[riot-notifications] [RIOT-OS/RIOT] FIDO2 support in RIOT (#16489)

Nils Ollrogge notifications at github.com
Tue Jul 20 17:18:38 CEST 2021

@Ollrogge commented on this pull request.

> +    DEBUG("fido2_ctap: initialization successful \n");
+    return 0;
+static void reset(void)
+    g_state.initialized = CTAP_INITIALIZED_MARKER;
+    g_state.rem_pin_att = CTAP_PIN_MAX_ATTS;
+    g_state.pin_is_set = false;
+    g_state.rk_amount_stored = 0;
+    g_state.sign_count = 0;
+    g_rem_pin_att_boot = CTAP_PIN_MAX_ATTS_BOOT;
+    fido2_ctap_crypto_prng(g_state.cred_key, sizeof(g_state.cred_key));
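Review bot: in reset() the result of fido2_ctap_crypto_prng() is discarded, and g_state.initialized is set to CTAP_INITIALIZED_MARKER before the new key is even generated; if the PRNG call reports a failure the authenticator would still present itself as initialized and reset while g_state.cred_key may still hold the previous wrapping key, which undermines the stated goal of invalidating remotely stored credentials. Suggest generating the key first, checking the return value and aborting the reset on error, and only then setting the initialized marker, e.g. `if (fido2_ctap_crypto_prng(g_state.cred_key, sizeof(g_state.cred_key)) != 0) { /* fail the reset */ }` followed by `g_state.initialized = CTAP_INITIALIZED_MARKER;`. Clearing the old key material before the PRNG call would also guarantee that no stale key survives a partial failure.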

No, it is not expected. The CTAP spec just mentions the possibility of storing a credential on a server in encrypted form. It doesn't define how.

But to me it makes sense to initialize a new key in the reset method because this invalidates all credentials that are stored remotely since the Authenticator won't be able to decrypt them anymore with the new key. This to me is also part of the "factory default state".

I could also simply invalidate the old key (e.g. all 0) and initialize a new key the next time a credential needs to be stored remotely on a server.
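The design point made in the reply above, that rotating the credential key on reset makes server-stored credentials unusable, as an added Python model that is not RIOT code: the authenticator's real encryption is replaced by HMAC-SHA256 from the standard library, and every class, method name and constant here is hypothetical.

```python
"""Model of a CTAP reset rotating the credential key (added example, not RIOT code).
Credentials are bound to the key with HMAC-SHA256 from the standard library
instead of the authenticator's real encryption; all names are hypothetical."""
import hashlib
import hmac
import secrets

CRED_KEY_LEN, TAG_LEN, NONCE_LEN = 32, 32, 16
PIN_MAX_ATTS = 8  # constructed stand-in for CTAP_PIN_MAX_ATTS


class AuthenticatorState:
    """Stand-in for the g_state struct in the patch."""
    def __init__(self):
        self.reset()

    def reset(self):
        """Factory-default state: defaults for every field plus a fresh wrapping key."""
        self.pin_is_set = False
        self.rem_pin_att = PIN_MAX_ATTS
        self.rk_amount_stored = 0
        self.sign_count = 0
        # Fresh random key: anything wrapped under the previous key is now unusable.
        self.cred_key = secrets.token_bytes(CRED_KEY_LEN)

    def _tag(self, label: bytes, payload: bytes) -> bytes:
        return hmac.new(self.cred_key, label + payload, hashlib.sha256).digest()

    def make_credential(self, rp_id: str):
        """Return (credential ID handed to the server, private key derived from it)."""
        payload = secrets.token_bytes(NONCE_LEN) + hashlib.sha256(rp_id.encode()).digest()
        return payload + self._tag(b"id", payload), self._tag(b"key", payload)

    def recover_private_key(self, rp_id: str, cred_id: bytes):
        """Re-derive the key from a stored credential ID; None if not wrapped under the current key."""
        payload, tag = cred_id[:-TAG_LEN], cred_id[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(b"id", payload)):
            return None  # wrapped under an older (pre-reset) key, or tampered
        if payload[NONCE_LEN:] != hashlib.sha256(rp_id.encode()).digest():
            return None  # belongs to a different relying party
        return self._tag(b"key", payload)


def reset_invalidates_remote_credentials() -> bool:
    """Scenario from the discussion: create a credential, reset, try to use it again."""
    auth = AuthenticatorState()
    cred_id, key = auth.make_credential("example.org")
    usable_before = auth.recover_private_key("example.org", cred_id) == key
    auth.reset()
    usable_after = auth.recover_private_key("example.org", cred_id) is not None
    return usable_before and not usable_after
```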
