Updates UP and UV requirements (#749)

kaczmarczyck · web-flow · commit 90639f42a8e9 · 2025-08-05T16:02:44.000+02:00
* Updates UP and UV requirements

Fixes how devices with fingerprint recognize the contributions of
internal UV to grant UP and UV.

* Also adds UP caching to clientPin
diff --git a/libraries/opensk/src/ctap/client_pin.rs b/libraries/opensk/src/ctap/client_pin.rs
@@ -339,7 +339,7 @@ impl<E: Env> ClientPin<E> {
         self.pin_protocol_v1.reset_pin_uv_auth_token(env);
         self.pin_protocol_v2.reset_pin_uv_auth_token(env);
         self.pin_uv_auth_token_state
-            .begin_using_pin_uv_auth_token(env);
+            .begin_using_pin_uv_auth_token(env, false);
         self.pin_uv_auth_token_state.set_default_permissions();
         let pin_uv_auth_token = shared_secret.encrypt(
             env,
@@ -402,7 +402,7 @@ impl<E: Env> ClientPin<E> {
         self.pin_protocol_v1.reset_pin_uv_auth_token(env);
         self.pin_protocol_v2.reset_pin_uv_auth_token(env);
         self.pin_uv_auth_token_state
-            .begin_using_pin_uv_auth_token(env);
+            .begin_using_pin_uv_auth_token(env, true);
         let pin_uv_auth_token = shared_secret.encrypt(
             env,
             self.get_pin_protocol(pin_uv_auth_protocol)
@@ -609,6 +609,7 @@ impl<E: Env> ClientPin<E> {
 
     /// Consumes flags and permissions related to the pinUvAuthToken.
     pub fn clear_token_flags(&mut self) {
+        self.pin_uv_auth_token_state.clear_user_present_flag();
         self.pin_uv_auth_token_state.clear_user_verified_flag();
         self.pin_uv_auth_token_state
             .clear_pin_uv_auth_token_permissions_except_lbw();
@@ -620,6 +621,11 @@ impl<E: Env> ClientPin<E> {
             .pin_uv_auth_token_usage_timer_observer(env);
     }
 
+    /// Returns if user presence is cached for use of the pinUvAuthToken.
+    pub fn get_user_present_flag(&mut self) -> bool {
+        self.pin_uv_auth_token_state.get_user_present_flag_value()
+    }
+
     /// Checks if user verification is cached for use of the pinUvAuthToken.
     pub fn check_user_verified_flag(&mut self) -> CtapResult<()> {
         if self.pin_uv_auth_token_state.get_user_verified_flag_value() {
@@ -686,7 +692,7 @@ impl<E: Env> ClientPin<E> {
         };
         let mut pin_uv_auth_token_state = PinUvAuthTokenState::new();
         pin_uv_auth_token_state.set_permissions(0xFF);
-        pin_uv_auth_token_state.begin_using_pin_uv_auth_token(env);
+        pin_uv_auth_token_state.begin_using_pin_uv_auth_token(env, true);
         Self {
             pin_protocol_v1: PinProtocol::new_test(key_agreement_key_v1, pin_uv_auth_token),
             pin_protocol_v2: PinProtocol::new_test(key_agreement_key_v2, pin_uv_auth_token),
@@ -1727,7 +1733,7 @@ mod test {
         assert!(!client_pin.has_token(&mut env));
         client_pin
             .pin_uv_auth_token_state
-            .begin_using_pin_uv_auth_token(&mut env);
+            .begin_using_pin_uv_auth_token(&mut env, false);
         assert!(client_pin.has_token(&mut env));
 
         let pin_uv_auth_token_v1 = client_pin
diff --git a/libraries/opensk/src/ctap/mod.rs b/libraries/opensk/src/ctap/mod.rs
@@ -763,6 +763,14 @@ impl<E: Env> CtapState<E> {
         Ok(())
     }
 
+    fn has_valid_up(&mut self, has_pin_uv_auth_param: bool, has_uv_option: bool) -> bool {
+        if has_pin_uv_auth_param {
+            self.client_pin.get_user_present_flag()
+        } else {
+            has_uv_option
+        }
+    }
+
     fn process_make_credential(
         &mut self,
         env: &mut E,
@@ -812,10 +820,7 @@ impl<E: Env> CtapState<E> {
             false
         };
 
-        // MakeCredential always requires user presence.
-        // User verification depends on the PIN auth inputs, which are checked here.
-        // The ED flag is added later, if applicable.
-        let has_uv = pin_uv_auth_param.is_some();
+        let has_pin_uv_auth_param = pin_uv_auth_param.is_some();
         let mut flags = match pin_uv_auth_param {
             Some(pin_uv_auth_param) => {
                 // This case is not mentioned in CTAP2.1, so we keep 2.0 logic.
@@ -860,8 +865,11 @@ impl<E: Env> CtapState<E> {
                 }
             }
         };
+        // MakeCredential always requires user presence.
+        // The ED flag is added later, if applicable.
         flags |= UP_FLAG | AT_FLAG;
 
+        let has_uv = has_pin_uv_auth_param || options.uv;
         let rp_id_hash = Sha::<E>::digest(rp_id.as_bytes());
         if let Some(exclude_list) = exclude_list {
             for cred_desc in exclude_list {
@@ -885,7 +893,9 @@ impl<E: Env> CtapState<E> {
             }
         }
 
-        check_user_presence(env, channel)?;
+        if !self.has_valid_up(has_pin_uv_auth_param, options.uv) {
+            check_user_presence(env, channel)?;
+        }
         self.client_pin.clear_token_flags();
 
         let default_cred_protect = env.customization().default_cred_protect();
@@ -1191,9 +1201,7 @@ impl<E: Env> CtapState<E> {
             return Err(Ctap2StatusCode::CTAP2_ERR_UNSUPPORTED_OPTION);
         }
 
-        // The user verification bit depends on the existance of PIN auth, since we do
-        // not support internal UV. User presence is requested as an option.
-        let has_uv = pin_uv_auth_param.is_some();
+        let has_pin_uv_auth_param = pin_uv_auth_param.is_some();
         let mut flags = match pin_uv_auth_param {
             Some(pin_uv_auth_param) => {
                 // This case is not mentioned in CTAP2.1, so we keep 2.0 logic.
@@ -1240,6 +1248,7 @@ impl<E: Env> CtapState<E> {
             flags |= ED_FLAG;
         }
 
+        let has_uv = has_pin_uv_auth_param || options.uv;
         let rp_id_hash = Sha::<E>::digest(rp_id.as_bytes());
         let (credential, next_credential_keys) = if let Some(allow_list) = allow_list {
             (
@@ -1280,7 +1289,7 @@ impl<E: Env> CtapState<E> {
         let credential = credential.ok_or(Ctap2StatusCode::CTAP2_ERR_NO_CREDENTIALS)?;
 
         // This check comes before CTAP2_ERR_NO_CREDENTIALS in CTAP 2.0.
-        if options.up {
+        if options.up && !self.has_valid_up(has_pin_uv_auth_param, options.uv) {
             check_user_presence(env, channel)?;
             self.client_pin.clear_token_flags();
         }
@@ -2393,6 +2402,39 @@ mod test {
         );
     }
 
+    #[test]
+    #[cfg(feature = "fingerprint")]
+    fn test_process_make_credential_cached_up() {
+        let mut env = TestEnv::default();
+        let key_agreement_key = EcdhSk::<TestEnv>::random(env.rng());
+        let pin_uv_auth_token = [0x88; 32];
+        let pin_uv_auth_protocol = PinUvAuthProtocol::V2;
+        let client_pin = ClientPin::<TestEnv>::new_test(
+            &mut env,
+            key_agreement_key,
+            pin_uv_auth_token,
+            pin_uv_auth_protocol,
+        );
+        let mut ctap_state = CtapState::<TestEnv>::new(&mut env);
+        env.create_fingerprint().unwrap();
+        ctap_state.client_pin = client_pin;
+
+        env.persist().set_pin(&[0u8; 16], 4).unwrap();
+        env.user_presence().set(|| Err(UserPresenceError::Canceled));
+        let client_data_hash = [0xCD];
+        let pin_uv_auth_param = authenticate_pin_uv_auth_token(
+            &pin_uv_auth_token,
+            &client_data_hash,
+            pin_uv_auth_protocol,
+        );
+        let mut make_credential_params = create_minimal_make_credential_parameters();
+        make_credential_params.pin_uv_auth_param = Some(pin_uv_auth_param);
+        make_credential_params.pin_uv_auth_protocol = Some(pin_uv_auth_protocol);
+        assert!(ctap_state
+            .process_make_credential(&mut env, make_credential_params, DUMMY_CHANNEL)
+            .is_ok());
+    }
+
     fn check_assertion_response_with_user(
         response: CtapResult<ResponseData>,
         expected_user: Option<PublicKeyCredentialUserEntity>,
@@ -2501,6 +2543,107 @@ mod test {
         check_assertion_response(get_assertion_response, vec![0x1D], signature_counter, None);
     }
 
+    #[test]
+    fn test_process_get_assertion_cancelled() {
+        let mut env = TestEnv::default();
+        let mut ctap_state = CtapState::<TestEnv>::new(&mut env);
+
+        let make_credential_params = create_minimal_make_credential_parameters();
+        assert!(ctap_state
+            .process_make_credential(&mut env, make_credential_params, DUMMY_CHANNEL)
+            .is_ok());
+
+        env.user_presence().set(|| Err(UserPresenceError::Canceled));
+        let get_assertion_params = AuthenticatorGetAssertionParameters {
+            rp_id: String::from("example.com"),
+            client_data_hash: vec![0xCD],
+            allow_list: None,
+            extensions: GetAssertionExtensions::default(),
+            options: GetAssertionOptions {
+                up: true,
+                uv: false,
+            },
+            pin_uv_auth_param: None,
+            pin_uv_auth_protocol: None,
+        };
+        let get_assertion_response =
+            ctap_state.process_get_assertion(&mut env, get_assertion_params, DUMMY_CHANNEL);
+        assert_eq!(
+            get_assertion_response,
+            Err(Ctap2StatusCode::CTAP2_ERR_KEEPALIVE_CANCEL)
+        );
+    }
+
+    #[test]
+    #[cfg(feature = "fingerprint")]
+    fn test_process_get_assertion_up_through_fingerprint() {
+        let mut env = TestEnv::default();
+        let mut ctap_state = CtapState::<TestEnv>::new(&mut env);
+
+        let make_credential_params = create_minimal_make_credential_parameters();
+        assert!(ctap_state
+            .process_make_credential(&mut env, make_credential_params, DUMMY_CHANNEL)
+            .is_ok());
+
+        env.user_presence().set(|| Err(UserPresenceError::Canceled));
+        env.create_fingerprint().unwrap();
+        let get_assertion_params = AuthenticatorGetAssertionParameters {
+            rp_id: String::from("example.com"),
+            client_data_hash: vec![0xCD],
+            allow_list: None,
+            extensions: GetAssertionExtensions::default(),
+            options: GetAssertionOptions { up: true, uv: true },
+            pin_uv_auth_param: None,
+            pin_uv_auth_protocol: None,
+        };
+        let get_assertion_response =
+            ctap_state.process_get_assertion(&mut env, get_assertion_params, DUMMY_CHANNEL);
+        let expected_user = PublicKeyCredentialUserEntity {
+            user_id: vec![0x1D],
+            user_name: None,
+            user_display_name: None,
+            user_icon: None,
+        };
+        let signature_counter = env.persist().global_signature_counter().unwrap();
+        check_assertion_response_with_user(
+            get_assertion_response,
+            Some(expected_user),
+            0x05,
+            signature_counter,
+            None,
+            &[],
+        );
+    }
+
+    #[test]
+    #[cfg(not(feature = "fingerprint"))]
+    fn test_process_get_assertion_no_uv_from_fingerprint() {
+        let mut env = TestEnv::default();
+        let mut ctap_state = CtapState::<TestEnv>::new(&mut env);
+
+        let make_credential_params = create_minimal_make_credential_parameters();
+        assert!(ctap_state
+            .process_make_credential(&mut env, make_credential_params, DUMMY_CHANNEL)
+            .is_ok());
+
+        env.user_presence().set(|| Err(UserPresenceError::Canceled));
+        let get_assertion_params = AuthenticatorGetAssertionParameters {
+            rp_id: String::from("example.com"),
+            client_data_hash: vec![0xCD],
+            allow_list: None,
+            extensions: GetAssertionExtensions::default(),
+            options: GetAssertionOptions { up: true, uv: true },
+            pin_uv_auth_param: None,
+            pin_uv_auth_protocol: None,
+        };
+        let get_assertion_response =
+            ctap_state.process_get_assertion(&mut env, get_assertion_params, DUMMY_CHANNEL);
+        assert_eq!(
+            get_assertion_response,
+            Err(Ctap2StatusCode::CTAP2_ERR_INVALID_OPTION)
+        );
+    }
+
     fn get_assertion_hmac_secret_params(
         key_agreement_key: EcdhSk<TestEnv>,
         key_agreement_response: ResponseData,
diff --git a/libraries/opensk/src/ctap/token_state.rs b/libraries/opensk/src/ctap/token_state.rs
@@ -37,6 +37,7 @@ pub struct PinUvAuthTokenState<E: Env> {
     permissions_set: u8,
     permissions_rp_id: Option<String>,
     usage_timer: <E::Clock as Clock>::Timer,
+    user_present: bool,
     user_verified: bool,
     in_use: bool,
 }
@@ -48,6 +49,7 @@ impl<E: Env> PinUvAuthTokenState<E> {
             permissions_set: 0,
             permissions_rp_id: None,
             usage_timer: <E::Clock as Clock>::Timer::default(),
+            user_present: false,
             user_verified: false,
             in_use: false,
         }
@@ -110,7 +112,8 @@ impl<E: Env> PinUvAuthTokenState<E> {
     }
 
     /// Starts the timer for pinUvAuthToken usage.
-    pub fn begin_using_pin_uv_auth_token(&mut self, env: &mut E) {
+    pub fn begin_using_pin_uv_auth_token(&mut self, env: &mut E, user_is_present: bool) {
+        self.user_present = user_is_present;
         self.user_verified = true;
         self.usage_timer = env.clock().make_timer(INITIAL_USAGE_TIME_LIMIT_MS);
         self.in_use = true;
@@ -126,11 +129,21 @@ impl<E: Env> PinUvAuthTokenState<E> {
         }
     }
 
+    /// Returns whether the user is present.
+    pub fn get_user_present_flag_value(&self) -> bool {
+        self.in_use && self.user_present
+    }
+
     /// Returns whether the user is verified.
     pub fn get_user_verified_flag_value(&self) -> bool {
         self.in_use && self.user_verified
     }
 
+    /// Consumes the user presence.
+    pub fn clear_user_present_flag(&mut self) {
+        self.user_present = false;
+    }
+
     /// Consumes the user verification.
     pub fn clear_user_verified_flag(&mut self) {
         self.user_verified = false;
@@ -146,6 +159,7 @@ impl<E: Env> PinUvAuthTokenState<E> {
         self.permissions_rp_id = None;
         self.permissions_set = 0;
         self.usage_timer = <E::Clock as Clock>::Timer::default();
+        self.user_present = false;
         self.user_verified = false;
         self.in_use = false;
     }
@@ -161,7 +175,7 @@ mod test {
     fn test_observer() {
         let mut env = TestEnv::default();
         let mut token_state = PinUvAuthTokenState::<TestEnv>::new();
-        token_state.begin_using_pin_uv_auth_token(&mut env);
+        token_state.begin_using_pin_uv_auth_token(&mut env, false);
         assert!(token_state.is_in_use());
         env.clock().advance(100);
         token_state.pin_uv_auth_token_usage_timer_observer(&mut env);
@@ -175,7 +189,7 @@ mod test {
     fn test_stop() {
         let mut env = TestEnv::default();
         let mut token_state = PinUvAuthTokenState::<TestEnv>::new();
-        token_state.begin_using_pin_uv_auth_token(&mut env);
+        token_state.begin_using_pin_uv_auth_token(&mut env, false);
         assert!(token_state.is_in_use());
         token_state.stop_using_pin_uv_auth_token();
         assert!(!token_state.is_in_use());
@@ -257,16 +271,33 @@ mod test {
         );
     }
 
+    #[test]
+    fn test_user_present_flag() {
+        let mut env = TestEnv::default();
+        let mut token_state = PinUvAuthTokenState::<TestEnv>::new();
+        assert!(!token_state.get_user_present_flag_value());
+        token_state.begin_using_pin_uv_auth_token(&mut env, false);
+        assert!(!token_state.get_user_present_flag_value());
+        token_state.begin_using_pin_uv_auth_token(&mut env, true);
+        assert!(token_state.get_user_present_flag_value());
+        token_state.clear_user_present_flag();
+        assert!(!token_state.get_user_present_flag_value());
+        token_state.begin_using_pin_uv_auth_token(&mut env, true);
+        assert!(token_state.get_user_present_flag_value());
+        token_state.stop_using_pin_uv_auth_token();
+        assert!(!token_state.get_user_present_flag_value());
+    }
+
     #[test]
     fn test_user_verified_flag() {
         let mut env = TestEnv::default();
         let mut token_state = PinUvAuthTokenState::<TestEnv>::new();
         assert!(!token_state.get_user_verified_flag_value());
-        token_state.begin_using_pin_uv_auth_token(&mut env);
+        token_state.begin_using_pin_uv_auth_token(&mut env, false);
         assert!(token_state.get_user_verified_flag_value());
         token_state.clear_user_verified_flag();
         assert!(!token_state.get_user_verified_flag_value());
-        token_state.begin_using_pin_uv_auth_token(&mut env);
+        token_state.begin_using_pin_uv_auth_token(&mut env, false);
         assert!(token_state.get_user_verified_flag_value());
         token_state.stop_using_pin_uv_auth_token();
         assert!(!token_state.get_user_verified_flag_value());
