author: Vadim Sukhomlinov <sukhomlinov@google.com> 2021-10-13 10:25:00 -0700
committer: Commit Bot <commit-bot@chromium.org> 2021-10-14 04:06:06 +0000
commit: 31bf4f49ecbbeb2ce4f4d86c334d4c3fa4144a26
tree: 8f1ee3b7dfc624b3b2e42d9eab12139fa50d4190 /test
parent: e77a39a2e493e89d067a5aa6834afbbed365f880
cr50: update U2F_Sign command to hash authentication secret
U2F_Sign is expected to receive pre-hashed version of user credentials so should apply SHA2-256 to the value before key handle verification. Also, enforce user verification with authentication time secret if no user presence (power button press) is requested.

test/tpm_test/tpmtest.py updated to apply SHA256 in U2F_Generate to match expected u2fd behavior.

BUG=b:172971998
TEST=make BOARD=cr50 CRYPTO_TEST=1 U2F_TEST=1; test/tpm_test/tpmtest.py

Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I92d73cd1fc0d962fefe11faeb4ce0ed68c798aa7
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3221264
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Howard Yang <hcyang@google.com>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Diffstat (limited to 'test')
-rw-r--r-- test/tpm_test/u2f_test.py | 3
1 files changed, 3 insertions, 0 deletions
diff --git a/test/tpm_test/u2f_test.py b/test/tpm_test/u2f_test.py
index 156399d740..8bbacd4eb3 100644
--- a/test/tpm_test/u2f_test.py
+++ b/test/tpm_test/u2f_test.py
@@ -19,6 +19,9 @@ def u2f_generate(tpm, origin, user, flag, auth):
origin = origin[:32].ljust(32, b'\0')
user = user[:32].ljust(32, b'\0')
auth = auth[:32].ljust(32, b'\0')
+
+ # U2F_Sign receives prehashed credentials, U2F_Generate - hashed
+ auth = hashlib.sha256(auth).digest()
cmd = origin + user + flag.to_bytes(1, 'big') + auth
wrapped_response = tpm.command(tpm.wrap_ext_command(subcmd.U2F_GENERATE, cmd))
response = tpm.unwrap_ext_response(subcmd.U2F_GENERATE, wrapped_response)
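Review bot: The comment on the added `auth = hashlib.sha256(auth).digest()` line ("U2F_Sign receives prehashed credentials, U2F_Generate - hashed") is hard to parse and should say directly which side does the hashing: U2F_Generate is sent the SHA-256 of the auth secret, while U2F_Sign is sent the unhashed secret and the firmware hashes it before key handle verification, as the commit message describes. The digest is also taken after `auth[:32].ljust(32, b'\0')`, so it covers the truncated, zero-padded 32-byte value rather than the caller's original secret; the sign-side helper has to send exactly that padded value for the key handle check to match, which is worth stating in the comment. No `import hashlib` is visible in this hunk, so confirm the module already imports it.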