Add Support for User Verification (UV) and BioEnrollment #718

bradjc-veridian · 2025-02-28T23:02:56Z

This PR includes our changes to OpenSK to support UV and bioenrollment. Because there is no fingerprint sensor on the nRF52840dk or in Tock, the environment implementation is just a stub.

We are happy to test this PR against our internal hardware platform as updates are made to this PR after feedback.

Local tests pass (running run_desktop_tests.sh)
Tested against boards
- Nordic nRF52840 DK
- Nordic nRF52840 Dongle (JTAG programmed)
- Nordic nRF52840 Dongle (DFU programmed)
- Makerdiary nRF52840 MDK USB Dongle
Appropriate changes to README are included in PR

google-cla · 2025-02-28T23:03:01Z

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

ia0

Thanks for the PR! I've just reviewed src/api/persist{,/keys}.rs.

ia0 · 2025-03-01T07:47:48Z

libraries/opensk/src/api/persist/keys.rs

+
+    /// Stored counter  UV retries.
+    UV_RETRIES = 2048;
+
+    /// Stored friendly names for enrolled fingerprints.
+    FRIENDLY_NAMES = 2100..2105;


Those should be between 2005 and 2037, or between 21 and 999, as per the comment line 60 reserving keys 2048 and above for migration purposes.

Note that cargo test --features=std keys_are_disjoint fails otherwise.

ia0 · 2025-03-01T07:53:56Z

libraries/opensk/src/api/persist.rs

@@ -386,6 +408,23 @@ pub trait Persist {
        }
    }

+    /// Store a Bio Enrollment friendly name for a given template_id.
+    fn store_friendly_name(&mut self, template_id: u8, friendly_name: &str) -> CtapResult<()> {
+        let key = keys::FRIENDLY_NAMES.start + template_id as usize;


We should check key < keys::FRIENDLY_NAMES.end.

ia0 · 2025-03-01T07:54:44Z

libraries/opensk/src/api/persist.rs

+
+    /// Retrieve the Bio Enrollment friendly name for a given template_id.
+    fn get_friendly_name(&mut self, template_id: u8) -> CtapResult<String> {
+        let key = keys::FRIENDLY_NAMES.start + template_id as usize;


ia0 · 2025-03-01T07:57:08Z

libraries/opensk/src/api/persist.rs

+
+        match self.find(key)? {
+            None => Err(Ctap2StatusCode::CTAP1_ERR_OTHER),
+            Some(value) => Ok(String::from_utf8(value).unwrap_or(String::from(""))),


We should return an internal error if the value is not UTF-8.

Add fingerprint and UV support

b422099

ia0 reviewed Mar 1, 2025

View reviewed changes

ia0 requested a review from kaczmarczyck March 1, 2025 08:00

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Add Support for User Verification (UV) and BioEnrollment #718

Add Support for User Verification (UV) and BioEnrollment #718

Uh oh!

bradjc-veridian commented Feb 28, 2025

Uh oh!

google-cla bot commented Feb 28, 2025

Uh oh!

ia0 left a comment

Uh oh!

ia0 Mar 1, 2025

Uh oh!

ia0 Mar 1, 2025

Uh oh!

ia0 Mar 1, 2025

Uh oh!

ia0 Mar 1, 2025

Uh oh!

Uh oh!

Add Support for User Verification (UV) and BioEnrollment #718

Are you sure you want to change the base?

Add Support for User Verification (UV) and BioEnrollment #718

Uh oh!

Conversation

bradjc-veridian commented Feb 28, 2025

Uh oh!

google-cla bot commented Feb 28, 2025

Uh oh!

ia0 left a comment

Choose a reason for hiding this comment

Uh oh!

ia0 Mar 1, 2025

Choose a reason for hiding this comment

Uh oh!

ia0 Mar 1, 2025

Choose a reason for hiding this comment

Uh oh!

ia0 Mar 1, 2025

Choose a reason for hiding this comment

Uh oh!

ia0 Mar 1, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!