save

Author: aterga

src/internet_identity/src/anchor_management/registration/registration_flow_v2.rs

@@ -4,8 +4,8 @@ use crate::anchor_management::registration::captcha::{
 use crate::anchor_management::registration::rate_limit::process_rate_limit;
 use crate::anchor_management::registration::Base64;
 use crate::anchor_management::{
-    activity_bookkeeping, add_openid_credential_skip_checks, check_openid_credential_is_unique,
-    post_operation_bookkeeping, set_name,
+    self, activity_bookkeeping, add_openid_credential_skip_checks,
+    check_openid_credential_is_unique, post_operation_bookkeeping, set_name,
 };
 use crate::state::flow_states::RegistrationFlowState;
 use crate::storage::anchor::{Anchor, Device};
@@ -17,10 +17,10 @@ use ic_cdk::caller;
 use ic_stable_structures::Memory;
 use internet_identity_interface::archive::types::{DeviceDataWithoutAlias, Operation};
 use internet_identity_interface::internet_identity::types::{
-    AuthnMethod, AuthorizationKey, CaptchaTrigger, CheckCaptchaArg, CheckCaptchaError,
-    CreateIdentityData, DeviceData, DeviceWithUsage, IdRegFinishArg, IdRegFinishError,
-    IdRegFinishResult, IdRegNextStepResult, IdRegStartError, IdentityNumber, OpenIDRegFinishArg,
-    RegistrationFlowNextStep, StaticCaptchaTrigger,
+    AuthnMethod, AuthnMethodData, AuthorizationKey, CaptchaTrigger, CheckCaptchaArg,
+    CheckCaptchaError, CreateIdentityData, DeviceData, DeviceWithUsage, IdRegFinishArg,
+    IdRegFinishError, IdRegFinishResult, IdRegNextStepResult, IdRegStartError, IdentityNumber,
+    OpenIDRegFinishArg, RegistrationFlowNextStep, StaticCaptchaTrigger,
 };
 
 impl RegistrationFlowState {
@@ -236,18 +236,6 @@ fn validate_identity_data<M: Memory + Clone>(
 ) -> Result<ValidatedCreateIdentityData, IdRegFinishError> {
     match &arg {
         CreateIdentityData::PubkeyAuthn(arg) => {
-            // Enforce global uniqueness of passkey pubkeys across all anchors.
-            if let AuthnMethod::WebAuthn(webauthn) = &arg.authn_method.authn_method {
-                if storage
-                    .lookup_anchor_with_passkey_pubkey(&webauthn.pubkey)
-                    .is_some()
-                {
-                    return Err(IdRegFinishError::InvalidAuthnMethod(
-                        "passkey with this public key is already used".to_string(),
-                    ));
-                }
-            }
-
             Ok(ValidatedCreateIdentityData::PubkeyAuthn(arg.clone()))
         }
         CreateIdentityData::OpenID(openid_registration_data) => {
@@ -323,6 +311,20 @@ fn apply_identity_data(
 }
 
 fn create_identity(arg: &CreateIdentityData, now: u64) -> Result<IdentityNumber, IdRegFinishError> {
+    // Enforce global uniqueness of passkey pubkeys across all anchors.
+    if let CreateIdentityData::PubkeyAuthn(IdRegFinishArg {
+        authn_method:
+            AuthnMethodData {
+                authn_method: AuthnMethod::WebAuthn(webauthn),
+                ..
+            },
+        ..
+    }) = &arg
+    {
+        anchor_management::check_passkey_pubkey_is_not_used(&webauthn.pubkey)
+            .map_err(|err| IdRegFinishError::InvalidAuthnMethod(err))?;
+    }
+
     let (identity_number, operation) = state::storage_borrow_mut(|storage| {
         let arg = validate_identity_data(storage, arg)?;
 

src/internet_identity/src/anchor_management/tentative_device_registration.rs

@@ -4,7 +4,7 @@ use crate::state::RegistrationState::{
     SessionTentativelyConfirmed,
 };
 use crate::state::TentativeDeviceRegistration;
-use crate::{secs_to_nanos, state};
+use crate::{anchor_management, secs_to_nanos, state};
 use candid::{CandidType, Principal};
 use ic_cdk::api::time;
 use ic_cdk::{call, trap};
@@ -101,6 +101,9 @@ pub async fn add_tentative_device(
                     state: DeviceRegistrationModeActive,
                     ..
                 } => {
+                    anchor_management::check_passkey_pubkey_is_not_used(&tentative_device.pubkey)
+                        .map_err(|_| AuthnMethodRegisterError::PasskeyWithThisPublicKeyIsAlreadyUsed)?;
+
                     registration.state = DeviceTentativelyAdded {
                         tentative_device,
                         failed_attempts: 0,

src/internet_identity/src/main.rs

@@ -144,10 +144,6 @@ async fn add_tentative_device(
     anchor_number: AnchorNumber,
     device_data: DeviceData,
 ) -> AddTentativeDeviceResponse {
-    if anchor_management::check_passkey_pubkey_is_not_used(&device_data.pubkey).is_err() {
-        return AddTentativeDeviceResponse::PasskeyWithThisPublicKeyIsAlreadyUsed;
-    };
-
     let result =
         tentative_device_registration::add_tentative_device(anchor_number, device_data).await;
     match result {
@@ -238,11 +234,9 @@ fn register(
 
 #[update]
 fn add(anchor_number: AnchorNumber, device_data: DeviceData) {
-    if let Err(err) = anchor_management::check_passkey_pubkey_is_not_used(&device_data.pubkey) {
-        trap(&err);
-    };
-
     anchor_operation_with_authz_check(anchor_number, |anchor| {
+        anchor_management::check_passkey_pubkey_is_not_used(&device_data.pubkey)?;
+
         Ok::<_, String>(((), anchor_management::add_device(anchor, device_data)))
     })
     .unwrap_or_else(|err| trap(err.as_str()))
@@ -1108,9 +1102,6 @@ mod v2_api {
         let device = DeviceWithUsage::try_from(authn_method)
             .map_err(|err| AuthnMethodRegisterError::InvalidMetadata(err.to_string()))?;
 
-        anchor_management::check_passkey_pubkey_is_not_used(&device.pubkey)
-            .map_err(|_| AuthnMethodRegisterError::PasskeyWithThisPublicKeyIsAlreadyUsed)?;
-
         tentative_device_registration::add_tentative_device(
             identity_number,
             DeviceData::from(device),

src/internet_identity/tests/integration/activity_stats/authn_methods.rs

@@ -1,7 +1,7 @@
 use crate::openid;
 use crate::v2_api::authn_method_test_helpers::{
     create_identity_with_authn_method, create_identity_with_openid_credential,
-    sample_webauthn_authn_method, test_authn_method,
+    sample_webauthn_authn_method,
 };
 use candid::Principal;
 use canister_tests::api::internet_identity as api;