Minor compatibility fixups

BryanJacobs · BryanJacobs · commit f76cbbcaa2e8 · 2023-08-24T20:35:20.000+10:00
diff --git a/python_tests/ctap/test_ctap_basics.py b/python_tests/ctap/test_ctap_basics.py
@@ -189,6 +189,10 @@ def test_multiple_matching_rks(self):
             [x.credential['id'] for x in asserts]
         )
 
+    def test_accepts_long_utf8_display_name(self):
+        self.basic_makecred_params['user']['display_name'] = "猫" * 144
+        self.ctap2.make_credential(**self.basic_makecred_params)
+
     def test_makecred_rk_disallowed_by_exclude_list(self):
         non_resident_cred = self.ctap2.make_credential(**self.basic_makecred_params)
         self.basic_makecred_params['options'] = {
diff --git a/src/main/java/us/q3q/fido2/FIDO2Applet.java b/src/main/java/us/q3q/fido2/FIDO2Applet.java
@@ -723,7 +723,7 @@ private void makeCredential(APDU apdu, short lc, byte[] buffer) {
                     }
                     continue;
                 case 0x07: // options
-                    readIdx = processOptionsMap(apdu, buffer, readIdx, lc, true);
+                    readIdx = processOptionsMap(apdu, buffer, readIdx, lc, true, true);
                     continue;
                 case 0x08: // pinAuth
                     // Read past this, because we need the pinProtocol option first
@@ -1978,7 +1978,7 @@ private void getAssertion(final APDU apdu, final short lc, final byte[] buffer,
 
                         break;
                     case 0x05: // options
-                        readIdx = processOptionsMap(apdu, buffer, readIdx, lc, false);
+                        readIdx = processOptionsMap(apdu, buffer, readIdx, lc, false, false);
                         break;
                     case 0x06: // pinAuth
                         pinAuthIdx = readIdx;
@@ -2555,10 +2555,11 @@ private void defaultOptions() {
      * @param readIdx Read index into request buffer
      * @param lc Length of incoming request, as sent by the platform
      * @param requireUP Disallow UP=false, and set UP=true afterwards if option omitted
+     * @param allowRK If false, error on the RK option (with any value)
      *
      * @return New read index after consuming the options map object
      */
-    private short processOptionsMap(APDU apdu, byte[] buffer, short readIdx, short lc, boolean requireUP) {
+    private short processOptionsMap(APDU apdu, byte[] buffer, short readIdx, short lc, boolean requireUP, boolean allowRK) {
         short numOptions = getMapEntryCount(apdu, buffer[readIdx++]);
         if (readIdx >= lc) {
             sendErrorByte(apdu, FIDOConstants.CTAP2_ERR_INVALID_CBOR);
@@ -2586,6 +2587,9 @@ private short processOptionsMap(APDU apdu, byte[] buffer, short readIdx, short l
                 } else {
                     sendErrorByte(apdu, FIDOConstants.CTAP2_ERR_CBOR_UNEXPECTED_TYPE);
                 }
+                if (!allowRK) {
+                    sendErrorByte(apdu, FIDOConstants.CTAP2_ERR_INVALID_OPTION);
+                }
             } else {
                 short pOrVPos = ++readIdx;
 
@@ -3254,9 +3258,6 @@ private short consumeMapAndGetID(APDU apdu, byte[] buffer, short readIdx, short
             if (isType && foundType) {
                 sendErrorByte(apdu, FIDOConstants.CTAP2_ERR_INVALID_CBOR);
             }
-            /*if (keyLen == 4 && buffer[readIdx] == 'i' && buffer[(short)(readIdx+1)] == 'c'
-                    && buffer[(short)(readIdx+2)] == 'o' && buffer[(short)(readIdx+3)] == 'n') {
-            }*/
 
             readIdx += keyLen;
             if (readIdx >= lc) {
@@ -3269,7 +3270,7 @@ private short consumeMapAndGetID(APDU apdu, byte[] buffer, short readIdx, short
             }
             short idPos = readIdx;
 
-            byte valLen = 0;
+            short valLen = 0;
             if (valDef == 0x78 || valDef == 0x58) {
                 if (isId) {
                     if (valDef == 0x78 && byteString) {
@@ -3292,6 +3293,13 @@ private short consumeMapAndGetID(APDU apdu, byte[] buffer, short readIdx, short
                 if (readIdx >= lc) {
                     sendErrorByte(apdu, FIDOConstants.CTAP2_ERR_INVALID_CBOR);
                 }
+            } else if (valDef == 0x79) {
+                if (isId) {
+                    // Whoa nelly.
+                    sendErrorByte(apdu, FIDOConstants.CTAP2_ERR_CBOR_UNEXPECTED_TYPE);
+                }
+                valLen = Util.getShort(buffer, readIdx);
+                readIdx += 2;
             } else if (valDef >= 0x60 && valDef < 0x78) {
                 if (isId && byteString) {
                     sendErrorByte(apdu, FIDOConstants.CTAP2_ERR_CBOR_UNEXPECTED_TYPE);
@@ -3316,7 +3324,7 @@ private short consumeMapAndGetID(APDU apdu, byte[] buffer, short readIdx, short
 
             if (isId) {
                 foundId = true;
-                transientStorage.setStoredVars(idPos, valLen);
+                transientStorage.setStoredVars(idPos, (byte) valLen);
             }
 
             if (!foundType && isType && checkTypePublicKey) {
@@ -3326,7 +3334,7 @@ private short consumeMapAndGetID(APDU apdu, byte[] buffer, short readIdx, short
                         CannedCBOR.PUBLIC_KEY_TYPE, (short) 0, valLen) == 0;
             }
 
-            readIdx += ub(valLen);
+            readIdx += valLen;
             if (readIdx >= lc) {
                 sendErrorByte(apdu, FIDOConstants.CTAP2_ERR_INVALID_CBOR);
             }
