Better credProtect indirect exclusion handling

BryanJacobs · BryanJacobs · commit e42e9fbb4eda · 2023-08-05T18:39:41.000+10:00
diff --git a/python_tests/ctap/test_credprotect.py b/python_tests/ctap/test_credprotect.py
@@ -129,13 +129,64 @@ def test_deviations_from_expectations(self, _, level, policy,
                                        level, policy, UserVerificationRequirement.DISCOURAGED,
                                        resident, discoverable_afterwards, usable_afterwards)
 
+    def test_strong_protected_creds_ignored_on_exclude_list_without_pin(self):
+        policy = CredProtectExtension.POLICY.REQUIRED
+        client = self.get_high_level_client(extensions=[CredProtectExtension])
+        res = client.make_credential(options=self.get_high_level_make_cred_options(
+            ResidentKeyRequirement.DISCOURAGED,
+            {
+                "credentialProtectionPolicy": policy
+            }
+        ))
+        self.basic_makecred_params['exclude_list'] = [{
+            "type": "public-key",
+            "id": res.attestation_object.auth_data.credential_data.credential_id
+        }]
+
+        self.ctap2.make_credential(**self.basic_makecred_params)
+
+    def test_level_3_protected_creds_ignored_on_exclude_list_without_pin(self):
+        policy = CredProtectExtension.POLICY.REQUIRED
+        client = self.get_high_level_client(extensions=[CredProtectExtension])
+        res = client.make_credential(options=self.get_high_level_make_cred_options(
+            ResidentKeyRequirement.REQUIRED,
+            {
+                "credentialProtectionPolicy": policy
+            }
+        ))
+        self.basic_makecred_params['exclude_list'] = [{
+            "type": "public-key",
+            "id": res.attestation_object.auth_data.credential_data.credential_id
+        }]
+
+        self.ctap2.make_credential(**self.basic_makecred_params)
+
+    def test_level_2_protected_creds_effective_on_exclude_list_without_pin(self):
+        policy = CredProtectExtension.POLICY.OPTIONAL_WITH_LIST
+        client = self.get_high_level_client(extensions=[CredProtectExtension])
+        res = client.make_credential(options=self.get_high_level_make_cred_options(
+            ResidentKeyRequirement.REQUIRED,
+            {
+                "credentialProtectionPolicy": policy
+            }
+        ))
+        self.basic_makecred_params['exclude_list'] = [{
+            "type": "public-key",
+            "id": res.attestation_object.auth_data.credential_data.credential_id
+        }]
+
+        with self.assertRaises(CtapError) as e:
+            self.ctap2.make_credential(**self.basic_makecred_params)
+
+        self.assertEqual(CtapError.ERR.CREDENTIAL_EXCLUDED, e.exception.code)
+
 
 class CredProtectRKVisTestCase(CredManagementBaseTestCase):
     @parameterized.expand([
         ("Level 3", 3, CredProtectExtension.POLICY.REQUIRED),
         ("Level 2", 2, CredProtectExtension.POLICY.OPTIONAL_WITH_LIST),
         ("Level 1", 1, CredProtectExtension.POLICY.OPTIONAL),
-        ("Omitted", 0, None),
+        ("Omitted", 1, None),
     ])
     def test_cred_protect_level_rk_visibility(self, _, level, policy):
         client = self.get_high_level_client(extensions=[CredProtectExtension],
diff --git a/src/main/java/us/q3q/fido2/FIDO2Applet.java b/src/main/java/us/q3q/fido2/FIDO2Applet.java
@@ -832,7 +832,7 @@ private void makeCredential(APDU apdu, short lc, byte[] buffer) {
 
                 if (checkCredential(buffer, credIdIdx, CREDENTIAL_ID_LEN,
                         scratchRPIDHashBuffer, scratchRPIDHashOffset,
-                        scratchCredBuffer, scratchCredOffset, (short) -1, true)) {
+                        scratchCredBuffer, scratchCredOffset, (short) -1, pinAuthSuccess)) {
                     // This credential is a valid non-discoverable cred.
                     sendErrorByte(apdu, FIDOConstants.CTAP2_ERR_CREDENTIAL_EXCLUDED);
                 }
@@ -987,7 +987,12 @@ private void makeCredential(APDU apdu, short lc, byte[] buffer) {
                 initSymmetricWrapperForRK(targetRKSlot, RK_IV_CRED_BLOB);
                 symmetricWrap(residentKeyCredBlobs, (short)(targetRKSlot * MAX_CRED_BLOB_LEN), MAX_CRED_BLOB_LEN,
                         residentKeyCredBlobs, (short) (targetRKSlot * MAX_CRED_BLOB_LEN));
-                byte residentKeyFlagByte = (byte) (0x80 | credProtectLevel);
+                byte effectiveCPLevel = credProtectLevel;
+                if (effectiveCPLevel == 0) {
+                    // "default" creds are saved as level one
+                    effectiveCPLevel = 1;
+                }
+                byte residentKeyFlagByte = (byte) (0x80 | effectiveCPLevel);
                 if (!foundMatchingRK) {
                     // We're filling an empty slot
                     numResidentCredentials++;
