Remove CTAP 2.1 flag

.github/workflows/cargo_check.yml

@@ -42,12 +42,6 @@ jobs:
  command: check
  args: --target thumbv7em-none-eabi --release --features with_ctap1
 
- - name: Check OpenSK with_ctap2_1
- uses: actions-rs/cargo@v1
- with:
- command: check
- args: --target thumbv7em-none-eabi --release --features with_ctap2_1
-
  - name: Check OpenSK debug_ctap
  uses: actions-rs/cargo@v1
  with:
@@ -78,17 +72,11 @@ jobs:
  command: check
  args: --target thumbv7em-none-eabi --release --features debug_ctap,with_ctap1
 
- - name: Check OpenSK debug_ctap,with_ctap2_1
- uses: actions-rs/cargo@v1
- with:
- command: check
- args: --target thumbv7em-none-eabi --release --features debug_ctap,with_ctap2_1
-
- - name: Check OpenSK debug_ctap,with_ctap1,with_ctap2_1,panic_console,debug_allocations,verbose
+ - name: Check OpenSK debug_ctap,with_ctap1,panic_console,debug_allocations,verbose
  uses: actions-rs/cargo@v1
  with:
  command: check
- args: --target thumbv7em-none-eabi --release --features debug_ctap,with_ctap1,with_ctap2_1,panic_console,debug_allocations,verbose
+ args: --target thumbv7em-none-eabi --release --features debug_ctap,with_ctap1,,panic_console,debug_allocations,verbose
 
  - name: Check examples
  uses: actions-rs/cargo@v1

.github/workflows/opensk_test.yml

@@ -51,27 +51,3 @@ jobs:
  command: test
  args: --features std,with_ctap1
 
- - name: Unit testing of CTAP2 (release mode + CTAP2.1)
- uses: actions-rs/cargo@v1
- with:
- command: test
- args: --release --features std,with_ctap2_1
-
- - name: Unit testing of CTAP2 (debug mode + CTAP2.1)
- uses: actions-rs/cargo@v1
- with:
- command: test
- args: --features std,with_ctap2_1
-
- - name: Unit testing of CTAP2 (release mode + CTAP1 + CTAP2.1)
- uses: actions-rs/cargo@v1
- with:
- command: test
- args: --release --features std,with_ctap1,with_ctap2_1
-
- - name: Unit testing of CTAP2 (debug mode + CTAP1 + CTAP2.1)
- uses: actions-rs/cargo@v1
- with:
- command: test
- args: --features std,with_ctap1,with_ctap2_1
-

Cargo.toml

@@ -27,7 +27,6 @@ panic_console = ["lang_items/panic_console"]
 std = ["cbor/std", "crypto/std", "crypto/derive_debug", "lang_items/std", "persistent_store/std"]
 verbose = ["debug_ctap", "libtock_drivers/verbose_usb"]
 with_ctap1 = ["crypto/with_ctap1"]
-with_ctap2_1 = []
 with_nfc = ["libtock_drivers/with_nfc"]
 
 [dev-dependencies]

README.md

@@ -24,15 +24,14 @@ few limitations:
 
 ### FIDO2
 
-Although we tested and implemented our firmware based on the published
+The stable branch implements the published
 [CTAP2.0 specifications](https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html),
-our implementation was not reviewed nor officially tested and doesn't claim to
-be FIDO Certified.
-We started adding features of the upcoming next version of the
-[CTAP2.1 specifications](https://fidoalliance.org/specs/fido2/fido-client-to-authenticator-protocol-v2.1-rd-20191217.html).
-The development is currently between 2.0 and 2.1, with updates hidden behind
-a feature flag.
-Please add the flag `--ctap2.1` to the deploy command to include them.
+but our implementation was not reviewed nor officially tested and doesn't claim
+to be FIDO Certified. It already contains some preview features of 2.1, that you
+can try by adding the flag `--ctap2.1` to the deploy command.
+The develop branch offers only the
+[CTAP2.1 specifications](https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html).
+The new features of 2.1 are currently work in progress.
 
 ### Cryptography
 

deploy.py

@@ -881,14 +881,6 @@ def main(args):
  help=("Compiles the OpenSK application without backward compatible "
  "support for U2F/CTAP1 protocol."),
  )
- main_parser.add_argument(
- "--ctap2.1",
- action="append_const",
- const="with_ctap2_1",
- dest="features",
- help=("Compiles the OpenSK application with backward compatible "
- "support for CTAP2.1 protocol."),
- )
  main_parser.add_argument(
  "--nfc",
  action="append_const",
@@ -947,7 +939,16 @@ def main(args):
  dest="application",
  action="store_const",
  const="store_latency",
- help=("Compiles and installs the store_latency example."))
+ help=("Compiles and installs the store_latency example which print "
+ "latency statistics of the persistent store library."))
+ apps_group.add_argument(
+ "--erase_storage",
+ dest="application",
+ action="store_const",
+ const="erase_storage",
+ help=("Compiles and installs the erase_storage example which erases "
+ "the storage. During operation the dongle red light is on. Once "
+ "the operation is completed the dongle green light is on."))
  apps_group.add_argument(
  "--panic_test",
  dest="application",

examples/erase_storage.rs

@@ -0,0 +1,53 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#![no_std]
+
+extern crate lang_items;
+
+use core::fmt::Write;
+use ctap2::embedded_flash::new_storage;
+use libtock_drivers::console::Console;
+use libtock_drivers::led;
+use libtock_drivers::result::FlexUnwrap;
+use persistent_store::{Storage, StorageIndex};
+
+fn is_page_erased(storage: &dyn Storage, page: usize) -> bool {
+ let index = StorageIndex { page, byte: 0 };
+ let length = storage.page_size();
+ storage
+ .read_slice(index, length)
+ .unwrap()
+ .iter()
+ .all(|&x| x == 0xff)
+}
+
+fn main() {
+ led::get(1).flex_unwrap().on().flex_unwrap(); // red on dongle
+ const NUM_PAGES: usize = 20; // should be at least ctap::storage::NUM_PAGES
+ let mut storage = new_storage(NUM_PAGES);
+ writeln!(Console::new(), "Erase {} pages of storage:", NUM_PAGES).unwrap();
+ for page in 0..NUM_PAGES {
+ write!(Console::new(), "- Page {} ", page).unwrap();
+ if is_page_erased(&storage, page) {
+ writeln!(Console::new(), "skipped (was already erased).").unwrap();
+ } else {
+ storage.erase_page(page).unwrap();
+ writeln!(Console::new(), "erased.").unwrap();
+ }
+ }
+ writeln!(Console::new(), "Done.").unwrap();
+ led::get(1).flex_unwrap().off().flex_unwrap();
+ led::get(0).flex_unwrap().on().flex_unwrap(); // green on dongle
+}

run_desktop_tests.sh

@@ -44,7 +44,6 @@ cargo test --manifest-path tools/heapviz/Cargo.toml
 echo "Checking that CTAP2 builds properly..."
 cargo check --release --target=thumbv7em-none-eabi
 cargo check --release --target=thumbv7em-none-eabi --features with_ctap1
-cargo check --release --target=thumbv7em-none-eabi --features with_ctap2_1
 cargo check --release --target=thumbv7em-none-eabi --features debug_ctap
 cargo check --release --target=thumbv7em-none-eabi --features panic_console
 cargo check --release --target=thumbv7em-none-eabi --features debug_allocations
@@ -116,16 +115,4 @@ then
 
  echo "Running unit tests on the desktop (debug mode + CTAP1)..."
  cargo test --features std,with_ctap1
-
- echo "Running unit tests on the desktop (release mode + CTAP2.1)..."
- cargo test --release --features std,with_ctap2_1
-
- echo "Running unit tests on the desktop (debug mode + CTAP2.1)..."
- cargo test --features std,with_ctap2_1
-
- echo "Running unit tests on the desktop (release mode + CTAP1 + CTAP2.1)..."
- cargo test --release --features std,with_ctap1,with_ctap2_1
-
- echo "Running unit tests on the desktop (debug mode + CTAP1 + CTAP2.1)..."
- cargo test --features std,with_ctap1,with_ctap2_1
 fi

src/ctap/command.rs

@@ -41,7 +41,6 @@ pub enum Command {
  AuthenticatorClientPin(AuthenticatorClientPinParameters),
  AuthenticatorReset,
  AuthenticatorGetNextAssertion,
- #[cfg(feature = "with_ctap2_1")]
  AuthenticatorSelection,
  // TODO(kaczmarczyck) implement FIDO 2.1 commands (see below consts)
  // Vendor specific commands
@@ -111,7 +110,6 @@ impl Command {
  // Parameters are ignored.
  Ok(Command::AuthenticatorGetNextAssertion)
  }
- #[cfg(feature = "with_ctap2_1")]
  Command::AUTHENTICATOR_SELECTION => {
  // Parameters are ignored.
  Ok(Command::AuthenticatorSelection)
@@ -292,32 +290,16 @@ pub struct AuthenticatorClientPinParameters {
  pub pin_auth: Option<Vec<u8>>,
  pub new_pin_enc: Option<Vec<u8>>,
  pub pin_hash_enc: Option<Vec<u8>>,
- #[cfg(feature = "with_ctap2_1")]
  pub min_pin_length: Option<u8>,
- #[cfg(feature = "with_ctap2_1")]
  pub min_pin_length_rp_ids: Option<Vec<String>>,
- #[cfg(feature = "with_ctap2_1")]
  pub permissions: Option<u8>,
- #[cfg(feature = "with_ctap2_1")]
  pub permissions_rp_id: Option<String>,
 }
 
 impl TryFrom<cbor::Value> for AuthenticatorClientPinParameters {
  type Error = Ctap2StatusCode;
 
  fn try_from(cbor_value: cbor::Value) -> Result<Self, Ctap2StatusCode> {
- #[cfg(not(feature = "with_ctap2_1"))]
- destructure_cbor_map! {
- let {
- 1 => pin_protocol,
- 2 => sub_command,
- 3 => key_agreement,
- 4 => pin_auth,
- 5 => new_pin_enc,
- 6 => pin_hash_enc,
- } = extract_map(cbor_value)?;
- }
- #[cfg(feature = "with_ctap2_1")]
  destructure_cbor_map! {
  let {
  1 => pin_protocol,
@@ -339,14 +321,12 @@ impl TryFrom<cbor::Value> for AuthenticatorClientPinParameters {
  let pin_auth = pin_auth.map(extract_byte_string).transpose()?;
  let new_pin_enc = new_pin_enc.map(extract_byte_string).transpose()?;
  let pin_hash_enc = pin_hash_enc.map(extract_byte_string).transpose()?;
- #[cfg(feature = "with_ctap2_1")]
  let min_pin_length = min_pin_length
  .map(extract_unsigned)
  .transpose()?
  .map(u8::try_from)
  .transpose()
  .map_err(|_| Ctap2StatusCode::CTAP2_ERR_PIN_POLICY_VIOLATION)?;
- #[cfg(feature = "with_ctap2_1")]
  let min_pin_length_rp_ids = match min_pin_length_rp_ids {
  Some(entry) => Some(
  extract_array(entry)?
@@ -356,14 +336,12 @@ impl TryFrom<cbor::Value> for AuthenticatorClientPinParameters {
  ),
  None => None,
  };
- #[cfg(feature = "with_ctap2_1")]
  // We expect a bit field of 8 bits, and drop everything else.
  // This means we ignore extensions in future versions.
  let permissions = permissions
  .map(extract_unsigned)
  .transpose()?
  .map(|p| p as u8);
- #[cfg(feature = "with_ctap2_1")]
  let permissions_rp_id = permissions_rp_id.map(extract_text_string).transpose()?;
 
  Ok(AuthenticatorClientPinParameters {
@@ -373,13 +351,9 @@ impl TryFrom<cbor::Value> for AuthenticatorClientPinParameters {
  pin_auth,
  new_pin_enc,
  pin_hash_enc,
- #[cfg(feature = "with_ctap2_1")]
  min_pin_length,
- #[cfg(feature = "with_ctap2_1")]
  min_pin_length_rp_ids,
- #[cfg(feature = "with_ctap2_1")]
  permissions,
- #[cfg(feature = "with_ctap2_1")]
  permissions_rp_id,
  })
  }
@@ -560,18 +534,6 @@ mod test {
 
  #[test]
  fn test_from_cbor_client_pin_parameters() {
- // TODO(kaczmarczyck) inline the #cfg when #128 is resolved:
- // https://github.com/google/OpenSK/issues/128
- #[cfg(not(feature = "with_ctap2_1"))]
- let cbor_value = cbor_map! {
- 1 => 1,
- 2 => ClientPinSubCommand::GetPinRetries,
- 3 => cbor_map!{},
- 4 => vec! [0xBB],
- 5 => vec! [0xCC],
- 6 => vec! [0xDD],
- };
- #[cfg(feature = "with_ctap2_1")]
  let cbor_value = cbor_map! {
  1 => 1,
  2 => ClientPinSubCommand::GetPinRetries,
@@ -594,13 +556,9 @@ mod test {
  pin_auth: Some(vec![0xBB]),
  new_pin_enc: Some(vec![0xCC]),
  pin_hash_enc: Some(vec![0xDD]),
- #[cfg(feature = "with_ctap2_1")]
  min_pin_length: Some(4),
- #[cfg(feature = "with_ctap2_1")]
  min_pin_length_rp_ids: Some(vec!["example.com".to_string()]),
- #[cfg(feature = "with_ctap2_1")]
  permissions: Some(0x03),
- #[cfg(feature = "with_ctap2_1")]
  permissions_rp_id: Some("example.com".to_string()),
  };
 
@@ -632,7 +590,6 @@ mod test {
  assert_eq!(command, Ok(Command::AuthenticatorGetNextAssertion));
  }
 
- #[cfg(feature = "with_ctap2_1")]
  #[test]
  fn test_deserialize_selection() {
  let cbor_bytes = [Command::AUTHENTICATOR_SELECTION];

src/ctap/data_formats.rs

@@ -704,13 +704,9 @@ pub enum ClientPinSubCommand {
  SetPin = 0x03,
  ChangePin = 0x04,
  GetPinToken = 0x05,
- #[cfg(feature = "with_ctap2_1")]
  GetPinUvAuthTokenUsingUvWithPermissions = 0x06,
- #[cfg(feature = "with_ctap2_1")]
  GetUvRetries = 0x07,
- #[cfg(feature = "with_ctap2_1")]
  SetMinPinLength = 0x08,
- #[cfg(feature = "with_ctap2_1")]
  GetPinUvAuthTokenUsingPinWithPermissions = 0x09,
 }
 
@@ -731,18 +727,11 @@ impl TryFrom<cbor::Value> for ClientPinSubCommand {
  0x03 => Ok(ClientPinSubCommand::SetPin),
  0x04 => Ok(ClientPinSubCommand::ChangePin),
  0x05 => Ok(ClientPinSubCommand::GetPinToken),
- #[cfg(feature = "with_ctap2_1")]
  0x06 => Ok(ClientPinSubCommand::GetPinUvAuthTokenUsingUvWithPermissions),
- #[cfg(feature = "with_ctap2_1")]
  0x07 => Ok(ClientPinSubCommand::GetUvRetries),
- #[cfg(feature = "with_ctap2_1")]
  0x08 => Ok(ClientPinSubCommand::SetMinPinLength),
- #[cfg(feature = "with_ctap2_1")]
  0x09 => Ok(ClientPinSubCommand::GetPinUvAuthTokenUsingPinWithPermissions),
- #[cfg(feature = "with_ctap2_1")]
  _ => Err(Ctap2StatusCode::CTAP2_ERR_INVALID_SUBCOMMAND),
- #[cfg(not(feature = "with_ctap2_1"))]
- _ => Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER),
  }
  }
 }

src/ctap/hid/mod.rs

@@ -219,7 +219,7 @@ impl CtapHid {
  cid,
  cmd: CtapHid::COMMAND_CBOR,
  payload: vec![
- Ctap2StatusCode::CTAP2_ERR_VENDOR_RESPONSE_TOO_LONG as u8,
+ Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR as u8,
  ],
  })
  .unwrap()