ctap2-proto: Move authenticator::client_pin::AuthProtocolVersion to own module

In preparation for adding traits for the PIN/UV Auth Protocol, this
splits the AuthProtocolVersion type into its own module and renames it
to auth_protocol::Version.
main
Nick Zana 1 year ago
parent 16d11745a3
commit a8a9eeb817

@ -1,5 +1,5 @@
use crate::Sha256Hash; use crate::Sha256Hash;
use crate::{authenticator::client_pin::AuthProtocolVersion, extensions}; use crate::{authenticator::client_pin::auth_protocol, extensions};
use fido_common::credential::public_key; use fido_common::credential::public_key;
use std::{collections::BTreeMap, usize}; use std::{collections::BTreeMap, usize};
@ -69,7 +69,7 @@ pub struct Request<'a> {
pub pin_uv_auth_param: Option<&'a [u8]>, pub pin_uv_auth_param: Option<&'a [u8]>,
/// > PIN/UV protocol version selected by platform. /// > PIN/UV protocol version selected by platform.
#[cfg_attr(feature = "serde", serde(rename = 0x07))] #[cfg_attr(feature = "serde", serde(rename = 0x07))]
pub pin_uv_auth_protocol_version: Option<AuthProtocolVersion>, pub pin_uv_auth_protocol_version: Option<auth_protocol::Version>,
} }
/// Response structure for [`Ctap2Device::get_assertion`] operation. /// Response structure for [`Ctap2Device::get_assertion`] operation.

@ -0,0 +1,31 @@
#[cfg(feature = "serde")]
use serde::{Deserialize, Serialize};
#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
#[cfg_attr(
feature = "serde",
derive(Serialize, Deserialize),
serde(into = "u8", try_from = "u8")
)]
pub enum Version {
One = 1,
Two = 2,
}
impl From<Version> for u8 {
fn from(value: Version) -> Self {
value as u8
}
}
impl TryFrom<u8> for Version {
type Error = super::Error;
fn try_from(value: u8) -> Result<Self, Self::Error> {
match value {
1 => Ok(Version::One),
2 => Ok(Version::Two),
_ => Err(super::Error::InvalidParameter),
}
}
}

@ -4,55 +4,15 @@ use std::collections::BTreeSet;
#[cfg(feature = "serde")] #[cfg(feature = "serde")]
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)] pub mod auth_protocol;
#[cfg_attr(
feature = "serde",
derive(Serialize, Deserialize),
serde(into = "u8", try_from = "u8")
)]
pub enum AuthProtocolVersion {
One = 1,
Two = 2,
}
impl From<AuthProtocolVersion> for u8 {
fn from(value: AuthProtocolVersion) -> Self {
value as u8
}
}
impl TryFrom<u8> for AuthProtocolVersion {
type Error = Error;
fn try_from(value: u8) -> Result<Self, Self::Error> {
match value {
1 => Ok(AuthProtocolVersion::One),
2 => Ok(AuthProtocolVersion::Two),
_ => Err(Error::InvalidParameter),
}
}
}
where
D: serde::Deserializer<'de>,
{
use serde::de;
match u8::deserialize(deserializer)? { pub type PinUvAuthParam = [u8; 16];
1 => Ok(Self::One),
2 => Ok(Self::Two),
i => Err(de::Error::invalid_value(
de::Unexpected::Unsigned(i.into()),
&"1 or 2",
)),
}
}
}
#[derive(Clone, Copy)] #[derive(Clone)]
pub enum Request<'a> { pub enum Request<'a> {
GetPinRetries, GetPinRetries,
GetKeyAgreement { GetKeyAgreement {
version: AuthProtocolVersion, version: auth_protocol::Version,
}, },
SetPin { SetPin {
key_agreement: &'a coset::CoseKey, key_agreement: &'a coset::CoseKey,
@ -60,25 +20,25 @@ pub enum Request<'a> {
pin_uv_auth_param: &'a [u8], pin_uv_auth_param: &'a [u8],
}, },
ChangePin { ChangePin {
version: AuthProtocolVersion, version: auth_protocol::Version,
pin_hash_encrypted: &'a [u8], pin_hash_encrypted: &'a [u8],
new_pin_encrypted: &'a [u8], new_pin_encrypted: &'a [u8],
pin_uv_auth_param: &'a [u8], pin_uv_auth_param: &'a [u8],
}, },
GetPinToken { GetPinToken {
version: AuthProtocolVersion, version: auth_protocol::Version,
key_agreement: &'a coset::CoseKey, key_agreement: cosey::PublicKey,
pin_hash_encrypted: &'a [u8], pin_hash_encrypted: &'a [u8],
}, },
GetPinUvAuthTokenUsingUvWithPermissions { GetPinUvAuthTokenUsingUvWithPermissions {
version: AuthProtocolVersion, version: auth_protocol::Version,
key_agreement: &'a coset::CoseKey, key_agreement: &'a coset::CoseKey,
permissions: &'a BTreeSet<Permission>, // TODO: Enforce non-empty set? permissions: &'a BTreeSet<Permission>, // TODO: Enforce non-empty set?
relying_party_id: Option<usize>, relying_party_id: Option<usize>,
}, },
GetUvRetries, GetUvRetries,
GetPinUvAuthTokenUsingPinWithPermissions { GetPinUvAuthTokenUsingPinWithPermissions {
version: AuthProtocolVersion, version: auth_protocol::Version,
key_agreement: &'a coset::CoseKey, key_agreement: &'a coset::CoseKey,
pin_hash_encrypted: usize, pin_hash_encrypted: usize,
permissions: &'a BTreeSet<Permission>, // TODO: Enforce non-empty set? permissions: &'a BTreeSet<Permission>, // TODO: Enforce non-empty set?
@ -126,6 +86,7 @@ pub enum Response {
}, },
} }
#[derive(Debug, Clone, Copy)]
pub enum Error { pub enum Error {
MissingParameter, MissingParameter,
InvalidParameter, InvalidParameter,
@ -142,6 +103,26 @@ pub enum Error {
UserVerificationInvalid, UserVerificationInvalid,
} }
impl std::fmt::Display for Error {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
match self {
Error::MissingParameter => write!(f, "Missing parameter"),
Error::InvalidParameter => write!(f, "Invalid parameter"),
Error::PinAuthInvalid => write!(f, "PIN auth invalid"),
Error::PinPolicyViolation => write!(f, "PIN policy violation"),
Error::PinBlocked => write!(f, "PIN blocked"),
Error::PinAuthBlocked => write!(f, "PIN auth blocked"),
Error::PinInvalid => write!(f, "PIN invalid"),
Error::OperationDenied => write!(f, "Operation denied"),
Error::UnauthorizedPermission => write!(f, "Unauthorized permission"),
Error::NotAllowed => write!(f, "Not allowed"),
Error::UserVerificationBlocked => write!(f, "User verification blocked"),
Error::UserActionTimeout => write!(f, "User action timeout"),
Error::UserVerificationInvalid => write!(f, "User verification invalid"),
}
}
}
/// > When obtaining a `pinUvAuthToken`, the platform requests permissions /// > When obtaining a `pinUvAuthToken`, the platform requests permissions
/// > appropriate for the operations it intends to perform. Consequently, the /// > appropriate for the operations it intends to perform. Consequently, the
/// > `pinUvAuthToken` can only be used for those operations. /// > `pinUvAuthToken` can only be used for those operations.

@ -1,19 +1,19 @@
use std::collections::BTreeMap; use std::collections::BTreeMap;
use super::client_pin::AuthProtocolVersion; use super::client_pin::auth_protocol;
#[derive(Clone, Copy)] #[derive(Clone, Copy)]
pub enum Request<'a> { pub enum Request<'a> {
/// > This `enableEnterpriseAttestation` subcommand is only implemented if /// > This `enableEnterpriseAttestation` subcommand is only implemented if
/// > the enterprise attestation feature is supported. /// > the enterprise attestation feature is supported.
EnableEnterpriseAttestation { EnableEnterpriseAttestation {
pin_uv_auth_protocol: AuthProtocolVersion, pin_uv_auth_protocol: auth_protocol::Version,
pin_uv_auth_param: &'a [u8], // TODO: Is using a more specific type possible? pin_uv_auth_param: &'a [u8], // TODO: Is using a more specific type possible?
}, },
/// > This `toggleAlwaysUv` subcommand is only implemented if the Always /// > This `toggleAlwaysUv` subcommand is only implemented if the Always
/// > Require User Verification feature is supported. /// > Require User Verification feature is supported.
ToggleAlwaysUserVerification { ToggleAlwaysUserVerification {
pin_uv_auth_protocol: AuthProtocolVersion, pin_uv_auth_protocol: auth_protocol::Version,
pin_uv_auth_param: &'a [u8], // TODO: Is using a more specific type possible? pin_uv_auth_param: &'a [u8], // TODO: Is using a more specific type possible?
}, },
/// > This `setMinPINLength` subcommand is only implemented if the /// > This `setMinPINLength` subcommand is only implemented if the
@ -22,7 +22,7 @@ pub enum Request<'a> {
/// > This command sets the minimum PIN length in Unicode code points to be /// > This command sets the minimum PIN length in Unicode code points to be
/// > enforced by the authenticator while changing/setting up a ClientPIN. /// > enforced by the authenticator while changing/setting up a ClientPIN.
SetMinPinLength { SetMinPinLength {
pin_uv_auth_protocol: AuthProtocolVersion, pin_uv_auth_protocol: auth_protocol::Version,
pin_uv_auth_param: &'a [u8], // TODO: Is using a more specific type possible? pin_uv_auth_param: &'a [u8], // TODO: Is using a more specific type possible?
}, },
/// > This subCommand allows vendors to test authenticator configuration /// > This subCommand allows vendors to test authenticator configuration
@ -39,7 +39,7 @@ pub enum Request<'a> {
vendor_command_id: usize, vendor_command_id: usize,
params: &'a BTreeMap<Vec<u8>, Vec<u8>>, /* TODO: Is the character space of keys params: &'a BTreeMap<Vec<u8>, Vec<u8>>, /* TODO: Is the character space of keys
* restricted to UTF-8? */ * restricted to UTF-8? */
pin_uv_auth_protocol: AuthProtocolVersion, pin_uv_auth_protocol: auth_protocol::Version,
pin_uv_auth_param: &'a [u8], // TODO: Is using a more specific type possible? pin_uv_auth_param: &'a [u8], // TODO: Is using a more specific type possible?
}, },
} }

@ -99,7 +99,7 @@ pub struct Request<'a> {
/// > PIN/UV protocol version selected by platform. /// > PIN/UV protocol version selected by platform.
#[builder(default, setter(strip_option))] #[builder(default, setter(strip_option))]
#[cfg_attr(feature = "serde", serde(rename = 0x09))] #[cfg_attr(feature = "serde", serde(rename = 0x09))]
pub pin_uv_auth_protocol_version: Option<client_pin::AuthProtocolVersion>, pub pin_uv_auth_protocol_version: Option<client_pin::auth_protocol::Version>,
/// > An authenticator supporting this enterprise attestation feature is /// > An authenticator supporting this enterprise attestation feature is
/// > enterprise attestation capable and signals its support via the `ep` /// > enterprise attestation capable and signals its support via the `ep`
/// > Option ID in the `authenticatorGetInfo` command response. /// > Option ID in the `authenticatorGetInfo` command response.

@ -7,13 +7,13 @@ pub type PinUvAuthParam = [u8; 16];
pub enum Request<'a> { pub enum Request<'a> {
GetCredentialsMetadata { GetCredentialsMetadata {
/// > PIN/UV protocol version chosen by the platform. /// > PIN/UV protocol version chosen by the platform.
pin_uv_auth_protocol: client_pin::AuthProtocolVersion, pin_uv_auth_protocol: client_pin::auth_protocol::Version,
/// > First 16 bytes of HMAC-SHA-256 of contents using `pinUvAuthToken`. /// > First 16 bytes of HMAC-SHA-256 of contents using `pinUvAuthToken`.
pin_uv_auth_param: &'a PinUvAuthParam, pin_uv_auth_param: &'a PinUvAuthParam,
}, },
EnumerateRPsBegin { EnumerateRPsBegin {
/// > PIN/UV protocol version chosen by the platform. /// > PIN/UV protocol version chosen by the platform.
pin_uv_auth_protocol: client_pin::AuthProtocolVersion, pin_uv_auth_protocol: client_pin::auth_protocol::Version,
/// > First 16 bytes of HMAC-SHA-256 of contents using `pinUvAuthToken`. /// > First 16 bytes of HMAC-SHA-256 of contents using `pinUvAuthToken`.
pin_uv_auth_param: &'a PinUvAuthParam, pin_uv_auth_param: &'a PinUvAuthParam,
}, },
@ -22,7 +22,7 @@ pub enum Request<'a> {
/// The ID of the relying party to enumerate credentials for. /// The ID of the relying party to enumerate credentials for.
relying_party_id_hash: &'a Sha256Hash, relying_party_id_hash: &'a Sha256Hash,
/// > PIN/UV protocol version chosen by the platform. /// > PIN/UV protocol version chosen by the platform.
pin_uv_auth_protocol: client_pin::AuthProtocolVersion, pin_uv_auth_protocol: client_pin::auth_protocol::Version,
/// > First 16 bytes of HMAC-SHA-256 of contents using `pinUvAuthToken`. /// > First 16 bytes of HMAC-SHA-256 of contents using `pinUvAuthToken`.
pin_uv_auth_param: &'a PinUvAuthParam, pin_uv_auth_param: &'a PinUvAuthParam,
}, },
@ -31,7 +31,7 @@ pub enum Request<'a> {
/// The ID of the credential to delete. /// The ID of the credential to delete.
credential_id: &'a public_key::Descriptor, credential_id: &'a public_key::Descriptor,
/// > PIN/UV protocol version chosen by the platform. /// > PIN/UV protocol version chosen by the platform.
pin_uv_auth_protocol: client_pin::AuthProtocolVersion, pin_uv_auth_protocol: client_pin::auth_protocol::Version,
/// > First 16 bytes of HMAC-SHA-256 of contents using `pinUvAuthToken`. /// > First 16 bytes of HMAC-SHA-256 of contents using `pinUvAuthToken`.
pin_uv_auth_param: &'a PinUvAuthParam, pin_uv_auth_param: &'a PinUvAuthParam,
}, },
@ -41,7 +41,7 @@ pub enum Request<'a> {
/// The updated user information. /// The updated user information.
user: &'a public_key::UserEntity, user: &'a public_key::UserEntity,
/// > PIN/UV protocol version chosen by the platform. /// > PIN/UV protocol version chosen by the platform.
pin_uv_auth_protocol: client_pin::AuthProtocolVersion, pin_uv_auth_protocol: client_pin::auth_protocol::Version,
/// > First 16 bytes of HMAC-SHA-256 of contents using `pinUvAuthToken`. /// > First 16 bytes of HMAC-SHA-256 of contents using `pinUvAuthToken`.
pin_uv_auth_param: &'a PinUvAuthParam, pin_uv_auth_param: &'a PinUvAuthParam,
}, },

@ -1,4 +1,4 @@
use crate::authenticator::client_pin::AuthProtocolVersion; use crate::authenticator::client_pin::auth_protocol;
use crate::authenticator::Transport; use crate::authenticator::Transport;
use crate::extensions; use crate::extensions;
use fido_common::credential::public_key; use fido_common::credential::public_key;
@ -247,7 +247,7 @@ pub struct Info {
/// > authenticator preference. MUST NOT contain duplicate values... /// > authenticator preference. MUST NOT contain duplicate values...
// Cannot be empty if present // Cannot be empty if present
#[cfg_attr(feature = "serde", serde(rename = 0x06))] #[cfg_attr(feature = "serde", serde(rename = 0x06))]
pub pin_uv_auth_protocols: Option<Vec<AuthProtocolVersion>>, pub pin_uv_auth_protocols: Option<Vec<auth_protocol::Version>>,
/// > Maximum number of credentials supported in credentialID list at a time /// > Maximum number of credentials supported in credentialID list at a time
/// > by the authenticator. /// > by the authenticator.
#[cfg_attr(feature = "serde", serde(rename = 0x07))] #[cfg_attr(feature = "serde", serde(rename = 0x07))]

Loading…
Cancel
Save