Fix handling of residentKey "preferred"

Yubico · Nov 18, 2024 · 24e5e77 · 24e5e77
1 parent 2deef9b
commit 24e5e77
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 2 deletions.
diff --git a/fido2/client.py b/fido2/client.py
@@ -45,6 +45,7 @@
     AuthenticatorAttestationResponse,
     AuthenticatorAssertionResponse,
     AttestationConveyancePreference,
+    ResidentKeyRequirement,
     _as_cbor,
 )
 from .cose import ES256
@@ -631,7 +632,6 @@ def do_make_credential(
         exclude_list = options.exclude_credentials
         extensions = options.extensions
         selection = options.authenticator_selection or AuthenticatorSelectionCriteria()
-        rk = selection.require_resident_key
         user_verification = selection.user_verification
 
         on_keepalive = _user_keepalive(self.user_interaction)
@@ -693,11 +693,20 @@ def _do_make():
             except ValueError as e:
                 raise ClientError.ERR.CONFIGURATION_UNSUPPORTED(e)
 
+            can_rk = self.info.options.get("rk")
+            rk = selection.resident_key == ResidentKeyRequirement.REQUIRED or (
+                selection.resident_key == ResidentKeyRequirement.PREFERRED and can_rk
+            )
+
             if not (rk or internal_uv):
                 options = None
             else:
                 options = {}
                 if rk:
+                    if not can_rk:
+                        raise ClientError.ERR.CONFIGURATION_UNSUPPORTED(
+                            "Resident key not supported"
+                        )
                     options["rk"] = True
                 if internal_uv:
                     options["uv"] = True

diff --git a/fido2/ctap2/extensions.py b/fido2/ctap2/extensions.py
@@ -36,6 +36,7 @@
     PublicKeyCredentialCreationOptions,
     PublicKeyCredentialRequestOptions,
     AuthenticatorSelectionCriteria,
+    ResidentKeyRequirement,
 )
 from enum import Enum, unique
 from dataclasses import dataclass
@@ -435,5 +436,9 @@ def process_create_output(self, attestation_response, *args):
             self._create_options.authenticator_selection
             or AuthenticatorSelectionCriteria()
         )
-        rk = selection.require_resident_key
+
+        rk = selection.resident_key == ResidentKeyRequirement.REQUIRED or (
+            selection.resident_key == ResidentKeyRequirement.PREFERRED
+            and self.ctap.info.options.get("rk")
+        )
         return {"credProps": _CredPropsOutputs(rk=rk)}