@@ -214,8 +214,9 @@ impl<UP: UserPresence, T: TrussedRequirements> Authenticator for crate::Authenti
214214
215215 // 1-4.
216216 if let Some ( options) = parameters. options . as_ref ( ) {
217- // up option is not valid for make_credential
218- if options. up . is_some ( ) {
217+ // CTAP 2.1 §6.1.2: MakeCredential allows `up` only with value
218+ // true (UP is implicit and required); `up=false` is invalid.
219+ if options. up == Some ( false ) {
219220 return Err ( Error :: InvalidOption ) ;
220221 }
221222 }
@@ -2427,15 +2428,10 @@ impl<UP: UserPresence, T: TrussedRequirements> crate::Authenticator<UP, T> {
24272428 let Some ( pin_uv_auth_protocol) = request. pin_uv_auth_protocol else {
24282429 return Err ( Error :: PinRequired ) ;
24292430 } ;
2430- if pin_uv_auth_protocol != 1 {
2431- return Err ( Error :: PinAuthInvalid ) ;
2432- }
24332431 let pin_protocol = self . parse_pin_protocol ( pin_uv_auth_protocol) ?;
2434- // TODO: check pinUvAuthToken
2435- let pin_auth: [ u8 ; 16 ] = pin_uv_auth_param
2436- . as_ref ( )
2437- . try_into ( )
2438- . map_err ( |_| Error :: PinAuthInvalid ) ?;
2432+ // verify_pin_token truncates per protocol (16 B for v1, 32 B
2433+ // for v2), so pass the full param.
2434+ let pin_auth: & [ u8 ] = pin_uv_auth_param. as_ref ( ) ;
24392435
24402436 let mut auth_data: Bytes < 70 > = Bytes :: new ( ) ;
24412437 // 32x 0xff
@@ -2451,7 +2447,7 @@ impl<UP: UserPresence, T: TrussedRequirements> crate::Authenticator<UP, T> {
24512447 auth_data. extend_from_slice ( & Sha256 :: digest ( data) ) . unwrap ( ) ;
24522448
24532449 let mut pin_protocol = self . pin_protocol ( pin_protocol) ;
2454- let pin_token = pin_protocol. verify_pin_token ( & pin_auth , & auth_data ) ?;
2450+ let pin_token = pin_protocol. verify_pin_token ( & auth_data , pin_auth ) ?;
24552451 pin_token. require_permissions ( Permissions :: LARGE_BLOB_WRITE ) ?;
24562452 }
24572453
0 commit comments