Reject RK option in get_assertion
The getAssertion command does not use the rk option so we return an
InvalidOption error if it is set.

Fixes: #31
robin-nitrokey authored and nickray committed Sep 13, 2023
1 parent 713c5e7 commit 7bd0c3b
Showing 2 changed files with 7 additions and 0 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -9,11 +9,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
makeCredential operations without user verification ([#26][])
- Ignore public key credential parameters with an unknown type, as required by
the Webauthn spec ([#28][])
- Reject `rk` option in getAssertion ([#31][])
- Ignore user data with empty ID in getAssertion ([#32][])
- Allow three instead of two PIN retries per boot ([#35][])

[#26]: https://github.com/solokeys/fido-authenticator/issues/26
[#28]: https://github.com/solokeys/fido-authenticator/issues/28
[#31]: https://github.com/solokeys/fido-authenticator/issues/31
[#32]: https://github.com/solokeys/fido-authenticator/issues/32
[#35]: https://github.com/solokeys/fido-authenticator/issues/35
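
Review bot: the new `rk` entry in the list does not name the error a client now receives. Requests that set `rk` in getAssertion start failing with this change, so consider wording it as "Reject `rk` option in getAssertion with `InvalidOption`" so integrators know what to match on.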

5 changes: 5 additions & 0 deletions src/ctap2.rs
Expand Up @@ -921,6 +921,11 @@ impl<UP: UserPresence, T: TrussedRequirements> Authenticator for crate::Authenti

// 6. process any options present

// RK is not supported in get_assertion
if parameters.options.as_ref().and_then(|options| options.rk).is_some() {
return Err(Error::InvalidOption);
}

// UP occurs by default, but option could specify not to.
let do_up = if parameters.options.is_some() {
parameters.options.as_ref().unwrap().up.unwrap_or(true)
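
Review bot: the check at `.and_then(|options| options.rk).is_some()` rejects the request whenever `rk` is present, whatever its value, but the comment above it only says "RK is not supported in get_assertion". If rejecting on presence alone is intended, state that in the comment so a later change does not relax it to a test for `Some(true)`. The two changed files also include no test for this path; a getAssertion request with `rk` set that expects `Error::InvalidOption` would pin the behaviour. Minor style point: the `up` handling just below reads the same options with `is_some()` followed by `unwrap()`, so two idioms for the same access now sit side by side.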