From c938d47bf7500670d5ab03467dce1252e99f1f0f Mon Sep 17 00:00:00 2001
From: Pol Henarejos <pol.henarejos@cttc.es>
Date: Tue, 20 Sep 2022 23:59:52 +0200
Subject: [PATCH] Adding extensions struct.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
---
 src/fido/credential.c | 30 ++++++++++++++++++++++++++----
 src/fido/credential.h | 18 +++++++++++++++---
 2 files changed, 41 insertions(+), 7 deletions(-)

diff --git a/src/fido/credential.c b/src/fido/credential.c
index 7e3d002..9b8ef6a 100644
--- a/src/fido/credential.c
+++ b/src/fido/credential.c
@@ -38,8 +38,8 @@ int credential_verify(uint8_t *cred_id, size_t cred_id_len, const uint8_t *rp_id
     return mbedtls_chachapoly_auth_decrypt(&chatx, cred_id_len - (4 + 12 + 16), iv, rp_id_hash, 32, tag, cipher, cipher);
 }
 
-int credential_create(CborCharString *rpId, CborByteString *userId, CborCharString *userName, CborCharString *userDisplayName, const bool *hmac_secret, bool use_sign_count, int alg, int curve, uint8_t *cred_id, size_t *cred_id_len) {
-    CborEncoder encoder, mapEncoder;
+int credential_create(CborCharString *rpId, CborByteString *userId, CborCharString *userName, CborCharString *userDisplayName, CredExtensions *extensions, bool use_sign_count, int alg, int curve, uint8_t *cred_id, size_t *cred_id_len) {
+    CborEncoder encoder, mapEncoder, mapEncoder2;
     CborError error = CborNoError;
     uint8_t rp_id_hash[32];
     mbedtls_sha256((uint8_t *)rpId->data, rpId->len, rp_id_hash, 0);
@@ -52,7 +52,19 @@ int credential_create(CborCharString *rpId, CborByteString *userId, CborCharStri
     CBOR_APPEND_KEY_UINT_VAL_STRING(mapEncoder, 0x04, *userName);
     CBOR_APPEND_KEY_UINT_VAL_STRING(mapEncoder, 0x05, *userDisplayName);
     CBOR_APPEND_KEY_UINT_VAL_UINT(mapEncoder, 0x06, board_millis());
-    CBOR_APPEND_KEY_UINT_VAL_PBOOL(mapEncoder, 0x07, hmac_secret);
+    if (extensions->present == true) {
+        CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x07));
+        CBOR_CHECK(cbor_encoder_create_map(&mapEncoder, &mapEncoder2,  CborIndefiniteLength));
+        if (extensions->credProtect != 0) {
+            CBOR_CHECK(cbor_encode_text_stringz(&mapEncoder2, "credProtect"));
+            CBOR_CHECK(cbor_encode_uint(&mapEncoder2, extensions->credProtect));
+        }
+        if (extensions->hmac_secret != NULL) {
+            CBOR_CHECK(cbor_encode_text_stringz(&mapEncoder2, "hmac-secret"));
+            CBOR_CHECK(cbor_encode_boolean(&mapEncoder, *extensions->hmac_secret));
+        }
+        CBOR_CHECK(cbor_encoder_close_container(&mapEncoder, &mapEncoder2));
+    }
     CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x08));
     CBOR_CHECK(cbor_encode_boolean(&mapEncoder, use_sign_count));
     if (alg != FIDO2_ALG_ES256 || curve != FIDO2_CURVE_P256) {
@@ -110,7 +122,15 @@ int credential_load(const uint8_t *cred_id, size_t cred_id_len, const uint8_t *r
             CBOR_FIELD_GET_UINT(cred->creation, 1);
         }
         else if (val_u == 0x07) {
-            CBOR_FIELD_GET_BOOL(cred->hmac_secret, 1);
+            cred->extensions.present = true;
+            CBOR_PARSE_MAP_START(_f1, 2)
+            {
+                CBOR_FIELD_GET_KEY_TEXT(2);
+                CBOR_FIELD_KEY_TEXT_VAL_BOOL(2, "hmac-secret", cred->extensions.hmac_secret);
+                CBOR_FIELD_KEY_TEXT_VAL_UINT(2, "credProtect", cred->extensions.credProtect);
+                CBOR_ADVANCE(2);
+            }
+            CBOR_PARSE_MAP_END(_f1, 2);
         }
         else if (val_u == 0x08) {
             CBOR_FIELD_GET_BOOL(cred->use_sign_count, 1);
@@ -140,6 +160,8 @@ int credential_load(const uint8_t *cred_id, size_t cred_id_len, const uint8_t *r
 void credential_free(Credential *cred) {
     CBOR_FREE_BYTE_STRING(cred->rpId);
     CBOR_FREE_BYTE_STRING(cred->userId);
+    cred->present = false;
+    cred->extensions.present = false;
 }
 
 int credential_store(const uint8_t *cred_id, size_t cred_id_len, const uint8_t *rp_id_hash) {
diff --git a/src/fido/credential.h b/src/fido/credential.h
index 02e81f4..8ac53ed 100644
--- a/src/fido/credential.h
+++ b/src/fido/credential.h
@@ -27,20 +27,32 @@ typedef struct CredOptions {
     bool present;
 } CredOptions;
 
-typedef struct Credential {
+typedef struct CredExtensions {
+    const bool *hmac_secret;
+    uint64_t credProtect;
+    bool present;
+} CredExtensions;
+
+typedef struct Credential
+{
     CborCharString rpId;
     CborByteString userId;
     uint64_t creation;
-    const bool *hmac_secret;
+    CredExtensions extensions;
     const bool *use_sign_count;
     int64_t alg;
     int64_t curve;
     bool present;
 } Credential;
 
+#define CRED_PROT_UV_OPTIONAL               0x01
+#define CRED_PROT_UV_OPTIONAL_WITH_LIST     0x02
+#define CRED_PROT_UV_REQUIRED               0x03
+
 extern int credential_verify(uint8_t *cred_id, size_t cred_id_len, const uint8_t *rp_id_hash);
-extern int credential_create(CborCharString *rpId, CborByteString *userId, CborCharString *userName, CborCharString *userDisplayName, const bool *hmac_secret, bool use_sign_count, int alg, int curve, uint8_t *cred_id, size_t *cred_id_len);
+extern int credential_create(CborCharString *rpId, CborByteString *userId, CborCharString *userName, CborCharString *userDisplayName, CredExtensions *extensions, bool use_sign_count, int alg, int curve, uint8_t *cred_id, size_t *cred_id_len);
 extern void credential_free(Credential *cred);
 extern int credential_store(const uint8_t *cred_id, size_t cred_id_len, const uint8_t *rp_id_hash);
+extern int credential_load(const uint8_t *cred_id, size_t cred_id_len, const uint8_t *rp_id_hash, Credential *cred);
 
 #endif // _CREDENTIAL_H_