clientPin: Support getRetries without PIN protocol

robin-nitrokey · robin-nitrokey · commit 5ebb4a48302e · 2025-05-12T17:42:26.000+02:00
This fixes compatibility with CTAP 2.1. Fixes: #118
diff --git a/Cargo.toml b/Cargo.toml
@@ -16,7 +16,7 @@ required-features = ["dispatch"]
 
 [dependencies]
 cbor-smol = { version = "0.5" }
-ctap-types = { version = "0.3.1", features = ["get-info-full", "large-blobs", "third-party-payment"] }
+ctap-types = { version = "0.4", features = ["get-info-full", "large-blobs", "third-party-payment"] }
 cosey = "0.3"
 delog = "0.1.0"
 heapless = "0.7"
diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml
@@ -8,7 +8,7 @@ edition = "2021"
 cargo-fuzz = true
 
 [dependencies]
-ctap-types = { version = "0.3.0", features = ["arbitrary"] }
+ctap-types = { version = "0.4", features = ["arbitrary"] }
 libfuzzer-sys = "0.4"
 trussed = { version = "0.1", features = ["clients-1", "certificate-client", "crypto-client", "filesystem-client", "management-client", "aes256-cbc", "ed255", "p256", "sha256"] }
 trussed-staging = { version = "0.3.0", features = ["chunked", "hkdf", "virt", "fs-info"] }
diff --git a/src/ctap2.rs b/src/ctap2.rs
@@ -530,7 +530,10 @@ impl<UP: UserPresence, T: TrussedRequirements> Authenticator for crate::Authenti
         debug_now!("CTAP2.PIN...");
         // info_now!("{:?}", parameters);
 
-        let pin_protocol = self.parse_pin_protocol(parameters.pin_protocol)?;
+        let pin_protocol = parameters
+            .pin_protocol
+            .ok_or(Error::MissingParameter)
+            .and_then(|pin_protocol| self.parse_pin_protocol(pin_protocol));
         let mut response = ctap2::client_pin::Response::default();
 
         match parameters.sub_command {
@@ -543,6 +546,7 @@ impl<UP: UserPresence, T: TrussedRequirements> Authenticator for crate::Authenti
             Subcommand::GetKeyAgreement => {
                 debug_now!("CTAP2.Pin.GetKeyAgreement");
 
+                let pin_protocol = pin_protocol?;
                 response.key_agreement = Some(self.pin_protocol(pin_protocol).key_agreement_key());
             }
 
@@ -567,6 +571,7 @@ impl<UP: UserPresence, T: TrussedRequirements> Authenticator for crate::Authenti
                         return Err(Error::MissingParameter);
                     }
                 };
+                let pin_protocol = pin_protocol?;
 
                 // 2. is pin already set
                 if self.state.persistent.pin_is_set() {
@@ -624,6 +629,7 @@ impl<UP: UserPresence, T: TrussedRequirements> Authenticator for crate::Authenti
                         return Err(Error::MissingParameter);
                     }
                 };
+                let pin_protocol = pin_protocol?;
 
                 // 2. fail if no retries left
                 self.state.pin_blocked()?;
@@ -679,7 +685,7 @@ impl<UP: UserPresence, T: TrussedRequirements> Authenticator for crate::Authenti
                     .ok_or(Error::MissingParameter)?;
 
                 // 2. Check PIN protocol
-                let pin_protocol = self.parse_pin_protocol(parameters.pin_protocol)?;
+                let pin_protocol = pin_protocol?;
 
                 // 3. + 4. Check invalid parameters
                 if parameters.permissions.is_some() || parameters.rp_id.is_some() {
@@ -744,7 +750,7 @@ impl<UP: UserPresence, T: TrussedRequirements> Authenticator for crate::Authenti
                 let permissions = parameters.permissions.ok_or(Error::MissingParameter)?;
 
                 // 2. Check PIN protocol
-                let pin_protocol = self.parse_pin_protocol(parameters.pin_protocol)?;
+                let pin_protocol = pin_protocol?;
 
                 // 3. Check that permissions are not empty
                 let permissions = Permissions::from_bits_truncate(permissions);
