[add] Display 'Login request signed' only when there is only one (not…

… getNextAssertion scenario)
LedgerHQ · Oct 31, 2024 · 70263ff · 70263ff
1 parent 6f19b75
commit 70263ff
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 3 deletions.
diff --git a/include/globals.h b/include/globals.h
@@ -73,6 +73,7 @@ typedef struct global_s {
     char buffer2_65[65];
     char display_status[131];
     bool is_nfc;
+    bool is_getNextAssertion;
 } global_t;
 
 extern global_t g;

diff --git a/src/ctap2/get_assertion/get_assertion.c b/src/ctap2/get_assertion/get_assertion.c
@@ -251,6 +251,7 @@ static void nfc_handle_get_assertion() {
     if (ctap2AssertData->allowListPresent) {
         // Allow list -> non-RK credentials.
         // Falling back to previous behavior: login with the first compatible credential
+        g.is_getNextAssertion = false;
         get_assertion_confirm(1);
     } else {
         // No allow list -> RK credentials
@@ -259,6 +260,11 @@ static void nfc_handle_get_assertion() {
         // call getNextAssertion to fetch other possible credentials.
         uint16_t slotIdx;
         ctap2AssertData->availableCredentials = rk_build_RKList_from_rpID(ctap2AssertData->rpIdHash);
+        if (ctap2AssertData->availableCredentials > 1) {
+            // This settings will disable the app_nbgl_status call (nothing displayed on SK)
+            // Else, this would lead the app to respond too slowly, and the client to bug out
+            g.is_getNextAssertion = true;
+        }
         PRINTF("Matching credentials: %d\n", ctap2AssertData->availableCredentials);
         rk_next_credential_from_RKList(&slotIdx,
                                        &ctap2AssertData->nonce,

diff --git a/src/ctap2/get_assertion/get_assertion_utils.c b/src/ctap2/get_assertion/get_assertion_utils.c
@@ -382,21 +382,25 @@ static int build_and_encode_getAssertion_response(uint8_t *buffer,
     }
     // If RK: encoding credential info
     if (credData->residentKey) {
+        const bool encode_username = (g.is_getNextAssertion && credData->userStr != NULL);
         cbip_add_int(&encoder, TAG_RESP_USER);
-        cbip_add_map_header(&encoder, credData->userStr == NULL ? 1 : 3);
+        cbip_add_map_header(&encoder, encode_username ? 3 : 1);
         cbip_add_string(&encoder, KEY_USER_ID, sizeof(KEY_USER_ID) - 1);
         // credData->userId can still be used even after ctap2_rewrap_credential as
         // the credential is resident, and therefore userId is pointing to an area in nvm and
         // not in ctap2AssertData->credId
         cbip_add_byte_string(&encoder, credData->userId, credData->userIdLen);
 
-        if (credData->userStr != NULL) {
+        if (encode_username) {
             cbip_add_string(&encoder, KEY_USER_NAME, sizeof(KEY_USER_NAME) - 1);
             cbip_add_string(&encoder, credData->userStr, credData->userStrLen);
             cbip_add_string(&encoder, KEY_USER_DISPLAYNAME, sizeof(KEY_USER_DISPLAYNAME) - 1);
             cbip_add_string(&encoder, credData->userStr, credData->userStrLen);
         }
 
+        // While we're at it, copying user name on display buffer
+        ctap2_display_copy_username(credData->userStr, credData->userStrLen);
+
         PRINTF("Adding user to response %.*H\n", credData->userIdLen, credData->userId);
     }
 

diff --git a/src/nfc_io.c b/src/nfc_io.c
@@ -85,7 +85,9 @@ int nfc_io_send_prepared_response(bool display_infos) {
         if (display_infos) {
             ctap2_copy_info_on_buffers();
         }
-        app_nbgl_status(nfc_status, true, ui_idle);
+        if (!g.is_getNextAssertion) {
+            app_nbgl_status(nfc_status, true, ui_idle);
+        }
     }
 
     return ret;