Merge branch 'development' into eddsa

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2023-08-22 13:27:35 +02:00
parent 3adb1a8422 539420b996
commit a019b54d69
5 changed files with 95 additions and 52 deletions
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -25,7 +25,7 @@ from fido2.attestation import FidoU2FAttestation
 from fido2.ctap2.pin import ClientPin
 from fido2.server import Fido2Server
 from fido2.ctap import CtapError
-from fido2.webauthn import CollectedClientData, AttestedCredentialData
+from fido2.webauthn import CollectedClientData, PublicKeyCredentialParameters, PublicKeyCredentialType
 from utils import *
 from fido2.cose import ES256
 import sys
@@ -116,6 +116,10 @@ class Device():
        self.__rp = rp
        self.__attestation = attestation
        self.__server = Fido2Server(self.__rp, attestation=self.__attestation)
+        self.__server.allowed_algorithms = [
+            PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, p['alg'])
+            for p in self.__client._backend.info.algorithms
+        ]

    def client(self):
        return self.__client
--- a/tests/pico-fido/test_020_register.py
+++ b/tests/pico-fido/test_020_register.py
@@ -20,6 +20,7 @@

 from fido2.client import CtapError
 from fido2.cose import ES256, ES384, ES512, EdDSA
+from utils import ES256K
 import pytest


@@ -121,7 +122,7 @@ def test_bad_type_pubKeyCredParams(device):
        device.doMC(key_params=["wrong"])

@pytest.mark.parametrize(
-    "alg", [ES256.ALGORITHM, ES384.ALGORITHM, ES512.ALGORITHM, EdDSA.ALGORITHM]
+    "alg", [ES256.ALGORITHM, ES384.ALGORITHM, ES512.ALGORITHM, ES256K.ALGORITHM, EdDSA.ALGORITHM]
 )
 def test_algorithms(device, info, alg):
    if ({'alg': alg, 'type': 'public-key'} in info.algorithms):
@@ -131,14 +132,14 @@ def test_missing_pubKeyCredParams_type(device):
    with pytest.raises(CtapError) as e:
        device.doMC(key_params=[{"alg": ES256.ALGORITHM}])

-    assert e.value.code == CtapError.ERR.MISSING_PARAMETER
+    assert e.value.code == CtapError.ERR.INVALID_CBOR

 def test_missing_pubKeyCredParams_alg(device):
    with pytest.raises(CtapError) as e:
        device.doMC(key_params=[{"type": "public-key"}])

    assert e.value.code in [
-        CtapError.ERR.MISSING_PARAMETER,
+        CtapError.ERR.INVALID_CBOR,
        CtapError.ERR.UNSUPPORTED_ALGORITHM,
    ]

@@ -150,7 +151,7 @@ def test_unsupported_algorithm(device):
    with pytest.raises(CtapError) as e:
        device.doMC(key_params=[{"alg": 1337, "type": "public-key"}])

-    assert e.value.code == CtapError.ERR.UNSUPPORTED_ALGORITHM
+    assert e.value.code == CtapError.ERR.CBOR_UNEXPECTED_TYPE

 def test_exclude_list(resetdevice):
    resetdevice.doMC(exclude_list=[{"id": b"1234", "type": "rot13"}])
--- a/tests/pico-fido/test_021_authenticate.py
+++ b/tests/pico-fido/test_021_authenticate.py
@@ -20,7 +20,7 @@

 from fido2.client import CtapError
 from fido2.cose import ES256, ES384, ES512, EdDSA
-from utils import verify
+from utils import verify, ES256K
 import pytest

 def test_authenticate(device):
@@ -49,7 +49,7 @@ def test_empty_allowList(device):
    assert e.value.code == CtapError.ERR.NO_CREDENTIALS

@pytest.mark.parametrize(
-    "alg", [ES256.ALGORITHM, ES384.ALGORITHM, ES512.ALGORITHM, EdDSA.ALGORITHM]
+    "alg", [ES256.ALGORITHM, ES384.ALGORITHM, ES512.ALGORITHM, ES256K.ALGORITHM, EdDSA.ALGORITHM]
 )
 def test_algorithms(device, info, alg):
    if ({'alg': alg, 'type': 'public-key'} in info.algorithms):
--- a/tests/utils.py
+++ b/tests/utils.py
@@ -19,6 +19,11 @@


 from fido2.webauthn import AttestedCredentialData
+from fido2.cose import CoseKey
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric import ec
+from fido2.utils import bytes2int, int2bytes
+from cryptography.hazmat.backends import default_backend
 import random
 import string
 import secrets
@@ -175,3 +180,29 @@ class Timeout(object):
        if self.timer:
            self.timer.cancel()
            self.timer.join()
+
+class ES256K(CoseKey):
+    ALGORITHM = -47
+    _HASH_ALG = hashes.SHA256()
+
+    def verify(self, message, signature):
+        if self[-1] != 8:
+            raise ValueError("Unsupported elliptic curve")
+        ec.EllipticCurvePublicNumbers(
+            bytes2int(self[-2]), bytes2int(self[-3]), ec.SECP256K1()
+        ).public_key(default_backend()).verify(
+            signature, message, ec.ECDSA(self._HASH_ALG)
+        )
+
+    @classmethod
+    def from_cryptography_key(cls, public_key):
+        pn = public_key.public_numbers()
+        return cls(
+            {
+                1: 2,
+                3: cls.ALGORITHM,
+                -1: 8,
+                -2: int2bytes(pn.x, 32),
+                -3: int2bytes(pn.y, 32),
+            }
+        )