Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cred: support for enterprise attestation #824

Merged
merged 17 commits into from
Nov 6, 2024
Merged

cred: support for enterprise attestation #824

merged 17 commits into from
Nov 6, 2024

Conversation

LDVG
Copy link
Contributor

@LDVG LDVG commented Oct 2, 2024
edited
Loading

In short, the following user visible changes are applied:

  • fido_cred_set_entattest() is added for the client to be able to request enterprise attestation;
  • fido_cred_entattest() is added to query whether the authenticator performed enterprise attestation; and
  • fido2-cred -M -a is added to request enterprise attestation (dito examples/cred).

Internally,

  • fido_dev_make_cred_tx() learned how to encode the enterprise attestation parameter;
  • fido_dev_make_cred_rx() learned how to decode the response; and
  • likewise for the winhello.c equivalents.

Finally, the fuzzer and manual pages are updated accordingly.

Further resources:

LDVG added 11 commits October 2, 2024 10:57
@LDVG
cred: add fido_cred_set_entattest()
1b4bf97 
Can be used to enable enterprise attestation.
@LDVG
man: add fido_cred_set_entattest()
13f0771
@LDVG
cred: add fido_cred_entattest()
74c2d0f 
Returns true if an enterprise attestation was returned for this
credential, false otherwise.
@LDVG
man: add fido_cred_entattest()
fe5f5ec
@LDVG
cred: export fido_cred_{,set_}entattest()
0e3a8f8
@LDVG
fuzz: exercise fido_cred_{,set_}entattest()
b29a9c9 
Use excl_cred's first byte as an input to fido_cred_set_entattest();
like what fido_cred_set_prot() is doing with user_id. This saves adding
additional members to the parameter struct.
@LDVG
winhello: support entattest
26b4115
@LDVG
examples: consistent style; range syntax
00b9b0a
@LDVG
examples: add cred -a toggle
e9f2466 
To request enterprise attestation.
@LDVG
fido2-cred: add -M -a toggle
6c4070a 
To request enterprise attestation.
@LDVG
man: add fido2-cred -M -a
3deb04e
@martelletto
Copy link
Contributor

we seem to be missing MAN_ALIAS bits for the new functions, otherwise LGTM. for my own education, what does fido_cred_entattest() signify? what is the application expected to do with that information?

@LDVG
Copy link
Contributor Author

LDVG commented Oct 7, 2024

we seem to be missing MAN_ALIAS bits for the new functions, otherwise LGTM

Thanks!

for my own education, what does fido_cred_entattest() signify? what is the application expected to do with that information?

Here's my understanding: It is for the to indicate whether the authenticator used EA. The client may, for example, replace the attestation with an empty ("none") attestation statement if the authenticator did not return an EA and instead downgraded to regular attestation, I believe Chrome does this(?). If this boolean was not present in the response, the client would need knowledge of how to parse and discern EA, i.e. what constitutes individually identifiable information.

@martelletto
Copy link
Contributor

understood; thank you. is there wire data we could use for regression tests?

@LDVG
Copy link
Contributor Author

LDVG commented Oct 7, 2024

understood; thank you. is there wire data we could use for regression tests?

We could definitely record some. I'll make sure to do so before marking this PR as ready. Thanks!

LDVG added 5 commits October 16, 2024 07:54
@LDVG
regress: use cmake_parse_arguments()
edff574 
To be able to specify multiple source files to add_regress_test().
@LDVG
regress: move mocked io to its own source file
8862183 
No functional change.
@LDVG
regress: use mock for cred regression tests
d8a1a41
@LDVG
regress: exercise fido_dev_make_cred() parser
acaa691 
This makes use of mocked i/o to ensure that our parsers work correctly.
To do this, new wiredata was recorded and the contents of the response
were extracted so that we can re-use the same expected data throughout
these tests.
@LDVG
regress: test enterprise attestation
d0996a7 
Recorded from a device provisioned with the FIDO alliance test data [0].

[0] https://github.com/fido-alliance/conformance-test-tools-resources/blob/821c7114ae193148d276464a80c98d5535fa5681/docs/FIDO2/Authenticator/README.md
@LDVG LDVG marked this pull request as ready for review October 16, 2024 07:15
@LDVG
Copy link
Contributor Author

LDVG commented Oct 16, 2024
edited
Loading

I've added regression tests where we can assert that we parse the response to fido_dev_make_cred() correctly, this should now mostly be good to go (cc @kongeo).

@LDVG LDVG requested a review from kongeo October 31, 2024 12:02
kongeo
kongeo approved these changes Nov 6, 2024
View reviewed changes
Copy link
Member

@kongeo kongeo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! :)

@LDVG LDVG merged commit fae3b4e into main Nov 6, 2024
74 checks passed
@LDVG LDVG deleted the ea-ci branch November 6, 2024 14:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kongeo kongeo kongeo approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@LDVG @martelletto @kongeo