Extend Credential structure with Password Safe field #63
Conversation
Bump version to 0.11.0 Add GetCredential command Allow additional fields in Register command New tags for the PWS fields New OTP kind to signalize OTP being unused in the given Credential, without changing the data structure
This allows to fully populate all PWS and Name fields, reaching 512 bytes, which otherwise could not be sent due to the 255B limit.
There was a problem hiding this comment.
Looks good.
What do you think about moving the credential data into an enum because they should be mutually exclusive? Something like this:
pub struct Credential<'l> {
pub label: &'l [u8],
pub touch_required: bool,
pub encryption_key_type: EncryptionKeyType,
pub counter: Option<u32>,
pub data: CredentialData<'l>,
}
pub enum CredentialData<'l> {
OneTimePassword {
kind: oath::Kind,
algorithm: oath::Algorithm,
digits: u8,
secret: &'l [u8],
}.
StaticPassword {
login: &'l [u8],
password: &'l [u8],
metadata: &'l [u8],
},
}Data created with firmware using this application may block working of the older version
We should talk about if we want to try to avoid this. For example, we could add a version number and just ignore data that we don’t understand. Not sure if it is worth the effort.
|
Thank you for the review!
|
I do not see a point in tracking this (edit: as long as we do not have hard migrations, but just extensions) since downgrades in stables are forbidden. This particular note is rather for the users of the test firmware, which could find some of their newly created credentials not working, if "downgraded" to the last stable. |
|
Just to be clear, I’m only talking about the data structures in the code, not the serialization format. It could still make sense to move the fields into structs that are flattened during the serialization, e. g.: My concern is that code with implicit invariants, e. g. if
That’s totally fine. My understanding was that adding a credential with the test firmware might block the user from accessing other credentials using the stable firmware. While this would also be okay, I’d rather try to avoid such situations if possible. |
|
Ah, I missed lifetimes and confused it with the serialized data type indeed. In that case I agree, it would be nice to keep the clean types planes in the commands and function handling them. Since this looks like a bigger refactorization, can we do that in a separate PR? |
There was a problem hiding this comment.
I think we also need a way to query the credential metadata (without the secrets) that does not require a button press. For the nitrokey-app2, we want to first determine the type of the credential (static password? OTP, if yes, which algorithm?), and then provide the appropriate actions to the user. Currently this would mean a GetCredential call that has to be confirmed by button press or PIN entry. Maybe there could be a separate GetCredentialMetadata command that does not require confirmation and only returns which kind of secrets are available for a credential?
I believe the Note: this feedback should not be a PR rejection, but feature-request in a separate ticket (please write user scenario there, which will be used for the design update). |
|
Ah, I missed that because it is only returned as |
It might be possible it is listing only one type right now, even if there are multiple types specified. To check.
Please do |
Extend Credential structure with Password Safe field
Add GetCredential command
Allow additional fields in Register command
New tags for the PWS fields
New OTP kind to signalize OTP being unused in the given Credential, without changing the data structure
Remarks:
testfirmware, and want to get back to stable firmware). Reset procedure should be able to recover all features though.Fixes #60