From b63990dba47067d48c62e4b9eca0b1d80aea4241 Mon Sep 17 00:00:00 2001 From: "John M. Schanck" Date: Sat, 4 Nov 2023 09:48:44 -0700 Subject: [PATCH] Handle present-but-empty extension data when serializing AuthenticatorData --- src/ctap2/attestation.rs | 34 +++++++++++++++++++++++++++++----- 1 file changed, 29 insertions(+), 5 deletions(-) diff --git a/src/ctap2/attestation.rs b/src/ctap2/attestation.rs index 7841bf2f..af33b159 100644 --- a/src/ctap2/attestation.rs +++ b/src/ctap2/attestation.rs @@ -289,8 +289,6 @@ impl Serialize for AuthenticatorData { data.extend([self.flags.bits()]); // (2) "flags", len=1 (u8) data.extend(self.counter.to_be_bytes()); // (3) "signCount", len=4, 32-bit unsigned big-endian integer. - // TODO(MS): Here flags=AT needs to be set, but this data comes from the security device - // and we (probably?) need to just trust the device to set the right flags if let Some(cred) = &self.credential_data { // see https://www.w3.org/TR/webauthn-2/#sctn-attested-credential-data // Attested Credential Data @@ -308,9 +306,12 @@ impl Serialize for AuthenticatorData { .map_err(|_| SerError::custom("Failed to serialize auth_data"))?, ); } - // TODO(MS): Here flags=ED needs to be set, but this data comes from the security device - // and we (probably?) need to just trust the device to set the right flags - if self.extensions.has_some() { + // If we have parsed extension data, then we should serialize it even if the authenticator + // failed to set the extension data flag. + // If we don't have parsed extension data, then what we output depends on the flag. + // If the flag is set, we output the empty CBOR map. If it is not set, we output nothing. + if self.extensions.has_some() || self.flags.contains(AuthenticatorDataFlags::EXTENSION_DATA) + { data.extend( // (5) "extensions", len=variable &serde_cbor::to_vec(&self.extensions) @@ -1078,6 +1079,29 @@ pub mod test { ); } + #[test] + fn test_empty_extension_data() { + let mut parsed_auth_data: AuthenticatorData = + from_slice(&SAMPLE_AUTH_DATA_MAKE_CREDENTIAL).unwrap(); + assert!(parsed_auth_data + .flags + .contains(AuthenticatorDataFlags::EXTENSION_DATA)); + + // Remove the extension data but keep the extension data flag set. + parsed_auth_data.extensions = Default::default(); + let with_flag = to_vec(&parsed_auth_data).expect("could not serialize auth data"); + // The serialized auth data should end with an empty map (CBOR 0xA0). + assert_eq!(with_flag[with_flag.len() - 1], 0xA0); + + // Remove the extension data flag. + parsed_auth_data + .flags + .remove(AuthenticatorDataFlags::EXTENSION_DATA); + let without_flag = to_vec(&parsed_auth_data).expect("could not serialize auth data"); + // The serialized auth data should be one byte shorter. + assert!(with_flag.len() == without_flag.len() + 1); + } + /// See: https://github.com/mozilla/authenticator-rs/issues/187 #[test] fn test_aaguid_output() {