dearsky/pico-fido
1
0
Fork 0
Code Issues 46 Pull Requests 1 Actions Packages Projects Releases 22 Wiki Activity

Compare commits

base: dearsky:v5.6-eddsa1
Branches Tags
dearsky:main dearsky:development
dearsky:nightly-development dearsky:nightly-main dearsky:v7.4 dearsky:v7.2 dearsky:v7.0-eddsa dearsky:v7.0 dearsky:v6.6 dearsky:v6.4-eddsa1 dearsky:v6.4 dearsky:v6.2 dearsky:v6.0-eddsa1 dearsky:v6.0 dearsky:v5.12-eddsa1 dearsky:v5.12 dearsky:nightly-stable dearsky:v5.10 dearsky:v5.8-eddsa1 dearsky:v5.8 dearsky:v5.6-eddsa1 dearsky:v5.6 dearsky:v5.4 dearsky:v3.0 dearsky:v2.10 dearsky:v2.8 dearsky:v2.6 dearsky:v2.4 dearsky:v2.2 dearsky:v2.0 dearsky:v1.2 dearsky:v1.0
..
compare: dearsky:v5.6
Branches Tags
dearsky:main dearsky:development
dearsky:nightly-development dearsky:nightly-main dearsky:v7.4 dearsky:v7.2 dearsky:v7.0-eddsa dearsky:v7.0 dearsky:v6.6 dearsky:v6.4-eddsa1 dearsky:v6.4 dearsky:v6.2 dearsky:v6.0-eddsa1 dearsky:v6.0 dearsky:v5.12-eddsa1 dearsky:v5.12 dearsky:nightly-stable dearsky:v5.10 dearsky:v5.8-eddsa1 dearsky:v5.8 dearsky:v5.6-eddsa1 dearsky:v5.6 dearsky:v5.4 dearsky:v3.0 dearsky:v2.10 dearsky:v2.8 dearsky:v2.6 dearsky:v2.4 dearsky:v2.2 dearsky:v2.0 dearsky:v1.2 dearsky:v1.0

3 Commits
v5.6-eddsa ... v5.6

Author SHA1 Message Date
Pol Henarejos
900e7f2eb2 Merge branch 'development' 2023-09-18 09:00:39 +02:00
Pol Henarejos
cfcfb941e0 Merge 5.6 changes. 2023-09-17 19:13:43 +02:00
Pol Henarejos
cda97259b3 Create FUNDING.yml 2023-05-17 10:22:35 +02:00
15 changed files with 63 additions and 129 deletions
Expand all files Collapse all files

4
.github/FUNDING.yml vendored Normal file
View File

@@ -0,0 +1,4 @@
# These are supported funding model platforms
github: polhenarejos
custom: ["https://www.paypal.me/polhenarejos"]

4
.github/workflows/codeql.yml vendored
View File

@@ -13,10 +13,10 @@ name: "CodeQL"
on:
push:
branches: [ "main", "development", "eddsa" ]
branches: [ "main", "development" ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ "main", "development", "eddsa" ]
branches: [ "main", "development" ]
schedule:
- cron: '23 5 * * 4'

4
.github/workflows/test.yml vendored
View File

@@ -13,10 +13,10 @@ name: "Emulation and test"
on:
push:
branches: [ "main", "development", "eddsa" ]
branches: [ "main", "development" ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ "main", "development", "eddsa" ]
branches: [ "main", "development" ]
schedule:
- cron: '23 5 * * 4'

4
README.md
View File

@@ -13,8 +13,8 @@ Pico FIDO has implemented the following features:
- User Verification with PIN
- Discoverable credentials
- Credential management
- ECDSA and EDDSA authentication
- Authentication with SECP256R1, SECP384R1, SECP521R1, SECP256K1 and Ed25519 curves
- ECDSA authentication
- Authentication with SECP256R1, SECP384R1, SECP521R1 and SECP256K1 curves.
- App registration and login
- Device selection
- Support for vendor Config

2
build_pico_fido.sh
View File

@@ -1,7 +1,7 @@
#!/bin/bash
VERSION_MAJOR="5"
VERSION_MINOR="6-eddsa1"
VERSION_MINOR="6"
rm -rf release/*
cd build_release

2
pico-hsm-sdk

Submodule pico-hsm-sdk updated: 5ec98c84aa...a36a89cc95

3
src/fido/cbor.c
View File

@@ -199,9 +199,6 @@ CborError COSE_key(mbedtls_ecp_keypair *key, CborEncoder *mapEncoderParent,
else if (key->grp.id == MBEDTLS_ECP_DP_CURVE25519) {
alg = FIDO2_ALG_ECDH_ES_HKDF_256;
}
else if (key->grp.id == MBEDTLS_ECP_DP_ED25519) {
alg = FIDO2_ALG_EDDSA;
}
return COSE_key_params(crv, alg, &key->grp, &key->Q, mapEncoderParent, mapEncoder);
}
CborError COSE_key_shared(mbedtls_ecdh_context *key,

55
src/fido/cbor_get_assertion.c
View File

@@ -406,12 +406,12 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
flags = flagsx;
selcred = &credsx[credentialCounter];
}
mbedtls_ecp_keypair ekey;
mbedtls_ecp_keypair_init(&ekey);
mbedtls_ecdsa_context ekey;
mbedtls_ecdsa_init(&ekey);
int ret = fido_load_key(selcred->curve, selcred->id.data, &ekey);
if (ret != 0) {
if (derive_key(rp_id_hash, false, selcred->id.data, MBEDTLS_ECP_DP_SECP256R1, &ekey) != 0) {
mbedtls_ecp_keypair_free(&ekey);
mbedtls_ecdsa_free(&ekey);
CBOR_ERROR(CTAP1_ERR_OTHER);
}
}
@@ -559,42 +559,21 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
else if (ekey.grp.id == MBEDTLS_ECP_DP_SECP521R1) {
md = mbedtls_md_info_from_type(MBEDTLS_MD_SHA512);
}
else if (ekey.grp.id == MBEDTLS_ECP_DP_ED25519) {
md = NULL;
}
ret = mbedtls_md(md,
aut_data,
aut_data_len + clientDataHash.len,
hash);
size_t olen = 0;
if (md != NULL) {
ret = mbedtls_md(md,
aut_data,
aut_data_len + clientDataHash.len,
hash);
ret = mbedtls_ecdsa_write_signature(&ekey,
mbedtls_md_get_type(md),
hash,
mbedtls_md_get_size(md),
sig,
sizeof(sig),
&olen,
random_gen,
NULL);
}
else {
ret = mbedtls_eddsa_write_signature(&ekey,
aut_data,
aut_data_len + clientDataHash.len,
sig,
sizeof(sig),
&olen,
MBEDTLS_EDDSA_PURE,
NULL,
0,
random_gen,
NULL);
}
if (ret != 0) {
CBOR_ERROR(CTAP2_ERR_PROCESSING);
}
mbedtls_ecp_keypair_free(&ekey);
ret = mbedtls_ecdsa_write_signature(&ekey,
mbedtls_md_get_type(md),
hash,
mbedtls_md_get_size(md),
sig,
sizeof(sig),
&olen,
random_gen,
NULL);
mbedtls_ecdsa_free(&ekey);
uint8_t lfields = 3;
if (selcred->opts.present == true && selcred->opts.rk == ptrue) {

5
src/fido/cbor_get_info.c
View File

@@ -90,14 +90,11 @@ int cbor_get_info() {
CBOR_CHECK(cbor_encode_uint(&mapEncoder, MAX_CRED_ID_LENGTH)); // MAX_CRED_ID_MAX_LENGTH
CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x0A));
CBOR_CHECK(cbor_encoder_create_array(&mapEncoder, &arrayEncoder, 5));
CBOR_CHECK(cbor_encoder_create_array(&mapEncoder, &arrayEncoder, 4));
CBOR_CHECK(COSE_public_key(FIDO2_ALG_ES256, &arrayEncoder, &mapEncoder2));
CBOR_CHECK(COSE_public_key(FIDO2_ALG_EDDSA, &arrayEncoder, &mapEncoder2));
CBOR_CHECK(COSE_public_key(FIDO2_ALG_ES384, &arrayEncoder, &mapEncoder2));
CBOR_CHECK(COSE_public_key(FIDO2_ALG_ES512, &arrayEncoder, &mapEncoder2));
CBOR_CHECK(COSE_public_key(FIDO2_ALG_ES256K, &arrayEncoder, &mapEncoder2));
CBOR_CHECK(cbor_encoder_close_container(&mapEncoder, &arrayEncoder));
CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x0B));

71
src/fido/cbor_make_credential.c
View File

@@ -221,11 +221,6 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
if (curve <= 0) {
curve = FIDO2_CURVE_P256K1;
}
}
else if (pubKeyCredParams[i].alg == FIDO2_ALG_EDDSA) {
if (curve <= 0) {
curve = FIDO2_CURVE_ED25519;
}
}
else if (pubKeyCredParams[i].alg <= FIDO2_ALG_RS256 && pubKeyCredParams[i].alg >= FIDO2_ALG_RS512) {
// pass
@@ -391,16 +386,16 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
ext_len = cbor_encoder_get_buffer_size(&encoder, ext);
flags |= FIDO2_AUT_FLAG_ED;
}
mbedtls_ecp_keypair ekey;
mbedtls_ecp_keypair_init(&ekey);
mbedtls_ecdsa_context ekey;
mbedtls_ecdsa_init(&ekey);
int ret = fido_load_key(curve, cred_id, &ekey);
if (ret != 0) {
mbedtls_ecp_keypair_free(&ekey);
mbedtls_ecdsa_free(&ekey);
CBOR_ERROR(CTAP1_ERR_OTHER);
}
const mbedtls_ecp_curve_info *cinfo = mbedtls_ecp_curve_info_from_grp_id(ekey.grp.id);
if (cinfo == NULL) {
mbedtls_ecp_keypair_free(&ekey);
mbedtls_ecdsa_free(&ekey);
CBOR_ERROR(CTAP1_ERR_OTHER);
}
size_t olen = 0;
@@ -426,7 +421,7 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
memcpy(pa, cbor_buf, rs); pa += rs;
memcpy(pa, ext, ext_len); pa += ext_len;
if (pa - aut_data != aut_data_len) {
mbedtls_ecp_keypair_free(&ekey);
mbedtls_ecdsa_free(&ekey);
CBOR_ERROR(CTAP1_ERR_OTHER);
}
@@ -439,51 +434,29 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
else if (ekey.grp.id == MBEDTLS_ECP_DP_SECP521R1) {
md = mbedtls_md_info_from_type(MBEDTLS_MD_SHA512);
}
else if (ekey.grp.id == MBEDTLS_ECP_DP_ED25519) {
md = NULL;
}
if (md != NULL) {
ret = mbedtls_md(md,
aut_data,
aut_data_len + clientDataHash.len,
hash);
}
ret = mbedtls_md(md,
aut_data,
aut_data_len + clientDataHash.len,
hash);
bool self_attestation = true;
if (enterpriseAttestation == 2 || (ka && ka->use_self_attestation == pfalse)) {
mbedtls_ecp_keypair_free(&ekey);
mbedtls_ecp_keypair_init(&ekey);
mbedtls_ecdsa_free(&ekey);
mbedtls_ecdsa_init(&ekey);
ret = mbedtls_ecp_read_key(MBEDTLS_ECP_DP_SECP256R1, &ekey, file_get_data(ef_keydev), 32);
md = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
self_attestation = false;
}
if (md != NULL) {
ret = mbedtls_ecdsa_write_signature(&ekey,
mbedtls_md_get_type(md),
hash,
mbedtls_md_get_size(md),
sig,
sizeof(sig),
&olen,
random_gen,
NULL);
}
else {
ret = mbedtls_eddsa_write_signature(&ekey,
aut_data,
aut_data_len + clientDataHash.len,
sig,
sizeof(sig),
&olen,
MBEDTLS_EDDSA_PURE,
NULL,
0,
random_gen,
NULL);
}
if (ret != 0) {
CBOR_ERROR(CTAP2_ERR_PROCESSING);
}
mbedtls_ecp_keypair_free(&ekey);
ret = mbedtls_ecdsa_write_signature(&ekey,
mbedtls_md_get_type(md),
hash,
mbedtls_md_get_size(md),
sig,
sizeof(sig),
&olen,
random_gen,
NULL);
mbedtls_ecdsa_free(&ekey);
uint8_t largeBlobKey[32];
if (extensions.largeBlobKey == ptrue && options.rk == ptrue) {

21
src/fido/fido.c
View File

@@ -93,12 +93,6 @@ mbedtls_ecp_group_id fido_curve_to_mbedtls(int curve) {
else if (curve == FIDO2_CURVE_X448) {
return MBEDTLS_ECP_DP_CURVE448;
}
else if (curve == FIDO2_CURVE_ED25519) {
return MBEDTLS_ECP_DP_ED25519;
}
else if (curve == FIDO2_CURVE_ED448) {
return MBEDTLS_ECP_DP_ED448;
}
return MBEDTLS_ECP_DP_NONE;
}
int mbedtls_curve_to_fido(mbedtls_ecp_group_id id) {
@@ -120,16 +114,10 @@ int mbedtls_curve_to_fido(mbedtls_ecp_group_id id) {
else if (id == MBEDTLS_ECP_DP_CURVE448) {
return FIDO2_CURVE_X448;
}
else if (id == MBEDTLS_ECP_DP_ED25519) {
return FIDO2_CURVE_ED25519;
}
else if (id == MBEDTLS_ECP_DP_ED448) {
return FIDO2_CURVE_ED448;
}
return 0;
}
int fido_load_key(int curve, const uint8_t *cred_id, mbedtls_ecp_keypair *key) {
int fido_load_key(int curve, const uint8_t *cred_id, mbedtls_ecdsa_context *key) {
mbedtls_ecp_group_id mbedtls_curve = fido_curve_to_mbedtls(curve);
if (mbedtls_curve == MBEDTLS_ECP_DP_NONE) {
return CTAP2_ERR_UNSUPPORTED_ALGORITHM;
@@ -186,7 +174,7 @@ int load_keydev(uint8_t *key) {
return CCID_OK;
}
int verify_key(const uint8_t *appId, const uint8_t *keyHandle, mbedtls_ecp_keypair *key) {
int verify_key(const uint8_t *appId, const uint8_t *keyHandle, mbedtls_ecdsa_context *key) {
for (int i = 0; i < KEY_PATH_ENTRIES; i++) {
uint32_t k = *(uint32_t *) &keyHandle[i * sizeof(uint32_t)];
if (!(k & 0x80000000)) {
@@ -228,7 +216,7 @@ int derive_key(const uint8_t *app_id,
bool new_key,
uint8_t *key_handle,
int curve,
mbedtls_ecp_keypair *key) {
mbedtls_ecdsa_context *key) {
uint8_t outk[67] = { 0 }; //SECP521R1 key is 66 bytes length
int r = 0;
memset(outk, 0, sizeof(outk));
@@ -282,9 +270,6 @@ int derive_key(const uint8_t *app_id,
if (r != 0) {
return r;
}
if (curve == MBEDTLS_ECP_DP_ED25519) {
return mbedtls_ecp_point_edwards(&key->grp, &key->Q, &key->d, random_gen, NULL);
}
return mbedtls_ecp_mul(&key->grp, &key->Q, &key->d, &key->grp.G, random_gen, NULL);
}
mbedtls_platform_zeroize(outk, sizeof(outk));

7
src/fido/fido.h
View File

@@ -23,7 +23,6 @@
#endif
#include "common.h"
#include "mbedtls/ecdsa.h"
#include "mbedtls/eddsa.h"
#ifndef ENABLE_EMULATION
#include "ctap_hid.h"
#else
@@ -41,13 +40,13 @@ extern int derive_key(const uint8_t *app_id,
bool new_key,
uint8_t *key_handle,
int,
mbedtls_ecp_keypair *key);
extern int verify_key(const uint8_t *appId, const uint8_t *keyHandle, mbedtls_ecp_keypair *);
mbedtls_ecdsa_context *key);
extern int verify_key(const uint8_t *appId, const uint8_t *keyHandle, mbedtls_ecdsa_context *);
extern bool wait_button_pressed();
extern void init_fido();
extern mbedtls_ecp_group_id fido_curve_to_mbedtls(int curve);
extern int mbedtls_curve_to_fido(mbedtls_ecp_group_id id);
extern int fido_load_key(int curve, const uint8_t *cred_id, mbedtls_ecp_keypair *key);
extern int fido_load_key(int curve, const uint8_t *cred_id, mbedtls_ecdsa_context *key);
extern int load_keydev(uint8_t *key);
extern int encrypt(uint8_t protocol,
const uint8_t *key,

2
src/fido/version.h
View File

@@ -18,7 +18,7 @@
#ifndef __VERSION_H_
#define __VERSION_H_
#define PICO_FIDO_VERSION 0x0507
#define PICO_FIDO_VERSION 0x0506
#define PICO_FIDO_VERSION_MAJOR ((PICO_FIDO_VERSION >> 8) & 0xff)
#define PICO_FIDO_VERSION_MINOR (PICO_FIDO_VERSION & 0xff)

4
tests/pico-fido/test_020_register.py
View File

@@ -19,7 +19,7 @@
from fido2.client import CtapError
from fido2.cose import ES256, ES384, ES512, EdDSA
from fido2.cose import ES256, ES384, ES512
from utils import ES256K
import pytest
@@ -122,7 +122,7 @@ def test_bad_type_pubKeyCredParams(device):
device.doMC(key_params=["wrong"])
@pytest.mark.parametrize(
"alg", [ES256.ALGORITHM, ES384.ALGORITHM, ES512.ALGORITHM, ES256K.ALGORITHM, EdDSA.ALGORITHM]
"alg", [ES256.ALGORITHM, ES384.ALGORITHM, ES512.ALGORITHM, ES256K.ALGORITHM]
)
def test_algorithms(device, info, alg):
if ({'alg': alg, 'type': 'public-key'} in info.algorithms):

4
tests/pico-fido/test_021_authenticate.py
View File

@@ -19,7 +19,7 @@
from fido2.client import CtapError
from fido2.cose import ES256, ES384, ES512, EdDSA
from fido2.cose import ES256, ES384, ES512
from utils import verify, ES256K
import pytest
@@ -49,7 +49,7 @@ def test_empty_allowList(device):
assert e.value.code == CtapError.ERR.NO_CREDENTIALS
@pytest.mark.parametrize(
"alg", [ES256.ALGORITHM, ES384.ALGORITHM, ES512.ALGORITHM, ES256K.ALGORITHM, EdDSA.ALGORITHM]
"alg", [ES256.ALGORITHM, ES384.ALGORITHM, ES512.ALGORITHM, ES256K.ALGORITHM]
)
def test_algorithms(device, info, alg):
if ({'alg': alg, 'type': 'public-key'} in info.algorithms):