credman: support non-preview command

If credMgmt option ID is present in the authenticatorGetInfo response, use the authenticatorCredentialManagement (0x0A) command instead of the preview command (0x41).
Yubico · Nov 27, 2023 · 1b55726 · 1b55726
1 parent da07482
commit 1b55726
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 4 deletions.
diff --git a/src/credman.c b/src/credman.c
@@ -111,6 +111,15 @@ credman_prepare_hmac(uint8_t cmd, const void *body, cbor_item_t **param,
 	return (ok);
 }
 
+static uint8_t
+credman_get_cmd(const fido_dev_t *dev)
+{
+	if (dev->flags & FIDO_DEV_CREDMAN)
+		return (CTAP_CBOR_CRED_MGMT);
+
+	return (CTAP_CBOR_CRED_MGMT_PRE);
+}
+
 static int
 credman_tx(fido_dev_t *dev, uint8_t subcmd, const void *param, const char *pin,
     const char *rp_id, fido_opt_t uv, int *ms)
@@ -120,7 +129,7 @@ credman_tx(fido_dev_t *dev, uint8_t subcmd, const void *param, const char *pin,
 	fido_blob_t	 hmac;
 	es256_pk_t	*pk = NULL;
 	cbor_item_t	*argv[4];
-	const uint8_t	 cmd = CTAP_CBOR_CRED_MGMT_PRE;
+	const uint8_t	 cmd = credman_get_cmd(dev);
 	int		 r = FIDO_ERR_INTERNAL;
 
 	memset(&f, 0, sizeof(f));

diff --git a/src/dev.c b/src/dev.c
@@ -46,10 +46,12 @@ fido_dev_set_option_flags(fido_dev_t *dev, const fido_cbor_info_t *info)
 		if (strcmp(ptr[i], "clientPin") == 0) {
 			dev->flags |= val[i] ?
 			    FIDO_DEV_PIN_SET : FIDO_DEV_PIN_UNSET;
-		} else if (strcmp(ptr[i], "credMgmt") == 0 ||
-			   strcmp(ptr[i], "credentialMgmtPreview") == 0) {
+		} else if (strcmp(ptr[i], "credMgmt") == 0) {
 			if (val[i])
 				dev->flags |= FIDO_DEV_CREDMAN;
+		} else if (strcmp(ptr[i], "credentialMgmtPreview") == 0) {
+			if (val[i])
+				dev->flags |= FIDO_DEV_CREDMAN_PRE;
 		} else if (strcmp(ptr[i], "uv") == 0) {
 			dev->flags |= val[i] ?
 			    FIDO_DEV_UV_SET : FIDO_DEV_UV_UNSET;
@@ -538,7 +540,7 @@ fido_dev_supports_cred_prot(const fido_dev_t *dev)
 bool
 fido_dev_supports_credman(const fido_dev_t *dev)
 {
-	return (dev->flags & FIDO_DEV_CREDMAN);
+	return (dev->flags & (FIDO_DEV_CREDMAN|FIDO_DEV_CREDMAN_PRE));
 }
 
 bool

diff --git a/src/extern.h b/src/extern.h
@@ -259,6 +259,7 @@ uint32_t uniform_random(uint32_t);
 #define FIDO_DEV_UV_UNSET	0x080
 #define FIDO_DEV_TOKEN_PERMS	0x100
 #define FIDO_DEV_WINHELLO	0x200
+#define FIDO_DEV_CREDMAN_PRE	0x400
 
 /* miscellanea */
 #define FIDO_DUMMY_CLIENTDATA	""

diff --git a/src/fido/param.h b/src/fido/param.h
@@ -53,6 +53,7 @@
 #define CTAP_CBOR_CLIENT_PIN		0x06
 #define CTAP_CBOR_RESET			0x07
 #define CTAP_CBOR_NEXT_ASSERT		0x08
+#define CTAP_CBOR_CRED_MGMT		0x0a
 #define CTAP_CBOR_LARGEBLOB		0x0c
 #define CTAP_CBOR_CONFIG		0x0d
 #define CTAP_CBOR_BIO_ENROLL_PRE	0x40

diff --git a/src/pin.c b/src/pin.c
@@ -137,6 +137,7 @@ encode_uv_permission(uint8_t cmd)
 	case CTAP_CBOR_MAKECRED:
 		return (cbor_build_uint8(CTAP21_UV_TOKEN_PERM_MAKECRED));
 	case CTAP_CBOR_CRED_MGMT_PRE:
+	case CTAP_CBOR_CRED_MGMT:
 		return (cbor_build_uint8(CTAP21_UV_TOKEN_PERM_CRED_MGMT));
 	case CTAP_CBOR_LARGEBLOB:
 		return (cbor_build_uint8(CTAP21_UV_TOKEN_PERM_LARGEBLOB));