Allow reusing PIN tokens for getAssertion with UP=false

Author: BryanJacobs

python_tests/ctap/test_ctap_basics.py

@@ -356,6 +356,51 @@ def test_basic_assertion(self):
             assert_res.auth_data + assert_client_data, assert_res.signature
         )
 
+    def test_pin_uv_reuse(self):
+        cred_res = self.ctap2.make_credential(**self.basic_makecred_params)
+
+        pin = secrets.token_hex(10)
+        cp = ClientPin(self.ctap2)
+        cp.set_pin(pin)
+        uv = cp.get_pin_token(pin)
+        assert_client_data = self.get_random_client_data()
+        pin_uv_protocol = cp.protocol.VERSION
+        pin_uv_param = cp.protocol.authenticate(uv, assert_client_data)
+
+        assert_res1 = self.get_assertion_from_cred(cred_res, client_data=assert_client_data,
+                                                   pin_uv_protocol=pin_uv_protocol,
+                                                   pin_uv_param=pin_uv_param,
+                                                   options={
+                                                       'up': False
+                                                   })
+        assert_res2 = self.get_assertion_from_cred(cred_res, client_data=assert_client_data,
+                                                   pin_uv_protocol=pin_uv_protocol,
+                                                   pin_uv_param=pin_uv_param,
+                                                   options={
+                                                       'up': False
+                                                   })
+        assert_res3 = self.get_assertion_from_cred(cred_res, client_data=assert_client_data,
+                                                   pin_uv_protocol=pin_uv_protocol,
+                                                   pin_uv_param=pin_uv_param,
+                                                   options={
+                                                       'up': True
+                                                   })
+        error_raised = False
+        try:
+            self.get_assertion_from_cred(cred_res, client_data=assert_client_data,
+                                         pin_uv_protocol=pin_uv_protocol,
+                                         pin_uv_param=pin_uv_param,
+                                         options={
+                                            'up': False
+                                         })
+        except CtapError as e:
+            self.assertEqual(CtapError.ERR.PIN_AUTH_INVALID, e.code)
+            error_raised = True
+        self.assertTrue(error_raised)
+        for assert_res in [assert_res1, assert_res2, assert_res3]:
+            self.assertEqual(cred_res.auth_data.credential_data.credential_id,
+                             assert_res.credential['id'])
+
     def test_creds_are_tamper_resistant(self):
         cred_res = self.ctap2.make_credential(**self.basic_makecred_params)
 

src/main/java/us/q3q/fido2/FIDO2Applet.java

@@ -822,7 +822,7 @@ private void makeCredential(APDU apdu, short lc, byte[] buffer) {
             // Come back and verify PIN auth
             byte pinPermissions = transientStorage.getPinPermissions();
 
-            verifyPinAuth(apdu, buffer, pinAuthIdx, buffer, clientDataHashIdx, pinProtocol);
+            verifyPinAuth(apdu, buffer, pinAuthIdx, buffer, clientDataHashIdx, pinProtocol, true);
 
             if ((pinPermissions & FIDOConstants.PERM_MAKE_CREDENTIAL) == 0) {
                 // PIN token doesn't have permission for the MC operation
@@ -1397,16 +1397,18 @@ private void hmacSha256(APDU apdu, byte[] keyBuff, short keyOff,
     /**
      * Uses the currently-set pinToken to hash some data and compare against a verification value
      *
-     * @param apdu          Request/response object
-     * @param content       Buffer containing content to HMAC using the pinToken
-     * @param contentIdx    Index of content in given buffer
-     * @param contentLen    Length of content
-     * @param checkAgainst  Buffer containing "correct" hash we're looking for
-     * @param checkIdx      Index of correct hash in corresponding buffer
-     * @param pinProtocol   Integer PIN protocol version number
+     * @param apdu            Request/response object
+     * @param content         Buffer containing content to HMAC using the pinToken
+     * @param contentIdx      Index of content in given buffer
+     * @param contentLen      Length of content
+     * @param checkAgainst    Buffer containing "correct" hash we're looking for
+     * @param checkIdx        Index of correct hash in corresponding buffer
+     * @param pinProtocol     Integer PIN protocol version number
+     * @param invalidateToken If true, consider invalidating the PIN token
      */
     private void checkPinToken(APDU apdu, byte[] content, short contentIdx, short contentLen,
-                               byte[] checkAgainst, short checkIdx, byte pinProtocol) {
+                               byte[] checkAgainst, short checkIdx, byte pinProtocol,
+                               boolean invalidateToken) {
         if (pinProtocol != transientStorage.getPinProtocolInUse()) {
             // Can't use PIN protocol 1 with tokens created with v2 or vice versa
             sendErrorByte(apdu, FIDOConstants.CTAP2_ERR_PIN_AUTH_INVALID);
@@ -1435,7 +1437,7 @@ private void checkPinToken(APDU apdu, byte[] content, short contentIdx, short co
 
         bufferManager.release(apdu, scratchHandle, (short) 32);
 
-        if (ONE_USE_PER_PIN_TOKEN) {
+        if (invalidateToken && ONE_USE_PER_PIN_TOKEN) {
             transientStorage.setPinProtocolInUse((byte) 3, (byte) 0);
         }
     }
@@ -1449,10 +1451,11 @@ private void checkPinToken(APDU apdu, byte[] content, short contentIdx, short co
      * @param clientDataHashBuffer Buffer containing client data hash
      * @param clientDataHashIdx    Index of the hash of the clientData object, as given by the platform
      * @param pinProtocol          Integer PIN protocol number
+     * @param invalidateToken      If true, consider invalidating the PIN token
      */
     private void verifyPinAuth(APDU apdu, byte[] buffer, short readIdx,
                                byte[] clientDataHashBuffer, short clientDataHashIdx,
-                               byte pinProtocol) {
+                               byte pinProtocol, boolean invalidateToken) {
         byte desiredLength = 16;
         if (pinProtocol == 2) {
             desiredLength = 32;
@@ -1490,7 +1493,7 @@ private void verifyPinAuth(APDU apdu, byte[] buffer, short readIdx,
         }
 
         checkPinToken(apdu, clientDataHashBuffer, clientDataHashIdx, CLIENT_DATA_HASH_LEN,
-                buffer, readIdx, pinProtocol);
+                buffer, readIdx, pinProtocol, invalidateToken);
     }
 
     /**
@@ -2147,17 +2150,18 @@ private void getAssertion(final APDU apdu, final short lc, final byte[] buffer,
                 }
 
                 // check the provided PIN
-                byte pinPermissions = transientStorage.getPinPermissions();
+                final byte pinPermissions = transientStorage.getPinPermissions();
+                final boolean shouldInvalidatePinToken = transientStorage.hasUPOption();
 
                 verifyPinAuth(apdu, buffer, pinAuthIdx, clientDataHashBuffer, clientDataHashIdx,
-                        stateKeepingBuffer[stateKeepingIdx]);
+                        stateKeepingBuffer[stateKeepingIdx], shouldInvalidatePinToken);
 
                 if ((pinPermissions & FIDOConstants.PERM_GET_ASSERTION) == 0) {
                     // PIN token doesn't have permission for the GA operation
                     sendErrorByte(apdu, FIDOConstants.CTAP2_ERR_PIN_AUTH_INVALID);
                 }
 
-                if (WRITES_INVALIDATE_PINS) {
+                if (WRITES_INVALIDATE_PINS && shouldInvalidatePinToken) {
                     transientStorage.setPinProtocolInUse((byte) 3, (byte) 0);
                 }
 
@@ -3904,7 +3908,7 @@ private void handleLargeBlobs(APDU apdu, byte[] reqBuffer, short lc) {
                 byte pinPerms = transientStorage.getPinPermissions();
 
                 checkPinToken(apdu, scratch, scratchOffset, (short) 70,
-                        reqBuffer, pinUvAuthIdx, pinProtocol);
+                        reqBuffer, pinUvAuthIdx, pinProtocol, true);
 
                 if ((pinPerms & FIDOConstants.PERM_LARGE_BLOB_WRITE) == 0x00) {
                     sendErrorByte(apdu, FIDOConstants.CTAP2_ERR_PIN_AUTH_INVALID);
@@ -4458,7 +4462,7 @@ private void authenticatorConfigSubcommand(APDU apdu, byte[] reqBuffer, short lc
             }
 
             checkPinToken(apdu, scratchBuffer, scratchOffset, bufferSize,
-                    reqBuffer, authIndex, pinProtocol);
+                    reqBuffer, authIndex, pinProtocol, true);
 
             if (WRITES_INVALIDATE_PINS) {
                 transientStorage.setPinProtocolInUse((byte) 3, (byte) 0);
@@ -4727,10 +4731,10 @@ private void credManagementSubcommand(APDU apdu, byte[] buffer, short lc) {
                 // Straight-up mangle the input buffer to put the command byte immediately before the subcommand params
                 buffer[(short)(subCommandParamsIdx - 1)] = buffer[subCommandIdx];
                 checkPinToken(apdu, buffer, (short) (subCommandParamsIdx - 1), (short) (subCommandParamsLen + 1),
-                        buffer, readIdx, pinProtocol);
+                        buffer, readIdx, pinProtocol, true);
             } else {
                 checkPinToken(apdu, buffer, subCommandIdx, (short) 1,
-                        buffer, readIdx, pinProtocol);
+                        buffer, readIdx, pinProtocol, true);
             }
         }