Bug 1804624 - upgrade to authenticator 0.4.0-alpha.4. r=dveditz,supply-chain-reviewers

Version 0.4.0-alpha.4 fixes an issue where CTAP2 commands would fail if a token did not have a PIN set. See https://github.com/mozilla/authenticator-rs/pull/208 Differential Revision: https://phabricator.services.mozilla.com/D164255
2024-11-24 05:11:16 +00:00 · 2022-12-08 20:28:02 +00:00 · 2022-12-08 20:28:02 +00:00 · cc445a9697
commit cc445a9697
parent 4ec6b65323
8 changed files with 32 additions and 21 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -378,9 +378,9 @@ dependencies = [

 [[package]]
 name = "authenticator"
-version = "0.4.0-alpha.3"
+version = "0.4.0-alpha.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "671c5d49eab8c93b8aea310cef8a7fd0846eb9417e3c31e4f4d6ec7012aae842"
+checksum = "0e6049d26a8bcbee28599bc43e2369fa228dc5d63a0c5ad7739887d330c1228b"
 dependencies = [
 "base64",
 "bitflags",
--- a/supply-chain/audits.toml
+++ b/supply-chain/audits.toml
@ -99,7 +99,7 @@ notes = "I maintain this crate and have reviewed every line."
 [[audits.authenticator]]
 who = "John M. Schanck <jschanck@mozilla.com>"
 criteria = "safe-to-deploy"
-version = "0.4.0-alpha.3"
+version = "0.4.0-alpha.4"
 notes = "Maintained by the CryptoEng team at Mozilla."

 [[audits.autocfg]]
--- a/third_party/rust/authenticator/.cargo-checksum.json
+++ b/third_party/rust/authenticator/.cargo-checksum.json
--- a/third_party/rust/authenticator/Cargo.lock
+++ b/third_party/rust/authenticator/Cargo.lock
@ -39,7 +39,7 @@ dependencies = [

 [[package]]
 name = "authenticator"
-version = "0.4.0-alpha.3"
+version = "0.4.0-alpha.4"
 dependencies = [
 "assert_matches",
 "base64",
--- a/third_party/rust/authenticator/Cargo.toml
+++ b/third_party/rust/authenticator/Cargo.toml
@ -12,7 +12,7 @@
 [package]
 edition = "2018"
 name = "authenticator"
-version = "0.4.0-alpha.3"
+version = "0.4.0-alpha.4"
 authors = [
    "J.C. Jones <jc@mozilla.com>",
    "Tim Taubert <ttaubert@mozilla.com>",
--- a/third_party/rust/authenticator/src/ctap2/commands/client_pin.rs
+++ b/third_party/rust/authenticator/src/ctap2/commands/client_pin.rs
@ -745,6 +745,7 @@ pub enum PinError {
    InvalidPin(Option<u8>),
    PinAuthBlocked,
    PinBlocked,
+    PinNotSet,
    Backend(BackendError),
 }

@ -770,6 +771,7 @@ impl fmt::Display for PinError {
                f,
                "PinError: No retries left. Pin blocked. Device needs reset."
            ),
+            PinError::PinNotSet => write!(f, "PinError: Pin needed but not set on device."),
            PinError::Backend(ref e) => write!(f, "PinError: Crypto backend error: {:?}", e),
        }
    }
--- a/third_party/rust/authenticator/src/ctap2/commands/mod.rs
+++ b/third_party/rust/authenticator/src/ctap2/commands/mod.rs
@ -103,13 +103,14 @@ pub(crate) trait PinAuthCommand {
        }

        let client_data_hash = self.client_data_hash();
-        let pin_auth = match calculate_pin_auth(dev, &client_data_hash, &self.pin()) {
-            Ok(pin_auth) => pin_auth,
-            Err(e) => {
-                return Err(repackage_pin_errors(dev, e));
-            }
-        };
-        self.set_pin_auth(pin_auth, Some(1)); // TODO(MS): Currently, we only support version 1
+        let (pin_auth, pin_auth_protocol) =
+            match calculate_pin_auth(dev, &client_data_hash, &self.pin()) {
+                Ok((pin_auth, pin_auth_protocol)) => (pin_auth, pin_auth_protocol),
+                Err(e) => {
+                    return Err(repackage_pin_errors(dev, e));
+                }
+            };
+        self.set_pin_auth(pin_auth, pin_auth_protocol);
        Ok(())
    }
 }
@ -146,7 +147,12 @@ pub(crate) fn repackage_pin_errors<D: FidoDevice>(
        ))) => {
            return AuthenticatorError::PinError(PinError::PinRequired);
        }
-        // TODO(MS): Add "PinNotSet"
+        AuthenticatorError::HIDError(HIDError::Command(CommandError::StatusCode(
+            StatusCode::PinNotSet,
+            _,
+        ))) => {
+            return AuthenticatorError::PinError(PinError::PinNotSet);
+        }
        // TODO(MS): Add "PinPolicyViolated"
        err => {
            return err;
@ -427,7 +433,7 @@ pub(crate) fn calculate_pin_auth<Dev>(
    dev: &mut Dev,
    client_data_hash: &ClientDataHash,
    pin: &Option<Pin>,
-) -> Result<Option<PinAuth>, AuthenticatorError>
+) -> Result<(Option<PinAuth>, Option<u64>), AuthenticatorError>
 where
    Dev: FidoDevice,
 {
@ -448,13 +454,16 @@ where
        let pin_command = GetPinToken::new(&info, &shared_secret, &pin)?;
        let pin_token = dev.send_cbor(&pin_command)?;

-        Some(
-            pin_token
-                .auth(client_data_hash.as_ref())
-                .map_err(CommandError::Crypto)?,
+        (
+            Some(
+                pin_token
+                    .auth(client_data_hash.as_ref())
+                    .map_err(CommandError::Crypto)?,
+            ),
+            Some(1), // Currently only pin_auth_protocol 1 supported
        )
    } else {
-        None
+        (None, None)
    };

    Ok(pin_auth)
--- a/toolkit/library/rust/shared/Cargo.toml
+++ b/toolkit/library/rust/shared/Cargo.toml
@ -39,7 +39,7 @@ tokio-reactor = { version = "=0.1.3", optional = true }
 # audioipc2-client and audioipc2-server.
 tokio-threadpool = { version = "=0.1.17", optional = true }
 encoding_glue = { path = "../../../../intl/encoding_glue" }
-authenticator = { version = "0.4.0-alpha.3", features = ["gecko"] }
+authenticator = { version = "0.4.0-alpha.4", features = ["gecko"] }
 gkrust_utils = { path = "../../../../xpcom/rust/gkrust_utils" }
 gecko_logger = { path = "../../../../xpcom/rust/gecko_logger" }
 rsdparsa_capi = { path = "../../../../dom/media/webrtc/sdp/rsdparsa_capi" }