Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update MDS to support undocumented FIDO additions #455

Merged
merged 1 commit into from
Nov 22, 2024
Merged

Update MDS to support undocumented FIDO additions #455

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion fido-mds/src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1126,7 +1126,7 @@ impl TryFrom<RawFidoDevice> for FidoDevice {
mut authenticator_get_info,
} = metadata_statement;

let status_reports: BTreeSet<_> = status_reports
let mut status_reports: BTreeSet<_> = status_reports
.into_iter()
.filter_map(|sr| {
sr.try_into()
Expand All @@ -1141,6 +1141,10 @@ impl TryFrom<RawFidoDevice> for FidoDevice {
})
.collect();

if let Some(status_report) = patch::mds_deny_insecure_authenticators(aaguid) {
status_reports.insert(status_report);
}

let attestation_root_certificates = attestation_root_certificates.into_iter()
.filter_map(|cert| {
let trim_cert = cert.trim();
Expand Down
14 changes: 14 additions & 0 deletions fido-mds/src/mds.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -103,6 +103,7 @@ pub struct BiometricAccuracyDescriptor {
/// in related biometricStatusReport as specified in FIDOMetadataService).
#[serde(rename = "selfAttestedFAR")]
pub self_attested_far: Option<f32>,

/// Maximum number of alternative templates from different fingers allowed (for other modalities,
/// multiple parts of the body that can be used interchangeably), e.g. 3 if the user is allowed
/// to enroll up to 3 different fingers to a fingerprint based authenticator.
Expand All @@ -115,6 +116,10 @@ pub struct BiometricAccuracyDescriptor {
/// until an alternative user verification method succeeded. All alternative user verification
/// methods must be specified appropriately in the metadata in userVerificationDetails.
pub block_slowdown: Option<u16>,

/// ⚠️ WARNING - CONTENT AND USE OF THIS VALUE IS NOT DOCUMENTED BY FIDO
#[serde(rename = "iAPARThreshold")]
pub iapar_threshold: Option<serde_json::Value>,
}

impl Hash for BiometricAccuracyDescriptor {
Expand Down Expand Up @@ -319,6 +324,9 @@ pub enum AuthenticationAlgorithm {
/// secp384r1_ecdsa_sha384_raw
#[serde(rename = "secp384r1_ecdsa_sha384_raw")]
Secp384r1EcdsaSha384Raw,
/// secp521r1_ecdsa_sha512_raw
#[serde(rename = "secp521r1_ecdsa_sha512_raw")]
Secp521r1EcdsaSha512Raw,
/// rsassa_pkcsv15_sha256_raw
#[serde(rename = "rsassa_pkcsv15_sha256_raw")]
RsassaPkcsv15Sha256Raw,
Expand Down Expand Up @@ -346,6 +354,9 @@ impl fmt::Display for AuthenticationAlgorithm {
AuthenticationAlgorithm::Secp384r1EcdsaSha384Raw => {
write!(f, "secp384r1_ecdsa_sha384_raw")
}
AuthenticationAlgorithm::Secp521r1EcdsaSha512Raw => {
write!(f, "secp521r1_ecdsa_sha512_raw")
}
AuthenticationAlgorithm::RsassaPkcsv15Sha256Raw => {
write!(f, "rsassa_pkcsv15_sha256_raw")
}
Expand Down Expand Up @@ -991,6 +1002,9 @@ pub struct StatusReport {
/// The Document Version of the Authenticator Security Requirements (DV)
/// FIDOAuthenticatorSecurityRequirements the implementation is certified to, e.g. "1.2.0".
pub certification_requirements_version: Option<String>,

/// ⚠️ WARNING - CONTENT AND USE OF THIS VALUE IS NOT DOCUMENTED BY FIDO
certification_profiles: Option<serde_json::Value>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
Expand Down
17 changes: 16 additions & 1 deletion fido-mds/src/patch.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
use crate::mds::{
UserVerificationMethod as RawUserVerificationMethod, VerificationMethodAndCombinations,
};
use crate::UserVerificationMethod;
use crate::{StatusReport, UserVerificationMethod};
use tracing::{debug, error, warn};
use uuid::Uuid;

Expand All @@ -26,6 +26,8 @@ const VERIMARK_GUARD_FINGERPRINT_HASH: u64 = 3483018605;
const AUTHENTON1: Uuid = uuid::uuid!("b267239b-954f-4041-a01b-ee4f33c145b6");
const AUTHENTON1_HASH: u64 = 1117557365;

const NITROKEY_3_AM: Uuid = uuid::uuid!("2cd2f727-f6ca-44da-8f48-5c2e5da000a2");

pub(crate) fn mds_user_verification_method_code_accuracy_descriptor(
uvm: &mut [Vec<VerificationMethodAndCombinations>],
) -> bool {
Expand Down Expand Up @@ -153,6 +155,19 @@ pub(crate) fn user_verification_method(
}
}

/// Deny authenticators that have publicly known security vulnerabilities, that FIDO
/// has not yet acknowledged.
pub(crate) fn mds_deny_insecure_authenticators(aaguid: Option<Uuid>) -> Option<StatusReport> {
match aaguid {
Some(NITROKEY_3_AM) => Some(StatusReport::UserKeyRemoteCompromise {
effective_date: None,
authenticator_version: 0,
url: None,
}),
_ => None,
}
}

/// Incorrect UVM Method:
/// `PresenceInternal AND PasscodeInternal() AND None`
///
Expand Down
Loading