Credentials CANNOT be regenerated, as they depend on random IV.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>

src/fido/cbor_get_assertion.c

@@ -292,14 +292,9 @@ int cbor_get_assertion(const uint8_t *data, size_t len) {
         }
     }
 
-    uint8_t cred_id[MAX_CRED_ID_LENGTH];
-    size_t cred_id_len = 0;
-    if (credential_create_cred(selcred, cred_id, &cred_id_len) != 0)
-        CBOR_ERROR(CTAP2_ERR_INTEGRITY_FAILURE);
-
     mbedtls_ecdsa_context ekey;
     mbedtls_ecdsa_init(&ekey);
-    int ret = fido_load_key(selcred->curve, cred_id, &ekey);
+    int ret = fido_load_key(selcred->curve, selcred->id.data, &ekey);
     if (ret != 0) {
         mbedtls_ecdsa_free(&ekey);
         CBOR_ERROR(CTAP1_ERR_OTHER);
@@ -414,7 +409,7 @@ int cbor_get_assertion(const uint8_t *data, size_t len) {
     CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x01));
     CBOR_CHECK(cbor_encoder_create_map(&mapEncoder, &mapEncoder2, 2));
     CBOR_CHECK(cbor_encode_text_stringz(&mapEncoder2, "id"));
-    CBOR_CHECK(cbor_encode_byte_string(&mapEncoder2, cred_id, cred_id_len));
+    CBOR_CHECK(cbor_encode_byte_string(&mapEncoder2, selcred->id.data, selcred->id.len));
     CBOR_CHECK(cbor_encode_text_stringz(&mapEncoder2, "type"));
     CBOR_CHECK(cbor_encode_text_stringz(&mapEncoder2, "public-key"));
     CBOR_CHECK(cbor_encoder_close_container(&mapEncoder, &mapEncoder2));

src/fido/credential.c

@@ -38,10 +38,6 @@ int credential_verify(uint8_t *cred_id, size_t cred_id_len, const uint8_t *rp_id
     return mbedtls_chachapoly_auth_decrypt(&chatx, cred_id_len - (4 + 12 + 16), iv, rp_id_hash, 32, tag, cipher, cipher);
 }
 
-int credential_create_cred(Credential *cred, uint8_t *cred_id, size_t *cred_id_len) {
-    return credential_create(&cred->rpId, &cred->userId, &cred->userName, &cred->userDisplayName, &cred->extensions, cred->use_sign_count, cred->alg, cred->curve, cred_id, cred_id_len);
-}
-
 int credential_create(CborCharString *rpId, CborByteString *userId, CborCharString *userName, CborCharString *userDisplayName, CredExtensions *extensions, bool use_sign_count, int alg, int curve, uint8_t *cred_id, size_t *cred_id_len) {
     CborEncoder encoder, mapEncoder, mapEncoder2;
     CborError error = CborNoError;
@@ -92,6 +88,7 @@ int credential_create(CborCharString *rpId, CborByteString *userId, CborCharStri
     }
     memcpy(cred_id, "\xf1\xd0\x02\x00", 4);
     memcpy(cred_id + 4, iv, 12);
+
     err:
     if (error != CborNoError) {
         if (error == CborErrorImproperValue)
@@ -151,7 +148,10 @@ int credential_load(const uint8_t *cred_id, size_t cred_id_len, const uint8_t *r
             CBOR_ADVANCE(1);
         }
     }
-
+    cred->id.present = true;
+    cred->id.data = (uint8_t *)calloc(1, cred_id_len);
+    memcpy(cred->id.data, cred_id, cred_id_len);
+    cred->id.len = cred_id_len;
     cred->present = true;
     err:
     free(copy_cred_id);
@@ -168,6 +168,7 @@ void credential_free(Credential *cred) {
     CBOR_FREE_BYTE_STRING(cred->userId);
     CBOR_FREE_BYTE_STRING(cred->userName);
     CBOR_FREE_BYTE_STRING(cred->userDisplayName);
+    CBOR_FREE_BYTE_STRING(cred->id);
     cred->present = false;
     cred->extensions.present = false;
 }

src/fido/credential.h

@@ -44,6 +44,7 @@ typedef struct Credential
     const bool *use_sign_count;
     int64_t alg;
     int64_t curve;
+    CborByteString id;
     bool present;
 } Credential;
 
@@ -56,7 +57,6 @@ extern int credential_create(CborCharString *rpId, CborByteString *userId, CborC
 extern void credential_free(Credential *cred);
 extern int credential_store(const uint8_t *cred_id, size_t cred_id_len, const uint8_t *rp_id_hash);
 extern int credential_load(const uint8_t *cred_id, size_t cred_id_len, const uint8_t *rp_id_hash, Credential *cred);
-extern int credential_create_cred(Credential *cred, uint8_t *cred_id, size_t *cred_id_len);
 extern int credential_derive_hmac_key(const uint8_t *cred_id, size_t cred_id_len, uint8_t *outk);
 
 #endif // _CREDENTIAL_H_