Implement minPinLength

Author: BryanJacobs

README.md

@@ -75,6 +75,7 @@ I suggest [reading the FAQ](docs/FAQ.md) and perhaps [the security model](docs/s
 | CTAP2.1 credential management             | Implemented                                             |
 | CTAP2.1 enterprise attestation            | Implemented but always rejected                         |
 | CTAP2.1 authenticator config              | Implemented                                             |
+| CTAP2.1 minPinLength extension            | Implemented, zero RPID storage capacity                 |
 | CTAP2.1 credBlob extension                | Implemented, discoverable creds only                    |
 | CTAP2.1 authenticatorLargeBlobs extension | Not implemented                                         |
 | CTAP2.1 largeBlobKey extension            | Not implemented                                         |

docs/FAQ.md

@@ -122,6 +122,7 @@ It will store:
 - a boolean set to true on the first credential from a given RP ID, used
   to save state when enumerating and counting on-device RPs
 - a two-bit credProtect level value
+- the length of any credBlob stored with the credential
 - a four-byte counter value tracking which credential was most recently created
 - how many distinct RPs have valid keys on the device, unencrypted
 - how many total RPs are on the device, unencrypted

python_tests/ctap/test_cred_management.py

@@ -7,7 +7,7 @@
 from .ctap_test import CTAPTestCase
 
 
-class CTAPPINTestCase(CTAPTestCase):
+class CredManagementTestCase(CTAPTestCase):
 
     cp: ClientPin
 
@@ -55,7 +55,7 @@ def test_disable_alwaysUv_without_pin_rejected(self):
         with self.assertRaises(CtapError) as e:
             Config(self.ctap2).toggle_always_uv()
 
-        self.assertEqual(CtapError.ERR.MISSING_PARAMETER, e.exception.code)
+        self.assertEqual(CtapError.ERR.PUAT_REQUIRED, e.exception.code)
 
     def test_toggling_alwaysUv_survives_soft_reset(self):
         Config(self.ctap2).toggle_always_uv()

python_tests/ctap/test_ctap_basics.py

@@ -22,6 +22,14 @@ def test_info_aaguid_none(self):
         info = self.ctap2.get_info()
         self.assertEqual(Aaguid.NONE, info.aaguid)
 
+    def test_info_uv_modality_hint(self):
+        info = self.ctap2.get_info()
+        self.assertEqual(0x0200, info.uv_modality)
+
+    def test_info_supported_algs_hint(self):
+        info = self.ctap2.get_info()
+        self.assertEqual([{'alg': -7, "type": "public-key"}], info.algorithms)
+
     def test_make_credential_self_attestation(self):
         rp_id = secrets.token_hex(50)
         self.basic_makecred_params['rp']['id'] = rp_id

python_tests/ctap/test_setminpin.py

@@ -0,0 +1,146 @@
+import secrets
+from typing import Optional
+
+from fido2.ctap import CtapError
+from fido2.ctap2 import Config, ClientPin, PinProtocolV2
+from parameterized import parameterized
+
+from .ctap_test import CTAPTestCase
+
+
+class SetMinPinTestCase(CTAPTestCase):
+
+    cp: ClientPin
+    pin: Optional[str] = None
+
+    def setUp(self, install_params: Optional[bytes] = None) -> None:
+        super().setUp(install_params=install_params)
+        self.cp = ClientPin(self.ctap2)
+
+    def get_cfg(self) -> Config:
+        if self.pin is None:
+            return Config(self.ctap2)
+        uv = self.cp.get_pin_token(self.pin,
+                                   permissions=ClientPin.PERMISSION.AUTHENTICATOR_CFG)
+        return Config(self.ctap2, pin_uv_protocol=PinProtocolV2(), pin_uv_token=uv)
+
+    def test_info_min_pin_length(self):
+        info = self.ctap2.get_info()
+        self.assertEqual(4, info.min_pin_length)
+
+    def test_info_max_rps_for_setminpin(self):
+        info = self.ctap2.get_info()
+        self.assertEqual(0, info.max_rpids_for_min_pin)
+
+    def test_setminpin_option(self):
+        info = self.ctap2.get_info()
+        self.assertEqual(True, info.options.get("setMinPINLength"))
+
+    @parameterized.expand([
+        ("authenticated", True),
+        ("unauthenticated", False),
+    ])
+    def test_setminpin_visible_in_info(self, _, setpin: bool):
+        if setpin:
+            self.pin = secrets.token_hex(10)
+            self.cp.set_pin(self.pin)
+
+        self.get_cfg().set_min_pin_length(min_pin_length=8)
+
+        info = self.ctap2.get_info()
+        self.assertEqual(8, info.min_pin_length)
+
+    def test_setminpin_requires_pin_when_set(self):
+        self.pin = secrets.token_hex(10)
+        self.cp.set_pin(self.pin)
+
+        with self.assertRaises(CtapError) as e:
+            Config(self.ctap2).set_min_pin_length(min_pin_length=2)
+
+        self.assertEqual(CtapError.ERR.PUAT_REQUIRED, e.exception.code)
+
+    @parameterized.expand([
+        (4, 3),
+        (8, 7),
+        (30, 4),
+    ])
+    def test_setminpin_cannot_go_down(self, original_value, new_value):
+        self.get_cfg().set_min_pin_length(min_pin_length=original_value)
+
+        with self.assertRaises(CtapError) as e:
+            self.get_cfg().set_min_pin_length(min_pin_length=new_value)
+
+        self.assertEqual(CtapError.ERR.PIN_POLICY_VIOLATION, e.exception.code)
+
+    def test_setminpin_overlong(self):
+        with self.assertRaises(CtapError) as e:
+            self.get_cfg().set_min_pin_length(min_pin_length=70)
+
+        self.assertEqual(CtapError.ERR.PIN_POLICY_VIOLATION, e.exception.code)
+
+    def test_four_ascii_chars(self):
+        self.cp.set_pin("aaaa")
+
+    def test_four_ascii_chars_rejected_when_length_increased(self):
+        self.get_cfg().set_min_pin_length(min_pin_length=5)
+
+        with self.assertRaises(CtapError) as e:
+            self.cp.set_pin("aaaa")
+
+        self.assertEqual(CtapError.ERR.PIN_POLICY_VIOLATION, e.exception.code)
+
+    def test_four_multibyte_chars_rejected_when_length_increased(self):
+        self.get_cfg().set_min_pin_length(min_pin_length=5)
+
+        with self.assertRaises(CtapError) as e:
+            self.cp.set_pin("✈✈✈✈")
+
+        self.assertEqual(CtapError.ERR.PIN_POLICY_VIOLATION, e.exception.code)
+
+    def test_five_multibyte_chars_accepted_when_length_increased(self):
+        self.get_cfg().set_min_pin_length(min_pin_length=5)
+
+        self.cp.set_pin("✈✈ä✈✈")
+
+    def test_four_multibyte_chars_accepted_normally(self):
+        self.cp.set_pin("✈✈✈✈")
+
+    def test_change_without_pin_does_not_force_change(self):
+        self.get_cfg().set_min_pin_length(min_pin_length=10)
+        info = self.ctap2.get_info()
+
+        self.assertEqual(False, info.force_pin_change)
+
+    def test_change_with_pin_does_force_change(self):
+        self.pin = secrets.token_hex(10)
+        self.cp.set_pin(self.pin)
+
+        self.get_cfg().set_min_pin_length(min_pin_length=10)
+        info = self.ctap2.get_info()
+
+        self.assertEqual(True, info.force_pin_change)
+
+    def test_change_with_pin_to_same_length_does_not_force_change(self):
+        self.pin = secrets.token_hex(10)
+        self.cp.set_pin(self.pin)
+
+        self.get_cfg().set_min_pin_length(min_pin_length=4)
+        info = self.ctap2.get_info()
+
+        self.assertEqual(False, info.force_pin_change)
+
+    def test_cannot_get_uv_when_change_forced(self):
+        self.pin = secrets.token_hex(10)
+        self.cp.set_pin(self.pin)
+        self.get_cfg().set_min_pin_length(force_change_pin=True)
+
+        with self.assertRaises(CtapError) as e:
+            self.cp.get_pin_token(self.pin)
+
+        self.assertEqual(CtapError.ERR.PIN_POLICY_VIOLATION, e.exception.code)
+
+    def test_cannot_force_change_without_pin(self):
+        with self.assertRaises(CtapError) as e:
+            self.get_cfg().set_min_pin_length(force_change_pin=True)
+
+        self.assertEqual(CtapError.ERR.PIN_NOT_SET, e.exception.code)

src/main/java/us/q3q/fido2/CannedCBOR.java

@@ -62,7 +62,7 @@ public abstract class CannedCBOR {
 
     static final byte[] AUTH_INFO_SECOND = {
                 0x04, // map key: options
-                    (byte) 0xA9, // map: nine entries
+                    (byte) 0xAA, // map: ten entries
                         0x62, // string: two bytes long
                             0x65, 0x70, // ep
                             (byte) 0xF4, // false
@@ -90,6 +90,11 @@ public abstract class CannedCBOR {
     static final byte[] MAKE_CRED_UV_NOT_REQD = {
             0x6D, 0x61, 0x6B, 0x65, 0x43, 0x72, 0x65, 0x64, 0x55, 0x76, 0x4E, 0x6F, 0x74, 0x52, 0x71, 0x64
     };
+
+    static final byte[] SET_MIN_PIN_LENGTH = {
+            0x73, 0x65, 0x74, 0x4D, 0x69, 0x6E, 0x50, 0x49, 0x4E, 0x4C, 0x65, 0x6E, 0x67, 0x74, 0x68, // setMinPINLength
+    };
+
     static final byte[] PIN_UV_AUTH_TOKEN = {
             0x70, 0x69, 0x6E, 0x55, 0x76, 0x41, 0x75, 0x74, 0x68, 0x54, 0x6F, 0x6B, 0x65, 0x6E
     };
@@ -161,4 +166,16 @@ public abstract class CannedCBOR {
             0x70, 0x75, 0x62, 0x6C, 0x69, 0x63, 0x2D, 0x6B, 0x65, 0x79
           //   p     u     b     l     i     c     -     k     e     y
     };
+
+    static final byte[] ES256_ALG_TYPE = {
+            (byte) 0x81, // array - one item
+                (byte) 0xA2, // map - two entries
+                    0x63, // string - three bytes long
+                        0x61, 0x6C, 0x67, // alg
+                        0x26, // -7 (alg ID for ES256)
+                    0x64, // string - four bytes long
+                        0x74, 0x79, 0x70, 0x65, // type
+                        0x6A, // string - ten bytes long
+                            0x70, 0x75, 0x62, 0x6C, 0x69, 0x63, 0x2D, 0x6B, 0x65, 0x79, // public-key
+    };
 }