmt == NULL || cred->attcred.id.ptr == NULL ||
347 cred->rp.id == NULL) {
348 fido_log_debug("%s: cdh=%p, authdata=%p, x5c=%p, sig=%p, "
349 "fmt=%p id=%p, rp.id=%s", __func__, (void *)cred->cdh.ptr,
350 (void *)cred->authdata_cbor.ptr,
351 (void *)cred->attstmt.x5c.ptr,
352 (void *)cred->attstmt.sig.ptr, (void *)cred->fmt,
353 (void *)cred->attcred.id.ptr, cred->rp.id);
354 r = FIDO_ERR_INVALID_ARGUMENT;
358 if (fido_check_rp_id(cred->rp.id, cred->authdata.rp_id_hash) != 0) {
359 fido_log_debug("%s: fido_check_rp_id", __func__);
360 r = FIDO_ERR_INVALID_PARAM;
364 if (fido_check_flags(cred->authdata.flags, FIDO_OPT_TRUE,
366 fido_log_debug("%s: fido_check_flags", __func__);
367 r = FIDO_ERR_INVALID_PARAM;
371 if (check_extensions(&cred->authdata_ext, &cred->ext) != 0) {
372 fido_log_debug("%s: check_extensions", __func__);
373 r = FIDO_ERR_INVALID_PARAM;
377 if ((cose_alg = cred->attstmt.alg) == COSE_UNSPEC)
378 cose_alg = COSE_ES256; /* backwards compat */
380 if (!strcmp(cred->fmt, "packed")) {
381 if (fido_get_signed_hash(cose_alg, &dgst, &cred->cdh,
382 &cred->authdata_cbor) < 0) {
383 fido_log_debug("%s: fido_get_signed_hash", __func__);
384 r = FIDO_ERR_INTERNAL;
387 } else if (!strcmp(cred->fmt, "fido-u2f")) {
388 if (get_signed_hash_u2f(&dgst, cred->authdata.rp_id_hash,
389 sizeof(cred->authdata.rp_id_hash), &cred->cdh,
390 &cred->attcred.id, &cred->attcred.pubkey.es256) < 0) {
391 fido_log_debug("%s: get_signed_hash_u2f", __func__);
392 r = FIDO_ERR_INTERNAL;
395 } else if (!strcmp(cred->fmt, "tpm")) {
396 if (fido_get_signed_hash_tpm(&dgst, &cred->cdh,
397 &cred->authdata_raw, &cred->attstmt, &cred->attcred) < 0) {
398 fido_log_debug("%s: fido_get_signed_hash_tpm", __func__);
399 r = FIDO_ERR_INTERNAL;
403 fido_log_debug("%s: unknown fmt %s", __func__, cred->fmt);
404 r = FIDO_ERR_INVALID_ARGUMENT;
408 if (verify_attstmt(&dgst, &cred->attstmt) < 0) {
409 fido_log_debug("%s: verify_attstmt", __func__);
410 r = FIDO_ERR_INVALID_SIG;
416 explicit_bzero(buf, sizeof(buf));
422 fido_cred_verify_self(const fido_cred_t *cred)
424 unsigned char buf[1024]; /* XXX */
430 dgst.len = sizeof(buf);
432 /* do we have everything we need? */
433 if (cred->cdh.ptr == NULL || cred->authdata_cbor.ptr == NULL ||
434 cred->attstmt.x5c.ptr != NULL || cred->attstmt.sig.ptr == NULL ||
435 cred->fmt == NULL || cred->attcred.id.ptr == NULL ||
436 cred->rp.id == NULL) {
437 fido_log_debug("%s: cdh=%p, authdata=%p, x5c=%p, sig=%p, "
438 "fmt=%p id=%p, rp.id=%s", __func__, (void *)cred->cdh.ptr,
439 (void *)cred->authdata_cbor.ptr,
440 (void *)cred->attstmt.x5c.ptr,
441 (void *)cred->attstmt.sig.ptr, (void *)cred->fmt,
442 (void *)cred->attcred.id.ptr, cred->rp.id);
443 r = FIDO_ERR_INVALID_ARGUMENT;
447 if (fido_check_rp_id(cred->rp.id, cred->authdata.rp_id_hash) != 0) {
448 fido_log_debug("%s: fido_check_rp_id", __func__);
449 r = FIDO_ERR_INVALID_PARAM;
453 if (fido_check_flags(cred->authdata.flags, FIDO_OPT_TRUE,
455 fido_log_debug("%s: fido_check_flags", __func__);
456 r = FIDO_ERR_INVALID_PARAM;
460 if (check_extensions(&cred->authdata_ext, &cred->ext) != 0) {
461 fido_log_debug("%s: check_extensions", __func__);
462 r = FIDO_ERR_INVALID_PARAM;
466 if (!strcmp(cred->fmt, "packed")) {
467 if (fido_get_signed_hash(cred->attcred.type, &dgst, &cred->cdh,
468 &cred->authdata_cbor) < 0) {
469 fido_log_debug("%s: fido_get_signed_hash", __func__);
470 r = FIDO_ERR_INTERNAL;
473 } else if (!strcmp(cred->fmt, "fido-u2f")) {
474 if (get_signed_hash_u2f(&dgst, cred->authdata.rp_id_hash,
475 sizeof(cred->authdata.rp_id_hash), &cred->cdh,
476 &cred->attcred.id, &cred->attcred.pubkey.es256) < 0) {
477 fido_log_debug("%s: get_signed_hash_u2f", __func__);
478 r = FIDO_ERR_INTERNAL;
482 fido_log_debug("%s: unknown fmt %s", __func__, cred->fmt);
483 r = FIDO_ERR_INVALID_ARGUMENT;
487 switch (cred->attcred.type) {
489 ok = es256_pk_verify_sig(&dgst, &cred->attcred.pubkey.es256,
493 ok = es384_pk_verify_sig(&dgst, &cred->attcred.pubkey.es384,
497 ok = rs256_pk_verify_sig(&dgst, &cred->attcred.pubkey.rs256,
501 ok = eddsa_pk_verify_sig(&dgst, &cred->attcred.pubkey.eddsa,
505 fido_log_debug("%s: unsupported cose_alg %d", __func__,
507 r = FIDO_ERR_UNSUPPORTED_OPTION;
512 r = FIDO_ERR_INVALID_SIG;
517 explicit_bzero(buf, sizeof(buf));
525 return (calloc(1, sizeof(fido_cred_t)));
529 fido_cred_clean_authdata(fido_cred_t *cred)
531 fido_blob_reset(&cred->authdata_cbor);
532 fido_blob_reset(&cred->authdata_raw);
533 fido_blob_reset(&cred->attcred.id);
535 memset(&cred->authdata_ext, 0, sizeof(cred->authdata_ext));
536 memset(&cred->authdata, 0, sizeof(cred->authdata));
537 memset(&cred->attcred, 0, sizeof(cred->attcred));
541 fido_cred_clean_attstmt(fido_attstmt_t *attstmt)
543 fido_blob_reset(&attstmt->certinfo);
544 fido_blob_reset(&attstmt->pubarea);
545 fido_blob_reset(&attstmt->cbor);
546 fido_blob_reset(&attstmt->x5c);
547 fido_blob_reset(&attstmt->sig);
549 memset(attstmt, 0, sizeof(*attstmt));
553 fido_cred_reset_tx(fido_cred_t *cred)
555 fido_blob_reset(&cred->cd);
556 fido_blob_reset(&cred->cdh);
557 fido_blob_reset(&cred->user.id);
558 fido_blob_reset(&cred->blob);
562 free(cred->user.icon);
563 free(cred->user.name);
564 free(cred->user.display_name);
565 fido_cred_empty_exclude_list(cred);
567 memset(&cred->rp, 0, sizeof(cred->rp));
568 memset(&cred->user, 0, sizeof(cred->user));
569 memset(&cred->ext, 0, sizeof(cred->ext));
572 cred->rk = FIDO_OPT_OMIT;
573 cred->uv = FIDO_OPT_OMIT;
577 fido_cred_reset_rx(fido_cred_t *cred)
581 fido_cred_clean_authdata(cred);
582 fido_cred_clean_attstmt(&cred->attstmt);
583 fido_blob_reset(&cred->largeblob_key);
587 fido_cred_free(fido_cred_t **cred_p)
591 if (cred_p == NULL || (cred = *cred_p) == NULL)
593 fido_cred_reset_tx(cred);
594 fido_cred_reset_rx(cred);
600 fido_cred_set_authdata(fido_cred_t *cred, const unsigned char *ptr, size_t len)
602 cbor_item_t *item = NULL;
603 struct cbor_load_result cbor;
604 int r = FIDO_ERR_INVALID_ARGUMENT;
606 fido_cred_clean_authdata(cred);
608 if (ptr == NULL || len == 0)
611 if ((item = cbor_load(ptr, len, &cbor)) == NULL) {
612 fido_log_debug("%s: cbor_load", __func__);
616 if (fido_blob_decode(item, &cred->authdata_raw) < 0) {
617 fido_log_debug("%s: fido_blob_decode", __func__);
621 if (cbor_decode_cred_authdata(item, cred->type, &cred->authdata_cbor,
622 &cred->authdata, &cred->attcred, &cred->authdata_ext) < 0) {
623 fido_log_debug("%s: cbor_decode_cred_authdata", __func__);
633 fido_cred_clean_authdata(cred);
639 fido_cred_set_authdata_raw(fido_cred_t *cred, const unsigned char *ptr,
642 cbor_item_t *item = NULL;
643 int r = FIDO_ERR_INVALID_ARGUMENT;
645 fido_cred_clean_authdata(cred);
647 if (ptr == NULL || len == 0)
650 if (fido_blob_set(&cred->authdata_raw, ptr, len) < 0) {
651 fido_log_debug("%s: fido_blob_set", __func__);
652 r = FIDO_ERR_INTERNAL;
656 if ((item = cbor_build_bytestring(ptr, len)) == NULL) {
657 fido_log_debug("%s: cbor_build_bytestring", __func__);
658 r = FIDO_ERR_INTERNAL;
662 if (cbor_decode_cred_authdata(item, cred->type, &cred->authdata_cbor,
663 &cred->authdata, &cred->attcred, &cred->authdata_ext) < 0) {
664 fido_log_debug("%s: cbor_decode_cred_authdata", __func__);
674 fido_cred_clean_authdata(cred);
680 fido_cred_set_id(fido_cred_t *cred, const unsigned char *ptr, size_t len)
682 if (fido_blob_set(&cred->attcred.id, ptr, len) < 0)
683 return (FIDO_ERR_INVALID_ARGUMENT);
689 fido_cred_set_x509(fido_cred_t *cred, const unsigned char *ptr, size_t len)
691 if (fido_blob_set(&cred->attstmt.x5c, ptr, len) < 0)
692 return (FIDO_ERR_INVALID_ARGUMENT);
698 fido_cred_set_sig(fido_cred_t *cred, const unsigned char *ptr, size_t len)
700 if (fido_blob_set(&cred->attstmt.sig, ptr, len) < 0)
701 return (FIDO_ERR_INVALID_ARGUMENT);
707 fido_cred_set_attstmt(fido_cred_t *cred, const unsigned char *ptr, size_t len)
709 cbor_item_t *item = NULL;
710 struct cbor_load_result cbor;
711 int r = FIDO_ERR_INVALID_ARGUMENT;
713 fido_cred_clean_attstmt(&cred->attstmt);
715 if (ptr == NULL || len == 0)
718 if ((item = cbor_load(ptr, len, &cbor)) == NULL) {
719 fido_log_debug("%s: cbor_load", __func__);
723 if (cbor_decode_attstmt(item, &cred->attstmt) < 0) {
724 fido_log_debug("%s: cbor_decode_attstmt", __func__);
734 fido_cred_clean_attstmt(&cred->attstmt);
740 fido_cred_exclude(fido_cred_t *cred, const unsigned char *id_ptr, size_t id_len)
743 fido_blob_t *list_ptr;
745 memset(&id_blob, 0, sizeof(id_blob));
747 if (fido_blob_set(&id_blob, id_ptr, id_len) < 0)
748 return (FIDO_ERR_INVALID_ARGUMENT);
750 if (cred->excl.len == SIZE_MAX) {
752 return (FIDO_ERR_INVALID_ARGUMENT);
755 if ((list_ptr = recallocarray(cred->excl.ptr, cred->excl.len,
756 cred->excl.len + 1, sizeof(fido_blob_t))) == NULL) {
758 return (FIDO_ERR_INTERNAL);
761 list_ptr[cred->excl.len++] = id_blob;
762 cred->excl.ptr = list_ptr;
768 fido_cred_empty_exclude_list(fido_cred_t *cred)
770 fido_free_blob_array(&cred->excl);
771 memset(&cred->excl, 0, sizeof(cred->excl));
777 fido_cred_set_clientdata(fido_cred_t *cred, const unsigned char *data,
780 if (!fido_blob_is_empty(&cred->cdh) ||
781 fido_blob_set(&cred->cd, data, data_len) < 0) {
782 return (FIDO_ERR_INVALID_ARGUMENT);
784 if (fido_sha256(&cred->cdh, data, data_len) < 0) {
785 fido_blob_reset(&cred->cd);
786 return (FIDO_ERR_INTERNAL);
793 fido_cred_set_clientdata_hash(fido_cred_t *cred, const unsigned char *hash,
796 if (!fido_blob_is_empty(&cred->cd) ||
797 fido_blob_set(&cred->cdh, hash, hash_len) < 0)
798 return (FIDO_ERR_INVALID_ARGUMENT);
804 fido_cred_set_rp(fido_cred_t *cred, const char *id, const char *name)
806 fido_rp_t *rp = &cred->rp;
808 if (rp->id != NULL) {
812 if (rp->name != NULL) {
817 if (id != NULL && (rp->id = strdup(id)) == NULL)
819 if (name != NULL && (rp->name = strdup(name)) == NULL)
829 return (FIDO_ERR_INTERNAL);
833 fido_cred_set_user(fido_cred_t *cred, const unsigned char *user_id,
834 size_t user_id_len, const char *name, const char *display_name,
837 fido_user_t *up = &cred->user;
839 if (up->id.ptr != NULL) {
844 if (up->name != NULL) {
848 if (up->display_name != NULL) {
849 free(up->display_name);
850 up->display_name = NULL;
852 if (up->icon != NULL) {
857 if (user_id != NULL && fido_blob_set(&up->id, user_id, user_id_len) < 0)
859 if (name != NULL && (up->name = strdup(name)) == NULL)
861 if (display_name != NULL &&
862 (up->display_name = strdup(display_name)) == NULL)
864 if (icon != NULL && (up->icon = strdup(icon)) == NULL)
871 free(up->display_name);
877 up->display_name = NULL;
880 return (FIDO_ERR_INTERNAL);
884 fido_cred_set_extensions(fido_cred_t *cred, int ext)
889 if ((ext & FIDO_EXT_CRED_MASK) != ext)
890 return (FIDO_ERR_INVALID_ARGUMENT);
891 cred->ext.mask |= ext;
898 fido_cred_set_options(fido_cred_t *cred, bool rk, bool uv)
900 cred->rk = rk ? FIDO_OPT_TRUE : FIDO_OPT_FALSE;
901 cred->uv = uv ? FIDO_OPT_TRUE : FIDO_OPT_FALSE;
907 fido_cred_set_rk(fido_cred_t *cred, fido_opt_t rk)
915 fido_cred_set_uv(fido_cred_t *cred, fido_opt_t uv)
923 fido_cred_set_prot(fido_cred_t *cred, int prot)
926 cred->ext.mask &= ~FIDO_EXT_CRED_PROTECT;
929 if (prot != FIDO_CRED_PROT_UV_OPTIONAL &&
930 prot != FIDO_CRED_PROT_UV_OPTIONAL_WITH_ID &&
931 prot != FIDO_CRED_PROT_UV_REQUIRED)
932 return (FIDO_ERR_INVALID_ARGUMENT);
934 cred->ext.mask |= FIDO_EXT_CRED_PROTECT;
935 cred->ext.prot = prot;
942 fido_cred_set_pin_minlen(fido_cred_t *cred, size_t len)
945 cred->ext.mask &= ~FIDO_EXT_MINPINLEN;
947 cred->ext.mask |= FIDO_EXT_MINPINLEN;
949 cred->ext.minpinlen = len;
955 fido_cred_set_blob(fido_cred_t *cred, const unsigned char *ptr, size_t len)
957 if (ptr == NULL || len == 0)
958 return (FIDO_ERR_INVALID_ARGUMENT);
959 if (fido_blob_set(&cred->blob, ptr, len) < 0)
960 return (FIDO_ERR_INTERNAL);
962 cred->ext.mask |= FIDO_EXT_CRED_BLOB;
968 fido_cred_set_fmt(fido_cred_t *cred, const char *fmt)
974 return (FIDO_ERR_INVALID_ARGUMENT);
976 if (strcmp(fmt, "packed") && strcmp(fmt, "fido-u2f") &&
977 strcmp(fmt, "none") && strcmp(fmt, "tpm"))
978 return (FIDO_ERR_INVALID_ARGUMENT);
980 if ((cred->fmt = strdup(fmt)) == NULL)
981 return (FIDO_ERR_INTERNAL);
987 fido_cred_set_type(fido_cred_t *cred, int cose_alg)
990 return (FIDO_ERR_INVALID_ARGUMENT);
991 if (cose_alg != COSE_ES256 && cose_alg != COSE_ES384 &&
992 cose_alg != COSE_RS256 && cose_alg != COSE_EDDSA)
993 return (FIDO_ERR_INVALID_ARGUMENT);
995 cred->type = cose_alg;
1001 fido_cred_type(const fido_cred_t *cred)
1003 return (cred->type);
1007 fido_cred_flags(const fido_cred_t *cred)
1009 return (cred->authdata.flags);
1013 fido_cred_sigcount(const fido_cred_t *cred)
1015 return (cred->authdata.sigcount);
1018 const unsigned char *
1019 fido_cred_clientdata_hash_ptr(const fido_cred_t *cred)
1021 return (cred->cdh.ptr);
1025 fido_cred_clientdata_hash_len(const fido_cred_t *cred)
1027 return (cred->cdh.len);
1030 const unsigned char *
1031 fido_cred_x5c_ptr(const fido_cred_t *cred)
1033 return (cred->attstmt.x5c.ptr);
1037 fido_cred_x5c_len(const fido_cred_t *cred)
1039 return (cred->attstmt.x5c.len);
1042 const unsigned char *
1043 fido_cred_sig_ptr(const fido_cred_t *cred)
1045 return (cred->attstmt.sig.ptr);
1049 fido_cred_sig_len(const fido_cred_t *cred)
1051 return (cred->attstmt.sig.len);
1054 const unsigned char *
1055 fido_cred_authdata_ptr(const fido_cred_t *cred)
1057 return (cred->authdata_cbor.ptr);
1061 fido_cred_authdata_len(const fido_cred_t *cred)
1063 return (cred->authdata_cbor.len);
1066 const unsigned char *
1067 fido_cred_authdata_raw_ptr(const fido_cred_t *cred)
1069 return (cred->authdata_raw.ptr);
1073 fido_cred_authdata_raw_len(const fido_cred_t *cred)
1075 return (cred->authdata_raw.len);
1078 const unsigned char *
1079 fido_cred_attstmt_ptr(const fido_cred_t *cred)
1081 return (cred->attstmt.cbor.ptr);
1085 fido_cred_attstmt_len(const fido_cred_t *cred)
1087 return (cred->attstmt.cbor.len);
1090 const unsigned char *
1091 fido_cred_pubkey_ptr(const fido_cred_t *cred)
1095 switch (cred->attcred.type) {
1097 ptr = &cred->attcred.pubkey.es256;
1100 ptr = &cred->attcred.pubkey.es384;
1103 ptr = &cred->attcred.pubkey.rs256;
1106 ptr = &cred->attcred.pubkey.eddsa;
1117 fido_cred_pubkey_len(const fido_cred_t *cred)
1121 switch (cred->attcred.type) {
1123 len = sizeof(cred->attcred.pubkey.es256);
1126 len = sizeof(cred->attcred.pubkey.es384);
1129 len = sizeof(cred->attcred.pubkey.rs256);
1132 len = sizeof(cred->attcred.pubkey.eddsa);
1142 const unsigned char *
1143 fido_cred_id_ptr(const fido_cred_t *cred)
1145 return (cred->attcred.id.ptr);
1149 fido_cred_id_len(const fido_cred_t *cred)
1151 return (cred->attcred.id.len);
1154 const unsigned char *
1155 fido_cred_aaguid_ptr(const fido_cred_t *cred)
1157 return (cred->attcred.aaguid);
1161 fido_cred_aaguid_len(const fido_cred_t *cred)
1163 return (sizeof(cred->attcred.aaguid));
1167 fido_cred_prot(const fido_cred_t *cred)
1169 return (cred->ext.prot);
1173 fido_cred_pin_minlen(const fido_cred_t *cred)
1175 return (cred->ext.minpinlen);
1179 fido_cred_fmt(const fido_cred_t *cred)
1185 fido_cred_rp_id(const fido_cred_t *cred)
1187 return (cred->rp.id);
1191 fido_cred_rp_name(const fido_cred_t *cred)
1193 return (cred->rp.name);
1197 fido_cred_user_name(const fido_cred_t *cred)
1199 return (cred->user.name);
1203 fido_cred_display_name(const fido_cred_t *cred)
1205 return (cred->user.display_name);
1208 const unsigned char *
1209 fido_cred_user_id_ptr(const fido_cred_t *cred)
1211 return (cred->user.id.ptr);
1215 fido_cred_user_id_len(const fido_cred_t *cred)
1217 return (cred->user.id.len);
1220 const unsigned char *
1221 fido_cred_largeblob_key_ptr(const fido_cred_t *cred)
1223 return (cred->largeblob_key.ptr);
1227 fido_cred_largeblob_key_len(const fido_cred_t *cred)
1229 return (cred->largeblob_key.len);
projects / FreeBSD / FreeBSD.git / blob