Reject RK option in get_assertion

The getAssertion command does not use the rk option so we return an InvalidOption error if it is set. Fixes: trussed-dev#31
robin-nitrokey · Jul 10, 2023 · c9a56aa · c9a56aa
1 parent d3e1753
commit c9a56aa
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+# Unreleased
+
+- Reject `rk` option in getAssertion ([#31][])
+
+[#31]: https://github.com/solokeys/fido-authenticator/issues/31
+
 ## [0.1.1] - 2022-08-22
 - Fix bug that treated U2F payloads as APDU over APDU in NFC transport @conorpp
 - Add config option to skip UP when device was just booted,

diff --git a/src/ctap2.rs b/src/ctap2.rs
@@ -923,6 +923,11 @@ impl<UP: UserPresence, T: TrussedRequirements> Authenticator for crate::Authenti
 
         // 6. process any options present
 
+        // RK is not supported in get_assertion
+        if parameters.options.as_ref().and_then(|options| options.rk).is_some() {
+            return Err(Error::InvalidOption);
+        }
+
         // UP occurs by default, but option could specify not to.
         let do_up = if parameters.options.is_some() {
             parameters.options.as_ref().unwrap().up.unwrap_or(true)