add configs for CTAP SM2 support

canokeys · Dec 26, 2023 · 276d978 · 276d978
1 parent c81f322
commit 276d978
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 1 deletion.
diff --git a/applets/admin/admin.c b/applets/admin/admin.c
@@ -261,6 +261,15 @@ int admin_process_apdu(const CAPDU *capdu, RAPDU *rapdu) {
   case ADMIN_INS_TOGGLE_NDEF_READ_ONLY:
     ret = ndef_toggle_read_only(capdu, rapdu);
     break;
+  case ADMIN_INS_RESET_CTAP:
+    ret = ctap_install(1);
+    break;
+  case ADMIN_INS_READ_CTAP_SM2_CONFIG:
+    ret = ctap_read_sm2_config(capdu, rapdu);
+    break;
+  case ADMIN_INS_WRITE_CTAP_SM2_CONFIG:
+    ret = ctap_write_sm2_config(capdu, rapdu);
+    break;
   case ADMIN_INS_CHANGE_PIN:
     ret = admin_change_pin(capdu, rapdu);
     break;

diff --git a/applets/ctap/ctap-parser.c b/applets/ctap/ctap-parser.c
@@ -187,7 +187,7 @@ uint8_t parse_verify_pub_key_cred_params(CborValue *val, int32_t *alg_type) {
     CHECK_PARSER_RET(ret);
     if (ret == 0 && (cur_alg_type == COSE_ALG_ES256 ||
                      cur_alg_type == COSE_ALG_EDDSA ||
-                     ctap_sm2_attr.enabled && cur_alg_type == ctap_sm2_attr.algo_id)) {
+                     (ctap_sm2_attr.enabled && cur_alg_type == ctap_sm2_attr.algo_id))) {
       // https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#authenticatorMakeCredential
       //
       // > This sequence is ordered from most preferred (by the RP) to least preferred.

diff --git a/applets/ctap/ctap.c b/applets/ctap/ctap.c
@@ -104,6 +104,21 @@ int ctap_install_cert(const CAPDU *capdu, RAPDU *rapdu) {
   return write_file(CTAP_CERT_FILE, DATA, 0, LC, 1);
 }
 
+int ctap_read_sm2_config(const CAPDU *capdu, RAPDU *rapdu) {
+  UNUSED(capdu);
+  const int ret = read_attr(CTAP_CERT_FILE, SM2_ATTR, RDATA, sizeof(ctap_sm2_attr));
+  if (ret < 0) return ret;
+  LL = ret;
+  return 0;
+}
+
+int ctap_write_sm2_config(const CAPDU *capdu, RAPDU *rapdu) {
+  if (LC != sizeof(ctap_sm2_attr)) EXCEPT(SW_WRONG_LENGTH);
+  const int ret = write_attr(CTAP_CERT_FILE, SM2_ATTR, DATA, sizeof(ctap_sm2_attr));
+  memcpy(&ctap_sm2_attr, DATA, sizeof(ctap_sm2_attr));
+  return ret;
+}
+
 static int build_ecdsa_cose_key(uint8_t *data, int algo, int curve) {
   uint8_t buf[80];
   CborEncoder encoder, map_encoder;

diff --git a/include/admin.h b/include/admin.h
@@ -11,6 +11,9 @@
 #define ADMIN_INS_RESET_OATH 0x05
 #define ADMIN_INS_RESET_NDEF 0x07
 #define ADMIN_INS_TOGGLE_NDEF_READ_ONLY 0x08
+#define ADMIN_INS_RESET_CTAP 0x09
+#define ADMIN_INS_READ_CTAP_SM2_CONFIG 0x11
+#define ADMIN_INS_WRITE_CTAP_SM2_CONFIG 0x12
 #define ADMIN_INS_VERIFY 0x20
 #define ADMIN_INS_CHANGE_PIN 0x21
 #define ADMIN_INS_WRITE_SN 0x30

diff --git a/include/ctap.h b/include/ctap.h
@@ -8,6 +8,8 @@
 uint8_t ctap_install(uint8_t reset);
 int ctap_install_private_key(const CAPDU *capdu, RAPDU *rapdu);
 int ctap_install_cert(const CAPDU *capdu, RAPDU *rapdu);
+int ctap_read_sm2_config(const CAPDU *capdu, RAPDU *rapdu);
+int ctap_write_sm2_config(const CAPDU *capdu, RAPDU *rapdu);
 int ctap_process_cbor(uint8_t *req, size_t req_len, uint8_t *resp, size_t *resp_len);
 int ctap_process_apdu(const CAPDU *capdu, RAPDU *rapdu);
 int ctap_wink(void);