Merge branch 'development' into eddsa

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>

.github/workflows/codeql.yml

@@ -13,10 +13,10 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ "main", "development" ]
+    branches: [ "main", "development", "eddsa" ]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ "main", "development" ]
+    branches: [ "main", "development", "eddsa" ]
   schedule:
     - cron: '23 5 * * 4'
 

.github/workflows/test.yml

@@ -13,10 +13,10 @@ name: "Emulation and test"
 
 on:
   push:
-    branches: [ "main", "development" ]
+    branches: [ "main", "development", "eddsa" ]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ "main", "development" ]
+    branches: [ "main", "development", "eddsa" ]
   schedule:
     - cron: '23 5 * * 4'
 

README.md

@@ -13,8 +13,8 @@ Pico FIDO has implemented the following features:
 - User Verification with PIN
 - Discoverable credentials
 - Credential management
-- ECDSA authentication
+- ECDSA and EDDSA authentication
-- Authentication with SECP256R1, SECP384R1, SECP521R1 and SECP256K1 curves.
+- Authentication with SECP256R1, SECP384R1, SECP521R1, SECP256K1 and Ed25519 curves
 - App registration and login
 - Device selection
 - Support for vendor Config

build_pico_fido.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 VERSION_MAJOR="5"
-VERSION_MINOR="6"
+VERSION_MINOR="6-eddsa1"
 
 rm -rf release/*
 cd build_release

src/fido/cbor.c

@@ -199,6 +199,9 @@ CborError COSE_key(mbedtls_ecp_keypair *key, CborEncoder *mapEncoderParent,
     else if (key->grp.id == MBEDTLS_ECP_DP_CURVE25519) {
         alg = FIDO2_ALG_ECDH_ES_HKDF_256;
     }
+    else if (key->grp.id == MBEDTLS_ECP_DP_ED25519) {
+        alg = FIDO2_ALG_EDDSA;
+    }
     return COSE_key_params(crv, alg, &key->grp, &key->Q, mapEncoderParent, mapEncoder);
 }
 CborError COSE_key_shared(mbedtls_ecdh_context *key,

src/fido/cbor_get_assertion.c

@@ -406,12 +406,12 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
         flags = flagsx;
         selcred = &credsx[credentialCounter];
     }
-    mbedtls_ecdsa_context ekey;
+    mbedtls_ecp_keypair ekey;
-    mbedtls_ecdsa_init(&ekey);
+    mbedtls_ecp_keypair_init(&ekey);
     int ret = fido_load_key(selcred->curve, selcred->id.data, &ekey);
     if (ret != 0) {
         if (derive_key(rp_id_hash, false, selcred->id.data, MBEDTLS_ECP_DP_SECP256R1, &ekey) != 0) {
-            mbedtls_ecdsa_free(&ekey);
+            mbedtls_ecp_keypair_free(&ekey);
             CBOR_ERROR(CTAP1_ERR_OTHER);
         }
     }
@@ -559,21 +559,42 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
     else if (ekey.grp.id == MBEDTLS_ECP_DP_SECP521R1) {
         md = mbedtls_md_info_from_type(MBEDTLS_MD_SHA512);
     }
-    ret = mbedtls_md(md,
+    else if (ekey.grp.id == MBEDTLS_ECP_DP_ED25519) {
-                     aut_data,
+        md = NULL;
-                     aut_data_len + clientDataHash.len,
+    }
-                     hash);
     size_t olen = 0;
-    ret = mbedtls_ecdsa_write_signature(&ekey,
+    if (md != NULL) {
-                                        mbedtls_md_get_type(md),
+        ret = mbedtls_md(md,
-                                        hash,
+                        aut_data,
-                                        mbedtls_md_get_size(md),
+                        aut_data_len + clientDataHash.len,
-                                        sig,
+                        hash);
-                                        sizeof(sig),
+        ret = mbedtls_ecdsa_write_signature(&ekey,
-                                        &olen,
+                                            mbedtls_md_get_type(md),
-                                        random_gen,
+                                            hash,
-                                        NULL);
+                                            mbedtls_md_get_size(md),
-    mbedtls_ecdsa_free(&ekey);
+                                            sig,
+                                            sizeof(sig),
+                                            &olen,
+                                            random_gen,
+                                            NULL);
+    }
+    else {
+        ret = mbedtls_eddsa_write_signature(&ekey,
+                                            aut_data,
+                                            aut_data_len + clientDataHash.len,
+                                            sig,
+                                            sizeof(sig),
+                                            &olen,
+                                            MBEDTLS_EDDSA_PURE,
+                                            NULL,
+                                            0,
+                                            random_gen,
+                                            NULL);
+    }
+    if (ret != 0) {
+        CBOR_ERROR(CTAP2_ERR_PROCESSING);
+    }
+    mbedtls_ecp_keypair_free(&ekey);
 
     uint8_t lfields = 3;
     if (selcred->opts.present == true && selcred->opts.rk == ptrue) {

src/fido/cbor_get_info.c

@@ -90,11 +90,14 @@ int cbor_get_info() {
     CBOR_CHECK(cbor_encode_uint(&mapEncoder, MAX_CRED_ID_LENGTH)); // MAX_CRED_ID_MAX_LENGTH
 
     CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x0A));
-    CBOR_CHECK(cbor_encoder_create_array(&mapEncoder, &arrayEncoder, 4));
+
+    CBOR_CHECK(cbor_encoder_create_array(&mapEncoder, &arrayEncoder, 5));
     CBOR_CHECK(COSE_public_key(FIDO2_ALG_ES256, &arrayEncoder, &mapEncoder2));
+    CBOR_CHECK(COSE_public_key(FIDO2_ALG_EDDSA, &arrayEncoder, &mapEncoder2));
     CBOR_CHECK(COSE_public_key(FIDO2_ALG_ES384, &arrayEncoder, &mapEncoder2));
     CBOR_CHECK(COSE_public_key(FIDO2_ALG_ES512, &arrayEncoder, &mapEncoder2));
     CBOR_CHECK(COSE_public_key(FIDO2_ALG_ES256K, &arrayEncoder, &mapEncoder2));
+
     CBOR_CHECK(cbor_encoder_close_container(&mapEncoder, &arrayEncoder));
 
     CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x0B));

src/fido/cbor_make_credential.c

@@ -221,6 +221,11 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
             if (curve <= 0) {
                 curve = FIDO2_CURVE_P256K1;
             }
+        }        
+        else if (pubKeyCredParams[i].alg == FIDO2_ALG_EDDSA) {
+            if (curve <= 0) {
+                curve = FIDO2_CURVE_ED25519;
+            }
         }
         else if (pubKeyCredParams[i].alg <= FIDO2_ALG_RS256 && pubKeyCredParams[i].alg >= FIDO2_ALG_RS512) {
             // pass
@@ -386,16 +391,16 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
         ext_len = cbor_encoder_get_buffer_size(&encoder, ext);
         flags |= FIDO2_AUT_FLAG_ED;
     }
-    mbedtls_ecdsa_context ekey;
+    mbedtls_ecp_keypair ekey;
-    mbedtls_ecdsa_init(&ekey);
+    mbedtls_ecp_keypair_init(&ekey);
     int ret = fido_load_key(curve, cred_id, &ekey);
     if (ret != 0) {
-        mbedtls_ecdsa_free(&ekey);
+        mbedtls_ecp_keypair_free(&ekey);
         CBOR_ERROR(CTAP1_ERR_OTHER);
     }
     const mbedtls_ecp_curve_info *cinfo = mbedtls_ecp_curve_info_from_grp_id(ekey.grp.id);
     if (cinfo == NULL) {
-        mbedtls_ecdsa_free(&ekey);
+        mbedtls_ecp_keypair_free(&ekey);
         CBOR_ERROR(CTAP1_ERR_OTHER);
     }
     size_t olen = 0;
@@ -421,7 +426,7 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
     memcpy(pa, cbor_buf, rs); pa += rs;
     memcpy(pa, ext, ext_len); pa += ext_len;
     if (pa - aut_data != aut_data_len) {
-        mbedtls_ecdsa_free(&ekey);
+        mbedtls_ecp_keypair_free(&ekey);
         CBOR_ERROR(CTAP1_ERR_OTHER);
     }
 
@@ -434,29 +439,51 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
     else if (ekey.grp.id == MBEDTLS_ECP_DP_SECP521R1) {
         md = mbedtls_md_info_from_type(MBEDTLS_MD_SHA512);
     }
-    ret = mbedtls_md(md,
+    else if (ekey.grp.id == MBEDTLS_ECP_DP_ED25519) {
-                     aut_data,
+        md = NULL;
-                     aut_data_len + clientDataHash.len,
+    }
-                     hash);
+    if (md != NULL) {
-
+        ret = mbedtls_md(md,
+                         aut_data,
+                         aut_data_len + clientDataHash.len,
+                         hash);
+    }
     bool self_attestation = true;
     if (enterpriseAttestation == 2 || (ka && ka->use_self_attestation == pfalse)) {
-        mbedtls_ecdsa_free(&ekey);
+        mbedtls_ecp_keypair_free(&ekey);
-        mbedtls_ecdsa_init(&ekey);
+        mbedtls_ecp_keypair_init(&ekey);
         ret = mbedtls_ecp_read_key(MBEDTLS_ECP_DP_SECP256R1, &ekey, file_get_data(ef_keydev), 32);
         md = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
         self_attestation = false;
     }
-    ret = mbedtls_ecdsa_write_signature(&ekey,
+    if (md != NULL) {
-                                        mbedtls_md_get_type(md),
+        ret = mbedtls_ecdsa_write_signature(&ekey,
-                                        hash,
+                                            mbedtls_md_get_type(md),
-                                        mbedtls_md_get_size(md),
+                                            hash,
-                                        sig,
+                                            mbedtls_md_get_size(md),
-                                        sizeof(sig),
+                                            sig,
-                                        &olen,
+                                            sizeof(sig),
-                                        random_gen,
+                                            &olen,
-                                        NULL);
+                                            random_gen,
-    mbedtls_ecdsa_free(&ekey);
+                                            NULL);
+    }
+    else {
+        ret = mbedtls_eddsa_write_signature(&ekey,
+                                            aut_data,
+                                            aut_data_len + clientDataHash.len,
+                                            sig,
+                                            sizeof(sig),
+                                            &olen,
+                                            MBEDTLS_EDDSA_PURE,
+                                            NULL,
+                                            0,
+                                            random_gen,
+                                            NULL);
+    }
+    if (ret != 0) {
+        CBOR_ERROR(CTAP2_ERR_PROCESSING);
+    }
+    mbedtls_ecp_keypair_free(&ekey);
 
     uint8_t largeBlobKey[32];
     if (extensions.largeBlobKey == ptrue && options.rk == ptrue) {

src/fido/fido.c

@@ -93,6 +93,12 @@ mbedtls_ecp_group_id fido_curve_to_mbedtls(int curve) {
     else if (curve == FIDO2_CURVE_X448) {
         return MBEDTLS_ECP_DP_CURVE448;
     }
+    else if (curve == FIDO2_CURVE_ED25519) {
+        return MBEDTLS_ECP_DP_ED25519;
+    }
+    else if (curve == FIDO2_CURVE_ED448) {
+        return MBEDTLS_ECP_DP_ED448;
+    }
     return MBEDTLS_ECP_DP_NONE;
 }
 int mbedtls_curve_to_fido(mbedtls_ecp_group_id id) {
@@ -114,10 +120,16 @@ int mbedtls_curve_to_fido(mbedtls_ecp_group_id id) {
     else if (id == MBEDTLS_ECP_DP_CURVE448) {
         return FIDO2_CURVE_X448;
     }
+    else if (id == MBEDTLS_ECP_DP_ED25519) {
+        return FIDO2_CURVE_ED25519;
+    }
+    else if (id == MBEDTLS_ECP_DP_ED448) {
+        return FIDO2_CURVE_ED448;
+    }
     return 0;
 }
 
-int fido_load_key(int curve, const uint8_t *cred_id, mbedtls_ecdsa_context *key) {
+int fido_load_key(int curve, const uint8_t *cred_id, mbedtls_ecp_keypair *key) {
     mbedtls_ecp_group_id mbedtls_curve = fido_curve_to_mbedtls(curve);
     if (mbedtls_curve == MBEDTLS_ECP_DP_NONE) {
         return CTAP2_ERR_UNSUPPORTED_ALGORITHM;
@@ -174,7 +186,7 @@ int load_keydev(uint8_t *key) {
     return CCID_OK;
 }
 
-int verify_key(const uint8_t *appId, const uint8_t *keyHandle, mbedtls_ecdsa_context *key) {
+int verify_key(const uint8_t *appId, const uint8_t *keyHandle, mbedtls_ecp_keypair *key) {
     for (int i = 0; i < KEY_PATH_ENTRIES; i++) {
         uint32_t k = *(uint32_t *) &keyHandle[i * sizeof(uint32_t)];
         if (!(k & 0x80000000)) {
@@ -216,7 +228,7 @@ int derive_key(const uint8_t *app_id,
                bool new_key,
                uint8_t *key_handle,
                int curve,
-               mbedtls_ecdsa_context *key) {
+               mbedtls_ecp_keypair *key) {
     uint8_t outk[67] = { 0 }; //SECP521R1 key is 66 bytes length
     int r = 0;
     memset(outk, 0, sizeof(outk));
@@ -270,6 +282,9 @@ int derive_key(const uint8_t *app_id,
         if (r != 0) {
             return r;
         }
+        if (curve == MBEDTLS_ECP_DP_ED25519) {
+            return mbedtls_ecp_point_edwards(&key->grp, &key->Q, &key->d, random_gen, NULL);
+        }
         return mbedtls_ecp_mul(&key->grp, &key->Q, &key->d, &key->grp.G, random_gen, NULL);
     }
     mbedtls_platform_zeroize(outk, sizeof(outk));

src/fido/fido.h

@@ -23,6 +23,7 @@
 #endif
 #include "common.h"
 #include "mbedtls/ecdsa.h"
+#include "mbedtls/eddsa.h"
 #ifndef ENABLE_EMULATION
 #include "ctap_hid.h"
 #else
@@ -40,13 +41,13 @@ extern int derive_key(const uint8_t *app_id,
                       bool new_key,
                       uint8_t *key_handle,
                       int,
-                      mbedtls_ecdsa_context *key);
+                      mbedtls_ecp_keypair *key);
-extern int verify_key(const uint8_t *appId, const uint8_t *keyHandle, mbedtls_ecdsa_context *);
+extern int verify_key(const uint8_t *appId, const uint8_t *keyHandle, mbedtls_ecp_keypair *);
 extern bool wait_button_pressed();
 extern void init_fido();
 extern mbedtls_ecp_group_id fido_curve_to_mbedtls(int curve);
 extern int mbedtls_curve_to_fido(mbedtls_ecp_group_id id);
-extern int fido_load_key(int curve, const uint8_t *cred_id, mbedtls_ecdsa_context *key);
+extern int fido_load_key(int curve, const uint8_t *cred_id, mbedtls_ecp_keypair *key);
 extern int load_keydev(uint8_t *key);
 extern int encrypt(uint8_t protocol,
                    const uint8_t *key,

src/fido/version.h

@@ -18,7 +18,7 @@
 #ifndef __VERSION_H_
 #define __VERSION_H_
 
-#define PICO_FIDO_VERSION 0x0506
+#define PICO_FIDO_VERSION 0x0507
 
 #define PICO_FIDO_VERSION_MAJOR ((PICO_FIDO_VERSION >> 8) & 0xff)
 #define PICO_FIDO_VERSION_MINOR (PICO_FIDO_VERSION & 0xff)

tests/pico-fido/test_020_register.py

@@ -19,7 +19,7 @@
 
 
 from fido2.client import CtapError
-from fido2.cose import ES256, ES384, ES512
+from fido2.cose import ES256, ES384, ES512, EdDSA
 from utils import ES256K
 import pytest
 
@@ -122,7 +122,7 @@ def test_bad_type_pubKeyCredParams(device):
         device.doMC(key_params=["wrong"])
 
 @pytest.mark.parametrize(
-    "alg", [ES256.ALGORITHM, ES384.ALGORITHM, ES512.ALGORITHM, ES256K.ALGORITHM]
+    "alg", [ES256.ALGORITHM, ES384.ALGORITHM, ES512.ALGORITHM, ES256K.ALGORITHM, EdDSA.ALGORITHM]
 )
 def test_algorithms(device, info, alg):
     if ({'alg': alg, 'type': 'public-key'} in info.algorithms):

tests/pico-fido/test_021_authenticate.py

@@ -19,7 +19,7 @@
 
 
 from fido2.client import CtapError
-from fido2.cose import ES256, ES384, ES512
+from fido2.cose import ES256, ES384, ES512, EdDSA
 from utils import verify, ES256K
 import pytest
 
@@ -49,7 +49,7 @@ def test_empty_allowList(device):
     assert e.value.code == CtapError.ERR.NO_CREDENTIALS
 
 @pytest.mark.parametrize(
-    "alg", [ES256.ALGORITHM, ES384.ALGORITHM, ES512.ALGORITHM, ES256K.ALGORITHM]
+    "alg", [ES256.ALGORITHM, ES384.ALGORITHM, ES512.ALGORITHM, ES256K.ALGORITHM, EdDSA.ALGORITHM]
 )
 def test_algorithms(device, info, alg):
     if ({'alg': alg, 'type': 'public-key'} in info.algorithms):