Add enterprise attestation to cli

martinpaljak · Nov 17, 2024 · 6a2fa74 · 6a2fa74
1 parent 19bccdd
commit 6a2fa74
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 0 deletions.
diff --git a/common/src/main/java/pro/javacard/fido2/common/MakeCredentialCommand.java b/common/src/main/java/pro/javacard/fido2/common/MakeCredentialCommand.java
@@ -30,6 +30,8 @@ public class MakeCredentialCommand {
     byte[] pinAuth;
     int pinProtocol = -1;
 
+    int enterpriseAttestation = -1;
+
     public MakeCredentialCommand withClientDataHash(byte[] hash) {
         clientDataHash = hash.clone();
         return this;
@@ -86,6 +88,13 @@ public MakeCredentialCommand withOption(String option, boolean value) {
         return this;
     }
 
+    public MakeCredentialCommand withEnterpriseAttestation(int variant) {
+        if (!(variant == 1 || variant == 2))
+            throw new IllegalArgumentException("enterpriseAttestation must be 1 or 2");
+        enterpriseAttestation = variant;
+        return this;
+    }
+
     // Build the CBOR structure
     public byte[] build() {
         if (clientDataHash == null || origin == null || userId == null || algorithms.size() == 0)
@@ -106,6 +115,8 @@ public byte[] build() {
                 numElements++;
             if (excludeList.size() > 0)
                 numElements++;
+            if (enterpriseAttestation != -1)
+                numElements++;
 
             generator.writeStartObject(numElements);
 
@@ -183,6 +194,10 @@ public byte[] build() {
                 generator.writeFieldId(MakeCredentialCommandParameter.pinProtocol.value());
                 generator.writeNumber(pinProtocol);
             }
+            if (enterpriseAttestation != -1) {
+                generator.writeFieldId(MakeCredentialCommandParameter.enterpriseAttestation.value());
+                generator.writeNumber(enterpriseAttestation);
+            }
             generator.writeEndObject();
 
             generator.close();

diff --git a/tool/src/main/java/pro/javacard/fido2/cli/CommandLineInterface.java b/tool/src/main/java/pro/javacard/fido2/cli/CommandLineInterface.java
@@ -49,6 +49,7 @@ abstract class CommandLineInterface {
     protected static OptionSpec<String> OPT_AUTHENTICATE = parser.acceptsAll(Arrays.asList("a", "authenticate"), "Get assertion / authenticate").withRequiredArg().describedAs("[user@]domain");
 
     // Arguments for registration/authentication
+    protected static OptionSpec<Integer> OPT_EA = parser.acceptsAll(Arrays.asList("ea"),  "Enterprise Attestation (FIDO2)").withOptionalArg().ofType(Integer.class).defaultsTo(1);
     protected static OptionSpec<Void> OPT_RK = parser.acceptsAll(Arrays.asList("rk", "discoverable"), "Discoverable (FIDO2)");
     protected static OptionSpec<String> OPT_HMAC_SECRET = parser.acceptsAll(Arrays.asList("hmac-secret"), "Use hmac-secret (FIDO2)").withOptionalArg().describedAs("hex");
     protected static OptionSpec<Integer> OPT_PROTECT = parser.acceptsAll(Arrays.asList("protect"), "Use credProtect (FIDO2)").withRequiredArg().ofType(Integer.class);

diff --git a/tool/src/main/java/pro/javacard/fido2/cli/FIDOTool.java b/tool/src/main/java/pro/javacard/fido2/cli/FIDOTool.java
@@ -374,6 +374,8 @@ else if (filtered.size() > 1) {
                         makeCredentialCommand.withUserID(uid);
                     }
                     if (!useU2F(transport, options)) {
+                        if (options.has(OPT_EA))
+                            makeCredentialCommand.withEnterpriseAttestation(options.valueOf(OPT_EA));
                         if (options.has(OPT_RK))
                             makeCredentialCommand.withOption("rk");
                         if (options.has(OPT_NO_UP))